Key Responsibilities and Required Skills for Security Intelligence Manager

💰 $120,000 - $180,000

Security, Cybersecurity, Threat Intelligence, Management, SOC

🎯 Role Definition

The Security Intelligence Manager leads the threat intelligence function to proactively identify, analyze, and communicate cyber threats that impact the organization's people, systems, and data. This role designs and executes an enterprise threat intelligence strategy, manages a team of analysts and hunters, operationalizes intelligence into detection and response workflows, and advises senior leadership and product teams on strategic and tactical risk. The Security Intelligence Manager partners closely with SOC, incident response, vulnerability management, risk, and engineering teams to close the loop between intelligence, detection, and remediation.


📈 Career Progression

Typical Career Path

Entry Point From:

  • Senior Cyber Threat Intelligence Analyst
  • SOC Team Lead or SOC Analyst III
  • Incident Response/Forensics Lead

Advancement To:

  • Director of Threat Intelligence
  • Head of Security Operations (Head of SOC)
  • VP of Cybersecurity / Director of Security Strategy
  • Chief Information Security Officer (CISO)

Lateral Moves:

  • Incident Response Manager
  • Risk & Compliance Manager
  • Fraud Intelligence or Threat Hunting Lead

Core Responsibilities

Primary Functions

  • Build, lead and mentor a cross-functional threat intelligence team responsible for tactical, operational and strategic intelligence: hiring, performance management, career development and resource planning to scale the function.
  • Design and implement the enterprise threat intelligence program and roadmap, defining the intelligence lifecycle (collection, processing, analysis, dissemination) and aligning outputs to business objectives and risk appetites.
  • Produce actionable intelligence briefings and decision-grade reports for technical teams, product owners and executive leadership that summarize threat actor profiles, motivations, TTPs, targeting trends, and recommended mitigations.
  • Translate threat intelligence into detection content and response playbooks: develop use cases, detection rules, SIEM correlations (Splunk, QRadar, Elastic), endpoint detections, and SOAR playbooks to operationalize threat indicators.
  • Lead threat hunting initiatives using intelligence-driven hypotheses; design hunts, leverage telemetry (endpoint, network, cloud) and triage findings to close detection gaps and inform controls.
  • Map threats and incidents to MITRE ATT&CK and other frameworks; maintain attacker TTP libraries and provide engineering teams with prioritized mitigation guidance.
  • Manage intelligence collection across multiple sources — OSINT, commercial feeds (Recorded Future, Anomali, ThreatConnect), dark web monitoring, partner sharing groups (ISACs), and internal telemetry — ensuring source diversity and quality assurance.
  • Oversee classification, enrichment, validation and ingestion of indicators of compromise (IOCs) and threat feeds; implement STIX/TAXII, indicator lifecycle policies, and automated enrichment pipelines.
  • Coordinate with SOC and incident response teams during active incidents to provide attribution, identify lateral movement patterns, recommend containment strategies, and support root cause analysis.
  • Develop and report on KPIs and metrics that demonstrate program effectiveness: mean time to detect, time to remediate, intel-to-detection conversion rate, analyst throughput and threat coverage.
  • Establish and manage external relationships with vendors, industry peers, ISACs, law enforcement and intelligence-sharing communities to enhance situational awareness and accelerate threat mitigation.
  • Lead tabletop exercises, red/blue team integrations, and simulation-based training to validate detection and response capabilities with intelligence-driven scenarios.
  • Define and maintain intelligence governance: data retention, classification, privacy, legal considerations, and compliance with regulatory and contractual requirements for intelligence handling.
  • Drive integration of threat intelligence into product security and secure development lifecycle (SDLC): threat modeling, supply chain risk assessments, and secure design recommendations for engineering teams.
  • Prioritize and manage the threat intelligence budget, tooling acquisitions, and proof-of-concept evaluations to ensure ROI and alignment with strategic objectives.
  • Champion automation and machine-assisted analysis: design pipelines for enrichment, clustering, alert scoring, and anomaly detection leveraging Python, analytics, and ML where applicable.
  • Provide rapid-response intelligence support for high-priority incidents and external communications, including post-incident reporting, remediation recommendations, and executive incident summaries.
  • Create and maintain a library of standardized intelligence deliverables: daily/weekly threat briefs, targeted threat dossiers, kill-chain timelines, and IOC packages for operational teams.
  • Conduct adversary profiling and attribution: analyze malware, command-and-control infrastructure, infrastructure reuse, and campaign timelines to identify threat actors and their motives.
  • Evaluate the effectiveness of threat feeds, detection rules and hunting hypotheses, and refine priorities based on business risk, industry context and emerging trends.
  • Drive continuous improvement by conducting post-incident intelligence reviews and lessons-learned sessions, and by updating intelligence playbooks and runbooks accordingly.
  • Ensure cross-functional knowledge transfer through training sessions, brown-bags and documentation to raise organizational cyber threat awareness and strengthen defensive posture.
  • Develop and enforce SOPs for indicator handling, threat sharing, and escalations, ensuring quick, auditable workflows from detection to remediation.
  • Translate complex technical intelligence into concise, non-technical executive summaries to support risk discussions, budget requests, and strategic planning.

