CTI Engineer IV

Nordic Healthcare Group (NHG)

About The Position

Make a difference. Be happy. Grow your career.

The Role

The CTI Engineer Level IV, Team Lead is responsible for the strategic direction, operational leadership, and continuous maturation of the organization’s Cyber Threat Intelligence program. This is a lead position requiring the ability to operate across all three intelligence tiers (tactical, operational, and strategic) while serving as the primary interface between the CTI team and executive stakeholders, including the CISO, the CTI Steering Committee, and business leadership. The Team Lead is responsible for the intelligence lifecycle from planning and requirements through collection, analysis, dissemination, and feedback. They are accountable for the quality, relevance, and timeliness of all CTI program outputs, the professional development of the CTI team, and the program’s ongoing alignment with organizational risk priorities, regulatory obligations, and the evolving threat landscape.

The ideal candidate brings deep technical intelligence tradecraft combined with the leadership maturity to translate complex threat data into executive-level risk context. Experience in the healthcare sector and familiarity with its regulatory environment, including HIPAA, HITECH, HITRUST, PCI-DSS, and GDPR for international operations, is preferred.

Nordic, a Best in KLAS IT Services Firm solely serving the healthcare industry, strives to empower healthcare providers to leverage technology and to realize digital transformation. All Nordic staff embrace Nordic’s maxims and mission to serve our customers who care so well for us. Healthcare organizations are challenged to deliver higher quality care at a lower cost. Our award-winning team provides consulting services focused on strategy, technology, and operations, as well as managed services, that result in a stronger business with better patient outcomes.

Ranked as a best place to work by nine publications, Nordic's culture provides our home office and consultants a supportive environment in healthcare that allows you to make a difference, be happy, and grow your career.

Requirements

  • Proven experience leading a CTI team or program, including stewardship of intelligence requirements, program strategy, KPI reporting, and stakeholder management at the executive level.
  • Expert-level knowledge of the intelligence lifecycle across all three tiers: tactical (IOC production, detection engineering support), operational (threat actor tracking, campaign analysis), and strategic (threat landscape assessment, executive risk briefing).
  • Deep applied knowledge of MITRE ATT&CK, Cyber Kill Chain, and Diamond Model including ability to apply and teach these frameworks in operational contexts.
  • Hands-on experience with Threat Intelligence Platforms (TIPs), SIEM tools, EDR platforms, SOAR integration, OSINT methodologies, malware analysis (static and dynamic), network traffic analysis (NETFLOW, PCAP), and dark web monitoring.
  • Demonstrated experience managing external intelligence partnerships including ISAC participation, government stakeholder relationships (CISA, FBI, MS-ISAC), and commercial vendor management.
  • Strong written and verbal communication skills with the proven ability to produce and present executive-level intelligence products and risk briefings to non-technical audiences, including the CISO and business leadership.
  • Healthcare sector experience including working knowledge of healthcare-specific threat actors, attack patterns, and the regulatory environment (HIPAA, HITECH, HITRUST, PCI-DSS).
  • Familiarity with GDPR and EU data protection requirements relevant to intelligence operations supporting international business units.
  • Bachelor's or master's degree in Computer Science, Cybersecurity, Information Security, Intelligence Studies, or related discipline.
  • Generally requires a Bachelor's degree and 12 years of related experience or a Master's degree and 8 years of related experience.
  • 10+ years of progressive experience in cyber threat intelligence, information security, or related fields, with demonstrated advancement from Engineer to senior practitioner to program leadership responsibilities.
  • May require availability outside of normal business hours in response to critical threat events or time-sensitive intelligence requirements that demand senior CTI leadership involvement.
  • High degree of integrity, discretion, and judgment in handling sensitive threat intelligence, organizational risk data, and confidential stakeholder information.
  • Ability to manage competing priorities in a fast-paced environment, balancing tactical daily operations with strategic program development responsibilities.

Nice To Haves

  • GCTI (GIAC Cyber Threat Intelligence) or equivalent intelligence-focused certification.
  • CISM, CISSP, GCIH, GCFA, GDAT, CEH, or equivalent advanced security certifications.
  • Experience building or significantly maturing a CTI program from foundational to advanced practices, including development of governance structures, PIR frameworks, and intelligence product taxonomies.
  • Proficiency in scripting and automation (Python, PowerShell, or equivalent) for threat data enrichment, collection automation, and reporting pipelines.
  • Experience with TLP governance, formal intelligence sharing agreements, and operating within trusted community frameworks (H-ISAC, FS-ISAC, or equivalent sector ISACs).
  • Familiarity with capital program management, budget management support, and vendor contract management in an enterprise security context.

