Roadmap

Threat Intelligence Analyst

The analyst who studies adversaries — tracking threat actors, analyzing attack campaigns, producing intelligence that helps the organization defend proactively rather than react after the fact.

OPTIMISTIC 18-24 monthsREALISTIC 2-4 years

Stage 00

Computer & IT Fundamentals

CTI analysts need to understand how attacks work at a technical level to assess their significance and produce actionable intelligence.

Computer Hardware

CPU, RAM, storage types — roles in a system
NIC and networking hardware fundamentals
Physical vs virtual machines

Number Systems

Binary, hexadecimal, decimal — reading and converting
Memory addresses, file hashes — hex literacy for malware and IOC analysis

How Operating Systems Work

Kernel vs user space, processes and threads
Memory management, file systems
System calls, boot process

Software Basics

How programs compile and execute — PE and ELF format basics
Services vs applications, environment variables

Virtualization

Type 1 vs Type 2 hypervisors — safe malware analysis environment
Snapshots — reverting sandboxed analysis environments

Resources

CS50 (Harvard, free)
Professor Messer CompTIA A+ (free YouTube)
TryHackMe Pre-Security path (free)

Stage 01

Operating Systems in Depth

Understanding OS internals enables CTI analysts to assess the technical significance of attacker techniques and accurately describe malware behavior.

Windows

Directory structure and attacker target locations
Registry hives — persistence keys (Run, Services, Tasks, IFEO, AppInit_DLLs)
Windows services, task scheduler, WMI subscriptions
PowerShell — execution, logging, obfuscation techniques
Windows Event Log — structure and key Event IDs for attack recognition
Windows artifacts — Prefetch, Shimcache, Amcache, MFT — what they record
Windows memory — LSASS, credential storage, injection targets
Windows security model — integrity levels, UAC, token privileges

Linux

Filesystem hierarchy and attacker-relevant locations
Terminal proficiency — investigation commands
Linux persistence — cron, systemd, authorized_keys, SUID, LD_PRELOAD
Log locations and content — auth.log, syslog, auditd
Process management and /proc filesystem

Resources

TryHackMe Windows Fundamentals 1/2/3 (free)
TryHackMe Linux Fundamentals 1/2/3 (free)
OverTheWire Bandit (free)

Stage 02

Networking Fundamentals

CTI analysts track attacker infrastructure — C2 servers, domains, IP ranges — and need networking depth to understand and pivot across this infrastructure.

OSI and TCP/IP

OSI Model — All 7 layers; functions and attack surface at each layer
TCP/IP — handshake, teardown, flags, ICMP, UDP

IP Addressing

IP addressing — subnetting, CIDR, private ranges, NAT, IPv6

Protocols

DNS — resolution, record types, zone transfers, DGA, tunneling
HTTP/HTTPS/TLS — headers, certificates, SNI, cipher suites
SMB, RDP, SSH, Kerberos, LDAP — lateral movement protocols
SMTP/IMAP — phishing infrastructure relevance
WHOIS, RDAP — infrastructure attribution tools
BGP basics — ASN, routing, IP block ownership

Network Infrastructure

Firewalls, proxies, DNS resolvers — defensive control context
Bulletproof hosting — infrastructure used by threat actors
Fast-flux DNS — infrastructure resilience technique used by C2 operators
Domain Generation Algorithms (DGA) — how they work, families that use them
CDN abuse — Cloudflare, CloudFront used to proxy C2 traffic

Certification

CompTIA Network+

Resources

Professor Messer Network+ (free YouTube)
TryHackMe networking modules

Stage 03

Security Fundamentals

The full security fundamentals foundation. CTI analysts must understand what they are tracking deeply enough to assess severity and produce accurate intelligence.

