Skip to main content
HonestMOS
InvestigationsCongress made VA disability claims free to file. An entire industry charges veterans anyway — and nobody can stop them.
USAF1B4X1

Cyber Warfare Operations Specialist

Conducts offensive and defensive cyber warfare operations in support of Air Force and national missions. Operates cyber tools to protect, detect, and respond to cyber threats and execute authorized cyber operations.

No reviews yet
Watch this MOSGet pinged when 1B4X1 — Cyber Warfare Operations Specialist hits an SRB list, cutoff drop, or BAH change. Free account, anonymous as always.
Recruiter vs. Reality
What they tell you

You'll be on the front lines of America's newest warfare domain. Cyber Warfare Operations is the Air Force's most advanced and elite technical specialty — you'll conduct real offensive and defensive cyber operations against near-peer adversaries.

What it's actually like

1B4 is retraining-only, which means you spent time in another AFSC before competing for one of the most selective jobs in the Air Force. Once you're in, the work lives entirely in SCIFs behind multiple badge readers. The actual offensive operations are genuinely elite-level work. The day-to-day is training pipelines, certifications, compliance documentation, and the classified version of bureaucracy that looks exactly like regular bureaucracy except you can't talk about which specific meetings were the most pointless. The civilian market is exceptional when you get out — cleared offensive cyber operators are among the most sought-after professionals in the tech sector. The social cost of never being able to fully answer 'what do you do?' compounds over time.

First-hand intel neededWrite a Review

Execute the Job — By Rank

How you actually run this job at each rank — what you do, what you drill, which manuals you own, and what good looks like. Written for the soldier, sailor, airman, Marine, or Guardian currently in the seat. Each rank deeplinks into the full Playbook deep-dive: time-blocked schedules, unit-type variations, career decisions, and the read on the next rank.

E1-E3AB — A1C (Apprentice, 1B431)

You are the schoolhouse output. The Cyber Mission Force paid good money for your seat at JCAC and whatever follow-on pipeline your team brought you through — now you have to convert that investment into a tool operator the mission element lead can actually plug into a real operation.

What You Actually Do

You just cleared the Joint Cyber Analysis Course (JCAC) at Corry Station (NAS Pensacola) and landed at your first 16th Air Force (AFCYBER) unit, a Cyber Mission Force element, or a MAJCOM cyber operations squadron. JCAC gave you the networking and systems foundation; the unit is about to show you how far away that is from doing the actual work. Your days are tool operation under direct supervision, building out analysis workstations from the team's gold image, reading logs, running queries the senior analyst hands you, and asking the SSgt next to you what the alert you just flagged actually means in this specific network environment. You will burn significant time studying for the DoDD 8140 certifications you need to hold a billet, working through your CFETP task list, and sitting the CDCs for the 1B451 upgrade. The TS/SCI you carried into this AFSC is a privilege you protect every single day — SCIF discipline, zero personal electronics near classified systems, no social media breadcrumbs about anything you do.

Key Skills to Drill
  • 01Read a packet capture in Wireshark well enough to identify protocol, source, destination, and flag obvious anomalies — without anyone walking you through it — before you bring it to the senior analyst.
  • 02Operate a Linux command line at working fluency: bash, grep, awk, sed, piped commands, basic scripting — at the level the team lead expects the day you arrive in the ops floor.
  • 03Query a SIEM (Splunk or equivalent) using basic SPL filters and search syntax the senior analyst provides, then read the results back accurately and document what you found.
  • 04Image, configure, and harden a Windows or Linux workstation per the relevant DISA STIG before it goes onto any operational network — no shortcuts, no "I'll fix it later."
  • 05Document every action you take on any system in the team's case management or ticketing system — host, timestamp, command, output — the way an analyst reviewing the timeline two months from now can follow it cold.
  • 06Execute TS/SCI security hygiene without prompting: SCIF access discipline, classified-vs-unclassified system separation, proper courier and media procedures, and zero personal electronics in controlled spaces.
Manuals & References
  • CFETP 1B4X1 — Career Field Education and Training Plan: the line-item task list the SSgt signs off against; know which items are open before every shift.
  • DoDD 8140.01 — Cyberspace Workforce Management (formerly DoDD 8570): the policy that gates which billet you are authorized to sit; CompTIA Security+ is the IAT-II floor for entry 1B4 billets.
  • JP 3-12 — Cyberspace Operations: the joint doctrine document every CMF element operates inside; read it once before your first pre-mission brief so the language does not blindside you.
  • DoDI 8530.01 — Cybersecurity Activities Support to DoD Information Network Operations: governs the DCO mission your team likely owns.
  • DISA STIGs (public.cyber.mil): the engineering standards the team holds you to when you are setting up or auditing any system.
  • Your CDC volumes for the 1B431 / 1B451 upgrade: read them, do not just answer the end-of-course test. The SKT draws from these gaps later.
Standards You Must Hit
  • CompTIA Security+ (IAT-II) certification — the DoDD 8140 floor for any 1B4 billet and the baseline your unit will enforce from day one.
  • CDC volumes complete and End-of-Course exam passed inside the AETC-prescribed timeline — late CDCs are the section chief's first counseling entry.
  • 5-skill level (1B451) upgrade task list progressing on the CFETP timeline — open line items get discussed in every performance conversation.
  • TS/SCI clearance maintained without incident — financial, foreign contact, substance, or social-media issue ends the AFSC, not just the assignment.
  • Zero deviations from the team's SOP on any operational network or SCIF-controlled system. The ops floor supervisor notices the Airman who freelances, and not in a good way.
Common Technical Mistakes
  • Running an unauthorized tool or script on an operational network because you "wanted to test it." That is an incident report, a security inquiry, and potentially an AR-equivalent investigation — and your name is at the top of all three.
  • Plugging personal media — USB, phone, smartwatch, anything — near a classified system. Best case it ends your shift. Worst case it ends your clearance and therefore your career in this AFSC.
  • Logging into any tool or system with a teammate's credentials, even once to "save time." Every action is audited; shared-account use is exactly the kind of finding that gets a team lead relieved.
  • Closing a ticket or marking an alert "no impact" without a senior analyst reviewing it. The miss surfaces at the next read-out, the team chief briefs it, and you are the junior analyst who missed it.
  • Talking about anything that happened in the ops floor outside cleared spaces — bar, family group chat, social media, personal phone. There is no version of that conversation that does not end at the Security Forces Squadron or the SSO's desk.
What Good Looks Like

