Threat Intelligence Analyst Career Guide

High demand. Median salary: $110,800.

Career intelligence synthesized from BLS, MITRE ATT&CK, O*NET, and community data using the DecipherU Methodology, designed by Julian Calvo, Ed.D.
Last updated: April 2026.


What This Role Actually Looks Like on a Tuesday Morning

It's 7:43 AM. You're scanning a fresh batch of finished intelligence reports from three different feeds: a commercial provider, an ISAC your organization belongs to, and a government-sharing portal. One report flags a new phishing campaign attributed to a tracked threat actor your team calls by their MITRE group ID. The TTPs match something you saw in your organization's Splunk logs two weeks ago. That's not a coincidence. That's a lead.

You pull the IOCs, cross-reference them against your SIEM, and find two endpoints that made outbound connections to a domain registered 11 days ago. The SOC didn't flag it. The EDR didn't fire. But you found it because you knew what to look for before the alert existed.

That's threat intelligence work. You're not waiting for the alarm. You're building the context that makes the alarm possible.

Threat intelligence analysts sit at the intersection of research, analysis, and operational security. You consume raw data from open-source feeds, dark web monitoring, vendor reports, government advisories, and internal telemetry. You turn that data into finished intelligence products: threat actor profiles, campaign assessments, indicator packages, and executive briefings. Your output feeds the SOC, the IR team, the red team, and sometimes the board.

The role is less hands-on-keyboard than a SOC analyst or pen tester, but that doesn't mean it's passive. You're writing, briefing, hunting, and building detection logic based on adversary behavior. You're the person who reads a CISA advisory and translates it into three specific Splunk queries your blue team can run today.

If you have a Holland Code profile that leans Investigative and Artistic, this role fits better than most in security. You're doing structured research with real analytical creativity. The answer is rarely obvious. You're building arguments from incomplete evidence, which is exactly what makes it interesting.


What You'll Actually Earn

Threat intelligence is a specialized enough function that salary data is less standardized than for SOC analysts or pen testers. That said, the picture from ISC2's 2025 Workforce Study, CyberSeek, and Glassdoor aggregates is consistent enough to work with.

Mid-level threat intelligence analysts in the US earn between $85,000 and $115,000. Senior analysts with 5+ years and a specialization (nation-state tracking, financial sector threat intel, ICS/OT threats) regularly clear $130,000 to $160,000. Principal or lead analysts at major financial institutions, defense contractors, or tech companies can reach $175,000 to $200,000 when total compensation includes bonuses and equity.

The DC metro and Northern Virginia corridor skew these numbers significantly. Cleared threat intelligence work (TS/SCI is common in this specialty) adds $20,000 to $40,000 to base compensation. If you're tracking nation-state actors for a defense contractor in Tysons Corner, you're in a different salary bracket than a threat intel analyst at a regional hospital system.

Outside the US, the picture varies. UK threat intelligence analysts earn £55,000 to £90,000 at mid-to-senior levels, with London financial sector roles at the top of that range. In Germany and the Netherlands, equivalent roles run €65,000 to €95,000. LATAM markets are earlier stage but growing fast. Brazil, Mexico, and Colombia are seeing significant demand growth as multinational corporations build regional security operations. Salaries in those markets are lower in absolute terms, but the geo-arbitrage opportunity is real: US companies increasingly hire LATAM-based threat intelligence analysts at $45,000 to $65,000, which is top-tier compensation locally.

One thing that doesn't show up in the salary aggregates: threat intelligence analysts who can write. Not just reports, but finished intelligence products that a CISO can hand to a board member. That skill is rare and it commands a premium. If you can produce a two-page threat assessment that a non-technical executive can act on, you're worth more than your title suggests.


The Skills That Actually Get You Hired

Job postings for threat intelligence analysts are notoriously inconsistent. Some want a malware reverse engineer. Some want a report writer. Some want a SOC analyst who also does threat hunting. The actual skill set that experienced hiring managers look for is narrower and more specific than the job descriptions suggest.

Analytical tradecraft comes first. This is the ability to assess source reliability, weigh competing hypotheses, and express confidence levels honestly. The Intelligence Community uses a structured analytic techniques framework. You don't need a government clearance to learn it. Books like "Psychology of Intelligence Analysis" by Richards Heuer are free on the CIA's website. Analysts who can distinguish between "we assess with high confidence" and "we assess with moderate confidence" based on source quality are rare. That skill gets noticed.

MITRE ATT&CK proficiency is non-negotiable. Not just knowing the framework exists, but being able to map a threat actor's observed behavior to specific techniques and sub-techniques, identify gaps in your detection coverage, and build threat actor profiles using ATT&CK Navigator. If you can't do this fluently, you're not ready for the role. If you can, you're ahead of most applicants.

