Threat Intelligence Analyst

A cybersecurity professional who researches, analyzes, and reports on cyber threats, threat actors, and their tactics, techniques, and procedures (TTPs) to help organizations anticipate and defend against attacks.

Author
Unihackers Team

Why It Matters

Threat intelligence transforms raw data about cyber threats into actionable knowledge that enables better security decisions. Intelligence analysts research adversaries, track campaigns, and provide context that helps organizations understand not just what threats exist, but which ones matter to them specifically.

The role bridges technical security knowledge with analytical tradecraft. Analysts must understand how attacks work technically while also reasoning about attacker motivations, capabilities, and likely targets. This combination enables predictive insights rather than purely reactive defense.

Organizations leverage threat intelligence at multiple levels: tactical indicators for detection, operational insights for incident response, and strategic assessments for security investment decisions. Quality intelligence multiplies the effectiveness of every other security function.

For those who enjoy research, analysis, and connecting disparate pieces of information, threat intelligence offers intellectually engaging work with real defensive impact. The field combines technical depth with the satisfaction of understanding complex adversary operations.

Role and Responsibilities

Intelligence Cycle

Core Functions

Collection and Monitoring

  • Monitor threat feeds and intelligence sources
  • Track dark web forums and criminal marketplaces
  • Follow security researcher publications
  • Gather indicators of compromise (IOCs)

Analysis and Research

  • Analyze malware samples and campaigns
  • Research threat actor groups and TTPs
  • Map adversary techniques to MITRE ATT&CK
  • Assess threat relevance to organization

Intelligence Production

  • Write threat reports for various audiences
  • Develop threat profiles and actor assessments
  • Create tactical intelligence (IOCs, detection rules)
  • Produce strategic briefings for leadership

Operational Support

  • Support incident response with threat context
  • Advise on adversary capabilities and intent
  • Prioritize vulnerabilities based on exploitation
  • Inform security architecture decisions

Typical Threat Intelligence Activities:

Morning:
- Review overnight threat reporting
- Check intelligence feeds for new indicators
- Monitor industry alerts and advisories
- Update threat tracking dashboards

Analysis Work:
- Research new malware campaign
- Analyze phishing kit from incident
- Map TTPs to MITRE ATT&CK
- Correlate indicators across sources

Production:
- Write threat briefing for SOC
- Update threat actor profile
- Create detection rules from analysis
- Prepare executive threat summary

Collaboration:
- Brief incident response team
- Participate in information sharing groups
- Support vulnerability prioritization
- Present findings to security leadership

Intelligence Types

Tactical Intelligence
- Indicators of Compromise (IOCs)
- Detection signatures
- Immediate threat data
- Hours to days relevance

Operational Intelligence
- Threat actor TTPs
- Campaign analysis
- Attack methodologies
- Weeks to months relevance

Strategic Intelligence
- Threat landscape assessments
- Industry targeting trends
- Adversary motivations
- Months to years relevance

Essential Skills

Analytical Skills

Critical Thinking

  • Evaluate source reliability and bias
  • Distinguish correlation from causation
  • Recognize gaps in information
  • Form and test hypotheses

Research Methodology

  • Structured analytic techniques
  • OSINT collection methods
  • Source development and validation
  • Documentation and citation

Technical Skills

Technical Knowledge:

Threat Analysis:
- Malware analysis basics
- Network traffic analysis
- Attack technique understanding
- Indicator extraction

Frameworks and Standards:
- MITRE ATT&CK
- Diamond Model
- Cyber Kill Chain
- STIX/TAXII formats

Tools:
- Threat intelligence platforms (MISP, ThreatConnect)
- Malware sandboxes
- OSINT tools
- Visualization tools

Technical Foundations:
- Networking and protocols
- Operating system internals
- Programming/scripting basics
- Security tool familiarity

Communication Skills

Intelligence Report Structure:

Executive Summary
- Key findings in 2-3 sentences
- Recommended actions
- Confidence assessment

Threat Overview
- What is the threat?
- Who is behind it?
- What do they want?

Technical Analysis
- Attack methodology
- Indicators of Compromise
- MITRE ATT&CK mapping

Relevance Assessment
- Why does this matter to us?
- What assets are at risk?
- Current exposure assessment

Recommendations
- Detection opportunities
- Mitigation steps
- Monitoring priorities

Appendices
- Full IOC list
- Technical deep-dive
- Source references

Career Path

Entry Points

From Security Operations

  • SOC analyst experience
  • Develop research and writing skills
  • Build threat knowledge through investigations
  • Transition to dedicated intel role

From Analysis Background

  • Intelligence, research, or journalism experience
  • Learn technical security fundamentals
  • Apply analytical tradecraft to cyber domain
  • Leverage existing research skills

Academic Path

  • Relevant degree (cybersecurity, international relations)
  • Research and writing experience
  • Build technical foundation
  • Internships or entry positions

Progression

Junior Analyst (0-2 years)
- Process threat feeds
- Write tactical alerts
- Support senior analysts
- Build technical skills

Threat Intelligence Analyst (2-5 years)
- Independent research
- Produce operational intelligence
- Develop specialization
- Build external network

Senior Analyst (5-8 years)
- Lead research projects
- Strategic assessments
- Mentor junior analysts
- Industry collaboration

Intelligence Lead/Manager (8+ years)
- Team leadership
- Program development
- Executive engagement
- Strategic direction

Specializations

  • Malware Intelligence: Deep technical analysis
  • Geopolitical/Nation-State: APT tracking
  • Financial Crime: Criminal threat actors
  • Industry-Specific: Sector-focused threats
  • Vulnerability Intelligence: Exploitation trends

Certifications

Relevant Certifications

Intelligence-Specific

  • GIAC Cyber Threat Intelligence (GCTI): Primary intel cert
  • CTIA (Certified Threat Intelligence Analyst): EC-Council

Supporting Certifications

  • GREM: Malware analysis for deep technical work
  • OSINT certifications: Collection skills
  • Security+/CySA+: Foundational knowledge

Salary and Market

Threat Intelligence Analyst Salaries (US Market)

Role                        | Entry Level | Mid Level | Senior
Junior TI Analyst           | $65,000     | $80,000   | $95,000
Threat Intelligence Analyst | $85,000     | $110,000  | $135,000
Senior TI Analyst           | $115,000    | $140,000  | $170,000
TI Manager/Lead             | $135,000    | $160,000  | $195,000

Source: CyberSeek

Employment Options

  • Enterprise teams: Internal intelligence programs
  • Threat intel vendors: Commercial intelligence providers
  • Government: Intelligence agencies, CISA
  • Consulting: Advisory and assessment services
  • ISACs: Industry information sharing organizations

Getting Started

Build Skills

Learning Path:

1. Security Foundation
 - Technical security fundamentals
 - Common attack techniques
 - Security monitoring concepts
 - Malware basics

2. Analytical Skills
 - Structured analytic techniques
 - OSINT collection methods
 - Research methodology
 - Technical writing

3. Intelligence Tradecraft
 - MITRE ATT&CK framework
 - Diamond Model
 - Intelligence cycle
 - Report writing

4. Specialization
 - Choose focus area
 - Deep-dive research
 - Build external network
 - Publish analysis

Practice Activities

  • Track and document a threat actor group
  • Write threat reports on current campaigns
  • Participate in information sharing communities
  • Analyze publicly available malware samples
  • Map real attacks to MITRE ATT&CK

Build Visibility

  • Write threat analysis blog posts
  • Contribute to threat intelligence communities
  • Present research at conferences
  • Participate in CTI Twitter/Mastodon
  • Share IOCs and analysis responsibly