← All Roles

CTI Analyst

Produce intelligence that drives detection, hunting, and incident response decisions.

8 modules Β· ~8 weeks

Modules

01Intelligence Fundamentals β€” Cycle, Types, and Requirements

beginner

Master the intelligence cycle, distinguish strategic/operational/tactical CTI, write Priority Intelligence Requirements, and understand what separates finished intelligence from raw data.

2 lessons

02OSINT Collection β€” Sources, Tradecraft, and Analyst OPSEC

intermediate

Systematically collect open-source intelligence from clearnet, paste sites, code repositories, and dark web sources while maintaining operational security to avoid tipping off adversaries.

1 lesson

03STIX/TAXII and CTI Platforms β€” Structured Intelligence at Scale

intermediate

Model threat intelligence in STIX 2.1, share via TAXII, and operate MISP and OpenCTI platforms to ingest, enrich, and disseminate structured intelligence across teams and organizations.

1 lesson

04Threat Actor Profiling and Campaign Tracking

intermediate

Build defensible threat actor profiles, track campaigns across intrusion sets, cluster activity by TTP/infrastructure/malware overlap, and maintain living profiles that update as new evidence emerges.

1 lesson

05Indicators of Compromise β€” Types, Quality, Lifecycle, and Decay

intermediate

Evaluate IOC quality across atomic/computed/behavioral types, understand indicator decay and when to retire stale indicators, and prioritize which IOCs actually belong in detection tools vs. intelligence records.

1 lesson

06Finished Intelligence Products β€” Strategic, Operational, and Tactical

intermediate

Produce intelligence products that actually drive decisions: strategic threat landscape reports for executives, tactical threat briefs for SOC/IR teams, and flash reports for urgent emerging threats.

1 lesson

07Intelligence-to-Detection Pipeline β€” From Threat Reports to Sigma Rules

advanced

Operationalize threat intelligence into working detections: extract TTPs from reports, write Sigma rules from adversary playbooks, assess ATT&CK detection coverage gaps, and close the feedback loop with detection engineers.

1 lesson

08Vulnerability Intelligence and Patch Prioritization

advanced

Move beyond CVSS scores: assess exploitation probability using EPSS and KEV, track threat actor exploitation of specific CVEs, and deliver vulnerability intelligence that focuses limited patching resources on actual risk.

1 lesson

MITRE ATT&CK Coverage

Green = at least one covering lesson completed

// final assessment

Final Exam

20 hard, scenario-based questions spanning the full curriculum. Pass at 80% to earn your certificate.