The good A1C 1B4X1 is the apprentice the senior analyst hands a complex log set on a Tuesday and gets a clean, documented write-up back by Thursday — no ego, no shortcuts, no unsupervised tool runs. By the BTZ window they have Sec+ in hand, the CDC volumes are closing on schedule, and the team lead is making the case for early SrA because the ops floor would notice if they were gone.

Go Deeper at E1-E3
Time-blocked daily schedule, unit-type variations, career decisions, full reading list with chapters — written for the soldier in this seat.
Full E1-E3 Playbook →
E4SrA (Journeyman, 1B451)

You are the journeyman operator. The 5-skill upgrade is done, you hold a real seat in the mission element, and the team lead is writing bullets about you that will decide whether you pin SSgt on the next WAPS cycle.

What You Actually Do

You sit a billed position on a Cyber Mission Force element under 16th Air Force — a Cyber Mission Team, Cyber Protection Team, Cyber National Mission Team, or a Cyber Support Team element — and you are producing analysis, not being carried through it. You write the SIEM queries yourself, you triage alerts inside the standing playbook, you own at least one piece of the team's tool stack as the designated tool admin, and your findings have to read clean enough that the SSgt can hand them to the mission element lead without a rewrite. You train the new A1C the same way you got trained — CFETP task demonstrations, supervised execution, documented sign-off — and you are burning through the 7-skill CDCs while studying for the SSgt WAPS cycle. The contractor sitting next to you is doing the same work for significantly more pay and has already asked your ETS date. That conversation is happening whether you invited it or not.

Key Skills to Drill
  • 01Write a SIEM query (Splunk SPL or equivalent) that returns the right answer with reasonable performance — not the copy-paste from the senior analyst's notes, yours, that you can explain step by step.
  • 02Map an observed behavior or indicator to a MITRE ATT&CK technique by ID and tactic, not by intuition — and defend that mapping when the team chief questions it at the read-out.
  • 03Operate at least one piece of the team's real tool stack as the designated tool admin — endpoint EDR, full-packet capture, host-forensic suite — with the configuration documented and current.
  • 04Run host-side triage through the NIST SP 800-61 incident handling phases — detection, containment, eradication, recovery, lessons learned — producing a usable written timeline, not just verbal conclusions.
  • 05Train and sign off CFETP apprentice-level task items for the A1C in your section — demonstrate the task to standard, supervise execution, sign it off when it is actually clean, document it correctly.
  • 06Write a clean EPB self-input with measurable results — the bullets your SSgt carries into the EPR are the ones you wrote; the ones you did not write are the ones nobody can defend.
Manuals & References
  • CFETP 1B4X1 — you sign at the apprentice level when delegated; your 7-skill line items are the next milestone.
  • DoDD 8140.01 — Cyberspace Workforce Management: read your assigned work role's task list line by line; that is the bar the team audits you against.
  • NIST SP 800-61 — Computer Security Incident Handling Guide: the IR playbook every DCO and CPT mission execution maps to; know it well enough to execute it, not just describe it.
  • MITRE ATT&CK (attack.mitre.org): the framework the entire CMF speaks — learn the matrix and the technique IDs, not just the top-level tactic names.
  • DAFMAN 36-2406 — Officer and Enlisted Evaluation Systems: the EPB / Stratification framework your SSgt is writing about you; verify the current revision on e-Publishing before you build your self-input.
  • DAFI 36-2502 — Enlisted Promotions: WAPS mechanics — pull the current AFPC promotion message, know your eligibility window, and start the SKT study 90 days out, not 30.
Standards You Must Hit
  • 5-skill level (1B451) upgrade complete; CFETP at the journeyman level current and auditable.
  • IAT-II maintained without lapse (Security+ CE or equivalent) — the section chief audits this; you do not want to be the lapse.
  • CySA+ or GIAC GCIA / GCIH on the wall or in active progress — the work role is the standard, not just the baseline cert, and the team lead knows the difference.
  • ALS slot held and graduated — ALS in residence is required before pinning SSgt; do not let the class date slide because the ops schedule is heavy.
  • WAPS first attempt for SSgt taken inside the window — PFE and the 1B4X1 SKT; pull the current AFPC promotion message and follow it exactly.
Common Technical Mistakes
  • Coasting on Security+. The work role is the standard, not the cert. Operators who do not push into CySA+ / GCIH end up at the bottom of the team's rank-ordered readiness list and the SSgt knows it.
  • Sloppy case notes. Your work product is evidence in an incident report and your professional reputation in a single document — the SSgt and the mission element lead read every line.
  • Running a tool against an operational target without the SSgt and mission element lead's explicit sign-off. That is not a counseling conversation; that is a JAG-adjacent conversation.
  • OPSEC on social media — LinkedIn job title mentioning your unit or mission, deployment hints, badge selfies, unit insignia. AFCYBER and USCYBERCOM are explicit on this and the SSO is watching.
  • Skipping the ALS slot because "the mission needs me." You are still an Airman in the Air Force; the SSgt board does not accept operational tempo as an excuse for a missed PME prerequisite.
What Good Looks Like