Core Security Concepts

CIA Triad, AAA, threat/vulnerability/risk
Authentication and cryptography — how each technique works and fails
Malware types — all categories with behavioral and infrastructure characteristics
Attack types — full catalog: phishing, BEC, ransomware, APT techniques, supply chain
Defensive controls — SIEM, EDR, SOAR, DLP, IDS/IPS, network segmentation
Frameworks — NIST CSF, MITRE ATT&CK, Cyber Kill Chain, Diamond Model
Compliance context — PCI-DSS, HIPAA, GDPR, CCPA, CMMC — regulatory environment CTI supports
Vulnerability management — CVE format, CVSS scoring, KEV (Known Exploited Vulnerabilities catalog)

Certification

CompTIA Security+

Resources

Professor Messer Security+ SY0-701 (free YouTube)
Jason Dion Security+ (Udemy)

Stage 04

Intelligence Tradecraft

CTI is an intelligence discipline, not just a security skill. Understanding how to produce, assess, and communicate intelligence is the core competency that separates CTI analysts from security generalists.

Intelligence Fundamentals

What intelligence is — processed information that supports decision-making
Intelligence cycle — Direction, Collection, Processing, Analysis, Dissemination, Feedback
Intelligence types — Strategic (board reports), Operational (campaigns), Tactical (IOCs), Technical (malware/exploits)
Intelligence requirements (IRs) and Priority Intelligence Requirements (PIRs)
Collection plan — identifying sources for each intelligence requirement

Analytical Methods

Analysis of Competing Hypotheses (ACH) — systematically evaluating multiple explanations
Key Assumptions Check — identifying and challenging unstated assumptions
Devil's Advocacy — deliberately arguing against the prevailing assessment
Red Team Analysis — adopting the adversary's perspective
Estimative language — "almost certainly" (>95%), "likely" (55–80%), "possibly" (25–55%), "unlikely" (<25%)
NATO Admiralty Code — source reliability (A-F) and information credibility (1-6)
TLP (Traffic Light Protocol) 2.0 — WHITE/CLEAR, GREEN, AMBER, AMBER+STRICT, RED
BLUF (Bottom Line Up Front) — conclusion first, then supporting evidence
Confidence levels — high vs low confidence vs certain vs uncertain

Attribution

What attribution means — geographic, organizational, individual levels
Technical attribution — infrastructure, code similarity, TTP overlap with known groups
Attribution challenges — false flags, shared tooling, infrastructure reuse
Naming conventions — APT28 = Fancy Bear = Sofacy = Pawn Storm = Sednit
Why attribution is often overconfident — the attribution problem
Responsible attribution — what level of confidence justifies a public claim

Intelligence Sources — OSINT

Search engines — Google, Bing, DuckDuckGo, Yandex advanced operators
Social media — Twitter/X, LinkedIn, Telegram, forums, paste sites
Code repositories — GitHub, GitLab, Pastebin (leaked credentials, malware source, C2 configs)
News and vendor reports — vendor threat reports, CVE announcements, breach disclosures
Government sources — CISA, FBI flash alerts, NSA/NCSC, ENISA
Vendor reports — Mandiant M-Trends, CrowdStrike Global Threat Report, Verizon DBIR, Unit 42, Secureworks CTU, SentinelLabs, Recorded Future, Proofpoint TAP

Intelligence Sources — TECHINT

Malware samples — MalwareBazaar, VirusTotal, ANY.RUN, Hybrid Analysis
Threat feeds — abuse.ch (URLhaus, MalwareBazaar, ThreatFox), AlienVault OTX, Cisco Talos, Recorded Future
Passive DNS — SecurityTrails, DNSDB, RiskIQ — historical resolution data
Certificate transparency — crt.sh — attacker infrastructure discovery
Shodan — internet-exposed infrastructure, C2 server identification
Censys — internet scan data, certificate and protocol analysis
GreyNoise — mass internet scanner vs targeted attacker distinction

