Skip to main content
HonestMOS
InvestigationsCongress made VA disability claims free to file. An entire industry charges veterans anyway — and nobody can stop them.
Back to 1B4X1 Cyber Warfare Operations Specialist — overview, pay, training, civilian translation, reviews
1B4X1E4

Cyber Warfare Operations Specialist

E-4 (Specialist/Corporal) · Air Force

HEADS UP

SrA is the first time the ops floor actually depends on you to close tickets without constant oversight. The 5-skill upgrade is signed, the Sec+ is on the wall, and the SSgt is assigning you a real alert queue, not training scenarios. WAPS for SSgt runs on PFE, SKT, time-in-grade, decoration points, and the EPB / Stratification column the section chief writes about you — and the 1B4X1 SKT is technically hard enough that the candidates who pass on first attempt started studying twelve months before the testing window, not ninety days out. ALS timing is the other constraint: without ALS complete, the SSgt stripe does not go on regardless of WAPS score. Talk to your section chief now about the next ALS slate.

The Honest MOS Read
Senior Airman 1B451 is the working-operator tier of the 1B4X1 career field. The 5-skill upgrade is complete, the DoDD 8140 baseline cert is on the wall, and the CFETP is current. At SrA, the section chief expects you to own a defined analytic portfolio or a specific mission lane within the team's task queue without minute-by-minute supervision from the journeyman NCO. You produce, you document, you close, and you brief what you found to the SSgt in language the SSgt can push upstream. The apprentice era of getting walked through every decision is over. The reality of the daily work at SrA 1B451 is better than JCAC made it sound and less glamorous than the recruiting brochure implied. The Cyber Mission Force is real — the Cyber Mission Teams, the Cyber Protection Teams, the Cyber Support Teams under AFCYBER and USCYBERCOM are executing authorized operations against real adversary infrastructure and defending real DoD networks from real threats. But the day-to-day work of a SrA 1B451 at most assignments is CCRI preparation and maintenance of the defensive posture, not the Hollywood version of cyber operations where you are personally burning down an adversary's command-and-control infrastructure on a Thursday afternoon. CCRI preparation — the Command Cyber Readiness Inspection cycle — is the most recurring significant event in most 1B4X1 units' operational calendar, and it is detailed, documentation-intensive work. Evidence packages, configuration pulls, compliance scans, finding remediation documentation. That work matters. The units that pass CCRI do so because someone did the documentation right. The promotion math under DAFI 36-2502 and the WAPS (Weighted Airman Promotion System): SrA to SSgt runs annually through the WAPS cycle. The inputs are PFE (Professional Development Guide and the published AF handbook chapters for that cycle's test), SKT (the 1B4X1-specific knowledge test drawn from the AFSC's CDC volumes and the published SKT reference list), time-in-grade points, time-in-service points, decoration points, and the EPB / Stratification input the section chief writes for the board. The 1B4X1 SKT is technically rigorous — it draws on network analysis, host forensics, malware analysis basics, SIGINT fundamentals, cyber operations doctrine from JP 3-12, and the analytic tradecraft standards from ICD 203 / 206. Candidates who pass on first attempt built a structured study plan twelve to eighteen months before the testing window: systematic CDC review, focused practice on the weak areas the practice tests surface, and engagement with the AFPC-published SKT reference list for the cycle. ALS — Airman Leadership School — is the enlisted PME prerequisite for SSgt pin-on under DAFI 36-2670. Without ALS complete, the stripe does not go on regardless of WAPS score or stratification position. The squadron's ALS slate is competitive — there are more eligible SrAs than ALS slots in most quarters — and the section chief's endorsement determines who gets nominated. The SrA who lets the ALS conversation drift to 'I'll get to it eventually' is the SrA who pins SSgt six months after their WAPS cutoff because ALS was not done. Have the ALS conversation with your section chief at eighteen months SrA or earlier. The contractor pay gap is the defining cultural feature of the SrA 1B451 experience. The government contractor analysts and operators working alongside you in the same SCIF are doing comparable or overlapping work at salaries that are three to four times the SrA base pay. This is not a secret and it is not