All Classes
blue teamThreat Intelligence Analyst
Druid → Threat Intelligence Analyst character illustration
Earn Some GoldFind remote Threat Intelligence Analyst jobs on Hiring Cafe

🌿 Druid → Threat Intelligence Analyst

“Know thy enemy. Their tools, their tactics, their motivations. That’s how you stay ahead.”

Your Role in the Party

You understand the threat ecosystem. While others focus on defending specific systems or investigating specific incidents, you study the adversaries themselves—their motivations, capabilities, infrastructure, and evolving techniques. Your intelligence informs defensive priorities, hunt hypotheses, and strategic security decisions.

Threat Intelligence Analysts operate at the intersection of research and security operations. You consume raw data—malware samples, C2 infrastructure, dark web chatter, geopolitical developments—and transform it into actionable intelligence. Your finished products guide how the organization defends itself.

This role rewards curiosity and pattern recognition. The best CTI analysts can track a threat actor across campaigns spanning years, connect dots others don’t see, and anticipate the next move based on historical behavior. If you’ve ever fallen down a research rabbit hole and emerged hours later with insights no one else has, you’re built for this.


📊 Your Stat Spread

Stat Score What It Means for You
WIS ⭐⭐⭐⭐⭐ Pattern recognition is your superpower. You connect threat actor TTPs across campaigns and years.
INT ⭐⭐⭐⭐ Deep knowledge of adversary techniques, geopolitics, and threat landscape.
DEX ⭐⭐⭐⭐ Adapt to changing threat landscape. Today’s priority might not be tomorrow’s.
CON ⭐⭐⭐ Research sprints require focus. Deep-dive analysis on campaigns and actors.
CHA ⭐⭐⭐ Brief stakeholders on findings. Translate intelligence into actionable recommendations.
STR ⭐⭐ Analysis over hands-on exploitation. You study attacks; others execute them.

🎭 Neurodivergent Advantages

Your traits are class features, not bugs:

  • Special Interests in Geopolitics: If nation-state actors, hacktivism, or cybercrime ecosystems have ever captured your hyperfocus, that knowledge directly translates to CTI work. Your deep knowledge of specific threat actors is your competitive advantage.

  • Pattern Recognition (WIS): Both ADHD and autistic brains excel at connecting disparate data points. The infrastructure overlap, the code similarity, the TTP pattern that links campaigns—your brain notices what others miss.

  • Long-Term Tracking: Autistic ability to maintain interest in specific topics over years is exactly what tracking threat actors requires. Campaigns span months; groups operate for years. Your persistence pays off.

  • Research Hyperfocus: When you find an interesting thread to pull, you follow it completely. Those deep research sessions produce the intelligence others can’t generate.

  • Systematic Analysis: CTI follows structured methodologies—Diamond Model, Kill Chain, ATT&CK mapping. If your brain craves frameworks, intelligence analysis provides them.

  • Written Communication: Intelligence reports are highly structured written products. If you express yourself better in writing, this role plays to that strength.


🗺️ Career Path

SOC Analyst → Threat Hunter → Threat Intel Analyst → Senior Intel Analyst → Intel Team Lead
       ↓            ↓                ↓                      ↓
  (Foundation)  (Detection       (Production)          (Leadership or
                 Experience)                            Strategic Intel)

Alternative Entry Points:

  • Geopolitical Analyst → CTI Analyst (geopolitical background)
  • Journalist/Researcher → CTI Analyst (OSINT skills)
  • Military Intelligence → CTI Analyst (intelligence methodology)

Common Druid Multiclasses:

  • Druid/Ranger: CTI Analyst → Threat Hunter (apply intel to active hunting)
  • Druid/Monk: CTI Analyst → Malware Researcher (track actors through their tools)
  • Druid/Cleric: CTI Analyst → Third-Party Risk (vendor threat assessment)

📜 Certification Pathway

Level 1-5: Foundation (0-2 years)

Certification Org Type Cost Why It Fits
CompTIA Security+ CompTIA Multiple Choice ~$425 Foundation. Understand security before analyzing threats to it.
CompTIA CySA+ CompTIA Multiple Choice ~$404 Behavioral analysis. Understand detection before producing intel for it.
BTL1 (Blue Team Level 1) Security Blue Team Practical (24-hr) £399 ($500) Blue team fundamentals including threat intel basics.

