Threat Intelligence: Skills, Tools, Career

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete skills and certifications series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 11 min read

What a Threat Intelligence Analyst Actually Does

A threat intelligence analyst collects, processes, and analyzes information about cyber threats to help organizations make better security decisions. The role sits at the intersection of technical security skills and analytical thinking — part researcher, part investigator, part communicator.

On a typical day, a threat intelligence analyst might:

  • Monitor threat feeds and intelligence sources for new indicators of compromise (IOCs)
  • Analyze a malware sample to determine its capabilities and attribution
  • Research a threat actor group’s tactics, techniques, and procedures (TTPs)
  • Write an intelligence report advising the security team on emerging threats relevant to their organization
  • Brief security leadership on the threat landscape and recommend defensive priorities
  • Collaborate with SOC analysts to improve detection rules based on new threat data
  • Assess whether a trending vulnerability affects the organization’s technology stack

The core output is actionable intelligence — information that enables someone to make a decision or take an action they could not have taken without it. Raw data is not intelligence. A list of malicious IP addresses is data. An assessment that a specific threat actor is targeting your industry using specific techniques, along with detection guidance, is intelligence.

For a broader view of where threat intelligence fits in the security skills hierarchy, see our cybersecurity skills guide.

Types of Threat Intelligence

Threat intelligence operates at three levels, each serving different audiences and decision-making timeframes:

Strategic Intelligence

Audience: Executives, board members, and security leadership
Timeframe: Months to years
Format: Written reports, briefings, trend analysis

Strategic intelligence addresses high-level questions: Which threat actors target our industry? What are the emerging threat trends? How should we allocate security resources? This type of intelligence influences budget decisions, security strategy, and risk management.

Strategic analysts need strong writing skills, business acumen, and the ability to translate technical threats into business impact. They read geopolitical analysis, industry reports, and long-term trend data.

Operational Intelligence

Audience: Security managers, incident responders, and hunt teams
Timeframe: Days to weeks
Format: Campaign analysis reports, threat actor profiles, TTP documentation

Operational intelligence describes specific campaigns, threat actor behaviors, and attack methodologies. It answers questions like: How does this threat group gain initial access? What tools do they use for lateral movement? What are their objectives?

Operational analysts map threat actor activity to frameworks like MITRE ATT&CK, profile adversary infrastructure, and track campaigns across organizations. This intelligence drives detection engineering and proactive hunting.

Tactical Intelligence

Audience: SOC analysts, detection engineers, and security tools
Timeframe: Hours to days
Format: IOCs (IP addresses, domains, file hashes), detection signatures, YARA rules

Tactical intelligence provides specific, machine-readable indicators that security tools can use for detection. It is the most technical and the most perishable: an attacker's IP address may be relevant for hours before they switch infrastructure, and a file hash stops matching the moment the sample is rebuilt. Record when each indicator was last seen and expire it, rather than letting stale IOCs pile up in blocklists and generate false positives against reassigned infrastructure.

Tactical analysts process threat feeds, validate indicators, and ensure they are operationalized in detection platforms like SIEM systems and EDR tools.

The Intelligence Lifecycle

Threat intelligence follows a structured process, regardless of the type being produced:

1. Planning and Direction: Define intelligence requirements based on organizational needs. What questions do stakeholders need answered? What threats are most relevant to the organization’s industry, geography, and technology stack? This phase prevents wasted effort on intelligence that no one will use.

2. Collection: Gather raw data from multiple sources. Open-source intelligence (OSINT) from public sources, commercial threat feeds, dark web monitoring, information sharing communities (ISACs), government advisories, and internal telemetry from your own security tools.

3. Processing: Convert raw data into a format suitable for analysis. Parse log files, translate foreign language documents, normalize IOC formats, and deduplicate data from multiple sources. Automation plays a significant role here — processing thousands of indicators manually is not feasible.

4. Analysis: Apply analytical techniques to processed data to produce intelligence. Identify patterns, assess threat actor capabilities and intent, evaluate reliability of sources, and develop judgments about future activity. This is the step that transforms data into intelligence.

5. Dissemination: Deliver intelligence to the right audience in the right format at the right time. A CISO needs a one-page briefing. A SOC analyst needs IOCs loaded into the SIEM. A detection engineer needs TTP analysis mapped to MITRE ATT&CK. Same intelligence, different delivery formats.

6. Feedback: Collect input from consumers on the usefulness of delivered intelligence. Did it answer their questions? Was it timely? Was the format useful? Feedback drives continuous improvement of the intelligence program.
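The processing and dissemination steps above, and the perishability of tactical indicators, are easiest to see in code. The following is an added example, not code from the original article or from any vendor: it ingests two constructed feeds (a CSV and a JSON one that defang differently and overlap), refangs and normalizes the indicators, deduplicates on (type, value) while keeping every source and the sighting window, then drops anything past an assumed per-type shelf life before it would be pushed to a SIEM. The feed contents, the type aliases and the TTL values are assumptions for illustration.

```python
import csv
import io
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feeds for illustration (not real indicators). Feed A is
# CSV, feed B is JSON; they defang differently and overlap on purpose.
FEED_A_CSV = """indicator,type,first_seen,source
198[.]51[.]100[.]23,ip,2026-02-20T10:00:00Z,feed-a
hxxp://Malicious[.]example/payload.bin,url,2026-02-25T08:30:00Z,feed-a
Malicious[.]Example,domain,2026-02-26T09:00:00Z,feed-a
"""
FEED_B_JSON = json.dumps([
    {"value": "198.51.100.23", "kind": "ipv4", "seen": "2026-02-27T12:00:00Z"},
    {"value": "malicious.example", "kind": "fqdn", "seen": "2026-02-27T12:00:00Z"},
    {"value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "kind": "sha256", "seen": "2026-02-27T12:00:00Z"},
])

# Each feed names indicator types differently; map them onto one vocabulary.
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "fqdn": "domain", "domain": "domain",
                "url": "url", "sha256": "sha256"}
# Assumed shelf life per indicator type before it must be re-validated.
TTL = {"ipv4": timedelta(days=3), "url": timedelta(days=7),
       "domain": timedelta(days=14), "sha256": timedelta(days=365)}


def refang(value: str) -> str:
    """Undo common defanging so the same indicator from two feeds compares equal."""
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def normalize(value: str, kind: str) -> tuple[str, str]:
    """Return (canonical value, canonical type); hostnames and hashes are case-insensitive."""
    kind = TYPE_ALIASES[kind.lower()]
    value = refang(value)
    if kind in ("domain", "sha256"):
        value = value.lower()
    elif kind == "url":
        scheme, _, rest = value.partition("://")
        host, slash, path = rest.partition("/")
        value = f"{scheme.lower()}://{host.lower()}{slash}{path}"
    return value, kind


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_feed_a(text: str):
    for row in csv.DictReader(io.StringIO(text)):
        value, kind = normalize(row["indicator"], row["type"])
        yield {"value": value, "type": kind, "seen": parse_ts(row["first_seen"]),
               "source": row["source"]}


def parse_feed_b(text: str):
    for item in json.loads(text):
        value, kind = normalize(item["value"], item["kind"])
        yield {"value": value, "type": kind, "seen": parse_ts(item["seen"]),
               "source": "feed-b"}


def merge(records):
    """Deduplicate on (type, value); keep every source and the sighting window."""
    merged = {}
    for r in records:
        key = (r["type"], r["value"])
        entry = merged.setdefault(key, {"type": r["type"], "value": r["value"],
                                        "first_seen": r["seen"], "last_seen": r["seen"],
                                        "sources": set()})
        entry["sources"].add(r["source"])
        entry["first_seen"] = min(entry["first_seen"], r["seen"])
        entry["last_seen"] = max(entry["last_seen"], r["seen"])
    return merged


def actionable(merged, now: datetime):
    """Drop indicators past their TTL; corroborated ones get higher confidence."""
    out = []
    for entry in merged.values():
        expires = entry["last_seen"] + TTL[entry["type"]]
        if expires <= now:
            continue  # perishable indicator: do not push stale IOCs to the SIEM
        out.append({**entry, "sources": sorted(entry["sources"]), "expires": expires,
                    "confidence": "high" if len(entry["sources"]) > 1 else "medium"})
    return sorted(out, key=lambda e: (e["type"], e["value"]))


def process_feeds(now: datetime):
    records = list(parse_feed_a(FEED_A_CSV)) + list(parse_feed_b(FEED_B_JSON))
    return actionable(merge(records), now)


if __name__ == "__main__":
    for ioc in process_feeds(datetime.now(timezone.utc)):
        print(ioc["type"], ioc["value"], ioc["confidence"], ioc["expires"].date(), ioc["sources"])
```

Only the output of actionable() should reach the SIEM or EDR; the merged table with first/last seen is what you keep for analysis and for answering "was this ever in our feeds?" later. The TTL table is the knob to tune from your own feed history.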

Technical Skills Required

Threat intelligence analysts need a blend of security operations experience and specialized technical skills:

Malware analysis: At minimum, you need static analysis skills, meaning you examine a sample without executing it: extract strings, identify the file type from its header rather than its extension, compute hashes and check them against known signatures and VirusTotal, and examine metadata. Dynamic analysis (detonating the sample in an isolated sandbox and observing its behavior) is increasingly expected for mid-level roles.
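The static triage pass just described, as an added example that is not part of the original article: identify the file type from magic bytes, hash it, measure entropy (a packed or encrypted payload sits near 8 bits per byte), pull ASCII and UTF-16LE strings, and surface the ones an analyst cares about. The sample is a constructed PE-like blob with planted strings, not a real executable, and the pattern lists are assumptions to extend.

```python
import hashlib
import math
import re
from collections import Counter

# Magic bytes for the file types most often seen in phishing and malware triage.
MAGIC = [
    (b"MZ", "PE executable (Windows)"),
    (b"\x7fELF", "ELF executable (Linux)"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP container (Office OOXML, JAR, APK)"),
    (b"\xd0\xcf\x11\xe0", "OLE compound document (legacy Office)"),
]

# String patterns worth surfacing to an analyst (assumed list; extend to taste).
SUSPICIOUS = {
    "url": re.compile(r"https?://[\w.\-]+(?:/[\w./?=&%\-]*)?"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "api": re.compile(r"\b(?:VirtualAlloc(?:Ex)?|WriteProcessMemory|CreateRemoteThread|"
                      r"NtUnmapViewOfSection|SetWindowsHookEx|IsDebuggerPresent)\b"),
    "persistence": re.compile(r"CurrentVersion\\Run|schtasks|\\Startup\\", re.IGNORECASE),
    "lolbin": re.compile(r"\b(?:cmd\.exe|powershell(?:\.exe)?|rundll32|regsvr32|mshta)\b",
                         re.IGNORECASE),
}


def identify(data: bytes) -> str:
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 8.0 is uniform random; above ~7.2 hints at packing."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def strings(data: bytes, min_len: int = 5) -> list[str]:
    """Printable ASCII and UTF-16LE runs, like strings(1) plus its wide-string pass."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + [s.decode("utf-16le") for s in wide_runs]


def triage(data: bytes) -> dict:
    found = strings(data)
    flagged = {name: sorted({m for s in found for m in rx.findall(s)})
               for name, rx in SUSPICIOUS.items()}
    return {"type": identify(data), "size": len(data), "hashes": hashes(data),
            "entropy": round(entropy(data), 3), "string_count": len(found), "flagged": flagged}


# Constructed sample: a PE-like blob with planted strings and a high-entropy
# tail standing in for a packed section. It is not a runnable executable.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n$"
          + b"VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00"
          + b"http://203.0.113.10/update.php\x00"
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00\x00"
          + "powershell.exe -enc".encode("utf-16le") + b"\x00\x00"
          + bytes(range(256)) * 8)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Treat the output as a starting point for pivots (hash to VirusTotal, URL and IP to passive DNS and your own proxy logs), not as a verdict; benign installers also import VirtualAlloc.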

Network analysis: Read and interpret packet captures, understand network protocols, and identify command-and-control (C2) communication patterns. Familiarity with Wireshark, Zeek, and network flow analysis is expected.
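One C2 pattern worth recognizing in flow data is beaconing: an implant calling home on a fixed timer with a little jitter. The example below is added here and is not from the original article; it runs simple periodicity detection over constructed Zeek-style conn.log rows (a beaconing host, a browsing host and a one-off connection), grouping by source, destination and port and flagging tuples whose inter-connection intervals have a low coefficient of variation. The thresholds and the log contents are assumptions.

```python
import statistics
from collections import defaultdict


def conn_line(ts, src, dst, port, obytes):
    """One Zeek-style conn.log row (tab separated); only the columns we need."""
    return f"{ts:.6f}\t{src}\t{dst}\t{port}\ttcp\t{obytes}"


# Constructed log: 10.0.0.5 beacons to 203.0.113.50:443 every 60 s with +/-1 s
# jitter and near-constant size; 10.0.0.7 browses a web server at irregular times.
BASE = 1_700_000_000
BEACON_TS = [BASE + 60 * i + (i % 3) - 1 for i in range(20)]
BROWSE_TS = [BASE + t for t in (0, 3, 4, 30, 120, 121, 400, 401, 402, 950, 1500, 1501)]
SAMPLE_LOG = "\n".join(
    [conn_line(ts, "10.0.0.5", "203.0.113.50", 443, 312 + (i % 2) * 8)
     for i, ts in enumerate(BEACON_TS)]
    + [conn_line(ts, "10.0.0.7", "198.51.100.20", 443, 1500 + 700 * (i % 5))
       for i, ts in enumerate(BROWSE_TS)]
    + [conn_line(BASE + 5, "10.0.0.7", "203.0.113.50", 443, 900)]  # one-off, below min_conns
)


def parse_conn_log(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, _proto, obytes = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "port": int(port), "bytes": int(obytes)})
    return records


def find_beacons(records: list[dict], min_conns: int = 8, max_cv: float = 0.15) -> list[dict]:
    """Flag (src, dst, port) tuples whose inter-connection intervals are regular.
    CV = stdev/mean of the intervals; real beacons sit well under 0.15 even with jitter."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"], r["port"])].append(r)
    hits = []
    for (src, dst, port), conns in by_pair.items():
        if len(conns) < min_conns:
            continue
        conns.sort(key=lambda r: r["ts"])
        intervals = [b["ts"] - a["ts"] for a, b in zip(conns, conns[1:])]
        mean = statistics.fmean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        sizes = [c["bytes"] for c in conns]
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(conns),
                         "period_s": round(mean, 1), "interval_cv": round(cv, 3),
                         "size_cv": round(statistics.pstdev(sizes) / statistics.fmean(sizes), 3)})
    return sorted(hits, key=lambda h: h["interval_cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(SAMPLE_LOG)):
        print(hit)
```

On real traffic, whitelist known periodic clients (NTP, update checkers, monitoring agents) before looking at what is left, and remember that implants with long sleep intervals and heavy jitter defeat a plain CV threshold; those need longer observation windows and per-destination baselines.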

OSINT: Ability to gather information from public sources — domain registration data (WHOIS), certificate transparency logs, social media, forums, paste sites, and code repositories. Tools like Maltego, Shodan, and SpiderFoot automate portions of this work.

Scripting: Python is the primary language for threat intelligence automation. You will write scripts to parse threat feeds, query APIs, process IOCs, and generate reports. See our Python for cybersecurity guide for a structured learning path.

SIEM and security tools: You need to query SIEMs, write detection rules, and work with EDR platforms. Intelligence that cannot be operationalized in security tools has limited value. Proficiency in at least one SIEM platform is expected.

Data analysis: Work with large datasets to identify patterns. Excel/Sheets for basic analysis, Python (pandas) for larger datasets. Visualization skills help communicate findings.

Analytical Skills That Set You Apart

Technical skills get you into the field. Analytical skills determine how far you advance.

Structured analytical techniques: Methods like Analysis of Competing Hypotheses (ACH), link analysis, and timeline analysis provide rigor to assessments. They prevent confirmation bias and ensure conclusions are supported by evidence.

Source evaluation: Not all intelligence sources are equally reliable. Assess source reliability (has this source been accurate historically?) separately from information credibility (does this specific item make sense given what else we know, and is it corroborated?). The Admiralty Code (also called the NATO System) standardizes this: reliability is graded A to F and credibility 1 to 6, so a single vendor blog post might be C3 while your own incident responders' forensic finding is A1 or A2. Record the grade with each piece of evidence, because it should weight how much that item counts in your analysis.
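The two techniques above combine naturally: Analysis of Competing Hypotheses scores each hypothesis by the evidence that is inconsistent with it, and Admiralty grades decide how much each piece of evidence weighs. The example below is added here and is not from the original article. It runs ACH over a constructed intrusion (three hypotheses, six graded evidence items, none of it a real case), reports which evidence is non-diagnostic, and checks which single item, if discredited, would flip the leading hypothesis. The numeric weights attached to the Admiralty letters and digits are an assumption; the A to F and 1 to 6 scales are the standard ones.

```python
# Admiralty (NATO) grading: source reliability A-F and information credibility 1-6.
# The scale is the standard one; the numeric weights are an assumption for this
# example. F and 6 mean "cannot be judged", so they get a neutral weight.
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.5}
CREDIBILITY = {"1": 1.0, "2": 0.8, "3": 0.6, "4": 0.4, "5": 0.2, "6": 0.5}

# ACH rating of one evidence item against one hypothesis. Following Heuer, only
# inconsistency counts: consistent evidence is easy to find for a wrong
# hypothesis, inconsistent evidence is what refutes one.
INCONSISTENCY = {"CC": 0.0, "C": 0.0, "N": 0.0, "I": 1.0, "II": 2.0}

HYPOTHESES = ["H1", "H2", "H3"]
DESCRIPTIONS = {"H1": "financially motivated crew", "H2": "state-sponsored espionage",
                "H3": "malicious insider"}
# Constructed evidence for a hypothetical intrusion (not a real case).
EVIDENCE = [
    {"id": "E1", "grade": "A2", "text": "Data staged and exfiltrated; no encryption or ransom note",
     "ratings": {"H1": "I", "H2": "C", "H3": "C"}},
    {"id": "E2", "grade": "B2", "text": "Initial access via spearphish from external infrastructure",
     "ratings": {"H1": "C", "H2": "C", "H3": "I"}},
    {"id": "E3", "grade": "C3", "text": "Single vendor blog links the tooling to an espionage toolkit",
     "ratings": {"H1": "I", "H2": "CC", "H3": "I"}},
    {"id": "E4", "grade": "A1", "text": "Hands-on activity during the victim's business hours",
     "ratings": {"H1": "N", "H2": "N", "H3": "C"}},
    {"id": "E5", "grade": "B1", "text": "Victim had internet-exposed services",
     "ratings": {"H1": "C", "H2": "C", "H3": "C"}},
    {"id": "E6", "grade": "B3", "text": "Exfil destination previously seen in extortion campaigns",
     "ratings": {"H1": "C", "H2": "I", "H3": "N"}},
]


def weight(grade: str) -> float:
    """Admiralty grade such as 'B2' -> combined evidence weight."""
    return RELIABILITY[grade[0].upper()] * CREDIBILITY[grade[1]]


def ach_scores(hypotheses: list[str], evidence: list[dict]) -> dict:
    """Weighted inconsistency per hypothesis; the lowest score is best supported."""
    scores = {h: 0.0 for h in hypotheses}
    for e in evidence:
        w = weight(e["grade"])
        for h in hypotheses:
            scores[h] += w * INCONSISTENCY[e["ratings"][h]]
    return {h: round(s, 3) for h, s in scores.items()}


def rank(hypotheses: list[str], evidence: list[dict]) -> list[str]:
    scores = ach_scores(hypotheses, evidence)
    return sorted(scores, key=scores.get)


def non_diagnostic(hypotheses: list[str], evidence: list[dict]) -> list[str]:
    """Evidence rated the same against every hypothesis cannot discriminate between them."""
    return [e["id"] for e in evidence if len({e["ratings"][h] for h in hypotheses}) == 1]


def sensitivity(hypotheses: list[str], evidence: list[dict]) -> list[str]:
    """Which single evidence item, if discredited, would change the leading hypothesis?"""
    leader = rank(hypotheses, evidence)[0]
    return [e["id"] for e in evidence
            if rank(hypotheses, [x for x in evidence if x is not e])[0] != leader]


if __name__ == "__main__":
    for h in rank(HYPOTHESES, EVIDENCE):
        print(h, DESCRIPTIONS[h], ach_scores(HYPOTHESES, EVIDENCE)[h])
    print("non-diagnostic:", non_diagnostic(HYPOTHESES, EVIDENCE))
    print("assessment hinges on:", sensitivity(HYPOTHESES, EVIDENCE))
```

The sensitivity list is what turns a score into an honest confidence statement: if the lead hypothesis survives the loss of any single item it deserves moderate confidence; if it hinges on one C3 blog post, say so in the report.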

Attribution assessment: Linking cyberattacks to specific threat actors requires careful analysis of TTPs, infrastructure, malware, and targeting patterns. Attribution is never certain — it is always an assessment with an associated confidence level. Understand the difference between high confidence and low confidence attribution.

Writing and communication: Intelligence products are written deliverables. Clear, concise, well-structured writing is a core professional skill. Use active voice. State findings directly. Separate facts from assessments. Indicate confidence levels. If you cannot write clearly, your intelligence will not be read or acted upon.

Critical thinking: Question assumptions, consider alternative explanations, and recognize when evidence is insufficient to support a conclusion. The most damaging intelligence failures come from analysts who see what they expect to see rather than what the evidence supports.

Threat Intelligence Platforms and Tools

Threat Intelligence Platforms (TIPs):

  • MISP (open source): Collaborative threat intelligence sharing platform. Widely used in the security community. Good for learning because it is free to deploy.
  • OpenCTI (open source): Structured threat intelligence platform based on STIX/TAXII standards. Strong visualization capabilities.
  • Anomali ThreatStream: Commercial platform with threat feed aggregation, curation, and integration
  • Recorded Future: Commercial platform combining machine learning with human analysis for real-time intelligence
  • ThreatConnect: Commercial platform with built-in analytics, orchestration, and collaboration features

Analysis tools:

  • Maltego: Visual link analysis for mapping relationships between entities (domains, IPs, organizations, people)
  • Shodan: Search engine for internet-connected devices and services
  • VirusTotal: File and URL analysis against multiple antivirus engines and threat intelligence sources
  • Any.Run / Joe Sandbox: Interactive malware analysis sandboxes
  • CyberChef: Browser-based data transformation tool (encoding, decoding, parsing)

Sharing standards:

  • STIX (Structured Threat Information Expression): Standard language for representing threat intelligence
  • TAXII (Trusted Automated eXchange of Intelligence Information): Protocol for exchanging STIX data between systems
  • OpenIOC: Mandiant's older XML-based format for describing IOCs. You will still meet it in legacy tooling and old reports, but new sharing work is done in STIX.
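To make the sharing standards concrete, the example below is added here and is not from the original article or from OASIS: it builds a small STIX 2.1 bundle by hand (a malware object, two indicators with STIX patterns, and the "indicates" relationships that tie them together), runs cheap structural checks of the kind you would apply to a bundle received over TAXII from a partner, and extracts the simple equality comparisons from the patterns so tools can ingest them. The malware name, indicator values and reference time are constructed; the deterministic uuid5 ids are an assumption (TIPs normally use uuid4), and a production pipeline would use the stix2 library rather than raw dicts.

```python
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

# Constructed reference time so the bundle is reproducible.
FIXED_NOW = datetime(2026, 2, 28, tzinfo=timezone.utc)
COMMON = ("type", "spec_version", "id", "created", "modified")
REQUIRED = {  # type-specific required properties from the STIX 2.1 spec
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("name", "is_family"),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
COMPARISON = re.compile(r"([a-z0-9-]+:(?:[\w.-]+|'[^']+')+)\s*=\s*'([^']*)'")


def stix_id(obj_type: str, seed: str) -> str:
    # Deterministic ids (uuid5) are an assumption here; TIPs normally use uuid4.
    return f"{obj_type}--{uuid.uuid5(uuid.NAMESPACE_URL, f'{obj_type}/{seed}')}"


def stamp(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sdo(obj_type: str, seed: str, created: str, **props) -> dict:
    """A STIX object with the common properties filled in."""
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type, seed),
            "created": created, "modified": created, **props}


def make_bundle(now: datetime = FIXED_NOW) -> dict:
    created = stamp(now)
    malware = sdo("malware", "loaderx", created, name="LoaderX", is_family=True,
                  malware_types=["downloader"])
    indicators = [
        sdo("indicator", "198.51.100.23", created, name="LoaderX C2 server",
            indicator_types=["malicious-activity"], pattern_type="stix",
            pattern="[ipv4-addr:value = '198.51.100.23']", valid_from=created,
            valid_until=stamp(now + timedelta(days=3)), confidence=70),
        sdo("indicator", "loaderx-sha256", created, name="LoaderX dropper",
            indicator_types=["malicious-activity"], pattern_type="stix",
            pattern="[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
            valid_from=created, valid_until=stamp(now + timedelta(days=365)), confidence=90),
    ]
    relationships = [sdo("relationship", f"{i['id']}->{malware['id']}", created,
                         relationship_type="indicates", source_ref=i["id"],
                         target_ref=malware["id"]) for i in indicators]
    return {"type": "bundle", "id": stix_id("bundle", created),
            "objects": [malware, *indicators, *relationships]}


def validate(bundle: dict) -> list[str]:
    """Cheap structural checks before accepting a bundle from a partner feed."""
    errors = []
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for obj in objects:
        oid, otype = obj.get("id", "?"), obj.get("type", "")
        for field in COMMON + REQUIRED.get(otype, ()):
            if field not in obj:
                errors.append(f"{oid}: missing {field}")
        if not ID_RE.match(oid) or not oid.startswith(f"{otype}--"):
            errors.append(f"{oid}: malformed id for type {otype}")
        if otype == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    errors.append(f"{oid}: dangling {ref}")
    return errors


def extract_observables(bundle: dict) -> list[tuple[str, str, str]]:
    """Pull simple equality comparisons out of STIX patterns for SIEM/EDR ingestion."""
    out = []
    for obj in bundle.get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            for path, value in COMPARISON.findall(obj["pattern"]):
                out.append((path, value, obj.get("valid_until", "")))
    return out


def to_json(bundle: dict) -> str:
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    bundle = make_bundle()
    print(to_json(bundle))
    print(validate(bundle), extract_observables(bundle))
```

Note that valid_until travels with the indicator: a consumer that ignores it will keep blocking a reassigned IP long after the intelligence has expired, which is the same perishability problem that tactical feeds have everywhere.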

Frameworks: MITRE ATT&CK, Diamond Model, Kill Chain

Three frameworks dominate threat intelligence analysis. You need working knowledge of all three.

MITRE ATT&CK

The MITRE ATT&CK framework catalogs adversary tactics and techniques observed in real-world attacks. It organizes techniques into a matrix covering the attack lifecycle from initial access through exfiltration.

How analysts use it: Map observed threat actor behavior to ATT&CK techniques. Create threat profiles showing which techniques a group uses. Identify detection gaps by comparing your coverage against techniques used by relevant threat actors. Communicate TTPs to detection engineers using a common language.

ATT&CK is the most widely used framework in threat intelligence and detection engineering. Familiarity with it is a baseline requirement for any threat intelligence role.
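The detection-gap use of ATT&CK described above, as an added example that is not part of the original article: two constructed actor profiles (the technique IDs and names are real ATT&CK Enterprise entries, the actors and their technique sets are assumed, not real group reporting) are compared against an assumed set of covered techniques, uncovered techniques are ranked by how many tracked actors use them, and the result is written out as an ATT&CK Navigator layer so the team can see coverage on the matrix. The version strings in the layer are an assumption to check against your Navigator instance.

```python
import json
from collections import Counter

# Real ATT&CK Enterprise technique IDs and names, used as the common vocabulary.
TECHNIQUE_NAMES = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1204.002": "User Execution: Malicious File",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1021.001": "Remote Services: Remote Desktop Protocol",
    "T1071.001": "Application Layer Protocol: Web Protocols",
    "T1041": "Exfiltration Over C2 Channel",
    "T1486": "Data Encrypted for Impact",
}
# Constructed threat profiles (assumed; not real group reporting).
ACTORS = {
    "Actor Alpha": {"T1566.001", "T1204.002", "T1059.001", "T1003.001",
                    "T1021.001", "T1071.001", "T1041"},
    "Actor Beta": {"T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1486"},
}
# Techniques your detection rules currently cover (assumed).
COVERED = {"T1566.001", "T1059.001", "T1071.001", "T1486"}


def gap_analysis(actor_techniques: set, covered: set) -> dict:
    """Split one actor's techniques into what you detect and what you do not."""
    return {"covered": sorted(actor_techniques & covered),
            "gaps": sorted(actor_techniques - covered)}


def prioritize_gaps(actors: dict, covered: set) -> list[tuple[str, int]]:
    """Uncovered techniques ranked by how many tracked actors use them."""
    counts = Counter(t for techs in actors.values() for t in techs if t not in covered)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def navigator_layer(name: str, actors: dict, covered: set) -> dict:
    """ATT&CK Navigator layer: score = number of actors using the technique,
    colour = detection coverage. Version strings are assumed; check them against
    the Navigator instance you load the layer into."""
    usage = Counter(t for techs in actors.values() for t in techs)
    techniques = []
    for tid, n in sorted(usage.items()):
        detected = tid in covered
        techniques.append({
            "techniqueID": tid, "score": n, "enabled": True, "showSubtechniques": True,
            "color": "#31a354" if detected else "#de2d26",
            "comment": f"{TECHNIQUE_NAMES.get(tid, tid)}; used by {n} actor(s); "
                       f"{'detected' if detected else 'DETECTION GAP'}",
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques used by tracked actors, coloured by detection coverage",
        "techniques": techniques,
        "legendItems": [{"label": "Detection coverage", "color": "#31a354"},
                        {"label": "Detection gap", "color": "#de2d26"}],
    }


def layer_json(name: str, actors: dict, covered: set) -> str:
    return json.dumps(navigator_layer(name, actors, covered), indent=2)


if __name__ == "__main__":
    for actor, techs in ACTORS.items():
        print(actor, gap_analysis(techs, COVERED))
    print("Priority gaps:", prioritize_gaps(ACTORS, COVERED))
    with open("coverage-layer.json", "w") as fh:  # import this file into ATT&CK Navigator
        fh.write(layer_json("Tracked actors vs detection coverage", ACTORS, COVERED))
```

The ranked gap list is the hand-off to detection engineering: "LSASS Memory and RDP are used by both actors we track and we detect neither" is a prioritized, defensible request in a way that a raw technique list is not.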

Diamond Model of Intrusion Analysis

The Diamond Model describes every intrusion event with four core features, drawn as the vertices of a diamond: adversary, infrastructure, capability, and victim. An adversary deploys a capability over infrastructure against a victim. Each event also carries meta-features such as timestamp, kill chain phase, and direction that let you order and chain events.

How analysts use it: Structure analysis of individual intrusion events. Pivot between vertices to discover new information — if you know the adversary and capability, search for the infrastructure they use. Link related intrusion events into activity threads and campaigns.
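The pivoting and linking just described, as an added example that is not part of the original article. Five constructed intrusion events (assumed; not real reporting) are each recorded as a diamond; the code pivots on one feature value, clusters events that share capability or infrastructure into candidate activity groups, and proposes an adversary for unattributed events that overlap with attributed ones, with a confidence that rises with the number of shared features. Which features count as pivots and how overlaps map to confidence are assumptions.

```python
from collections import defaultdict

# Constructed intrusion events (assumed, not real reporting). Each one is a
# diamond: adversary, capability, infrastructure, victim. "?" means unknown.
EVENTS = [
    {"id": "E1", "adversary": "Actor Alpha", "capability": "LoaderX",
     "infrastructure": "203.0.113.7", "victim": "Org A"},
    {"id": "E2", "adversary": "?", "capability": "LoaderX",
     "infrastructure": "203.0.113.7", "victim": "Org B"},
    {"id": "E3", "adversary": "?", "capability": "Webshell-Y",
     "infrastructure": "198.51.100.9", "victim": "Org C"},
    {"id": "E4", "adversary": "?", "capability": "Webshell-Y",
     "infrastructure": "198.51.100.10", "victim": "Org D"},
    {"id": "E5", "adversary": "?", "capability": "Commodity-RAT",
     "infrastructure": "192.0.2.44", "victim": "Org A"},
]
# Victim overlap alone is weak evidence of a shared adversary, so only these pivot.
PIVOT_FEATURES = ("capability", "infrastructure")


def pivot(events: list[dict], feature: str, value: str) -> list[str]:
    """Diamond pivot: every event sharing one feature value."""
    return [e["id"] for e in events if e[feature] == value]


def shared_features(a: dict, b: dict) -> list[str]:
    return [f for f in PIVOT_FEATURES if a[f] == b[f]]


def activity_groups(events: list[dict]) -> list[list[str]]:
    """Cluster events linked by any shared capability or infrastructure (union-find)."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if shared_features(a, b):
                parent[find(a["id"])] = find(b["id"])
    groups = defaultdict(set)
    for e in events:
        groups[find(e["id"])].add(e["id"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def propose_attribution(events: list[dict]) -> dict:
    """Suggest an adversary for unattributed events from the attributed events they
    overlap with. Two shared features -> 'moderate', one -> 'low'; never 'high' from
    pivots alone, because infrastructure and tooling are shared and resold."""
    proposals = {}
    for e in events:
        if e["adversary"] != "?":
            continue
        best = None
        for other in events:
            if other is e or other["adversary"] == "?":
                continue
            shared = shared_features(e, other)
            if shared and (best is None or len(shared) > len(best[1])):
                best = (other["adversary"], shared)
        if best:
            proposals[e["id"]] = {"adversary": best[0], "shared": best[1],
                                  "confidence": "moderate" if len(best[1]) == 2 else "low"}
    return proposals


if __name__ == "__main__":
    print("shares 203.0.113.7:", pivot(EVENTS, "infrastructure", "203.0.113.7"))
    print("activity groups:", activity_groups(EVENTS))
    print("proposed attribution:", propose_attribution(EVENTS))
```

E3 and E4 end up grouped by a shared webshell but stay unattributed, which is the right outcome: a commodity capability links events into a group worth tracking without saying who is behind them.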

Lockheed Martin Cyber Kill Chain

The Kill Chain describes seven phases of a cyberattack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.

How analysts use it: Map defensive controls to each phase, identify where an attack can be disrupted, and communicate the progression of an attack to non-technical audiences. The Kill Chain is simpler than ATT&CK but less granular.

Career Path and Progression

Entry point: Most threat intelligence analysts start in adjacent roles — SOC analyst, security operations, or IT security. Few people enter threat intelligence directly without security operations experience.

Typical progression:

1. SOC Analyst / Security Analyst (1-3 years): Learn security monitoring, incident triage, and tool familiarity. Develop technical foundations.

2. Junior Threat Intelligence Analyst (1-2 years): Focus on tactical intelligence — processing feeds, validating IOCs, writing basic reports. Develop OSINT and analysis skills.

3. Threat Intelligence Analyst (2-4 years): Produce operational and strategic intelligence. Lead campaign analysis. Specialize in a threat actor group or industry vertical. Mentor junior analysts.

4. Senior Threat Intelligence Analyst / Lead (3-5+ years): Define intelligence requirements, manage intelligence programs, brief executive leadership. May specialize in a domain (nation-state threats, financial crime, insider threats).

5. Threat Intelligence Manager / Director: Build and lead threat intelligence teams. Define strategy, manage vendor relationships, and integrate intelligence across security operations.

Salary ranges (U.S., 2026 estimates):

  • Junior TI Analyst: $70,000-$90,000
  • TI Analyst: $90,000-$120,000
  • Senior TI Analyst: $120,000-$155,000
  • TI Manager/Director: $150,000-$200,000+

Breaking Into Threat Intelligence

The most common path into threat intelligence follows these steps:

1. Build a security operations foundation: Spend one to two years in a SOC or security analyst role. Learn to use SIEM tools, investigate alerts, and understand how security operations function. This experience provides context that makes intelligence production meaningful.

2. Develop OSINT skills: Practice gathering and analyzing open-source information. Follow threat actors on social media. Monitor dark web forums (through legal and ethical means). Learn to use Maltego, Shodan, and certificate transparency logs.

3. Learn MITRE ATT&CK: Map real-world threat reports to ATT&CK techniques. Create threat actor profiles using ATT&CK Navigator. This demonstrates that you understand how to structure threat analysis.

4. Start writing: Produce intelligence-style reports even if you are not in an intelligence role. Analyze a public threat report, add your own assessment, and publish it on a blog or share it with your team. Writing quality is a primary hiring criterion for intelligence roles.

5. Join intelligence communities: Participate in information sharing groups, attend threat intelligence conferences (SANS CTI Summit, FIRST), and contribute to open-source threat intelligence projects.

Use our career skills assessment to evaluate your readiness for threat intelligence roles and identify development priorities.

Certifications for Threat Intelligence

SANS GIAC Cyber Threat Intelligence (GCTI): The most respected threat intelligence certification. Covers the intelligence lifecycle, analysis techniques, and frameworks. It is aligned with the SANS FOR578 course, but the exam can be attempted without taking the course; most of the quoted cost is the training, not the exam. Cost: $2,000-$8,000 (including training).

EC-Council Certified Threat Intelligence Analyst (CTIA): Covers threat intelligence methodology, tools, and frameworks. More accessible than GCTI. Cost: $1,200-$3,000 (depending on training format).

CREST Practitioner Threat Intelligence Analyst (CPTIA): UK-based entry-level certification recognized in international markets; CREST also offers the Registered (CRTIA) and Certified Manager (CCTIM) levels above it. Covers strategic, operational, and tactical intelligence production.

CompTIA CySA+: While not exclusively a threat intelligence certification, CySA+ covers threat analysis, vulnerability management, and security operations that overlap with intelligence roles. Good foundational credential before pursuing specialized TI certifications.

For broader certification path planning, see our top cybersecurity skills employers want and explore how certifications map to career objectives.

Building a Threat Intelligence Portfolio

A portfolio demonstrates analytical ability in ways that certifications and resumes cannot. Here is how to build one:

Threat actor profiles: Choose three to five publicly documented threat actor groups. Create detailed profiles including targeting patterns, TTPs mapped to MITRE ATT&CK, known infrastructure, and historical campaigns. Use only public sources and cite everything.

Campaign analysis reports: Take a publicly reported cyber incident and produce your own analysis. Add context from additional sources. Map the attack to the Kill Chain and ATT&CK. Include detection guidance.

IOC research: Investigate a set of IOCs from a public threat feed. Pivot from known indicators to discover related infrastructure. Document your methodology and findings.

Industry threat assessments: Write a quarterly threat assessment for a specific industry (healthcare, financial services, manufacturing). Cover the threat actors, techniques, and vulnerabilities most relevant to that sector.

Tools and automation: Build Python scripts that automate intelligence tasks — IOC enrichment, threat feed parsing, MISP integration, or automated report generation. Share them on GitHub.

Publish your work on a personal blog, Medium, or LinkedIn. Quality writing that demonstrates analytical rigor is the single best portfolio item for threat intelligence roles.

Frequently Asked Questions

Do I need a military or government background for threat intelligence?

No. While the intelligence community and military provide excellent training in analytical methodology, many successful threat intelligence analysts come from IT security, SOC operations, or academic research backgrounds. The analytical frameworks used in cyber threat intelligence (ACH, link analysis, structured analysis) can be learned through training courses and self-study. What matters most is demonstrated analytical ability and security domain knowledge.

What is the difference between a SOC analyst and a threat intelligence analyst?

SOC analysts are reactive — they respond to alerts, investigate incidents, and triage events as they occur. Threat intelligence analysts are proactive — they research threats before they arrive, identify patterns across campaigns, and provide context that helps SOC analysts make better decisions. In practice, many organizations blur this line, and SOC analysts often perform intelligence functions as part of their role. Threat intelligence is a specialization that typically requires SOC experience as a foundation.

Is threat intelligence a good career path in 2026?

Threat intelligence demand continues to grow as organizations recognize that reactive security alone is insufficient. The role requires a combination of technical skills and analytical thinking that is difficult to automate, making it relatively resistant to AI displacement. Salary growth has been strong, particularly for analysts with specialization in specific threat actor groups or industry verticals. The field rewards continuous learning and intellectual curiosity.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