HUMINT and Dark Web

HUMINT sources — industry sharing groups, ISACs, trusted colleague networks
Understanding .onion routing — Tor network basics
Dark web forums — RaidForums successors, Russian-language XSS/Exploit/RAMP, BreachForums
Ransomware leak sites — victim listings, data samples
Initial access broker markets — compromised credentials and network access for sale
Safe monitoring practices — operational security, isolated VMs, Tor browser
Commercial dark web monitoring — Recorded Future, Flashpoint, DarkOwl, SpyCloud

Resources

SANS FOR578 (Cyber Threat Intelligence) course materials where available
MITRE ATT&CK website (free)
CISA advisories (cisa.gov, free)
TryHackMe Threat Intelligence rooms (free)

Stage 05

MITRE ATT&CK — Operational Mastery

ATT&CK is the operating language of CTI. Mastery at this depth is required before producing intelligence that is useful to detection and response teams.

ATT&CK Enterprise Matrix — Tactics

All 14 Tactics — purpose and defensive significance of each
Initial Access — T1566 Phishing, T1190 Exploit Public-Facing App, T1133 External Remote Services, T1195 Supply Chain Compromise
Execution — T1059 Command/Scripting Interpreter sub-techniques, T1047 WMI, T1053 Scheduled Task
Persistence — T1543 Create or Modify System Process, T1547 Boot/Logon Autostart, T1505 Server Software Component
Privilege Escalation — T1068, T1055 Process Injection, T1134 Access Token Manipulation
Defense Evasion — T1027 Obfuscated Files, T1036 Masquerading, T1070 Indicator Removal, T1562 Impair Defenses
Credential Access — T1003 OS Credential Dumping, T1110 Brute Force, T1558 Steal/Forge Kerberos Tickets
Lateral Movement — T1021 Remote Services, T1550 Use Alternate Authentication Material (PTH/PTT)
Collection — T1560 Archive Collected Data, T1005 Data from Local System, T1114 Email Collection
Command and Control — T1071 App Layer Protocol, T1095 Non-App Layer, T1572 Protocol Tunneling, T1573 Encrypted Channel
Exfiltration — T1048 Exfil Over Alternative Protocol, T1041 Exfil Over C2 Channel
Impact — T1486 Data Encrypted, T1490 Inhibit Recovery, T1485 Data Destruction
Sub-technique specifics — T1059.001 (PowerShell) vs T1059.003 (cmd) matters for detection
Data sources per technique — what logs and artifacts each produces
Detection recommendations per technique — what controls catch it
Mitigations per technique — what prevents it

ATT&CK Beyond Enterprise

ATT&CK for ICS — 12 tactics covering industrial control system attack patterns
ATT&CK for Mobile — iOS and Android specific techniques
PRE-ATT&CK concepts — reconnaissance and resource development (now in Enterprise)

Threat Actor Profiles

APT28 (Fancy Bear, Sofacy) — Russian GRU Unit 26165; targets gov/military/NATO/elections; spearphishing, X-Agent, VPNFilter
APT29 (Cozy Bear, Midnight Blizzard) — Russian SVR; SolarWinds; living-off-the-land, OAuth token theft, MagicWeb, FOGGYWEB
APT41 — Chinese MSS dual espionage + financial; targets healthcare/telecom/tech/gaming; supply chain, CVE exploitation, MESSAGETAP
Lazarus Group (HIDDEN COBRA) — North Korean RGB Bureau 121; targets financial/crypto/defense; SWIFT attacks, BLINDINGCAN, HOTCROISSANT, WannaCry
FIN7 (Carbanak) — financially motivated; retail/hospitality/POS; Cobalt Strike, JSSLoader, elaborate spearphishing
FIN11 / Clop — ransomware; MO-OP; Clop ransomware; GoAnywhere and MOVEit zero-days
BlackCat/ALPHV — RaaS; Rust-based ransomware; triple extortion; affiliate program
LockBit — largest RaaS by volume; LockBit 3.0; affiliate disputes and disruption
Scattered Spider / UNC3944 — social engineering specialists; MFA bypass, SIM swapping; MGM/Caesars compromise
Volt Typhoon — Chinese APT; US critical infrastructure pre-positioning; living-off-the-land only
Using ATT&CK Navigator group overlays — visualizing which techniques each group uses
Tracking actor TTPs over time — infrastructure reuse, tooling evolution, targeting shifts