The good SrA 1B4X1 is the operator the SSgt tasks with the alert nobody else wants because a clean ATT&CK-mapped write-up comes back by close of business and a working detection rule comes back by the next morning. ALS is done or scheduled, the WAPS study started at 90 days, the A1C training record is current, and the SSgt is fighting to keep them on the same team for the next rotation.

Go Deeper at E4
Time-blocked daily schedule, unit-type variations, career decisions, full reading list with chapters — written for the soldier in this seat.
Full E4 Playbook →
E5SSgt (Craftsman / Crew Lead, 1B451)

You are the new NCO in the ops element. Operators look to you for the technical call on whether the finding is real; the mission element lead looks to you for the truth about how the crew is actually producing.

What You Actually Do

You lead a 3-6 operator crew inside a Cyber Mission Force element under 16th Air Force — a CMT sub-element, a CPT crew, a DCO-Internal Defensive Measures (IDM) team slice, or an OCO support element, depending on your unit's assigned mission sets. You write EPB inputs on the SrAs below you, you sign CFETP task items at the journeyman level, you run the daily crew stand-up and the after-mission read-out, and you brief the senior SSgt or TSgt mission element lead in language they can push upstream without translation. You are working the 7-skill CDCs (1B471) and studying for the TSgt WAPS cycle simultaneously. If your unit has a Defensive Cyber Operations Internal Defensive Measures or an OCO mission lane, you are also sitting pre-mission planning with a government contractor analyst at the same table, and your crew's product has to read like the senior name on it — because the customer and AFCYBER read them both.

Key Skills to Drill
  • 01Run a crew-level mission element through the full NIST SP 800-61 cycle — detection, containment, eradication, recovery, lessons learned — on a contested host or network segment, and deliver a usable timeline to the mission element lead at the end.
  • 02Build and defend an ATT&CK-mapped detection set — Splunk correlation searches, SIEM alerting rules, or equivalent — that produces actionable alerts and not noise, and document the coverage gaps honestly.
  • 03Write a clean AF Form 1137 / EPB self-input and build the same for your SrAs with measurable results — the bullets the TSgt copies are the ones you built; the rest are not defended at the stratification board.
  • 04Brief a Cyber Mission Force crew read-out — what the crew did, what it found, what the recommended action is — in five slides or less without the mission element lead rewriting the product.
  • 05Conduct a DA-equivalent formal feedback session and written counseling for each SrA in your crew: specific certification or work-role gap named, concrete steps and timeline to close it.
  • 06Mentor junior operators into their next certification and DoDD 8140 work-role qualification on a schedule the mission element lead can verify at the next readiness review.
Manuals & References
  • CFETP 1B4X1 — you sign at the journeyman level; the 7-skill line items (1B471) are your upgrade target.
  • DoDD 8140.01 — Cyberspace Workforce Management: you are now signing off junior operators against their work role task lists; own the policy behind the signature.
  • NIST SP 800-61 — Incident Handling; NIST SP 800-53 / 800-171 — Controls (you assess against them on protect and survey missions).
  • JP 3-12 — Cyberspace Operations: the joint doctrine behind both the DCO and OCO mission sets your element may own.
  • DAFMAN 36-2406 — Officer and Enlisted Evaluation Systems: you write EPB / Stratification inputs now — verify the current revision on e-Publishing before building any report.
  • AFI 1-1 — Air Force Standards and DAFMAN 36-2905 — Air Force Physical Fitness: the PT standard does not care how strong the ATT&CK mapping is.
Standards You Must Hit
  • ALS graduate; 7-skill CDCs (1B471) in progress against the CFETP craftsman timeline.
  • NCOA packet built — required before pinning TSgt; the slot is competitive and the mission tempo is not a valid reason to miss it.
  • IAT-II/III and at least one CSSP-level credential (GCIA, GCIH, CEH, or equivalent per the current DoDD 8140 mapping) maintained without lapse.
  • Crew DoDD 8140 work-role qualification status green on the mission element lead's readiness slide — every operator qualified for the billet they are sitting.
  • WAPS for TSgt taken on first attempt inside the window — PFE and the 1B4X1 SKT; pull the current AFPC promotion message; start study 90 days out.
Common Technical Mistakes
  • Issuing a crew finding report without personally verifying the key indicator. The mission element lead hands it to AFCYBER and AFCYBER hands it to the combatant command — "the SrA validated it" is not a brief that ends well.
  • Verbal crew feedback with no written follow-up. If the certification gap or the work-product issue is not documented, the SrA did not know, the senior rater cannot defend the EPB, and the mission element lead loses confidence in your crew leadership.
  • Letting a junior operator sit a billet they are not DoDD 8140-qualified for because the mission needs a body in the seat. The next readiness inspection finds the gap; your name is on the crew manifest.
  • Hiding a real OPSEC issue, security anomaly, or insider indicator from the chain. CMF elements live on trust; one buried indicator surfaces at exactly the wrong moment and takes the whole crew with it.
  • Treating the NCOA / 7-skill upgrade / TSgt WAPS as three separate problems to solve in series. The SSgt who runs them sequentially is explaining to the Functional Manager why the career stalled at TSgt.
What Good Looks Like