subtle — you will know their market rate because they will tell you, because the industry talks, and because LinkedIn exists outside the SCIF. The honest senior NCO in your chain will frame the trade clearly: you are in the equity-accumulation phase. The clearance, the operational reps at a mission-level unit, the DoDD 8140 qualifications, and the specific technical skills in your portfolio are worth more to the contractor market at the eight to ten year mark with a current TS/SCI with CI poly and a GCIA or eCPPT on top of the Sec+ than they are at the four year mark with just a Sec+ and a vague 'I worked in cyber' story. The re-enlistment decision at the SrA tier is the most consequential financial fork in the 1B4X1 career. Make it with the full portfolio math, not the monthly paycheck comparison. At SrA, you are also doing your first real EPB writing — or being written about for the first time by a section chief who has real opinions about your performance. The Air Force performance system under DAFMAN 36-2406 changed from OPRs and EPRs to Officer Performance Briefs and Enlisted Performance Briefs (EPBs). The EPB is a stratification document as much as a performance document — the section chief's Stratification line ('#2 of 7 SrAs in the squadron') and the narrative bullets combine to give the promotion board a relative ranking and a qualitative portrait. SrAs who actively discuss their accomplishments and contributions with the section chief in the months before the EPB cycle close tend to get more accurate bullets than those who assume the section chief remembers what they did. Own the performance narrative.
Career Arc
  • 011B451 5-skill upgrade complete — CFETP signed, DoDD 8140 baseline cert (Security+) in hand, full journeyman qualification on the billet's work-role.
  • 02First real analytic portfolio ownership — assigned alert category, threat actor lane, or network segment baseline; section chief expects products without walk-through.
  • 03ALS nomination sought from section chief — resident ALS is approximately 24 academic days at a regional NCO Academy; ALS complete before the WAPS testing window.
  • 04WAPS study initiated 12-18 months before the testing window — SKT reference list pulled from AFPC, CDC volumes reviewed systematically, PFE from current PDG / AFH 1 study.
  • 05Additional certifications pursued beyond DoDD 8140 baseline — CySA+, CEH, GCIA, or Network+ depending on the billet's work-role alignment and the section chief's recommendation.
  • 06CCAF AAS in Intelligence Studies and Technology in progress via TA-funded coursework at an affiliated institution.
  • 07SSgt WAPS cutoff met on first attempt — or near-miss analysis done immediately and study plan rebuilt for the next cycle.
Common Screwups
  • ×Operating outside the operational authority boundary — executing a tool action, network scan, or defensive measure against a system that is not explicitly within the unit's current operational order and approval chain. Even a well-intentioned defensive action against an in-scope network requires documented authority. The legal and career consequences of unauthorized computer access are the same regardless of intent.
  • ×Clearance-reportable contact not reported — a foreign national contact, an unreported financial development (significant debt, bankruptcy, unexplained income), or a personal relationship with a foreign national that was not disclosed to the unit security manager and the SF office. Continuous Evaluation (CE) flags are real and they are adjudicated. The airman who gets ahead of a reportable contact by self-reporting is in a far better position than the one the CE system surfaces without a prior disclosure.
  • ×WAPS delinquency — failing the SKT or PFE on first attempt because study was deferred to the last ninety days. The 1B4X1 SKT is technically demanding. A first-attempt failure is survivable but it compresses the promotion-points window for the next cycle and gives the section chief an uncomfortable bullet to navigate in the Stratification narrative.
  • ×ALS deferral past the WAPS cutoff — winning the SSgt WAPS score but not having ALS complete by pin-on, causing a delayed pin-on. The months between WAPS cutoff and ALS completion are career-visible; other SSgt selectees who had ALS done are pinning while you wait.
  • ×Social media OPSEC violation — posting anything that reveals the unit's location, mission type, operational involvement, or the existence of an ongoing operation. One screenshot, one geotag, one careless caption. The AFOSI takes these seriously. So does the clearance adjudicator reviewing your next periodic reinvestigation.