MITRE Frameworks Beyond ATT&CK

D3FEND — defensive technique taxonomy, pairing with ATT&CK for defensive gap analysis
MITRE ENGAGE — adversary engagement framework — honeypots, deception operations
MITRE ATLAS — adversarial threats to AI/ML systems

Resources

MITRE ATT&CK website (attack.mitre.org, free)
ATT&CK Navigator (free)
Threat actor group pages (free)
CrowdStrike Global Threat Report (free)
Mandiant M-Trends (free)
Unit 42 Threat Reports (free)

Stage 06

Threat Intelligence Platforms & Standards

CTI analysts manage the platforms that collect, organize, and distribute intelligence. MISP and OpenCTI are the primary open-source options.

STIX 2.1

STIX Domain Objects (SDOs) — Attack Pattern, Campaign, Course of Action, Identity, Indicator, Intrusion Set, Malware, Threat Actor, Tool, Vulnerability, Infrastructure, Location
STIX Cyber Observable Objects (SCOs) — Domain, Email, File w/hashes, IPv4/v6, Network Traffic, Process, URL, User Account, Registry Key, X509 Certificate
STIX Relationship Objects (SROs) — uses, attributed-to, targets, indicates, mitigates
STIX Bundle — packaging multiple objects for sharing
Indicator pattern language — [ipv4-addr:value = '1.2.3.4'], [file:hashes.'SHA-256' = 'abc...'], [domain-name:value = 'evil.com']
Comparing STIX 2.0 vs 2.1 — key changes (SCO observation, language updates)

TAXII 2.1

API roots, collections, discovery endpoint
GET /collections/ — listing available feeds
GET /collections/{id}/objects/ — pulling indicators
POST /collections/{id}/objects/ — pushing intelligence
Using TAXII with MISP and OpenCTI for automated feed ingestion

MISP

Event structure — event date, threat level, analysis state, distribution
Attributes — type:value pairs (ip-dst, domain, md5, email-src, url, filename), categories, to_ids flag
Objects — structured groups of related attributes (file, email, network connection)
Galaxies — MITRE ATT&CK, threat actors, ransomware, malware families, country clusters
Tags — TLP, PAP, workflow state, custom organizational tags
Sharing groups — controlling which organizations receive an event
Correlation — automatic indicator correlation across events
Feeds — CIRCL OSINT, abuse.ch, AlienVault OTX, Botvrij.eu, ISAC feeds
Export formats — MISP JSON, STIX 2.1, OpenIOC, CSV, Snort/Suricata rules, YARA
API and PyMISP — programmatic event creation, attribute search, bulk operations
Sightings — reporting when an IOC is observed in your environment
Warning lists — known-good values that prevent false-positive alerts

OpenCTI

Data model — STIX 2.1 native, entity relationship graph
Entity types — Threat Actors, Intrusion Sets, Campaigns, Malware, Tools, Attack Patterns, Indicators, Observables, Infrastructure
Relationships — linking entities; types match STIX SROs
Investigation view — graphical relationship exploration
Knowledge base — structured intelligence repository
Streams — real-time data push to consumers
Connectors — MITRE ATT&CK, abuse.ch (URLhaus, MalwareBazaar, ThreatFox), MISP bidirectional, Shodan, VirusTotal, SIEM export (Splunk, Elastic, Sentinel)
Dashboard — custom widgets for threat landscape visualization
Reports — publishing finished intelligence products within OpenCTI

