The Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework, published by SANS Institute in August 2022, defines the knowledge, skills, and abilities a CTI analyst needs to succeed in the role. Developed by Mandiant with input from CTI professionals inside and outside the company, the framework organizes analyst skills into four pillars and twelve core competencies, updating earlier CTI skills models to reflect the demands of cloud, hybrid environments, and modern adversary tradecraft.
Key findings:
- The framework organizes CTI analyst skills into four pillars: Problem Solving, Professional Effectiveness, Technical Literacy, and Cyber Threat Proficiency
- Each pillar contains three core competencies, for twelve total
- Problem Solving covers Critical Thinking, Research and Analysis, and Investigative Mindset
- Professional Effectiveness covers Communication, Teamwork and Emotional Intelligence, and Business Acumen
- Technical Literacy covers Enterprise IT Networks, Cybersecurity Ecosystem, and Organizational Cybersecurity Roles and Responsibilities
- Cyber Threat Proficiency covers Drivers of Offensive Operations, Threat Concepts and Frameworks, and Threat Actors and TTPs
- Exactly half of the twelve competencies are cognitive and interpersonal skills; the other half are technical and threat-specific knowledge
- The framework updates and expands two earlier CTI skills models: a 2015 framework from the Intelligence and National Security Alliance and a 2012 Carnegie Mellon University study
- The Cybersecurity Ecosystem competency maps directly to NIST Cybersecurity Framework phases: identify, protect, detect, respond, recover
- Threat Concepts and Frameworks references major CTI models including the Lockheed Martin Cyber Kill Chain, the Diamond Model of Intrusion Analysis, and the MITRE ATT&CK Navigator
Rather than treating CTI as a purely technical discipline, the framework splits the role evenly between analytical and technical depth on one side and communication and business fluency on the other. That balance reflects a persistent gap in the field: analysts who can find the signal in the data but struggle to translate it into decisions leadership will act on, and vice versa.
The framework was developed by Mandiant with input from both Mandiant and non-Mandiant CTI professionals, and written up by SANS-certified instructor John Doyle. It reflects the state of the CTI field as of May 2022.