Will AI Replace Cryptologic Cyberspace Analyst Jobs?

Also known as: Cryptologic Analyst

Mid-Level | Military Intelligence | Live Tracked: This assessment is actively monitored and updated as AI capabilities change.
YELLOW (Urgent): 40.6/100

Score at a Glance

  • Overall: 40.6/100 (TRANSFORMING)
  • Task Resistance: 3.00/5. How resistant daily tasks are to AI automation. 5.0 = fully human, 1.0 = fully automatable.
  • Evidence: +2/10. Real-world market signals: job postings, wages, company actions, expert consensus. Range -10 to +10.
  • Barriers to AI: 8/10. Structural barriers preventing AI replacement: licensing, physical presence, unions, liability, culture.
  • Protective Principles: 3/9. Human-only factors: physical presence, deep interpersonal connection, moral judgment.
  • AI Growth: 0/2. Does AI adoption create more demand for this role? 2 = strong boost, 0 = neutral, negative = shrinking.

Score Composition (40.6/100): Task Resistance (50%), Evidence (20%), Barriers (15%), Protective (10%), AI Growth (5%)

Where This Role Sits (0 = At Risk, 100 = Protected): Cryptologic Cyberspace Analyst (Mid-Level): 40.6

This role is being transformed by AI. The assessment below shows what's at risk — and what to do about it.

Barriers are propping up the score — SCIF requirements, air-gapped networks, and intelligence oversight laws buy 5-10 years. But 65% of task time scores 3+ as AI deploys to classified cyber operations networks. Adapt within 3-7 years.

Role Definition

| Field | Value |
|---|---|
| Job Title | Cryptologic Cyberspace Analyst (MOS 35Q — Cryptologic Cyberspace Intelligence Collector/Analyst) |
| Seniority Level | Mid-Level |
| Primary Function | Collects, analyzes, and exploits signals intelligence from cyberspace environments. Performs network traffic analysis, technical SIGINT exploitation, cyber threat identification, and target attribution within digital networks. Creates intelligence products for CYBERCOM, NSA, and tactical intelligence consumers. Works exclusively in classified SCIF environments on air-gapped networks. US Army MOS 35Q (Skill Level 2-3), NSA civilian equivalent, or defense contractor with TS/SCI. |
| What This Role Is NOT | Not a traditional SIGINT Analyst (35N) who focuses on RF/ELINT signals collection. Not a Cyber Operations Specialist (17C) who conducts offensive/defensive cyber operations. Not an all-source intelligence analyst who fuses across all INT disciplines. Not a network engineer who builds infrastructure. |
| Typical Experience | 4-8 years. E-5/E-6 military or GS-11/12 civilian. TS/SCI with CI or Full-Scope Polygraph. 26-week AIT at NAS Pensacola Corry Station plus additional cyber-specific training. |

Seniority note: Junior collectors (E-3/E-4, 0-3 years) who passively operate automated data processing equipment and log digital intercepts would score deeper Yellow or borderline Red — their collection tasks are the first to automate. Senior cyber intelligence leads (E-7+, GS-13+) who own collection strategy, cross-INT fusion, and cyber mission command would score Green (Transforming).


Protective Principles + AI Growth Correlation

Human-Only Factors: Embodied Physicality (no physical presence needed); Deep Interpersonal Connection (some human interaction); Moral Judgment (significant moral weight). AI Effect on Demand: no effect on job numbers. Protective Total: 3/9.

| Principle | Score (0-3) | Rationale |
|---|---|---|
| Embodied Physicality | 0 | Desk-based digital analysis inside a SCIF. No physical trade skills. The SCIF and air-gapped networks are physical barriers to AI deployment, but the analyst's work is entirely digital. |
| Deep Interpersonal Connection | 1 | Some collaboration with cyber operations teams, HUMINT, and tactical units. Briefings to commanders on cyber threats. But the core value is technical analytical capability, not relational. |
| Goal-Setting & Moral Judgment | 2 | Significant judgment on cyber target prioritization, attribution confidence levels, and threat assessment. Must interpret ambiguous network activity in operational and geopolitical context. Distinguishing legitimate network behaviour from adversary activity in denied environments requires adversarial thinking and contextual reasoning. |
| Protective Total | 3/9 | |
| AI Growth Correlation | 0 | Neutral. Expanding cyberspace attack surface creates more signals and network traffic to analyze, but AI simultaneously automates network traffic classification, anomaly detection, and initial threat identification. Net effect on cyberspace analyst headcount is roughly neutral — more work exists, but AI handles more of it per analyst. |

Quick screen result: Protective 3 + Correlation 0 = Likely Yellow Zone (proceed to quantify).


