

What does a threat intelligence analyst do?

By Gene Yoo | Last updated: May 29, 2019

Fundamentally, a cyber threat intelligence analyst is someone who specializes in collecting, interpreting and understanding the significance of threat intelligence information. Unlike a security incident responder, who’s looking at threat information generated by an internal system, such as a telemetry system or an endpoint monitoring system, a cyber threat intelligence analyst is primarily looking at external threat intelligence. They’re taking the pulse of the internet, as it were. What are known threat actors talking about? What new threat actors are showing up in dark web bulletin boards and chat rooms? Who’s buying and selling what information, tools and tradecraft? What information is popping up in the botnet world that might be relevant to an individual organization or to a set of clients?

Threat intelligence analysts are looking for indicators that will foster an understanding of what storms may be brewing out over the digital ocean but have not yet hit land — so that when these storms do arrive, we can be prepared. They’re uniquely positioned to help an enterprise proactively position its defenses and to help internal security professionals know where to look for vulnerabilities or potential cracks in the existing cybershield. If they detect discussion of a newly discovered vulnerability in an IoT appliance, for example, they can alert other security professionals to determine if that appliance is part of the corporate IoT infrastructure — and, if so, they can help advise on steps that can be taken to reduce the risk posed by that vulnerability.

It’s important to point out that threat intelligence analysts are not typically looking for known threats. They’re not looking for an improperly configured device on the corporate internet; they’re keeping their eyes and ears open for indicators that someone has begun to discuss how to exploit such an improperly configured device. When an analyst discovers an indicator that such discussions are taking place, that intelligence can trigger an action within the enterprise to discover whether such devices have been deployed and whether they have been properly configured.

Threat intelligence analysts also operate in a much more speculative manner. They may look at the activities of a known threat actor — actions that might appear on the surface to be perfectly benign — and speculate on the motives that the threat actor might have for undertaking those actions. Because the threat intelligence analyst may be aware of other seemingly unrelated activities — political unrest in this region or an economic tension growing in that region — the threat intelligence analyst is uniquely positioned to connect the dots into a picture that has real meaning, a picture that an AI system or big data analyst might miss entirely. Where an AI system may simply detect that a threat actor is standing dominoes on end, the threat intelligence analyst may be able to infer what effect those dominoes will have when they begin to fall — and prepare accordingly.


Written by Gene Yoo | Chief Executive Officer at Resecurity


Gene Yoo is CEO at Resecurity, which provides endpoint protection, risk management, and threat intelligence for large enterprises and government agencies worldwide. He has more than 25 years of experience in cybersecurity for some of the world’s largest brand names, such as Warner Bros., Sony, Computer Science Corporation, Coca-Cola Enterprise, Capgemini, and Symantec.

Most recently, he served as senior vice president and head of information security for Los Angeles-based City National Bank. He also served in an advisory role to Phantom (acquired by Splunk), ProtectWise (acquired by Verizon), Elastica (acquired by Blue Coat), and Vorstack (acquired by ServiceNow).
