5-Day Certification
Course Code · CCTI-A&S

Certified Cyber Threat Intelligence Analyst and Strategist

A five-day intensive certification that prepares cyber threat intelligence professionals to operate across defense, intelligence, coalition, and enterprise environments, integrating doctrine, structured frameworks, hands-on tooling, and legal guardrails into a single applied curriculum.

Developed by the CSFI Cyber Threat Intelligence Division. Instructor-led, pairing lecture and demonstration with hands-on labs and team exercises across forty instructional hours.

$4,000 per student · 5 Days, 40 Hours · 9 Units · Capstone Certification
Course Overview

Operationalize Cyber Threat Intelligence

The Certified Cyber Threat Intelligence Analyst and Strategist (CCTI-A&S) is a five-day intensive certification developed by the Cyber Security Forum Initiative. It prepares CTI professionals to operate effectively across defense, intelligence community, coalition, and enterprise environments by integrating foundational doctrine, structured analytical frameworks, hands-on tooling proficiency, and legal and policy guardrails into a single applied curriculum.

Nine units unfold across five days. Foundational frameworks come first, followed by requirements management, behavioral analysis, role and stakeholder mapping, technical analysis, and a concluding policy and synthesis capstone. Every day pairs structured lecture and instructor-led demonstration with hands-on labs and team exercises with brief-outs.

Diamond Model · MITRE ATT&CK · ODNI CTF · DISARM

Course at a Glance

  • Tuition: $4,000 per person
  • Duration: 5 Days (40 Hours)
  • Schedule: 08:30 to 17:00 daily
  • Format: Lecture, Lab, Exercise
  • Curriculum: 9 Units
  • Credential: CCTI-A&S Certificate

Government, military, and qualified private sector

Course Objectives

What You Will Be Able to Do

Upon successful completion, participants leave with six capabilities that translate directly into finished intelligence and confident decisions.

01

Structured Analytical Frameworks

Apply the Diamond Model and the Cyber Kill Chain to frame intrusion events and adversary activity into disciplined, defensible analytic judgments.

02

Intelligence Requirements, End to End

Manage requirements across IR, GIR, PIR, and RFI levels, capturing them from stakeholders and using them to drive the full intelligence cycle.

03

Hands-On Analytic Tooling

Conduct analysis with Maltego, the MITRE ATT&CK Navigator, JSON tooling, and OSINT methods against real adversary artifacts and telemetry.

04

ODNI Cyber Threat Framework

Map adversary behavior and analytic outputs to the ODNI Cyber Threat Framework, building timelines and layered, confidence-rated judgments.

05

Influence and Information Operations

Analyze disinformation and influence campaigns using the DISARM Red and Blue taxonomies, from lookalike domains to forged content and amplification.

06

Legal and Policy Guardrails

Navigate authorities, intelligence oversight, classification, and controlled dissemination so intelligence is shared lawfully and responsibly.

Curriculum at a Glance

Nine Units Across Five Days

Foundational frameworks are introduced first, followed by requirements management, behavioral analysis, role and stakeholder mapping, technical analysis, and concluding policy and synthesis.

| Day | Units | Focus Area |
|---|---|---|
| Day 1 | Unit 1 | Foundations of Cyber Threat Intelligence; the Diamond Model; applied analysis labs. |
| Day 2 | Unit 2 | The Cyber Kill Chain; phase-by-phase analyst use; reconnaissance and command-and-control labs. |
| Day 3 | Units 3 & 4 | Intelligence Requirements (IR, GIR, PIR, RFI); Pyramid of Pain, MITRE ATT&CK, and D3FEND. |
| Day 4 | Units 5, 9 & 6 | CTI roles and stakeholders; DISARM framework; ODNI Cyber Threat Framework with the KONNI case. |
| Day 5 | Units 7, 8 & Capstone | JSON for CTI; legal and policy guardrails; course synthesis and the certification capstone. |

The Five-Day Flow

How the Week Builds

Each day builds on the prior day's frameworks and skills, moving from analytical foundations to a full capstone synthesis.

DAY 1 · Establish the Analytical Foundation
Unit 1 · Foundations of CTI

Participants learn the purpose of intelligence, the intelligence cycle, and the Diamond Model, then convert raw artifacts into framed intelligence judgments through four hands-on labs.

  • Purpose of intelligence and the CTI challenge.
  • The intelligence cycle and the TCPED core workflow.
  • The Diamond Model for framing intrusion events.
  • Maltego link analysis lab: Syrian Electronic Army.
  • WhisperGate malware analysis lab applying the Diamond Model.
  • Iranian malware OSINT lab and an EternalBlue PCAP to CTI lab.

DAY 2 · Apply the Adversary Lifecycle
Unit 2 · The Cyber Kill Chain

A full-day, phase-by-phase walkthrough of the seven kill chain phases, anchored in observable evidence and detection opportunities and closing with an ICS scenario.