Task Decomposition (Agentic AI Scoring)

Work Impact Breakdown: 40% Displaced, 55% Augmented, 5% Not Involved

| Task | Time % | Score (1-5) | Weighted | Aug/Disp | Rationale |
|---|---|---|---|---|---|
| Network traffic analysis & SIGINT exploitation | 25% | 3 | 0.75 | AUGMENTATION | AI excels at deep packet inspection, flow analysis, and anomaly detection at network scale. But interpreting what anomalous traffic means — distinguishing adversary C2 from legitimate CDN behaviour, identifying novel exfiltration techniques, understanding adversary operational security — requires human cyber tradecraft and adversarial thinking. AI processes volume; human identifies intent. |
| Cyberspace threat identification & attribution | 20% | 2 | 0.40 | AUGMENTATION | Attributing cyber activity to specific nation-state actors requires correlating technical indicators with geopolitical context, understanding adversary TTPs across campaigns, and assessing confidence levels for intelligence consumers. AI assists with indicator correlation but attribution judgment — especially in false-flag and denial-and-deception scenarios — remains deeply human. CYBERCOM's AI task force is building tools to assist, not replace. |
| Technical SIGINT collection & processing | 15% | 4 | 0.60 | DISPLACEMENT | Automated collection systems handle bulk digital signal intercept and initial processing. ML-based signal classifiers sort, tag, and prioritize collected data. Analyst configures collection tasking parameters but the system collects and processes. CYBERCOM's FY2026 AI program specifically targets automating data processing in cyber operations. |
| Intelligence reporting & product creation | 15% | 4 | 0.60 | DISPLACEMENT | Structured SIGINT reports and cyber threat products follow rigid templates and classification frameworks. AI generates drafts from structured data. Human reviews for classification markings, source protection, and analytical confidence assessments. Template-driven portions are displacement-dominant. |
| Database/tool maintenance & data correlation | 10% | 4 | 0.40 | DISPLACEMENT | Maintaining analytical databases, correlating network indicators across time and target, updating operational working aids. AI handles data fusion and correlation faster than humans. CYBERCOM's new AI program aims to develop core data standards to curate and tag collected data for ML integration — directly automating this task. |
| Cyber mission coordination & ISR synchronization | 10% | 2 | 0.20 | AUGMENTATION | Coordinating collection priorities across cyber platforms, deconflicting with other INT disciplines, synchronizing with offensive/defensive cyber operations. Requires understanding commander's intent, cross-team negotiation, and real-time reprioritization during cyber operations. AI assists scheduling; human owns the judgment. |
| Mentoring & quality assurance | 5% | 1 | 0.05 | NOT INVOLVED | Teaching junior analysts cyber tradecraft, reviewing products for accuracy, ensuring analytical rigour in a classified team environment. Irreducibly human. |
| Total | 100% | | 3.00 | | |

Task Resistance Score: 6.00 - 3.00 = 3.00/5.0

Displacement/Augmentation split: 40% displacement, 55% augmentation, 5% not involved.

Reinstatement check (Acemoglu): Yes. AI creates new tasks: validating AI-generated cyber threat assessments, tuning ML classifiers for novel network attack signatures, conducting AI-assisted cyber campaign analysis, and assessing adversary use of AI in cyber operations. The role transforms toward AI-human teaming in cyberspace, not disappearing.


