{"id":72702,"date":"2026-04-13T03:16:31","date_gmt":"2026-04-13T03:16:31","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/lead-threat-intelligence-analyst-role-blueprint-responsibilities-skills-kpis-and-career-path\/"},"modified":"2026-04-13T03:16:31","modified_gmt":"2026-04-13T03:16:31","slug":"lead-threat-intelligence-analyst-role-blueprint-responsibilities-skills-kpis-and-career-path","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/lead-threat-intelligence-analyst-role-blueprint-responsibilities-skills-kpis-and-career-path\/","title":{"rendered":"Lead Threat Intelligence Analyst: Role Blueprint, Responsibilities, Skills, KPIs, and Career Path"},"content":{"rendered":"\n

1) Role Summary<\/h2>\n\n\n\n

The Lead Threat Intelligence Analyst<\/strong> is a senior, hands-on security analyst who designs, runs, and continuously improves an organization\u2019s threat intelligence (TI) capability to reduce cyber risk. The role turns raw signals (telemetry, OSINT, vendor feeds, dark web monitoring, incident learnings) into actionable intelligence<\/strong> that informs detection engineering, incident response, vulnerability management, and security strategy.<\/p>\n\n\n\n

This role exists in software and IT organizations because modern threats move faster than traditional perimeter defenses; TI provides early warning, prioritization, and context that improves decision-making across product security, cloud security, and SOC operations. Business value is created through reduced incident frequency and impact, faster detection\/response, better prioritization of remediation, and stronger executive visibility into threat exposure and adversary activity.<\/p>\n\n\n\n

Role horizon:<\/strong> Current (established practice in mature security organizations; expanding scope with automation\/AI).\nTypical interactions:<\/strong> SOC, Incident Response, Detection Engineering, Vulnerability Management, Cloud Security, Product Security\/AppSec, IT Ops, Risk\/GRC, Legal, Privacy, and occasionally Customer Trust\/Sales Engineering.<\/p>\n\n\n\n

Conservative reporting line (typical):<\/strong> Reports to Head of Security Operations<\/strong> \/ SOC Manager<\/strong> \/ Director of Security<\/strong> (varies by organization maturity). The role may lead a small TI pod or act as the functional lead for TI within SecOps.<\/p>\n\n\n\n

\n\n\n\n

2) Role Mission<\/h2>\n\n\n\n

Core mission:<\/strong>\nProvide timely, accurate, and relevant threat intelligence that measurably improves prevention, detection, response, and risk prioritization across the company\u2019s technology estate and product portfolio.<\/p>\n\n\n\n

Strategic importance:<\/strong>\nThreat intelligence is the connective tissue between adversary behavior and defensive action. A Lead Threat Intelligence Analyst ensures the organization is not simply collecting intel, but operationalizing<\/strong> it into detections, controls, and decisions that reduce business risk and protect customers.<\/p>\n\n\n\n

Primary business outcomes expected:<\/strong>\n– Reduced mean time to detect (MTTD) and mean time to respond (MTTR) through better context and detection content.\n– Improved prioritization of patching and mitigation based on exploitation likelihood and active campaigns.\n– Increased resilience to targeted threats (brand impersonation, credential theft, supply-chain attacks, cloud abuse).\n– Stronger executive and stakeholder confidence via consistent threat reporting and measurable TI-to-action pipelines.\n– Mature, repeatable TI processes aligned to frameworks (e.g., MITRE ATT&CK) and organizational risk appetite.<\/p>\n\n\n\n

\n\n\n\n

3) Core Responsibilities<\/h2>\n\n\n\n

Strategic responsibilities<\/h3>\n\n\n\n
    \n
  1. Define and maintain the threat intelligence operating model<\/strong> (collection, processing, analysis, dissemination, feedback loops), aligned to business priorities and the organization\u2019s threat profile.<\/li>\n
  2. Own the TI requirements (PIRs\/SIRs)<\/strong>: translate business and security priorities into prioritized intelligence requirements and collection plans.<\/li>\n
  3. Develop and maintain threat models of key adversaries<\/strong> relevant to the company (e.g., financially motivated actors, ransomware affiliates, supply-chain threats, cloud abuse groups).<\/li>\n
  4. Drive TI-informed security strategy inputs<\/strong>: recommend investments and control improvements based on trends and observed gaps.<\/li>\n
  5. Lead threat briefings for senior stakeholders<\/strong>: present risk-relevant insights, emerging campaigns, and recommended actions.<\/li>\n<\/ol>\n\n\n\n

    Operational responsibilities<\/h3>\n\n\n\n
      \n
    1. Run the TI production cadence<\/strong> (daily\/weekly intel notes, campaign tracking, monthly trend reports), ensuring timeliness and relevance.<\/li>\n
    2. Triage and validate intelligence<\/strong> from vendor feeds, ISACs, OSINT, internal telemetry, and incident learnings; reduce noise and ensure confidence scoring.<\/li>\n
    3. Coordinate intelligence-driven response<\/strong> during active incidents: provide adversary context, likely next steps, infrastructure indicators, and targeted hunt guidance.<\/li>\n
    4. Operate and refine intelligence workflows<\/strong> in the TIP\/SIEM\/ITSM tools: intake, enrichment, deduplication, scoring, and dissemination to the right consumers.<\/li>\n<\/ol>\n\n\n\n

      Technical responsibilities<\/h3>\n\n\n\n
        \n
      1. Operationalize indicators and TTPs<\/strong> into detections and mitigations: map to MITRE ATT&CK, create hunting hypotheses, and drive detection engineering requirements.<\/li>\n
      2. Develop and maintain detection-adjacent artifacts<\/strong> (YARA rules, Sigma rules, Splunk\/KQL queries, Suricata\/Snort signatures where applicable), with QA and lifecycle management.<\/li>\n
      3. Perform threat hunting support<\/strong>: design hunts based on campaigns; assist in validating findings and translating them into durable detections.<\/li>\n
      4. Assess exploitation and vulnerability intelligence<\/strong>: prioritize vulnerabilities based on EPSS, KEV, exploit availability, and environment exposure; advise VM on patch timelines.<\/li>\n
      5. Support cloud threat intelligence<\/strong>: track cloud abuse patterns (IAM compromise, token theft, metadata service abuse), and advise on detection\/controls in cloud-native tools.<\/li>\n<\/ol>\n\n\n\n

        Cross-functional or stakeholder responsibilities<\/h3>\n\n\n\n
          \n
        1. Partner with Product Security\/AppSec<\/strong> to translate threat trends into secure design guidance, abuse case updates, and SDLC security requirements.<\/li>\n
        2. Coordinate with IT and Endpoint teams<\/strong> to deploy mitigations and response actions (blocking, containment, hardening) informed by intelligence.<\/li>\n
        3. Support Customer Trust and Communications<\/strong> (context-specific) with accurate statements, threat summaries, and impact framing during major events.<\/li>\n<\/ol>\n\n\n\n

          Governance, compliance, or quality responsibilities<\/h3>\n\n\n\n
            \n
          1. Maintain intelligence standards and quality controls<\/strong>: source reliability, analytic confidence levels, citation practices, handling restrictions (TLP), and audit-ready documentation.<\/li>\n
          2. Manage third-party intel relationships and information sharing<\/strong>: handle sharing agreements, ensure legal\/privacy constraints are met, and represent the company in communities (ISACs).<\/li>\n<\/ol>\n\n\n\n

            Leadership responsibilities (Lead level)<\/h3>\n\n\n\n
              \n
            1. Mentor analysts and influence execution<\/strong>: coach junior TI\/SOC analysts on analytic tradecraft, structured analysis, and operationalization; lead without necessarily having direct reports.<\/li>\n
            2. Set technical direction for TI tooling and automation<\/strong>: define requirements, guide integrations, and evaluate vendors in partnership with SecOps leadership.<\/li>\n
            3. Own TI program KPIs and continuous improvement<\/strong>: measure impact, identify bottlenecks, and drive process maturity.<\/li>\n<\/ol>\n\n\n\n
              \n\n\n\n

              4) Day-to-Day Activities<\/h2>\n\n\n\n

              Daily activities<\/h3>\n\n\n\n
                \n
              • Monitor threat landscape changes: exploitation news, ransomware leaks, phishing campaigns, cloud abuse trends, and high-signal community reporting.<\/li>\n
              • Triage new intelligence items (from TIP, email, ISAC portals, vendor alerts) and decide what becomes:<\/li>\n
              • a detection request,<\/li>\n
              • a hunt package,<\/li>\n
              • a vulnerability priority update,<\/li>\n
              • or an \u201cFYI\u201d advisory.<\/li>\n
              • Provide rapid-response support to SOC\/IR: enrichment on IPs\/domains\/hashes, infrastructure pivots, adversary clustering, and recommended containment actions.<\/li>\n
              • Maintain campaign trackers and update confidence levels as new evidence arrives.<\/li>\n
              • Communicate \u201cwhat changed today\u201d to operational teams (SOC, VM, Detection Engineering) in concise, action-oriented formats.<\/li>\n<\/ul>\n\n\n\n