The good SSgt 1B4X1 runs a crew the TSgt mission element lead names when the readiness slide goes up — DoDD 8140 work-role qualifications green, detection set covering the threat categories the element owns, junior operators on a real cert timeline, after-action products going out without rework. ALS is done with the NCOA packet submitted, the TSgt WAPS is a first attempt, and the 1B471 CDCs are closing on schedule.

Go Deeper at E5
Time-blocked daily schedule, unit-type variations, career decisions, full reading list with chapters — written for the soldier in this seat.
Full E5 Playbook →
E6TSgt (7-Level Craftsman / Mission Element Lead, 1B471)

You are the mission element NCOIC and the senior technical voice the operations officer reaches for when a real finding comes off the wire at 0200. Every product your element issues has your name on it, and AFCYBER reads them.

What You Actually Do

You are the NCOIC of a Cyber Mission Force element or a senior crew lead in a Cyber Operations Squadron under 16th Air Force — running 5-15 Airmen across the SSgt and SrA bench, owning the element's DoDD 8140 work-role readiness posture, and leading mission execution from pre-mission planning through the final product. You sit at planning tables with the mission element OIC, a 17S or equivalent mission commander, and supported-customer leadership. You write 2-3 EPB / Stratification reports per cycle that decide whether your SSgts pin TSgt. You conduct and review all high-impact analysis — adversary attribution findings, zero-day indicators, high-confidence network-anomaly reports — and you are the Airman the ops floor calls when the watch officer cannot wait until morning. The Defensive Cyber Operations-IDM and the assigned OCO mission sets running simultaneously in your element require you to hold both lanes technically, even if you are not personally on the keyboard for both.