Evidence Score

Market Signal Balance: +2/10 (Job Posting Trends +1, Company Actions +1, Wage Trends 0, AI Tool Maturity 0, Expert Consensus 0)

| Dimension | Score (-2 to 2) | Evidence |
|---|---|---|
| Job Posting Trends | 1 | Active hiring for cleared cyberspace analysts across ClearanceJobs, USAJOBS, and IC Candidate Portal. Persistent TS/SCI workforce shortage drives demand. CYBERCOM force generation expanding — Cybercom 2.0 initiative signals growth in cyber intelligence billets. National Guard actively recruiting 35Q positions. |
| Company Actions | 1 | CYBERCOM allocated $5M in FY2026 budget for new "Artificial Intelligence for Cyberspace Operations" program housed within CNMF. Pentagon awarded $200M+ in frontier AI contracts (2025). CACI, Booz Allen, Leidos hiring cyberspace intelligence analysts. No reports of cyber analyst layoffs citing AI. Investment signals AI tools for analysts. |
| Wage Trends | 0 | MOS 35Q compensation follows standard military pay tables by rank and time in service. Selective retention bonuses up to $40K available as incentive. Civilian equivalents (NSA, contractors) command TS/SCI premium. However, no wage acceleration specific to this MOS beyond the broader cleared workforce trend. |
| AI Tool Maturity | 0 | CYBERCOM's AI task force (est. 2024) is piloting AI through agile 90-day cycles within CNMF. LLMs deploying to classified networks as of early 2026. But deployment is nascent — CYBERCOM's five AI application categories (vulnerabilities/exploits, network security/monitoring, modeling/predictive analytics, persona/identity, infrastructure/transport) are in pilot, not production. Air-gapped environments lag commercial adoption by 3-5 years. |
| Expert Consensus | 0 | CYBERCOM leadership frames AI as capability multiplier, not headcount reducer. Pentagon's AI acceleration strategy signals aggressive automation intent. Intelligence oversight laws mandate human review. Mixed consensus — tools augment near-term, but DoD push for AI dominance could compress timelines. |
| Total | 2 | |

Barrier Assessment

Structural Barriers to AI: Strong, 8/10 (Regulatory 2/2, Physical 2/2, Union Power 1/2, Liability 2/2, Cultural 1/2)

Reframed question: What prevents AI execution even when programmatically possible?

| Barrier | Score (0-2) | Rationale |
|---|---|---|
| Regulatory/Licensing | 2 | FISA, Executive Order 12333, UKUSA/Five Eyes agreements, and intelligence oversight laws mandate human review and approval of intelligence products. Congressional oversight requires human accountability for collection and analysis decisions. Cyber operations add additional legal frameworks (Law of Armed Conflict applied to cyberspace, PPD-20) that require human judgment on targeting and proportionality. |
| Physical Presence | 2 | SCIF-only work environment. Air-gapped classified networks physically isolated from the internet. AI tools must be separately certified and deployed to each classified enclave (JWICS, NSANet). CYBERCOM's 90-day agile pilot cycles demonstrate how slowly AI deploys in these environments compared to commercial networks. |
| Union/Collective Bargaining | 1 | Military service obligations create retention floor. Government civilian employees have civil service protections. Not at-will employment. Force structure changes can reduce billets over time, but Cybercom 2.0 expansion is growing billets in the near-term. |
| Liability/Accountability | 2 | Cyber intelligence failures have national security consequences — missed intrusions, wrongful attribution, escalatory responses. Human accountability is legally and politically non-negotiable. No AI system can be held accountable before Congress for a cyber intelligence failure that led to a misattributed operation. |
| Cultural/Ethical | 1 | IC culture values human analytical judgment and tradecraft. CYBERCOM's approach of 90-day agile pilots signals careful, measured adoption rather than wholesale replacement. Younger cyber workforce is receptive to AI tools but institutional trust-building is slow. Pentagon pushing hard, but cultural barriers real. |
| Total | 8/10 | |

AI Growth Correlation Check

Confirmed at 0 (Neutral). AI adoption expands the cyberspace attack surface — more encrypted channels, more adversary use of AI-generated malware, more IoT devices creating network signals. This creates marginally more collection targets for cyberspace analysts. But AI simultaneously automates network traffic classification, initial anomaly detection, and indicator correlation — absorbing work that would have gone to human analysts. CYBERCOM's Cybercom 2.0 expansion grows billets, but AI efficiency gains could offset new positions. Net effect approximately neutral.


