Cyber threat intelligence analyst jobs sit at the seam between traditional intelligence tradecraft and security operations. The role exists because raw indicators (IPs, hashes, domains) go stale in days, but the techniques behind them persist for years. A good CTI analyst translates a SOC’s avalanche of alerts into a defensible narrative about who is attacking, why, and what they will likely try next. In cleared environments, that narrative gets briefed up to mission owners with budget, authorities, and operational reach. That is where the pay premium comes from, and per the ClearanceJobs 2024 Compensation Report, that premium has compounded every year since 2022.
This guide covers what cyber threat intel analyst jobs actually involve in 2026, the salary bands across cleared and commercial markets, the certifications hiring managers screen for, the analytic frameworks (MITRE ATT&CK, the Lockheed Martin Cyber Kill Chain, the Diamond Model), and the tooling stack (Recorded Future, Mandiant Advantage, ThreatConnect, MISP) you should expect to see on a job description. Throughout, TS/SCI means Top Secret / Sensitive Compartmented Information; that one credential is the biggest swing factor in your offer letter.
What does a cyber threat intelligence analyst actually do day to day?
A CTI analyst’s job is to convert raw collection into decisions. In a Cyber Incident Response Team (CIRT) at Northrop Grumman or a managed defense unit at Mandiant (now integrated into Google Cloud as the Google Threat Intelligence Group), the work splits into three roughly equal buckets: collection and triage, analysis and pivoting, and dissemination to operators or executives. Collection means pulling from commercial feeds (Recorded Future, Mandiant Advantage), open-source reporting, internal telemetry, and, in cleared shops, finished intelligence products from NSA, CIA, and the broader Intelligence Community via ODNI-managed channels across the 18 IC elements. Triage means scoring what is relevant to your sector, your stack, and your adversary set.
Analysis is where the role earns its premium. You correlate indicators of compromise (IOCs) against tactics, techniques, and procedures (TTPs) you have seen before, pivot through ThreatConnect or MISP to find related infrastructure, and map the activity to the MITRE ATT&CK enterprise matrix. Dissemination is the deliverable: a finished intel report, a Slack-channel flash warning, a hunt package for the SOC, or a briefing slide for the CISO. In a Booz Allen federal contract, that briefing might land in front of the customer’s Chief Information Officer the same afternoon you finalize it.
Strategic vs operational vs tactical: which CTI tier should you target?
Threat intelligence work is conventionally split into three tiers, and your salary, clearance, and career trajectory all turn on which one you sit in. Tactical analysts work with IOCs (file hashes, IPs, URLs) on a timescale of hours. They feed detection content into Splunk, Microsoft Sentinel, or QRadar and live next to the SOC. Operational analysts work in TTPs and campaign tracking on a timescale of weeks; they are the ones building the dossier that says, “this looks like APT41 retooling its loader” — and the canonical reference for that dossier work is Mandiant’s APT41 group profile. Strategic analysts produce assessments for executives and policy owners (quarterly threat landscape reports, sector-specific risk pictures, attribution judgments) on a timescale of months.
Most cleared CTI billets sit at the operational tier, with a strategic tilt for senior leads who brief Joint Force Headquarters customers or US Cyber Command (USCYBERCOM) elements. Commercial CTI teams at CrowdStrike’s Falcon Intelligence shop are split similarly, but the strategic tier is often labeled “adversary research” and skews toward people who can write publication-grade reports without giving up sources.
How much do cleared cyber threat intelligence analysts make in 2026?
Salary depends on three axes: clearance level, tier (tactical / operational / strategic), and locality. Washington DC, Northern Virginia, and the Maryland Fort Meade corridor command the deepest premiums; Colorado Springs, San Antonio, and Tampa pay solidly but trail DC by roughly 10 to 14 percent locality. The clearance premium itself is the single biggest lever: ZipRecruiter’s TS/SCI clearance salary aggregation pegs the average TS/SCI cyber analyst at $149,398 in the DC metro (2025 pull), against the commercial baseline from the May 2024 BLS OEWS release for Information Security Analysts (SOC 15-1212), a national median wage of $124,910 and a 90th-percentile wage of $182,370.
| Career level (2026) | Commercial range | Cleared range (TS/SCI) | Typical clearance premium |
|---|---|---|---|
| Junior CTI analyst (0-3 yrs) | $82,000-$110,000 | $98,000-$128,000 | +$16,000-$22,000 |
| Mid CTI analyst (3-7 yrs) | $98,000-$135,000 | $115,000-$148,000 | +$20,000-$30,000 |
| Senior CTI analyst (7+ yrs) | $120,000-$160,000 | $140,000-$185,000 | +$30,000-$45,000 |
| Lead / Principal CTI | $150,000-$190,000 | $170,000-$210,000+ | +$30,000-$45,000 |
Add a counterintelligence (CI) polygraph and the top of the senior band stretches another $20,000 to $35,000, particularly at federal systems integrators working ODNI or CIA contracts. Two caveats: government-direct civilian roles under the General Schedule trade salary ceiling for stability (per OPM’s 2026 DC locality table, a GS-13 Step 5 in DC lands at $138,024 and a GS-12 Step 5 at $116,071, with GS-14 Step 5 reaching $163,104 and GS-15 Step 5 at $191,850). Contractors at the same desk frequently outpace their government counterparts on base, but lose access to certain mission systems and benefits.
Which analytic frameworks do hiring managers expect you to know?
Three frameworks dominate CTI job descriptions in 2026, and you should be able to use each in a working interview without notes. The Lockheed Martin Cyber Kill Chain breaks an intrusion into seven stages from reconnaissance to actions on objectives — useful for explaining where in an attack you have signal and where you don’t. The Diamond Model of Intrusion Analysis (Caltagirone, Pendergast, and Betz, 2013) maps every event to four vertices (adversary, capability, infrastructure, victim) and is the analytic tradecraft most often graded in cleared interviews. The MITRE ATT&CK matrix is the lingua franca of detection engineering and CTI handoffs; if you can’t articulate the difference between T1059 Command and Scripting Interpreter and T1218 System Binary Proxy Execution, the conversation will stall.
You should also expect to be asked about the intelligence cycle (planning, collection, processing, analysis, dissemination, feedback) and about how all-source intelligence (combining HUMINT, SIGINT, OSINT, and CYBINT) differs from a purely technical, indicator-driven approach. All-source analysts trained in the Intelligence Community framework are scarce in commercial CTI and explicitly preferred by federal customers under DoD 8140 work-role coding for All-Source Analyst (per the DCWF work-role lookup).
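The pivoting workflow from the day-to-day section and the Diamond Model and ATT&CK mapping above, as an added example that is not code from the original page or from any TIP vendor: each event is recorded on the four Diamond vertices, a breadth-first pivot follows shared capability or infrastructure vertices out from one event, and the reachable cluster is summarized by ATT&CK technique counts. The events, cluster names (UNC-EXAMPLE-1, UNC-EXAMPLE-2), tool names and indicators are all constructed for the example (documentation TLD and RFC 5737 addresses), not real reporting.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event recorded on the Diamond Model's four vertices."""
    event_id: str
    adversary: str        # tracked cluster name, or "unknown" if not yet attributed
    capability: str       # malware family or tool observed
    infrastructure: str   # C2 domain or IP used
    victim: str
    techniques: tuple     # ATT&CK technique IDs observed in the event


# Constructed sample events for the example; names, tools and indicators are fictional.
EVENTS = [
    DiamondEvent("E1", "UNC-EXAMPLE-1", "loader-A", "c2.example-bad.test", "org-1", ("T1059.001", "T1218.011")),
    DiamondEvent("E2", "unknown", "loader-A", "203.0.113.10", "org-2", ("T1059.001", "T1105")),
    DiamondEvent("E3", "unknown", "stealer-B", "203.0.113.10", "org-3", ("T1555", "T1041")),
    DiamondEvent("E4", "UNC-EXAMPLE-2", "stealer-C", "198.51.100.7", "org-4", ("T1566.001",)),
]


def index_by_vertex(events):
    """Map each capability and infrastructure value to the events that share it."""
    idx = {"capability": defaultdict(set), "infrastructure": defaultdict(set)}
    for e in events:
        idx["capability"][e.capability].add(e.event_id)
        idx["infrastructure"][e.infrastructure].add(e.event_id)
    return idx


def pivot(events, start_id, max_hops=2):
    """Breadth-first pivot from one event across shared capability/infrastructure vertices.

    Returns {event_id: hop_count} for every event reachable within max_hops;
    the hop count is the smallest number of pivots needed to reach that event.
    """
    by_id = {e.event_id: e for e in events}
    idx = index_by_vertex(events)
    reached = {start_id: 0}
    frontier = [start_id]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for eid in frontier:
            e = by_id[eid]
            neighbours = idx["capability"][e.capability] | idx["infrastructure"][e.infrastructure]
            for n in neighbours:
                if n not in reached:
                    reached[n] = hop
                    next_frontier.append(n)
        frontier = next_frontier
    return reached


def attck_coverage(events, event_ids):
    """Count how many of the given events exhibit each ATT&CK technique ID."""
    by_id = {e.event_id: e for e in events}
    counts = defaultdict(int)
    for eid in event_ids:
        for technique in by_id[eid].techniques:
            counts[technique] += 1
    return dict(sorted(counts.items()))


def candidate_adversaries(events, event_ids):
    """Named clusters already attached to any event in the pivoted set."""
    by_id = {e.event_id: e for e in events}
    return sorted({by_id[i].adversary for i in event_ids if by_id[i].adversary != "unknown"})
```

Starting from the unattributed event E2, the pivot reaches E1 through the shared loader and E3 through the shared C2 address, while E4 stays outside the cluster; that is the kind of linkage an analyst would then weigh before suggesting E2 belongs to the same activity set as E1.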
Which named threat groups should a cleared CTI candidate know cold?
The single fastest way to fail a cleared CTI interview is to fumble named-actor taxonomy. Different vendors track the same actor under different designations, which makes the public reporting an unintentional Rosetta stone. Mandiant uses APT numbers; CrowdStrike uses animal names (Bear for Russia, Panda for China, Kitten for Iran, Chollima for North Korea); Microsoft adopted a weather-system naming scheme in 2023 (Blizzard for Russia, Typhoon for China, Sandstorm for Iran, Sleet for North Korea). A cleared CTI candidate should be able to cross-walk the names and cite the primary public attribution for each. The table below is the working baseline:
| Mandiant (2026) | CrowdStrike | Microsoft | Public attribution | Primary public source |
|---|---|---|---|---|
| APT29 | Cozy Bear | Midnight Blizzard | Russia (SVR) | Microsoft + CrowdStrike |
| APT41 | Wicked Panda | Brass Typhoon | China (MSS-linked, dual espionage/criminal) | Mandiant + DOJ indictments |
| Volt Typhoon | Vanguard Panda | Volt Typhoon | China (state-sponsored) | CISA AA24-038A + Microsoft |
| APT28 | Fancy Bear | Forest Blizzard | Russia (GRU Unit 26165) | Mandiant + DOJ |
| Lazarus | Labyrinth Chollima | Diamond Sleet | North Korea (RGB) | CISA + Treasury OFAC |
| Sandworm | Voodoo Bear | Seashell Blizzard | Russia (GRU Unit 74455) | CISA + CrowdStrike |
| Charming Kitten | Charming Kitten | Mint Sandstorm | Iran (IRGC) | CISA + Microsoft |
| MuddyWater | Static Kitten | Mango Sandstorm | Iran (MOIS) | CISA + Mandiant |
If you can walk a senior analyst through the difference between APT28 (military intelligence, GRU) and APT29 (foreign intelligence, SVR), and explain why Volt Typhoon’s living-off-the-land tradecraft is a different operational signature than the data-exfiltration APT41 has historically practiced, the interview shifts from screening to substance. The named actors are the language of the field, and the field grades you on whether you speak it without hedging.
What does the CTI tooling stack look like in 2026?
A typical cleared CTI workstation talks to five categories of tooling. Threat intelligence platforms (ThreatConnect, or MISP on the open-source side) house your indicators and relationships. Commercial intel feeds (Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence, Palo Alto Networks Unit 42, Cisco Talos) supply finished reporting and curated IOC streams. SIEM and detection content lives in Splunk, Microsoft Sentinel, Elastic, or QRadar. Endpoint and EDR pivots run through CrowdStrike, SentinelOne, or Microsoft Defender. And case management ties the workflow together: usually Jira or ServiceNow on the unclassified side, mission-specific systems on the high side.
Public-sector teams at CISA, the Defense Information Systems Agency (DISA), and the FBI Cyber Division layer in additional mission systems and access to classified threat data not available commercially. Skill with one commercial intel platform and one SIEM is usually table stakes; skill with MITRE ATT&CK Navigator and a TIP like ThreatConnect or MISP is what separates the hireable from the also-rans.
Which certifications actually move the needle for CTI hiring?
CTI is one of the few cyber subspecialties where vendor certifications matter less than analytic tradecraft. That said, hiring managers screen on a short list, and DoD 8140 (the workforce qualification program codified by DoDM 8140.03 in October 2023, replacing the legacy DoD 8570.01-M) mandates specific certs for cleared work-role codes mapped to the NIST NICE Workforce Framework for Cybersecurity (SP 800-181 Rev 1). The single most CTI-relevant credential is GIAC’s GCTI (Cyber Threat Intelligence) at $2,499 standalone, paired with SANS FOR578 for prep. The GIAC GCFA (Forensic Analyst) at $2,499, roughly 150 prep hours via SANS FOR508, is the gold-standard intrusion analysis credential for IR-leaning CTI tracks. CompTIA’s CySA+ at $404 (2026) with about 120 prep hours covers the ground at the junior tier and counts toward 8140 compliance. Senior roles often pair CISSP from ISC2 ($749, 150 prep hours) with a hands-on cert like GCIH, GIAC’s Certified Incident Handler.
| Certification (2026) | Issuer | Typical cost | Prep hours |
|---|---|---|---|
| GCTI (CTI-specific) | GIAC | $2,499 | ~150 |
| CySA+ (junior tier) | CompTIA | $404 | ~120 |
| GCIH (incident handler) | GIAC | $2,499 | ~120 |
| GCFA (forensic analyst) | GIAC | $2,499 | ~150 |
| CISSP (senior tier) | ISC2 | $749 | ~150 |
Why is attribution so hard, and how should you talk about it in interviews?
Attribution (assigning an intrusion to a specific actor, group, or nation) is the most politically loaded part of the analyst’s day. Sophisticated adversaries use commodity tooling, lease infrastructure, and reuse capabilities across operations specifically to muddy the picture. Public reporting from Mandiant on APT41 or from CrowdStrike on Cozy Bear works because those teams aggregate years of incident data, internal telemetry, and, in some cases, government-sourced context that is not available to commercial customers. A good CTI candidate is honest about confidence levels: “low confidence, single source” beats a confident wrong call every time.
John Hultquist, who leads threat intelligence analysis as Chief Analyst of the Google Threat Intelligence Group (the Mandiant team integrated into Google Cloud), has repeatedly framed attribution as the convergence of multiple independent evidence streams (telemetry, infrastructure, capability, and victimology) rather than the conclusion of any single one. The framing appears across Mandiant’s M-Trends annual reports, Hultquist’s RSA Conference keynotes, and his trade-press interviews. For a cleared CTI candidate, that means a public attribution from Mandiant or CISA on a named actor (APT41, Volt Typhoon, Sandworm) is the result of months of corroboration across exactly the sources a cleared analyst will also be expected to weigh in a SCIF: signals intelligence, finished reporting from peer agencies, and commercial telemetry.
In a cleared interview, you will often be asked how you would phrase an attribution judgment for a customer. The expected answer references analytic standards from ICD 203 (the Intelligence Community Directive on Analytic Standards) and uses the Intelligence Community’s standardized confidence language and probability terms. Borrowing that discipline from the IC is one of the fastest ways to look senior.
How does the Intelligence Community confidence language work for CTI analysts?
ICD 203 codifies the probability terms IC analysts use to communicate confidence to a non-analyst audience — most often a policymaker or a mission commander. The terms are not interchangeable. They map to approximate likelihood bands, and a cleared CTI analyst is expected to pick the band that matches the evidence and to stay inside it. Hedging language (“seems,” “appears,” “may potentially”) is discouraged because it forces the reader to infer the analyst’s actual confidence.
| Probability term (ICD 203, 2026) | Approximate likelihood band | When to use it |
|---|---|---|
| Almost no chance / Remote | 1-5% | Strong negative finding |
| Very unlikely / Highly improbable | 5-20% | Low-confidence rebuttal |
| Unlikely / Improbable | 20-45% | Adverse-evidence-weighted finding |
| Roughly even chance / Roughly even odds | 45-55% | Genuine uncertainty |
| Likely / Probable | 55-80% | Standard positive finding |
| Very likely / Highly probable | 80-95% | High-confidence finding |
| Almost certain / Nearly certain | 95-99% | Maximum-confidence finding |
The discipline is symmetric. A cleared CTI analyst who writes “China almost certainly conducted this campaign” is making a specific claim about a 95-99% confidence band, and the underlying evidence had better match. An analyst who hedges on a high-confidence finding (“China likely conducted this campaign” when the evidence justifies “almost certain”) understates the risk to the customer. The vocabulary is small. Learning it is part of the job.
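The calibration check described above, as an added example (not code from the original page or from any IC or vendor tool): it takes the sentence an analyst wrote and the likelihood the evidence actually supports, detects which ICD 203 term the sentence uses, and reports whether the wording is calibrated, overstated, understated, or hedged. The bands are the ones in the table above; the adverb forms and the decision to drop “Remote” (it collides with phrases like “remote access”) are assumptions made for the example.

```python
import re

# ICD 203 probability terms with their approximate likelihood bands, as in the table above.
BANDS = [
    ("almost no chance", 0.01, 0.05),
    ("very unlikely", 0.05, 0.20),
    ("unlikely", 0.20, 0.45),
    ("roughly even chance", 0.45, 0.55),
    ("likely", 0.55, 0.80),
    ("very likely", 0.80, 0.95),
    ("almost certain", 0.95, 0.99),
]

# Alternate wordings from the table plus adverb stems, mapped to the canonical term.
# Longer phrases come first so "very unlikely" wins over "unlikely" and "likely".
# "Remote" is deliberately omitted here (assumption): it false-matches "remote access".
PHRASES = [
    ("roughly even chance", "roughly even chance"), ("roughly even odds", "roughly even chance"),
    ("highly improbable", "very unlikely"), ("highly probable", "very likely"),
    ("almost no chance", "almost no chance"), ("almost certain", "almost certain"),
    ("nearly certain", "almost certain"), ("very unlikely", "very unlikely"),
    ("very likely", "very likely"), ("improbable", "unlikely"), ("unlikely", "unlikely"),
    ("probabl", "likely"), ("likely", "likely"),
]

# Hedging words the text calls out; they make the reader guess the analyst's confidence.
HEDGES = ("seems", "appears", "may potentially")


def term_for(probability):
    """Return the canonical ICD 203 term whose band contains the probability (0..1)."""
    for term, _lo, hi in BANDS:
        if probability < hi:
            return term
    return BANDS[-1][0]


def find_term(sentence):
    """Return the canonical term a sentence expresses, or None if it uses none.

    Only a leading word boundary is enforced, so "almost certainly" and "probably"
    still resolve to their base phrase.
    """
    text = sentence.lower()
    for phrase, canonical in PHRASES:
        if re.search(r"\b" + re.escape(phrase), text):
            return canonical
    return None


def check_calibration(sentence, evidence_probability):
    """Compare the term the analyst wrote against the band the evidence supports."""
    expected = term_for(evidence_probability)
    text = sentence.lower()
    if any(h in text for h in HEDGES):
        return {"term": None, "expected": expected, "verdict": "hedged"}
    written = find_term(sentence)
    if written is None:
        return {"term": None, "expected": expected, "verdict": "no_term"}
    order = [band[0] for band in BANDS]
    gap = order.index(written) - order.index(expected)
    verdict = "calibrated" if gap == 0 else ("overstated" if gap > 0 else "understated")
    return {"term": written, "expected": expected, "verdict": verdict}
```

Run against the page’s own example, “China almost certainly conducted this campaign” is calibrated when the evidence supports a 95-99% likelihood, while “China likely conducted this campaign” on the same evidence comes back as understated.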
Who hires cleared CTI talent right now?
The cleared hiring base in 2026 is concentrated in a small number of well-known buyers. Federal systems integrators (Booz Allen Hamilton, Leidos, Northrop Grumman, ManTech, SAIC, CACI, Peraton, GDIT) supply contractor CTI to most DoD components and Intelligence Community customers. Commercial vendors with cleared programs include Mandiant (Google Cloud), CrowdStrike, Microsoft, and Palantir. Direct civilian employers include CISA, the FBI, DIA, NSA, NRO, and DCSA, all of which run their own CIRTs or threat-focused mission teams.
The Defense Counterintelligence and Security Agency (DCSA) handles most of the clearance lifecycle for cleared industry, so applicants moving between contractors usually carry their clearance with them. Cleared CTI churn is real, but the cleared-cyber premium documented by the 2024 ClearanceJobs Compensation Report sits in a $30,000 to $45,000 band for TS/SCI cyber analysts and stretches above $60,000 for a TS/SCI with full-scope polygraph. Most analysts stay within the same agency program for three to five years to vest accumulated mission knowledge.
Sandra Joyce, who runs Google Threat Intelligence as Vice President of the integrated Mandiant intelligence team at Google Cloud, has spoken publicly about the scale of China’s cyber espionage program at venues including RSA Conference and Mandiant’s M-Trends launches. Her framing on the “scale and aggression” of Chinese state-sponsored activity is documented across Mandiant publications and Congressional testimony. For cleared CTI hiring, the operational consequence is straightforward: every CISA China-nexus advisory pulls more cleared analyst billets through DoD-component and IC-element contracting vehicles than the prior year’s report. The February 2024 Volt Typhoon advisory alone reshaped the federal cleared-CTI hiring map by reclassifying every installation-utility OT system as contested.
What does the CTI hiring picture look like through 2027?
Two trends shape cleared CTI hiring through 2027. The first is the structural mismatch between FBI and IC investigative capacity and China-nexus cyber activity. Bryan Vorndran, the FBI Cyber Division’s Assistant Director, told the House Select Committee on the Chinese Communist Party in January 2024 that the FBI’s investigative caseload on China cyber actors “is more than the cyber personnel of every other federal agency combined” and that “if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to one.” The CISA China cyber overview corroborates the structural picture: nation-state cyber activity from the PRC is escalating, and federal CTI hiring is the binding lever.
The second is the DoDM 8140.03 enforcement curve. Program offices have been steadily folding the October 2023 manual into contract language, and the credential-as-checkbox filter for All-Source Analyst, Cyber Defense Analyst, and Threat/Warning Analyst DCWF work roles is getting more rigid, not less. If China-nexus activity continues to accelerate through 2026 and the cleared CTI pipeline does not materially widen (both of which are the consensus expectation among cleared-industry hiring leaders), the cleared CTI premium expands, not compresses. For a cleared CTI candidate on the senior or lead track in 2026, that turns the prep cycle into one of the cleaner ROI bets available in the cleared cyber career stack. The math is the math.
Frequently asked questions about CTI analyst jobs
Do I need a clearance to break into cyber threat intelligence?
No. Most commercial CTI teams (Recorded Future, Mandiant, CrowdStrike Falcon Intelligence, ThreatConnect) hire entry-level analysts without a clearance. The clearance comes into play if you target federal contracts or direct-hire roles at agencies like CISA, NSA, or DIA. Plenty of senior CTI analysts spend full careers without ever clearing in.
Is a CTI analyst the same as a SOC analyst?
No, but they sit next to each other. SOC analysts work alerts and incidents in near-real-time; CTI analysts produce the context that explains what the alerts mean, who is likely behind them, and what the team should hunt for next. Many CTI analysts come up through Tier 2 or Tier 3 SOC roles before pivoting, and the DoD 8140 DCWF work-role taxonomy actually codes them differently: Cyber Defense Analyst for SOC tier work, All-Source Analyst / Threat-Warning Analyst for CTI work.
How long does it take to get a TS/SCI for a CTI job?
Initial Top Secret with SCI eligibility typically takes 6 to 12 months for a clean background, processed through DCSA. Polygraph access can add another 3 to 6 months. Many integrators sponsor uncleared candidates into the pipeline for harder-to-fill billets.
Which writing samples should I bring to a CTI interview?
A short-form indicator analysis (one or two paragraphs explaining a single IOC’s significance), a mid-form campaign overview (Diamond Model or ATT&CK-mapped), and a strategic assessment paragraph aimed at a non-technical executive. Hiring managers care more about clarity, confidence calibration (per ICD 203), and analytic structure than about the volume of words.
Is the CTI job market still hiring in 2026?
Yes, with caveats. Commercial CTI hiring tightened modestly after the 2024-2025 vendor consolidation, but federal CTI demand is steady to up — driven by CISA’s expanding mission set and DoD component CIRT growth in response to Volt Typhoon-class advisories. Cleared analysts with operational tier experience and a current TS/SCI are still in clear excess demand.