C)TIA: Threat Intelligence Analyst

In today’s evolving cyber landscape, reactive security isn’t enough—organizations need a proactive, intelligence-driven defense to stay ahead of adversaries. The Certified Threat Intelligence Analyst (CTIA) course equips SOC teams, security engineers, and cyber threat intelligence (CTI) professionals with the practical skills and technical expertise to implement real-world threat intelligence strategies effectively.

This comprehensive, hands-on course covers threat intelligence gathering, operationalization, and automation, ensuring students build and deploy intelligence-driven detection rules across SIEMs, Snort, Elastic Security, MISP, and more.

With real-world labs, practical case studies, and deep technical insights, participants will master Sigma rule creation, OpenIOC structuring, STIX/TAXII automation, and custom scripting—empowering them to detect, analyze, and mitigate cyber threats before they strike.

Whether you’re building a new threat intelligence program or enhancing SOC operations, CTIA delivers the skills needed to turn intelligence into action.

Key takeaways

Upon completion, you will know how to perform thorough threat analysis on any information system and be able to report accurately on your findings.

By completing this course you will earn 40 CEUs.

Prerequisites

Suggested Prerequisites:

  • 12 months vulnerability testing
  • Mile2’s C)SP, C)IHE, and C)PTE

Or equivalent

Target audience

  • Penetration Testers
  • Microsoft Administrators
  • Security Administrators
  • Active Directory Administrators
  • Anyone looking to learn more about security

 

 

Modules: 

  • Module 01: Threat Intelligence Basics
  • Module 02: Security Analysis Basics
  • Module 03: Cyber Threats
  • Module 04: Threat Actors
  • Module 05: Case Studies
  • Module 06: Threat Identification
  • Module 07: Proactive Approach

Hands-On Labs:

  • Lab 01: Setting up SIEM Environment
  • Lab 02: Practical Threat Analysis          
  • Lab 03: Hunting for Active Threats through Collected Logs       
  • Lab 04: Defensive Threat Intelligence Development     
  • Lab 05: Threat Intelligence Data Integration with SIEM 
  • Lab 06: Leveraging MISP for Threat Intelligence
  • Lab 07: OSINT Methodology to Identify Threats
  • Lab 08: Exploitation, Analyzing, and Research  
  • Lab 09: Integrating Elastic & MISP

Detailed Outline:

Course Introduction

Module 1:  Threat Intelligence Basics     

  1. Threat Intelligence Basics
  2. Threat Intelligence Use Cases
  3. Threat Intelligence Development
  4. Types of Threat Intelligence
  5. Tools of the Trade

Module 2:  Security Analysis Basics       

  1. What is Security Analysis
  2. How Security Analysis Supports Threat Intelligence
  3. Static Analysis
  4. Dynamic Analysis
  5. Rule Based Detection

Module 3:  Cyber Threats

  1. Cyber Threat Overview
  2. Cyber Threats Classification
  3. Prevention Against Cyber Threats
  4. Examples of Cyber Threats in History

Module 4:  Threat Actors

  1. Threat Actors Overview
  2. Threat Actors Classification
  3. Examples of Threat Actors in History

Module 5: Cyber Threats & Malicious Actors Case Studies                 

  1. Stuxnet
  2. EternalBlue
  3. WannaCry
  4. Wizard Spider Group
  5. Operation Aurora
  6. Zerologon
  7. MOVEit

Module 6: Threats Identification

  1. Threat Hunting
  2. Threats Analysis Frameworks
  3. Leveraging Tools for Threat Discovery

Module 7: Implementing a Proactive Threat Intelligence Approach

  1. Foundations of Proactive Threat Intelligence
  2. Operationalizing Threat Intelligence in an Organization
  3. Threat Intelligence Sharing & Exchange Standards
  4. Rule Creation for Threat Hunting & Automation

Detailed Lab Outline:

