Peraton

Senior Cyber Threat Analyst / Active TS/SCI

Job description:

Required

  • Bachelor’s degree (STEM/Business Admin) and a minimum of 5 years of cyber threat analysis and intelligence experience; or an associate’s degree and a minimum of 7 years specialized experience; or 11 years of experience (no degree)
    • Must meet TESA Qualifications
  • DoW 8140 - Cybersecurity (Cyber Defense Analyst) - Advanced
  • Certifications — must hold active certifications (one of the following):
    • GNFA (GIAC Network Forensic Analyst)
    • GCIH (GIAC Certified Incident Handler)
    • GCTI (GIAC Cyber Threat Intelligence)
    • GDSA (GIAC Defensible Security Architecture)
    • GCDA (GIAC Certified Detection Analyst)
    • GREM (GIAC Reverse Engineering Malware)
    • Blue Team Level 2
    • Microsoft Certified: Cybersecurity Architect Expert
    • Zero Point RTO
    • OSDA (Offensive Security Operations and Defensive Analysis)
  • Demonstrated experience in threat analysis of vulnerabilities and penetration techniques; expert knowledge of network logs (firewall, PCAP, NetFlow, Zeek, DNS, web proxy); alert and activity correlation; network diagram review; RAM/system dump analysis; and cyber threat awareness product development
  • U.S. citizenship required
  • Active DoW TS/SCI security clearance

Preferred

  • Expert proficiency with Zeek/Bro for network security monitoring and custom script development for traffic analysis
  • Experience with NetFlow analysis tools (SiLK, nfdump, Elastic) for large-scale network behavior analysis and anomaly detection
  • Advanced Wireshark skills for deep packet inspection and protocol-level adversary activity reconstruction
  • Strong working knowledge of the MITRE ATT&CK framework for threat modeling, TTP mapping, and detection gap identification
  • Experience with threat intelligence platforms (MISP, OpenCTI, Anomali) for IOC management and intelligence sharing
  • Proficiency with Elastic Stack or Splunk for log aggregation, correlation, and threat hunting query development
  • Experience with memory forensics tools (Volatility, Rekall) for RAM dump analysis and malware artifact extraction
  • Familiarity with structured analytic techniques and intelligence community reporting standards for finished product development

Location: On-site, Wiesbaden, Germany

Responsibilities

  • Analyze advanced persistent threat (APT) activity targeting DoDIN-Europe by correlating indicators from multiple intelligence sources, network telemetry, and endpoint data to characterize adversary campaigns and assess risk to Army operations
  • Produce finished cyber threat intelligence products — including threat assessments, trend analyses, and adversary TTP reports — tailored for both technical operators and senior Army leadership at RCC-E and NETCOM
  • Perform expert-level analysis of network logs including firewall events, PCAP captures, NetFlow records, Zeek/Bro connection logs, DNS query logs, and web proxy data to reconstruct adversary activity and identify lateral movement or exfiltration
  • Conduct RAM and system memory dump analysis to identify malicious processes, injected code, persistence mechanisms, and artifacts of compromise that may not be visible through traditional log-based analysis
  • Lead and support proactive threat hunting operations across RCC-E-managed networks, developing hypothesis-driven hunt packages based on current threat intelligence and MITRE ATT&CK TTPs to uncover undetected adversary activity
  • Develop cyber threat awareness products and briefings for distribution to supported Army units, providing actionable intelligence on emerging threats, vulnerabilities, and recommended defensive measures relevant to the USAREUR-AF operational environment


Job information

  • Publication date: 19 Apr 2026
  • Location: Wiesbaden
  • Type: Full-time
  • Work model: On-site
  • Category:
  • Experience: 2+ years
  • Employment status: Employee
