Threat Essentials Blog

A day-in-the-life of a Cyber Threat Intelligence Analyst

Cyber Threat Intelligence (CTI) is the new kid on the block when it comes down to roles both within cyber security and within the wider practice of threat intelligence research. CTI is different from conventional “bomb and bullet” research both in terms of the skills that you use and the career path that you follow. This blog is intended to give a brief snapshot of the day-to-day of a typical CTI role and some of its key features.

Cyber threat intelligence analyst role at a glance

The role of a Cyber Threat Intelligence analyst varies hugely. Some of us spend our days analysing the technical infrastructure of cyber threats at a tactical level; others spend their days considering geostrategic developments at the strategic level. There are, however, common strands that unite all CTI analysts regardless of the organisation or technical specialism that they work within.

So, what can you expect from a day-to-day CTI analyst role if you aspire to this career path? Outlined below are some of the most common aspects of the CTI role. 

What does a cyber threat intelligence analyst do?

Working with the intelligence cycle 

The intelligence cycle with its four steps (direction, collection, analysis, dissemination) is the core of the intelligence analyst role, and the job is a constant flow across the four stages that never ends. Within the context of cyber threat intelligence, numerous unique aspects apply to each of these phases. In more depth:

    • Direction: this first stage is where we as analysts define what the customer wants from the intelligence product. Within the practice of CTI, this can often be the most challenging step as we try to first match customer problems to defined intelligence requirements and then match these requirements to our intelligence collection capabilities.
    • Collection: in order to create intelligence, we need data; it’s within this phase that we gather this data from our Sources and Agencies (SandA) to push into the analysis phase. The trick at this point is matching the intelligence requirements that we defined within the direction phase to the SandA that we have available. 
    • Analysis: this stage is still the make-or-break aspect of the cycle. Within this phase we apply multiple techniques such as Analysis of Competing Hypotheses, Cone of Plausibility, Social Network Analysis, SWOT and PESTEL (political, economic, social, technological, environmental, legal) analysis, amongst others.
    • Dissemination: intelligence is of no use to anyone if you keep it to yourself. In this critical final stage, we pass the intelligence back to the customer who initiated the project in the direction phase. This can be in a written format or something more interactive such as a verbal briefing. 

Developing primary and secondary sources

Gaining access to data is critical to the success of the CTI enterprise. Although not all of us develop sources, many of us are involved in developing new sources of data. These sources can be divided into two broad categories:

    • Primary: this refers to sources we have direct access to, e.g. Dark Web cyber-criminal forums or malware analysis.
    • Secondary: these are sources that we have access to but that are not the primary source of the data, e.g. journalists, a malware analyst’s blog or another CTI researcher’s work.

The art of Cyber Threat Intelligence

The trick with sources is getting just the right “blend” that matches up to your intelligence requirements. This is where the art of CTI comes into play, as there is not much point in having a load of primary sources gathered from the dark web if the majority of your intelligence requirements are around nation state espionage activity.

Cyber Threat Intelligence Training

Cyber threat intelligence training never really ends for the professional CTI analyst. As the threat evolves, our skills and knowledge must continuously develop to be able to identify and analyse it. Training takes many forms from informal research to study towards more formal qualifications such as the CREST CTI analyst and management qualifications.


No one person knows everything about the threat landscape and there are always different viewpoints that can be taken towards the often highly subjective issues that surround CTI practice. While client confidentiality is always paramount, there is a very strong cross industry CTI community with many formal and informal gatherings on both the local and global levels. For many, this community is not only an invaluable source of data on new cyber threats but is a key contributor to the community spirit of CTI. 

The perks of being a cyber threat intelligence analyst

This blog is intended to give a brief taster of some of the key points of being a CTI analyst and touches on the essentials of what is a fascinating role and a genuine career path into infosec. There are, of course, more technical roles in information security, but being a CTI analyst presents you with a unique opportunity to engage with the cutting edge of security issues as well as getting privileged security insights into issues that most people are unaware of.