Career Goals

From your first IOC to Director of Threat Intel.

Each level lists salary bands, core skills, certifications, and what's expected at that stage.

L1 → L5: the path ahead

L1 · Junior CTI Analyst

Learn the cycle. Triage reporting, manage IOCs, master ATT&CK.

Core skills to build: OSINT basics · IOC lifecycle · MITRE ATT&CK · Clear writing
Certifications: Security+ · GCTI (in progress)
Typical salary band: $70k–$98k · 0–2 yrs experience · US market

L2 · CTI Analyst

Own analysis. Attribute activity, write finished intel, drive hunts.

Core skills to build: Attribution · Diamond Model · Detection guidance · Stakeholder briefs
Certifications: GCTI · GCIH
Typical salary band: $100k–$140k · 2–4 yrs experience · US market

L3 · Senior CTI Analyst

Lead investigations, mentor, publish original research.

Core skills to build: APT tracking · Malware triage · YARA/Sigma · Mentorship
Certifications: GREM · GCFA
Typical salary band: $135k–$195k · 4–7 yrs experience · US market

L4 · Lead / Principal Analyst

Set the intel narrative. Own PIRs, shape program direction.

Core skills to build: Intelligence requirements · Program strategy · Public research · Cross-team influence
Certifications: CISSP (optional)
Typical salary band: $170k–$230k · 7–10 yrs experience · US market

L5 · CTI Manager / Director

Build the team and the program. Brief the CISO and board.

Core skills to build: Team leadership · Budget & roadmap · Executive comms · Vendor strategy
Certifications: CISSP · Leadership
Typical salary band: $200k–$280k+ · 10+ yrs experience · US market

Your 90-day plan

  • Map my current skills against the CTI Analyst (L2) rubric · This week
  • Stand up a MISP / OpenCTI home lab and document it · 30 days
  • Publish one OSINT write-up to a personal research blog · 30 days
  • Complete GCTI exam preparation · 90 days
  • Apply to 5 roles on the CTI Analyst job board · This month
  • Reach out to 3 CTI analysts for informational chats · Ongoing

CTI Career Guide

What is Cyber Threat Intelligence?

Cyber Threat Intelligence (CTI) is a discipline within information security focused on understanding, analyzing, and communicating knowledge about cyber threats — the adversaries behind them, their motivations, capabilities, and likely courses of action.

The field draws from traditional intelligence tradecraft (structured analysis, source evaluation, finished intelligence production) and combines it with deep technical understanding of how computer networks are attacked, what tools adversaries use, and how to detect and respond to intrusions.

Unlike most security roles that are reactive — responding to alerts, patching vulnerabilities, investigating incidents — CTI is proactive. Its purpose is to give organizations advance knowledge of the threats they face, enabling better decisions about where to invest defenses, what to hunt for, and how to respond when an incident occurs.

Who Is This Guide For?

This guide is designed for three audiences:

  • Career changers who want to transition into CTI from an adjacent field (security analyst, incident responder, military intelligence, journalism, academic research)
  • Junior CTI analysts who want a clear picture of the path ahead and how to accelerate their progression
  • Hiring managers and team leads who want a reference for structuring career development frameworks within their teams

Career Roadmap

The typical CTI career progression follows four to five distinct stages, each with different responsibilities, required competencies, and compensation expectations. Timelines are illustrative — individuals with strong analytical backgrounds or relevant experience may move faster.

Junior CTI Analyst · 0 – 3 years

Primary focus: Learning the tools, developing pattern recognition, producing tactical intelligence under supervision.

Typical responsibilities: OSINT collection and research, indicator enrichment, monitoring threat feeds, contributing to situation reports, maintaining threat actor profiles, assisting senior analysts.

Core skills needed: OSINT fundamentals, familiarity with TIP platforms, working knowledge of MITRE ATT&CK, strong research and writing skills, understanding of major threat actor groups.

How to stand out: Produce. Write analytical pieces publicly. Engage in the community. Junior analysts who are visibly building their knowledge differentiate themselves from those who treat it as a job.

Mid-Level CTI Analyst · 3 – 6 years

Primary focus: Independent analysis, ownership of specific threat actor tracks or specialties, contributing to operational and strategic products.

Typical responsibilities: Owning threat actor tracking portfolios, producing finished intelligence independently, briefing technical and semi-technical audiences, beginning to mentor junior colleagues, developing collection strategies.

Core skills needed: Deep domain expertise in at least one area (malware, geopolitics, a specific threat actor cluster), experience with intelligence production lifecycle, ability to assess and communicate analytical confidence.

Senior CTI Analyst · 6 – 10 years

Primary focus: Technical and analytical depth, driving the team's tradecraft, producing the most complex and high-impact intelligence products.

Typical responsibilities: Leading complex investigations, briefing executive and board audiences, contributing to external publications and conference presentations, driving collection strategy, mentoring the full analyst team.