                Weekly activities<\/h3>\n\n\n\n
                  \n
                • Run a weekly intel sync<\/strong> with SOC\/Detection Engineering: review top campaigns, review what was operationalized, unblock content deployment.<\/li>\n
                • Produce a weekly threat note<\/strong> summarizing:<\/li>\n
                • relevant campaigns,<\/li>\n
                • notable TTPs,<\/li>\n
                • exposure assessment,<\/li>\n
                • recommended actions and owners.<\/li>\n
                • Conduct structured analysis sessions (e.g., ACH-lite, hypothesis testing) for ambiguous or high-impact threat questions.<\/li>\n
                • Review vulnerability exploitation intelligence and update patch prioritization recommendations.<\/li>\n
                • Validate the health of TI pipelines: feed ingestion, deduplication, scoring, and integration success rates.<\/li>\n<\/ul>\n\n\n\n

                  Monthly or quarterly activities<\/h3>\n\n\n\n
                    \n
                  • Deliver a monthly threat landscape report<\/strong> tailored to leadership:<\/li>\n
                  • trends and top risks,<\/li>\n
                  • major incidents in the industry,<\/li>\n
                  • control and investment recommendations,<\/li>\n
                  • measurable TI impact metrics.<\/li>\n
                  • Refresh threat models and adversary profiles for the organization\u2019s highest-value assets and products.<\/li>\n
                  • Review and tune intelligence requirements (PIRs) with stakeholders; retire low-value questions.<\/li>\n
                  • Perform retrospectives on major incidents and near-misses to capture new intelligence and detection gaps.<\/li>\n
                  • Evaluate TI tool effectiveness and coverage: what sources produce actions vs noise; rationalize spend.<\/li>\n<\/ul>\n\n\n\n

                    Recurring meetings or rituals<\/h3>\n\n\n\n
                      \n
                    • Daily SOC standup (optional\/context-specific; common in smaller teams).<\/li>\n
                    • Weekly intel-to-detection working session (common).<\/li>\n
                    • Weekly vulnerability triage meeting (common).<\/li>\n
                    • Incident response post-incident reviews (common).<\/li>\n
                    • Monthly security leadership readout (common in mature orgs).<\/li>\n
                    • Vendor check-ins (monthly\/quarterly).<\/li>\n<\/ul>\n\n\n\n

                      Incident, escalation, or emergency work<\/h3>\n\n\n\n
                        \n
                      • During high-severity incidents, the Lead Threat Intelligence Analyst typically:<\/li>\n
                      • joins incident bridge calls as the adversary context owner<\/strong>,<\/li>\n
                      • produces \u201cknowns\/unknowns\u201d and likely adversary next steps,<\/li>\n
                      • quickly validates indicators and recommended blocks to avoid self-inflicted outages,<\/li>\n
                      • coordinates with Legal\/Privacy on information sharing constraints (where required),<\/li>\n
                      • supports executive updates with accurate, defensible statements.<\/li>\n
                      • May be on an escalation rotation (context-specific). Even without formal on-call, availability during major incidents is commonly expected.<\/li>\n<\/ul>\n\n\n\n
                        \n\n\n\n

                        5) Key Deliverables<\/h2>\n\n\n\n
                          \n
                        • Threat Intelligence Program Artifacts<\/strong><\/li>\n
                        • TI operating model (intake \u2192 analysis \u2192 dissemination \u2192 feedback)<\/li>\n
                        • Priority Intelligence Requirements (PIRs) and review cadence<\/li>\n
                        • Source catalog with reliability scoring and handling restrictions (TLP)<\/li>\n
                        • \n

                          TI playbooks and runbooks (what happens when a high-confidence campaign appears)<\/p>\n<\/li>\n

                        • \n

                          Analytic Products<\/strong><\/p>\n<\/li>\n

                        • Daily\/weekly intel notes (actionable, owner-assigned recommendations)<\/li>\n
                        • Monthly\/quarterly threat landscape reports<\/li>\n
                        • Adversary profiles and campaign dossiers (TTPs, infra, targeting, motivations)<\/li>\n
                        • \n

                          Intelligence bulletins for urgent topics (e.g., active exploitation of a CVE)<\/p>\n<\/li>\n

                        • \n

                          Operationalized Security Outputs<\/strong><\/p>\n<\/li>\n

                        • Detection engineering requirements and acceptance criteria<\/li>\n
                        • Hunting packages (hypotheses, queries, telemetry requirements, success criteria)<\/li>\n
                        • Indicator packages (curated, scored IOCs with expiry and context)<\/li>\n
                        • YARA\/Sigma rules and SIEM queries (where applicable)<\/li>\n
                        • \n

                          Mitigation recommendations (blocks, hardening steps, MFA changes, IAM controls)<\/p>\n<\/li>\n

                        • \n

                          Dashboards and Metrics<\/strong><\/p>\n<\/li>\n

                        • TI-to-action pipeline dashboard (intel items \u2192 actions \u2192 deployed controls)<\/li>\n
                        • KPI reporting for MTTD\/MTTR influence, alert quality improvements, and source value<\/li>\n
                        • \n

                          Vulnerability exploitation watchlists and \u201cinternet exposure + exploitability\u201d views<\/p>\n<\/li>\n

                        • \n

                          Training and Enablement<\/strong><\/p>\n<\/li>\n

                        • Analyst enablement sessions (structured analysis, ATT&CK mapping, confidence scoring)<\/li>\n
                        • SOC\/IR cheat sheets (top TTPs, ransomware playbook intelligence inputs)<\/li>\n
                        • Executive briefing decks (board-ready where required)<\/li>\n<\/ul>\n\n\n\n
                          \n\n\n\n

                          6) Goals, Objectives, and Milestones<\/h2>\n\n\n\n

                          30-day goals (onboarding and baseline)<\/h3>\n\n\n\n
                            \n
                          • Understand the company\u2019s environment: products, cloud footprint, data sensitivity, and business priorities.<\/li>\n
                          • Map current security operations workflows (SOC, IR, VM) and identify where TI is consumed or missing.<\/li>\n
                          • Review existing TI sources, TIP\/SIEM integrations, and current intel outputs; assess quality and relevance.<\/li>\n
                          • Establish stakeholder map and agree initial PIRs with SecOps leadership.<\/li>\n
                          • Deliver first quick-win intel product (e.g., a campaign brief with clear actions) that results in at least one operational change.<\/li>\n<\/ul>\n\n\n\n

                            60-day goals (operationalization and cadence)<\/h3>\n\n\n\n
                              \n
                            • Implement a repeatable intel dissemination cadence (weekly operational note + leadership summary).<\/li>\n
                            • Establish intelligence scoring standards (source reliability, analytic confidence, relevance tags, ATT&CK mapping).<\/li>\n
                            • Create a TI-to-detection workflow with defined SLAs and acceptance criteria with Detection Engineering\/SOC.<\/li>\n
                            • Stand up a vulnerability exploitation prioritization flow integrated with VM triage.<\/li>\n
                            • Reduce noise from feeds via deduplication, filtering, and \u201cdo not action\u201d criteria.<\/li>\n<\/ul>\n\n\n\n

                              90-day goals (measurable impact)<\/h3>\n\n\n\n
                                \n
                              • Demonstrate measurable improvements:<\/li>\n
                              • increased number of intel-driven detections deployed,<\/li>\n
                              • reduced time from intel receipt to action,<\/li>\n
                              • improved incident enrichment speed.<\/li>\n
                              • Deliver at least one mature adversary or campaign dossier relevant to the organization and use it to drive hunts\/detections.<\/li>\n
                              • Establish baseline KPIs and dashboards for TI program performance.<\/li>\n
                              • Document and socialize TI runbooks for major scenarios (ransomware, credential compromise, cloud token theft, supplier compromise).<\/li>\n<\/ul>\n\n\n\n

                                6-month milestones (program maturity)<\/h3>\n\n\n\n
                                  \n
                                • Mature TI operating model with clear:<\/li>\n
                                • requirements management (PIRs),<\/li>\n
                                • collection strategy,<\/li>\n
                                • analytic standards,<\/li>\n
                                • dissemination channels by audience,<\/li>\n
                                • feedback loops and success measures.<\/li>\n
                                • Achieve consistent operationalization:<\/li>\n
                                • a sustained pipeline of intel \u2192 detections\/hunts\/mitigations,<\/li>\n
                                • reduction in false positives through better context and scoring.<\/li>\n
                                • Improve external collaboration posture (ISAC participation, vetted sharing processes, legal guardrails).<\/li>\n
                                • Complete a tooling gap assessment and implement prioritized improvements (automation, integrations, dashboarding).<\/li>\n<\/ul>\n\n\n\n

                                  12-month objectives (strategic outcomes)<\/h3>\n\n\n\n
                                    \n
                                  • Establish TI as a trusted decision-support function:<\/li>\n
                                  • leadership uses TI reports to prioritize investment,<\/li>\n
                                  • SOC\/IR uses TI to accelerate response,<\/li>\n
                                  • VM uses TI to prioritize remediation by exploitation likelihood.<\/li>\n
                                  • Demonstrably reduce exposure to top threats (measured via control improvements, fewer repeat incidents, improved detection coverage).<\/li>\n
                                  • Build and mentor a high-performing TI capability (could include hiring, training, or developing a community of practice).<\/li>\n
                                  • Develop an annual threat landscape outlook and integrate it into security planning and tabletop exercises.<\/li>\n<\/ul>\n\n\n\n

