Cybersecurity Careers | Roles, Salaries & How to Get Started
Analyst Roles | High Demand

Threat Intelligence Analyst

Threat Intelligence Analysts research adversaries and provide actionable intelligence to defend organizations. An analytical role in security.

Mid Level: $92,000 - $118,000

Experience Required: 2-4 years

Recommended Certifications: GCTI

Tools: MISP

What Does a Threat Intelligence Analyst Do?

Threat Intelligence Analysts serve as the research and strategy arm of cybersecurity teams. Unlike SOC Analysts who focus on detecting and responding to immediate threats, TI Analysts take a broader view, studying adversaries, tracking attack campaigns, and transforming raw data into actionable intelligence that strengthens organizational defenses.

The core mission is understanding who might attack the organization, how they operate, and what defensive measures will be most effective. This requires combining technical analysis with strategic thinking, often researching threat actors for weeks or months to understand their motivations, capabilities, and typical attack patterns.

Primary responsibilities include:

  • Monitoring threat landscapes: Continuously tracking threat feeds, security news, dark web forums, and intelligence sharing communities for emerging threats relevant to the organization.
  • Researching threat actors: Building profiles of adversary groups, including their motivations (financial, espionage, hacktivism), capabilities, preferred targets, and historical attack patterns.
  • Analyzing malware and attack campaigns: Examining malicious code samples, phishing campaigns, and infrastructure to understand attacker techniques and extract indicators of compromise.
  • Producing intelligence reports: Translating complex technical findings into clear, actionable reports tailored for different audiences, from technical staff to executive leadership.
  • Mapping threats to frameworks: Using MITRE ATT&CK to categorize adversary tactics and techniques, enabling defenders to prioritize detection capabilities.
  • Collaborating with security teams: Working with SOC analysts, incident responders, and security engineers to ensure intelligence translates into improved defenses.
  • Sharing intelligence externally: Participating in Information Sharing and Analysis Centers (ISACs) and threat intelligence sharing communities to both contribute and receive intelligence.
  • Supporting incident response: Providing contextual intelligence during active incidents, helping responders understand who is attacking and what to expect next.

A skilled Threat Intelligence Analyst connects the dots between seemingly unrelated events, identifies patterns that indicate coordinated attack campaigns, and provides the strategic context that helps organizations invest their security resources wisely.

Types of Threat Intelligence

Effective threat intelligence programs produce different types of intelligence for different audiences and purposes. Understanding these categories is fundamental to the role.

Strategic Intelligence

Strategic intelligence addresses high-level trends and risks for executives, boards, and business leaders. It focuses on questions like: Which threat actors target our industry? What geopolitical developments might increase our risk? How does our threat landscape compare to peers?

This intelligence is typically delivered through quarterly briefings, annual threat assessments, and board-level presentations. It requires strong communication skills and the ability to translate technical findings into business impact.

Tactical Intelligence

Tactical intelligence focuses on adversary tactics, techniques, and procedures (TTPs). Security teams use this intelligence to improve detection rules, hunting hypotheses, and defensive architectures.

For example, if a threat actor group is known to use specific lateral movement techniques, tactical intelligence enables the SOC to create detection rules for those exact patterns.

Operational Intelligence

Operational intelligence provides details on specific attack campaigns, including timing, targets, and methods. This intelligence helps organizations prepare for imminent threats or understand ongoing attacks.

When a new ransomware campaign targets healthcare organizations, operational intelligence describes how the attacks unfold, what initial access vectors are used, and what indicators to watch for.

Technical Intelligence

Technical intelligence comprises the raw indicators of compromise (IOCs): IP addresses, domain names, file hashes, email addresses, and other technical artifacts. While the most perishable type of intelligence (attackers change infrastructure frequently), technical indicators remain valuable for immediate detection and blocking.

Career Progression

Threat Intelligence is generally not an entry-level role. Most analysts build foundational security experience before specializing in intelligence work.

Pre-TI Experience (1-3 years)

Most successful TI analysts start in roles that provide operational security experience:

  • SOC Analyst or Security Analyst
  • Incident Responder
  • Security Researcher
  • Malware Analyst

This foundation is essential because producing useful intelligence requires understanding how defenders actually work.