OSINT methodology matters more than any single tool. Maltego, Shodan, VirusTotal, Censys, URLScan.io, and WHOIS history tools are all part of the toolkit. But the skill is knowing how to pivot from one data point to the next without losing the thread. An IP address leads to an ASN leads to a hosting provider leads to a cluster of related domains. That pivot chain is OSINT tradecraft, and it's learned through practice, not reading.

Writing is a technical skill in this role. Finished intelligence products have a specific structure: key judgments up front, supporting evidence, confidence levels, source citations, and implications for the reader. If you've never written a formal intelligence assessment, start now. Write one about a public threat actor using only open sources. That document in your portfolio is worth more than a certification.

Understanding of adversary infrastructure. How do threat actors build and operate C2 infrastructure? What does a Cobalt Strike beacon look like in network traffic? How do groups like APT29 or Lazarus Group use legitimate cloud services to blend in? This knowledge comes from reading threat reports obsessively and from hands-on work in a lab environment.


How to Break Into Threat Intelligence (The Catch-22 Is Real)

Here's the problem stated plainly: most threat intelligence analyst job postings want 3 to 5 years of experience in threat intelligence. You don't have that. You have adjacent experience in a SOC, in IT, in network administration, or in a completely different field. The cycle is self-reinforcing. Experience gets you hired. Getting hired gets you experience. Breaking that cycle requires proof of a different kind.

The most common entry path is through a SOC analyst role first. Spend 12 to 24 months in a SOC, learn to use a SIEM fluently (Splunk or Microsoft Sentinel are the most common), develop pattern recognition on alert triage, and start volunteering for anything threat-intel-adjacent: IOC enrichment, threat hunting, writing internal threat summaries. That's your bridge.

If you're coming from a non-security background, the path is longer but not impossible. IT roles with network or system administration experience translate well. Security-adjacent roles like fraud analysis, competitive intelligence, or law enforcement intelligence work are underrated entry points. The analytical tradecraft from those fields transfers directly.

The certification sequence that makes sense:

Start with CompTIA CySA+ ($404 exam fee). It's positioned as a mid-level cert, but it's the right foundation for threat intelligence work because it covers threat and vulnerability management, security operations, and incident response from a blue team perspective. The CySA+ exam maps closely to the analytical work you'll do in a threat intel role. The salary difference between CySA+ holders and non-holders in analyst roles runs $10,000 to $15,000 based on Glassdoor and ISC2 data. That's a 25x to 37x first-year return on a $404 exam.

After CySA+, the SANS GIAC certifications are the gold standard for threat intelligence specifically. GIAC Cyber Threat Intelligence (GCTI) is the most directly relevant. It's expensive ($8,000 to $9,000 for the course and exam), but it's recognized by every serious employer in the space. If you can't afford SANS, the FOR578 course materials are sometimes available through work training budgets or scholarships. Apply for them.

The Recorded Future Intelligence Analyst certification and the Anomali ThreatStream training are free or low-cost and signal platform familiarity to employers who use those tools.

The portfolio approach is your fastest path. Write three to five threat intelligence reports using only open-source data. Pick a tracked threat actor (APT28, Lazarus Group, FIN7), research their recent campaigns using public sources, map their TTPs to MITRE ATT&CK, and write a finished intelligence product. Post it on a blog or GitHub. That document does more work than a certification in an interview because it proves you can actually do the job.

Community involvement accelerates everything. The threat intelligence community is active on Twitter/X, LinkedIn, and in specific Discord servers. Following analysts like Katie Nickels, John Hultquist, and Costin Raiu (when they post) gives you a real-time education. The SANS Cyber Threat Intelligence Summit is one of the best free resources in the field. Watch the recorded talks.


The Tools You'll Use

Your daily toolkit will vary by employer, but these are the platforms that appear consistently across threat intelligence job postings and practitioner discussions.

Threat intelligence platforms: Recorded Future, Anomali ThreatStream, ThreatConnect, and MISP (the open-source option). You'll use these to manage IOCs, track threat actors, and collaborate with other analysts. Recorded Future is the dominant commercial platform in enterprise environments. MISP is common in government and ISAC contexts.

OSINT tools: Maltego for relationship mapping, Shodan for internet-exposed infrastructure, Censys for similar purposes, VirusTotal for file and URL analysis, URLScan.io for web-based threat analysis, and RiskIQ (now Microsoft Defender Threat Intelligence) for passive DNS and infrastructure tracking.

SIEM integration: You'll need to be comfortable in Splunk or Microsoft Sentinel to push IOCs into detection pipelines and to hunt for evidence of TTPs in historical log data. Elastic SIEM is common in smaller organizations.

Malware analysis (at the basic level): You don't need to be a reverse engineer, but you should be able to run a suspicious file through a sandbox (Any.run, Cuckoo, or Hybrid Analysis), read the behavioral output, and extract IOCs. Understanding what a YARA rule does and being able to write a basic one is a differentiator.