Core skills needed: Recognized expertise in at least one specialty, experience briefing senior stakeholders, ability to manage competing analytical priorities under pressure.

Lead CTI Analyst / Principal · 8 – 12 years

Primary focus: Technical leadership without full people-management responsibility. Setting the analytical direction, owning the team's tradecraft standards, representing the team externally.

Typical responsibilities: Quality assurance across all intelligence products, driving methodology and tooling decisions, representing the team in cross-functional forums, external engagement with community and vendors.

CTI Manager / Intelligence Director · 8+ years

Primary focus: People and programme management. Building and sustaining a high-performing intelligence function.

Typical responsibilities: Hiring, developing, and retaining analysts; owning the intelligence programme strategy; managing stakeholder relationships at C-suite level; budget and tooling decisions; defining the team's mission and priorities.

Important note: The management track is not the only path to seniority or compensation growth. Many organizations have well-compensated technical fellow or principal analyst tracks for those who want to remain deeply technical contributors.

Certifications

The CTI certification landscape is smaller and younger than the broader security certification market. The credentials below represent the most widely recognized options, ordered by market recognition within the intelligence community.

Certification | Issuer | Difficulty | Cost (approx.) | Relevance | Best For
GCTI | GIAC / SANS | Intermediate–Advanced | $979 (exam only) / $8,000+ (with FOR578) | ★★★★★ | All levels — the recognized standard
FOR578 | SANS | Intermediate–Advanced | $7,800 – $9,000 | ★★★★★ | Early-to-mid career analysts building foundations
CPTIA | EC-Council | Intermediate | $499 – $999 | ★★★☆☆ | Budget-conscious candidates, clear screening filters
CTIA | EC-Council | Entry–Intermediate | $299 – $699 | ★★★☆☆ | Entry-level candidates with no prior credentials
CompTIA CySA+ | CompTIA | Entry–Intermediate | $392 | ★★☆☆☆ | Entry level, meeting baseline HR filters
FOR610 / GREM | SANS / GIAC | Advanced | $8,000+ / $979 | ★★★★☆ | Malware-focused CTI analysts

Certification Strategy

Certifications are necessary but not sufficient. They help you clear automated screening filters and signal commitment to the field, but they do not substitute for demonstrated analytical ability. If you can only invest in one credential, GCTI is the clearest signal to the market.

Do not pursue certifications in order to appear more qualified than you are. Misrepresenting your ability will surface quickly in technical interviews and in the job itself. Pursue certifications when you are ready for the knowledge they require.

Skills Matrix

The following matrix outlines the key technical and analytical competencies expected at each career stage. This is not a checklist — depth matters more than breadth, especially at senior levels.

Skill Area | Junior | Mid | Senior | Lead/Manager
OSINT | Basic tools, WHOIS, passive DNS | Advanced pivoting, infrastructure mapping | Novel technique development | Collection strategy ownership
MITRE ATT&CK | Framework familiarity | Proficient TTP mapping | ATT&CK contribution, detection alignment | Framework strategy integration
Malware Analysis | Sandbox analysis, indicator extraction | Static analysis, code review | Reverse engineering, capability assessment | RE team direction
Intelligence Writing | Draft SITREPs and briefs with supervision | Independent finished product production | Executive briefs, complex assessments | Quality standards ownership
Threat Actor Tracking | Maintain existing profiles | Own actor portfolios | Multi-actor campaign analysis | Programme-level tracking strategy
Geopolitical Analysis | Basic context awareness | Operational context integration | Strategic assessment production | Geopolitical intelligence ownership
Scripting/Automation | Basic Python for enrichment | Tool development, pipeline scripting | Advanced automation, custom tooling | Technology direction
Structured Analytic Techniques | ACH introduction | Regular SAT application | SAT facilitation and training | Analytical standards setting
Stakeholder Communication | Written reports | Team briefings | Executive and C-suite briefings | Board-level engagement

Salary Data by Region

The following salary ranges are based on our job board data, community surveys, and public market data as of 2025. All figures represent base salary. Ranges reflect 25th–75th percentile; outliers (particularly in financial services and cleared positions) fall outside these bounds.

Seniority | US (USD) | UK (GBP) | EU/DACH (EUR) | MENA (USD eq.) | APAC (USD eq.)
Junior | $65k – $95k | £35k – £50k | €45k – €65k | $45k – $70k | $30k – $55k
Mid | $95k – $135k | £50k – £70k | €65k – €90k | $65k – $100k | $50k – $80k
Senior | $130k – $175k | £65k – £90k | €85k – €120k | $90k – $130k | $70k – $110k
Lead | $155k – $210k | £80k – £110k | €100k – €140k | $110k – $160k | $90k – $130k
Manager | $160k – $220k | £85k – £120k | €110k – €150k | $120k – $175k | $95k – $145k

Factors That Affect Compensation

  • Security clearance (US) — TS/SCI adds 15–25% to base compensation
  • Specialization — Malware RE and detection engineering command 15–30% premiums
  • Sector — Financial services and critical infrastructure pay above-market; MSSPs typically pay below-market
  • Remote flexibility — Fully remote roles compete in national talent pools, compressing geographic differentials
  • Tax environment — UAE and Bahrain roles are tax-free, making nominal salaries substantially more valuable

How to Break Into CTI

This section is specifically for people who are not currently working in CTI and want to get their first role. The advice here is structured, specific, and honest about timelines.