A Day in the Life

  • 0530-0630PT. SrA at a cyber operations unit is on a standard AF fitness schedule — DAFMAN 36-2905 standards enforced quarterly. Three days of cardio runs (goal: 1.5-mile time well inside the passing threshold, not just over it), two days of strength work. The cyber community has produced fitness failures that ended promotions. Don't be one.
  • 0630-0730Shower, chow, commute. Cyber units at most installations are on a 0730 initial formation or 0800 first formation depending on the squadron's PT schedule. Personal device lockdown before the SCIF access point.
  • 0730-0800Section standup. SSgt runs through the day's mission tasking, significant events from the night crew if applicable, training agenda, and any administrative actions. SrA journeyman-tier operators get their specific analytic queue or CCRI task assignment for the morning.
  • 0800-1000Primary analytic work block. This is the highest cognitive-demand period — triage of the alert queue, investigation of flagged indicators, correlation of host and network logs, MITRE ATT&CK mapping for open investigations. Products go through SSgt review before they leave.
  • 1000-1030CFETP and training records check — weekly at minimum. Open 7-skill CDCs reviewed (the 1B471 upgrade timeline starts at SSgt but the smart SrA previews the craftsman material). WAPS SKT study calendar checked against the plan.
  • 1030-1200Secondary work block. CCRI evidence collection if the unit is in a CCRI prep cycle, compliance scan execution, tool maintenance, or supporting a TSgt's mission planning segment. The SrA who knows the CCRI SOP cold is the one who gets tasked with the critical evidence packages.
  • 1200-1300Lunch. Real break. Cognitive fatigue accumulates faster in classification-constrained environments than in open offices. Thirty minutes outside the building if the weather allows.
  • 1300-1500Afternoon primary work block. More analytic production, alert closures, investigation write-ups. If the unit is mission-planning for an upcoming operation, the SrA's role is in the supporting analysis — indicator sets, network mapping, threat actor TTPs relevant to the target environment.
  • 1500-1600Administrative and professional development block. CCAF coursework if a class is running. WAPS SKT study from the structured plan. Achievement medal draft for the section chief's review if a contribution warrants recognition. Training records updated in MyLearning.
  • 1600-1630End-of-day section accountability, handoff to evening crew if applicable, SCIF closure check, equipment secured.
  • 1630-2200Off duty — garrison schedule. SKT study in the evenings during the twelve-month build to the WAPS window. CCAF coursework discussion board responses if an async class is running. Personal fitness maintenance beyond the morning formation schedule.

Weekly Cadence

The garrison week for a SrA 1B451 is shaped by three tracks: the operational track (the alert queue, the investigation pipeline, the CCRI preparation cycle), the promotion track (WAPS SKT study, ALS nomination, cert pursuit, EPB cycle management), and the administrative track (fitness, CCAF coursework, training records, base requirements). The operational and promotion tracks compete for the same cognitive bandwidth, and the SrA who does not manage the time deliberately will consistently find the promotion track losing. Monday opens with the week's mission priorities and any training events the NCOIC has scheduled. Tuesday through Thursday are the heavy analytic production days — the section is running its tasked mission work and the SrA is handling the alert queue with increasing independence. Friday is the administrative runoff: training records reconciled, CFETP items documented, any achievement medal nominations drafted for the section chief's review, CCAF coursework closed if a weekly module was due. The CCRI preparation cycle shifts the entire weekly rhythm when it is active. CCRI prep can run for weeks and it is not light administrative work — it is meticulous documentation of the unit's entire cyber defense posture against the inspection criteria. The SrA who understands the CCRI evidence standards before the prep cycle begins — not during it — is the SrA the section chief uses as the evidence lead rather than the one who gets assigned to staple packets together.