Key Skills to Drill
  • 01Run a Cyber Mission Force element through a full mission cycle — planning, execution, exploitation, reporting — against a real tasking or a CCRI remediation package, and deliver the product to the mission commander in a format AFCYBER and the supported command can consume.
  • 02Conduct a Command Cyber Readiness Inspection (CCRI) preparation and execution for a supported unit: survey scope, findings brief, remediation prioritization, and final report to the IG team — this is one of the primary mission deliverables your element owns.
  • 03Write 2-3 EPB / Stratification inputs under DAFMAN 36-2406 that the mission commander can defend at the squadron roll-up — measurable crew-output-driven bullets, not adjectives.
  • 04Operate the element's senior technical quality gate: review all findings before they go on distribution, write the correction entry when analysis fails verification, and brief the negative trend to the ops officer before the IG asks.
  • 05Mentor SSgts through the NCOA packet, the TSgt WAPS study cycle, and the 7-skill upgrade on a parallel timeline — the one who waits for you to sequence them will miss a window.
  • 06Translate cyber threat findings to non-technical operational risk language for a supported commander, a CISO, or a combatant command J6 — in language they will repeat accurately to the next echelon.
Manuals & References
  • CFETP 1B4X1 — you sign at the craftsman level and own the element's audit posture against the 7-skill line items.
  • DoDD 8140.01 — Cyberspace Workforce Management: you audit your section against the work-role task lists; this is the standard behind the readiness slide.
  • JP 3-12 — Cyberspace Operations: you brief the element's mission posture using joint doctrine terminology to mission commanders and supported commanders who speak it.
  • NIST SP 800-53 — Security and Privacy Controls; NIST SP 800-61 — Incident Handling: the two frameworks CCRIs and CPT missions are assessed against.
  • DAFMAN 36-2406 — Officer and Enlisted Evaluation Systems: you write 2-3 EPR / EPB / Stratification per cycle; verify the current revision on e-Publishing.
  • DAFI 36-2502 — Enlisted Promotions: MSgt board mechanics — PFE only at the MSgt level; pull the current AFPC promotion message and verify your sequence number on vMPF.
Standards You Must Hit
  • NCOA graduate; SNCOA packet built (resident vs correspondence — verify current eligibility on MyFSS and e-Publishing).
  • 7-skill level (1B471) complete; element DoDD 8140 work-role currency defensible at the Functional Manager review.
  • IAT-III credential (CASP+, CISSP, or equivalent per current DoDD 8140 mapping) maintained; at least one CSSP-level specialty (GCIA, GCIH, GCFA, or equivalent) current.
  • Element CCRI and CPT mission delivery metrics defensible at the squadron weekly — the operations officer tracks these even when they do not say so.
  • MSgt WAPS taken inside the window — PFE only at this level; pull the current AFPC promotion message.
Common Technical Mistakes
  • Pushing a high-impact finding out the door without documenting the analytic reasoning chain behind it. When the assessment is questioned by AFCYBER or a supported command, "we had high confidence" is not a methodology — the audit trail is.
  • Letting the senior SSgt carry the element's technical quality review because she is the strongest analyst. The day she PCSes the element is exposed — and AFCYBER calls you, not her.
  • Hiding a product quality gap from the ops officer to fix it before the next brief. It surfaces at the squadron weekly; TSgts lose element NCOIC billets over this pattern.
  • Treating the SNCOA / career-broadening / MSgt WAPS / 8-skill upgrade as a serial problem set. The TSgt who sequences them ends up explaining to the Functional Manager why they are still a TSgt.
  • Confusing technical depth with mission authority. The OIC and the mission commander make the final go/no-go call. Your job is to give them the honest analysis — including the uncertainty that makes the call harder — and then execute without revisionism.
What Good Looks Like

The good TSgt 1B4X1 is the element NCOIC the ops officer puts on the CCRI delivery brief for the supported wing commander and the senior analyst who also has name recognition at AFCYBER for clean, defensible product. The element's DoDD 8140 readiness is green, SSgt bench is hitting WAPS on first attempts, the SNCOA packet is in, and the Functional Manager has the MSgt case half-built before the stratification suspense lands.

Go Deeper at E6
Time-blocked daily schedule, unit-type variations, career decisions, full reading list with chapters — written for the soldier in this seat.
Full E6 Playbook →
E7MSgt (Senior NCO / Flight Superintendent)

You are the flight superintendent or the senior enlisted leader at a 16th Air Force squadron, a MAJCOM cyber staff, or a USCYBERCOM element. The wing operations officer and the squadron commander know your name before you introduce yourself.

What You Actually Do

You are the flight superintendent of a Cyber Operations Squadron, a Cyber Mission Force group element, a MAJCOM cyber operations staff section, or a career-broadening billet (AFIT cyber programs, instructor tour, AFRC Functional Area Manager, joint cyber billet at USCYBERCOM or NSA). You run 15-40 Airmen across the SSgt and TSgt bench, you write four-to-five EPB / Stratification reports per cycle that shape the next TSgt and MSgt slates, and you defend the flight's DoDD 8140 readiness posture and mission product quality to the squadron commander and the operations officer at every weekly stand-up. You sit on the squadron's CCRI quality gate, you own the flight's technical workforce pipeline — certification progression, work-role qualification, retention against the contractor market — and you brief the senior enlisted advisor of AFCYBER and the squadron commander on the enlisted workforce posture when the numbers shift. You mentor the TSgt bench toward SNCOA, MSgt broadening assignments, and the SMSgt board — being honest about who is on track and who needs a different conversation.