Commercial TIPs

Recorded Future — predictive intelligence, dark web monitoring, browser extension IOC lookup, API integration
Anomali ThreatStream — enterprise TIP, ISAC integration, analyst portal
ThreatConnect — TIP + SOAR combined, playbook-driven intelligence operationalization
Intel 471 — underground intelligence, actor profiling, marketplace monitoring
Mandiant Advantage — curated threat actor profiles, vulnerability intelligence, breach analytics
Flashpoint — dark web and technical intelligence, ransomware tracking

Resources

MISP project documentation (misp-project.org, free)
OpenCTI documentation (docs.opencti.io, free)
STIX 2.1 specification (oasis-open.org, free)
TryHackMe MISP room (free)
TryHackMe OpenCTI room (free)

Stage 07

OSINT & Infrastructure Analysis

CTI analysts track adversary infrastructure — finding C2 servers, identifying malware distribution networks, and pivoting across attacker-controlled assets.

OSINT Foundations

OSINT framework — osintframework.com — comprehensive taxonomy of OSINT sources
OPSEC for OSINT — sock puppet accounts, isolated VMs, Tor/VPN; legal and ethical boundaries
Search operator mastery — site:, filetype:, intitle:, inurl:, exclusions, date ranges
Google Dorking — finding exposed configs, credential leaks, sensitive documents
Shodan mastery — basic searches, filters (before/after, asn, net, geo), C2 framework dorks, favicon hashing, certificate search, historical data
Censys — TLS certificate analysis, protocol version scanning, service detection
GreyNoise — mass internet scanner context for IOC triage
crt.sh — certificate transparency log search; pivoting via shared certificates; tracking provisioning timing
Wayback Machine — archived versions of attacker websites, C2 panels, phishing pages
Passive DNS — SecurityTrails, DNSDB, RiskIQ PassiveTotal; historical resolutions; subdomain enumeration; infrastructure pivot
BGP and ASN analysis — bgp.he.net, ipinfo.io, RIPEstat — IP block ownership, routing history

Malware Infrastructure Analysis

Cobalt Strike fingerprinting — default TLS certs, JARM fingerprint, Malleable C2 profiles, specific HTTP headers and URI patterns
Metasploit — default staging certificate, meterpreter communication patterns
Sliver — TLS certificate patterns, implant communication signatures
Havoc — newer C2 framework, increasing adoption by threat actors
Brute Ratel C4 — commercial C2 used by nation-state actors
Domain age — newly registered domains higher risk; check creation vs first seen in attacks
Registrar patterns — Namecheap, domains.google, Porkbun for bulletproof
Registrant data — WHOIS privacy services vs exposed registrant details
Typosquatting analysis — identifying domains mimicking legitimate brands
DGA analysis — recognizing algorithmically generated domain patterns
Domain categorization — how proxy/DNS filters categorize a domain; miscategorization as legitimate
Hosting provider context — DigitalOcean, Vultr, Hetzner, Linode commonly used by threat actors
Bulletproof hosting — Shinjiru, ColoCrossing, specific ASNs
Shared hosting context — multiple sites on one IP, one malicious actor among legitimate
Geolocation accuracy — IP geolocation is approximate, VPN/proxy context
Infrastructure clustering — shared TLS certs, common HTTP headers, identical favicon hashes, similar open ports, common URL paths

Tools

Maltego — visual link analysis, automated pivoting via transforms (domain→IP, IP→registrant, domain→cert, person→social media)
SpiderFoot — automated OSINT collection and correlation across dozens of sources
theHarvester — email, domain, subdomain, host, name harvesting
Recon-ng — modular OSINT framework, workspace management, module ecosystem
Amass — in-depth DNS enumeration, ASN discovery, CIDR sweep
DNSdumpster — DNS recon and visualization
FOCA — metadata extraction from public documents

Resources

TryHackMe OSINT rooms (free)
OSINT Framework (osintframework.com, free)
Shodan free tier
crt.sh (free)
SecurityTrails free tier
Maltego community edition (free)
SpiderFoot HX community (free)

Stage 08

Malware Analysis for CTI

CTI analysts extract intelligence from malware samples — identifying threat actor TTPs, C2 infrastructure, and targeting indicators without needing full reverse engineering capability.