                                    Long-term impact goals (18\u201336 months)<\/h3>\n\n\n\n
                                      \n
                                    • Institutionalize intelligence-led defense:<\/li>\n
                                    • robust detection coverage aligned to top adversary TTPs,<\/li>\n
                                    • proactive identification of campaigns targeting the company\/industry,<\/li>\n
                                    • mature automation pipelines that minimize manual triage.<\/li>\n
                                    • Position the organization as a credible participant in trusted sharing communities, improving early warning and peer collaboration.<\/li>\n<\/ul>\n\n\n\n

                                      Role success definition<\/h3>\n\n\n\n

                                      Success is defined by actionable intelligence that changes outcomes<\/strong>, not by volume of reports or feeds ingested. A successful Lead Threat Intelligence Analyst consistently produces intelligence that results in detections, mitigations, improved prioritization, and faster\/cleaner incident handling.<\/p>\n\n\n\n

                                      What high performance looks like<\/h3>\n\n\n\n
                                        \n
                                      • Stakeholders can clearly articulate how TI helped them this quarter (specific actions taken).<\/li>\n
                                      • The TI pipeline is measurable, predictable, and resilient (not dependent on heroics).<\/li>\n
                                      • Intelligence outputs are concise, credible, and aligned to business priorities.<\/li>\n
                                      • Detection engineering and IR teams proactively request TI support because it reliably accelerates results.<\/li>\n
                                      • The organization has fewer \u201csurprises\u201d due to better early warning and preparedness.<\/li>\n<\/ul>\n\n\n\n
                                        \n\n\n\n

                                        7) KPIs and Productivity Metrics<\/h2>\n\n\n\n

                                        The measurement framework below emphasizes impact<\/strong> (outcomes) and operational excellence<\/strong> (reliability, efficiency), while avoiding vanity metrics such as \u201cnumber of IOCs processed\u201d without action.<\/p>\n\n\n\n

                                        \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                        Metric name<\/th>\nWhat it measures<\/th>\nWhy it matters<\/th>\nExample target\/benchmark (illustrative)<\/th>\nFrequency<\/th>\n<\/tr>\n<\/thead>\n
                                        Intel-to-Action Cycle Time<\/td>\nTime from intel receipt to an action (detection\/hunt\/mitigation)<\/td>\nShows operationalization speed<\/td>\nP1 intel: <72 hours; P2: <2 weeks<\/td>\nWeekly<\/td>\n<\/tr>\n
                                        % Intel Items Operationalized<\/td>\nPortion of high\/medium relevance intel that results in an action<\/td>\nValidates relevance and execution<\/td>\n40\u201360% of curated items lead to actions (varies by org)<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Detection Coverage Lift (TI-driven)<\/td>\nNumber of new\/updated detections mapped to TI-derived TTPs<\/td>\nDemonstrates security posture improvement<\/td>\n+X detections\/month mapped to priority ATT&CK techniques<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Hunt Yield Rate<\/td>\nHunts producing confirmed findings or control improvements<\/td>\nMeasures hunt effectiveness<\/td>\n20\u201340% yield (context-specific)<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Incident Enrichment SLA<\/td>\nTime to provide context during an incident (e.g., infra pivots, actor hypotheses)<\/td>\nReduces MTTR and improves decisions<\/td>\nInitial enrichment <60 minutes for P1 incidents<\/td>\nWeekly\/Per incident<\/td>\n<\/tr>\n
                                        False Positive Reduction from TI Context<\/td>\nReduction in alerts escalated due to better context\/scoring<\/td>\nImproves SOC efficiency<\/td>\n5\u201315% reduction over 2 quarters<\/td>\nQuarterly<\/td>\n<\/tr>\n
                                        Vulnerability Exploitation Prioritization Accuracy<\/td>\nHow often \u201cactively exploited\u201d calls align with observed activity and credible sources<\/td>\nBuilds trust with VM and leadership<\/td>\n>90% of \u201cdrop everything\u201d calls validated by KEV\/exploit evidence<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Patch Acceleration for Exploited Vulns<\/td>\nTime from exploited vuln intel to patch\/mitigation completion<\/td>\nReduces exposure to real threats<\/td>\nCritical exploited: mitigation <7 days (varies by environment)<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Source Value Score<\/td>\nRatio of actionable items to total items per source<\/td>\nOptimizes spend and analyst time<\/td>\nTop sources deliver 70\u201380% of actions<\/td>\nQuarterly<\/td>\n<\/tr>\n
                                        Stakeholder Satisfaction (TI Consumers)<\/td>\nFeedback from SOC\/IR\/VM\/Product Security<\/td>\nEnsures relevance and usability<\/td>\n\u22654.2\/5 average<\/td>\nQuarterly<\/td>\n<\/tr>\n
                                        Report Timeliness<\/td>\nDelivery against agreed cadence<\/td>\nBuilds trust and predictability<\/td>\n95% on-time delivery<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Analytic Quality Score<\/td>\nPeer review rating for evidence, confidence, clarity, and actionability<\/td>\nMaintains rigor<\/td>\n\u22654\/5 average across sampled outputs<\/td>\nMonthly<\/td>\n<\/tr>\n
                                        Knowledge Reuse<\/td>\nUse of TI artifacts in tabletop exercises, detections, training<\/td>\nIndicates institutionalization<\/td>\nTI referenced in \u22652 exercises\/quarter<\/td>\nQuarterly<\/td>\n<\/tr>\n
                                        Leadership Enablement (Lead-level)<\/td>\nMentoring, standards adoption, process improvements delivered<\/td>\nConfirms lead scope beyond IC work<\/td>\n1\u20132 measurable process improvements\/quarter<\/td>\nQuarterly<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n

                                        Notes on variability:<\/strong> Targets depend on company size, tool maturity, and volume of alerts\/incidents. Early-stage TI programs may focus first on cycle time, operationalization rate, and stakeholder satisfaction.<\/p>\n\n\n\n

                                        \n\n\n\n

                                        8) Technical Skills Required<\/h2>\n\n\n\n

                                        Must-have technical skills<\/h3>\n\n\n\n
                                          \n
                                        1. \n

                                          Threat intelligence lifecycle and tradecraft<\/strong> (Critical)\n – Use: Define PIRs, collection plans, analysis, dissemination, feedback loops.\n – Includes confidence scoring, source evaluation, and structured analytic techniques.<\/p>\n<\/li>\n

                                        2. \n

                                          MITRE ATT&CK mapping and adversary TTP analysis<\/strong> (Critical)\n – Use: Translate reports into techniques, drive detections\/hunts, communicate consistently across teams.<\/p>\n<\/li>\n

                                        3. \n

                                          SIEM investigation and query skills<\/strong> (Critical)\n – Use: Validate IOCs\/TTPs, support hunts, enrich incidents.\n – Examples: Splunk SPL, Microsoft Sentinel KQL, Elastic query DSL.<\/p>\n<\/li>\n

                                        4. \n

                                          IOC and infrastructure analysis<\/strong> (Critical)\n – Use: Pivot domains\/IPs\/certs\/WHOIS\/passive DNS, identify clusters, validate maliciousness.<\/p>\n<\/li>\n

                                        5. \n

                                          Incident response collaboration<\/strong> (Important \u2192 Critical in many orgs)\n – Use: Provide threat context, support containment decisions, document intel learnings post-incident.<\/p>\n<\/li>\n

                                        6. \n

                                          Vulnerability exploitation intelligence<\/strong> (Critical)\n – Use: Assess exploit maturity, active exploitation, KEV\/EPSS, advise VM on prioritization.<\/p>\n<\/li>\n

                                        7. \n

                                          Scripting and automation fundamentals<\/strong> (Important)\n – Use: Automate enrichment, normalize feeds, create repeatable workflows.\n – Typical: Python, basic Bash\/PowerShell, API usage.<\/p>\n<\/li>\n

                                        8. \n

                                          Cloud security fundamentals<\/strong> (Important)\n – Use: Interpret cloud logs, understand IAM abuse patterns, advise cloud detections\/controls.\n – Typical: AWS\/Azure\/GCP basics, CloudTrail\/Azure AD logs.<\/p>\n<\/li>\n<\/ol>\n\n\n\n

                                          Good-to-have technical skills<\/h3>\n\n\n\n
                                            \n
                                          1. \n

                                            TIP operation and integration<\/strong> (Important)\n – Use: Manage feeds, scoring, deduplication, and integration with SIEM\/SOAR.<\/p>\n<\/li>\n

                                          2. \n

                                            SOAR playbook design<\/strong> (Important)\n – Use: Automate enrichment and dissemination, reduce manual triage.<\/p>\n<\/li>\n

                                          3. \n

                                            Malware analysis fundamentals<\/strong> (Optional to Important, context-specific)\n – Use: Triage suspicious files, extract IOCs, understand behavior patterns (sandbox, static indicators).<\/p>\n<\/li>\n

                                          4. \n

                                            Detection content development<\/strong> (Important)\n – Use: Produce Sigma, YARA, SIEM rules, EDR detections in partnership with Detection Engineering.<\/p>\n<\/li>\n

                                          5. \n

                                            Threat modeling and abuse case development<\/strong> (Important)\n – Use: Inform product security and architecture decisions with real-world attacker behavior.<\/p>\n<\/li>\n<\/ol>\n\n\n\n