Key Skills to Drill
  • 01Run a flight superintendent's portfolio in a Cyber Operations Squadron — DoDD 8140 readiness, EPB / Stratification slate, CCRI and mission product quality, certification pipeline, retention — and defend it to the squadron commander without notes.
  • 02Brief the operations officer, the wing commander, or a combatant command J6 on the flight's mission product quality and workforce posture — in language that carries unchanged to the next echelon.
  • 03Own the flight's DoDD 8140 readiness audit posture: every operator qualified for the billet they sit, every work-role qualification current, every certification within the renewal window, every gap documented before the inspection team finds it.
  • 04Mentor TSgts through SNCOA, the MSgt broadening slate, and the SMSgt board case — including honest conversations about who is ready and who needs 12 more months of proof.
  • 05Translate AFCYBER and USCYBERCOM strategy into enlisted-talent decisions at the flight level — who goes to AFIT, who broadens to a joint billet, who reclasses out, who the Functional Manager needs on the next retention bonus offer.
  • 06Run the flight's senior-NCO talent review: career-broadening sequence, CCAF / bachelor's timing, SMSgt board posture, and the post-AF transition runway for the 1Bs who will ETS before they pin SMSgt.
Manuals & References
  • CFETP 1B4X1 — you audit at the flight superintendent level; 9-skill (1B491) upgrade documentation in motion.
  • DoDD 8140.01 — Cyberspace Workforce Management: you enforce the qualification and certification floor for the full enlisted bench; this document is how you explain the readiness slide to a commander who does not know why it matters.
  • JP 3-12 — Cyberspace Operations; DoDI 8530.01 — Cybersecurity Activities Support: the joint-doctrine pair you enforce at flight scope and brief at squadron and wing.
  • DAFMAN 36-2406 — Officer and Enlisted Evaluation Systems: four-to-five EPB / Stratification per cycle — verify current revision on e-Publishing before every stratification window.
  • DAFI 36-2502 — Enlisted Promotions: SMSgt board mechanics — the board reads the package; no WAPS test at this level.
  • AFPC-published Functional Manager guidance for the 1B4X1 enlisted workforce; AFIT cyber education program criteria; USCYBERCOM and 16th AF enlisted workforce planning products.
Standards You Must Hit
  • SNCOA graduate (resident or correspondence — verify current Senior NCO PME eligibility on MyFSS and e-Publishing).
  • CCAF AAS complete; bachelor's in active progress if SMSgt / CMSgt-track; CISSP or equivalent IAT-III / CSSP credential current.
  • Flight DoDD 8140 work-role readiness metrics green across the mission set — defensible at the squadron monthly and the wing semi-annual.
  • EPB / Stratification slate producing TSgt selectees at or above the squadron flight average — the Functional Manager reads this trend.
  • Career-broadening assignment completed or on the SMSgt case slate: AFIT cyber program, AFRC FAM, USCYBERCOM joint billet, NSA detail, or instructor tour at a cyber schoolhouse.
Common Technical Mistakes
  • Discovering a systematic DoDD 8140 work-role qualification gap — operators sitting billets they are not documented-qualified for — and fixing it quietly without briefing the squadron commander. The IG or the Functional Manager finds the pattern and asks why the flight superintendent knew first and briefed second.
  • Letting the senior TSgt run the flight's mission product quality review while you focus on the SMSgt package. The flight is the package — the SMSgt board reads the unit climate before the bullets.
  • Building EPB / Stratification reports without measurable input from the TSgts you rate. The senior rater downgrades quietly; your bench misses TSgt, and you explain it at the Functional Manager call.
  • Treating the career-broadening pipeline as somebody else's problem. At MSgt, you are either building the next wave of senior enlisted cyber leaders or explaining to AFCYBER why the flight's pipeline is dry.
  • Pretending to be the senior technical SME in a room full of TSgts who are sharper on the current tool stack. Senior NCOs in 1B4X1 lose authority by faking depth. Know what you know; empower the people who know it better.
What Good Looks Like

The good MSgt 1B4X1 is the flight superintendent the squadron commander names when AFCYBER asks who runs the DoDD 8140 compliance program — and whose name also appears on the list of TSgts who pinned MSgt on first or second looks. The readiness metrics are in the wing slide with no asterisks, SNCOA is done, the CCAF AAS is on the wall, and the Functional Manager has the SMSgt case half-built two stratification cycles before the board slate publishes.

Go Deeper at E7
Time-blocked daily schedule, unit-type variations, career decisions, full reading list with chapters — written for the soldier in this seat.
Full E7 Playbook →
E8-E9SMSgt — CMSgt (Superintendent, 1B491)

You are the squadron superintendent, the group senior enlisted leader, the 16th Air Force senior enlisted advisor for a mission type, or the 1B4X1 Functional Manager at AFPC. The AFCYBER commander and the combatant command J6 know your name and use it.

What You Actually Do

As a SMSgt you are the superintendent of a Cyber Operations Squadron or a MAJCOM cyber staff senior NCO, a USCYBERCOM joint billet, or an NSA enlisted leadership element. As a CMSgt you are the 1B4X1 AFSC Functional Manager at AFPC, the senior enlisted advisor to a numbered Air Force or MAJCOM cyber command, a USCYBERCOM command-level senior NCO, or an NSA senior enlisted leader. You set the standard for the 1B4X1 enlisted workforce: accession targets, certification pipeline throughput, DoDD 8140 compliance posture, career-broadening sequencing, the SMSgt and CMSgt board slate, the retention strategy against a contractor market that will pay double for the same cleared talent. You sit alongside O-5s, O-6s, and the operations staff in the workforce-strategy conversation. You write SMSgt and CMSgt board endorsements that determine who sits the next slate. You walk the line during the AFCYBER-level IG cycle and the USCYBERCOM readiness review. And — two to three years before retirement — you are building the post-AF transition runway: the master's in cybersecurity or information systems, the CISSP that transfers, the defense contractor billet in the cleared workforce, the federal civil-service GS-14/15 cyber billet, or the intelligence community senior analyst track that recognizes what you actually did in the ops floor for 20 years.