JobZone Composite Score (AIJRI)

Score Waterfall: Task Resistance +30.0 pts, Evidence +4.0 pts, Barriers +12.0 pts, Protective +3.3 pts, AI Growth 0.0 pts. Total: 40.6/100.

| Input | Value |
|---|---|
| Task Resistance Score | 3.00/5.0 |
| Evidence Modifier | 1.0 + (2 x 0.04) = 1.08 |
| Barrier Modifier | 1.0 + (8 x 0.02) = 1.16 |
| Growth Modifier | 1.0 + (0 x 0.05) = 1.00 |

Raw: 3.00 x 1.08 x 1.16 x 1.00 = 3.7584

JobZone Score: (3.7584 - 0.54) / 7.93 x 100 = 40.6/100

Zone: YELLOW (Green >=48, Yellow 25-47, Red <25)

Sub-Label Determination

| Metric | Value |
|---|---|
| % of task time scoring 3+ | 65% |
| AI Growth Correlation | 0 |
| Sub-label | Yellow (Urgent) -- >=40% task time scores 3+ |

Assessor override: None — formula score accepted. The 8/10 barriers provide a 16% boost, keeping this role in mid-Yellow. Without barriers, the score drops to 34.0 — still Yellow but significantly more exposed. This is honest: SCIF requirements and intelligence oversight mandates are genuine structural barriers that compress slowly.


Assessor Commentary

Score vs Reality Check

The 40.6 score sits slightly above the traditional SIGINT Analyst (39.9), and that marginal difference is warranted. Cyberspace analysts work with more technically complex data — network protocols, malware signatures, adversary TTPs in digital environments — that require deeper technical tradecraft than RF/ELINT analysis. The attribution task (20% of time, scored 2) is the key differentiator: attributing cyber operations to specific nation-state actors in false-flag scenarios is one of the hardest analytical problems in intelligence, and AI is not close to solving it independently. The barrier profile is identical to SIGINT Analyst — same SCIFs, same oversight laws, same air-gapped deployment lag.

What the Numbers Don't Capture

  • CYBERCOM AI acceleration. The FY2026 $5M "Artificial Intelligence for Cyberspace Operations" program within the CNMF directly targets this role's workflows. The 90-day agile pilot cycle means AI capabilities will iterate faster than traditional DoD acquisition allows. This could compress the 5-10 year timeline to 3-7 years for cyber-specific tasks.
  • Adversary AI arms race. As adversaries deploy AI-generated malware, polymorphic attacks, and AI-assisted operational security, the cyberspace analyst's job becomes both harder (more sophisticated threats) and more dependent on AI tools (human speed insufficient for AI-speed attacks). This creates a treadmill effect where the analyst must adopt AI tools to keep pace.
  • Clearance bottleneck as moat. The TS/SCI with Polygraph requirement creates an artificial demand floor. Clearance processing takes 12-18 months. The cleared cyber workforce pipeline is critically short while demand grows under Cybercom 2.0. This protects existing cleared cyberspace analysts even as AI augments their work.
  • MOS consolidation risk. The Army discontinued the original 35Q MOS in 2020, folding capabilities into broader intelligence MOSs. Future force structure changes could further consolidate cyberspace intelligence roles, compressing billets even without AI displacement.

Who Should Worry (and Who Shouldn't)

If you are a junior collector whose primary function is operating automated data processing equipment, logging digital intercepts, and performing initial data classification — you are closer to Red Zone. These are exactly the tasks CYBERCOM's AI program is automating first. 2-4 year window.

If you perform deep network traffic analysis, cyber threat attribution, and adversary campaign tracking in complex geopolitical contexts — you are safer than Yellow suggests. Determining whether a network intrusion is Chinese state-sponsored, Russian criminal, or a false-flag operation requires intelligence tradecraft that AI cannot replicate. This work is genuinely augmented.

