Cyber Threat Intelligence (CTI) Analyst.

A specialist who collects, structures, and disseminates intelligence about threat actors, campaigns, and TTPs — at strategic, operational, and tactical tiers — to inform defenders, IR teams, and executive decision-makers. It belongs to the Roles & Careers category of cybersecurity.

A specialist who collects, structures, and disseminates intelligence about threat actors, campaigns, and TTPs — at strategic, operational, and tactical tiers — to inform defenders, IR teams, and executive decision-makers.

A Cyber Threat Intelligence (CTI) analyst produces and curates the actionable intelligence layer that sits between raw threat data and security decisions. The role splits along three classical tiers. Strategic CTI summarizes adversary motivations, geopolitical context, and long-term trends for executives and board audiences. Operational CTI characterizes specific named threat actors and campaigns (TTPs, infrastructure, victimology, targeting) for SOCs, hunt teams, and IR. Tactical CTI is the day-to-day stream of IOCs, YARA/Sigma rules, ATT&CK mappings, and feed entries that detection engineering consumes. Workflow combines OSINT, paid feeds (Mandiant, CrowdStrike Falcon Intelligence, Recorded Future, Intel 471), criminal-forum monitoring, sample collection (MalwareBazaar, VirusTotal Intelligence), and internal SOC telemetry, structured using frameworks such as MITRE ATT&CK, STIX/TAXII, Diamond Model, the Pyramid of Pain, and TLP. Outputs are written reports, intelligence briefings, IOC feeds, ATT&CK navigator layers, and pre-incident hunt packages. CTI analysts often hold GIAC GCTI, SANS FOR-578, eLearnSecurity eCTHP, or Mandiant-style certifications.

Defences for Cyber Threat Intelligence (CTI) Analyst typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Threat intelligence analyst, CTI researcher.