Key Skills — How to Drill Each

  1. 01
    Analytic portfolio ownership — running an assigned alert category or threat indicator set from detection through write-up to closure without requiring walk-through from the SSgt.
    The transition from apprentice to journeyman analytic ownership is the skill the SrA builds in the first six months of the 1B451 tier. The method: ask the SSgt to shadow-review your first twenty solo write-ups — not write them for you, but review them after the fact and mark the gaps. Build a personal template for write-up format that matches the unit's standard (ICD 203-aligned: source, indicator, confidence, alternative analysis, disposition). Use the MITRE ATT&CK framework to structure technical attribution. After twenty reviewed products, you should know where your analytic gaps are. Focus deliberate practice there.
  2. 02
    CCRI evidence collection and compliance documentation — producing inspection-ready evidence packages for Command Cyber Readiness Inspections under applicable DoD cyber security frameworks.
    CCRI prep is a recurring, high-stakes event in most 1B4X1 units. The SrA who runs CCRI evidence collection well — pulling configuration outputs, running compliance scan reports, documenting findings with clean evidence chains — is the SrA the section chief calls first when the inspection notification arrives. Learn the unit's CCRI SOP in the first month at the assignment. Understand what evidence is required for each finding category. Run a practice evidence-collection exercise against a non-operational test environment if the unit has one. The inspection is not the time to figure out the format.
  3. 03
    MITRE ATT&CK-mapped threat analysis — mapping observed behaviors to technique IDs, tactic categories, and known adversary procedure sets in analytic products.
    ATT&CK Navigator is publicly available. Use it on personal equipment outside the SCIF to build familiarity with the framework's depth — particularly the sub-technique layer (T1059.001 vs. T1059.003 matters for detection rule specificity). In analytic products, practice explicitly stating the technique attribution rather than generic behavioral descriptions. 'Lateral movement via Remote Desktop Protocol — T1021.001' is more useful to the customer than 'suspicious RDP activity.' The senior analyst reading your product can upgrade vague behavioral descriptions; they cannot upgrade wrong attribution. Be precise.
  4. 04
    ALS preparation and professional military leadership foundations — the leadership, communication, and EPME material the Airman Leadership School requires.
    ALS is not just an administrative hurdle. The curriculum covers supervision principles, AF leadership doctrine, and the EPME knowledge base the SSgt tier requires. Go into ALS having read the current AFI 36-2618 (The Enlisted Force Structure), the AF NCO Creed, and the current AFH 1 sections on enlisted force structure and leadership. Distinguished Graduate recognition at ALS is visible to the promotion board and is worth the deliberate preparation. Talk to recent ALS graduates in your unit about which curriculum areas they found tested the most.
  5. 05
    WAPS SKT preparation — systematic study of the 1B4X1-specific technical knowledge base from the AFPC-published SKT reference list.
    The 1B4X1 SKT is technical. The published SKT reference list (available from AFPC and the MyFSS portal each cycle) identifies the CDC volumes and their specific subtopics that the test draws from. Build a weekly study calendar from the reference list: one CDC section per day, five days per week, twelve to eighteen months from the testing window. Practice exams (AFPC publishes sample items; the 1B4X1 community sometimes maintains study groups — ask the Functional Manager about any sanctioned study resources) surface the gaps. The SKT is not passable on recollection alone at this technical depth.

