RiskIQ is the leader in attack surface management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 75 percent of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social and mobile exposures. Trusted by thousands of security analysts, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk and take action to protect the business, brand, and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners and MassMutual Ventures.

We are looking for a Senior Cyber Intelligence Analyst to join our i3 team. This position can be based at our office in Lenexa, KS or remotely anywhere in the US. 

The Role
The Incident Investigations and Intelligence (i3) Program within RiskIQ is built to oversee managed services for clients' External Threats and Executive Guardian product workspaces. Executive Guardian is designed to protect C-Suite and high-net-worth individuals from physical threats, exposures of Personally Identifiable Information (PII), and instances of social media account impersonation, thereby safeguarding the individual, their reputation, family, and by extension, the company. External Threats protects clients from phishing attacks, domain infringement, mobile app impersonation, social & brand impersonation, and data leakage. The i3 Senior Cyber Intelligence Analyst (SCIA) is responsible for leading time-sensitive, TLP:Red-level cyber investigations while working with a team of intelligence analysis professionals. Additionally, the SCIA will analyze advanced, targeted instances of phishing and impersonation of domain, social media and brand as well as data leaks to provide deeper intelligence around infrastructure, threat actors and groups (APTs), and provide finished intelligence to clients while also working with clients to better understand how to derive intelligence out of the RiskIQ platform. The SCIA will also oversee and participate in the production and dissemination of time-sensitive cyber threat analysis relevant to the security of clients, their corporate assets and operations. The SCIA is technically proficient and is able to lead the team as a strong individual contributor when needed. The SM must be proactive, consultative, and business-minded using both available open source and proprietary data sets to confidently develop technical and innovative solutions in response to client needs, and to attribute virtual threat actors with their actions as threats arise. This is a high-visibility, client-facing role with opportunity for growth within RiskIQ.


  • Effectively lead cyber investigations around events surfaced in the RiskIQ platform looking for relevant threat
    actor infrastructure, IOCs, and TTPs
  • Advise stronger configuration of technical collection in the ET and EG platforms to identify data on the web
    in accordance with client security expectations
  • Maintain and review complex detection logic and offer tuning suggestions based on the quality/volume of
  • Review and appropriately escalate detections based on the urgency of the discovered data/threat
  • Collaborate with i3 analysts working in the EG and ET platforms to conduct security/threat investigations into
    threat actors and their activities world-wide, using industry tools and proprietary information to attribute
    threat actors
  • Assist in the production and review of threat analysis for dissemination to consumers on the safety and
    security of clients, assets and operations, including threat profiles, impact assessments and mitigation
  • Ensure clear, concise and timely responses to requests for information (RFI) from clients
  • Include solution-oriented recommendations in all analyses, as appropriate
  • Identify opportunities to predict and prevent future security issues and/or incidents via analytic trends
  • Collaborate with client security teams to constantly improve analytic standards, workflows, and success
    metrics and develop/improve analytic and technical products as appropriate
  • Collaborate with RiskIQ Legal and Engineering teams to ensure appropriate mitigation of identified risks


  • Bachelor's degree required; Master's preferred
  • Professional experience in Cyber Threat Intelligence best practices to include identification of IOC types,
    TTPs, indicator pivoting, and indicator attribution strength
  • Technical skill proficiency in network communications (TCP/IP, OSI Model), malware
    analysis (communication/installation/behavior) and computer network defense operations
  • Familiarity with social media investigative tools with exceptional research skills around online behaviors
    and attribution of online threat actors
  • Technical proficiency with open source intelligence (OSINT) research tools
  • Strong written and verbal communication skills
  • Experience managing multiple projects, and the ability to flex quickly as required by evolving corporate
  • Technical proficiency with applications such as CrowdStrike, Splunk, Maltego, PassiveTotal®
  • Familiarity with Threat Models such as MITRE ATT&CK®, Diamond Model and Cyber Kill Chain®
  • Ability to function as a strong individual contributor using technical cybersecurity/threat intelligence skills
  • Understanding of investigative analysis, and communicating findings to consumers
  • Proficient knowledge in any of the following: JavaScript, SQL, Regex and/or Python3
  • Approximately 5-20% global travel required

Desired Experience

  • Previous cyber-investigations or US intelligence community targeting experience highly preferred
  • Advanced knowledge of JavaScript, SQL, Regex and/or Python a plus
  • Ability to obtain a US Security Clearance

Why work at RiskIQ?

  • Fascinating work - Welcome to the dark underbelly of the Internet. RiskIQ’s ability to help organizations map and monitor their attack surface, detect internet-scale threats, and investigate adversaries led to skyrocketing adoption by security teams around the world. It is the golden age of internet crime, and we are at the forefront of defensive efforts to stem the tide. Internet security is a global growth industry, and the knowledge you acquire here will be a marketable skill for decades to come.
  • We’re a company on the forefront of a burgeoning industry - RiskIQ experienced explosive growth in 2018, including a 362.5 percent increase in net new product sales due to the steady adoption of attack surface management across the world. We also experienced a 365 percent increase in registration for RiskIQ community, our freemium entry-level product, showing the increasing role of security outside the firewall to the growth of businesses.
  • Top Leadership - Our CEO is a renowned cybersecurity veteran known for his expertise. Our leadership group is poised and experienced with a track record in technology and cybersecurity.
  • Unbounded opportunity - We’re growing! At RiskIQ, you’ll be provided with as much responsibility as you can handle—new career development opportunities constantly arise given our rate of growth.
  • Flexibility - You’ll have a large workload, but also the freedom to accomplish it on your own terms.

U.S. Equal Opportunity Employment Information (Completion is voluntary)

Individuals seeking employment at RiskIQ are considered without regard to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. You are being given the opportunity to provide the following information in order to help us comply with federal and state Equal Employment Opportunity/Affirmative Action record keeping, reporting, and other legal requirements.

Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.