Static Analysis for CTI

File identification and hashing — md5sum, sha256sum, CertUtil, ssdeep (fuzzy hashing for variant identification)
PEStudio — imports, exports, strings, metadata, VirusTotal detection ratio
PEview — manual PE section inspection
DIE (Detect-It-Easy) — packer, compiler, protector identification
Exiftool — metadata extraction from all file types
strings command — extracting printable strings
FLOSS (FLARE Obfuscated String Solver) — extracting obfuscated and stack strings
String targets — C2 URLs/IPs, registry keys, file paths, mutex names, error messages, debug strings, PDB paths
Import analysis network — WS2_32.dll (sockets), WinInet.dll (HTTP), WinHTTP.dll
Import analysis crypto — CryptEncrypt, CryptGenRandom, BCryptEncrypt (ransomware indicators)
Import analysis injection — VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, NtCreateThreadEx
Import analysis credentials — LsaEnumerateLogonSessions, SamQueryInformationUser
Import analysis evasion — IsDebuggerPresent, CheckRemoteDebuggerPresent, VirtualProtect
Code signing analysis — Authenticode validation, stolen/self-signed/expired certs, certificate pivoting
YARA rules — string-based, hex pattern, condition logic; running yara, VirusTotal YARA hunt, LOKI scanner

Dynamic Analysis for CTI

Any.run — interactive analysis, process tree, network connections, file drops, registry changes
Hybrid Analysis — automated report, IOC extraction, ATT&CK mapping
Joe Sandbox — most detailed automated analysis
Triage (Hatching) — rapid triage sandbox, free community tier
IOC extraction — network: C2 IPs, domains, URLs, User-Agent, URI path patterns
IOC extraction — host: dropped files/hashes, registry persistence keys, service names, mutex names, scheduled tasks
IOC extraction — behavioral: process injection, credential access, defense evasion indicators
ATT&CK mapping from sandbox — validating automated mapping, adding missed techniques
Safe sandbox environment — isolated VM with snapshot (REMnux, FlareVM)
INetSim — simulating internet services locally (DNS, HTTP, SMTP) to capture C2 traffic
FakeDNS — resolving all domains to analysis host
Wireshark — capturing all network traffic during detonation
Procmon, Process Explorer, Regshot — monitoring system changes during execution

Malware Families CTI Analysts Track

Commodity loaders — QakBot (dismantled 2023), IcedID, Emotet, BazarLoader, Bumblebee — initial access for ransomware
RATs — AsyncRAT, NjRAT, Remcos, QuasarRAT — persistence and surveillance
Information stealers — RedLine, Raccoon, Vidar, Aurora — credential and browser data theft
Ransomware families — LockBit 3.0, BlackCat/ALPHV, Cl0p, BlackSuit, Rhysida — operator TTPs, RaaS models, negotiation patterns
C2 frameworks — Cobalt Strike (most common), Metasploit, Sliver, Havoc, Brute Ratel
Wipers — AcidRain, HermeticWiper, CaddyWiper — nation-state destructive capability
Tracking malware evolution — versioning, new capabilities, detection evasion updates

Resources

Any.run (free community tier)
Hybrid Analysis (free)
MalwareBazaar (free samples)
REMnux (free malware analysis distro)
FlareVM (free Windows analysis VM)
TryHackMe Malware Analysis rooms
YARA documentation (free)
Valhalla YARA rules (Nextron Systems, community free tier)

Stage 09

Intelligence Production & Dissemination

CTI analysts produce finished intelligence products that drive decisions. Writing clearly and structuring intelligence for different audiences is the output that justifies the role.

