John Doyle

John Doyle has over 14 years of experience in the cybersecurity field. He has spent the past 11 years working in cyber threat intelligence, primarily for the U.S. government. John is currently a Principal Analyst at FireEye Mandiant, where his main role is to track intrusion activities from Russian and North Korean cyber threat groups.

More About John


John previously served as the team lead for a transnational and emerging cyber technology team that, in addition to driving intelligence collection and analytic production, examined the implications of paradigm shifts in the cyber threat landscape. John would often provide support to combat large-scale cyber-attacks, including such notable attacks as WannaCry, NotPetya, and OlympicDestroyer.

John’s cybersecurity interests largely reside in understanding adversary operations and tradecraft by analyzing forensic artifacts, and in enriching data to provide actionable intelligence.

John has developed and taught cybersecurity and cyber threat courses for more than five years at FireEye Mandiant, within the U.S. government, and at George Mason University. He decided to start teaching at SANS because he believed that’s where he could have the greatest impact in empowering, educating, and equipping the next generation of cyber defenders and analysts.

“I am passionate about instruction, and I believe that anyone with enough passion, dedication, and willingness can master the core skills and competencies required to perform cyber threat intelligence analysis.” he explains. John believes that his role as instructor of the SANS FOR578: Cyber Threat Intelligence course allows him to draw on his experience in the field to teach the core skills and tools of the trade to track and combat an ever-evolving and growing number of cyber threat actors.

John has often found that students who take cyber threat intelligence courses tend to come either from a traditional intelligence analysis background, where cyber security concepts are new, or from a cybersecurity background, where analytic tradecraft concepts are new. In his teaching, he bridges this gap by providing useful insights to help students understand traditional intelligence analysis tradecraft and its application using different data sets to support multiple cybersecurity missions; the complexities involved in tracking clusters of intrusion activities over time; and the forensic psychology involved because there are humans behind these cyber operations and, as a result, patterns can be established that identify their unique operational fingerprints.

Finally, John’s classes are participatory, drawing on the knowledge of the students as well as the teacher. “I tend to draw out student experiences as a way to augment teaching so that we learn from the work and experience we all have in order to grow the collective knowledge base together as a community,” he says.

In his spare time John enjoys rock climbing jogging, biking, painting, craft beer, and whiskey.

Get to know John Doyle:

  • SANS Instructor for the FOR578: Cyber Threat Intelligence course
  • More than 14 years of experience in the cybersecurity field, with the past 11 years working in cyber threat intelligence.
  • Covered North Korean, Russian, Chinese, and Iranian intrusion sets, as well as cyber-adjacent topics such as companies offering turnkey cyber espionage capabilities and hacking on behalf of a government.
  • Received several awards for innovation in intelligence analysis, including for his use of non-traditional data sources to derive novel insights about cyber actors and for developing a training curriculum for cyber threat analysts.
  • He is currently a Principal Analyst at FireEye Mandiant.


  • GCTI - Cyber Threat Intelligence
  • GDAT - GIAC Defending Against Advanced Adversaries
  • GCFA - GIAC Certified Forensic Analyst
  • GCFE - GIAC Certified Forensic Examiner
    GNFA - GIAC Certified Network Forensics Analyst
    GPEN - GIAC Certified Penetration Tester
  • CISSP® - Certified Information Systems Security Professional