Threat Intelligence Analyst Salary: What $110,800 Actually Means for Your Career

This analysis was produced using the CyberPathIQ Methodology, designed by Julian Calvo, Ed.D. (Learning Sciences). It cross-references real-time labor market data from the Bureau of Labor Statistics, threat intelligence frameworks from MITRE ATT&CK, occupational skill profiles from ONET, and community response data from cybersecurity professionals currently in these roles.*

---

The Number You Came Here For, and Why It's Incomplete

The national median for Threat Intelligence Analysts sits at $110,800. That's the headline. But if you're using that number to decide whether to pursue this path, or to walk into a salary negotiation, you're working with about 40% of the information you need.

That $110,800 is a midpoint. Half the people in this role earn less. Half earn more. The spread between the floor and the ceiling in threat intel is wider than almost any other security specialization, because the factors that push compensation up or down here are more variable than in, say, a SOC analyst role. Clearance status, industry vertical, whether you're doing strategic intel versus technical IOC work, and whether your employer actually understands what threat intelligence is worth, all of these move the number significantly.

Here's what the median does tell you: threat intelligence analysts earn 27% more than the median US worker, and they sit comfortably above incident responders ($105,300) and SOC analysts ($87,400). They trail security engineers ($124,900) and architects ($158,600), but the gap to those roles is closeable with 2-4 years of experience and the right specialization.

---

What $110,800 Buys You Nationally (The Rent Math)

Salary without cost-of-living context is noise. Let's make it signal.

At $110,800 gross, your monthly take-home after federal taxes and standard deductions lands around $6,900-$7,400 depending on your state. Here's how that plays out in three different markets:

San Francisco / Bay Area: Median one-bedroom rent runs $2,800-$3,200. After rent, you have roughly $4,000-$4,200 for everything else. You're comfortable but not wealthy. A $110,800 threat intel salary in San Francisco is functionally equivalent to about $72,000 in a mid-tier market. If you're in this city at this salary, your negotiation target should be $135,000 minimum.

Austin, TX / Denver, CO: Rent on a one-bedroom averages $1,400-$1,800. After housing, you're keeping $5,100-$5,500 monthly. This is where $110,800 starts to feel like real money. You're building savings, not just surviving. These markets also have growing cybersecurity ecosystems, particularly Austin with its expanding tech sector and Denver with its defense contractor presence.

Columbus, OH / Kansas City, MO / Raleigh, NC: One-bedrooms run $1,000-$1,400. You're taking home $5,500-$6,400 after rent. At this salary in these markets, you're in the top 15% of local earners. Raleigh specifically has become a legitimate threat intel hub with the Research Triangle's concentration of financial services and healthcare firms.

The takeaway: if you're being offered $110,800 in a high cost-of-living market, that's a below-average offer for the role. If you're being offered $110,800 in a mid-tier market, that's solid. Location isn't just a lifestyle choice. It's a compensation variable.

---

What Drives the Salary Gap in Threat Intelligence

Threat intelligence has one of the widest compensation spreads in cybersecurity, and the reasons are specific.

Security clearance is the single biggest lever. An analyst doing threat intel for a defense contractor or federal agency with a TS/SCI clearance can expect a 20-35% premium over the same role in commercial sector. That's not an exaggeration. Cleared threat intel analysts in the DC metro area regularly see total compensation packages in the $140,000-$175,000 range. The clearance itself is worth roughly $25,000-$40,000 in annual salary premium, and the government or contractor typically sponsors it, meaning you don't pay for it. If you're early in your career and have a clean background, pursuing a cleared role is one of the highest-ROI moves available.

Strategic versus tactical intel work pays differently. Analysts who produce finished intelligence products, briefing C-suite and board-level stakeholders on threat actor TTPs and geopolitical risk, earn more than analysts who are primarily working IOC feeds and updating SIEM rules. The former requires written communication skills and business acumen that are genuinely rare in technical security. If you can write a clear, concise threat brief that a CFO can act on, you're in a smaller talent pool than you think.

