Role Definition
| Field | Value |
|---|---|
| Job Title | Threat Intelligence Analyst |
| Seniority Level | Mid-Level |
| Primary Function | Researches threat actors, tracks adversary campaigns, collects and processes IOCs, writes intelligence reports (tactical, operational, strategic), feeds indicators into security tools via STIX/TAXII, monitors dark web and OSINT sources, profiles threat actor TTPs using MITRE ATT&CK, and briefs stakeholders on emerging threats. |
| What This Role Is NOT | Not a SOC analyst (reactive, alert-driven). Not an incident responder (crisis-driven). Not a malware analyst (reverse engineering focus). Not a CISO (strategic leadership). This is the intelligence analyst who understands the adversary and translates threats into organisational context. |
| Typical Experience | 3-7 years. GCTI, CTIA, or equivalent. Background in intelligence analysis, cybersecurity, or military/government CTI. |
Seniority note: A junior "feed analyst" processing IOCs and running threat feeds would score Red. A senior strategic intelligence lead briefing boards and driving security strategy would score Green (Transforming).
Protective Principles + AI Growth Correlation
| Principle | Score (0-3) | Rationale |
|---|---|---|
| Embodied Physicality | 0 | Fully digital, desk-based. All work in threat intelligence platforms, OSINT tools, dark web browsers, and analysis environments. |
| Deep Interpersonal Connection | 1 | Some interpersonal element: briefing executives, building trust with ISACs/ISAOs, coordinating with IR teams. But core value is analytical, not relational. Presentational rather than relationship-dependent. |
| Goal-Setting & Moral Judgment | 2 | Significant judgment at the strategic tier — deciding which threats matter to THIS organisation, assessing adversary intent vs capability, determining when intelligence warrants action. Operates within established frameworks (Diamond Model, Kill Chain, ATT&CK) but interprets within them. |
| Protective Total | 3/9 | |
| AI Growth Correlation | 1 | More AI adoption means more AI-powered attacks (deepfake phishing, AI-generated malware, automated exploitation), creating more adversary activity to track. But the role does not exist BECAUSE of AI — threat intelligence predates AI by decades. Indirect demand increase, not recursive dependency. |
Quick screen result: Protective 3 + Correlation 1 — likely Yellow Zone.
Task Decomposition (Agentic AI Scoring)
| Task | Time % | Score (1-5) | Weighted | Aug/Disp | Rationale |
|---|---|---|---|---|---|
| Collect and process threat feeds / IOCs | 15% | 5 | 0.75 | DISPLACEMENT | STIX/TAXII feeds are machine-readable by design. TIP platforms (Recorded Future, Anomali, ThreatConnect, MISP) ingest, deduplicate, enrich, correlate, and distribute to SIEM/EDR end-to-end. AI output IS the deliverable. |
| Monitor OSINT and dark web sources | 15% | 5 | 0.75 | DISPLACEMENT | Agentic AI (Flare, Flashpoint, ZeroFox) continuously scans dark web forums, paste sites, Telegram channels, classifies relevance, and routes alerts. Agent executes the monitoring workflow without human involvement. |
| Write tactical intelligence reports (IOC-focused) | 10% | 5 | 0.50 | DISPLACEMENT | AI takes IOC data, generates YARA/Sigma/Snort detection rules, writes template-driven tactical reports, and distributes them end-to-end. Recorded Future already does this in production. |
| Write operational/strategic intelligence reports | 15% | 2 | 0.30 | AUGMENTATION | AI gathers data, drafts sections, and correlates across sources. But determining "what does this threat mean for THIS organisation's risk appetite and board priorities?" requires human judgment the agent cannot provide. |
| Profile threat actors and track campaigns | 15% | 2 | 0.30 | AUGMENTATION | Understanding adversary motivations, predicting next moves, identifying false flags, connecting campaigns over months or years. AI correlates known TTPs, but the leap from "what happened" to "who did this and what will they do next" requires human intuition honed by experience. |
| Brief stakeholders on emerging threats | 10% | 1 | 0.10 | NOT INVOLVED | Translating intelligence into business-relevant language for executives requires reading the room, adapting messaging, and building credibility. A CISO does not want an AI agent briefing them on nation-state targeting. |
| Develop and refine detection rules and hunting hypotheses | 10% | 4 | 0.40 | DISPLACEMENT | AI takes IOC data and TTP mappings, generates YARA/Sigma/Snort rules, tests them, and deploys them. Novel hunting hypotheses remain human-led, but the bulk of rule-writing is agent-executable. |
| Collaborate with IR teams during active incidents | 10% | 2 | 0.20 | AUGMENTATION | During active incidents, the analyst provides real-time context under pressure and collaborates with IR teams. AI pulls relevant IOCs and historical context, but the human leads the collaborative analysis. Each incident is different. |
| Total | 100% | | 3.30 | | |
Task Resistance Score: 6.00 - 3.30 = 2.70/5.0
Displacement/Augmentation split: 50% displacement, 40% augmentation, 10% not involved.
Reinstatement check (Acemoglu): AI creates new tasks: validate AI-generated threat assessments and detection rules, analyse AI-specific threat vectors (prompt injection, model poisoning, adversarial ML), tune and QC AI-powered TIP outputs. The role is transforming — the data-pipeline variant disappears while the strategic variant enriches.
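The feed-processing tasks the table scores 4-5 (ingest a STIX feed, deduplicate and enrich IOCs, turn them into detection rules) written out as an added example; this is not code from the assessment or from any of the TIP vendors it names. It parses the indicator patterns in a constructed STIX 2.1 bundle, deduplicates the IOCs, rejects values that should never reach a detection (internal address ranges, revoked indicators, malformed hashes, which is the "validate AI-generated detection rules" task the reinstatement check describes), and renders a Sigma rule from what remains. The bundle, its object ids and all indicator values are constructed; the `dst_ip` and `cs-host` field names assume a proxy log schema.

```python
import ipaddress
import json
import re

# Constructed STIX 2.1 bundle for the example: one duplicated domain, one
# internal address that must never be deployed, one revoked indicator.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--7f0b6c1e-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--7f0b6c1e-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '203.0.113.5'] OR [domain-name:value = 'Bad.Example']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--7f0b6c1e-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--7f0b6c1e-0000-4000-8000-000000000004",
         "pattern": "[ipv4-addr:value = '192.168.1.10']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--7f0b6c1e-0000-4000-8000-000000000005",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--7f0b6c1e-0000-4000-8000-000000000006",
         "revoked": True,
         "pattern": "[ipv4-addr:value = '198.51.100.9']"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--7f0b6c1e-0000-4000-8000-000000000007",
         "name": "example-loader", "is_family": False},
    ],
})

# One comparison inside a STIX pattern: [object:property = 'value']
COMPARISON_RE = re.compile(r"\[(?P<path>[a-z0-9-]+:[^\s=]+)\s*=\s*'(?P<value>[^']+)'\]")

# Ranges a perimeter detection must never carry: a match there fires on
# internal traffic, not on adversary infrastructure.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10")]


def ioc_kind(path):
    """Map a STIX object path to a simple IOC kind, or None if unsupported."""
    obj, _, prop = path.partition(":")
    if obj in ("ipv4-addr", "ipv6-addr") and prop == "value":
        return "ip"
    if obj == "domain-name" and prop == "value":
        return "domain"
    if obj == "file" and prop.startswith("hashes."):
        return "hash"
    return None


def extract_iocs(bundle_json):
    """Collect (kind, value) pairs from every live STIX-pattern indicator; the set dedups."""
    iocs = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # only the STIX pattern language is parsed here
        for m in COMPARISON_RE.finditer(obj["pattern"]):
            kind = ioc_kind(m.group("path"))
            if kind is None:
                continue
            value = m.group("value")
            if kind in ("domain", "hash"):
                value = value.lower()  # case-insensitive values: normalise before dedup
            iocs.add((kind, value))
    return iocs


def is_deployable(kind, value):
    """Reject indicators that would match internal hosts or are malformed."""
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return not any(addr in net for net in NON_ROUTABLE)
    if kind == "domain":
        return "." in value and value != "localhost"
    if kind == "hash":
        return len(value) in (32, 40, 64) and all(c in "0123456789abcdef" for c in value)
    return False


def build_sigma_rule(iocs, title="Feed-derived IOC match"):
    """Render a Sigma rule (YAML text) for the network IOCs in the set.
    dst_ip / cs-host are an assumed proxy log schema."""
    ips = sorted(v for k, v in iocs if k == "ip")
    domains = sorted(v for k, v in iocs if k == "domain")
    lines = [f"title: {title}", "status: experimental",
             "logsource:", "  category: proxy", "detection:"]
    if ips:
        lines += ["  sel_ip:", "    dst_ip:"] + [f"      - '{v}'" for v in ips]
    if domains:
        lines += ["  sel_domain:", "    cs-host:"] + [f"      - '{v}'" for v in domains]
    lines += ["  condition: 1 of sel_*", "level: medium"]
    return "\n".join(lines) + "\n"


def process_feed(bundle_json):
    """Pipeline: parse -> dedup -> validate -> rule. Returns (accepted, rejected, rule_text)."""
    iocs = extract_iocs(bundle_json)
    accepted = {i for i in iocs if is_deployable(*i)}
    return accepted, iocs - accepted, build_sigma_rule(accepted)


if __name__ == "__main__":
    accepted, rejected, rule = process_feed(SAMPLE_BUNDLE)
    print(f"accepted {len(accepted)} IOCs, rejected {sorted(rejected)}")
    print(rule)
```

The rejected set is the part worth a human's attention: an automated pipeline that pushed `192.168.1.10` into the SIEM would alert on every internal host, which is the kind of output-validation task the reinstatement check assigns to the analyst.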
Evidence Score
| Dimension | Score (-2 to 2) | Evidence |
|---|---|---|
| Job Posting Trends | 1 | Cybersecurity postings up 21% YoY broadly, with threat intelligence a growing specialty facing "months-long delays filling roles" (IronCircle 2026). LinkedIn shows 3,000+ CTI roles in the US. Steady growth, not surging. ISC2 2025 shifted focus from headcount to skills — market maturing. |
| Company Actions | 0 | Recorded Future survey: 91% of organisations plan to increase CTI spending, 87% expect to advance program maturity. But spending increase goes toward AI-powered platforms, not necessarily more human analysts. Recorded Future itself (acquired by Mastercard for $2.65B) automates analyst workflows. More investment in the function, unclear on headcount. |
| Wage Trends | 0 | Stable. PayScale median ~$75K, ZipRecruiter averages $100-110K, senior roles $123K. Not declining but not keeping pace with premium growth in AI security, cloud security, or AppSec. Mid-pack for cybersecurity. |
| AI Tool Maturity | -1 | AI tools in strong early-to-mid adoption. Recorded Future 2025: 93% see AI/automation as important to CTI, 85% of implementations meeting/exceeding expectations. But tools automate the LOW-VALUE tasks (feed processing, IOC enrichment) rather than HIGH-VALUE tasks (strategic analysis, adversary profiling). |
| Expert Consensus | 0 | Genuinely mixed. Recorded Future: "junior analysts won't be replaced, but workflows evolve significantly." Cyware: 2026 "the year CTI evolves into proactive AI." Redbud Cyber: "Human analysts bring creative thinking AI models miss." Consensus: transformation, not elimination — but headcount won't stay the same. |
| Total | 0 | |
Barrier Assessment
Reframed question: What prevents AI execution even when programmatically possible?
| Barrier | Score (0-2) | Rationale |
|---|---|---|
| Regulatory/Licensing | 0 | No licensing required in the private sector. GCTI, CTIA are voluntary. Government/military roles require clearances, but the broad commercial market has no regulatory barrier to AI execution. |
| Physical Presence | 0 | Fully remote capable. CTI work is entirely digital. |
| Union/Collective Bargaining | 0 | Tech and cybersecurity sectors non-unionised. At-will employment. |
| Liability/Accountability | 1 | If intelligence is wrong — false attribution, missed threats, unnecessary incident response — there are consequences. But the analyst is part of a team with management oversight, not personally liable. For data-pipeline tasks, the stakes are low enough for AI execution. |
| Cultural/Ethical | 1 | Intelligence analysis has a long tradecraft history — the "art" of analysis is culturally valued. Some resistance to trusting AI for attribution decisions, particularly in government/defence. But commercial sector actively embraces AI-powered CTI for automatable tasks. |
| Total | 2/10 | |
AI Growth Correlation Check
Confirmed at 1 (Weak Positive). AI adoption meaningfully increases the threat landscape — AI-generated malware, deepfake-enabled social engineering, automated exploitation, AI-assisted disinformation campaigns. Northwave (Nov 2025) explicitly identifies AI-driven cyberattacks as reshaping the 2026 threat landscape. But the role is not recursively dependent on AI the way AI Security Engineer is — threat intelligence existed long before AI and would persist if AI development stopped. Indirect demand increase, not structural dependency.
JobZone Composite Score (AIJRI)
| Input | Value |
|---|---|
| Task Resistance Score | 2.70/5.0 |
| Evidence Modifier | 1.0 + (0 × 0.04) = 1.00 |
| Barrier Modifier | 1.0 + (2 × 0.02) = 1.04 |
| Growth Modifier | 1.0 + (1 × 0.05) = 1.05 |
Raw: 2.70 × 1.00 × 1.04 × 1.05 = 2.9484
JobZone Score: (2.9484 - 0.54) / 7.93 × 100 = 30.4/100
Zone: YELLOW (Green ≥48, Yellow 25-47, Red <25)
Sub-Label Determination
| Metric | Value |
|---|---|
| % of task time scoring 3+ | 50% |
| AI Growth Correlation | 1 |
| Sub-label | Yellow (Urgent) — ≥40% task time scores 3+ |
Assessor override: None — formula score accepted.
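The composite formula above carried through in code, as an added example rather than the assessment's own tooling: it takes the task table, the evidence, barrier and growth inputs, applies the three modifiers and the (raw - 0.54) / 7.93 normalisation, and assigns the zone and sub-label using the thresholds stated on the page. Task time is kept as an integer percent so the "% of task time scoring 3+" check is exact. Two assumptions: a score that falls between 47 and 48 is read as Yellow, and only the Yellow (Urgent) sub-label is implemented, because it is the only one the page defines.

```python
# Task table copied from the assessment: (task, time %, agentic AI score 1-5)
TASKS = [
    ("Collect and process threat feeds / IOCs", 15, 5),
    ("Monitor OSINT and dark web sources", 15, 5),
    ("Write tactical intelligence reports (IOC-focused)", 10, 5),
    ("Write operational/strategic intelligence reports", 15, 2),
    ("Profile threat actors and track campaigns", 15, 2),
    ("Brief stakeholders on emerging threats", 10, 1),
    ("Develop and refine detection rules and hunting hypotheses", 10, 4),
    ("Collaborate with IR teams during active incidents", 10, 2),
]


def task_resistance(tasks):
    """6.00 minus the time-weighted sum of AI scores, on the page's 0-5 scale."""
    total_time = sum(t for _, t, _ in tasks)
    if total_time != 100:
        raise ValueError(f"task time must sum to 100%, got {total_time}%")
    weighted = sum(t * s for _, t, s in tasks) / 100
    return 6.00 - weighted


def pct_time_scoring_3plus(tasks):
    """Share of task time at score 3 or above; drives the Urgent sub-label."""
    return sum(t for _, t, s in tasks if s >= 3)


def zone_for(score):
    """Green >= 48, Yellow 25-47, Red < 25. Assumption: 47 < score < 48 is Yellow."""
    if score >= 48:
        return "Green"
    if score >= 25:
        return "Yellow"
    return "Red"


def aijri(tasks, evidence, barrier, growth):
    """Compose the JobZone score.
    evidence: sum of the five -2..2 evidence dimensions (-10..10)
    barrier:  barrier total (0..10)
    growth:   AI growth correlation as scored on the page"""
    resistance = task_resistance(tasks)
    evidence_mod = 1.0 + evidence * 0.04
    barrier_mod = 1.0 + barrier * 0.02
    growth_mod = 1.0 + growth * 0.05
    raw = resistance * evidence_mod * barrier_mod * growth_mod
    score = (raw - 0.54) / 7.93 * 100
    zone = zone_for(score)
    pct = pct_time_scoring_3plus(tasks)
    # Only sub-label the page defines: Yellow (Urgent) when >= 40% of task time scores 3+.
    sub_label = "Urgent" if zone == "Yellow" and pct >= 40 else None
    return {
        "task_resistance": resistance,
        "raw": raw,
        "jobzone_score": score,
        "zone": zone,
        "pct_time_3plus": pct,
        "sub_label": sub_label,
    }


if __name__ == "__main__":
    result = aijri(TASKS, evidence=0, barrier=2, growth=1)
    print(f"Task Resistance: {result['task_resistance']:.2f}/5.0")
    print(f"Raw: {result['raw']:.4f}")
    print(f"JobZone Score: {result['jobzone_score']:.1f}/100 -> {result['zone']}"
          + (f" ({result['sub_label']})" if result['sub_label'] else ""))
```

Running it with the page's inputs (evidence 0, barrier 2, growth 1) reproduces 2.70, 2.9484 and 30.4; changing a single task score shows how little the composite moves, which is the point the commentary makes about an average hiding a bimodal split.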
Assessor Commentary
Score vs Reality Check
The Yellow (Urgent) label is honest but masks a bimodal reality. The 2.70 Task Resistance Score represents an average of two very different clusters: 50% of task time scores 4-5 (full displacement — feed collection, OSINT monitoring, tactical reporting, detection rules) and 50% scores 1-2 (augmentation/irreducible — strategic reports, adversary profiling, IR collaboration, stakeholder briefing). No individual analyst lives at 2.70. They are either doing displacement-grade work or augmentation-grade work, and the ratio determines their personal outlook — Red or Green. The average is mathematically correct and practically misleading.
What the Numbers Don't Capture
- Bimodal distribution. The 2.70 average hides the sharpest role fracture assessed in this project. The "feed analyst" doing IOC collection, OSINT monitoring, and tactical reporting is functionally Red Zone. The "strategic analyst" doing adversary profiling, strategic assessments, and stakeholder briefings is functionally Green. Same job title, opposite trajectories.
- Function-spending vs people-spending. Recorded Future's survey shows 91% of organisations plan to increase CTI spending — but spending goes to AI-powered platforms (Recorded Future, Anomali, ThreatConnect), not analyst headcount. Market growth does not equal hiring growth.
- Rate of AI capability improvement. AI-powered CTI platforms went from experimental to production-ready in 2-3 years. Recorded Future reports 85% of implementations meeting or exceeding expectations. The displacement portion of this role is not approaching — it has arrived.
Who Should Worry (and Who Shouldn't)
If your daily work is collecting IOCs, processing threat feeds, monitoring OSINT sources, and writing tactical reports — you are functionally Red Zone regardless of the Yellow label. Agentic platforms execute this entire workflow end-to-end. 2-3 year window.
If you profile threat actors, write strategic intelligence assessments, brief CISOs, and collaborate with IR teams during active incidents — you are safer than Yellow suggests. Creative adversarial thinking, contextual judgment, and trust-based communication remain human strongholds.
The single biggest separator: whether you process data or produce insight. The data pipeline analyst is being replaced by agents. The strategic analyst is being augmented by them.
What This Means
The role in 2028: The surviving threat intelligence analyst is a "strategic intelligence analyst" — using AI platforms for data collection, enrichment, and tactical reporting while spending their time on adversary profiling, strategic assessments, and stakeholder communication. The feed-processing variant is fully automated. Teams shrink from 5 analysts to 1-2 strategic analysts overseeing AI platforms.
Survival strategy:
- Move up the intelligence pyramid. Tactical intelligence (IOCs, detection rules) is agent-executed. Strategic intelligence (threat landscape, geopolitical context, board-level briefings) is where the human premium persists.
- Specialise in AI-specific threat intelligence. AI-powered attacks, adversarial ML, deepfake-enabled social engineering — growing threat categories requiring human understanding.
- Build the stakeholder relationship. The analyst who briefs boards, builds trust with ISACs, and drives security strategy is the last one automated.
Where to look next. If you're considering a career shift, these Green Zone roles share transferable skills with this role:
- Digital Forensics Analyst (AIJRI 61.1) — Threat research methodology and indicator analysis transfer directly to forensic investigation
- Malware Analyst / Reverse Engineer (AIJRI 54.4) — Threat actor TTPs and reverse engineering familiarity map to dedicated malware analysis
- Red Team Leader (AIJRI 57.1) — Adversary simulation knowledge and attack pattern expertise inform red team engagement leadership
Browse all scored roles at jobzonerisk.com to find the right fit for your skills and interests.
Timeline: 3-5 years for the data-pipeline variant. The strategic variant faces transformation, not elimination — the analyst who adapts is functionally Green.