Full route detail

DFIR & Threat Intelligence

When the alert is real. Forensics, IR, malware analysis, threat intel. SANS/GIAC biased.

Last reviewed May 2026·Reviewed by a practitioner working in incident responder / junior dfir analyst hiring·Updated quarterly against live job listings

First role

Incident Responder / Junior DFIR Analyst

Timeline

2–4 years from junior SOC

Difficulty

High

Salary

$110–180k

Phased progression

Foundations → first role → specialisation → advanced. The realistic order, not a script.

010–6 months
Foundations
Literacy, lab habits, the cert that opens first conversations.
GCIH
026–18 months
First paid role
Land a Incident Responder / Junior DFIR Analyst. Operational time, not more certs, earns the next move.
Incident Responder / Junior DFIR Analyst
$110–180k
031.5–3 years
Specialisation
Add a specialist credential aligned to the work you're already doing.
GCFAGREM
$110–180k
043+ years
Advanced
Move into adjacent roles. Long-term credentials become worth their cost.
Threat Intel AnalystGNFA
$110–180k

01Foundations
0–6 months
Literacy, lab habits, the cert that opens first conversations.
GCIH
02First paid role
6–18 months
Land a Incident Responder / Junior DFIR Analyst. Operational time, not more certs, earns the next move.
Incident Responder / Junior DFIR Analyst
$110–180k
03Specialisation
1.5–3 years
Add a specialist credential aligned to the work you're already doing.
GCFAGREM
$110–180k
04Advanced
3+ years
Move into adjacent roles. Long-term credentials become worth their cost.
Threat Intel AnalystGNFA
$110–180k

Certification sequence

Ordered by realistic relevance, not vendor marketing.

Primary

GCIH
GCFA
GCIA

Supporting

GREM
CHFI

Long-term

GNFA

Practical projects

What to actually build, the portfolio that opens interviews.

Memory + disk forensics on a captured Windows image
MITRE ATT&CK mapping for a single intrusion set
Build an IR runbook for one realistic scenario (ransomware, BEC, web shell)

Adjacent roles (after this route)

Threat Intel AnalystMalware AnalystDetection Engineer

Alternative paths in

·Detection engineering instead of IR
·Threat intel via journalism / OSINT background

Realistic expectations

What no recruiter will tell you.

Misconception

That stacking certifications shortcuts the timeline. It doesn't. Operational time and a public portfolio are what compress the path.

Honest window

2–4 years from junior SOC is the realistic time to the first role on this route. Most people overshoot by 6–12 months. Plan for it; don't panic when it happens.

Back to your route Browse certifications Compare other routes All pathways