                                            Advanced or expert-level technical skills<\/h3>\n\n\n\n
                                              \n
                                            1. \n

                                              Campaign and actor clustering at scale<\/strong> (Advanced; Important in mature orgs)\n – Use: Connect disparate intel artifacts to campaigns using infrastructure and TTP overlap; reduce duplicate work.<\/p>\n<\/li>\n

                                            2. \n

                                              Advanced log\/telemetry fluency<\/strong> (Advanced)\n – Use: Identify gaps in telemetry, recommend instrumentation, interpret endpoint\/network\/cloud audit data.<\/p>\n<\/li>\n

                                            3. \n

                                              Data analysis for TI (statistics, scoring models)<\/strong> (Advanced; Optional)\n – Use: Source scoring, signal-to-noise optimization, trend analysis, predictive prioritization.<\/p>\n<\/li>\n

                                            4. \n

                                              Digital risk \/ brand protection analysis<\/strong> (Advanced; Context-specific)\n – Use: Detect impersonation, phishing kits, credential leaks, brand abuse targeting customers.<\/p>\n<\/li>\n

                                            5. \n

                                              Advanced malware triage and reverse engineering<\/strong> (Advanced; Optional)\n – Use: Support high-impact investigations, extract TTPs from novel samples.<\/p>\n<\/li>\n<\/ol>\n\n\n\n

                                              Emerging future skills for this role (next 2\u20135 years)<\/h3>\n\n\n\n
                                                \n
                                              1. \n

                                                AI-assisted intelligence production governance<\/strong> (Important)\n – Use: Ensure AI-generated summaries are verifiable, cited, and safe to share; manage hallucination risk.<\/p>\n<\/li>\n

                                              2. \n

                                                Detection engineering for identity and SaaS abuse<\/strong> (Important)\n – Use: Translate TI into detections across IdP, SaaS audit logs, and API-based telemetry.<\/p>\n<\/li>\n

                                              3. \n

                                                Supply-chain and dependency intelligence<\/strong> (Important; context-specific)\n – Use: Track threats targeting CI\/CD pipelines, artifact repositories, and open-source dependencies.<\/p>\n<\/li>\n

                                              4. \n

                                                Automated graph-based enrichment and correlation<\/strong> (Optional \u2192 Important over time)\n – Use: Entity graphs for infra, identities, malware families to accelerate pivoting and reduce manual analysis.<\/p>\n<\/li>\n<\/ol>\n\n\n\n

                                                \n\n\n\n

                                                9) Soft Skills and Behavioral Capabilities<\/h2>\n\n\n\n
                                                  \n
                                                1. \n

                                                  Analytic rigor and intellectual honesty<\/strong>\n – Why it matters: TI decisions can trigger disruptive actions (blocking IPs, emergency patching).\n – On the job: Clearly separates fact from inference; communicates confidence levels and alternatives.\n – Strong performance: Uses evidence-based reasoning, cites sources, and updates conclusions when new data emerges.<\/p>\n<\/li>\n

                                                2. \n

                                                  Executive communication and synthesis<\/strong>\n – Why it matters: Leaders need clarity, not raw data.\n – On the job: Converts technical threat details into business risk and concrete actions.\n – Strong performance: Produces briefings that lead to decisions (prioritization, investment, risk acceptance).<\/p>\n<\/li>\n

                                                3. \n

                                                  Operational empathy and service orientation<\/strong>\n – Why it matters: TI only works when consumers can use it.\n – On the job: Designs outputs around SOC\/IR\/VM workflows and constraints.\n – Strong performance: Stakeholders report that TI is \u201cimmediately actionable\u201d and reduces their workload.<\/p>\n<\/li>\n

                                                4. \n

                                                  Influence without authority (Lead-level)<\/strong>\n – Why it matters: Often leads outcomes across teams without owning them.\n – On the job: Aligns Detection Engineering, SOC, and VM on priorities and SLAs.\n – Strong performance: Drives adoption of standards and workflows through credibility and clarity.<\/p>\n<\/li>\n

                                                5. \n

                                                  Prioritization under ambiguity<\/strong>\n – Why it matters: Threat landscape is noisy; time is limited.\n – On the job: Chooses what to act on now vs monitor; avoids distraction by low-impact intel.\n – Strong performance: Consistently focuses effort on threats most relevant to the company\u2019s assets and business.<\/p>\n<\/li>\n

                                                6. \n

                                                  Collaboration and conflict navigation<\/strong>\n – Why it matters: Blocking\/patching decisions can disrupt engineering and operations.\n – On the job: Negotiates tradeoffs, aligns on risk-based timelines, resolves disputes with evidence.\n – Strong performance: Partners feel respected; escalations are rare and well-justified.<\/p>\n<\/li>\n

                                                7. \n

                                                  Teaching and mentoring mindset<\/strong>\n – Why it matters: TI capability scales through shared tradecraft and standards.\n – On the job: Coaches analysts on ATT&CK mapping, structured analysis, and writing.\n – Strong performance: Observable growth in junior analysts; consistent quality across TI outputs.<\/p>\n<\/li>\n

                                                8. \n

                                                  Calm performance in incidents<\/strong>\n – Why it matters: During active incidents, misinformation spreads quickly.\n – On the job: Provides steady, evidence-based guidance; avoids speculation.\n – Strong performance: Incident teams trust their calls; reduces churn and accelerates containment.<\/p>\n<\/li>\n<\/ol>\n\n\n\n

                                                  \n\n\n\n

                                                  10) Tools, Platforms, and Software<\/h2>\n\n\n\n

                                                  Tooling varies widely by company maturity. The list below reflects common enterprise software\/IT environments; each item is labeled Common<\/strong>, Optional<\/strong>, or Context-specific<\/strong>.<\/p>\n\n\n\n

                                                  \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                  Category<\/th>\nTool \/ platform<\/th>\nPrimary use<\/th>\nCommonality<\/th>\n<\/tr>\n<\/thead>\n
                                                  Threat Intelligence Platforms (TIP)<\/td>\nAnomali, Recorded Future, Mandiant Advantage, ThreatConnect<\/td>\nFeed aggregation, scoring, enrichment, dissemination<\/td>\nContext-specific (often Common in mature orgs)<\/td>\n<\/tr>\n
                                                  Threat sharing standards<\/td>\nSTIX\/TAXII<\/td>\nStructured intel exchange<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  SIEM<\/td>\nSplunk, Microsoft Sentinel, Elastic Security<\/td>\nQuerying, correlation, investigations, dashboards<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  SOAR<\/td>\nPalo Alto Cortex XSOAR, Splunk SOAR, Microsoft Sentinel playbooks<\/td>\nAutomate enrichment, ticketing, response workflows<\/td>\nOptional to Common<\/td>\n<\/tr>\n
                                                  EDR\/XDR<\/td>\nCrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne<\/td>\nEndpoint detections, investigations, containment<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Network Security<\/td>\nPalo Alto NGFW, Cisco, Suricata\/Snort<\/td>\nNetwork telemetry and blocking<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  Cloud platforms<\/td>\nAWS, Azure, GCP<\/td>\nCloud-native telemetry and controls<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Cloud security<\/td>\nWiz, Prisma Cloud, Defender for Cloud<\/td>\nExposure management, cloud threat detection context<\/td>\nOptional<\/td>\n<\/tr>\n
                                                  Identity<\/td>\nOkta, Entra ID (Azure AD)<\/td>\nIdentity audit logs, access risk, abuse detection inputs<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Vulnerability management<\/td>\nTenable, Qualys, Rapid7 InsightVM<\/td>\nVulnerability context and prioritization<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Ticketing \/ ITSM<\/td>\nServiceNow, Jira Service Management<\/td>\nWork tracking, SLAs, coordination<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Collaboration<\/td>\nSlack, Microsoft Teams<\/td>\nRapid dissemination and incident comms<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Documentation<\/td>\nConfluence, SharePoint, Notion<\/td>\nKnowledge base, reports, runbooks<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Source control<\/td>\nGitHub, GitLab<\/td>\nManage detection content, scripts, rule versioning<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  Data analysis<\/td>\nPython, Jupyter, Pandas<\/td>\nEnrichment automation, analysis, reporting<\/td>\nCommon<\/td>\n<\/tr>\n
                                                  OSINT \/ enrichment<\/td>\nVirusTotal, urlscan.io, GreyNoise, Shodan, Censys<\/td>\nIndicator validation, infra analysis, exposure checks<\/td>\nCommon (tool choice varies)<\/td>\n<\/tr>\n
                                                  Passive DNS \/ DNS tools<\/td>\nFarsight\/SecurityTrails (or equivalents)<\/td>\nPivoting and infra clustering<\/td>\nOptional<\/td>\n<\/tr>\n
                                                  Malware sandboxes<\/td>\nAny.Run, Joe Sandbox, Cuckoo<\/td>\nBehavioral analysis and IOC extraction<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  Email security<\/td>\nProofpoint, Microsoft Defender for Office 365<\/td>\nPhishing campaign analysis<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  Observability<\/td>\nDatadog, Grafana, Prometheus<\/td>\nSupplemental telemetry, service health during mitigations<\/td>\nOptional<\/td>\n<\/tr>\n
                                                  BI \/ dashboards<\/td>\nPower BI, Tableau<\/td>\nLeadership reporting<\/td>\nOptional<\/td>\n<\/tr>\n
                                                  Secrets \/ key management<\/td>\nVault, AWS KMS, Azure Key Vault<\/td>\nContext for cloud threat patterns<\/td>\nContext-specific<\/td>\n<\/tr>\n
                                                  Secure web gateway \/ DNS security<\/td>\nZscaler, Umbrella<\/td>\nBlocking and telemetry<\/td>\nContext-specific<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                  \n\n\n\n