Industry vertical matters more than most people realize. Financial services and critical infrastructure pay the most for threat intel, because the cost of a breach is existential. A threat intel analyst at a top-tier bank or a major energy company is not doing the same job as one at a mid-market SaaS company, and the compensation reflects that. Healthcare and retail are catching up, but finance and energy remain the premium verticals.

Tooling depth creates salary separation. Analysts who can work across the full stack, pulling from Recorded Future or Mandiant Advantage for strategic intel, pivoting through Maltego for link analysis, writing YARA rules for malware detection, and mapping findings to MITRE ATT&CK with precision, command more than analysts who primarily consume threat feeds. The ability to produce intelligence, not just consume it, is where the money is.

---

Where Threat Intel Sits in the Security Career Stack

Comparing this role to its neighbors tells you something useful about trajectory.

Role	Median Salary	Delta from Threat Intel
CISO	$232,000	+$121,200
Security Architect	$158,600	+$47,800
Security Engineer	$124,900	+$14,100
Penetration Tester	$112,200	+$1,400
Threat Intel Analyst	$110,800	baseline
Incident Responder	$105,300	-$5,500
SOC Analyst	$87,400	-$23,400

A few things stand out here.

Threat intel and penetration testing are nearly identical at the median, separated by only $1,400. But their career trajectories diverge significantly. Senior pen testers move toward red team lead, then principal consultant or practice director roles. Senior threat intel analysts move toward intel team lead, threat intel program manager, or into hybrid roles that blend intel with DFIR. Both paths are viable. The choice depends on whether you prefer offensive simulation or analytical research.

The gap between threat intel and security engineering ($14,100) is closeable. Many analysts who develop strong technical depth in malware analysis, reverse engineering with Ghidra, or adversary emulation using MITRE ATT&CK cross over into engineering roles within 3-5 years. That's not a lateral move. That's a $14,000 raise with the same foundational knowledge base.

The gap to CISO ($121,200) looks enormous, but threat intelligence is actually one of the better paths to that seat. CISOs who came up through intel have a distinct advantage: they understand adversary behavior at a strategic level, which is exactly what boards want when they're asking "who's targeting us and why?" That framing is more valuable in the boardroom than a background in compliance or network engineering.

---

Global Context: The Same Role, Different Markets

If you're outside the US, or considering remote work for US employers, these numbers shift considerably.

United Kingdom: Threat intelligence analysts in London earn roughly £55,000-£80,000 ($68,000-$99,000 USD at current exchange). The UK market is mature, with strong demand from financial services in the City and government agencies including GCHQ's commercial ecosystem. CREST certifications carry significant weight in UK hiring, alongside SANS GIAC credentials.

Canada (Toronto/Ottawa): Expect CAD $85,000-$120,000 ($62,000-$88,000 USD). Ottawa is the cleared-work hub, similar to DC's role in the US market. Toronto's financial sector drives commercial demand. The Canadian Centre for Cyber Security (CCCS) is an active employer.

Germany/Netherlands: EUR €65,000-€95,000 ($70,000-$103,000 USD). BSI (Germany's federal cybersecurity agency) and the financial sector in Frankfurt are primary employers. English is widely accepted in multinational firms, but German language skills open government and critical infrastructure roles.

LATAM (Remote for US employers): This is where the math gets interesting. US companies are actively hiring threat intelligence talent in Brazil, Colombia, Mexico, and Argentina at $40,000-$65,000 USD. In those markets, that salary puts you in the top 5% of earners. The demand for Spanish and Portuguese-speaking threat intel professionals who can brief on regional threat actors (particularly Latin American cybercrime groups and state-sponsored activity) is real and underserved. Spanish-language cybersecurity career resources are nearly nonexistent, which means bilingual professionals who can operate in both markets have leverage that's not reflected in any salary survey.

One thing that doesn't change across borders: MITRE ATT&CK, NIST CSF, and ISO 27001 are internationally recognized. A SANS GIAC Cyber Threat Intelligence (GCTI) certification is as credible in Singapore as it is in Seattle.

