Cyber Threat Intelligence & Data Manager, Top Secret

The Cyber Threat Intelligence & Data Management Lead oversees teams that collect, process, organize, and analyze cyber threat data transforming it into actionable intelligence that informs decision‑makers and strengthens national cyber defense. In this role, the successful candidate governs TIP data quality and tagging, manages the intelligence production cycle, and drives targeted notifications, RFIs, dashboards, and event‑driven reporting that enhances threat visibility and mission impact. The candidate directs operations within a threat intelligence platform (TIP), ensuring analysts can receive, share, enrich, correlate, and disseminate timely intelligence to reduce cyber risk across various agencies to such as, FCEB agencies, SLTT partners, and critical infrastructure sectors.

Key Responsibilities

Cyber Threat Intelligence (CTI) Operations Leadership

• Oversee teams delivering strategic, operational, and tactical CTI products

• Enhance national situational awareness by directing monitoring, aggregation, and correlation of cyber incident reports

• Sustain real‑time CTI exchange by coordinating with internal components, FCEB agencies, and external partners to maintain an accurate, timely, and shared threat picture across the full threat lifecycle.

• Detect and characterize threats by continuously monitoring intelligence, media, law enforcement, and third‑party data feeds within the TIP to identify incidents, vulnerabilities, and malicious activity.

TIP & Data Management Governance

• Ensure continuous, reliable operation of the TIP by managing ingestion pipelines, maintaining data quality, and sustaining platform performance .

• Operate robust tipping and queuing workflows (manual and automated) in the TIP, routing, enriching, triaging, and disseminating inbound/outbound intelligence.

• Maintain TIP data integrity via accurate tagging, metadata management, traceability, and feed normalization, adhering to standards such as STIX, JSON, and MISP formatting.

• Implement tagging governance (multi‑tag, rule‑based, hierarchical), including TLP designations, source/analyst attribution, and threat context to support consistent access control and data lineage.

Analytic Frameworks & Requirements Alignment

• Apply recognized analytic models and frameworks—MITRE ATT&CK, Diamond Model, Cyber Kill Chain—to structure intelligence, map adversary behavior, and align reporting to Priority Intelligence Requirements (PIRs) and Threat Branch Information Needs (INs).

• Strengthen threat prioritization by correlating activity, vulnerabilities, and attack surfaces across sectors and threat groups to support campaign tracking, risk scoring, and intelligence‑driven resource allocation.

• Identify and prioritize intelligence requirements for the Threat Branch, tagging reporting to INs nested under PIRs.

Intelligence Production Cycle & Targeted Notifications

• Manage the full intelligence production cycle—topic formation, proposal, development, coordination, review, approval, and dissemination—ensuring compliance with analytic standards.

• Review intelligence products for analytic rigor, technical accuracy, and conceptual soundness.

• Produce targeted notification packages that are timely, accurate, and actionable, integrating classified and unclassified reporting.

• Oversee the issuing, triage, and tracking of RFIs in the TIP, maintaining timely responses, status visibility, and stakeholder coordination.

• Capture customer feedback on threat intelligence products and integrate insights into continuous improvement to enhance relevance, clarity, and mission impact.

Cyber Defense Support & Cross‑Functional Integration

• Strengthen national cyber defense by overseeing continuous monitoring, triage, investigation, and reporting of cybersecurity events and incidents across FCEB, SLTT, and critical infrastructure environments.

• Document all analysis in required formats—ticketing entries, knowledge articles, external reports, incident response playbooks.

• Accelerate threat discovery by directing development of custom scripts and AI/ML‑enabled analytic techniques.

• Create, deploy, and refine detection logic and policies used across monitoring tools and platforms; maintain enterprise‑level incident response and hunt analysis baselines for each supported environment.

SOPs, Training, and Source Repository Management

• Develop, document, and maintain repeatable SOPs and working instructions for targeted notifications and production workflows; train new personnel on current processes and tools.

• Maintain a curated repository of classified and unclassified sources, ensuring traceability and timely aggregation of threat reporting that enables targeted notification and production activities.

• Monitor global events and provide event‑driven intelligence within the TIP, assessing implications of new laws, geopolitical shifts, and natural incidents for CIKR.

• Support exercises and real‑time incident response with TIP‑enabled intelligence, delivering rapid assessments, briefings, and coordination that increase detection, containment, and remediation effectiveness.

Required Qualifications

• Experience leading CTI operations and data management for large‑scale federal or critical‑infrastructure cybersecurity programs.

• Demonstrated ability to oversee TIP operations, data governance, ingestion pipelines, tagging standards, and intelligence production workflows.

• Strong knowledge of analytic frameworks (ATT&CK, Diamond Model, Kill Chain), threat prioritization, and targeted notification practices.

• Experience managing RFIs, dashboards/visualizations, and event‑driven reporting for leadership decision support.

• Excellent communication skills and the ability to drive continuous improvement across CTI products and processes.

• Ten years of overall cybersecurity experience with 5 years of management of cybersecurity teams

Preferred Qualifications

• Experience supporting CISA, DHS, or national‑level cyber missions.

• Familiarity with STIX/JSON/MISP data formats, TLP tagging governance, and NCISS scoring methods.

• Relevant certifications (e.g., GCTI, CISSP, GCIA, GREM, CDMP) and experience with AI/ML‑enabled detection analytics.

• Background integrating CTI with incident response, hunt operations, and vulnerability management programs.

GDIT IS YOUR PLACE

• 401K: With company match.

• Health & Wellness: Comprehensive health and wellness packages.

• Career Growth: Internal mobility team dedicated to helping you own your career.

• Professional Development: Growth opportunities including paid education and certifications.

• Innovative Tech: Access to cutting-edge technology to stay ahead of the mission.

Work-Life Balance: Rest and recharge with paid vacation and holidays