←Back to 1D7X3 Cable and Antenna Operations — overview, pay, training, civilian translation, reviews
1D7X3E1-E3
Cable and Antenna Operations
E-1 to E-3 (Junior Enlisted) · Air Force
HEADS UP
You will feel behind from day one. The field moves faster than your training pipeline, and the acronyms alone will take six months to internalize. That is normal. Your job right now is to shut up, log everything, and let the senior analysts teach you how to actually see a network.
The Honest MOS Read
You are a Cyberspace Defense Analyst apprentice, which means you are the analyst who does not yet know what they do not know. The 1D7X3 pipeline runs through Keesler AFB where you will get your foundational cyber training, but the real education starts the moment you hit your first operational unit — a Cyberspace Defense Operations (CDO) flight, a Defensive Cyber Operations Element, or a Cyber Protection Team. Most junior 1D7X3s land in a Security Operations Center or a Cyberspace Defense Operations Center (CDOC) working under direct supervision of 5-level and 7-level analysts.
The work at this tier is fundamentally about building pattern recognition. You are watching SIEM dashboards, triaging alerts from tools like Splunk or Elastic, doing initial packet analysis in Wireshark, and writing the first-pass documentation on tickets before a senior analyst reviews your work and tells you why you missed something. You will miss things. That is the process. The senior who marks up your analysis isn't punishing you — they are building the mental model you need to eventually work independently.
Shift work is the reality here and the sooner you make peace with it, the better. CDOCs and SOC environments operate around the clock because adversaries do not keep banker hours. You will work nights, you will work weekends, you will work holidays. Your circadian rhythm will take a beating. Couples and families absorb this differently, and it is worth being honest with yourself about whether you can sustain it before you decide this is a long-term career.
The certification treadmill starts immediately. Security+ is a DoD 8570/8140 baseline requirement and you need it to be considered fully qualified. Your unit will expect you to be working toward it if you don't arrive with it already, and once you have it the expectation quickly shifts to CySA+ or CCNA depending on your assignment. Budget time outside of shift for studying. This is not optional — it is part of the job description whether anyone says so explicitly or not.
Imposter syndrome at this tier is nearly universal among 1D7X3s who were genuinely interested in the field before enlisting. The civilian cybersecurity world is enormous, the tools are constantly changing, and you will encounter contractors and civilians in your work environment who have years of industry experience. You are not failing — you are at the beginning of a long, technically deep career path. The analysts who wash out early are usually the ones who refused to acknowledge how much they didn't know.
Career Arc
["Arrive at first duty station post-Keesler pipeline; assigned to CDO flight or SOC under direct supervision", "Complete Security+ within first 6 months if not already certified \u2014 this gates your 5-level upgrade training", "Begin 5-level Career Development Course (CDC) requirements; expect 12-18 months to complete upgrade", "Start building familiarity with primary SIEM platform and intrusion detection toolset used at your unit", "Work toward first independent alert triage responsibilities under senior analyst oversight", "Identify whether your assignment is ops-center-flavored or CPT-flavored early \u2014 the skill sets diverge"]
Common Screwups
["Failing to get Security+ before your 5-level upgrade board \u2014 this will flag you as not progressing and your supervisor will notice", "Discussing specific network vulnerabilities, sensor placement, or defensive gaps in unsecured channels or outside secure facilities \u2014 OPSEC violations in cyber are career-ending and mission-compromising", "Closing a ticket without adequate documentation because you wanted to clear the queue \u2014 incomplete incident records will bite your unit during audits and you will own the gap", "Missing a PT or medical appointment because you swapped shifts and forgot to coordinate \u2014 administrative failures compound with technical ones and commanders notice patterns"]
A Day in the Life
