Certified Threat Intelligence Analyst (CTIA) Practice Test

The CTIA is designed for mid-to-senior-level cybersecurity professionals who work with or want to specialize in threat intelligence. Primary candidates include threat intelligence analysts, SOC analysts (Tier II and above), incident responders, cybersecurity engineers, malware analysts, and information security managers who want to formalize their threat intelligence skills. It is also pursued by risk management professionals and government or defense personnel who need to integrate intelligence into security operations.

EC-Council recommends that candidates have at least two years of information security experience before attempting the exam. Those who attend EC-Council Authorized Training Center (ATC) classes or iClass online training are generally exempt from the formal experience application requirement, while self-study candidates must submit an eligibility application demonstrating their background. The certification is particularly well-suited for professionals already holding foundational credentials such as CEH or Security+ who are looking to move into a dedicated threat intelligence role.

There are no mandatory formal prerequisites to enroll in CTIA training, but EC-Council strongly recommends a minimum of two years of experience in information security or a related IT field before attempting the certification exam. Candidates pursuing the exam without attending EC-Council authorized training must submit an eligibility application documenting their professional experience for review and approval.

From a knowledge standpoint, candidates benefit most from familiarity with general networking concepts (TCP/IP, DNS, firewalls, proxies), basic cybersecurity principles, and an understanding of common attack techniques. Prior exposure to security operations center (SOC) workflows, incident response processes, or penetration testing concepts — such as that provided by the CEH (Certified Ethical Hacker) certification — will provide a meaningful foundation for the more advanced threat intelligence content covered in the CTIA curriculum.

The CTIA exam (code 312-85) consists of 50 multiple-choice questions to be completed within a 2-hour (120-minute) time limit. The exam is delivered at EC-Council Exam Centers, which support both in-person and remotely proctored formats. The passing score is 70%; however, EC-Council sets cut scores on a per-exam-form basis, meaning the threshold may range between 60% and 78% depending on the specific form administered to ensure consistent assessment standards across versions.

The exam is available in English and covers all domains defined in the official CTIAv2 Exam Blueprint published by EC-Council. Candidates must purchase an exam voucher (CTIAv1/v2 ECC Exam Center Voucher) and pay a one-time application fee. The certification is valid for three years, after which holders must earn 120 EC-Council Continuing Education (ECE) credits to maintain active status.

• 1.Domain 1 — Introduction to Threat Intelligence (14%): Covers foundational terminology, the four types of threat intelligence (strategic, tactical, operational, technical), the threat intelligence lifecycle, Indicators of Compromise (IoCs), the Pyramid of Pain, and an overview of Advanced Persistent Threats (APTs) and their Tactics, Techniques, and Procedures (TTPs).
• 2.Domain 2 — Cyber Threats and Kill Chain Methodology (14%): Addresses threat actor categories (nation-state, hacktivist, insider, cybercriminal), the Lockheed Martin Cyber Kill Chain (all seven phases), the MITRE ATT&CK framework, and other attack modeling frameworks used to structure intelligence analysis.
• 3.Domain 3 — Requirements, Planning, Direction, and Review (16%): Focuses on defining intelligence requirements, establishing Priority Intelligence Requirements (PIRs), planning and directing a threat intelligence program, managing the intelligence cycle, and conducting structured reviews of intelligence products and processes.
• 4.Domain 4 — Data Collection and Processing (24%): The highest-weighted domain, covering OSINT techniques (search engines, DNS interrogation, web footprinting, social media, dark web), HUMINT and technical collection methods, cyber counterintelligence (CCI), malware analysis for intelligence purposes, Python scripting for automated collection, and data processing techniques including de-duplication, tagging, and enrichment.
• 5.Domain 5 — Data Analysis (18%): Covers statistical and machine-learning-based analysis methods, Structured Analytic Techniques (ACH, link analysis, timeline analysis), threat modeling, indicator enrichment and correlation, and the use of Threat Intelligence Platforms (TIPs) to aggregate and analyze threat data.
• 6.Domain 6 — Dissemination and Reporting of Intelligence (14%): Addresses the creation of intelligence reports tailored to different audiences (executive, operational, technical), formatting standards, sharing threat intelligence via ISACs, and using STIX/TAXII protocols to operationalize and distribute intelligence across SOC, IR, and risk management teams.
• 7.Domain 7 — Threat Hunting and Detection (CTIAv2 addition): Introduces threat hunting methodologies (hypothesis-based, indicator-based, machine-learning-assisted), detection engineering principles, and use of SIEM platforms and behavioral analytics to proactively identify threats that evade automated controls.
• 8.Domain 8 — Threat Intelligence in SOC Operations, Incident Response, and Risk Management (CTIAv2 addition): Covers integration of threat intelligence outputs into SOC workflows, incident response playbooks, and enterprise risk management processes, enabling intelligence-driven decision-making across security functions.

• Download and thoroughly review the official CTIAv2 Exam Blueprint PDF from cert.eccouncil.org — it defines every domain, subtopic, and relative weight, making it the single most valuable guide for structuring your study plan.
• Prioritize Domain 4 (Data Collection and Processing, 24%) and Domain 5 (Data Analysis, 18%), as together they account for over 40% of the exam. Practice OSINT collection techniques hands-on using tools like Maltego, Shodan, and TheHarvester, and work through basic Python scripts for data gathering.
• Map your study sessions to the MITRE ATT&CK framework — work through real-world APT group profiles on the MITRE ATT&CK website to internalize how TTPs are documented and used for threat actor profiling, a core skill tested across multiple domains.
• Use EC-Council's official iLearn self-paced courseware or authorized training materials, which include over 800 pages of student manual and 27 hands-on labs. Completing all labs is essential since the exam includes scenario-based questions grounded in practical workflows.
• Practice writing intelligence reports in different formats (strategic executive summaries vs. technical IoC bulletins) to prepare for dissemination-focused questions, and study how STIX/TAXII standards are used to structure and share threat data with platforms and partner organizations.
• Study the Cyber Kill Chain phases in sequence and practice attributing real-world attack scenarios to specific Kill Chain stages — EC-Council exam questions frequently require candidates to identify the correct phase based on attacker behavior descriptions.
• Review the NICE Cybersecurity Workforce Framework roles aligned with threat intelligence (e.g., All-Source Analyst, Cyber Defense Analyst) to understand how CTIA maps to industry job functions, and use EC-Council's CodeRed platform for supplemental practice questions and topic reviews.

The CTIA certification opens doors to dedicated threat intelligence roles that are increasingly in demand as organizations build out intelligence-driven security operations. Common job titles for CTIA holders include Cyber Threat Intelligence Analyst, Threat Intelligence Engineer, SOC Analyst (Senior/Lead), Threat Hunter, and Intelligence Fusion Analyst — roles found across financial services, government, defense contractors, MSSPs, and technology firms. According to EC-Council's published data, salaries for threat intelligence professionals in the United States range from approximately $100,000 to $170,000, with an average around $120,000 annually.

Compared to broader security certifications like CISSP or CEH, the CTIA provides focused, practitioner-level credentialing specifically in threat intelligence — a differentiator valued by hiring managers building dedicated intelligence teams. It complements incident response certifications such as ECIH and is often pursued alongside or after CEH to build a full offensive-awareness-to-intelligence skill set. The certification's alignment with NICE and CREST standards also gives it recognition in government and regulated industry procurement requirements, where framework-aligned credentials carry weight in contract eligibility.