---

Negotiation Leverage: Specific Points to Use

Generic negotiation advice is everywhere. Here's what actually moves the number in threat intelligence specifically.

Quantify your intelligence production. "I produced 47 finished intelligence reports last year" is more powerful than "I have strong analytical skills." If you can attach outcomes to those reports, even better. "My analysis of a specific threat actor campaign led to a proactive block that security engineering implemented before the attack materialized" is a sentence worth $10,000-$15,000 in a negotiation.

Name your MITRE ATT&CK coverage. Analysts who can say "I track 12 threat actor groups across the financial sector, with documented TTP mappings across 8 ATT&CK tactics" are demonstrating something specific. Most hiring managers in threat intel have seen enough vague resumes to immediately recognize specificity as a signal of genuine expertise.

Clearance status is non-negotiable leverage. If you hold an active clearance, say so early and explicitly. Cleared analysts should not accept the same offer as non-cleared candidates for the same role. The clearance has a market value. Use it.

Reference the skills gap data. The ISC2 2024 Workforce Study documented a global cybersecurity workforce gap of 4.8 million professionals. Threat intelligence is one of the most acutely understaffed specializations within that gap. You're not asking for a favor. You're pricing a scarce skill in a supply-constrained market.

Push on total compensation, not just base. Training budget matters in threat intel more than most roles because the threat actor landscape changes faster than almost any other domain. A $5,000 annual training budget for SANS courses or threat intel platform access is worth negotiating for explicitly. So is conference attendance (RSA, Black Hat, SANS CTI Summit). These aren't perks. They're how you stay current enough to do the job.

---

The Catch-22 in Threat Intelligence (And How People Break It)

Gerald Auger frames the central problem of cybersecurity hiring precisely: how do you get experience without a job, but how do you get a job without experience? Threat intelligence has its own version of this problem, and it's worth naming directly.

Most threat intel job postings want 3-5 years of experience, familiarity with specific platforms like Recorded Future or Anomali, and demonstrated analytical output. Entry-level threat intel roles are rare. The path most people actually take goes through the SOC first, spending 1-2 years doing alert triage and incident response, then transitioning into intel as they develop the pattern recognition that underlies good analytical work.

The alternative path is building a demonstrable body of work before you have the title. Writing threat actor profiles on a public blog. Contributing to open-source threat intelligence communities like OpenCTI or MISP. Participating in CTF competitions that include threat intel tracks. Getting the SANS GCTI or the Recorded Future Certified Threat Intelligence Analyst (CTIA) certification to signal domain knowledge. None of these replace experience, but they break the cycle by creating proof of capability that a resume alone can't provide.

The market right now has 514,000 open cybersecurity positions according to BLS data, and threat intelligence is one of the specializations where demand consistently outpaces supply. That's not a reason to rush. It's a reason to build deliberately and move with confidence when you're ready.

---

The Trend Signal Worth Watching

Threat intelligence as a function is maturing from a nice-to-have into a core security program component. Five years ago, most organizations below enterprise scale didn't have dedicated threat intel analysts. That's changing, driven by two forces.

First, cyber insurance requirements are increasingly mandating threat-informed defense practices, which means organizations need someone who can speak the language of adversary behavior and map it to their specific risk profile. Second, AI-assisted threat intelligence platforms are changing the analyst's job, not eliminating it. Analysts who can direct AI tooling, validate its outputs, and produce the strategic analysis that automation can't replicate are becoming more valuable, not less.

The salary trend for this role has been upward for five consecutive years. There's no credible signal that reverses in the near term. Geopolitical instability, which drives cyberattack volume, is not decreasing. Every escalation in state-sponsored activity creates more demand for analysts who understand adversary behavior at the TTP level.

If you're deciding whether to specialize here, the market conditions support the move. The work itself, understanding who's targeting you, why, and what they'll do next, is the kind of problem that doesn't get automated away. It requires judgment, context, and the ability to think like the adversary. That's a human skill set with a long shelf life.