
Key Responsibilities and Required Skills for Cyber Intelligence Analyst

💰 $80,000 - $150,000

Cybersecurity · Intelligence · Threat Analysis · Information Security

🎯 Role Definition

A Cyber Intelligence Analyst collects, analyzes, and disseminates actionable cyber threat intelligence to reduce organizational risk, prioritize defensive actions, and support incident response and executive decision-making. This role blends technical analysis (malware analysis, network traffic review, IOC development), open-source and human intelligence collection (OSINT/HUMINT), threat actor profiling, and contextual reporting mapped to frameworks such as MITRE ATT&CK. The Cyber Intelligence Analyst drives proactive detection, advises on mitigation strategies, and ensures intelligence is operationalized across security operations, incident response, risk, and executive stakeholders.


📈 Career Progression

Typical Career Path

Entry Point From:

  • SOC Analyst (Tier 1 / Tier 2) familiar with alert triage and SIEM querying.
  • Incident Response Analyst or Digital Forensics Technician who has experience investigating compromises.
  • Intelligence Analyst Intern / OSINT Researcher with hands-on experience gathering and validating open-source data.

Advancement To:

  • Senior Cyber Intelligence Analyst (lead analyst role focusing on strategic intelligence products).
  • Threat Intelligence Lead or Threat Intelligence Manager (team leadership and program ownership).
  • Threat Hunting Lead, Director of Threat Intelligence, or Head of Threat Operations.
  • Strategic Risk or CISO-track roles where intelligence informs enterprise security strategy.

Lateral Moves:

  • Threat Hunter (proactive adversary discovery across telemetry).
  • Incident Responder / Forensics Lead (hands-on remediation and root cause analysis).
  • SOC Manager or Detection Engineer (build detection content and tune telemetry).
  • Cyber Risk Analyst or Vulnerability Management Analyst (translate intelligence into remediation priorities).

Core Responsibilities

Primary Functions

  • Collect, aggregate, and normalize threat data from diverse sources (internal telemetry, SIEM, EDR, TIPs, OSINT feeds, commercial intelligence, and partner sharing communities) to create a single curated intelligence picture that drives detection and response.
  • Produce timely tactical intelligence products (IOCs, YARA rules, Sigma rules, STIX bundles shared over TAXII) that SOC and detection engineering teams can operationalize immediately to block or detect adversary activity.
  • Perform malware triage and static/dynamic analysis to identify malware capabilities, persistence mechanisms, C2 protocols, and indicators of compromise, and translate findings into remediation and detection guidance for infrastructure owners.
  • Map observed adversary behavior, tools, and techniques to MITRE ATT&CK and other frameworks, producing clear TTP-based assessments that inform prioritized defensive actions and detection coverage gaps.
  • Lead incident intelligence support during security incidents by providing attribution analysis, campaign correlation, artifact enrichment, and recommendations for containment, eradication, and recovery actions.
  • Conduct proactive threat hunting campaigns using hypotheses derived from intelligence, telemetry analysis (network, endpoint, application logs), and adversary behaviors to uncover hidden compromises and reduce dwell time.
  • Maintain and enrich the organization’s threat intelligence platform (MISP, Anomali, Recorded Future, ThreatConnect or equivalent), ensuring accurate tagging, confidence scoring, and lifecycle management of IOCs and threat actors.
  • Develop and maintain automated enrichment pipelines (e.g., scripts, playbooks, STIX/TAXII integrations) that enhance observables with contextual data (geolocation, ASN, actor profiles, previous sightings), improving analyst triage speed and accuracy.
  • Monitor dark web, underground forums, paste sites, code repositories, and social media for targeted threats, data leaks, or emerging tooling relevant to the enterprise and deliver prioritized intelligence briefs.
  • Conduct strategic analysis that synthesizes long-term threat trends, geopolitical drivers, and sector-specific risks to inform executive briefings, tabletop exercises, and enterprise risk decisions.
  • Build and maintain relationships with external intelligence sharing communities (ISACs/ISAOs, government CERTs, vendor partners) to exchange indicators, coordinate responses, and share best practices.
  • Validate and tune detection content by correlating intelligence findings with historical telemetry and confirmed incidents, providing measurable improvements to detection fidelity and reducing false positives.
  • Create and deliver clear written intelligence deliverables and oral briefings for technical teams, business stakeholders, and executives—tailoring the level of detail to audience needs and decision timelines.
  • Translate adversary playbooks into concrete mitigation and control recommendations (network segmentation, EDR policies, threat hunting signatures, blocking lists) and work with owners to implement them.
  • Lead threat modeling and risk assessments for critical applications and assets by integrating external threat intelligence with internal architecture, exposure, and vulnerability data.
  • Maintain awareness of legal, privacy, and policy constraints when collecting and disseminating intelligence, ensuring all activity complies with applicable laws and organizational guidelines.
  • Curate and maintain an internal knowledge base of adversary profiles, campaign timelines, and investigative playbooks to accelerate future investigations and onboarding of new analysts.
  • Support vulnerability management by prioritizing patches and compensating controls based on active exploitation, public exploit availability, and targetability of the organization.
  • Conduct attribution and campaign clustering by linking multiple incidents across time and telemetry to identify persistent adversaries, supply chain threats, or coordinated campaigns.
  • Mentor junior analysts in investigative techniques, intelligence lifecycle management, and use of tools (SIEM, EDR, malware sandboxes, TIPs), building team capability and analytical rigor.
  • Define and track intelligence program metrics (mean time to deliver intelligence, IOC time-to-enrichment, detection coverage improvements) to demonstrate operational impact and guide resourcing.
  • Perform scheduled and ad-hoc open-source and commercial research to evaluate new threat actor groups, malware families, or exploitation trends, and translate findings into detection or policy change proposals.
  • Coordinate cross-functional intelligence-driven exercises and tabletop scenarios with incident response, legal, communications, and business continuity to validate organizational readiness and playbooks.
  • Maintain readiness for 24/7 escalation as part of on-call rotations, providing high-confidence intelligence support during major incidents and cross-organizational crisis responses.
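The collection, normalization, enrichment and STIX packaging responsibilities above, shown end to end as an added Python example (not code from the original page). The raw feed, ASN table, sightings index and TIP confidence values are constructed in-memory stand-ins for a real TIP and lookup service, and the refanging rules, the scoring formula (TIP confidence plus 10 per internal sighting) and the x_sightings custom property are assumptions made for illustration.

```python
"""Added example: a minimal IOC enrichment pipeline.

Raw observables (defanged, duplicated, mixed types) are refanged, classified,
filtered, enriched from local lookup tables, scored, and emitted as a STIX 2.1
bundle of Indicator objects ready for a TIP or TAXII server.
All data sources below are constructed stand-ins; no network access is made.
"""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed raw feed: defanged URL/IP, a duplicate IP, a mixed-case domain,
# a SHA-256-shaped hash, an internal address, and junk.
RAW_FEED = [
    "hxxp://malicious[.]example/payload.bin",
    "198.51.100.23",
    "198[.]51[.]100[.]23",
    "MALICIOUS.EXAMPLE",
    "a" * 64,
    "10.0.0.5",
    "not an indicator!!",
]

# Constructed enrichment sources standing in for ASN/GeoIP data, an internal
# sightings index, and confidence values pulled from a TIP.
ASN_DB = {"198.51.100.0/24": {"asn": 64500, "org": "Example Hosting", "country": "ZZ"}}
SIGHTINGS = {"198.51.100.23": 3, "malicious.example": 1}
TIP_CONFIDENCE = {"malicious.example": 85}

# Ranges never actionable as external indicators (RFC 1918, loopback,
# link-local, "this" network, multicast).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]


def refang(value: str) -> str:
    """Undo common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str):
    """Return (STIX object type, normalized value), or None if unusable."""
    v = refang(value)
    try:
        ip = ipaddress.ip_address(v)
        if any(ip in net for net in NON_ROUTABLE):
            return None
        return ("ipv4-addr" if ip.version == 4 else "ipv6-addr", str(ip))
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]{64}", v):
        return ("file", v.lower())
    if re.fullmatch(r"https?://\S+", v, flags=re.IGNORECASE):
        return ("url", v)
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", v.lower()):
        return ("domain-name", v.lower())
    return None


def lookup_asn(ip: str):
    addr = ipaddress.ip_address(ip)
    for cidr, info in ASN_DB.items():
        if addr in ipaddress.ip_network(cidr):
            return info
    return None


def host_of(url: str) -> str:
    return re.sub(r"^https?://([^/:?#]+).*$", r"\1", url, flags=re.IGNORECASE).lower()


def enrich(kind: str, value: str) -> dict:
    """Attach sightings, ASN and an (assumed) confidence score to one observable."""
    key = host_of(value) if kind == "url" else value   # URLs are scored by host
    rec = {"type": kind, "value": value, "sightings": SIGHTINGS.get(key, 0)}
    if kind == "url":
        rec["host"] = key
    if kind in ("ipv4-addr", "ipv6-addr"):
        rec["asn"] = lookup_asn(value)
    # Assumed scoring: TIP confidence (default 50) + 10 per internal sighting, capped at 100.
    rec["confidence"] = min(100, TIP_CONFIDENCE.get(key, 50) + 10 * rec["sightings"])
    return rec


PATTERNS = {
    "ipv4-addr": "[ipv4-addr:value = '{}']",
    "ipv6-addr": "[ipv6-addr:value = '{}']",
    "domain-name": "[domain-name:value = '{}']",
    "url": "[url:value = '{}']",
    "file": "[file:hashes.'SHA-256' = '{}']",
}


def to_stix_indicator(rec: dict) -> dict:
    """Build a STIX 2.1 Indicator; the id is a UUIDv5 of the value so re-runs dedupe."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, rec['value'])}",
        "created": now, "modified": now, "valid_from": now,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": PATTERNS[rec["type"]].format(rec["value"]),
        "confidence": rec["confidence"],
        "x_sightings": rec["sightings"],   # custom property; naming is an assumption
    }


def build_bundle(raw_feed) -> dict:
    """Normalize, dedupe, enrich and package a raw feed as a STIX 2.1 bundle."""
    records = {}
    for item in raw_feed:
        classified = classify(item)
        if classified is None or classified[1] in records:
            continue   # junk, non-routable, or duplicate after normalization
        records[classified[1]] = enrich(*classified)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [to_stix_indicator(r) for r in records.values()]}


if __name__ == "__main__":
    print(json.dumps(build_bundle(RAW_FEED), indent=2))
```

Running the block prints a four-object bundle: the two spellings of the IP collapse to one indicator, the internal address and the junk line are dropped, and the URL inherits the confidence and sightings of its host. The deterministic UUIDv5 id means pushing the same feed twice into a TIP updates rather than duplicates the indicator.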

Secondary Functions

  • Support ad-hoc intelligence requests from internal teams (legal, HR, physical security, executive protection) and external partners, delivering tailored reporting and recommended actions.
  • Contribute to the organization’s intelligence strategy, roadmap, and tooling selection (TIPs, analytical platforms, automation frameworks) to scale program effectiveness.
  • Collaborate with detection engineering to translate intelligence into durable detection rules (Sigma, YARA, Snort) and automated response playbooks for SOAR integration.
  • Participate in sprint planning and agile ceremonies when intelligence products are delivered as part of engineering or security ops teams.
  • Provide subject matter expertise to procurement, legal, and third-party risk teams when evaluating supplier compromises, vendor security posture, or supply chain threats.
  • Develop training materials and run workshops for SOC analysts, incident responders, and engineering teams on latest adversary techniques, IOC interpretation, and intelligence-driven investigations.
  • Maintain and refine playbooks, runbooks, and case templates for common investigations to reduce time-to-resolution and ensure consistent analysis quality.
  • Assist in the evaluation and proof-of-concept testing of new intelligence vendors, data sources, and analytic tools to augment internal capabilities.
  • Create executive-ready dashboards and periodic reports summarizing threat posture, active campaigns, and strategic recommendations for senior leadership.
  • Support legal and compliance teams with intelligence artifacts needed for regulatory reporting, law enforcement coordination, or insurance claims.

Required Skills & Competencies

Hard Skills (Technical)

  • Threat intelligence collection and analysis across open-source, human, and technical sources (OSINT, HUMINT, internal telemetry and sensor data) and operationalization across SOC and incident response.
  • Proficiency with Threat Intelligence Platforms (MISP, ThreatConnect, Recorded Future or equivalent) and with the sharing standards they exchange data in (STIX for content, TAXII for transport), including integrating with TAXII servers.
  • Strong experience with SIEM platforms (Splunk, IBM QRadar, Elastic Security, Microsoft Sentinel) to query telemetry, create searches, and validate detections.
  • Malware analysis capabilities including static and dynamic analysis using disassemblers such as Ghidra or IDA Pro, sandboxes such as Cuckoo, and enrichment services such as VirusTotal; ability to extract IOCs and behavioral indicators.
  • Experience writing detection and hunting queries (Sigma rules, YARA, Elastic Query DSL, Kusto/KQL for Sentinel and Defender, Splunk SPL) and converting intelligence into operational detections.
  • Familiarity with network forensics and packet analysis (Wireshark, Zeek (formerly Bro)), and an understanding of TCP/IP, DNS, HTTP, and common C2 protocols.
  • Scripting and automation skills (Python, PowerShell, Bash) to build enrichment pipelines, parsers, and small-scale automation for repeatable intelligence workflows.
  • Knowledge of MITRE ATT&CK framework, adversary TTP mapping, and experience using ATT&CK for assessments and detection coverage reporting.
  • Reverse engineering fundamentals and ability to reason about compiled code behavior, obfuscation techniques, and persistence strategies.
  • Experience with IOC lifecycle management, enrichment, and dissemination to security controls (firewalls, EDR, network devices) and playbook integration with SOAR.
  • Familiarity with cloud security telemetry (AWS CloudTrail, AWS VPC Flow Logs, Azure Monitor, GCP Cloud Audit Logs) and cloud-specific threat patterns.
  • Understanding of vulnerability management prioritization using intel data (exploit availability, active campaigns) and CVE mapping.
  • Experience with threat hunting methodologies and hypothesis-driven investigative techniques across multiple telemetry sources.
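Converting intelligence into an operational detection and validating it against historical telemetry (the detection-tuning responsibility under Primary Functions and the detection-query skill in this list), as an added Python example that is not code from the original page. The Sigma rule is built as a dict in Sigma's structure rather than written as YAML, the matcher implements only the subset of Sigma it needs (exact match, the endswith/contains/startswith modifiers, and a condition of the form "(a or b) and not f"), and the IOCs, log events, field names (query, src_ip, dst_ip) and sandbox allowlist are all constructed.

```python
"""Added example: intel-to-detection with replay against historical telemetry.

A curated IOC set becomes a Sigma-structured rule, and the rule is replayed
over labelled historical events to count true and false positives before it
ships. Two domain-matching strategies are compared: exact-or-subdomain, and
the sloppier |contains modifier that also fires on look-alike names.
IOCs, events, field names and allowlist are constructed.
"""
import json
import uuid

IOCS = {"domains": ["malicious.example", "c2.bad.example"], "ips": ["198.51.100.23"]}

# Constructed DNS telemetry, one JSON event per line (field names are assumed).
HISTORICAL_LOGS = """\
{"ts":"2024-05-01T10:00:00Z","src_ip":"10.1.2.3","dst_ip":"198.51.100.23","query":"cdn.malicious.example"}
{"ts":"2024-05-01T10:05:00Z","src_ip":"10.1.2.4","dst_ip":"203.0.113.9","query":"malicious.example.org"}
{"ts":"2024-05-01T10:06:00Z","src_ip":"10.1.2.5","dst_ip":"203.0.113.10","query":"intranet.corp.example"}
{"ts":"2024-05-01T10:07:00Z","src_ip":"10.1.2.6","dst_ip":"198.51.100.23","query":"sandbox.corp.example"}
"""
# Hosts allowed to touch C2 infrastructure, e.g. the malware sandbox (constructed).
ALLOWLIST_SRC = {"10.1.2.6"}


def build_rule(iocs: dict, allowlist: set, precise: bool = True) -> dict:
    """Build a Sigma-structured rule dict from IOCs (dump with a YAML library for the file)."""
    if precise:
        detection = {
            "sel_domain_exact": {"query": list(iocs["domains"])},
            "sel_domain_sub": {"query|endswith": ["." + d for d in iocs["domains"]]},
        }
    else:
        detection = {"sel_domain": {"query|contains": list(iocs["domains"])}}
    detection["sel_ip"] = {"dst_ip": list(iocs["ips"])}
    detection["filter_allow"] = {"src_ip": sorted(allowlist)}
    positives = " or ".join(k for k in detection if k.startswith("sel_"))
    detection["condition"] = f"({positives}) and not filter_allow"
    return {
        "title": "Contact with intel-reported C2 infrastructure",
        "id": str(uuid.uuid4()),
        "status": "experimental",
        "logsource": {"category": "dns_query"},   # field names below are this example's assumption
        "detection": detection,
        "level": "high",
        "tags": ["attack.command_and_control", "attack.t1071.004"],   # ATT&CK mapping
    }


def field_matches(event: dict, spec: str, values) -> bool:
    """Evaluate one Sigma field spec such as "query|endswith" against an event."""
    name, _, modifier = spec.partition("|")
    actual = str(event.get(name, "")).lower()
    for v in (values if isinstance(values, list) else [values]):
        v = str(v).lower()
        if modifier == "" and actual == v:
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "startswith" and actual.startswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    return all(field_matches(event, spec, vals) for spec, vals in selection.items())


def rule_matches(event: dict, rule: dict) -> bool:
    """Evaluate a condition of the form "(sel_a or sel_b ...) and not filter"."""
    det = rule["detection"]
    positive, _, negative = det["condition"].partition(" and not ")
    names = [n.strip() for n in positive.strip("() ").split(" or ")]
    if negative and selection_matches(event, det[negative.strip()]):
        return False
    return any(selection_matches(event, det[n]) for n in names)


def validate(rule: dict, log_text: str, known_bad_queries: set) -> dict:
    """Replay the rule over historical events the analyst has already labelled."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    hits = [e for e in events if rule_matches(e, rule)]
    return {
        "hits": len(hits),
        "true_positives": sum(e["query"] in known_bad_queries for e in hits),
        "false_positives": [e["query"] for e in hits if e["query"] not in known_bad_queries],
    }


if __name__ == "__main__":
    labelled_bad = {"cdn.malicious.example"}
    for precise in (True, False):
        rule = build_rule(IOCS, ALLOWLIST_SRC, precise=precise)
        print("precise" if precise else "contains", validate(rule, HISTORICAL_LOGS, labelled_bad))
```

Replayed over the four constructed events, the precise rule fires once (the subdomain of a listed C2 domain) and stays silent on the sandbox host because of the allowlist filter; the contains variant additionally flags malicious.example.org, a look-alike the intel never named. That is the kind of measurable false-positive difference the validation step is meant to surface before a rule reaches production.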

Soft Skills

  • Exceptional analytical reasoning and synthesis—able to turn noisy telemetry into clear, prioritized intelligence and actionable recommendations.
  • Strong written and verbal communication skills for producing concise intelligence reports, executive briefings, and technical documentation.
  • Stakeholder management and collaboration across security operations, incident response, legal, risk, and business units.
  • Curiosity and continuous learning mindset to keep pace with adversary innovation, emerging threats, and new tooling.
  • Attention to detail and investigative rigor to validate sources, avoid false positives, and maintain intelligence quality.
  • Ability to prioritize under pressure and manage multiple concurrent investigations or requests during incidents.
  • Teaching and mentorship skills to upskill junior analysts and promote best practices across teams.
  • Ethical judgment and respect for confidentiality, privacy, and legal boundaries while collecting and sharing intelligence.
  • Problem solving and creativity when developing detection strategies or working around data gaps.
  • Project management skills to drive intelligence projects from requirements through delivery and measure outcomes.

Education & Experience

Educational Background

Minimum Education:

  • Bachelor’s degree in Computer Science, Cybersecurity, Information Systems, Intelligence Studies, Criminal Justice, or a related technical or analytical field.
  • Equivalent practical experience (SOC/IR/CTI roles) may substitute for formal degree.

Preferred Education:

  • Master’s degree in Cybersecurity, Information Assurance, Intelligence Analysis, Data Science, or a related discipline.
  • Professional certifications such as GCTI (GIAC Cyber Threat Intelligence), CISSP, GCIA, GREM, OSCP, or SANS coursework related to malware analysis and threat intelligence.

Relevant Fields of Study:

  • Cybersecurity / Information Security
  • Computer Science or Engineering
  • Intelligence Studies / International Relations
  • Data Science / Applied Analytics
  • Criminal Justice / Forensic Science

Experience Requirements

Typical Experience Range: 3–7+ years in cybersecurity roles with at least 2 years focused on threat intelligence, incident response, malware analysis, or SOC operations.

Preferred:

  • 5+ years of direct threat intelligence experience across tactical, operational, and strategic intelligence lifecycles.
  • Demonstrated experience producing intelligence products that were operationalized by SOC, detection engineering, and incident response teams.
  • Prior experience collaborating with external sharing communities (ISACs/ISAOs), government agencies, or multi-organization threat intelligence programs.