                                                  11) Typical Tech Stack \/ Environment<\/h2>\n\n\n\n

                                                  Infrastructure environment<\/h3>\n\n\n\n
                                                    \n
                                                  • Hybrid cloud is common: cloud-first with remaining on-prem services (AD, legacy apps, build systems).<\/li>\n
                                                  • Mix of IaaS\/PaaS:<\/li>\n
                                                  • AWS (CloudTrail, GuardDuty), Azure (Entra ID, Defender), or GCP equivalents.<\/li>\n
                                                  • Enterprise endpoint fleet:<\/li>\n
                                                  • developer workstations (macOS\/Windows\/Linux),<\/li>\n
                                                  • server estates (Linux-heavy for production).<\/li>\n<\/ul>\n\n\n\n

                                                    Application environment<\/h3>\n\n\n\n
                                                      \n
                                                    • SaaS-delivered product(s) and internal services:<\/li>\n
                                                    • microservices and APIs,<\/li>\n
                                                    • containerized workloads (Kubernetes),<\/li>\n
                                                    • CI\/CD pipelines (GitHub Actions\/GitLab CI\/Jenkins).<\/li>\n
                                                    • Identity-centric access model:<\/li>\n
                                                    • SSO, MFA, conditional access,<\/li>\n
                                                    • privileged access management (optional).<\/li>\n<\/ul>\n\n\n\n

                                                      Data environment<\/h3>\n\n\n\n
                                                        \n
                                                      • Logs from:<\/li>\n
                                                      • SIEM ingest (endpoint, identity, cloud audit, network),<\/li>\n
                                                      • data lake (optional) for long-term analytics.<\/li>\n
                                                      • TI enrichment data:<\/li>\n
                                                      • feed data, OSINT, internal incident artifacts, vulnerability data.<\/li>\n<\/ul>\n\n\n\n

                                                        Security environment<\/h3>\n\n\n\n
                                                          \n
                                                        • SOC function with alert triage and escalation.<\/li>\n
                                                        • Incident Response playbooks and severity model.<\/li>\n
                                                        • Vulnerability management program (patch SLAs, scanning).<\/li>\n
                                                        • Detection engineering function (dedicated or shared with SOC).<\/li>\n
                                                        • Threat modeling and AppSec programs (varying maturity).<\/li>\n<\/ul>\n\n\n\n

                                                          Delivery model<\/h3>\n\n\n\n
                                                            \n
                                                          • Agile\/iterative security operations improvements.<\/li>\n
                                                          • Regular operational cadences (weekly\/biweekly).<\/li>\n
                                                          • Some work is interrupt-driven (incidents, urgent exploitation).<\/li>\n<\/ul>\n\n\n\n

                                                            Scale or complexity context<\/h3>\n\n\n\n
                                                              \n
                                                            • Medium-to-large software company or IT organization:<\/li>\n
                                                            • multiple cloud accounts\/subscriptions,<\/li>\n
                                                            • thousands of endpoints and identities,<\/li>\n
                                                            • high log volume and frequent change.<\/li>\n<\/ul>\n\n\n\n

                                                              Team topology<\/h3>\n\n\n\n
                                                                \n
                                                              • Lead Threat Intelligence Analyst typically sits within:<\/li>\n
                                                              • SecOps (SOC\/IR), or<\/li>\n
                                                              • a broader Detection & Response team.<\/li>\n
                                                              • Close working relationship with:<\/li>\n
                                                              • Detection Engineering,<\/li>\n
                                                              • Cloud Security,<\/li>\n
                                                              • Vulnerability Management.<\/li>\n<\/ul>\n\n\n\n
                                                                \n\n\n\n

                                                                12) Stakeholders and Collaboration Map<\/h2>\n\n\n\n

                                                                Internal stakeholders<\/h3>\n\n\n\n
                                                                  \n
                                                                • SOC Analysts \/ SOC Lead<\/strong>: consumers of intel for triage, correlation, and escalation; provide feedback on usefulness.<\/li>\n
                                                                • Incident Response (IR) Lead \/ DFIR<\/strong>: uses TI for attribution hypotheses, scoping, eradication guidance, and post-incident learnings.<\/li>\n
                                                                • Detection Engineering<\/strong>: converts TTPs into durable detections; co-owns rule quality and lifecycle.<\/li>\n
                                                                • Vulnerability Management<\/strong>: consumes exploitation intel for patch prioritization and exception handling.<\/li>\n
                                                                • Cloud Security \/ Platform Security<\/strong>: applies TI to cloud control improvements and cloud-native detections.<\/li>\n
                                                                • Product Security \/ AppSec<\/strong>: uses TI to update abuse cases, threat models, secure defaults, and backlog items.<\/li>\n
                                                                • GRC \/ Risk<\/strong>: aligns TI outputs to risk registers, audits, and control narratives (especially in regulated environments).<\/li>\n
                                                                • IT Operations \/ Endpoint Engineering<\/strong>: executes mitigations (blocks, configuration changes), helps validate operational impact.<\/li>\n
                                                                • Legal \/ Privacy<\/strong> (context-specific): supports external sharing constraints, incident communications, data handling.<\/li>\n
                                                                • Executive leadership (CISO\/VP Security)<\/strong>: consumes high-level intelligence and risk-driven recommendations.<\/li>\n<\/ul>\n\n\n\n

                                                                  External stakeholders (as applicable)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • ISAC\/ISAO communities<\/strong>: bi-directional sharing, early warning.<\/li>\n
                                                                  • Vendors \/ managed security partners<\/strong>: intelligence sourcing, incident support, tooling.<\/li>\n
                                                                  • Law enforcement liaison<\/strong> (rare; context-specific): for severe incidents or fraud.<\/li>\n<\/ul>\n\n\n\n

                                                                    Peer roles<\/h3>\n\n\n\n
                                                                      \n
                                                                    • Lead SOC Analyst, Lead Detection Engineer, Security Engineer (IR tooling), Vulnerability Lead, Cloud Security Engineer, AppSec Lead.<\/li>\n<\/ul>\n\n\n\n

                                                                      Upstream dependencies<\/h3>\n\n\n\n
                                                                        \n
                                                                      • Quality telemetry and logging coverage.<\/li>\n
                                                                      • Feed access and licensing.<\/li>\n
                                                                      • Incident artifacts and timely sharing from IR\/SOC.<\/li>\n
                                                                      • Vulnerability scan data and asset inventory accuracy.<\/li>\n<\/ul>\n\n\n\n

                                                                        Downstream consumers<\/h3>\n\n\n\n
                                                                          \n
                                                                        • Detections deployed to SIEM\/EDR.<\/li>\n
                                                                        • VM prioritization and patch campaigns.<\/li>\n
                                                                        • IR decisions and containment measures.<\/li>\n
                                                                        • Product security requirements and design changes.<\/li>\n
                                                                        • Leadership reporting and risk decisions.<\/li>\n<\/ul>\n\n\n\n

                                                                          Nature of collaboration<\/h3>\n\n\n\n
                                                                            \n
                                                                          • TI is a service + enablement<\/strong> function: it produces analytic products and also co-builds operational outcomes with other teams.<\/li>\n
                                                                          • Most collaboration is iterative: intel \u2192 action request \u2192 implementation \u2192 feedback \u2192 refinement.<\/li>\n<\/ul>\n\n\n\n

                                                                            Typical decision-making authority<\/h3>\n\n\n\n
                                                                              \n
                                                                            • Decides what intelligence is relevant, how to score it, and how to package it.<\/li>\n
                                                                            • Recommends actions and priorities; execution authority often sits with SOC\/IR\/VM\/Engineering leadership.<\/li>\n<\/ul>\n\n\n\n

                                                                              Escalation points<\/h3>\n\n\n\n
                                                                                \n
                                                                              • Conflicting priorities (e.g., emergency patch vs release constraints) escalated to SecOps leadership\/CISO delegate.<\/li>\n
                                                                              • Vendor\/tool spending escalated to Director\/VP depending on budget thresholds.<\/li>\n
                                                                              • Legal\/privacy concerns escalated to General Counsel\/Privacy Officer as appropriate.<\/li>\n<\/ul>\n\n\n\n
                                                                                \n\n\n\n

                                                                                13) Decision Rights and Scope of Authority<\/h2>\n\n\n\n

                                                                                Can decide independently<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • Intelligence relevance scoring, confidence levels, and handling labels (e.g., TLP).<\/li>\n
                                                                                • What becomes a bulletin vs an FYI vs a watch item.<\/li>\n
                                                                                • Initial analytic judgments (with clear confidence statements) and recommended next steps.<\/li>\n
                                                                                • TI workflows, templates, and quality standards (within agreed operating model).<\/li>\n
                                                                                • Technical approach for enrichment automation scripts and analytic methods.<\/li>\n<\/ul>\n\n\n\n

