Reference Quantity: ST0114

Particulars of normal

Role profile


The first position of a Cyber Intrusion Analyst is to detect breaches in community safety for escalation to incident response or different decided perform. An Intrusion Analyst will sometimes use a variety of automated instruments to watch networks in actual time, will perceive and interpret the alerts which might be mechanically generated by these instruments, together with integrating and correlating info from quite a lot of sources and in several kinds and the place essential search extra info to tell the Analyst’s judgement on whether or not or not the alert represents a safety breach. When an Analyst has determined {that a} safety breach has been detected, she or he will escalate to an incident response group, or different decided motion, offering each notification of the breach and proof with reasoning that helps the judgement {that a} breach has occurred. An Analyst will sometimes work as a part of a group (or could lead a group) and can work together with exterior stakeholders, together with prospects and third occasion sources of risk and vulnerability intelligence and recommendation.

Typical job roles:

Safe Operations Centre (SOC) Analyst, Intrusion Analyst, Community Intrusion Analyst, Incident Response Centre (IRC) Analyst, Community Operations Centre (NOC) Safety Analyst

Entry necessities

Particular person employers will set the choice standards, however that is prone to embody A’ Ranges, stage 3 apprenticeship or different related qualification related expertise and/or a flair take a look at with a concentrate on practical maths.

Technical competencies

  • Integrates and correlates info from numerous sources (together with log information from completely different sources, community monitoring instruments, Safe Info and Occasion Administration (SIEM) instruments, entry management methods, bodily safety methods) and evaluate to identified risk and vulnerability knowledge to kind a judgement based mostly on proof with reasoning that the anomaly represents a community safety breach.
  • Recognises anomalies in noticed community knowledge constructions (together with. by inspection of community packet knowledge constructions) and community behaviours (together with by inspection of protocol behaviours) and by inspection of log information and by investigation of alerts raised by automated instruments together with SIEM instruments.
  • Precisely, impartially and concisely data and stories the suitable info, together with the flexibility to jot down stories (inside a construction or template supplied).
  • Recognises and identifies all the primary regular options of log information generated by typical community home equipment, together with servers and digital servers, firewalls, routers.
  • Recognises and identifies all the primary options of a usually working community layer (together with TCP/IP, transport and session management or ISO OSI layers 2-5), together with knowledge constructions and protocol behaviour, as introduced by community evaluation and visualisation instruments.
  • Makes use of and results primary configuration of the required automated instruments, together with community monitoring and evaluation instruments, SIEM instruments, correlation instruments, risk & vulnerability databases.
  • Undertakes root trigger evaluation of occasions and make suggestions to cut back false positives and false negatives.
  • Interprets and follows alerts and advisories provided by sources of risk and vulnerability (together with OWASP, CISP, open supply) and relate these to regular and noticed community behaviour.
  • Undertakes personal analysis to search out info on risk and vulnerability (together with utilizing the web).
  • Manages native response to non-major incidents in accordance with an outlined process.
  • Interacts and communicates successfully with the incident response group/course of and/or buyer incident response group/course of for incidents.
  • Operates in line with service stage agreements or employer outlined efficiency targets.

Technical information and understanding

  • Understands IT community options and capabilities, together with digital networking, rules and customary follow in community safety and the OSI and TCP/IP fashions, and the perform and options of the primary community home equipment
  • Understands and may utilise at the very least three Working System (OS) safety capabilities and related options.
  • Understands and may apply the foundations of knowledge and cyber safety together with: explaining the significance of cyber safety and primary ideas together with hurt, id, confidentiality, integrity, availability, risk, danger and hazard, belief and assurance and the ‘insider risk’ in addition to explaining how the ideas relate to one another and the importance of danger to a enterprise.
  • Understands and may suggest acceptable responses to present and new assault strategies, hazards and vulnerabilities related to the community and enterprise surroundings.
  • Understands and may suggest cope with rising assault strategies, hazards and vulnerabilities related to the community and enterprise surroundings.
  • Understands lifecycle and repair administration practices to Info Know-how Infrastructure Library (ITIL) basis stage,
  • Understands and may advise others on cyber incident response processes, incident administration processes and proof assortment/preservation necessities to assist incident investigation.
  • Understands the primary options and applicability of regulation, rules and requirements (together with Information Safety Act/Directive, Pc Misuse Act, ISO 27001) related to cyber community defence and follows these appropriately.
  • Understands, can adhere to and may advise on the moral tasks of a cyber safety skilled.

Underpinning abilities, attitudes and behaviours

  • Logical and inventive pondering abilities
  • Analytical and downside fixing abilities
  • Potential to work independently and to take accountability
  • Can use personal initiative
  • An intensive and organised strategy
  • Potential to work with a variety of inside and exterior individuals
  • Potential to speak successfully in quite a lot of conditions
  • Keep productive, skilled and safe working surroundings
  • Potential to interpret written necessities and technical specification paperwork
  • Efficient phone and e mail abilities, together with capacity to speak successfully with strangers beneath strain, together with reporting a safety breach


Apprentices should obtain every of the Ofqual-regulated Data Modules, as summarised beneath. Additional particulars can be found within the occupational temporary accessible from

Data Modules

  • Data Module 1: Networks (for stage 4 Cyber Intrusion Analyst Apprenticeship)
  • Data Module 2: Working Methods (for stage 4 Cyber Intrusion Analyst Apprenticeship)
  • Data Module 3: Info and Cyber Safety Foundations (for stage 4 Cyber Intrusion Analyst Apprenticeship)
  • Data Module 4: Enterprise Processes (for stage 4 Cyber Intrusion Analyst Apprenticeship)
  • Data Module 5: Legislation, Regulation and Ethics (for stage 4 Cyber Intrusion Analyst Apprenticeship

English and Maths

Degree 2 English and maths will should be achieved, if not already, previous to taking the top level evaluation.

Skilled recognition:

This apprenticeship is recognised for entry to IISP Affiliate Membership and for entry onto the Register of IT Technicians confirming SFIA stage 3 skilled competence. These finishing the apprenticeship are eligible to use for registration.


The length of this apprenticeship is often 24 months.


This can be a stage 4 apprenticeship.

Review date:

This normal will probably be reviewed in 3 years.

Crown copyright © 2022. You might re-use this info (not together with logos) freed from cost in any format or medium, beneath the phrases of the Open Authorities Licence. Go to


Leave a Reply

Your email address will not be published. Required fields are marked *