John Doyle

John has over sixteen years of experience working in Cyber Threat Intelligence, Digital Forensics, Cyber Policy, and Security Awareness and Education. John is a Principal Intelligence Enablement Consultant for Mandiant, a Google Cloud company, where he helps clients evaluate their CTI programs, builds roadmaps, and upskills team capability and organizational reach. He tracks intrusion activities from Russian and North Korean cyber threat groups. Prior to joining Mandiant, John spent a decade working for the Central Intelligence Agency (CIA) tracking multiple state-sponsored cyber actors (APTs).

More About John


At the CIA, John served as the team lead for a transnational and emerging cyber technology team that, in addition to driving intelligence collection and analytic production, examined the implications of paradigm shifts in the cyber threat landscape. John would often provide support to combat large-scale cyber-attacks, including such notable attacks as WannaCry, NotPetya, and OlympicDestroyer.

John’s cybersecurity interests largely reside in understanding adversary operations and tradecraft by analyzing forensic artifacts, and in enriching data to provide actionable intelligence.

John has developed and taught cybersecurity and cyber threat courses for more than five years at Mandiant, within the U.S. government, and at George Mason University. He decided to start teaching at SANS because he believed that’s where he could have the greatest impact in empowering, educating, and equipping the next generation of cyber defenders and analysts.

“I am passionate about instruction, and I believe that anyone with enough passion, dedication, and willingness can master the core skills and competencies required to perform cyber threat intelligence analysis.” he explains. John believes that his role as instructor of the SANS FOR578: Cyber Threat Intelligence course allows him to draw on his experience in the field to teach the core skills and tools of the trade to track and combat an ever-evolving and growing number of cyber threat actors.

John has often found that students who take cyber threat intelligence courses tend to come either from a traditional intelligence analysis background, where cyber security concepts are new, or from a cybersecurity background, where analytic tradecraft concepts are new. In his teaching, he bridges this gap by providing useful insights to help students understand traditional intelligence analysis tradecraft and its application using different data sets to support multiple cybersecurity missions; the complexities involved in tracking clusters of intrusion activities over time; and the forensic psychology involved because there are humans behind these cyber operations and, as a result, patterns can be established that identify their unique operational fingerprints.

Finally, John’s classes are participatory, drawing on the knowledge of the students as well as the teacher. “I tend to draw out student experiences as a way to augment teaching so that we learn from the work and experience we all have in order to grow the collective knowledge base together as a community,” he says.

In his spare time John enjoys rock climbing jogging, biking, painting, craft beer, and whiskey.

Get to know John Doyle:

  • SANS Instructor for the FOR578: Cyber Threat Intelligence course
  • More than 14 years of experience in the cybersecurity field, with the past 11 years working in cyber threat intelligence.
  • Covered North Korean, Russian, Chinese, and Iranian intrusion sets, as well as cyber-adjacent topics such as companies offering turnkey cyber espionage capabilities and hacking on behalf of a government.
  • Received several awards for innovation in intelligence analysis, including for his use of non-traditional data sources to derive novel insights about cyber actors and for developing a training curriculum for cyber threat analysts.
  • He is currently a Principal Analyst at FireEye Mandiant.


  • GREM - GIAC Reverse Engineering Malware Certification
  • GCTI - Cyber Threat Intelligence
  • GDAT - GIAC Defending Against Advanced Adversaries
  • GCFA - GIAC Certified Forensic Analyst
  • GCFE - GIAC Certified Forensic Examiner
  • GNFA - GIAC Certified Network Forensics Analyst
  • GPEN - GIAC Certified Penetration Tester
  • CISSP® - Certified Information Systems Security Professional



John's Contributions