                                                                                  Requires team approval (Security\/SecOps consensus)<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Changes that impact SOC workflows materially (alert routing, triage logic, sustained new tasks).<\/li>\n
                                                                                  • Detection content changes that may affect alert volumes or operational load (typically reviewed by Detection Engineering\/SOC).<\/li>\n
                                                                                  • New recurring deliverables that commit other teams (e.g., weekly hunt cadence requiring SOC support).<\/li>\n<\/ul>\n\n\n\n

                                                                                    Requires manager\/director\/executive approval<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Budget spend on TI tools, new feed contracts, or major platform changes.<\/li>\n
                                                                                    • Policy-level changes (information sharing policy, data retention affecting TI pipelines).<\/li>\n
                                                                                    • Organization-wide response posture changes based on TI (e.g., blocking broad IP ranges, aggressive geo-blocking, emergency user friction changes).<\/li>\n
                                                                                    • Headcount requests or changes to operating model that cross org boundaries.<\/li>\n<\/ul>\n\n\n\n

                                                                                      Budget \/ vendor authority (typical)<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Influences vendor selection and requirements; may lead evaluations and recommend decisions.<\/li>\n
                                                                                      • Final purchase approval typically resides with Director\/VP and Procurement.<\/li>\n<\/ul>\n\n\n\n

                                                                                        Architecture \/ delivery authority<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Can define TI integration patterns (TIP \u2194 SIEM \u2194 SOAR \u2194 ITSM), but production changes often require Security Engineering\/SecOps platform owners to approve and implement.<\/li>\n<\/ul>\n\n\n\n

                                                                                          Hiring authority<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Usually contributes to hiring panels, develops interview content, and mentors new hires; final hiring decisions typically made by the hiring manager.<\/li>\n<\/ul>\n\n\n\n

                                                                                            Compliance authority<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Ensures TI handling aligns to policy (TLP, privacy constraints). Formal compliance sign-off typically belongs to GRC\/Legal.<\/li>\n<\/ul>\n\n\n\n
                                                                                              \n\n\n\n

                                                                                              14) Required Experience and Qualifications<\/h2>\n\n\n\n

                                                                                              Typical years of experience<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • 8\u201312 years<\/strong> in security, with 3\u20136 years<\/strong> directly in threat intelligence, detection\/response, or adjacent domains (SOC, IR, detection engineering).<\/li>\n
                                                                                              • Lead-level expectations include consistent delivery ownership, cross-team influence, and program\/process maturity contributions.<\/li>\n<\/ul>\n\n\n\n

                                                                                                Education expectations<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Bachelor\u2019s degree in Computer Science, Information Security, or related field is common. <\/li>\n
                                                                                                • Equivalent experience is often acceptable, especially with strong technical evidence and operational accomplishments.<\/li>\n<\/ul>\n\n\n\n

                                                                                                  Certifications (Common \/ Optional)<\/h3>\n\n\n\n

                                                                                                  Common (helpful, not always required):<\/strong>\n– GIAC GCTI (Cyber Threat Intelligence)\n– GIAC GCIA \/ GCIH (network analysis \/ incident handling)\n– CompTIA Security+ (baseline; more common earlier career)\n– MITRE ATT&CK training (non-cert but relevant)<\/p>\n\n\n\n

                                                                                                  Optional \/ Context-specific:<\/strong>\n– CISSP (useful for broader security leadership and governance)\n– AWS\/Azure security certs (useful in cloud-heavy orgs)\n– GIAC GPEN \/ GXPN (pentest; helps understanding attacker tradecraft)\n– SANS FOR578 (cyber threat intel) or similar advanced TI coursework<\/p>\n\n\n\n

                                                                                                  Prior role backgrounds commonly seen<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Senior SOC Analyst \/ SOC Lead<\/li>\n
                                                                                                  • Incident Responder \/ DFIR Analyst<\/li>\n
                                                                                                  • Detection Engineer \/ Security Engineer (SIEM\/EDR)<\/li>\n
                                                                                                  • Vulnerability Analyst with exploitation intelligence focus<\/li>\n
                                                                                                  • Threat Intel Analyst (senior), moving into lead scope<\/li>\n<\/ul>\n\n\n\n

                                                                                                    Domain knowledge expectations<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Strong understanding of:<\/li>\n
                                                                                                    • attacker lifecycle and common intrusion chains,<\/li>\n
                                                                                                    • phishing and credential theft patterns,<\/li>\n
                                                                                                    • ransomware ecosystem and initial access vectors,<\/li>\n
                                                                                                    • cloud identity threats and misconfiguration abuse,<\/li>\n
                                                                                                    • software supply-chain risks (in software companies).<\/li>\n
                                                                                                    • Familiarity with regulatory constraints is helpful (e.g., SOC2, ISO 27001, GDPR) but not always central unless the environment is regulated.<\/li>\n<\/ul>\n\n\n\n

                                                                                                      Leadership experience expectations (Lead level)<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Demonstrated ability to:<\/li>\n
                                                                                                      • lead cross-functional initiatives,<\/li>\n
                                                                                                      • mentor analysts,<\/li>\n
                                                                                                      • establish standards and repeatable processes,<\/li>\n
                                                                                                      • communicate with executives and influence priorities.<\/li>\n
                                                                                                      • Direct people management experience is optional<\/strong> unless the organization explicitly defines \u201cLead\u201d as a formal manager.<\/li>\n<\/ul>\n\n\n\n
                                                                                                        \n\n\n\n

                                                                                                        15) Career Path and Progression<\/h2>\n\n\n\n

                                                                                                        Common feeder roles into this role<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Senior Threat Intelligence Analyst<\/li>\n
                                                                                                        • Senior SOC Analyst \/ SOC Shift Lead<\/li>\n
                                                                                                        • Detection Engineer (senior)<\/li>\n
                                                                                                        • Incident Response analyst (senior)<\/li>\n
                                                                                                        • Vulnerability Analyst with strong exploitation intel capability<\/li>\n<\/ul>\n\n\n\n

                                                                                                          Next likely roles after this role<\/h3>\n\n\n\n

                                                                                                          Individual Contributor progression:<\/strong>\n– Principal Threat Intelligence Analyst<\/strong>\n– Staff Security Analyst (Detection & Response \/ Threat Intel)<\/strong>\n– Threat Intelligence Architect<\/strong> (context-specific; more design\/operating model heavy)<\/p>\n\n\n\n

                                                                                                          Management progression:<\/strong>\n– Threat Intelligence Manager<\/strong> (builds team, budgets, formal strategy)\n– SOC Manager \/ Detection & Response Manager<\/strong> (broader operational scope)\n– Director of Security Operations<\/strong> (longer-term path)<\/p>\n\n\n\n

                                                                                                          Adjacent career paths<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Detection Engineering (specialize in rule development and telemetry)<\/li>\n
                                                                                                          • Incident Response \/ DFIR leadership<\/li>\n
                                                                                                          • Cloud Security Engineering (identity-first detection focus)<\/li>\n
                                                                                                          • Product Security \/ Abuse & Fraud (for consumer products)<\/li>\n
                                                                                                          • Security Risk Strategy (if leaning toward executive reporting and governance)<\/li>\n<\/ul>\n\n\n\n

                                                                                                            Skills needed for promotion (to Principal or Manager)<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Proven TI program impact over multiple quarters (measurable outcomes).<\/li>\n
                                                                                                            • Broader strategic thinking (multi-year threat outlook, investment recommendations).<\/li>\n
                                                                                                            • Stronger operating model design (tooling roadmap, staffing model, service catalog).<\/li>\n
                                                                                                            • Greater ability to influence and align across engineering\/product leadership.<\/li>\n
                                                                                                            • For management: hiring, performance management, budget ownership, stakeholder portfolio management.<\/li>\n<\/ul>\n\n\n\n

                                                                                                              How this role evolves over time<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Early: establish credibility with quick wins and operationalization.<\/li>\n
                                                                                                              • Mid: build durable processes, SLAs, and high-signal dissemination.<\/li>\n
                                                                                                              • Mature: become the organization\u2019s intelligence authority shaping security strategy and resilience planning (tabletops, architecture guidance, vendor selection).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                \n\n\n\n