Responsibilities

Program Leadership & Governance

  • Lead the CTI program strategy, roadmap, and continuous maturation plan, driving the program from a foundational state toward advanced and leading practices across all CTI Framework domains.
  • Chair the CTI Working Group and serve as the primary CTI representative to the CTI Steering Committee, presenting program performance, intelligence outcomes, and KPI results to the CISO and executive stakeholders on the established cadence.
  • Maintain and annually refresh the Intelligence Requirements Document (IRD) and Priority Intelligence Requirements (PIRs) across all three intelligence tiers ensuring collection and production remain aligned with evolving organizational risk priorities and stakeholder needs.
  • Define, track, and report program KPIs including PIR collection coverage, intelligence utilization rates, SLA adherence, stakeholder satisfaction scores, and strategic intelligence production metrics, providing transparent performance visibility to leadership.
  • Support CTI program budget planning and manage vendor relationships and platform licensing in coordination with the CISO and procurement, ensuring capital assets are maintained, optimized, and protected.

Intelligence Production & Quality

  • Provide oversight and quality assurance across all CTI intelligence products, ensuring tactical, operational, and strategic outputs meet defined standards for accuracy, relevance, timeliness, and actionability.
  • Lead production of high-complexity strategic intelligence products including Quarterly Threat Landscape Reports, Annual Threat Assessments, Executive Risk Briefings, and geopolitical risk analyses relevant to the U.S. and Ireland enterprise footprint.
  • Direct and review operational intelligence products including threat actor profiles, campaign analyses, and TTP assessments targeting the healthcare sector, ensuring findings are integrated into SOC detections, IR playbooks, and vulnerability management prioritization workflows.
  • Establish and enforce intelligence quality standards, structured analytical techniques, and production SLAs across all team outputs; conduct periodic product reviews and drive continuous improvement through Engineer feedback and stakeholder input.
  • Maintain authoritative expertise in adversary TTPs, healthcare-sector threat actors, and emerging attack methodologies, applying frameworks such as MITRE ATT&CK, Cyber Kill Chain and Diamond Model.

Collection Management & Technology

  • Oversee and optimize the CTI collection ecosystem, including commercial threat feeds, open-source intelligence (OSINT), dark web monitoring, H-ISAC and relevant ISAC participation, and internal telemetry ingestion from sources such as SIEM, EDR, and firewalls.
  • Govern Threat Intelligence Platform (TIP) architecture and integration health, ensuring data flows between the TIP and SIEM, SOAR, and EDR platforms are operational, documented, and continuously monitored.
  • Manage information sharing relationships with H-ISAC, peer healthcare organizations, and public sector partners (CISA, FBI), ensuring reciprocal intelligence exchange and compliance with Traffic Light Protocol (TLP) classification standards and applicable sharing agreements.
  • Drive automation and integration initiatives to reduce manual collection and processing burden, improve intelligence velocity, and expand program coverage.

Team Leadership & Development

  • Lead, mentor, and develop a team of CTI Engineers, providing technical guidance, structured feedback, and career development support to build individual tradecraft and collective program capability.
  • Establish and maintain a structured Engineer onboarding curriculum covering CTI lifecycle, tools, collection procedures, analysis methodologies, and report writing standards; support Engineer pursuit of industry certifications such as GCTI and CTIA.
  • Foster a culture of analytical rigor, continuous learning, and intelligence-led thinking; encourage application of structured analytical techniques.
  • Collaborate on platform development, automation pipelines, and technical infrastructure, providing programmatic direction and ensuring technical work is aligned with intelligence requirements and program objectives.

Stakeholder Engagement & Cross-Functional Integration

  • Serve as the senior CTI point of contact for SOC, Incident Response, Vulnerability Management, Risk, Compliance, Legal, Third-Party Risk, and other teams, ensuring CTI outputs are consumed, acted upon, and provide measurable value across security and business functions.
  • Lead CTI engagement in active incident response investigations, providing attribution analysis, actor context, predictive next-step assessments, and post-incident intelligence review to improve detection and response for future events.
  • Provide intelligence support to brand protection, third-party risk management, and compliance initiatives, translating threat intelligence into risk context relevant to each function’s decision-making needs.
  • Deliver regular stakeholder briefings and education sessions to ensure intelligence consumers across SOC, leadership, and business units understand how to interpret CTI products, submit intelligence requirements, and provide structured feedback.

Compliance & Documentation

  • Ensure all CTI activities, products, and data handling practices comply with applicable governance, including HIPAA, HITECH, HITRUST, PCI-DSS, NIST 800-53/61/150, and GDPR requirements.
  • Maintain comprehensive program documentation including SOPs, platform runbooks, collection management frameworks, sharing agreements, and governance records; ensure documentation is current, accessible, and audit ready.
  • Support internal audits, regulatory examinations, and third-party assessments requiring evidence of CTI program operations, controls, and effectiveness.