A security intelligence analyst is a cybersecurity professional who collects, analyzes, and transforms raw threat data into actionable intelligence that organizations use to make security decisions, prioritize defensive measures, and respond to active threats. The role sits at the intersection of technical security knowledge and analytical tradecraft: unlike a security operations analyst who primarily responds to alerts, the security intelligence analyst produces the intelligence picture that informs both automated detection systems and human decision-makers about what threats are relevant, how likely they are to materialize, and what protective actions should be taken. The security intelligence analyst role has grown significantly as organizations recognize that the volume of raw threat data — IOC feeds, vulnerability disclosures, dark web monitoring outputs, threat actor reports — far exceeds what can be manually reviewed, requiring analysts who can synthesize diverse intelligence streams into prioritized findings. According to CyberSeek (the cybersecurity workforce analytics platform sponsored by NICE), the United States alone has over 750,000 unfilled cybersecurity positions as of 2025, with threat intelligence analyst roles among the most in-demand specializations due to the skill combination required: technical understanding of attack techniques plus formal analytical methods. Average salaries for security intelligence analysts range from $85,000-$145,000 annually in the United States according to the 2025 ISC2 Cybersecurity Workforce Study, with senior analysts and threat intelligence team leads at the higher end of the range, particularly in financial services, defense, and technology sectors.
- Role definition: security intelligence analyst collects, analyzes, and synthesizes threat data into actionable intelligence — distinct from SOC analyst (reactive) and penetration tester (offensive)
- Salary range: $85,000-$145,000 annually in the US (ISC2 2025 Workforce Study) — senior analysts and team leads at the higher end, especially in financial services and defense
- Key skills: threat actor profiling, OSINT, STIX/TAXII, MITRE ATT&CK framework, SIEM platforms (Splunk/Sentinel), structured analytical techniques, TIP platform operation
- Certifications: SANS GIAC GCTI (Cyber Threat Intelligence), CREST CRTIA, EC-Council CTIA — professional certifications specifically designed for the threat intelligence analyst role
- 750,000+ unfilled US cybersecurity positions (CyberSeek 2025) — threat intelligence analyst among most in-demand specializations due to required skill combination
Security Intelligence Analyst Role: Responsibilities, Skills, and Career Path

What Security Intelligence Analysts Do and What Skills They Need
The security intelligence analyst’s core responsibilities span three operational domains that together define the full intelligence production cycle:
- Collection involves identifying and monitoring relevant threat intelligence sources: subscribing to commercial feeds, monitoring threat actor forums, tracking vulnerability disclosure channels, and consuming government intelligence (CISA advisories, FBI flash reports, ISAC sector briefings) that provide the raw material for intelligence production.
- Analysis converts raw data into findings: correlating IOCs from multiple feeds to identify campaign infrastructure, profiling threat actors from observed TTPs and historical attack patterns, evaluating vulnerability intelligence to determine which CVEs represent realistic threats to the organization’s specific technology stack, and assessing geopolitical events for their implications for the organization’s threat environment.
- Dissemination produces the intelligence products that operationalize findings: tactical intelligence reports (IOC lists for immediate SIEM integration), operational intelligence assessments (threat actor campaign analysis for security operations teams), and strategic intelligence briefings (sector threat landscape analysis for CISO and board-level decision-making).
The technical skills that security intelligence analysts need include:
- fluency with at least one SIEM platform (Splunk and Microsoft Sentinel are the most common in enterprise environments)
- experience with Threat Intelligence Platform (TIP) software (Recorded Future, ThreatConnect, MISP)
- STIX/TAXII protocol understanding for threat intelligence sharing and feed integration
- MITRE ATT&CK framework proficiency for mapping observed adversary techniques to the standardized taxonomy
- OSINT tools and methodology for open-source research on threat actors and infrastructure
The analytical skills — structured analytical techniques, source reliability evaluation, hypothesis testing — are as important as the technical ones but receive less emphasis in most job descriptions despite being the core differentiator between junior and senior analyst performance. The SANS FOR578 Cyber Threat Intelligence course is the most widely recognized professional training program that explicitly addresses both the technical and analytical dimensions of the security intelligence analyst role.
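The analysis and dissemination steps described above, sketched as an added example that is not part of the original page: constructed feeds are normalized, correlated by indicator, and scored using analyst-assigned source reliability. The feed names, reliability weights, noisy-OR scoring and the 0.95 threshold are assumptions of this example; the indicators are documentation-range values.

```python
from collections import defaultdict
from math import prod

# Constructed sample data: documentation-range IPs and .example domains, not real indicators.
# "reliability" is an analyst-assigned weight in [0, 1]; the scale is an assumption of this example.
FEEDS = {
    "commercial_feed": {"reliability": 0.9, "iocs": [
        ("ipv4", "198.51.100.7"), ("domain", "Login-Portal.example."), ("ipv4", "203.0.113.50")]},
    "isac_briefing": {"reliability": 0.8, "iocs": [
        ("domain", "login-portal[.]example"), ("ipv4", "198.51.100[.]7")]},
    "osint_paste": {"reliability": 0.3, "iocs": [
        ("ipv4", "198.51.100.7"), ("domain", "cdn-update.example"), ("ipv4", "192.0.2.10")]},
}


def normalize(kind, value):
    """Refang and canonicalize so the same indicator matches across feeds."""
    value = value.strip().lower().replace("[.]", ".")
    if kind == "domain":
        value = value.rstrip(".")  # drop the trailing root dot
    return kind, value


def correlate(feeds):
    """Analysis step: merge feeds and score each indicator by its corroborating sources."""
    sources = defaultdict(set)
    for name, feed in feeds.items():
        for kind, value in feed["iocs"]:
            sources[normalize(kind, value)].add(name)
    scored = []
    for (kind, value), names in sources.items():
        # Noisy-OR: chance that at least one reporting source is right, assuming independence.
        miss = prod(1 - feeds[n]["reliability"] for n in names)
        scored.append({"type": kind, "value": value, "sources": sorted(names),
                       "confidence": round(1 - miss, 3)})
    return sorted(scored, key=lambda r: (-r["confidence"], r["value"]))


def tactical_list(scored, threshold=0.95):
    """Dissemination step: indicators confident enough to hand to the SIEM without review."""
    return [r["value"] for r in scored if r["confidence"] >= threshold]


if __name__ == "__main__":
    results = correlate(FEEDS)
    for row in results:
        print(f'{row["confidence"]:.3f}  {row["type"]:<6} {row["value"]:<22} {", ".join(row["sources"])}')
    print("Tactical IOC list:", tactical_list(results))
```

Indicators below the threshold, such as one reported by a single feed, stay in the scored output for analyst review rather than being pushed to detection.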
Security Intelligence Analyst Certifications and Career Development

Professional Certifications for Security Intelligence Analysts
Professional certifications for security intelligence analysts validate specific knowledge domains and serve as credentialing signals in a job market where self-taught practitioners and formally trained analysts compete for the same roles. The SANS GIAC Cyber Threat Intelligence (GCTI) certification — associated with the FOR578 course — is the most respected specialist certification in the threat intelligence field, testing the application of intelligence tradecraft, OSINT methodology, threat actor profiling, and intelligence production processes to real cybersecurity scenarios. The EC-Council Certified Threat Intelligence Analyst (CTIA) provides a more accessible entry-level certification that covers threat intelligence lifecycle, collection methods, and analysis techniques — appropriate for analysts transitioning from SOC or other security roles into dedicated threat intelligence work. CREST’s Certified Registered Threat Intelligence Analyst (CRTIA) is the UK-based professional certification that aligns with the intelligence community’s tradecraft standards, requiring demonstrated proficiency in both technical threat intelligence and the analytical methodology inherited from national security intelligence practice. For analysts working primarily on the technical side of threat intelligence — integrating feeds, building detection rules, and operating SIEM platforms — certifications like the GIAC Security Essentials (GSEC), Splunk Core Certified User, or Microsoft Certified: Security Operations Analyst Associate validate the platform competencies that complement the intelligence tradecraft skills. 
Career development for security intelligence analysts typically follows a progression from junior analyst (consuming and operationalizing existing intelligence products) to mid-level analyst (producing tactical and operational intelligence products) to senior analyst (producing strategic intelligence, managing TIP platforms, mentoring junior staff) to team lead or intelligence manager (defining intelligence requirements, managing external vendor relationships, briefing executives). CISA’s NICE Workforce Framework for Cybersecurity defines the specific work roles, competencies, and knowledge/skill requirements for cyber intelligence analysis positions — providing the government-validated role definition that hiring managers and aspiring analysts can use to align career development with recognized standards.
Frequently Asked Questions
What does a security intelligence analyst do?
A security intelligence analyst collects threat intelligence from multiple sources (commercial feeds, government advisories, OSINT, dark web monitoring), analyzes it to identify relevant threats and adversary patterns, and produces intelligence products — from tactical IOC lists to strategic threat landscape briefings — that security teams use to prioritize defensive actions. Core responsibilities: monitoring threat actor campaign activity; profiling adversaries using MITRE ATT&CK framework; evaluating vulnerability intelligence for organizational risk relevance; correlating IOCs across feeds to identify campaign infrastructure; producing finished intelligence reports for SOC, CISO, and executive audiences; and maintaining TIP (Threat Intelligence Platform) configuration and feed management. The role differs from SOC analyst (reactive alert response) and penetration tester (offensive security) in its focus on intelligence production and adversary knowledge.
What certifications does a security intelligence analyst need?
Key certifications for security intelligence analysts:
- SANS GIAC GCTI (Cyber Threat Intelligence): most respected specialist certification, validates tradecraft and intelligence production skills, associated with FOR578 course
- EC-Council CTIA (Certified Threat Intelligence Analyst): entry-level accessible certification covering intelligence lifecycle and collection methods
- CREST CRTIA (Certified Registered Threat Intelligence Analyst): UK standard aligned with intelligence community tradecraft
- CompTIA CySA+: covers threat intelligence and security operations, broader than analyst-specific but widely recognized
Platform certifications that complement analyst roles: Splunk Core Certified User, Microsoft SC-200 (Security Operations Analyst). For government/cleared positions, TS/SCI clearance eligibility is more valuable than any commercial certification.
What is the salary for a security intelligence analyst?
Security intelligence analyst salary ranges (United States, 2025):
- Entry-level (0-2 years): $70,000-$95,000
- Mid-level (3-5 years): $95,000-$125,000
- Senior analyst (5+ years): $120,000-$165,000
- Intelligence team lead/manager: $140,000-$185,000+
Salaries vary significantly by sector: financial services, defense contractors, and technology companies pay at the high end of ranges; government positions (federal civilian) pay lower base salary but offer strong benefits and total compensation. The ISC2 2025 Cybersecurity Workforce Study reports average cybersecurity salaries of $147,000 in North America; threat intelligence specialists tend to land in the middle range of the broader cybersecurity salary distribution due to the combination of technical and analytical requirements.
How do I become a security intelligence analyst?
Path to becoming a security intelligence analyst:
(1) Foundation: build cybersecurity fundamentals (CompTIA Security+, network security basics, SIEM exposure through SOC analyst or IT security roles).
(2) Intelligence training: complete SANS FOR578 or equivalent threat intelligence training, study the MITRE ATT&CK framework, practice OSINT methodology.
(3) Certification: earn GIAC GCTI or EC-Council CTIA to validate intelligence analyst skills.
(4) Practical experience: contribute to open-source threat intelligence projects (MISP communities, abuse.ch), practice IOC analysis on free platforms, work in a SOC role to understand how intelligence is consumed.
(5) Job search: target junior threat intelligence analyst or CTI analyst roles at MSSPs, large enterprises with dedicated threat intelligence functions, or government contractors.
The combination of a security operations background (understanding how intelligence gets operationalized) plus formal intelligence training (SANS/GIAC) is the most common successful pathway to the role.