                                                                                                                16) Risks, Challenges, and Failure Modes<\/h2>\n\n\n\n

                                                                                                                Common role challenges<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Signal-to-noise overload<\/strong> from feeds and OSINT leading to burnout and low-impact outputs.<\/li>\n
                                                                                                                • Lack of clear PIRs<\/strong> causing reactive, unfocused work.<\/li>\n
                                                                                                                • Operationalization gap<\/strong>: intelligence reports produced but not converted into detections, hunts, or mitigations.<\/li>\n
                                                                                                                • Telemetry gaps<\/strong>: inability to validate or hunt due to missing logs, poor normalization, or access constraints.<\/li>\n
                                                                                                                • Stakeholder mismatch<\/strong>: delivering overly technical reports to executives or overly high-level reports to SOC.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                  Bottlenecks<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • Detection engineering backlog and limited bandwidth to implement TI-driven detections.<\/li>\n
                                                                                                                  • Slow change management for blocks\/config changes (IT or network teams).<\/li>\n
                                                                                                                  • Procurement delays for tooling improvements.<\/li>\n
                                                                                                                  • Incomplete asset inventory affecting vulnerability prioritization accuracy.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                    Anti-patterns<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Measuring success by volume: \u201cnumber of IOCs processed\u201d without actionability.<\/li>\n
                                                                                                                    • Over-indexing on attribution when it doesn\u2019t change decisions.<\/li>\n
                                                                                                                    • Sharing unverified intel broadly, causing unnecessary panic or operational disruption.<\/li>\n
                                                                                                                    • Producing long reports with unclear \u201cdo this now\u201d actions and owners.<\/li>\n
                                                                                                                    • Treating TI as a silo instead of a service integrated into SecOps.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                      Common reasons for underperformance<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Weak analytic writing and inability to synthesize.<\/li>\n
                                                                                                                      • Poor understanding of the company\u2019s environment and what \u201crelevant\u201d means.<\/li>\n
                                                                                                                      • Lack of technical fluency in SIEM\/EDR queries, preventing validation.<\/li>\n
                                                                                                                      • Inability to influence cross-functionally; recommendations consistently ignored.<\/li>\n
                                                                                                                      • Overconfidence and lack of clear confidence levels or evidence.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                        Business risks if this role is ineffective<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Increased likelihood of successful attacks due to missed early warnings and poor prioritization.<\/li>\n
                                                                                                                        • Slower and more expensive incident response due to lack of context and prepared detections.<\/li>\n
                                                                                                                        • Inefficient spend on feeds and tools with minimal security outcomes.<\/li>\n
                                                                                                                        • Leadership blind spots: security strategy not aligned to actual threat landscape.<\/li>\n
                                                                                                                        • Higher customer impact and reputational damage from preventable security incidents.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          \n\n\n\n

                                                                                                                          17) Role Variants<\/h2>\n\n\n\n

                                                                                                                          By company size<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Small (<500 employees):<\/strong> <\/li>\n
                                                                                                                          • Role is broader and more hands-on; may combine TI + hunting + detection engineering support. <\/li>\n
                                                                                                                          • \n

                                                                                                                            Fewer tools; more OSINT and manual workflows; direct access to decision makers.<\/p>\n<\/li>\n

                                                                                                                          • \n

                                                                                                                            Mid-size (500\u20135,000):<\/strong> <\/p>\n<\/li>\n

                                                                                                                          • Balanced TI program with TIP\/SIEM integration. <\/li>\n
                                                                                                                          • \n

                                                                                                                            Strong emphasis on operationalization and cross-team SLAs.<\/p>\n<\/li>\n

                                                                                                                          • \n

                                                                                                                            Enterprise (5,000+):<\/strong> <\/p>\n<\/li>\n

                                                                                                                          • Specialization increases: separate collection team, malware team, brand protection, regional TI. <\/li>\n
                                                                                                                          • Lead TI analyst may focus on program leadership, requirements, and stakeholder-facing products.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                            By industry<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • B2B SaaS:<\/strong> <\/li>\n
                                                                                                                            • \n

                                                                                                                              Heavy focus on identity threats, cloud control plane abuse, supply-chain and CI\/CD risks, customer trust communications.<\/p>\n<\/li>\n

                                                                                                                            • \n

                                                                                                                              IT services \/ MSP \/ MSSP:<\/strong> <\/p>\n<\/li>\n

                                                                                                                            • \n

                                                                                                                              TI tailored to client environments; emphasis on broad threat coverage, repeatable intel packages, and rapid dissemination across many tenants.<\/p>\n<\/li>\n

                                                                                                                            • \n

                                                                                                                              Consumer tech:<\/strong> <\/p>\n<\/li>\n

                                                                                                                            • More emphasis on fraud, account takeover, impersonation, and brand protection.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                              By geography<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Regional differences show up in:<\/li>\n
                                                                                                                              • threat actor targeting patterns,<\/li>\n
                                                                                                                              • regulatory constraints on data sharing,<\/li>\n
                                                                                                                              • language requirements for OSINT,<\/li>\n
                                                                                                                              • time-zone coverage expectations.<\/li>\n
                                                                                                                              • Global companies often require TLP discipline and clear sharing policies across regions.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                Product-led vs service-led company<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Product-led:<\/strong> TI integrates with product security, abuse cases, and secure-by-design changes. <\/li>\n
                                                                                                                                • Service-led:<\/strong> TI integrates with client advisory, SOC operations, and standardized playbooks.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                  Startup vs enterprise<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Startup:<\/strong> fast decisions, fewer controls; TI must be pragmatic, focusing on top risks and immediate actions. <\/li>\n
                                                                                                                                  • Enterprise:<\/strong> complex stakeholder environment; TI must be process-driven, auditable, and aligned with governance.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                    Regulated vs non-regulated<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Regulated (finance\/health\/critical infra):<\/strong> stricter evidence and reporting requirements; TI outputs may support audits and formal risk management; sharing constraints are stricter. <\/li>\n
                                                                                                                                    • Non-regulated:<\/strong> more flexibility; faster iteration; still needs strong handling discipline.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      \n\n\n\n

                                                                                                                                      18) AI \/ Automation Impact on the Role<\/h2>\n\n\n\n

                                                                                                                                      Tasks that can be automated (high leverage)<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Indicator enrichment and pivoting<\/strong>: automated WHOIS\/passive DNS lookups, reputation checks, sandbox detonation workflows.<\/li>\n
                                                                                                                                      • Deduplication and scoring<\/strong>: clustering similar intel items, reducing feed noise, prioritizing by relevance tags and asset exposure.<\/li>\n
                                                                                                                                      • Report drafting assistance<\/strong>: first-pass summaries of long reports (with human verification and citations).<\/li>\n
                                                                                                                                      • Dissemination routing<\/strong>: automatically notify the right channels\/owners based on tags (cloud, identity, endpoint, product).<\/li>\n
                                                                                                                                      • IOC lifecycle management<\/strong>: expiry, suppression, and revalidation workflows integrated into TIP\/SIEM.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                        Tasks that remain human-critical<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Relevance judgment<\/strong>: deciding what matters to this<\/em> business, now<\/em>.<\/li>\n
                                                                                                                                        • Analytic rigor<\/strong>: weighing conflicting sources, assessing deception, articulating confidence and uncertainty.<\/li>\n
                                                                                                                                        • Tradeoff decisions<\/strong>: recommending disruptive mitigations with awareness of operational impact.<\/li>\n
                                                                                                                                        • Stakeholder influence and alignment<\/strong>: securing buy-in for prioritization, SLAs, and investments.<\/li>\n
                                                                                                                                        • Incident leadership support<\/strong>: real-time decision support in ambiguous, high-stakes situations.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                          How AI changes the role over the next 2\u20135 years<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • The role shifts from \u201ccollect and summarize\u201d toward curate, validate, and operationalize<\/strong> at scale.<\/li>\n
                                                                                                                                          • Leads will be expected to:<\/li>\n
                                                                                                                                          • implement AI-assisted workflows safely (governance, evaluation, auditing),<\/li>\n
                                                                                                                                          • measure model output quality (false summaries are dangerous),<\/li>\n
                                                                                                                                          • develop standards for AI usage in TI products (citation requirements, labeling, handling restrictions),<\/li>\n
                                                                                                                                          • build and maintain high-quality datasets (internal incident learnings, detections, outcomes) to improve automation.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                            New expectations caused by AI, automation, or platform shifts<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Ability to design human-in-the-loop<\/strong> pipelines where AI accelerates triage but humans control final analytic judgments.<\/li>\n
                                                                                                                                            • Increased emphasis on identity and SaaS telemetry<\/strong> as attackers leverage AI for phishing, social engineering, and faster infrastructure churn.<\/li>\n
                                                                                                                                            • Stronger integration with security data engineering: normalized schemas, entity resolution, and scalable analytics.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              \n\n\n\n

                                                                                                                                              19) Hiring Evaluation Criteria<\/h2>\n\n\n\n

                                                                                                                                              What to assess in interviews<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              1. \n

                                                                                                                                                Threat intelligence tradecraft<\/strong>\n – Can they define PIRs, evaluate sources, and articulate confidence?\n – Do they understand the TI lifecycle and feedback loops?<\/p>\n<\/li>\n

                                                                                                                                              2. \n

                                                                                                                                                Operationalization mindset<\/strong>\n – Do they naturally translate intel into detections, hunts, mitigations, and prioritized actions?\n – Can they define SLAs and success criteria?<\/p>\n<\/li>\n

                                                                                                                                              3. \n

                                                                                                                                                Technical fluency<\/strong>\n – SIEM query ability, indicator validation, ATT&CK mapping, and basic scripting.\n – Ability to reason about cloud\/identity threats.<\/p>\n<\/li>\n

                                                                                                                                              4. \n

                                                                                                                                                Communication quality<\/strong>\n – Can they write and speak clearly to both operators and executives?\n – Are outputs concise, structured, and action-oriented?<\/p>\n<\/li>\n

                                                                                                                                              5. \n

                                                                                                                                                Leadership (Lead-level)<\/strong>\n – Mentoring approach, ability to influence without authority, program improvement track record.<\/p>\n<\/li>\n<\/ol>\n\n\n\n