Step 1: Assess Your Starting Position Honestly

The most important question is whether your current background includes analytical experience, technical experience, or neither. Each starting point requires a different approach.

  • Analytical background, no tech (journalism, academia, intelligence, law enforcement) — You need to build technical credibility. Prioritize: OSINT tools, malware family knowledge, ATT&CK proficiency, indicator enrichment workflows.
  • Technical background, no analysis (SOC analyst, sysadmin, developer) — You need to build analytical credibility. Prioritize: intelligence writing, structured analytic techniques, threat actor research, finished product production.
  • Neither — You have a longer path. Consider working in a SOC or adjacent role for 12–18 months to build technical exposure before making the move into CTI specifically.

Step 2: Build a Portfolio

The CTI hiring process is heavily resume-screened at large organizations but often portfolio-evaluated at boutique vendors and MSSPs. Build work you can show:

  • Write and publish threat actor profiles using only open-source information
  • Contribute to open-source CTI projects (MISP, OpenCTI, threat-intel repositories on GitHub)
  • Publish analytical pieces on Substack, Medium, or your own site
  • Create OSINT write-ups for public exercises (TraceLabs, OSINT challenges)
  • Participate in CTI sharing communities (ISACs, CTI League)

Step 3: Get the Credentials

At minimum, achieve CompTIA Security+ to clear basic HR filters. Then pursue GCTI or CPTIA depending on your budget. Do not get certifications before you have the underlying knowledge — it shows in interviews.

Step 4: Target the Right First Role

Your first CTI role should be an entry-level analyst position at an MSSP, threat intelligence vendor, or a large enterprise with a mature CTI function. MSSPs are often more accessible first employers because they have higher throughput and broader exposure. Avoid trying to land directly at prestigious firms (CrowdStrike, Mandiant, Recorded Future) as your first CTI role — the bar is high and competition is intense.

Step 5: Engage the Community

The CTI community is small, collegial, and pays attention to who is contributing. Be present on LinkedIn and social media. Attend CTI Summit, Virus Bulletin, or regional security conferences. Join the FIRST CTI SIG or similar groups. People hire people they have encountered and respected.

Realistic Timelines

From adjacent security role (SOC/IR) with active portfolio building: 6–18 months to first CTI role.

From non-security analytical role with active technical upskilling: 12–24 months to first junior CTI role.

From no relevant background: 2–3 years is realistic. The path goes through an adjacent technical role first.

Resources

Books

  • The Cuckoo's Egg — Cliff Stoll. The foundational narrative of cyber threat investigation. Required reading for context and methodology.
  • Intelligence-Driven Incident Response — Scott Roberts & Rebekah Brown. The most directly applicable book to applied CTI work.
  • The Art of Intelligence — Henry Crumpton. CIA case officer memoir; excellent tradecraft context for the intelligence lifecycle.
  • Structured Analytic Techniques for Intelligence Analysis — Heuer & Pherson. Essential reference for rigorous analytical methodology.
  • Sandworm — Andy Greenberg. Definitive account of Russia's cyber operations; essential background for nation-state tracking.
  • This Is How They Tell Me the World Ends — Nicole Perlroth. Comprehensive account of the zero-day market and its geopolitical implications.

Free Courses and Training

  • MITRE ATT&CK Fundamentals — Free from MITRE; complete before any CTI role application
  • Recorded Future University — Free platform training from RF; practical and credential-bearing
  • OpenCTI Training — Free training on the leading open-source TIP platform
  • Cybrary CTI Path — Structured learning path, partially free
  • Antisyphon Training — Budget-friendly, practitioner-taught CTI courses

Open-Source Tools

  • MISP — Malware Information Sharing Platform; the standard open-source TIP
  • OpenCTI — Modern, STIX-native TIP with strong visualization capabilities
  • Maltego CE — Free tier of the most widely used OSINT visualization tool
  • SpiderFoot — Automated OSINT reconnaissance framework
  • TheHive — Incident response platform with CTI integration
  • Cortex — Observable analysis engine, pairs with TheHive
  • Yeti — Threat intelligence encyclopedia and indicator management

Communities

  • CTI Summit — Annual conference dedicated to threat intelligence; community-run
  • FIRST CTI SIG — Forum of Incident Response and Security Teams, CTI special interest group
  • ISACs — Information Sharing and Analysis Centers (sector-specific; FS-ISAC, H-ISAC, etc.)
  • Slack: ThreatIntel — Active practitioner Slack community
  • LinkedIn CTI Community — Follow practitioners and engage with published content