Manuals & References — What Chapters Matter

  • DAFI 36-2502 — Enlisted Airmen Promotions and Demotions.
    DAFI 36-2502 governs the WAPS and all enlisted promotion processes. SrAs preparing for the SSgt WAPS cycle need to read the current publication to understand the point calculation, testing window, and eligibility requirements — not rely on a peer's summary from a prior cycle. The WAPS formula, the decoration-point limits, and the testing-window dates all move. Pull the current publication from e-Publishing.af.mil.
  • DAFMAN 36-2406 — Officer and Enlisted Evaluation Systems (EPB guidance).
    DAFMAN 36-2406 defines the Air Force Enlisted Performance Brief (EPB) system — the format, the Stratification line requirements, the rating officer responsibilities, and the prohibited content. SrAs need to understand the EPB system well enough to have an informed conversation with the section chief about what the performance narrative should reflect. The airman who understands what the board reads from the EPB is the airman who actively manages the performance documentation.
  • ICD 203 — Standards for Analytical Tradecraft in the Intelligence Community (DNI/IC-wide standard).
    ICD 203 is the IC-wide analytic tradecraft standard: sourcing requirements, confidence level expression, alternative analysis acknowledgment, and analytic line clarity. The 1B4X1 community writes to ICD 203 standards in its analytic products regardless of classification level. SrAs who have internalized ICD 203 write products that require minimal rework before they leave the section. SrAs who have not are writing products that the SSgt rewrites before they hit the customer.
  • JP 3-12 — Cyberspace Operations.
    JP 3-12 defines the joint cyberspace operations framework: OCO, DCO, and DODIN Operations; the CYBERCOM and AFCYBER command relationships; the authorities chain under Title 10 and Title 50; and the targeting and legal review process. The SrA who understands JP 3-12 at the journeyman tier — not as a test question but as the legal and operational framework for the work — is the operator who understands why the approval chain for any cyber action exists and what the consequence of bypassing it is.
  • NIST SP 800-53 — Security and Privacy Controls for Information Systems and Organizations.
    NIST SP 800-53 is the foundational control framework that DoD systems (under DODI 8510.01 / the RMF process) are assessed against. CCRI inspection findings map to NIST 800-53 control families. The SrA who understands the 800-53 control families — Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Incident Response (IR), System and Communications Protection (SC) — can read a CCRI finding and understand immediately what the remediation requires. It is the diagnostic language of defensive cyber work.

Standards — How to Hit Each

  • WAPS SSgt cutoff score met on first attempt — SKT, PFE, time-in-service/grade points, decoration points, EPB Stratification all contributing.
    SKT study starts twelve months before the testing window from the AFPC-published reference list. PFE study from the current PDG and AFH 1 sections identified for the cycle. Decoration nominations submitted before the EPB close — do not let the section chief write the EPB without having seen a clean achievement medal nomination for a significant contribution in the past rating period. Time-in-service and TIG points are fixed; make sure the decoration and EPB inputs are maximized where you have influence.
  • ALS complete before SSgt WAPS cutoff notification or promptly after — no delayed pin-on due to EPME gap.
    Ask the section chief about the next ALS slate at eighteen months SrA. If the squadron's slot is competitive, make the case for the nomination: CFETP current, no adverse actions, strong EPB cycle. The SrA who gets nominated for ALS and uses the preparation time productively — reading AFI 36-2618, the AF NCO Creed, the leadership curriculum material — is the ALS attendee who competes for Distinguished Graduate.
  • Additional DoDD 8140 work-role qualifications beyond IAT-II baseline — CySA+, CEH, GCIA, or equivalent depending on the billet's work-role coding.
    Check the billet's work-role designation with the unit Manpower and Personnel section. Work-roles that require CySA+ or a CSSP Analyst-level qualification (under the DCWF framework) have a specific qualification requirement beyond Security+. Pursue the next cert that aligns to the billet's work-role — the unit's training NCO can identify which cert applies and whether the unit's training budget supports a voucher.

