选择你当前的职位

选择角色和级别——我们会展示成长路径、技能和差距分析。

发展路径

Junior

0-2 years

当前

职责: Выполнение задач под руководством старших коллег. Изучение кодовой базы, стандартов и процессов команды. Написание кода по спецификациям, исправление простых багов, написание тестов.

关键技能:

GDPR / 152-FZ Compliance 需要
JWT / OAuth2 / OIDC 需要
OWASP & Application Security 需要
PCI DSS 需要
RBAC / ABAC Authorization 需要
SAST/DAST 需要
Secrets Management 需要
SOC2 Compliance 需要
Supply Chain Security 需要
Kubernetes Security 需要
Cloud Security 需要
Threat Modeling 需要
Digital Forensics Basics 需要
Secure Coding Practices 需要
Incident Response Process 需要
Network Security 需要
Dependency Vulnerability Scanning 需要
Vulnerability Management 需要

Middle

2-5 years

下一个

职责: Самостоятельная разработка фич от декомпозиции до деплоя. Участие в code review. Оптимизация производительности. Менторинг junior-разработчиков. Участие в архитектурных обсуждениях.

关键技能:

GDPR / 152-FZ Compliance 需要
JWT / OAuth2 / OIDC 需要
OWASP & Application Security 需要
PCI DSS 需要
RBAC / ABAC Authorization 需要
SAST/DAST 需要
Secrets Management 需要
SOC2 Compliance 需要
Supply Chain Security 需要
Kubernetes Security 需要
Cloud Security 需要
Threat Modeling 需要
Digital Forensics Basics 需要
Secure Coding Practices 需要
Incident Response Process 需要
Network Security 需要
Dependency Vulnerability Scanning 需要
Vulnerability Management 需要

Senior

5-8 years

职责: Проектирование архитектуры компонентов и сервисов. Решение сложных технических проблем. Ведение технического долга. Code review как gatekeeper качества. Менторинг middle-разработчиков. Выбор технологий для новых задач.

关键技能:

Architecture Documentation: C4, arc42 需要
Code Review 需要
Diagramming: Mermaid, PlantUML, D2 需要
Docker 需要
ELK Stack 需要
GDPR / 152-FZ Compliance 需要
Git Advanced 需要
GitHub Copilot 需要
JWT / OAuth2 / OIDC 需要
OWASP & Application Security 需要
PCI DSS 需要
Prometheus & Grafana 需要
RBAC / ABAC Authorization 需要
REST API Design 需要
Runbook & Playbook Writing 需要
SAST/DAST 需要
Secrets Management 需要
Security Testing 需要
SLI / SLO / SLA 需要
SOC2 Compliance 需要
Supply Chain Security 需要
Algorithms & Complexity 需要
Kubernetes Security 需要
Cloud Security 需要
Code Quality & Refactoring 需要
Threat Modeling 需要
Network Fundamentals 需要
Digital Forensics Basics 需要
Secure Coding Practices 需要
Incident Response Process 需要
Network Security 需要
Dependency Vulnerability Scanning 需要
Structured Logging 需要
Data Structures 需要
On-Call Management 需要
Vulnerability Management 需要

Lead / Staff

7-12 years

职责: Техническое лидерство команды или направления. Проектирование системной архитектуры. Координация с другими командами. Формирование стандартов и best practices. Участие в найме. Планирование технического roadmap.

关键技能:

Architecture Documentation: C4, arc42 需要
Code Review 需要
Diagramming: Mermaid, PlantUML, D2 需要
Docker 需要
ELK Stack 需要
GDPR / 152-FZ Compliance 需要
Git Advanced 需要
GitHub Copilot 需要
JWT / OAuth2 / OIDC 需要
OWASP & Application Security 需要
PCI DSS 需要
Prometheus & Grafana 需要
RBAC / ABAC Authorization 需要
REST API Design 需要
Runbook & Playbook Writing 需要
SAST/DAST 需要
Secrets Management 需要
Security Testing 需要
SLI / SLO / SLA 需要
SOC2 Compliance 需要
Supply Chain Security 需要
Algorithms & Complexity 需要
Kubernetes Security 需要
Cloud Security 需要
Code Quality & Refactoring 需要
Threat Modeling 需要
Network Fundamentals 需要
Digital Forensics Basics 需要
Secure Coding Practices 需要
Incident Response Process 需要
Network Security 需要
Dependency Vulnerability Scanning 需要
Structured Logging 需要
Data Structures 需要
On-Call Management 需要
Vulnerability Management 需要

Principal

10+ years

职责: Техническая стратегия на уровне компании или домена. Кросс-организационное влияние. Решение системных проблем бизнеса через технологии. Менторинг lead-инженеров. Публичное представление компании.

