Cyberspace Defense Operations Specialist
Performs network defense operations to protect Air Force information systems from cyber threats. Conducts vulnerability assessments, incident response, and defensive cyber operations.
“You'll defend Air Force networks from nation-state hackers — the ones with actual resources and patience who would make most civilian IT threats look like amateur hour. Cyber defense experience with a TS/SCI clearance is one of the most valuable combinations you can build in four years of service. The private sector compensation for cleared defensive cyber specialists has been climbing for a decade and shows no signs of stopping. You'll also be stationed somewhere with a gym that has actual equipment, which is not something you should take for granted.”
Network defense means monitoring for threats in environments where the most interesting events happen at 3 AM and the most common events are false positives and compliance documentation updates. You'll develop genuine expertise in an environment where the adversaries are real — nation-state APT groups running sustained campaigns against DoD infrastructure are not a training exercise. The classified constraint means the most interesting stories from your career are the ones you can never tell. The Cyberspace Operations career community is still figuring out its identity, culture, and promotion patterns as the Air Force works out what cyber means for the service long-term. The civilian market is strong and the transition is well-supported.
Execute the Job — By Rank
How you actually run this job at each rank: what you do, what you drill, which manuals you own, and what good looks like. Written for the soldier, sailor, airman, Marine, or Guardian currently in the seat. Each rank links into the full Playbook deep-dive: time-blocked schedules, unit-type variations, career decisions, and the read on the next rank.
AB/A1C
You are the newest set of eyes on the network — alert queue cannon fodder who is learning, fast, that most alerts are noise and the one that isn't will not announce itself.
You work the SIEM queue. Alerts come in; you triage them, correlate them against known-good baselines, and escalate anything that smells wrong. You run vulnerability scans with ACAS/Nessus under supervision and learn to read the output without panicking about every finding. You pull packet captures, read logs, and slowly build a mental model of what normal traffic looks like on the Air Force Information Network — because that map is the only thing that lets you spot the abnormal. You attend every tech talk, you earn your CompTIA Security+ before the AF deadline, and you shadow incident response actions without yet owning them.
1. SIEM alert triage (Splunk, ArcSight, or mission-equivalent)
2. Basic log analysis — Windows Event Log, Syslog, firewall logs
3. ACAS/Nessus vulnerability scan execution and output reading
4. OSI model and TCP/IP fundamentals at packet level
5. STIG checklist application on Windows and Linux endpoints
6. CompTIA Security+ and Network+ certification

- AFI 17-130, Cybersecurity Program Management
- DoD 8570.01-M / DoD 8140.01 (baseline certification requirements)
- NIST SP 800-53 (Security and Privacy Controls)
- MITRE ATT&CK Enterprise Matrix (foundational TTPs)

- Triage and disposition every assigned alert within shift window — no ticket ages out without documentation
- Achieve DoD 8140 IAT Level II certification (Security+) within required timeline
- Complete all assigned STIG checklists without supervisor prompting
- Document actions taken on every incident ticket — if it isn't written, it didn't happen

Common mistake: Closing an incident ticket after containment without completing root cause analysis — isolating the compromised host and removing the malware is containment, not eradication; the threat actor who phished a valid credential still has that credential and will return through the same vector until you invalidate it and find every system it touched.
A good AB/A1C 1D7 looks like someone who treats alert fatigue as a professional failure, not an inevitability. They build runbooks for the alerts they see repeatedly. They ask why a rule fired, not just whether to escalate. They read one MITRE ATT&CK technique write-up every week. By the time they pin on SrA, they know what normal looks like on their network better than some NCOs, and they have documented proof of every incident they touched.
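The triage loop described above (queue in, correlate against a known-good baseline, escalate what smells wrong, write down every disposition) as a small added example. This is not Air Force tooling or code from this page: the pipe-delimited log format, the Windows event IDs used as sample data (4625 failed logon, 4624 successful logon), the baseline set and the thresholds are assumptions constructed for the illustration. It also encodes the containment-vs-eradication point from the common mistake: a failed-logon burst followed by a success is escalated with the credential treated as compromised, not closed once the noisy source is blocked.

```python
"""Alert triage over Windows Security-style logon events (added example).

Not Air Force tooling: the pipe-delimited line format, the event fields and
the baseline below are assumptions constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp|event_id|account|source_ip|workstation
# 4625 = failed logon, 4624 = successful logon (Windows Security log IDs)
SAMPLE_LOG = """\
2026-02-10T03:02:11|4625|jdoe|10.10.5.23|WS-0412
2026-02-10T03:02:20|4624|jdoe|10.10.5.23|WS-0412
2026-02-10T03:14:00|4625|svc_backup|172.16.9.77|WS-0412
2026-02-10T03:14:08|4625|svc_backup|172.16.9.77|WS-0412
2026-02-10T03:14:15|4625|svc_backup|172.16.9.77|WS-0412
2026-02-10T03:14:23|4625|svc_backup|172.16.9.77|WS-0412
2026-02-10T03:14:31|4625|svc_backup|172.16.9.77|WS-0412
2026-02-10T03:14:40|4625|svc_backup|172.16.9.77|WS-0412
2026-02-10T03:15:02|4624|svc_backup|172.16.9.77|WS-0412
2026-02-10T03:20:00|4624|admin_k|10.10.5.23|WS-0099
2026-02-10T03:31:00|4624|jdoe|198.51.100.44|WS-0412
"""

# Known-good baseline (assumption): sources that normally originate logons
KNOWN_GOOD_SOURCES = {"10.10.5.23", "10.10.5.24"}

SEVERITY_ORDER = {"ESCALATE": 0, "REVIEW": 1, "CLOSE": 2}


def parse_events(text):
    """Turn raw lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, src, host = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "account": account, "src": src, "host": host})
    return sorted(events, key=lambda e: e["ts"])


def max_burst(times, window):
    """Largest number of (sorted) timestamps inside any sliding window."""
    best = 0
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def triage(events, baseline, fail_threshold=5, window=timedelta(seconds=60)):
    """Disposition every (account, source) pair and record the reason.

    Every pair gets a written disposition, including the ones closed as
    noise: an undocumented close is indistinguishable from an unworked alert.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["account"], e["src"])].append(e)

    dispositions = []
    for (account, src), evs in by_pair.items():
        failures = sorted(e["ts"] for e in evs if e["id"] == 4625)
        successes = sorted(e["ts"] for e in evs if e["id"] == 4624)
        burst = max_burst(failures, window)
        success_after = bool(failures) and any(s > failures[-1] for s in successes)

        if burst >= fail_threshold and success_after:
            severity = "ESCALATE"
            reason = (f"{burst} failed logons in {window.seconds}s followed by success; "
                      "treat the credential as compromised until it is invalidated")
        elif burst >= fail_threshold:
            severity = "ESCALATE"
            reason = f"{burst} failed logons in {window.seconds}s (password guessing)"
        elif src not in baseline and successes:
            severity = "REVIEW"
            reason = "successful logon from a source outside the known-good baseline"
        else:
            severity = "CLOSE"
            reason = "within baseline and below failure threshold"
        dispositions.append({"account": account, "src": src, "severity": severity,
                             "reason": reason, "events": len(evs)})
    return sorted(dispositions, key=lambda d: SEVERITY_ORDER[d["severity"]])


if __name__ == "__main__":
    for d in triage(parse_events(SAMPLE_LOG), KNOWN_GOOD_SOURCES):
        print(f"{d['severity']:<8} {d['account']:<11} {d['src']:<15} {d['reason']}")
```

Run it as-is and the svc_backup burst from 172.16.9.77 sorts to the top as an escalation, the jdoe logon from an off-baseline address lands in review, and the two baseline logons close with a written reason. The thresholds are the part you tune per network; the habit of producing a reason string for every close is the part that should not change.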
SrA
You own your lane now. Triage isn't something you watch anymore — you run it, mentor the new ABs, and start doing the threat hunting that the alert queue doesn't show you.
You lead incident response actions for low-to-medium severity events from detection through recovery. You write the after-action report and brief the flight chief on what happened, what you did, and what the network looks like now. You run threat hunting missions using MITRE ATT&CK as your playbook — you pick a technique, pull the relevant telemetry, and determine whether you have evidence of it on the network. You manage STIG compliance for a defined system set and track remediation through closure. You mentor ABs on alert triage, log analysis, and the difference between a misconfigured endpoint and an actual intrusion. You start building toward GIAC certifications or CEH — not because the AF mandates it yet, but because the NCOs who advance fast all have them.
1. Incident response lifecycle — detection, containment, eradication, recovery, lessons learned
2. Threat hunting using MITRE ATT&CK TTPs against SIEM and EDR telemetry
3. Digital forensics basics — disk imaging, chain of custody, Autopsy or equivalent
4. Packet analysis with Wireshark — identify C2 beaconing, lateral movement, exfiltration patterns
5. Scripting for automation — PowerShell or Python for log parsing and triage acceleration
6. Vulnerability management lifecycle — scan, track, remediate, verify closure

- NIST SP 800-61 Rev 2, Computer Security Incident Handling Guide
- AFI 17-130, Cybersecurity Program Management
- MITRE ATT&CK Navigator — hunt hypothesis documentation
- CJCSI 6510.01F, Information Assurance and Support to Computer Network Defense

- Own low-to-medium severity incident response end-to-end, including written after-action report
- Complete at least one proactive threat hunt per quarter with documented hypothesis, methodology, and findings
- Maintain zero unmitigated critical STIGs on assigned system set
- Mentor at least one AB through first 90-day alert triage qualification

Common mistake: Treating threat hunting as a SIEM query exercise — real hunting starts with a hypothesis about adversary behavior drawn from intelligence, not from looking for alerts the detection rules already cover. If your hunt only finds what the rules would have found anyway, you haven't hunted anything.
A good SrA 1D7 owns their incidents instead of escalating them reflexively. They write after-action reports that go beyond "we found it and fixed it" to explain the full attack chain and what detection capability gaps it revealed. They have a GIAC cert or a clear plan to earn one. They are the person in the flight who built the Splunk dashboard that saves everyone an hour a shift, and they documented it so the next person can maintain it.
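One hunt of the kind the SrA section describes (pick a technique, pull the telemetry, decide whether there is evidence), worked as an added example rather than code from this page or any Air Force tool. The hypothesis is the one behind the "identify C2 beaconing" skill: an implant using ATT&CK T1071 (Application Layer Protocol) calls home on a near-fixed interval, so the gaps between its connections have very low variance, while browsing does not. The connection records, the field layout and the allowlist of known periodic services are constructed assumptions; the allowlist is the baseline that stops the hunt from "discovering" NTP every quarter.

```python
"""Hypothesis-driven hunt for C2 beaconing over connection telemetry (added example).

Not Air Force tooling. Hypothesis (ATT&CK T1071, Application Layer Protocol):
an implant calls home on a near-fixed interval, so the inter-arrival times of
its connections have very low variance; legitimate browsing does not.
The telemetry below is constructed; the record layout is an assumption.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def make_conns(start, src, dst, port, gaps_s):
    """Build constructed connection records (ts, src, dst, port) from gap sizes."""
    rows, t = [], start
    for gap in gaps_s:
        rows.append((t, src, dst, port))
        t += timedelta(seconds=gap)
    return rows


START = datetime(2026, 2, 10, 1, 0, 0)
# Constructed telemetry: one near-periodic external flow, one irregular
# browsing pattern, and one exactly periodic flow to an internal NTP server.
CONNS = (
    make_conns(START, "10.10.5.23", "203.0.113.10", 443, [300, 296, 304, 301, 299, 303, 298, 300])
    + make_conns(START, "10.10.5.24", "198.51.100.7", 443, [12, 140, 3, 400, 35, 9, 220, 60])
    + make_conns(START, "10.10.5.23", "10.10.0.5", 123, [64] * 8)
)
# Known periodic services (assumption): the baseline that keeps the hunt from
# re-discovering NTP, AV updates and similar every quarter.
KNOWN_PERIODIC = {("10.10.0.5", 123)}


def beacon_candidates(conns, min_conns=6, max_cv=0.15, allowlist=frozenset()):
    """Score each (src, dst, port) flow by the regularity of its connection gaps.

    cv = population standard deviation / mean of the inter-arrival gaps; the
    closer to 0, the more clock-like the flow. Allowlisted flows are reported
    as suppressed rather than dropped, so the write-up shows what was excluded.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in conns:
        by_flow[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in by_flow.items():
        if len(times) < min_conns:
            continue  # too few samples to say anything about periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if cv > max_cv:
            continue  # irregular: consistent with human-driven traffic
        findings.append({
            "src": src, "dst": dst, "port": port, "connections": len(times),
            "mean_gap_s": round(mean_gap, 1), "cv": round(cv, 3),
            "status": "suppressed" if (dst, port) in allowlist else "candidate",
        })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in beacon_candidates(CONNS, allowlist=KNOWN_PERIODIC):
        print(f)
```

The output is a hunt finding, not an alert: the 10.10.5.23 to 203.0.113.10 flow with a five-minute mean gap is a candidate to pivot on (what process owns the socket, what the payloads look like, whether other hosts show the same destination), and the NTP flow is listed as suppressed so the reviewer can see the allowlist did its job. If this hypothesis proves useful, the same regularity test is what a detection rule built from it would encode.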
SSgt
You are the technical backbone of the defensive cyber flight — the person who runs complex incidents, trains the junior Airmen, and translates threat intelligence into actionable detection rules.
You lead the response to high-severity incidents and coordinate with wing leadership, the Communications Squadron commander, and mission partners when the event warrants it. You write and tune SIEM detection rules based on threat intelligence reporting from 16th Air Force and CYBERCOM — you take a MITRE ATT&CK technique, find the telemetry gap, and build the rule that closes it. You own the vulnerability management program for the unit and brief leadership on risk posture monthly. You conduct digital forensics on compromised systems and preserve evidence in ways that survive legal scrutiny. You develop training plans for junior Airmen and run the flight's 5-level upgrade training. You start preparing yourself for functional management — understanding budget cycles, personnel actions, and what it means to be responsible for people, not just systems.
1. SIEM detection engineering — rule writing, tuning, false-positive reduction
2. Malware analysis basics — static and behavioral analysis in sandbox environments
3. Threat intelligence integration — translating ISAC feeds and IC reporting into detection content
4. Digital forensics and evidence preservation to legal/UCMJ standard
5. Vulnerability risk prioritization — CVSS scoring in operational context, not just raw score
6. Training program development — writing 5-level upgrade task qualification checklists

- AFI 17-101, Risk Management Framework for Air Force Information Technology
- DoDI 8500.01, Cybersecurity
- NIST SP 800-137, Information Security Continuous Monitoring
- MITRE ATT&CK Defender (MAD) detection guidance

- Lead all high-severity incident responses and produce executive summary brief within 24 hours of containment
- Maintain current threat intelligence feed integration — no detection content older than 90 days without review
- Zero Airmen under your supervision miss DoD 8140 certification milestones
- Monthly vulnerability posture brief to flight chief with trend analysis, not just raw numbers

Common mistake: Writing detection rules against indicators (specific IPs, hashes, domains) instead of behaviors — indicators rotate in hours; an adversary who burned one domain has ten more. Rules built on TTPs survive; IOC-based rules are obsolete before the shift ends.
A good SSgt 1D7 has a detection library they built and maintain. When a threat intelligence report drops about a new adversary TTP, they read it the day it arrives and have a hunt or a new rule in the queue by end of week. They brief the flight on what they found. Their Airmen pass upgrade training on schedule because the SSgt treated training as a primary duty, not a paperwork formality. They are the person that the flight chief sends to the hard problem.
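The indicator-versus-behavior point from the SSgt common mistake, shown as an added example over the same telemetry (not code from this page or from any Air Force or vendor detection platform). Two rules run side by side: one keyed on a domain and hash list as it stood on day one, the other on a parent/child process relationship that ATT&CK catalogues under T1566.001 delivery leading to T1059 execution (an Office application spawning a script interpreter). The process-creation events, field names, domains and hash strings are all constructed; they are not real indicators and the schema is not Sysmon's or any EDR's.

```python
"""Indicator-based versus behavior-based detection rules (added example).

Not Air Force or vendor tooling. Process-creation events below are
constructed; the field names are assumptions, not a Sysmon or EDR schema.
Both rules run over the same telemetry so the difference in durability shows.
"""

# IOC list as it stood on day one (constructed values, not real indicators)
BAD_DOMAINS = {"update-cdn.example"}
BAD_HASHES = {"CONSTRUCTED-HASH-1"}

# Behavior: an Office application spawning a script interpreter
# (ATT&CK T1566.001 delivery leading to T1059 execution)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe"}

# Constructed process-creation telemetry: e1 on day one, e2 after the adversary
# rotated infrastructure and tooling, e3/e4 benign activity.
EVENTS = [
    {"id": "e1", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "sha256": "CONSTRUCTED-HASH-1", "dst_domain": "update-cdn.example"},
    {"id": "e2", "parent": "EXCEL.EXE", "image": "mshta.exe",
     "sha256": "CONSTRUCTED-HASH-2", "dst_domain": "patch-sync.example"},
    {"id": "e3", "parent": "explorer.exe", "image": "powershell.exe",
     "sha256": "CONSTRUCTED-HASH-3", "dst_domain": None},
    {"id": "e4", "parent": "WINWORD.EXE", "image": "splwow64.exe",
     "sha256": "CONSTRUCTED-HASH-4", "dst_domain": None},
]


def ioc_known_bad(event):
    """Fires only on indicators already on the list."""
    return event["dst_domain"] in BAD_DOMAINS or event["sha256"] in BAD_HASHES


def ttp_office_spawns_script(event):
    """Fires on the parent/child relationship, whatever the payload or domain."""
    return (event["parent"].lower() in OFFICE_PARENTS
            and event["image"].lower() in SCRIPT_CHILDREN)


RULES = {
    "ioc_known_bad": ioc_known_bad,
    "ttp_office_spawns_script": ttp_office_spawns_script,
}


def evaluate(events, rules):
    """Return, per rule name, the ids of the events it fired on."""
    return {name: [e["id"] for e in events if rule(e)] for name, rule in rules.items()}


def missed_by(rule_name, reference_rule, events, rules):
    """Events the reference rule caught that rule_name did not: the IOC gap."""
    hits = evaluate(events, rules)
    return [i for i in hits[reference_rule] if i not in hits[rule_name]]


if __name__ == "__main__":
    for name, ids in evaluate(EVENTS, RULES).items():
        print(f"{name:<26} fired on {ids}")
    print("missed by IOC rule:",
          missed_by("ioc_known_bad", "ttp_office_spawns_script", EVENTS, RULES))
```

On day one both rules catch e1. After the rotation only the behavioral rule catches e2; the IOC rule is silent until someone updates the list, which is the 90-day review problem in miniature. The behavioral rule also stays quiet on e3 (an administrator launching PowerShell from the desktop) and e4 (Word spawning a print helper), which is the tuning work the skill list calls false-positive reduction: the parent and child sets are the knobs, and every exclusion you add to them should be written down with the reason.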
TSgt
You run the flight's day-to-day defensive cyber operations — you are the technical authority, the shift supervisor, the trainer of SSgts, and the person who briefs the DO when something important happens on the network.
You supervise the defensive cyber flight operations — you ensure the alert queue is staffed, incidents are being worked to standard, and the vulnerability management program is producing meaningful risk reduction, not just compliance checkmarks. You brief the squadron DO and Wing/CC on significant cyber events. You coordinate with 16th Air Force, JFHQ-DODIN, and USCYBERCOM during major incidents. You build and maintain the flight's metrics program — you know your mean time to detect and mean time to respond, and you brief those numbers honestly, including when they are bad. You mentor SSgts on the transition to NCO leadership and you ensure the flight's training program actually prepares Airmen for the mission. You represent the unit at Wing Cybersecurity Working Groups and advocate for the resources — personnel, tools, training — the mission requires.
1. Cyber operations metrics — MTTD, MTTR, detection coverage mapping against ATT&CK
2. Cross-functional coordination — working with network ops, system admins, and mission owners during incidents
3. Briefing senior leadership — translating technical events into operational and mission risk language
4. Flight-level resource management — tool licensing, training budget, personnel assignment advocacy
5. Continuity of operations planning for cyber defense capability
6. Advanced threat hunting — multi-stage campaign reconstruction across weeks of telemetry

- CJCSI 6510.01F, Information Assurance and Support to Computer Network Defense
- AFI 17-130 Chapter 5, Incident Management
- NIST SP 800-61 Rev 2, incident response program structure
- DoD Cyber Strategy (current version) — force posture and defend forward context

- Flight maintains documented MTTD and MTTR metrics updated monthly
- Every significant incident produces a lessons-learned brief that updates detection rules or playbooks
- All NCOs under supervision have current Individual Development Plans with certification goals
- Zero compliance-only vulnerability management — every remediation priority justified by actual risk

Common mistake: Managing to compliance metrics instead of detection effectiveness — a unit that closes 100% of STIG findings and misses a 45-day dwell time intrusion has failed the mission. Teach the flight that the question is always "would we have caught a real adversary this week," not "are our dashboards green."
A good TSgt 1D7 runs a flight where the junior Airmen know why they are doing what they are doing, not just how to do it. The metrics are honest — when MTTD is worse this quarter, they say so and explain the cause. They have personal relationships with the 16th AF and JFHQ-DODIN contacts who matter when a real event happens, because they built those relationships before they needed them. Their SSgts are ready to be TSgts.
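The metrics program the TSgt section describes (MTTD, MTTR and detection coverage mapped against ATT&CK, briefed honestly) as an added example; this is not Air Force tooling or code from this page. The incident records, the rule-to-technique mapping and the priority technique list are constructed. The technique IDs are real ATT&CK identifiers, but which rule covers which technique here is an assumption. The two honesty points are built in: incidents whose dwell time could not be reconstructed are excluded from MTTD but counted, and still-open incidents are excluded from MTTR but counted, so the brief states what the number leaves out.

```python
"""Flight metrics: MTTD, MTTR and ATT&CK coverage gaps (added example).

Not Air Force tooling. Incident records, the rule-to-technique mapping and the
priority technique list are constructed; technique IDs are real ATT&CK IDs,
the mapping of rules to them is an assumption.
"""
from datetime import datetime
from statistics import mean

T = datetime  # shorthand for the constructed records below

# Constructed incident records. first_activity is the earliest adversary action
# reconstructed during the investigation; None means dwell time is unknown.
INCIDENTS = [
    {"id": "INC-1", "technique": "T1566.001", "first_activity": T(2026, 1, 3, 9),
     "detected": T(2026, 1, 5, 9), "contained": T(2026, 1, 5, 15)},
    {"id": "INC-2", "technique": "T1021.002", "first_activity": T(2026, 1, 10, 0),
     "detected": T(2026, 1, 11, 12), "contained": T(2026, 1, 12, 0)},
    {"id": "INC-3", "technique": "T1071.001", "first_activity": T(2026, 2, 1, 0),
     "detected": T(2026, 2, 1, 6), "contained": None},  # still open
    {"id": "INC-4", "technique": "T1059.001", "first_activity": None,  # dwell unknown
     "detected": T(2026, 2, 3, 8), "contained": T(2026, 2, 3, 20)},
]

# Techniques intelligence says matter for this network, with their tactic (constructed list)
PRIORITY_TECHNIQUES = {
    "T1566.001": "Initial Access", "T1059.001": "Execution",
    "T1021.002": "Lateral Movement", "T1003.001": "Credential Access",
    "T1071.001": "Command and Control",
}
# Which deployed rules claim which techniques (assumption)
RULE_COVERAGE = {
    "office-spawns-script": {"T1566.001", "T1059.001"},
    "beacon-regularity": {"T1071.001"},
}


def hours(a, b):
    return (b - a).total_seconds() / 3600


def mttd_hours(incidents):
    """Mean time to detect over incidents whose dwell could be reconstructed.

    Returns (mttd, number_excluded) so the brief states what the number omits.
    """
    dwell = [hours(i["first_activity"], i["detected"]) for i in incidents if i["first_activity"]]
    return (mean(dwell) if dwell else None, len(incidents) - len(dwell))


def mttr_hours(incidents):
    """Mean time from detection to containment; open incidents excluded and counted."""
    resp = [hours(i["detected"], i["contained"]) for i in incidents if i["contained"]]
    return (mean(resp) if resp else None, len(incidents) - len(resp))


def coverage_gaps(rule_coverage, priority):
    """Priority techniques no deployed rule claims, grouped by tactic."""
    covered = set().union(*rule_coverage.values())
    gaps = {}
    for tech, tactic in priority.items():
        if tech not in covered:
            gaps.setdefault(tactic, []).append(tech)
    return gaps


def uncovered_incidents(incidents, rule_coverage):
    """Incidents whose technique no rule covers: detection came from somewhere else."""
    covered = set().union(*rule_coverage.values())
    return [i["id"] for i in incidents if i["technique"] not in covered]


if __name__ == "__main__":
    mttd, no_dwell = mttd_hours(INCIDENTS)
    mttr, still_open = mttr_hours(INCIDENTS)
    print(f"MTTD {mttd:.1f} h ({no_dwell} incident(s) with unknown dwell excluded)")
    print(f"MTTR {mttr:.1f} h ({still_open} incident(s) still open excluded)")
    print("coverage gaps:", coverage_gaps(RULE_COVERAGE, PRIORITY_TECHNIQUES))
    print("incidents outside rule coverage:", uncovered_incidents(INCIDENTS, RULE_COVERAGE))
```

The last two functions are the bridge between the metrics and the lessons-learned standard above: INC-2 was a lateral-movement incident that no deployed rule covers, so it was found by luck or by a person, and the coverage gap report says the same technique is still uncovered. That is the sentence that belongs in the monthly brief, ahead of the averages.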
MSgt
You are the functional manager and force developer for the cyber defense career field at the unit level — you own the people, the program health, and the pipeline that produces the next generation of 1D7s.
As flight chief or senior functional, you oversee the entire defensive cyber operations program — not individual incidents, but the health of the capability itself. You assess whether the unit's detection architecture can actually see the threats the IC says are targeting AF networks. You brief the Group CC and Wing CC on cyber risk posture in terms they act on. You manage EPR rack-and-stack for the flight and ensure the best performers are nominated for schoolhouse tours, advanced training, and the assignments that build their careers. You advocate for the 1D7 career field at the wing level — when the manpower document is wrong, you fix it; when the AFSC is hemorrhaging talent to the private sector, you write the retention analysis that goes up the chain. As 1stSgt, you own the health, morale, and welfare of every Airman in the unit and you run them toward both mission excellence and life stability.
1. Cyber risk communication to non-technical senior leaders
2. Manpower and personnel program management for a technical AFSC
3. Career field health analysis — retention trends, fill rates, certification pipeline
4. Advanced cyber operations program assessment — red team/blue team exercise design
5. AETC coordination — schoolhouse feedback loop on training currency vs. mission requirements
6. Congressional/IG response preparation for cyber incidents with public visibility

- AFI 36-2618, The Enlisted Force Structure (rank responsibilities)
- AF Cyberspace Operations career field education and training plan (CFETP) for 1D7X1
- DoD Cyber Workforce Framework (DCWF)
- HAF/A6 annual cyber workforce reporting requirements

- Every Airman in the flight has a documented career vector with a certification and assignment plan
- Unit cyber capability self-assessment conducted annually with honest findings briefed to Wing CC
- Retention data tracked and analyzed — every voluntary separation from the career field generates an exit analysis
- Schoolhouse feedback submitted annually on training gaps between initial skills and mission requirements

Common mistake: Letting the best technical performers stagnate in the same billet because their technical skills are too valuable to move — the 1D7 who never leaves their home unit becomes the world's best local expert and a career field liability. The mission needs leaders who have seen multiple networks, multiple threat environments, and multiple unit cultures. Move your best people even when it hurts.
A good MSgt 1D7 is the person who can walk into a Wing CC brief and explain in three sentences why the network is more or less defensible than it was six months ago, and what it would take to close the gap. They have Airmen at every base who call them when something goes sideways, because they invested in those relationships when they were TSgts. Their unit has a lower-than-average attrition rate, and when you ask their Airmen why they stayed, they name the MSgt.
SMSgt/CMSgt
You are the senior enlisted voice for defensive cyber operations across the Air Force — you shape the career field, set the standards, and ensure the AFSC is producing the defenders the nation needs against the threat that exists now, not the threat from ten years ago.
At SMSgt and CMSgt, you operate at command, MAJCOM, AFSC, or joint staff level. You advise commanders on cyber workforce posture across entire commands — not individual units. You shape the 1D7 CFETP and initial skills training at Keesler AFB, ensuring the schoolhouse produces Airmen who can defend a network the day they arrive at their first unit rather than spending two years catching up. You represent the 1D7 career field in joint forums — USCYBERCOM, JFHQ-DODIN, NSA/CSS — and you ensure Air Force defensive cyber equities are understood and resourced in joint planning. You advise the HAF/A6 and MAJCOM/A6 on manning requirements, tooling investments, and whether the force structure matches the threat. CMSgts in this AFSC often serve as the senior enlisted advisor for entire cyber wings or numbered air forces, and many serve at NSA/CSS as senior civilian or enlisted leaders in national-level cyber defense operations.
1. AFSC-level career field management — CFETP revision, training pipeline oversight, fill rate strategy
2. Joint cyber operations — USCYBERCOM, JFHQ-DODIN, NSA/CSS coordination and representation
3. Senior leader cyber risk advising — translating operational cyber risk to resourcing decisions
4. Congressional and OSD engagement on cyber workforce legislation and policy
5. Cyber exercise program design at MAJCOM and joint command level
6. Retention and accession program design for a technically competitive career field

- National Cyber Strategy (current) — workforce and defense priorities
- DoD Cyber Strategy and Implementation Plan
- AF Cyberspace Superiority (AFDD 3-12 successor documents)
- HAF/A6 Cyberspace Operations Division program guidance
- USCYBERCOM Campaign Plan — defended asset list and priority network defense requirements

- CFETP reviewed and updated on minimum 2-year cycle with schoolhouse, major commands, and CYBERCOM input
- Career field fill rate, retention rate, and certification attainment briefed to CSAF/CMSAF chain annually
- Joint cyber workforce interoperability maintained — 1D7 Airmen can integrate into CYBERCOM and NSA billets on day one
- Honest career field health assessment — if the AFSC is losing to the private sector, the senior enlisted say so loudly and publicly

Common mistake: Letting the career field define its own success by compliance measures because compliance is easy to count — if the 1D7 community can recite every STIG and still miss a nation-state intrusion that lived on AF networks for six months, the training pipeline and the performance standards failed. The measure is whether adversaries find AF networks hard. Everything else is supporting evidence.
A CMSgt 1D7 who did it right leaves a career field that is harder to hollow out after they retire. The schoolhouse produces Airmen who can hunt. The retention rate ticked up because the senior enlisted fought for the authorities and the pay supplements that made staying rational. The joint partners trust the 1D7s who show up in their billets. And somewhere, a TSgt who was a struggling A1C eight years ago is running a flight because the CMSgt saw something in them and refused to let them leave the Air Force.
What this actually is in the real world
Your skills translate. Here's what civilian employers call this job — and what they pay.
- Information Security Analysts (strong match)
- Network and Computer Systems Administrators (strong match)
- Computer and Information Systems Managers (related field)

Salary data from the U.S. Bureau of Labor Statistics Occupational Employment and Wage Statistics program, retrieved Feb 2026. BLS.gov cannot vouch for the data or analyses derived from these data after the data have been retrieved from BLS.gov.
1D7X1 Cyberspace Defense Operations Specialist — FAQ
- What does a 1D7X1 do in the Air Force?
- How long is 1D7X1 training and where is it held?
- What does a day in the life of a 1D7X1 look like?
- What are the most common career-ending mistakes for a 1D7X1?
- What civilian jobs does 1D7X1 translate to?
- What's the career progression for a 1D7X1?
- What's the recruiter not telling me about 1D7X1?
Sources: Branch MOS catalog · DTMO pay tables · DoD/.gov benefits references · O*NET civilian career mapping · verified service-member reviews