Technical Mistakes — Concrete Consequences

  • Closing an alert as false positive without adequate investigation — dismissing an indicator because the initial look did not surface obvious malicious activity.
    A missed true-positive that gets closed as a false positive can sit in the queue for weeks before the adversary's next action surfaces the same indicator set with more context. The post-incident review will return to the initial closure decision. If the analyst who closed it did so without documenting the investigation steps and the evidence basis for the false-positive determination, the audit trail looks like negligence rather than a judgment call. Document every closure. State what you checked, what the indicator looked like against baseline, and what made you confident it was benign.
  • Producing an analytic product with a confidence level that is not supported by the available indicators — asserting 'high confidence' attribution when the evidence supports 'moderate' or 'low.'
    Overclaiming confidence in analytic products is an ICD 203 violation and a professional credibility problem. A customer who acts on a 'high confidence' attribution that turns out to be incorrect — and that the analyst's evidence could not actually support — will not trust the section's products the next time. Confidence level inflation is one of the most common tradecraft failures at the journeyman tier. State what the indicators actually support. If the evidence is thin, say so.
  • SCIF physical security violation — propping the SCIF door, allowing tailgating, leaving classified material unattended in a workspace with mixed access levels.
    SCIF physical security violations are reported to the unit security manager and can trigger a formal security incident report. Repeat violations — even minor ones — generate a pattern record that the security manager tracks. In a career field where the clearance is the entire foundation, a pattern of physical security carelessness is a Continuous Evaluation flag waiting to happen.
  • Assuming a cyber defensive action is authorized because it seems obviously defensive — scanning a network segment, deploying a detection rule, or blocking a suspicious IP without verifying the action is within the unit's current DCO-IDM authority.
    DCO-IDM actions require documented authority tied to the applicable operational order or DCO authority granted by the DODIN operator. An action that seems obviously defensive — blocking a suspicious IP that is hammering the perimeter — may cross into OCO territory depending on attribution and the target's ownership. The AFCYBER J3 authority chain exists for this reason. Verify before you act.

Career Decisions at This Rank

  • Four-year re-enlistment vs. ETS with current clearance and early certifications.
    This is the most consequential financial decision in the 1B4X1 career and it almost always hits at the SrA tier. The private-sector market is actively recruiting cleared cyber professionals and the entry-level contractor salary at three to four years out of JCAC — with a Security+ and some operational reps — is real money compared to SrA base pay. The honest case for staying: the operational depth, the advanced certifications, the network inside AFCYBER and CYBERCOM, and the 20-year retirement math get meaningfully stronger at the SSgt, TSgt, and MSgt tiers. The contractor market pays more for the operator with a GCIA or GREM and eight to ten years of clearable operational history than for the SrA with a Sec+ and four years. The honest case for leaving: the pay gap is real and it starts now. Do the full math — not just the monthly paycheck comparison, but the long-term career portfolio math. Where are you on the cert stack? What operational lane do you own? What does your resume say about specific technical work you can describe without violating classification? Answer those questions honestly before signing or ETS'ing.
  • WAPS first-attempt SSgt vs. deliberate timeline management to hit the promotion at the most competitive portfolio point.
    WAPS is not purely on your schedule — the testing window is set by AFPC. But the preparation is entirely on your schedule. The SrA who starts SKT study at eighteen months SrA, closes the Security+ and a second cert in the first two years, gets ALS done before the WAPS window, and has a strong EPB Stratification narrative for two cycles is structurally more competitive than the one who studies in the last ninety days. First-attempt SSgt promotion matters for the timeline to TSgt and MSgt — each year of delay compounds across the career arc. Treat the promotion prep as the operational mission it is.
  • Cert pursuit strategy — breadth (more certs, broader coverage) vs. depth (fewer certs, specialist profile in a specific mission lane).
    The DoD market values depth over breadth more than the commercial market does. A SrA with a Security+, a CySA+, and a GCIA who can articulate three years of specific DCO-IDM alert analysis work is more legible to the contractor market than a SrA with six certs and no operational specialty they can discuss. The AF promotion system values the DoDD 8140 qualifications alignment with the billet; the contractor market values demonstrated expertise in a specific technical lane. Build the cert stack around the mission lane you actually own — if you are doing network forensics, the GCIA is the cert; if you are doing incident response, the GCFE or eCIR; if you are doing threat hunting, the GREM. Breadth is for the generalist; depth is for the 1B4X1 operator.