Intelligence Report Types

Strategic reports — audience CISO/board/executives; annual threat landscape, industry briefing, emerging tech analysis; 2–10 pages, business impact focused
Operational reports — security leadership/IR team leads; campaign update, exploitation advisory, pre-incident briefing; 1–3 pages, moderate technical
Tactical reports — SOC analysts/detection engineers; new malware family with IOCs and detection, active campaign IOC package, vuln intel; heavy technical detail
Flash reports — SOC/IR teams; breaking threat notification within hours; new high-severity CVE; new ransomware variant; 1 page maximum

Writing Intelligence Products

BLUF structure — conclusion and key action first, always
Confidence language — matching words to probability levels consistently
Sourcing — attributing claims to specific intelligence sources, noting source limitations
Avoiding analytical bias — confirming hypotheses too quickly, mirror imaging, anchoring
Audience calibration — same event requires different language for SOC analyst vs CFO
Caveats and uncertainty — explicitly noting what you do not know
Avoiding technical jargon without explanation for non-technical audiences
Intelligence vs raw data — IOCs with context, confidence, expiry, recommended action vs raw IOCs

IOC Management

IOC lifecycle — creation, confidence assessment, expiry, retirement
Confidence scoring — how confident that an IOC is malicious, not just shared
Expiry — IPs and domains have short shelf lives; stale IOCs generate false positives
PAP (Permissible Actions Protocol) — WHITE, GREEN, AMBER, RED — what analysts can do
IOC deduplication and normalization — CIDR notation, domain lowercasing, hash format
FP risk assessment — widely-used shared infrastructure (Cloudflare, CDN ranges) must not be blocked without context

Dissemination

ISACs — FS-ISAC, H-ISAC, Auto-ISAC, MS-ISAC, E-ISAC — sector-specific sharing
ISAOs — sector-agnostic sharing organizations
FIRST (Forum of Incident Response and Security Teams) — global sharing community
InfraGard — FBI public-private partnership
Briefing delivery — verbal intel briefings for SOC, tabletop exercises, leadership briefings
SIEM/EDR integration — pushing IOCs to blocklists, Splunk lookups, Sentinel watchlists, CrowdStrike custom IOCs

Resources

SANS CTI Summit talks (many free on YouTube)
Jon Friedman and Mark Bouchard intelligence writing resources
CISA threat reports (free)
Mandiant/CrowdStrike/Secureworks public threat reports (free annual reports)
TryHackMe Cyber Threat Intelligence room

Stage 10

Scripting & Automation for CTI

CTI analysts use Python to automate feed ingestion, IOC enrichment, report generation, and platform management.

Python for CTI

Python fundamentals — variables, types, conditions, loops, functions, error handling, file I/O
Requests library — REST API calls to VirusTotal, Shodan, Censys, MISP, OpenCTI
JSON handling — parsing API responses, extracting nested fields
CSV/Excel handling — pandas basics for IOC list processing
Regex (re module) — extracting IOCs from unstructured text (emails, reports, paste sites)
Bulk IOC enrichment — read CSV, query VirusTotal, write enriched output with detection ratio, malware family, last seen
MISP event creator — read IOCs from CSV, create MISP event with tags and attributes via PyMISP
Feed aggregator — pull from multiple TAXII feeds, deduplicate, normalize, output to SIEM lookup
Threat report IOC extractor — regex extraction of IPs, domains, hashes, URLs from PDF or text
Shodan C2 hunter — search for specific C2 framework fingerprints, output new infrastructure
Passive DNS lookup — query SecurityTrails for historical resolutions, pivot to related infrastructure
Stale IOC cleaner — flag IOCs older than threshold for review and expiry

PyMISP

Authentication — API key setup
Creating events — event object, threat level, analysis state, distribution
Adding attributes — type, value, category, to_ids, comment
Adding tags — TLP, PAP, Galaxy clusters
Searching attributes — by type, value, timestamp
Exporting to STIX — misp.get_event() with STIX output parameter
Batch operations — bulk attribute creation from IOC list