[{"time": "0545", "activity": "Arrive early for shift \u2014 check SIEM dashboard and any tickets opened since last check"}, {"time": "0600", "activity": "Formal shift turnover brief from outgoing shift; note any active incidents, ongoing investigations, or sensor issues"}, {"time": "0630", "activity": "Work the alert queue \u2014 triage new alerts from IDS/IPS, endpoint detection, and network sensors"}, {"time": "0800", "activity": "Initial incident documentation for any elevated alerts; update ticket status and begin log analysis"}, {"time": "0900", "activity": "Packet analysis on flagged traffic; pull PCAPs for any alerts escalated from initial triage"}, {"time": "1000", "activity": "Coordination with senior analyst on complex tickets \u2014 review and discuss analysis before closing or escalating"}, {"time": "1100", "activity": "Continue alert queue; begin drafting shift turnover notes for outgoing brief"}, {"time": "1200", "activity": "Lunch \u2014 you eat when the queue allows, not on a schedule. On busy days this happens at 1400 or not at all."}, {"time": "1300", "activity": "CDC study block if shift tempo allows \u2014 structured self-improvement time some units protect, others don't"}, {"time": "1400", "activity": "Threat intel review \u2014 read any new signatures, bulletins, or threat feeds distributed by higher headquarters"}, {"time": "1500", "activity": "Ticket cleanup and documentation audit \u2014 verify all open tickets are current and aging items are escalated"}, {"time": "1700", "activity": "Shift turnover prep \u2014 compile brief for incoming shift, note all open items and watch-ons"}, {"time": "1730", "activity": "Shift turnover brief to incoming shift \u2014 verbal plus written log"}, {"time": "1800", "activity": "Depart \u2014 if you are studying for certs, this is when you do it before the next shift starts at 0600 again"}]
Weekly Cadence
On a rotating continental shift (usually 4 days on, 4 days off or a similar pattern), there is no traditional Monday-Friday rhythm. Your week is defined by where you fall in the rotation. Days on shift are alert-focused — you arrive knowing the current threat picture from turnover, work the queue, document thoroughly, and hand off cleanly. Days off are supposed to be recovery, but for junior analysts in certification mode, a significant portion goes to study.
Administrative tasks like EPR bullets, training documentation, and mandatory unit briefings tend to cluster around normal duty hours when your flight chief is available, which can create friction if you are on a non-standard rotation. Learn to manage your administrative obligations during the windows that overlap with leadership's schedule or they will stack up and surprise you.
Key Skills — How to Drill Each
[{"skill": "SIEM alert triage and initial incident documentation", "how": "Work every alert to its logical end, even the ones that turn out to be nothing. Write the ticket as if the next person reading it knows nothing. Senior analysts will check your work \u2014 let their corrections teach you what you are not seeing yet."}, {"skill": "Packet capture analysis with Wireshark or tcpdump", "how": "Pull the PCAP on every interesting alert you work, even if you cannot fully interpret it yet. Practice identifying normal baseline traffic for your network versus anomalies. The faster you build that baseline intuition, the faster you become useful."}, {"skill": "Log analysis and query construction in your unit's SIEM", "how": "Get hands-on with Splunk SPL or Elastic KQL as quickly as your access allows. Start with canned queries, then learn to build your own. The ability to pivot across log sources quickly is the core technical skill at this tier."}, {"skill": "Security+ and DoD 8140 baseline requirements", "how": "Treat the certification as a minimum floor, not a goal. Use Professor Messer and practice exams. Do not let your CDC and your cert prep fall behind simultaneously \u2014 sequence them so one reinforces the other."}, {"skill": "Incident ticket lifecycle management", "how": "Every ticket you touch should be traceable from first alert to resolution with timestamps, analyst actions, and final disposition. Your SOC's credibility during inspections lives in ticket quality. Own yours."}]
Manuals & References — What Chapters Matter
