Cybersecurity and Applied AI career insights
© 2023-2026 Bespoke Intermedia LLC
Founded by Julian Calvo, Ed.D., M.S.
Direct answer · last verified 2026-04
Threat intelligence careers start with SOC Analyst or Intelligence Analyst roles, then progress to Threat Intelligence Analyst (years 2 to 4, $90,000 to $120,000), Senior TI Analyst (years 4 to 7, $120,000 to $155,000), and TI Manager or Team Lead (years 7+, $140,000 to $180,000). Key skills include OSINT collection, MITRE ATT&CK mapping, malware analysis basics, and geopolitical awareness. Military or government intelligence backgrounds provide a strong foundation.
Cybersecurity threat intelligence (CTI) focuses on understanding adversaries: who they are, what they target, how they operate, and how that intelligence drives defensive decisions. The discipline splits into three altitude levels, each with distinct skill demands.
Strategic CTI: long-form reporting for executives and boards, geopolitical context, threat-actor attribution narratives, industry-level trend analysis.
Operational CTI: campaign-tracking, mid-term threat-actor TTP evolution, intelligence requirements management.
Tactical CTI: IOC enrichment, technical indicators (hashes, IPs, domains), MITRE ATT&CK technique mapping that feeds detection content.
Most working CTI analysts spend roughly 60 percent of time on tactical and operational work and 40 percent on strategic reporting.
Year-by-year compensation and scope.
Year 0-2 entry-level Junior CTI Analyst or pivot from SOC: $72,000-$98,000, focuses on IOC enrichment, automated feed curation, and shadowing senior analyst report production.
Year 2-5 Threat Intelligence Analyst: $95,000-$135,000, owns named threat-actor tracking, contributes to weekly threat reports, briefs SOC on emerging campaigns.
Year 5-8 Senior CTI Analyst: $130,000-$170,000, owns multi-actor campaign narratives, leads intelligence-requirements gathering with security leadership.
Year 8-12 CTI Lead or Manager: $155,000-$210,000, manages a 3-8 person team, owns the intelligence program roadmap.
Per the SANS 2024 GIAC Salary Survey, GCTI holders earn a median of $128,400, with senior-tier CTI analysts at top-paying employers (Mandiant, CrowdStrike, Recorded Future, Microsoft Threat Intelligence Center, Google TAG) clearing $185,000-$240,000.
Entry paths in order of efficiency.
Path one, SOC Analyst with deliberate CTI focus: 18-24 months in Tier 1 or Tier 2 SOC with a documented portfolio of threat-research blog posts or internal CTI deliverables.
Path two, military or government intelligence: USCYBERCOM, NSA, DIA, FBI Cyber Division, and military intelligence MOSs (Army 35Q Cryptologic Linguist, Navy CTN, Air Force 1N4 Fusion Analyst) produce CTI candidates with strong analytic-tradecraft foundations.
Path three, OSINT-first: independent OSINT research, contributions to MISP communities or open-source threat-intel projects, public-facing threat-actor write-ups that demonstrate analytic rigor before any cybersecurity job.
Path four, journalism or analyst pivot: former tech or security journalists frequently move into vendor CTI roles where writing rigor outweighs technical depth.
Required skills by category.
Tradecraft: structured analytic techniques per the IARPA-funded analytic standards, Analysis of Competing Hypotheses (ACH), the diamond model of intrusion analysis (Caltagirone, Pendergast, Betz 2013), and the Kill Chain framework (Hutchins, Cloppert, Amin 2011).
Technical: MITRE ATT&CK technique mapping, IOC pivot pattern recognition, light malware behavioral analysis.
Tooling: MISP (open-source threat-intel platform), Maltego for relationship mapping, OpenCTI, ThreatConnect, Anomali, Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence, VirusTotal Enterprise, urlscan.io, Shodan, Censys, RiskIQ PassiveTotal.
Writing: short-form (1-page) threat advisories, medium-form (5-10 page) campaign reports, long-form (20-50 page) strategic assessments.
Certifications and training that signal readiness. GCTI (GIAC Cyber Threat Intelligence) maps to SANS FOR578 and is the most recognized CTI credential. GREM (GIAC Reverse Engineering Malware) maps to SANS FOR610 and adds technical depth for tactical CTI. CompTIA CySA+ at entry provides the analytical-framework baseline. CTIA (Certified Threat Intelligence Analyst) from EC-Council is recognized but carries less weight than GCTI. CSFP (Certified SOC Forensic Practitioner) and SANS FOR508 (Advanced Incident Response, Threat Hunting and Digital Forensics) overlap usefully. Many senior CTI analysts also hold CISSP for general-security breadth.
Frameworks and reference reading. MITRE ATT&CK Enterprise Matrix v14+ is the canonical TTP framework. The Diamond Model of Intrusion Analysis (Caltagirone et al., 2013) is the standard event-modeling framework. The Lockheed Martin Kill Chain (Hutchins et al., 2011) structures campaign analysis. CISA Joint Cyber Advisories and CISA SHIELDS UP guidance provide governmental reference points. Vendor reports worth reading regularly: Mandiant M-Trends annual report, CrowdStrike Global Threat Report, Microsoft Digital Defense Report, Verizon DBIR, ENISA Threat Landscape report (annual EU reference). Subscribe to Krebs on Security, the Lawfare blog, Risky Business newsletter, and the SANS NewsBites for ongoing context.
Industry verticals that pay top of band for CTI. Financial services (JP Morgan Threat Intelligence Group, Goldman Sachs, large insurers) pays $145,000-$210,000 for senior analysts. Cybersecurity vendors (Mandiant, CrowdStrike, Recorded Future, Microsoft MSTIC, Google TAG, Sophos X-Ops) pay $135,000-$220,000 with significant variance for staff and principal levels. Federal contractors and intelligence-community supporting roles pay $130,000-$185,000 with strong clearance premiums. Tech companies with mature security programs (Meta, Apple, Amazon, Cloudflare) pay $150,000-$230,000 for in-house CTI leads. DecipherU's threat intelligence career guide covers analytic-tradecraft training, the FOR578 self-study reading list, and the portfolio examples (CTI writing samples, MITRE ATT&CK mapping exercises) that move you from SOC-adjacent to a named CTI analyst seat.
Salary data is compiled from public sources including the Bureau of Labor Statistics and industry surveys. Actual compensation varies by location, experience, company, and negotiation. This information is for educational purposes only and does not constitute financial advice.