CTI Analyst
Produce intelligence that drives detection, hunting, and incident response decisions.
8 modules Β· ~8 weeks
Modules
01Intelligence Fundamentals β Cycle, Types, and Requirements
beginnerMaster the intelligence cycle, distinguish strategic/operational/tactical CTI, write Priority Intelligence Requirements, and understand what separates finished intelligence from raw data.
2 lessons
02OSINT Collection β Sources, Tradecraft, and Analyst OPSEC
intermediateSystematically collect open-source intelligence from clearnet, paste sites, code repositories, and dark web sources while maintaining operational security to avoid tipping off adversaries.
1 lesson
03STIX/TAXII and CTI Platforms β Structured Intelligence at Scale
intermediateModel threat intelligence in STIX 2.1, share via TAXII, and operate MISP and OpenCTI platforms to ingest, enrich, and disseminate structured intelligence across teams and organizations.
1 lesson
04Threat Actor Profiling and Campaign Tracking
intermediateBuild defensible threat actor profiles, track campaigns across intrusion sets, cluster activity by TTP/infrastructure/malware overlap, and maintain living profiles that update as new evidence emerges.
1 lesson
05Indicators of Compromise β Types, Quality, Lifecycle, and Decay
intermediateEvaluate IOC quality across atomic/computed/behavioral types, understand indicator decay and when to retire stale indicators, and prioritize which IOCs actually belong in detection tools vs. intelligence records.
1 lesson
06Finished Intelligence Products β Strategic, Operational, and Tactical
intermediateProduce intelligence products that actually drive decisions: strategic threat landscape reports for executives, tactical threat briefs for SOC/IR teams, and flash reports for urgent emerging threats.
1 lesson
07Intelligence-to-Detection Pipeline β From Threat Reports to Sigma Rules
advancedOperationalize threat intelligence into working detections: extract TTPs from reports, write Sigma rules from adversary playbooks, assess ATT&CK detection coverage gaps, and close the feedback loop with detection engineers.
1 lesson
08Vulnerability Intelligence and Patch Prioritization
advancedMove beyond CVSS scores: assess exploitation probability using EPSS and KEV, track threat actor exploitation of specific CVEs, and deliver vulnerability intelligence that focuses limited patching resources on actual risk.
1 lesson
// final assessment
Final Exam
20 hard, scenario-based questions spanning the full curriculum. Pass at 80% to earn your certificate.