Threat Intel · Domain 07/10

Threat Intelligence & OSINT

The closest cyber role to investigative journalism. Research, verify, write.

No code required · 9–18 months · Remote · Media transfer
01 · A realistic Tuesday

What the day actually looks like.

Read the morning intel feed (Recorded Future, Mandiant, The Record, X, niche Telegram). Pivot a suspicious domain through VirusTotal, urlscan.io, DomainTools, Maltego, Shodan. Verify a screenshot circulating on X with reverse image search and EXIF; cross-reference with breach forums. Write a tactical brief for the SOC, an operational report on a campaign, or a one-paragraph executive summary for the CISO. Writing is 40–60% of the job. The OSINT–journalism overlap is direct.

02 · Who hires

Where the work lives.

Recorded Future · Mandiant · CrowdStrike · Flashpoint · Intel 471 · Group-IB · Bellingcat · Amnesty Tech · OCCRP · Meta TAG · Google TAG · TikTok · Cloudflare
03 · Skills

What you actually need.

Technical
  • Search operators (Google, X, Telegram) · transferable

    Researchers already have this.

  • Maltego CE / SpiderFoot / Shodan / Censys / Hunchly
  • MITRE ATT&CK / Diamond Model
  • OPSEC (sock puppets, VMs, Tails)
  • Archive.org + reverse image search · transferable
Soft
  • Source verification · transferable

    Documentary fact-checking transfers verbatim.

  • Narrative writing · transferable

    A great threat report is a great article.

  • Social-platform fluency · transferable

    TikTok/IG/X investigation skill is rare and paid.

  • Visual literacy · transferable

    Editor's eye spots the photoshop.

  • OPSEC discipline
04 · Career ladder

The shape of the journey.

  1. Junior / OSINT / Trust & Safety Analyst · 0–2 yr
  2. CTI Analyst II · 2–4 yr
  3. Senior CTI / Adversary Hunter · 4–8 yr
  4. Head of Threat Intelligence · 8–15 yr

9–18 months to break in

Note. Times reflect typical paths for someone with strong communication and 10–15 hrs/week of focused study.

05 · Salary explorer

What it pays.

Ranges are directional. Currency: USD · annual. Last updated: 2025.

06 · Certifications

The cert sequence that won't bankrupt you.

Trace Labs CTFs

Trace Labs

Free missing-persons OSINT CTFs. The single best portfolio builder.

Free starter
Free

Bellingcat Online Open Source Investigations Toolkit

Bellingcat

Free, comprehensive, and respected by employers.

Free starter
Free

Amnesty Open Source Investigations course

Amnesty International

Mission-driven entry path.

Free starter
Free

Security+

CompTIA

Vocabulary baseline.

Recommended
$404 · ₦606k

TCM PORP (Practical OSINT Research Professional)

TCM Security

Hands-on, well-respected, affordable.

Recommended
$300 · ₦450k

IntelTechniques OSIP

IntelTechniques

Michael Bazzell's certification — gold standard if employer-funded.

Nice-to-have
$949 · ₦1424k

SANS GCTI / GIAC

SANS

Employer-funded only. Never self-fund SANS.

Eventually needed
$9800 · ₦14700k
07 · Remote-friendliness

Working from Lagos, Abuja, or anywhere.

5/5

US-cleared roles are off-limits to non-US persons. Commercial vendors and NGOs are wide open. The Lagos timezone aligns with London and partially overlaps US East.

08 · Trade-offs

The good, the gritty, and who this suits.

Pros
  • Closest cyber role to journalism.
  • Strong USD potential.
  • Mission-driven options at Amnesty, Bellingcat, OCCRP.
Cons
  • Severe local-vs-remote pay gap.
  • Exposure to disturbing content.
  • Strict OPSEC discipline required.
Personality fit

If you've ever pieced together a story from screenshots and a reverse image search, you already do this work — they just call it something else.

09 · Watch this

Three to five hours that beat any cert.

Open source intelligence with Bellingcat's Giancarlo Fiorella

Reuters Institute

Why watch. How Bellingcat actually does the work.

Presenting: The Bellingcat Online Open Source Investigations Toolkit

Bellingcat

Why watch. Tool walkthrough — your starter kit.

OSINT: You can't hide

NetworkChuck

Why watch. Approachable intro to the field.

10 · Next step for this path

Do this by Friday.

This weekend: enter the next free Trace Labs CTF (they run roughly monthly). Document your methodology in a public Notion page. That's your portfolio piece.