What does a Threat Intelligence Analyst do?
A Threat Intelligence Analyst turns raw cybersecurity signals into decisions the business can act on. You track adversaries, not just indicators. You read malware analysis reports, monitor underground forums, correlate campaigns across CISA advisories and vendor research, and write briefs that help leadership prioritize defense. The work runs on three time horizons. Strategic intel briefs the board on ransomware trends. Operational intel tells the SOC which threat actor to watch this quarter. Tactical intel pushes indicators to the SIEM for blocking. What surprises junior analysts is how much writing matters. A clear PIR-driven brief with source reliability ratings is worth more than any single IOC.
A day in the role
Tuesday, coffee, CISA and NVD feed review. A new vulnerability in a widely deployed VPN product dropped overnight, and a known ransomware affiliate has historically weaponized these within ten days. You pull the CVE details, check the internal asset inventory, and confirm the company has sixty-two vulnerable appliances. By 9:00 AM you've drafted a tactical alert to the patch team and the SOC with proposed detection logic. Mid-morning, you work on a strategic brief for the board on the quarter's top three ransomware actors targeting the company's sector. You pull campaign data from Mandiant, correlate it with internal incidents, and write the assessment with clear confidence ratings. Lunch. In the afternoon you pivot on a suspicious domain from last week's phishing investigation, find it tied through passive DNS to a broader campaign, and write a short operational brief for IR. At 4:00 PM you push new YARA rules to the detection engineering team and log off.
Core responsibilities
- Translate Priority Intelligence Requirements from leadership into collection plans
- Track named threat actors using MITRE ATT&CK, the Diamond Model, and the Kill Chain
- Analyze malware samples, phishing campaigns, and leaked data for attribution signals
- Publish strategic, operational, and tactical intelligence products with clear confidence ratings
- Maintain an internal knowledge base of adversary tradecraft using STIX and TAXII formats
- Feed curated indicators into SIEM and EDR detection platforms
- Brief SOC, IR, and executive leadership on relevant campaigns
- Manage relationships with ISAC peers, commercial feeds, and government partners
Key skills
Tools you will use
Common pitfalls
- Dumping raw indicators into the SIEM without analyzing fidelity or business relevance
- Writing long briefs with no confidence rating, so readers can't weight the conclusions
- Chasing every new APT name in the news instead of the actors relevant to this business
- Treating attribution as certainty when the evidence only supports a working hypothesis
Where this leads
Natural next roles for experienced Threat Intelligence Analysts.
Which certifications does a Threat Intelligence Analyst need?
Professionals in this role typically hold or pursue these cybersecurity certifications.
Career intelligence synthesized from Bureau of Labor Statistics, MITRE ATT&CK, O*NET, and community data using the DecipherU Methodology™, designed by Julian Calvo, Ed.D., M.S.
How much does a Threat Intelligence Analyst make?
Salary estimates for Threat Intelligence Analyst roles. Based on BLS OES median ($110,800) with experience-tier ratios derived from BLS OES percentile patterns for cybersecurity occupations, May 2024. Actual compensation varies by location, employer, and certifications. Source: BLS OES
Career progression
Personality fit (RIASEC)
The radar maps this role's top RIASEC dimensions to the Holland Code occupational profile published by O*NET, the US Department of Labor's occupational information network. Realistic-Investigative-Conventional patterns dominate technical cybersecurity roles; Enterprising-Social-Investigative patterns dominate sales and leadership tracks.
Holland Code fit based on O*NET occupational profile and DecipherU career data.
How do I become a Threat Intelligence Analyst?
Start by exploring the interview questions for this role, reviewing salary data by location, and taking the RIASEC career assessment to confirm this path matches your personality profile.
Career resilience: Threat Intelligence Analyst
Recession risk
Very Low
Cybersecurity employment grew through every downturn since 2008. Source: BLS OES historical data.
AI impact
Augments (not replaces)
AI automates alert triage but expands attack surface, creating more specialized roles.
Regulatory demand
SOX, HIPAA, PCI-DSS, and SEC cyber disclosure rules legally require security teams regardless of economic conditions.
Government/defense demand
Federal and defense contractor roles for this function carry 15-25% salary premiums and strong job security.
Cybersecurity is one of the few technical fields where employment has grown through every recession since BLS began tracking it. The data across four economic downturns shows a consistent pattern: demand surges during crises, not during booms.
Salary data is compiled from public sources including the Bureau of Labor Statistics and industry surveys. Actual compensation varies by location, experience, company, and negotiation. This information is for educational purposes only and does not constitute financial advice.