Junior Threat Intel Analyst ($70K-$88K)

Entry-level TI positions focus on:

  • Processing threat feeds and managing IOCs
  • Assisting senior analysts with research
  • Writing tactical intelligence reports
  • Maintaining threat intelligence platforms

Threat Intelligence Analyst ($92K-$118K)

Mid-level analysts take on more complex analysis:

  • Independent research on threat actors
  • Producing strategic intelligence reports
  • Briefing stakeholders and leadership
  • Building relationships with external intelligence partners
  • Developing collection strategies

Senior Analyst / Team Lead ($125K-$155K)

Senior roles involve strategic leadership:

  • Leading threat research programs
  • Mentoring junior analysts
  • Shaping organizational intelligence priorities
  • Presenting to executive leadership
  • Building and managing TI teams

Beyond Analyst Roles

Experienced Threat Intelligence professionals often progress to:

  • Threat Intelligence Manager/Director: Leading TI programs and teams
  • Threat Hunting Lead: Applying intelligence to proactive threat detection
  • Security Research (Vendor): Working at security companies producing threat research
  • Government/Intelligence Agencies: Applying skills to national security
  • Red Team Leadership: Using adversary knowledge offensively
  • CISO/Security Leadership: Leveraging strategic perspective for executive roles

Essential Skills for Success

Technical Skills

MITRE ATT&CK Mastery: The ATT&CK framework is the common language of threat intelligence. Understanding how to map adversary behavior to ATT&CK techniques and use the framework for analysis is essential.

OSINT Collection: Gathering intelligence from open sources requires knowing where to look and how to validate information. This includes social media, paste sites, code repositories, dark web forums, and technical databases.

Malware Analysis Fundamentals: While you may not need to be a reverse engineering expert, understanding malware behavior, extracting indicators, and interpreting sandbox reports is valuable.

Scripting Ability: Python skills enable automation of repetitive tasks, data parsing, and integration with threat intelligence platforms. YARA rule writing is particularly valuable for malware research.

Research Methodology: Systematic approaches to investigation, hypothesis testing, and evidence evaluation separate skilled analysts from those who produce unreliable intelligence.

Soft Skills

Analytical Thinking: The ability to synthesize information from multiple sources, identify patterns, and draw logical conclusions under uncertainty is the core competency.

Written Communication: Intelligence is only valuable if communicated effectively. Strong writing skills are essential for producing reports that people actually read and act upon.

Geopolitical Awareness: Understanding international relations, nation-state motivations, and current events helps contextualize threat actor activity and predict future targeting.

Stakeholder Management: Different audiences need different intelligence products. Adapting your communication style for technical teams versus executives is crucial.

Critical Evaluation: Not all sources are reliable. Evaluating source credibility, identifying misinformation, and avoiding confirmation bias requires constant vigilance.

Day in the Life

A typical day for a mid-level Threat Intelligence Analyst might include:

8:00 AM: Review overnight threat feed alerts and intelligence reports from sharing partners. Flag anything requiring immediate attention.

9:00 AM: Continue research on an APT group targeting the financial sector. Analyze new malware samples associated with the group and update the internal threat actor profile.

10:30 AM: Team standup meeting. Share findings from APT research and discuss priorities for the week.

11:00 AM: Write a tactical intelligence brief on the new TTPs identified. Include detection recommendations for the SOC team.

12:00 PM: Lunch and browse security Twitter, Reddit, and industry blogs for emerging stories.

1:00 PM: Attend an ISAC meeting virtually. Share sanitized intelligence about recent phishing campaigns and receive intelligence from peer organizations.

2:30 PM: Support an active incident investigation. Provide context on the threat actor likely responsible based on observed TTPs.

3:30 PM: Update threat intelligence platform with new IOCs and adversary mappings from morning research.

4:30 PM: Prepare slides for next week's executive briefing on quarterly threat trends.

5:30 PM: Review MISP feed contributions from the community and end the day.

Is This Career Right for You?

Threat Intelligence work attracts certain personality types. Consider whether these characteristics describe you:

You May Excel If You:

  • Enjoy research and investigation, following threads for hours
  • Are naturally curious about adversaries and attack techniques
  • Can communicate complex technical concepts to non-technical audiences
  • Follow geopolitical news and understand international relations
  • Have strong writing skills and enjoy producing reports
  • Can work independently while still collaborating with teams
  • Tolerate ambiguity and incomplete information
  • Find patterns and connections others miss

Consider Other Paths If You:

  • Prefer hands-on technical work over research and writing
  • Need immediate, tangible results from your work
  • Dislike writing reports and briefings
  • Are uncomfortable making assessments with incomplete information
  • Prefer reactive work over proactive research
  • Do not enjoy tracking news and current events

Common Challenges

Intelligence Consumption Gap: Organizations often struggle to use intelligence effectively. Producing excellent reports that nobody reads can be frustrating. Success requires building relationships and ensuring intelligence connects to action.

Attribution Uncertainty: Definitively attributing attacks to specific actors is extremely difficult. Analysts must communicate confidence levels clearly and avoid overclaiming.

Staying Current: The threat landscape evolves constantly. Continuous learning and staying updated on new threats, actors, and techniques requires ongoing effort.