Key Skills to Drill
  • 01Run a squadron or group superintendent's portfolio in a 16th Air Force or USCYBERCOM element — DoDD 8140 readiness culture, EPB / Stratification slate, certification pipeline, retention, mission product quality — and brief it to the commander without notes.
  • 02Brief the AFCYBER commander, the combatant command J6, or the AFPC Functional Manager on the enlisted 1B4X1 workforce posture: accession trends, certification pipeline health, retention against the contractor market, career-broadening gaps.
  • 03Write SMSgt and CMSgt board endorsements the board can defend at AFPC — unit-impact bullets, honest assessment of board readiness, no boilerplate, no padding.
  • 04Mentor the next MSgt and SMSgt bench: career-broadening sequence, CCAF / bachelor's / master's timing, CMSgt board posture, and the post-AF transition runway — including the cleared contractor market, the GS-1800 series cyber track, and the USCYBERCOM / NSA civilian conversion path.
  • 05Set the standard for the 1B4X1 certification and DoDD 8140 qualification pipeline: identify which SSgts and TSgts are on the trajectory the mission set requires, brief the gaps to the Functional Manager and the operations commander, and build the timeline to close them before the next IG cycle.
  • 06Represent the 1B4X1 enlisted workforce at AFPC functional conferences, AFCYBER senior enlisted reviews, and USCYBERCOM workforce planning sessions — carrying the ops-floor reality into the policy decisions that affect the Airman who does not have a seat at that table.
Manuals & References
  • CFETP 1B4X1 — you own the field-level audit posture and provide Functional Manager input on CFETP revisions when the career field content changes.
  • DoDD 8140.01 — Cyberspace Workforce Management: you enforce and advise on this document at the AFSC scope; when the policy updates, your workforce feels it first.
  • JP 3-12 — Cyberspace Operations; DoDI 8530.01 — Cybersecurity Activities Support: the joint-doctrine pair you brief at senior-leader scope and enforce at career-field scope.
  • DAFMAN 36-2406 — Officer and Enlisted Evaluation Systems: SMSgt / CMSgt-level endorsements — verify current revision; these documents determine careers.
  • DAFI 36-2502 — Enlisted Promotions: SMSgt / CMSgt board mechanics — Functional Manager nomination weight is real; understand how it works before the board convenes.
  • AFPC Functional Manager guidance for 1B4X1; AFCYBER and USCYBERCOM workforce planning products; Chief Leadership Course reading list for CMSgt selectees.
Standards You Must Hit
  • Chief Leadership Course complete for CMSgt selectees before pin-on; SNCOA completed earlier in the career arc.
  • CCAF AAS complete; bachelor's complete; master's in cybersecurity, information assurance, or a related field in motion or complete if CMSgt / Functional Manager track.
  • CISSP or equivalent IAT-III credential current — the post-AF job market requires this regardless of what the uniform says about your rank.
  • Squadron or group DoDD 8140 readiness record clean during your tenure — zero IG or readiness-review findings attributable to workforce qualification failures under your watch.
  • Zero senior-NCO-level integrity, OPSEC, classification, clearance-adjudication, or UCMJ incidents. One ends the career permanently at this rank — and in this community, it ends it publicly and permanently, with no contractor billet waiting on the other side.
Common Technical Mistakes
  • Pretending to be the senior technical voice in a room full of current operators. Senior enlisted 1B4X1 leaders who stopped being current on the tool stack 8 years ago lose credibility the moment the TSgt asks about the current detection suite. Know what you know; know what the operators next to you know better, and let them.
  • Letting the squadron or group DoDD 8140 compliance posture drift because "the training NCO owns the tracking." You own it at the senior enlisted scope; the IG reads the posture report before the debrief.
  • Treating the career-broadening pipeline as a downstream problem for the Functional Manager to solve. If the SMSgt superintendent is not actively identifying, routing, and mentoring qualified TSgts toward AFIT, joint billets, and USCYBERCOM assignments, the 1B4X1 senior-NCO bench goes dry — and the contractor market takes the talent before the career-broadening slot opens.
  • Building SMSgt or CMSgt board endorsements from memory or from the subordinate's self-input alone. The endorsement you write is the most consequential document in the career of the person it covers — it deserves three drafts and a direct honest conversation about readiness before it goes to the board.
  • Going public — in any forum — with disagreement over a commander's or combatant command's cyber operational or workforce decision. Take it in the office. Walk out aligned. The community is small enough and the cleared-contractor market close enough that everyone in the field knows within 48 hours, and neither outcome serves the Airman whose career you are supposed to be protecting.
What Good Looks Like

The good SMSgt / CMSgt 1B4X1 is the senior enlisted voice the AFCYBER commander names when the USCYBERCOM readiness review asks who owns the 1B4X1 workforce — and whose name is also on the list of MSgts and SMSgts who pinned on first looks for the last three cycles. The DoDD 8140 readiness posture is clean, the certification pipeline is producing, the master's is finishing or done, and the post-AF transition runway is already built: the cleared contractor billet is in the queue, the GS-1800 application is drafted, or the IC senior-analyst pathway is open. The Functional Manager has the CMSgt board case half-built before the package suspense drops.