Secondary Functions

  • Support ad-hoc intelligence requests and investigative deep dives for business units, legal and product teams.
  • Contribute to the organization's threat intelligence data strategy and roadmap, including data pipelines, normalization and enrichment requirements.
  • Collaborate with data engineering and SIEM teams to operationalize telemetry ingestion, normalization and retention policies for intelligence use-cases.
  • Participate in sprint planning and agile ceremonies with security engineering and detection teams to prioritize intel-driven deliverables.
  • Assist procurement and vendor assessment for intelligence tooling, including POCs and vendor scoring against technical and privacy requirements.
  • Represent the organization in industry working groups, ISACs and closed intelligence communities to exchange indicators and best practices.
  • Support vulnerability management by feeding exploitability intelligence into remediation priorities and patch planning.
  • Mentor junior analysts and rotate analysts through SOC and IR shifts to ensure alignment between intelligence and operations.
  • Maintain up-to-date documentation, runbooks and playbooks for the intelligence program and ensure knowledge continuity.
  • Participate in regulatory and compliance audits related to security monitoring, incident response and intelligence handling.

Required Skills & Competencies

Hard Skills (Technical)

  • Threat intelligence lifecycle management (collection, analysis, dissemination).
  • Deep familiarity with MITRE ATT&CK mapping, adversary profiling and TTP analysis.
  • Experience with commercial and open-source threat intelligence platforms: Recorded Future, ThreatConnect, Anomali, MISP.
  • SIEM and detection engineering experience: Splunk, Elastic, QRadar, ArcSight — writing correlation searches and alert tuning.
  • Incident response and digital forensics fundamentals; ability to support triage and forensic analysis.
  • Proficiency with OSINT techniques, dark web monitoring and investigative tooling.
  • Scripting and automation: Python, PowerShell, or equivalent for enrichment, parsing and analyst tooling.
  • Knowledge of STIX/TAXII, OpenIOC and indicator sharing best practices.
  • Experience with endpoint and network telemetry (EDR platforms like CrowdStrike, SentinelOne; network detection sensors).
  • Malware analysis basics (static and dynamic analysis) or close collaboration with malware analysts.
  • Threat hunting methodologies and hands-on experience using telemetry to validate hypotheses.
  • Cloud security intelligence: AWS, Azure and GCP telemetry and identity-focused threat detection.
  • Data analysis and SQL for querying datasets and producing intelligence metrics.
  • Familiarity with SOAR platforms and automation of playbooks (e.g., Phantom, Demisto).
  • Understanding of regulatory requirements and privacy issues related to intelligence collection and sharing.

Soft Skills

  • Strong leadership and team-building capability; proven experience managing technical analysts.
  • Excellent written and verbal communication, with the ability to translate technical findings into business risk language for executives.
  • Strategic thinking and the ability to align intelligence outputs to business objectives and risk priorities.
  • Stakeholder management and cross-functional collaboration across engineering, legal, product and operations.
  • High attention to detail and strong analytical/problem-solving skills for pattern recognition and attribution.
  • Prioritization and time-management skills in ambiguous, high-pressure incident conditions.
  • Influence and persuasion skills to drive change in detection, process and tooling adoption.
  • Mentoring and training ability to grow junior practitioners and disseminate knowledge across teams.
  • Ethical judgment and sound decision-making around sensitive intelligence handling and disclosure.
  • Adaptability to rapidly evolving threat landscapes and new attack techniques.

Education & Experience

Educational Background

Minimum Education:

  • Bachelor's degree in Computer Science, Cybersecurity, Information Security, Intelligence Studies, Computer Engineering or a related technical discipline.

Preferred Education:

  • Master's degree in Cybersecurity, Information Assurance, Intelligence Studies, or MBA with a technology focus.

Relevant Fields of Study:

  • Cybersecurity / Information Security
  • Computer Science / Software Engineering
  • Intelligence Studies / National Security
  • Network Engineering / Digital Forensics

Experience Requirements

Typical Experience Range: 5–10+ years in cybersecurity roles with at least 3–5 years focused on threat intelligence, SOC, or incident response and a minimum of 2 years in a people-management or team lead role.

Preferred:

  • 7–12 years of progressive experience in threat intelligence or security operations with demonstrated leadership of intelligence or detection teams.
  • Hands-on experience integrating intelligence into SIEM/SOAR, threat platforms, and detection engineering.
  • Experience working with external intelligence sharing groups (ISACs), law enforcement or third-party intelligence providers.
  • Relevant certifications preferred: CISSP, CISM, GCTI (GIAC Cyber Threat Intelligence), GCIA, GREM, OSCP or equivalent professional certifications.