If you combine technical depth with cyber mission coordination and cross-INT fusion — briefing commanders, coordinating with offensive cyber teams, integrating SIGINT with HUMINT/GEOINT for cyber attribution — you are the most protected version of this role.

The single biggest separator: whether you are processing network data (automatable) or attributing adversary intent in cyberspace (human stronghold). The processor is being replaced by ML classifiers. The attributor is being augmented to analyze operations at scale.


What This Means

The role in 2028: The surviving cyberspace analyst is an AI-augmented cyber intelligence professional who directs ML-based network classifiers, validates AI-generated threat assessments, and focuses on adversary attribution and campaign analysis. CYBERCOM's AI tools handle bulk traffic analysis and anomaly detection. The analyst interprets what the patterns mean — who is behind the intrusion, what they want, and how confident we are in the attribution.

Survival strategy:

  1. Master AI-augmented cyber analysis. Learn to direct and validate ML-based network classifiers and anomaly detection tools. The analyst who can tune an AI model for a novel adversary technique is worth three who cannot.
  2. Deepen attribution expertise. Specialise in a threat actor group, region, or adversary TTP set. AI handles indicator matching at scale; humans provide the intelligence judgment on attribution confidence.
  3. Build cross-domain cyber-INT fusion skills. The highest-value cyberspace intelligence integrates network SIGINT with HUMINT sources, OSINT, and offensive cyber operations. Multi-domain analysts who synthesize across cyber and traditional intelligence are the last to be automated.

Where to look next. If you are considering a career shift, these Green Zone roles share transferable skills with Cryptologic Cyberspace Analyst:

  • Cyber Crime Investigator (AIJRI 56.4) — Network analysis, digital forensics, and adversary attribution skills transfer directly to investigating cyber intrusions in law enforcement and private sector
  • Incident Response Specialist (AIJRI 55.3) — Cyber tradecraft in identifying adversary TTPs, network traffic analysis, and rapid threat triage maps directly to IR and threat hunting roles
  • OT/ICS Security Engineer (AIJRI 73.3) — Network protocol expertise and understanding of adversary cyber operations translate to securing industrial control systems and critical infrastructure


Timeline: 3-7 years for significant headcount compression. CYBERCOM's active AI investment and agile pilot cycles compress the timeline compared to traditional SIGINT roles, but air-gapped deployment lag and intelligence oversight mandates remain the primary brakes.


Transition Path: Cryptologic Cyberspace Analyst (Mid-Level)

We identified 4 green-zone roles you could transition into.

Your Role: Cryptologic Cyberspace Analyst (Mid-Level), YELLOW (Urgent), 40.6/100

Target Role: Cyber Crime Investigator (Mid-Senior), GREEN (Transforming), 54.0/100 (+13.4 points gained)

Cryptologic Cyberspace Analyst (Mid-Level): 40% Displacement, 55% Augmentation, 5% Not Involved

Cyber Crime Investigator (Mid-Senior): 80% Augmentation, 20% Not Involved

Tasks You Lose

3 tasks facing AI displacement

  • 15%: Technical SIGINT collection & processing
  • 15%: Intelligence reporting & product creation
  • 10%: Database/tool maintenance & data correlation

Tasks You Gain

5 tasks AI-augmented

  • 20%: Investigation direction & case strategy
  • 20%: Digital evidence collection & forensic analysis
  • 15%: OSINT & cyber intelligence gathering
  • 15%: Report writing & case documentation
  • 10%: Financial & cryptocurrency investigation

AI-Proof Tasks

2 tasks not impacted by AI

  • 10%: Court testimony & legal proceedings
  • 10%: Cross-agency coordination & stakeholder management

Transition Summary

Moving from Cryptologic Cyberspace Analyst (Mid-Level) to Cyber Crime Investigator (Mid-Senior) shifts your task profile from 40% displaced down to 0% displaced. You gain 80% augmented tasks where AI helps rather than replaces, plus 20% of work that AI cannot touch at all. JobZone score goes from 40.6 to 54.0.