Lab 1 – Setting up SIEM Environment

Section 1 – Set Up Elasticsearch

Lab 2 – Practical Threat Analysis 

Section 1 – Static Analysis on WannaCry Threat   

Section 2 – Dynamic Analysis on WannaCry Threat          

Section 3 – Perform an Analysis on your own        

Lab 3 – Hunting for Active Threats through Collected Logs    

Section 1 – Hunting for Backdoors  

Section 2 – Hunting for Intrusions    

Section 3 – Threat Actor Profiling using MITRE ATT&CK

Lab 4 – Defensive Threat Intelligence Development     

Section 1 – YARA Rules Usage, Development, and Improvement

Section 2 – Snort Rules Usage, Development, and Improvement 

Lab 5 – Threat Intelligence Data Integration with SIEM

Section 1 – Implement Real-Time Threat Intelligence within SIEM

Lab 6 – Leveraging MISP for Threat Intelligence

Section 1 – Analyzing an Attack by adding an Event         

Section 2 – Add an event based on actual attack   

Section 3 – Decay and Warning Lists          

Section 4 – MISP feeds        

Lab 7 – OSINT Methodology to Identify Threats

Section 1 – Discovering Threats through Google Dorks OSINT    

Section 2 – Discovering Threats through Social Media OSINT     

Section 3 – Discovering Threats through Intelligence Sharing

Section 4 – Discovering Threats through Dark Web OSINT          

Section 5 – Discovering Threats through Vulnerabilities Databases OSINT         

Lab 8 – Exploitation, Analyzing, and Research  

Section 1 – Exploitation and Analysis of SIEM Logs          

Section 2 – Analyzing Exported SIEM logs 

Section 3 – Researching OTX for threats affecting a specific industry      

Lab 9 – Integrating Elastic and MISP       

Section 1 – Manual Ingestion of MISP Events into Elastic 

Section 2 – Visualize Threat Feeds in Elasticsearch          

Section 3 – Ingesting MISP Events to Elastic Defender Rules      

Section 4 – Automate IOC Ingestion into Elastic’s Detection Rules

Objective:

Upon completion, Certified Threat Intelligence Analyst course students will be ready to sit for the C)TIA exam.

Exam information:

The exam is taken online through Mile2’s Learning Management System and is accessible on your Mile2.com account. The exam will take approximately 2 hours and consist of 100 multiple choice questions. 

A minimum grade of 70% is required for certification.

Your exam is included in the course fee!

Re-certification requirements:

All Mile2 certifications will be awarded a 3-year expiration date.

There are two requirements to maintain Mile2 certification:

  • Pass the most current version of the exam for your respective existing certification
  • Earn and submit 20 CEUs per year in your Mile2 account  

1. Who is this course for?

For SOC teams, CTI (threat intelligence) analysts, security engineers and security administrators, Microsoft and Active Directory administrators, and penetration testers, as well as anyone who wants to build a proactive, intelligence-driven defensive capability.

2. What prior knowledge should I have?

Recommended: approx. 12 months of experience with vulnerability testing, and Mile2 courses such as C)SP, C)IHE, C)PTE, or equivalent competence.

3. What will I learn in the course?

To gather, operationalize, and automate threat intelligence: build detection rules in SIEM, Snort, Elastic Security, and MISP; create Sigma rules and OpenIOC, and use STIX/TAXII and simple scripting. You also cover threats, actors, frameworks, and cases (e.g. Stuxnet, WannaCry, Zerologon).
Completing the course earns 40 CEUs and prepares you for the C)TIA exam.

4. How is the course delivered?

Delivered as a classroom course, live virtual, or in-company/customized. Duration: 4 days; the course is taught in English.

5. Is this course practical?

Yes, with extensive hands-on labs: setting up SIEM/Elastic, practical threat analysis (static/dynamic, including WannaCry), threat hunting in logs, developing YARA/Snort rules, integrating intel into SIEM, working in MISP (events/feeds/decay), OSINT (Google dorks, social media, dark web, vulnerability databases), and automated IOC ingestion into Elastic rules.

6. How much does the course cost?

The course fee is 30,000 NOK, and the exam is included in the price.

7. What materials do I get?

You get access to Mile2's digital learning system, official course materials, videos, and exercises.

8. Does the course lead to certification?

Yes, the course includes the Certified Threat Intelligence Analyst certification exam.

  • The exam lasts approx. 2 hours and consists of 100 multiple-choice questions.

  • You need at least 70% correct to pass.

The exam is taken online via Mile2's learning platform.

9. How long is the certification valid?

The certification is valid for 3 years. To keep it, you must:

  1. Pass the most current version of the exam
  2. Earn and register 20 CEUs per year in your Mile2 account

10. Can I attend remotely?

Yes, the course is offered both as an in-person classroom course and as a live virtual course.

11. Can I have the course customized?

Yes, the course can be delivered in-company and adapted to the organization's needs.

12. Can I book the course for my organization?

Yes, we offer in-company courses both in person and virtually.