Neurodivergent Note: Build operational experience first. CTI is most valuable when you understand what defenders actually need. SOC or hunt experience informs better intelligence production.


Level 6-10: Specialization (2-5 years)

Certification Org Type Cost Why It Fits
GCTI (GIAC Cyber Threat Intelligence) SANS/GIAC Practical ~$999 (exam) + ~$8,500 (FOR578) Gold standard CTI cert. Full intelligence lifecycle, analytical frameworks, open-book with CyberLive labs.
CTIA (Certified Threat Intelligence Analyst) EC-Council Multiple Choice ~$1,000-1,700 Budget-friendlier option. 15 modules covering CTI lifecycle. Requires 3 years experience or training.
GCFA (GIAC Certified Forensic Analyst) SANS/GIAC Practical ~$999 (exam) + course Forensic skills inform CTI. Understand artifacts threat actors leave behind.

Neurodivergent Note: GCTI (FOR578) is the premier CTI course—covers Diamond Model, Kill Chain, COA Matrix, and production methodology. CTIA is more accessible if cost is a barrier. Both certifications accelerate CTI careers.


Level 11-15: Advanced (5-8 years)

Certification Org Type Cost Why It Fits
GCIH (GIAC Certified Incident Handler) SANS/GIAC Practical ~$999 (exam) + ~$8,500 (SEC504) Understand incident response to produce better intel for responders.
GREM (GIAC Reverse Engineering Malware) SANS/GIAC Practical ~$999 (exam) + course Analyze threat actor tools at the code level. Deep technical CTI.
OSINT Certifications Various Mixed $500-2,000 OSINT skills for open-source intelligence collection.

Neurodivergent Note: At this level, specialize based on interest: technical CTI (GREM), operational CTI (GCIH), or strategic intelligence. Your special interest should guide this choice.


Level 16-20: Mastery (8+ years)

Certification Org Type Cost Why It Fits
CISSP ISC² Multiple Choice ~$749 Strategic credibility. Opens doors to leadership and advisory roles.
CISM ISACA Multiple Choice ~$575 (member) Security management. If leading CTI teams is your goal.

🛠️ Your Toolkit

Primary Weapons

Tool Type What It Does Link
MITRE ATT&CK Framework Adversary behavior framework. Common language for TTPs. Essential. attack.mitre.org
MISP Platform Threat intelligence sharing platform. IOC correlation, sharing, enrichment. misp-project.org
OpenCTI Platform Open-source threat intelligence platform. Graph-based analysis, STIX2 native. opencti.io

Intelligence Platforms

Tool Purpose Link
TheHive Incident and threat intel management thehive-project.org
Maltego Visual link analysis. Connect entities across investigations. maltego.com
Recorded Future Commercial threat intel platform (industry leading) recordedfuture.com
Mandiant Advantage Threat intelligence from incident response leaders mandiant.com

OSINT Tools

Tool Purpose Link
Shodan Internet-connected device search. Find adversary infrastructure. shodan.io
Censys Internet asset search. Alternative to Shodan. censys.io
SpiderFoot Automated OSINT collection spiderfoot.net
Hunchly Web capture for OSINT investigations hunch.ly
OSINT Framework Collection of OSINT tools organized by category osintframework.com

Threat Data Sources

Source Purpose Link
VirusTotal Malware and URL intelligence virustotal.com
URLhaus Malicious URL database urlhaus.abuse.ch
MalwareBazaar Malware sample sharing bazaar.abuse.ch
ThreatFox IOC sharing platform threatfox.abuse.ch
AlienVault OTX Open threat exchange otx.alienvault.com

Fun Tools from Awesome Lists

Source: awesome-threat-intelligence

Tool What It Does
YETI Your Everyday Threat Intelligence platform
CRITs Collaborative Research Into Threats
IntelMQ Automated processing of security feeds
Harpoon OSINT CLI tool
TheHarvester Email and domain OSINT
Recon-ng Web reconnaissance framework

📚 Learning Resources

Free Resources

YouTube Channels:

  • SANS Cyber Defense - CTI methodology and case studies
  • Katie Nickels (Red Canary) - ATT&CK and threat intel
  • MITRE ATT&CK - Official technique breakdowns
  • Black Hills Information Security - Threat hunting and intel