Visualization and reporting: Analysts who can build clear visualizations of threat actor infrastructure or campaign timelines in tools like Maltego, i2 Analyst's Notebook, or even well-structured Python notebooks stand out. The ability to make complex data readable is undervalued and underdeveloped in most analysts.


Where the Jobs Are

Threat intelligence roles concentrate in specific sectors and geographies more than most security functions.

In the US, the highest density of threat intelligence positions is in the DC/Northern Virginia corridor (defense, government contractors, federal agencies), New York City (financial sector), San Francisco Bay Area (tech companies), and Chicago (financial and insurance). These markets also have the highest salaries.

Financial services is the largest private-sector employer of threat intelligence analysts. Banks, payment processors, and insurance companies run mature threat intelligence programs because they're targeted constantly and have the budget to staff them properly. The Financial Services ISAC (FS-ISAC) is a good community to engage with if you're targeting this sector.

Healthcare is an underserved market with growing demand. Hospital systems and health insurance companies are under sustained attack from ransomware groups and face significant regulatory pressure to improve their security posture. Salaries are lower than financial services, but competition for roles is also lower.

Remote work has changed the geography significantly. Many threat intelligence roles, particularly at the mid-level, are now fully remote. This matters for readers outside major US metros. A threat intelligence analyst in Austin, Denver, or Raleigh can access the same job market as someone in DC, often at the same salary.

For readers outside the US: the UK's National Cyber Security Centre (NCSC) and financial sector are the strongest markets in Europe. Germany's BSI and the broader DACH financial sector are growing. In Asia-Pacific, Singapore is the hub for regional threat intelligence work, with salaries competitive with European markets. Australia's ASD (Australian Signals Directorate) and the big four banks run active threat intelligence programs.

One underappreciated opportunity: Spanish-language cybersecurity resources are nearly nonexistent. Bilingual threat intelligence analysts who can produce finished intelligence products in both English and Spanish have a genuine advantage in multinational organizations operating across North and South America. That's a real differentiator that almost nobody is building toward intentionally.


Where This Role Goes Next

Threat intelligence is not a dead-end specialty. It's one of the better-positioned roles in security for upward mobility because the skills transfer broadly.

12 to 24 months in: Most analysts at this stage are building their MITRE ATT&CK proficiency, learning their organization's threat profile, and developing their report writing. The goal is becoming the person who can own a threat actor track independently.

2 to 4 years in: Senior analyst territory. You're leading threat actor tracking, mentoring junior analysts, and producing strategic intelligence products for leadership. You're also starting to specialize. Nation-state threats, cybercrime, ICS/OT threats, and financial fraud are the common specializations. Each has its own community, conference circuit, and salary premium.

4 to 7 years in: Principal analyst, threat intelligence lead, or manager. At this level, you're building programs, managing vendor relationships, and briefing executives. Some analysts at this stage move toward threat intelligence consulting, which can reach $200,000 to $300,000 in total compensation at top-tier firms.

Adjacent pivots that make sense: Threat intelligence analysts make strong candidates for threat hunting roles (you already know what to hunt for), incident response (you understand adversary behavior deeply), and security product management (vendors pay well for analysts who can translate threat research into product requirements). The CISO path is also viable for analysts who develop strong business communication skills.

AI is changing the role in specific ways. Automated IOC enrichment, AI-assisted report drafting, and LLM-based threat summarization are reducing the time analysts spend on low-level tasks. That's not a threat to the role. It's a shift in where your time goes. The analysts who will be most valuable in three years are the ones who can direct AI tools effectively and who focus their human judgment on the assessments that require it: attribution, strategic forecasting, and executive communication.


What to Do This Week

Pick one tracked threat actor from MITRE ATT&CK's Groups page. Choose someone with substantial public reporting: APT29, FIN7, or Lazarus Group are all well-documented.

Spend four hours this week doing the following: read the three most recent public threat reports about that group (Mandiant, CrowdStrike, and Recorded Future all publish free research), map their observed TTPs to ATT&CK Navigator, and write a two-page intelligence assessment in finished intelligence format. Key judgments at the top, supporting evidence in the body, confidence levels stated explicitly, and one paragraph on implications for a hypothetical defender.

Post it somewhere public. LinkedIn, a personal blog, or GitHub. Tag it with the threat actor name and "threat intelligence."

That document is your first portfolio artifact. It proves analytical tradecraft, ATT&CK proficiency, and writing ability in a single piece of work. It's the kind of evidence that makes a hiring manager stop scrolling.

You don't need permission to start doing threat intelligence work. The data is public. The frameworks are free. The community is accessible. The only thing between you and your first finished intelligence product is four hours and a blank document.