API Integrations

VirusTotal API v3 — file, URL, domain, IP endpoints; quota management; relationship graph API
Shodan API — host info, search, DNS, certificates
Censys API v2 — hosts, certificates search
SecurityTrails API — domains, IPs, history
GreyNoise API — community API for IP context
MISP REST API — events, attributes, objects, galaxies, tags
AbuseIPDB API — check IP, report IP

Resources

PyMISP documentation (github.com/MISP/PyMISP, free)
VirusTotal API documentation (free tier)
Shodan API documentation (free tier)
Automate the Boring Stuff with Python (free)
TryHackMe Python basics rooms

Stage 11

Hands-On Practice & Portfolio

CTI is a research discipline — your published analysis, MISP contributions, and documented methodology demonstrate capability.

Practice Platforms

TryHackMe — Cyber Threat Intelligence path, MISP room, OpenCTI room, Threat Hunting rooms
HTB Academy — Threat Hunting module, DFIR track for investigation depth
CyberDefenders — network and endpoint investigations providing raw artifacts for CTI analysis practice
AttackIQ Academy — ATT&CK defender training (free)
Cybrary CTI courses — free tier available

Home Lab for CTI

MISP instance — deploy via Docker on home server or cloud VM; ingest free feeds; create practice events
OpenCTI instance — deploy with docker-compose; configure ATT&CK and abuse.ch connectors
REMnux + FlareVM — safe malware analysis environment
INetSim — internet service simulation for sandboxed malware analysis
Wireshark + Any.run — combined static and dynamic analysis workflow practice
Practice malware samples — MalwareBazaar tagged samples (NEVER run outside isolated sandbox)

What to Document on LabList

Threat intelligence reports authored — strategic, operational, and tactical samples with methodology notes
Malware family analysis writeups — IOC extraction process and ATT&CK mapping
Infrastructure analysis posts — documenting pivot chain from IOC to C2 cluster identification
YARA rules written — with explanation of what they detect and why
MISP event examples — structured intelligence with tagging and distribution markings
Cert progression — Security+ → CySA+ → GCTI documented with context
Platform completions — TryHackMe CTI path, MISP and OpenCTI rooms with notes

FAQ

Common questions

How long does it take to become a Threat Intelligence Analyst?

18–24 months optimistic at 20–25 hours/week, 2–4 years realistic. CTI typically requires 1–2 years in a SOC or security analyst role first because operational security depth — understanding how attacks actually work — is required before you can meaningfully analyze them. CTI adds research, writing, intelligence tradecraft, and platform management on top of operational security depth. Pure self-taught paths exist but rarely match SOC-experience-plus-CTI-specialization candidates.

Which certifications matter for CTI roles?

GCTI (GIAC Cyber Threat Intelligence) is the most-listed CTI cert by significant margin and maps to SANS FOR578. CySA+ as baseline. EC-Council CTIA appears less frequently but consistently. MITRE ATT&CK Defender (MAD) is emerging. CTI tradecraft (structured analytical techniques, estimative language, confidence levels) distinguishes CTI analysts from security analysts who 'also look at threat intel.'

Do I need a degree?

Helpful but not required. Self-taught CTI analysts with published threat actor profiles, malware analysis writeups, or infrastructure pivot chains compete effectively. Foreign language capability (Russian, Chinese, Farsi) is a significant differentiator in government and advanced commercial CTI roles. What you do need: prior security operations experience, deep MITRE ATT&CK knowledge, OSINT and infrastructure analysis skills, and clear written communication.

What separates a hired Threat Intelligence Analyst?

Published threat intelligence work. A blog post, threat actor profile, or malware analysis write-up publicly available demonstrates real-world production capability. Other differentiators: ATT&CK fluency under pressure (mapping artifacts to specific technique IDs in interview), OSINT pivot chain documentation, and platform experience (deployed and managed MISP or OpenCTI). CTI is a specialized and growing field commanding above-average compensation.

Threat Intelligence Analyst

Common questions

Related roles