Practice & Learning:

Essential Reading:


Books for Druids

Book Author Why Read It
Intelligence-Driven Incident Response Scott Roberts & Rebekah Brown CTI for incident response. Practical integration.
The Threat Intelligence Handbook Recorded Future Comprehensive CTI methodology. Free from Recorded Future.
Practical Threat Intelligence and Data-Driven Threat Hunting Valentina Costa-Gazcón Combining CTI with hunting. ATT&CK focused.
The Diamond Model Sergio Caltagirone et al. Core CTI analytical framework. Original paper.
Structured Analytic Techniques Richards Heuer & Randolph Pherson Intelligence analysis methodology from CIA.
Psychology of Intelligence Analysis Richards Heuer Cognitive biases in analysis. Free from CIA.

Podcasts

Podcast Why Listen
SANS Internet Storm Center Daily threat updates
Risky Business Weekly security news with intel context
Darknet Diaries Threat actor stories
The CyberWire Daily security intelligence briefing
Malicious Life Historical threat actor campaigns

🎓 SANS Courses for Druids

Course Cert Focus Best For
FOR578: Cyber Threat Intelligence GCTI Full CTI lifecycle and methodology Essential for all Druids
FOR508: Advanced IR & Threat Hunting GCFA Threat hunting informed by intel Operational CTI
FOR610: Reverse-Engineering Malware GREM Technical malware analysis Technical CTI
SEC487: Open-Source Intelligence (OSINT) GOSI OSINT collection and analysis Collection-focused CTI
SEC599: Defeating Advanced Adversaries GDAT Purple team with intel focus Understanding adversary perspective

🏆 Building Your Magic Items

Early Career Achievements:

  • Map a threat actor to MITRE ATT&CK
  • Produce your first threat intelligence report
  • Set up a MISP instance
  • Complete TryHackMe CTI path
  • Subscribe to and consume 5 threat intel feeds

Mid-Career Achievements:

  • Track a campaign across multiple reports
  • Earn GCTI certification
  • Present intelligence briefing to stakeholders
  • Contribute to threat intel sharing community
  • Build detection rules from CTI analysis

Senior Achievements:

  • Lead threat intel production for your organization
  • Publish original threat research
  • Speak at a CTI conference (FIRST, CTI Summit)
  • Mentor junior analysts
  • Shape organizational security priorities with strategic intel

🧭 Multiclassing Guide

Adding Ranger Levels (Threat Hunting)

Apply intelligence to active hunting:

  • Use CTI to develop hunt hypotheses
  • SANS FOR508 for hunt methodology
  • Convert intelligence into detection rules

“I don’t just produce intel—I hunt for the threats I track.”

Adding Monk Levels (Malware Analysis)

Track threat actors through their tools:

  • SANS FOR610 for malware reverse engineering
  • Attribute samples to threat actors through code analysis
  • Understand TTPs at the technical level

“I track threat actors through the fingerprints they leave in their malware.”

Adding Cleric Levels (Third-Party Risk)

Combine CTI with vendor risk assessment:

  • Assess vendor exposure to threat actors
  • Supply chain threat intelligence
  • Integrate CTI into procurement decisions

“I assess whether vendors are in the crosshairs of threats targeting our sector.”


💡 Neurodivergent Learning Strategies

For ADHD:

  • CTI’s variety helps—new actors, new campaigns, new geopolitics
  • Use breaking news and current events to maintain interest
  • Switch between collection, analysis, and production tasks
  • The “puzzle” of attribution captures hyperfocus

For Autism:

  • Frameworks (Diamond Model, Kill Chain, ATT&CK) provide satisfying structure
  • Build comprehensive personal databases of threat actors and TTPs
  • Deep-dive on specific threat actors or regions as special interests
  • Written report production plays to common strengths

For Both:

  • Pattern recognition across campaigns is your superpower
  • Long-term tracking of actors suits persistent focus
  • Research hyperfocus produces insights others can’t generate
  • Your attention to detail catches the infrastructure overlap

🎯 Not Sure If You’re a Druid?

Take the Character Creation Quiz to discover your cybersecurity class and get personalized recommendations!


📖 Continue Your Journey


“The adversary evolves. Your intelligence keeps defenders one step ahead.”