🌿 Druid → Threat Intelligence Analyst
“Know thy enemy. Their tools, their tactics, their motivations. That’s how you stay ahead.”
Your Role in the Party
You understand the threat ecosystem. While others focus on defending specific systems or investigating specific incidents, you study the adversaries themselves—their motivations, capabilities, infrastructure, and evolving techniques. Your intelligence informs defensive priorities, hunt hypotheses, and strategic security decisions.
Threat Intelligence Analysts operate at the intersection of research and security operations. You consume raw data—malware samples, C2 infrastructure, dark web chatter, geopolitical developments—and transform it into actionable intelligence. Your finished products guide how the organization defends itself.
This role rewards curiosity and pattern recognition. The best CTI analysts can track a threat actor across campaigns spanning years, connect dots others don’t see, and anticipate the next move based on historical behavior. If you’ve ever fallen down a research rabbit hole and emerged hours later with insights no one else has, you’re built for this.
📊 Your Stat Spread
| Stat | Score | What It Means for You |
|---|---|---|
| WIS | ⭐⭐⭐⭐⭐ | Pattern recognition is your superpower. You connect threat actor TTPs across campaigns and years. |
| INT | ⭐⭐⭐⭐ | Deep knowledge of adversary techniques, geopolitics, and threat landscape. |
| DEX | ⭐⭐⭐⭐ | Adapt to changing threat landscape. Today’s priority might not be tomorrow’s. |
| CON | ⭐⭐⭐ | Research sprints require focus. Deep-dive analysis on campaigns and actors. |
| CHA | ⭐⭐⭐ | Brief stakeholders on findings. Translate intelligence into actionable recommendations. |
| STR | ⭐⭐ | Analysis over hands-on exploitation. You study attacks; others execute them. |
🎭 Neurodivergent Advantages
Your traits are class features, not bugs:
- Special Interests in Geopolitics: If nation-state actors, hacktivism, or cybercrime ecosystems have ever captured your hyperfocus, that knowledge directly translates to CTI work. Your deep knowledge of specific threat actors is your competitive advantage.
- Pattern Recognition (WIS): Both ADHD and autistic brains excel at connecting disparate data points. The infrastructure overlap, the code similarity, the TTP pattern that links campaigns—your brain notices what others miss.
- Long-Term Tracking: Autistic ability to maintain interest in specific topics over years is exactly what tracking threat actors requires. Campaigns span months; groups operate for years. Your persistence pays off.
- Research Hyperfocus: When you find an interesting thread to pull, you follow it completely. Those deep research sessions produce the intelligence others can’t generate.
- Systematic Analysis: CTI follows structured methodologies—Diamond Model, Kill Chain, ATT&CK mapping. If your brain craves frameworks, intelligence analysis provides them.
- Written Communication: Intelligence reports are highly structured written products. If you express yourself better in writing, this role plays to that strength.
🗺️ Career Path
SOC Analyst → Threat Hunter → Threat Intel Analyst → Senior Intel Analyst → Intel Team Lead
Stages along the path: Foundation → Detection Experience → Production → Leadership or Strategic Intel
Alternative Entry Points:
- Geopolitical Analyst → CTI Analyst (geopolitical background)
- Journalist/Researcher → CTI Analyst (OSINT skills)
- Military Intelligence → CTI Analyst (intelligence methodology)
Common Druid Multiclasses:
- Druid/Ranger: CTI Analyst → Threat Hunter (apply intel to active hunting)
- Druid/Monk: CTI Analyst → Malware Researcher (track actors through their tools)
- Druid/Cleric: CTI Analyst → Third-Party Risk (vendor threat assessment)
📜 Certification Pathway
Level 1-5: Foundation (0-2 years)
| Certification | Org | Type | Cost | Why It Fits |
|---|---|---|---|---|
| CompTIA Security+ | CompTIA | Multiple Choice | ~$425 | Foundation. Understand security before analyzing threats to it. |
| CompTIA CySA+ | CompTIA | Multiple Choice | ~$404 | Behavioral analysis. Understand detection before producing intel for it. |
| BTL1 (Blue Team Level 1) | Security Blue Team | Practical (24-hr) | | Blue team fundamentals including threat intel basics. |
Neurodivergent Note: Build operational experience first. CTI is most valuable when you understand what defenders actually need. SOC or hunt experience informs better intelligence production.
Level 6-10: Specialization (2-5 years)
| Certification | Org | Type | Cost | Why It Fits |
|---|---|---|---|---|
| GCTI (GIAC Cyber Threat Intelligence) | SANS/GIAC | Multiple Choice (open-book, proctored) | ~$999 (exam) + ~$8,500 (FOR578) | Gold standard CTI cert. Full intelligence lifecycle, analytical frameworks, attribution, and intelligence production. |
| CTIA (Certified Threat Intelligence Analyst) | EC-Council | Multiple Choice | ~$1,000-1,700 | Budget-friendlier option. 15 modules covering the CTI lifecycle. Eligibility requires official training or documented work experience. |
| GCFA (GIAC Certified Forensic Analyst) | SANS/GIAC | Multiple Choice (open-book, proctored) | ~$999 (exam) + course (FOR508) | Forensic skills inform CTI. Understand the artifacts threat actors leave behind. |
Neurodivergent Note: GCTI (FOR578) is the premier CTI course—covers Diamond Model, Kill Chain, COA Matrix, and production methodology. CTIA is more accessible if cost is a barrier. Both certifications accelerate CTI careers.
Level 11-15: Advanced (5-8 years)
| Certification | Org | Type | Cost | Why It Fits |
|---|---|---|---|---|
| GCIH (GIAC Certified Incident Handler) | SANS/GIAC | Multiple Choice (open-book, proctored) | ~$999 (exam) + ~$8,500 (SEC504) | Understand incident response to produce better intel for responders. |
| GREM (GIAC Reverse Engineering Malware) | SANS/GIAC | Multiple Choice (open-book, proctored) | ~$999 (exam) + course (FOR610) | Analyze threat actor tools at the code level. Deep technical CTI. |
| OSINT Certifications | Various | Mixed | $500-2,000 | OSINT skills for open-source intelligence collection. |
Neurodivergent Note: At this level, specialize based on interest: technical CTI (GREM), operational CTI (GCIH), or strategic intelligence. Your special interest should guide this choice.
Level 16-20: Mastery (8+ years)
| Certification | Org | Type | Cost | Why It Fits |
|---|---|---|---|---|
| CISSP | ISC² | Multiple Choice | ~$749 | Strategic credibility. Opens doors to leadership and advisory roles. |
| CISM | ISACA | Multiple Choice | ~$575 (member) | Security management. If leading CTI teams is your goal. |
🛠️ Your Toolkit
Primary Weapons
| Tool | Type | What It Does | Link |
|---|---|---|---|
| MITRE ATT&CK | Framework | Adversary behavior framework. Common language for TTPs. Essential. | attack.mitre.org |
| MISP | Platform | Threat intelligence sharing platform. IOC correlation, sharing, enrichment. | misp-project.org |
| OpenCTI | Platform | Open-source threat intelligence platform. Graph-based analysis, STIX2 native. | opencti.io |
Intelligence Platforms
| Tool | Purpose | Link |
|---|---|---|
| TheHive | Incident and threat intel management | thehive-project.org |
| Maltego | Visual link analysis. Connect entities across investigations. | maltego.com |
| Recorded Future | Commercial threat intel platform with broad feed coverage | recordedfuture.com |
| Mandiant Advantage | Threat intelligence from incident response leaders | mandiant.com |
OSINT Tools
| Tool | Purpose | Link |
|---|---|---|
| Shodan | Internet-connected device search. Find adversary infrastructure. | shodan.io |
| Censys | Internet asset search. Alternative to Shodan. | censys.io |
| SpiderFoot | Automated OSINT collection | spiderfoot.net |
| Hunchly | Web capture for OSINT investigations | hunch.ly |
| OSINT Framework | Collection of OSINT tools organized by category | osintframework.com |
Threat Data Sources
| Source | Purpose | Link |
|---|---|---|
| VirusTotal | Malware and URL intelligence | virustotal.com |
| URLhaus | Malicious URL database | urlhaus.abuse.ch |
| MalwareBazaar | Malware sample sharing | bazaar.abuse.ch |
| ThreatFox | IOC sharing platform | threatfox.abuse.ch |
| AlienVault OTX | Open threat exchange | otx.alienvault.com |
Fun Tools from Awesome Lists
Source: awesome-threat-intelligence
| Tool | What It Does |
|---|---|
| YETI | Your Everyday Threat Intelligence platform |
| CRITs | Collaborative Research Into Threats (MITRE; largely dormant, useful mainly for reference) |
| IntelMQ | Automated processing of security feeds |
| Harpoon | OSINT CLI tool |
| TheHarvester | Email and domain OSINT |
| Recon-ng | Web reconnaissance framework |
📚 Learning Resources
Free Resources
YouTube Channels:
- SANS Cyber Defense - CTI methodology and case studies
- Katie Nickels (Red Canary) - ATT&CK and threat intel
- MITRE ATT&CK - Official technique breakdowns
- Black Hills Information Security - Threat hunting and intel
Practice & Learning:
- MITRE ATT&CK Navigator - Visualize adversary coverage
- TryHackMe - “Threat Intelligence” rooms
- CyberDefenders - Blue team challenges with intel components
- OSINT Dojo - OSINT training platform
Essential Reading:
- SANS CTI Reading Room - Free research papers
- Mandiant Threat Intelligence Reports - APT research
- Microsoft Security Blog - Threat actor tracking
- CrowdStrike Blog - Adversary intelligence
Books for Druids
| Book | Author | Why Read It |
|---|---|---|
| Intelligence-Driven Incident Response | Scott Roberts & Rebekah Brown | CTI for incident response. Practical integration. |
| The Threat Intelligence Handbook | Recorded Future | Comprehensive CTI methodology. Free from Recorded Future. |
| Practical Threat Intelligence and Data-Driven Threat Hunting | Valentina Costa-Gazcón | Combining CTI with hunting. ATT&CK focused. |
| The Diamond Model | Sergio Caltagirone et al. | Core CTI analytical framework. Original paper. |
| Structured Analytic Techniques | Richards Heuer & Randolph Pherson | Intelligence analysis methodology from veteran CIA analysts. |
| Psychology of Intelligence Analysis | Richards Heuer | Cognitive biases in analysis. Free from CIA. |
Podcasts
| Podcast | Why Listen |
|---|---|
| SANS Internet Storm Center | Daily threat updates |
| Risky Business | Weekly security news with intel context |
| Darknet Diaries | Threat actor stories |
| The CyberWire | Daily security intelligence briefing |
| Malicious Life | Historical threat actor campaigns |
🎓 SANS Courses for Druids
| Course | Cert | Focus | Best For |
|---|---|---|---|
| FOR578: Cyber Threat Intelligence | GCTI | Full CTI lifecycle and methodology | Essential for all Druids |
| FOR508: Advanced IR & Threat Hunting | GCFA | Threat hunting informed by intel | Operational CTI |
| FOR610: Reverse-Engineering Malware | GREM | Technical malware analysis | Technical CTI |
| SEC487: Open-Source Intelligence (OSINT) | GOSI | OSINT collection and analysis | Collection-focused CTI |
| SEC599: Defeating Advanced Adversaries | GDAT | Purple team with intel focus | Understanding adversary perspective |
🏆 Building Your Magic Items
Early Career Achievements:
- Map a threat actor to MITRE ATT&CK
- Produce your first threat intelligence report
- Set up a MISP instance
- Complete TryHackMe CTI path
- Subscribe to and consume 5 threat intel feeds
Mid-Career Achievements:
- Track a campaign across multiple reports
- Earn GCTI certification
- Present intelligence briefing to stakeholders
- Contribute to threat intel sharing community
- Build detection rules from CTI analysis
Senior Achievements:
- Lead threat intel production for your organization
- Publish original threat research
- Speak at a CTI conference (FIRST conference, SANS CTI Summit)
- Mentor junior analysts
- Shape organizational security priorities with strategic intel
🧭 Multiclassing Guide
Adding Ranger Levels (Threat Hunting)
Apply intelligence to active hunting:
- Use CTI to develop hunt hypotheses
- SANS FOR508 for hunt methodology
- Convert intelligence into detection rules
“I don’t just produce intel—I hunt for the threats I track.”
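The three Ranger steps above (intel to hunt hypotheses to detection rules), together with the "Map a threat actor to MITRE ATT&CK" and "Build detection rules from CTI analysis" achievements and the STIX2/IOC-correlation tools in the Primary Weapons table, are one pipeline in practice. The following is an added example written for this guide; it is not code from MITRE, MISP, OpenCTI, or the Sigma project. It reads a STIX 2.1 bundle of the shape OpenCTI exports, lists the ATT&CK techniques an intrusion set uses, writes an ATT&CK Navigator layer, and converts the set's atomic indicators into Sigma-style rules, standard library only. The bundle, the actor name EXAMPLE-ACTOR, its techniques, the indicator values, the placeholder UUIDs, and the Navigator version numbers are all constructed assumptions and describe no real actor or infrastructure.

```python
"""Added example for this guide (not code from MITRE, MISP, OpenCTI or Sigma):
STIX 2.1 bundle -> ATT&CK technique IDs -> Navigator layer -> Sigma-style rules.
BUNDLE is constructed: EXAMPLE-ACTOR, its techniques, indicator values and IDs are invented."""
import json
import re

ACTOR = "intrusion-set--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
AP_PHISH = "attack-pattern--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
AP_PS = "attack-pattern--cccccccc-cccc-4ccc-8ccc-cccccccccccc"
IND_DOMAIN = "indicator--dddddddd-dddd-4ddd-8ddd-dddddddddddd"
IND_HASH = "indicator--eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee"

def rel(n, kind, src, dst):
    """STIX relationship object; the id is a placeholder UUID built from n."""
    return {"type": "relationship", "id": f"relationship--{n:08d}-0000-4000-8000-000000000000",
            "relationship_type": kind, "source_ref": src, "target_ref": dst}

# Shapes follow STIX 2.1 as used by ATT&CK and OpenCTI (spec_version/created/modified omitted):
# attack-patterns carry the ATT&CK ID in external_references, "uses" links the actor to them,
# "indicates" links indicators to the actor.
BUNDLE = {"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111", "objects": [
    {"type": "intrusion-set", "id": ACTOR, "name": "EXAMPLE-ACTOR"},
    {"type": "attack-pattern", "id": AP_PHISH, "name": "Spearphishing Attachment",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "attack-pattern", "id": AP_PS, "name": "PowerShell",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
    rel(1, "uses", ACTOR, AP_PHISH),
    rel(2, "uses", ACTOR, AP_PS),
    {"type": "indicator", "id": IND_DOMAIN, "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[domain-name:value = 'update-check.invalid']"},
    {"type": "indicator", "id": IND_HASH, "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    rel(3, "indicates", IND_DOMAIN, ACTOR),
    rel(4, "indicates", IND_HASH, ACTOR),
]}

# Atomic patterns only: [object:property = 'value']. AND/OR, MATCHES, ranges fall through to None.
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'\]$")

# STIX observable (object, property) -> Sigma logsource and field name (assumed Windows telemetry).
FIELD_MAP = {
    ("domain-name", "value"): ({"category": "dns_query", "product": "windows"}, "QueryName"),
    ("ipv4-addr", "value"): ({"category": "network_connection", "product": "windows"}, "DestinationIp"),
    ("file", "hashes.SHA-256"): ({"category": "process_creation", "product": "windows"}, "sha256"),
}

def _actor_ids(bundle, actor_name):
    return {o["id"] for o in bundle["objects"]
            if o["type"] == "intrusion-set" and o.get("name") == actor_name}

def _rels(bundle, kind):
    return [o for o in bundle["objects"]
            if o["type"] == "relationship" and o["relationship_type"] == kind]

def attack_ids(bundle, actor_name):
    """Sorted ATT&CK technique IDs the named intrusion set 'uses'."""
    objs = {o["id"]: o for o in bundle["objects"]}
    actors, ids = _actor_ids(bundle, actor_name), set()
    for r in _rels(bundle, "uses"):
        if r["source_ref"] in actors:
            for ref in objs[r["target_ref"]].get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    ids.add(ref["external_id"])
    return sorted(ids)

def navigator_layer(bundle, actor_name):
    """ATT&CK Navigator layer scoring each of the actor's techniques 1.
    Version numbers are assumed; match them to the Navigator that will load the file."""
    return {"name": f"{actor_name} techniques", "domain": "enterprise-attack",
            "versions": {"layer": "4.5", "attack": "15", "navigator": "5.0"},
            "techniques": [{"techniqueID": t, "score": 1, "comment": f"reported for {actor_name}"}
                           for t in attack_ids(bundle, actor_name)]}

def parse_pattern(pattern):
    """('domain-name', 'value', 'x.invalid') for an atomic pattern, else None."""
    m = PATTERN_RE.match(pattern)
    return (m[1], m[2].replace("'", ""), m[3]) if m else None   # hashes.'SHA-256' -> hashes.SHA-256

def sigma_rule(indicator, actor_name, tags):
    """Sigma-style rule dict for one atomic indicator, or None if unsupported."""
    parsed = parse_pattern(indicator["pattern"])
    if parsed is None or parsed[:2] not in FIELD_MAP:
        return None
    obj, prop, value = parsed
    logsource, field = FIELD_MAP[(obj, prop)]
    return {"title": f"{actor_name} indicator: {obj} {value}", "status": "experimental",
            "logsource": logsource, "level": "high", "tags": tags,
            "detection": {"selection": {field: value}, "condition": "selection"}}

def rules_for_actor(bundle, actor_name):
    """One rule per supported indicator that 'indicates' the actor, tagged with its ATT&CK IDs."""
    objs = {o["id"]: o for o in bundle["objects"]}
    actors = _actor_ids(bundle, actor_name)
    tags = [f"attack.{t.lower()}" for t in attack_ids(bundle, actor_name)]
    rules = [sigma_rule(objs[r["source_ref"]], actor_name, tags)
             for r in _rels(bundle, "indicates") if r["target_ref"] in actors]
    return [r for r in rules if r is not None]

if __name__ == "__main__":
    print(json.dumps(navigator_layer(BUNDLE, "EXAMPLE-ACTOR"), indent=2))
    print(json.dumps(rules_for_actor(BUNDLE, "EXAMPLE-ACTOR"), indent=2))
```

Running it prints the layer (load it in Navigator via "Open Existing Layer") and two rule dicts; to ship them as real Sigma files, dump each dict with PyYAML and add the id, date, author, and falsepositives fields the Sigma schema expects. Note the asymmetry the Ranger bullets hint at: the hash and domain rules expire as soon as the actor rotates infrastructure, while the technique mapping in the layer is what survives to drive the next hunt hypothesis.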
Adding Monk Levels (Malware Analysis)
Track threat actors through their tools:
- SANS FOR610 for malware reverse engineering
- Attribute samples to threat actors through code analysis
- Understand TTPs at the technical level
“I track threat actors through the fingerprints they leave in their malware.”
Adding Cleric Levels (Third-Party Risk)
Combine CTI with vendor risk assessment:
- Assess vendor exposure to threat actors
- Supply chain threat intelligence
- Integrate CTI into procurement decisions
“I assess whether vendors are in the crosshairs of threats targeting our sector.”
💡 Neurodivergent Learning Strategies
For ADHD:
- CTI’s variety helps—new actors, new campaigns, new geopolitics
- Use breaking news and current events to maintain interest
- Switch between collection, analysis, and production tasks
- The “puzzle” of attribution captures hyperfocus
For Autism:
- Frameworks (Diamond Model, Kill Chain, ATT&CK) provide satisfying structure
- Build comprehensive personal databases of threat actors and TTPs
- Deep-dive on specific threat actors or regions as special interests
- Written report production plays to common strengths
For Both:
- Pattern recognition across campaigns is your superpower
- Long-term tracking of actors suits persistent focus
- Research hyperfocus produces insights others can’t generate
- Your attention to detail catches the infrastructure overlap
🎯 Not Sure If You’re a Druid?
Take the Character Creation Quiz to discover your cybersecurity class and get personalized recommendations!
📖 Continue Your Journey
- View All Classes
- Blue Team: Ranger - If proactive hunting calls to you
- Red Team: Monk - If malware analysis is your focus
- Blue Team: Cleric - If GRC and risk management interest you
“The adversary evolves. Your intelligence keeps defenders one step ahead.”