关键技能:

Architecture Documentation: C4, arc42 需要
Code Review 需要
Diagramming: Mermaid, PlantUML, D2 需要
Docker 需要
ELK Stack 需要
GDPR / 152-FZ Compliance 需要
Git Advanced 需要
GitHub Copilot 需要
JWT / OAuth2 / OIDC 需要
OWASP & Application Security 需要
PCI DSS 需要
Prometheus & Grafana 需要
RBAC / ABAC Authorization 需要
REST API Design 需要
Runbook & Playbook Writing 需要
SAST/DAST 需要
Secrets Management 需要
Security Testing 需要
SLI / SLO / SLA 需要
SOC2 Compliance 需要
Supply Chain Security 需要
Algorithms & Complexity 需要
Kubernetes Security 需要
Cloud Security 需要
Code Quality & Refactoring 需要
Threat Modeling 需要
Network Fundamentals 需要
Digital Forensics Basics 需要
Secure Coding Practices 需要
Incident Response Process 需要
Network Security 需要
Dependency Vulnerability Scanning 需要
Structured Logging 需要
Data Structures 需要
On-Call Management 需要
Vulnerability Management 需要

差距分析:待发展的技能

要达到下一级别,你需要发展:

GDPR / 152-FZ Compliance

Applies GDPR/152-FZ compliance in security analysis: monitors data processing activities for regulatory violations, conducts DPIA assessments, and validates data retention policies. Uses DLP tools to detect unauthorized PII transfers.

JWT / OAuth2 / OIDC

Analyzes JWT/OAuth2 security posture: monitors authentication logs for anomalous token usage, reviews OIDC provider configurations for misconfigurations, and assesses token lifecycle policies. Creates security dashboards for authentication metrics. Conducts access reviews for OAuth2 client registrations and scope assignments.

OWASP & Application Security

Applies OWASP security knowledge for security event analysis and threat correlation. Conducts security reviews of application logs identifying exploitation attempts for OWASP Top 10 vulnerabilities. Uses SIEM rules and detection logic to identify application-layer attacks and suspicious authentication patterns.

PCI DSS

Applies PCI DSS controls during security assessments and risk analysis. Monitors compliance status across systems processing cardholder data. Uses scanning and log analysis tools to detect deviations from PCI requirements.

RBAC / ABAC Authorization

Analyzes RBAC and ABAC authorization policies for compliance and risk exposure. Reviews access control configurations and identifies excessive permissions. Uses audit tools to monitor authorization events and detect anomalous access patterns.

SAST/DAST

Analyzes SAST/DAST scan results to assess risk levels and prioritize remediation efforts. Correlates scanner findings with threat intelligence and known vulnerability databases. Generates actionable security reports from scanning data for development and management teams.

Secrets Management

Monitors secrets usage patterns for security anomalies: analyzes Vault audit logs, detects unauthorized access attempts, and tracks secret lifecycle compliance. Conducts periodic access reviews for secret-consuming services. Uses SIEM integration for secrets-related incident detection.

SOC2 Compliance

Applies SOC 2 compliance frameworks in daily security operations. Conducts control testing, collects audit evidence, and maintains documentation for Trust Services Criteria across availability, security, and confidentiality.

Supply Chain Security

Applies supply chain security analysis in daily work: reviews SBOM outputs for vulnerability exposure, tracks CVE impact across dependency graphs, and assesses third-party component risks. Uses SCA scanning tools to monitor software composition and produces risk reports for stakeholders.

Kubernetes Security

Monitors Kubernetes clusters for security events using Falco and audit logs. Analyzes container runtime behavior to detect anomalous activity and potential breaches. Investigates Kubernetes-specific security alerts including unauthorized API access, privilege escalation, and suspicious pod deployments.

Cloud Security

Monitors cloud environments using SIEM platforms and CloudTrail analysis. Conducts security reviews of cloud resource configurations. Uses cloud-native detection tools to identify suspicious activity, analyze security events, and escalate confirmed threats for incident response.

Threat Modeling

Independently conducts threat modeling for medium-complexity systems using STRIDE and attack trees. Correlates identified threats with MITRE ATT&CK framework tactics. Understands trade-offs between security controls and system usability. Produces actionable threat reports with risk-ranked mitigation recommendations.

Digital Forensics Basics

Performs initial forensic triage on security alerts using log analysis and artifact collection. Preserves digital evidence following established procedures and chain of custody requirements. Uses forensic imaging tools to create verified copies of affected systems for detailed investigation.

Secure Coding Practices

Applies secure coding knowledge in security event analysis — correlates SAST/DAST findings with runtime security events, identifies exploitation attempts for known code vulnerabilities, and validates security fixes in remediation workflows. Uses code analysis tools to support threat investigation and vulnerability triage.

Incident Response Process

Executes incident response procedures including detection, containment, and initial investigation. Classifies incidents by severity using established criteria and escalates appropriately. Performs log analysis and IOC correlation in SIEM to determine attack scope and impact on affected systems.

Network Security

Independently monitors and investigates network security events using SIEM and IDS/IPS platforms. Correlates firewall logs, NetFlow data, and DNS queries to detect lateral movement and C2 communication. Tunes IDS signatures to reduce false positives and documents network-based indicators of compromise for incident response playbooks.

Dependency Vulnerability Scanning

Independently runs and interprets SCA scans using Snyk, Dependabot, or Trivy across the organization's repositories. Conducts security reviews of dependency update pull requests, assessing changelog impact and potential regressions. Correlates vulnerability scanner output with threat intelligence feeds to prioritize remediation. Produces actionable reports for engineering teams with clear remediation timelines.

Vulnerability Management

Triages and prioritizes vulnerabilities based on risk scoring, asset criticality, and threat context. Monitors vulnerability feeds and correlates with organizational exposure. Uses vulnerability management platforms to generate remediation reports and track SLA compliance across teams.