How the Seat Varies by Unit Type

  • Wing or base-level cyber operations squadron (DCO-IDM focus)
    The SrA journeyman at a wing or installation-level cyber operations squadron is the primary alert analyst and CCRI evidence lead for the section. The mission is DCO-Internal Defensive Measures: monitoring the wing's DODIN enclave, responding to alerts from the SIEM, preparing CCRI documentation packages, and maintaining the unit's defensive posture. The work is technically valid and professionally developmental, but it is not the CMF operational tempo. The upside: the scope is manageable, the NCO mentorship pool is present, and the CCRI cycle provides recurring high-stakes documentation discipline.
  • Cyber Mission Force element (CMT, CPT, CST) under AFCYBER / USCYBERCOM
    The SrA journeyman at a CMF billet is working beside the operators who execute the full CYBERCOM mission stack. The reps are better. The expectations are also higher — CMF mission work requires procedural discipline and documentation rigor at every step that the wing-level DCO assignment teaches gradually. The SrA who arrives at a CMF billet without strong analytic product discipline will get corrected quickly by the TSgt or MSgt mission element lead. The CMF assignment at the journeyman tier is the most professionally developmental assignment in the 1B4X1 community; it is also the assignment where sloppy tradecraft is most immediately visible to the senior operators.
  • National-level or CCMD-assigned cyber team (CYBERCOM HQ, NSA-adjacent, combatant command J6 cyber element)
    A small number of SrA 1B451 operators end up in national-level or CCMD-adjacent assignments — either through deliberate career management or through targeted selection by a unit whose mission requires specific skill-set alignment. These assignments have exceptional senior-operator mentorship exposure and national-intelligence analytic product context that a wing or even a CMF team cannot replicate. They also carry the heaviest classification burden and the most restrictive operational need-to-know environment. The SrA who lands one of these assignments should treat every day as a graduate seminar.

What Good Looks Like at This Rank

The good SrA 1B451 is the operator the SSgt names when an alert comes in at 1400 on a Friday that nobody wants to triage because it looks like a false positive but has enough anomalous indicators that it probably is not. The product that comes back by 1600 is ATT&CK-mapped, ICD 203-compliant on sourcing and confidence level, and cites the indicators with enough specificity that the TSgt mission element lead can read it and immediately decide whether to escalate or close. That write-up does not get sent back for rework. That is the standard. By the time the SSgt WAPS cycle opens, the good SrA 1B451 has done the following things without being asked: enrolled in CCAF coursework via TA within the first year at the unit; pursued the next cert beyond Security+ that aligns with the billet's work-role; discussed the ALS slate with the section chief and has a nomination in for the next available class; has been submitting clean achievement medal nominations for the section chief's review; and has been systematically working the CDC volumes from the SKT reference list since eighteen months before the testing window. None of those things required a counseling to initiate. That is what the stratification narrative reads as 'top performer.' The other quality the good SrA 1B451 has that is harder to manufacture: they understand why the contractor sitting next to them makes three times their salary and they are not bitter about it in a way that affects the quality of their work. They have thought through the career decision — stay four more years and build the portfolio that commands the contractor premium, or exit early and accept the entry-level pay gap — and they have made a deliberate choice rather than drifting. The good SrA at 1B451 is building the equity. They know what it is worth. They will collect it at the right time.