[{"ref": "DAFI 17-101, Cyberspace Operations", "why": "The foundational Air Force instruction governing how cyber operations are organized and conducted \u2014 understand the command relationships and authority structures your unit operates under."}, {"ref": "NIST SP 800-61, Computer Security Incident Handling Guide", "why": "The incident response lifecycle in this publication is the mental framework for every ticket you will work \u2014 detection, analysis, containment, eradication, recovery, post-incident. Internalize the phases."}, {"ref": "NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems", "why": "Explains how IDS/IPS sensors work and what their limitations are \u2014 essential for understanding why your detection coverage has gaps and what attackers can do to evade your sensors."}, {"ref": "MITRE ATT&CK Framework (publicly available, attack.mitre.org)", "why": "The adversary tactics and techniques matrix your unit references when categorizing threat activity \u2014 knowing the framework cold lets you map observed behavior to known adversary patterns faster."}, {"ref": "Unit-level TTP library and SOC runbooks", "why": "Every CDO flight or CDOC publishes internal procedures for their specific environment \u2014 these are more immediately actionable than any external publication and you should have them memorized within 90 days."}]
Standards — How to Hit Each
[{"standard": "Security+ (CompTIA) for DoD 8140 baseline \u2014 IAT Level II", "how": "Required to fully qualify at the 5-level. Take a practice exam cold first week, identify gaps, use Professor Messer free course, schedule the exam within 90 days of arrival at your unit."}, {"standard": "5-level CDC completion within 12-18 months of arrival", "how": "Do not let CDC fall behind shift schedule. Most units have protected study time \u2014 use it. CDCs lag behind real-world tools but the foundational concepts map directly to your daily work."}, {"standard": "Zero unresolved tickets older than 24 hours without supervisory coordination", "how": "If a ticket is aging, you escalate it before it ages. Your senior analysts would rather hear from you at hour 18 than discover a stale ticket during a shift turnover brief."}, {"standard": "Shift turnover briefing completion before departing post", "how": "Your replacement needs to know what you touched, what is still open, and what to watch. A 30-second verbal brief is not enough \u2014 the written turnover log is the record. Treat it as a deliverable."}]
Technical Mistakes — Concrete Consequences
[{"mistake": "Closing an alert as false positive without documenting your analysis", "consequence": "The next analyst sees a clean queue and assumes coverage. If the alert was actually a real intrusion you missed, the gap in documentation means the dwell time grows and nobody knows why. This becomes your name on an incident report."}, {"mistake": "Pivoting out of scope during an incident investigation without coordinating with the lead analyst", "consequence": "You may inadvertently tip off a threat actor, modify forensic artifacts, or create legal chain-of-custody issues that compromise the investigation and any subsequent reporting."}, {"mistake": "Running an active scan or enumeration tool on a production segment without authorization", "consequence": "You can crash sensors, trigger defensive countermeasures on your own network, or generate traffic that analysts at a higher tier escalate as a potential insider threat. Authorization before action is not bureaucracy \u2014 it is how you stay employed."}, {"mistake": "Sharing indicator of compromise data in unclassified channels before proper handling review", "consequence": "IOC data tied to active investigations may be classified or operationally sensitive. Releasing it externally can compromise ongoing operations and will result in an Article 15 if the data was classified."}]
Career Decisions at This Rank
[{"decision": "Get Security+ before your CDC is complete or pursue them in parallel?", "analysis": "Get Security+ first. It is a hard gate for 5-level qualification in the DoD 8140 framework and your supervisor will track it. The CDC content will make more sense after you have the Security+ conceptual foundation anyway. Parallel track is possible but creates unnecessary pressure."}, {"decision": "Volunteer for additional duties or focus on technical development?", "analysis": "At E-1 through E-3, your primary currency is technical competence. Additional duties look good on EPRs but a junior analyst who cannot independently work a ticket is not competitive. Do the additional duty if it genuinely interests you or if the flight chief specifically needs the help \u2014 not to pad a bullet."}, {"decision": "Apply for 5-level upgrade as soon as eligible or wait until fully prepared?", "analysis": "Apply when your CDC is complete and your skill set is honest. Do not rush an upgrade board you are not ready for \u2014 a weak upgrade performance follows you in your record. Your supervisor should be telling you clearly when you are ready. If they are not communicating, ask directly."}]