                                                                                                                                                Practical exercises or case studies (recommended)<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                1. \n

                                                                                                                                                  Intel-to-action case<\/strong> (60\u201390 minutes)\n – Provide: a vendor report on an active campaign + a handful of IOCs + brief company context.\n – Ask candidate to produce:<\/p>\n

                                                                                                                                                    \n
                                                                                                                                                  • a one-page operational bulletin (actions + owners),<\/li>\n
                                                                                                                                                  • ATT&CK mapping,<\/li>\n
                                                                                                                                                  • 3\u20135 hunting hypotheses with sample queries (pseudo-SPL\/KQL acceptable),<\/li>\n
                                                                                                                                                  • an executive summary paragraph with confidence statements.<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                  • \n

                                                                                                                                                    Vulnerability exploitation prioritization scenario<\/strong> (30\u201345 minutes)\n – Provide: 3 CVEs with mixed signals (KEV status, EPSS, exploit PoC, limited telemetry).\n – Ask: which gets escalated, recommended patch SLA, and what evidence would change the decision.<\/p>\n<\/li>\n

                                                                                                                                                  • \n

                                                                                                                                                    Writing sample<\/strong> (take-home, time-boxed)\n – Candidate rewrites a noisy intel feed item into a crisp, internally shareable note with citations and handling label.<\/p>\n<\/li>\n<\/ol>\n\n\n\n

                                                                                                                                                    Strong candidate signals<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Uses structured thinking: facts vs assumptions, clear confidence levels.<\/li>\n
                                                                                                                                                    • Prior experience operationalizing intel into detections\/hunts with measurable outcomes.<\/li>\n
                                                                                                                                                    • Comfortable with SIEM queries and can explain what data is needed to validate a claim.<\/li>\n
                                                                                                                                                    • Communicates with clarity and brevity; includes owners and next steps.<\/li>\n
                                                                                                                                                    • Demonstrates humility and willingness to update judgments with new evidence.<\/li>\n
                                                                                                                                                    • Has built or improved TI processes (templates, cadences, scoring systems).<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                                      Weak candidate signals<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Focuses heavily on attribution without tying it to actions.<\/li>\n
                                                                                                                                                      • Produces long summaries with no prioritization, no owners, and no decision points.<\/li>\n
                                                                                                                                                      • Cannot explain how they validated indicators or assessed source reliability.<\/li>\n
                                                                                                                                                      • Limited understanding of ATT&CK or inability to translate TTPs into detections.<\/li>\n
                                                                                                                                                      • Treats TI as separate from SecOps rather than integrated.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                                        Red flags<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Overconfidence: states conclusions without evidence or confidence framing.<\/li>\n
                                                                                                                                                        • Recommends disruptive blocks\/patching without considering operational risk.<\/li>\n
                                                                                                                                                        • Poor handling discipline: willing to overshare restricted intel or ignore privacy constraints.<\/li>\n
                                                                                                                                                        • Blames other teams for lack of action without demonstrating influence or collaboration.<\/li>\n
                                                                                                                                                        • Cannot describe a single example where their TI work changed an outcome.<\/li>\n<\/ul>\n\n\n\n

                                                                                                                                                          Scorecard dimensions (with suggested weighting)<\/h3>\n\n\n\n
                                                                                                                                                          \n\n\n\n\n\n\n\n\n\n
                                                                                                                                                          Dimension<\/th>\nWhat \u201cmeets bar\u201d looks like<\/th>\nWeight<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                          TI tradecraft & analytic rigor<\/td>\nClear PIR thinking, source evaluation, confidence scoring<\/td>\n20%<\/td>\n<\/tr>\n
                                                                                                                                                          Operationalization & impact orientation<\/td>\nConverts intel into actions; defines outcomes and SLAs<\/td>\n20%<\/td>\n<\/tr>\n
                                                                                                                                                          Technical fluency (SIEM\/EDR, ATT&CK, infra)<\/td>\nCan validate\/pivot; produces workable hunting\/detection ideas<\/td>\n20%<\/td>\n<\/tr>\n
                                                                                                                                                          Communication (written + verbal)<\/td>\nConcise, structured, executive-ready<\/td>\n15%<\/td>\n<\/tr>\n
                                                                                                                                                          Collaboration & influence<\/td>\nWorks across SOC\/IR\/VM\/Eng; constructive conflict handling<\/td>\n15%<\/td>\n<\/tr>\n
                                                                                                                                                          Leadership (Lead-level mentoring\/process)<\/td>\nMentors others; improves programs; sets standards<\/td>\n10%<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                          \n\n\n\n

                                                                                                                                                          20) Final Role Scorecard Summary<\/h2>\n\n\n\n
                                                                                                                                                          \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                          Category<\/th>\nSummary<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                          Role title<\/strong><\/td>\nLead Threat Intelligence Analyst<\/td>\n<\/tr>\n
                                                                                                                                                          Role purpose<\/strong><\/td>\nTurn internal and external threat signals into actionable intelligence that improves detection, response, and risk prioritization across a software\/IT organization.<\/td>\n<\/tr>\n
                                                                                                                                                          Top 10 responsibilities<\/strong><\/td>\n1) Define TI operating model and PIRs 2) Produce actionable intel products (weekly\/monthly) 3) Operationalize intel into detections\/hunts\/mitigations 4) Support incidents with rapid enrichment 5) Map TTPs to MITRE ATT&CK and drive coverage 6) Lead vulnerability exploitation prioritization inputs 7) Manage TI tooling workflows and integrations 8) Maintain adversary\/campaign dossiers 9) Govern intel quality, confidence, and handling (TLP) 10) Mentor analysts and drive continuous improvement KPIs<\/td>\n<\/tr>\n
                                                                                                                                                          Top 10 technical skills<\/strong><\/td>\n1) TI lifecycle & tradecraft 2) MITRE ATT&CK mapping 3) SIEM querying (SPL\/KQL\/Elastic) 4) IOC validation and infra pivoting 5) Incident response collaboration 6) Vulnerability exploitation intelligence (KEV\/EPSS) 7) Scripting\/automation (Python\/APIs) 8) Cloud security fundamentals (IAM\/logs) 9) TIP\/SOAR concepts and integrations 10) Detection content fundamentals (Sigma\/YARA\/queries)<\/td>\n<\/tr>\n
                                                                                                                                                          Top 10 soft skills<\/strong><\/td>\n1) Analytic rigor 2) Executive synthesis 3) Operational empathy 4) Influence without authority 5) Prioritization under ambiguity 6) Clear writing 7) Incident calmness 8) Collaboration & conflict navigation 9) Mentoring\/teaching 10) Accountability for outcomes<\/td>\n<\/tr>\n
                                                                                                                                                          Top tools or platforms<\/strong><\/td>\nSIEM (Splunk\/Sentinel\/Elastic), EDR (CrowdStrike\/Defender), TIP (Recorded Future\/ThreatConnect\/Anomali\u2014context-specific), SOAR (XSOAR\/Splunk SOAR), OSINT enrichment (VirusTotal\/urlscan\/GreyNoise\/Shodan), ITSM (ServiceNow\/Jira), Cloud logs (AWS\/Azure\/GCP), Collaboration (Slack\/Teams), Docs (Confluence\/SharePoint), Python + Git<\/td>\n<\/tr>\n
                                                                                                                                                          Top KPIs<\/strong><\/td>\nIntel-to-action cycle time; % curated intel operationalized; TI-driven detection coverage lift; incident enrichment SLA; patch acceleration for exploited vulns; source value score; analytic quality score; stakeholder satisfaction; report timeliness; hunt yield rate<\/td>\n<\/tr>\n
                                                                                                                                                          Main deliverables<\/strong><\/td>\nPIRs and TI operating model; weekly intel notes; monthly threat landscape reports; campaign\/adversary dossiers; hunting packages; detection requests and rule artifacts; vulnerability exploitation advisories; TI dashboards\/KPI reports; TI runbooks; training briefings<\/td>\n<\/tr>\n
                                                                                                                                                          Main goals<\/strong><\/td>\nFirst 90 days: establish cadence, scoring standards, and TI-to-action workflow with measurable early wins. 6\u201312 months: mature program into a trusted, metrics-driven intelligence-led defense capability integrated across SOC\/IR\/VM\/Product Security.<\/td>\n<\/tr>\n
                                                                                                                                                          Career progression options<\/strong><\/td>\nPrincipal\/Staff Threat Intelligence Analyst; Threat Intelligence Manager; SOC\/Detection & Response Manager; Security Operations Director path; adjacent: Detection Engineering lead, IR lead, Cloud Security lead, Product Security\/Abuse lead<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

                                                                                                                                                          The **Lead Threat Intelligence Analyst** is a senior, hands-on security analyst who designs, runs, and continuously improves an organization\u2019s threat intelligence (TI) capability to reduce cyber risk. The role turns raw signals (telemetry, OSINT, vendor feeds, dark web monitoring, incident learnings) into **actionable intelligence** that informs detection engineering, incident response, vulnerability management, and security strategy.<\/p>\n","protected":false},"author":61,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[24453,24460],"tags":[],"class_list":["post-72702","post","type-post","status-publish","format-standard","hentry","category-analyst","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/72702","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=72702"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/72702\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=72702"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=72702"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=72702"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}