Preview — The Next Rank

SSgt (1B451 Craftsman / Crew Lead) is the first NCO rank and the first leadership rank. The stripe changes the identity of the job — you are no longer the analyst who produces; you are the crew lead who produces AND writes the EPB bullets AND runs the daily section standup AND is responsible for whether the SrA below you is hitting their upgrade timeline. Both responsibilities are real. Both are graded. The analytic product that has your name on it still needs to be right. The EPB you write for the SrA who is not making progress has to be honest and actionable. The 7-skill CDCs (1B471) start at SSgt. The craftsman upgrade target is 12-24 months into the SSgt tier. The NCOA (NCO Academy) is the EPME prerequisite for TSgt pin-on — the SSgt who does not get into the NCOA queue early will be waiting behind the ones who did. The TSgt WAPS SKT is more technically demanding than the SSgt SKT because it draws from the full 7-skill CDC material on top of the 5-skill base. The SSgts who pin TSgt on first attempt started studying the 7-skill material while they were still wearing the SrA stripe. The contractor conversation gets louder at SSgt. A cleared SSgt 1B451 with a GCIA and four to six operational years — especially one who has sat a CMF billet — is a serious candidate for the contractor roles that pay significantly above what MSgt base pay will ever reach. The WAPS math at the SSgt-to-TSgt step and the TSgt-to-MSgt step is slower and more selective than the earlier tiers; the SSgt who has done the full portfolio math and chosen to stay is choosing deliberately, not defaulting.
FAQ

1B4X1 E4 — Frequently Asked Questions

Q01What does a E4 1B4X1 (Cyber Warfare Operations Specialist) actually do?
You sit a billed position on a Cyber Mission Force element under 16th Air Force — a Cyber Mission Team, Cyber Protection Team, Cyber National Mission Team, or a Cyber Support Team element — and you are producing analysis, not being carried through it.
Q02What's the most important thing to know as a E4 1B4X1?
SrA is the first time the ops floor actually depends on you to close tickets without constant oversight.
Q03What does a typical day look like for a E4 1B4X1?
Time-blocked day at the E4 1B4X1 rank tier: 0530-0630 PT. SrA at a cyber operations unit is on a standard AF fitness schedule — DAFMAN 36-2905 standards enforced quarterly. Three days of cardio runs (goal: 1.5-mile time well inside the passing threshold, not just over it), two days of strength work. The cyber community has produced fitness failures that ended promotions. Don't be one, 0630-0730 Shower, chow, commute. Cyber units at most installations are on a 0730 initial formation or 0800 first formation depending on the squadron's PT schedule.…
Q04What mistakes get E4 1B4X1 soldiers fired or relieved?
Operating outside the operational authority boundary — executing a tool action, network scan, or defensive measure against a system that is not explicitly within the unit's current operational order and approval chain. Even a well-intentioned defensive action against an in-scope network requires documented authority. The legal and career consequences of unauthorized computer access are the same regardless of intent; Clearance-reportable contact not reported — a foreign national contact,…
Q05What career decisions matter most at the E4 1B4X1 rank tier?
Four-year re-enlistment vs. ETS with current clearance and early certifications — This is the most consequential financial decision in the 1B4X1 career and it almost always hits at the SrA tier. The private-sector market is actively recruiting cleared cyber professionals and the entry-level contractor salary at three to four years out of JCAC — with a Security+ and some operational reps — is real money compared to SrA base pay. The honest case for staying: the operational depth, the advanced certifications, the network inside AFCYBER and CYBERCOM,…
Q06What's next after E4 for a 1B4X1 (Cyber Warfare Operations Specialist) in the Air Force?
SSgt (1B451 Craftsman / Crew Lead) is the first NCO rank and the first leadership rank.
Q07What manuals and regulations does a E4 1B4X1 need to know cold?
CFETP 1B4X1 — you sign at the apprentice level when delegated; your 7-skill line items are the next milestone.; DoDD 8140.01 — Cyberspace Workforce Management: read your assigned work role's task list line by line; that is the bar the team audits you against.; NIST SP 800-61 — Computer Security Incident Handling Guide: the IR playbook every DCO and CPT mission execution maps to; know it well enough to execute it, not just describe it.

This playbook has no tips yet. Be the first to share what you know.

Published by the Honest MOS Editorial DeskVerified against DoD/.gov sourcesUpdated May 2026Editorial standards