How the Seat Varies by Unit Type
[{"unitType": "Cyberspace Defense Operations (CDO) Flight / CDOC", "reality": "This is where most junior 1D7X3s land. Ops-center environment, shift work, alert-queue focus. Heavy SIEM and intrusion detection work. The pace is steady but the depth can feel shallow \u2014 you are triaging a lot of volume rather than hunting specific adversaries."}, {"unitType": "Cyber Protection Team (CPT)", "reality": "CPT assignments at this tier are rare for E-1 through E-3 but they exist. The work is more proactive \u2014 hunt operations, network hardening assessments, supported unit defense. More technically intense but less structured than a CDO flight. Getting here early accelerates your technical development significantly."}, {"unitType": "AFIN / AFNET Operations Center", "reality": "Larger enterprise-level visibility with more complex infrastructure. The toolsets are broader and the traffic volumes are enormous. Good exposure to enterprise-scale operations but less individual engagement with specific incidents at the junior level."}]
What Good Looks Like at This Rank
A strong junior 1D7X3 is the analyst who consistently writes tickets that senior analysts do not need to significantly rewrite. The documentation is clear, the timeline is accurate, and the initial assessment is defensible even if wrong — because the reasoning is visible. They show up to shift knowing what was happening when they left and they ask specific questions rather than general ones.
The best apprentices at this tier also start building their own indicator lists, keep personal notes on recurring threat patterns, and study for their next cert before anyone tells them to. They are not trying to be the smartest person in the SOC — they are trying to become useful to the team as quickly as possible. That posture is visible and it gets noticed by the 7-levels who write the EPRs that follow you everywhere.
Preview — The Next Rank
At SrA you are expected to work the alert queue with minimal supervision and begin mentoring incoming apprentices. The 5-level upgrade board is the gate — pass it and your scope expands. You will start owning specific detection categories, contributing to shift turnover briefs as a primary analyst rather than a shadow, and possibly beginning to interact with supported unit POCs during incidents. The cert treadmill does not stop — CySA+ or CCNA becomes the next expectation, and depending on your unit you may be looking at CEH or more specialized vendor certs. Senior analysts will start asking what you want to do with your career — CPT or ops center track — and the answer shapes your next assignment request.
FAQ
1D7X3 E1-E3 — Frequently Asked Questions
Q01What does a E1-E3 1D7X3 (Cable and Antenna Operations) actually do?
Complete the 1D7X3 initial skills training pipeline at Keesler AFB, MS. Learn network defense fundamentals — intrusion detection, security information and event management (SIEM) tools, network traffic analysis, log review, and the indicators of compromise that signal malicious activity.
Q02What's the most important thing to know as a E1-E3 1D7X3?
You will feel behind from day one.
Q03What mistakes get E1-E3 1D7X3 soldiers fired or relieved?
["Failing to get Security+ before your 5-level upgrade board \u2014 this will flag you as not progressing and your supervisor will notice", "Discussing specific network vulnerabilities, sensor placement, or defensive gaps in unsecured channels or outside secure facilities \u2014 OPSEC violations in cyber are career-ending and mission-compromising",…
Q04What's next after E1-E3 for a 1D7X3 (Cable and Antenna Operations) in the Air Force?
At SrA you are expected to work the alert queue with minimal supervision and begin mentoring incoming apprentices.
Q05What manuals and regulations does a E1-E3 1D7X3 need to know cold?
AFMAN 17-1303 (Cyberspace Defense), NIST publications applicable to federal network defense, DISA STIGs for Air Force networks, Air Forces Cyber (AFCYBER) tactics publications
This playbook has no tips yet. Be the first to share what you know.
Published by the Honest MOS Editorial DeskVerified against DoD/.gov sourcesUpdated May 2026Editorial standards