Go Deeper at E8-E9
Time-blocked daily schedule, unit-type variations, career decisions, full reading list with chapters — written for the soldier in this seat.
Full E8-E9 Playbook →
Training Pipeline
1
BMT8w
Lackland AFB (TX)
2
Cyber Warfare Operations Course38w
Keesler AFB (MS)
Most demanding cyber enlisted course in the AF. Offensive/defensive ops, malware analysis. TS/SCI.
On the Outside

What this actually is in the real world

Your skills translate. Here's what civilian employers call this job — and what they pay.

Information Security Analysts

Strong match
$120,360$75,100$187,490/yr median
Job market: Much faster than average (33%)

Software Developers

Related field
$130,160$81,870$208,620/yr median
Job market: Much faster than average (25%)

Intelligence Analysts

Related field
$103,880$64,430$159,720/yr median
Job market: Average (4%)

Salary data from the U.S. Bureau of Labor Statistics Occupational Employment and Wage Statistics program, retrieved Feb 2026. BLS.gov cannot vouch for the data or analyses derived from these data after the data have been retrieved from BLS.gov.

MOS Pulse

Anonymous · One tap · No account

Three seconds of your time, zero of your identity. This is how the honest picture of 1B4X1 gets built — one tap at a time.

Knowing what you know now — would you pick 1B4X1 again?

Did your recruiter describe this job accurately?

Hours per week this job actually takes in garrison?

That tap took 3 seconds. A full review takes 10 minutes — and does about 100x more for the next person staring at this contract.

Write the Full Review →
Reviews
Founding ReviewUnclaimed

Nobody’s gone first. Yet.

Zero reviews for 1B4X1. Not because nobody has opinions — anyone who’s actually done Cyber Warfare Operations Specialist is carrying a full magazine of them — but because nobody’s put theirs on the record.

So here’s the deal: the first approved review of every MOS becomes its Founding Review. Permanently badged, permanently first. Every person who looks up 1B4X1 from now on reads it before anything else — including the recruiter’s version.

We could fill this page with fake reviews tonight. Plenty of sites do. We never will — which means this space stays exactly this empty until someone who lived it goes first.

Sign Up & Claim ItFree account · takes two minutes

Anonymous by default — no name, no unit, fuzzy timestamps. Your chain of command never knows it was you.

FAQ

1B4X1 Cyber Warfare Operations Specialist — FAQ

Q01What does a 1B4X1 do in the Air Force?
You just cleared the Joint Cyber Analysis Course (JCAC) at Corry Station (NAS Pensacola) and landed at your first 16th Air Force (AFCYBER) unit, a Cyber Mission Force element, or a MAJCOM cyber operations squadron.
Q02How long is 1B4X1 training and where is it held?
1B4X1 training is approximately 24 weeks of Advanced Individual Training (AIT) after Basic Combat Training, held at Keesler AFB, MS.
Q03What does a day in the life of a 1B4X1 look like?
A typical junior-enlisted 1B4X1 day: 0530-0630 PT formation. Unit PT varies by commander preference — typically 3-4 days per week with a mix of cardio runs, strength circuits, and team events. The 1B4X1 community is not a physically demanding operational community but fitness standards are enforced under DAFMAN 36-2905 and the EPB cares about fitness rating, 0630-0730 Shower, chow, commute to the unit. SCIF access requires badge swipe, PIN,…
Q04What are the most common career-ending mistakes for a 1B4X1?
TS/SCI clearance violation — any form: failing to report a foreign national contact, allowing personal electronics into a classified workspace, discussing classified information outside approved channels, social media post that reveals unit identity or operational nature. Clearance revocation ends the 1B4X1 AFSC and follows you into the private sector on background investigations;…
Q05What civilian jobs does 1B4X1 translate to?
1B4X1 maps most directly to civilian occupations including Information Security Analysts. Translation quality varies by skill — see the Honest MOS Civilian Translation block for full O*NET matches and salary data.
Q06What's the career progression for a 1B4X1?
JCAC graduation at Corry Station — TS/SCI in hand before arrival; first unit report-in as 1B431 apprentice; First 90-120 days: OJT under SSgt supervision, CFETP task list building, CompTIA Security+ or equivalent IAT-II cert completed under DoDD 8140 timeline; 6-18 months: CDC volumes for the 1B451 upgrade underway, CFETP line items accumulating, first real analytic product reviewed and critiqued by journeyman or craftsman
Q07What's the recruiter not telling me about 1B4X1?
1B4 is retraining-only, which means you spent time in another AFSC before competing for one of the most selective jobs in the Air Force.
How does 1B4X1 compare?
See side-by-side ratings, quality of life, and community takes.
Published by the Honest MOS Editorial DeskVerified against DoD/.gov sourcesUpdated May 2026Editorial standards

Sources:Branch MOS catalog · DTMO pay tables · DoD/.gov benefits references · O*NET civilian career mapping · verified service-member reviews