Measuring Impact: Quantifying the value of threat intelligence is challenging. Unlike incident response where outcomes are clear, intelligence value is often preventive and harder to demonstrate.

Why This Role is In Demand

The demand for Threat Intelligence Analysts continues to grow as organizations recognize that reactive security is insufficient. Understanding adversaries provides strategic advantage.

Key demand drivers:

  • Nation-state threats targeting critical infrastructure, intellectual property, and financial systems continue to increase
  • Sophisticated criminal organizations (ransomware groups, fraud networks) require dedicated tracking
  • Regulatory requirements increasingly mandate threat intelligence capabilities
  • Supply chain attacks require understanding of threat actor targeting patterns
  • Executive leadership demands strategic intelligence for risk decisions
  • Security teams need context to prioritize alerts and defensive investments

Financial services, healthcare, government, defense contractors, and critical infrastructure organizations are particularly active employers. Consulting firms and Managed Security Service Providers also maintain substantial TI teams.

Remote work has expanded opportunities significantly, allowing analysts to work for organizations anywhere. The combination of technical skills and strategic thinking commands premium salaries, with senior roles often exceeding $150,000.

Salary Range

  • Entry Level: $70,000 - $88,000
  • Mid Level: $92,000 - $118,000
  • Senior Level: $125,000 - $155,000

Required Skills

  • Threat Research
  • OSINT
  • Malware Analysis
  • Report Writing
  • MITRE ATT&CK
  • Indicator Analysis

Recommended Certifications

  • GCTI
  • CTIA
  • CompTIA CySA+
  • GREM

Tools

  • MISP
  • VirusTotal
  • Maltego
  • Shodan
  • Recorded Future

Skills Breakdown

Technical Skills

  • Threat Research & Analysis
  • OSINT Collection Techniques
  • Malware Analysis Fundamentals
  • MITRE ATT&CK Framework
  • Indicator of Compromise (IOC) Analysis
  • Dark Web Monitoring
  • Scripting (Python, YARA)
  • Threat Modeling

Soft Skills

  • Analytical Thinking
  • Written Communication
  • Critical Evaluation
  • Attention to Detail
  • Curiosity & Research Drive
  • Stakeholder Communication
  • Geopolitical Awareness
  • Collaboration

Tools

  • MISP (Malware Information Sharing Platform)
  • VirusTotal
  • Maltego
  • Shodan
  • Recorded Future
  • ThreatConnect
  • Anomali
  • IBM X-Force Exchange

Learning Path

1. Build Security Foundations (3-4 months)

Develop core cybersecurity knowledge including networking, operating systems, and common attack vectors. Obtain foundational certifications like CompTIA Security+ to establish credibility.

2. Gain SOC or Security Experience (12-24 months)

Work in a SOC or security analyst role to understand how organizations detect and respond to threats. This operational experience is critical for producing relevant intelligence.

3. Master OSINT & Research Methods (2-3 months)

Learn open source intelligence collection techniques, including social media analysis, domain research, and dark web monitoring. Practice with tools like Maltego and SpiderFoot.

4. Study Threat Actors & Frameworks (2-3 months)

Deep dive into MITRE ATT&CK, threat actor profiles, and attack campaign analysis. Understand how to track adversaries and map their tactics, techniques, and procedures.

5. Develop Intelligence Products (1-2 months)

Build a portfolio by creating threat intelligence reports, tracking real campaigns, and contributing to threat sharing communities. Pursue GCTI or CTIA certification.

Frequently Asked Questions
SOC Analysts focus on real-time detection and response to security alerts. Threat Intelligence Analysts take a more strategic view, researching adversaries, analyzing attack trends, and producing intelligence that helps the entire security team be more effective. TI is generally considered a more senior, specialized role.
While not strictly required, programming skills significantly enhance your effectiveness. Python is valuable for automation and data analysis, and YARA rule writing is essential for malware research. Many analysts also use SQL for database queries and APIs for threat feed integration.
Yes, it offers excellent growth potential and salaries. As nation-state threats and sophisticated criminal organizations increase, organizations need dedicated intelligence capabilities. The role combines technical analysis with strategic thinking, appealing to those who enjoy research and puzzles.
Financial services, defense contractors, government agencies, healthcare, and large enterprises are major employers. Consulting firms and Managed Security Service Providers also hire TI analysts. Increasingly, any organization with significant digital assets needs threat intelligence capabilities.
Most TI Analyst positions require 2-4 years of prior security experience. A typical path involves 1-2 years in a SOC or security analyst role, followed by specialized training in intelligence methods. With dedicated effort, you can transition into a junior TI role within 2-3 years of starting your cybersecurity career.