  • The seven phases of the Cyber Kill Chain and how analysts use each.
  • Reconnaissance: what to look for and where to collect, with a guided lab.
  • Weaponization, delivery, exploitation, installation, and footprint.
  • Command and control: beaconing, tasking, and timing, with an ICMP-tunneling lab.
  • Actions on objectives and mission outcomes.
  • ICS scenario: mapping kill chain phases to defensive priorities.

DAY 3 · Drive Analysis Through Requirements and Behavior
Units 3 & 4 · Requirements and CTI Frameworks

The morning shifts to the demand side of intelligence and capturing requirements from stakeholders; the afternoon delivers behavior-to-technique mapping and detect-focused defensive alignment.

  • Core definitions across IR, GIR, PIR, and RFI.
  • Requirements as the driver of the intelligence cycle.
  • Stakeholder interview exercise and requirements capture lab.
  • Pyramid of Pain and the cost it imposes on the adversary.
  • MITRE ATT&CK Navigator behavior-to-technique mapping and export.
  • ATT&CK to D3FEND defensive mapping using the LoJax rootkit case.

DAY 4 · Map Roles, Taxonomies, and Integrated Frameworks
Units 5, 9 & 6 · Roles, Influence, Frameworks

Three lenses on the same problem space: CTI role and stakeholder mapping, influence-operations analysis with DISARM, and a two-part KONNI lab in the ODNI Cyber Threat Framework.

  • CTI roles, stakeholders, and the primary outputs teams deliver.
  • Predictive threat warning, threat awareness, and support to security operations.
  • The DISARM framework applied to the Doppelganger campaign.
  • Lookalike domains, forged content, and capturing IOCs to IONs.
  • The ODNI Cyber Threat Framework and its four-layer structure.
  • KONNI case lab: build an attack timeline and populate the model with confidence.

DAY 5 · Build Technical Proficiency, Governance, and Synthesis
Units 7, 8 & Capstone · JSON, Policy, Synthesis

The morning develops JSON literacy for CTI; the afternoon covers legal and policy guardrails and closes with a DoD enclave exercise, full capstone synthesis, and certification preparation.

  • JSON fundamentals and a rapid reading method applied to a KONNI sample.
  • Lab: IOC extraction from JSON with group validation.
  • Lab: identify a persistence mechanism from JSON telemetry.
  • Title 10, Title 50, and Title 18 authorities and the authority check before sharing.
  • Intelligence oversight, classification, CAPCO controls, CUI vs. TLP, and tear lines.
  • DoD enclave compromise exercise, capstone synthesis, and certification prep.

Frameworks & Tools

The Tradecraft You Will Apply

CCTI-A&S is built around the frameworks and tools that working CTI teams rely on every day, applied to real adversary cases throughout the week.

Diamond Model

Framing intrusion events across adversary, capability, infrastructure, and victim.

Cyber Kill Chain

The seven-phase adversary lifecycle, from reconnaissance to actions on objectives.

Pyramid of Pain

Prioritizing indicators by the cost they impose on the adversary.

MITRE ATT&CK

Behavior-to-technique mapping and analysis in the ATT&CK Navigator.

D3FEND

Aligning detections and countermeasures to observed adversary techniques.

ODNI Cyber Threat Framework

A four-layer model for structured, confidence-rated analytic judgments.

DISARM

Red and Blue taxonomies for influence and information operations analysis.

Maltego & OSINT

Link analysis and open-source collection against real-world artifacts.

JSON for CTI

Rapid reading and IOC extraction from structured telemetry and reporting.

Legal & Policy Guardrails

Authorities, oversight, markings, and controlled dissemination.

Intended Audience

Who Should Attend

The curriculum serves government, military, and qualified private sector practitioners alike. It is designed for those who need to integrate cyber threat intelligence into real decisions, products, and workflows.

  • Mid-career cyber threat intelligence analysts.
  • All-source intelligence professionals transitioning into cyber.
  • Security operations personnel moving into intelligence roles.
  • Joint and coalition cyber operators.
  • Cyber strategists supporting defense and federal civilian organizations.

Prerequisites

Participants should arrive with:

  • A foundational understanding of cybersecurity concepts.
  • Basic familiarity with network defense.
  • An active operational or analytical need to integrate CTI into decisions, products, or workflows.
Certification

A Credential Built on Tradecraft

The Certified Cyber Threat Intelligence Analyst and Strategist credential is awarded on successful completion of the five-day program and its capstone. It reflects CSFI's commitment to producing intelligence professionals who can apply rigorous analytic tradecraft, operate confidently within legal and policy guardrails, and translate technical observation into actionable intelligence judgments.

CCTI-A&S is developed and delivered by the CSFI Cyber Threat Intelligence Division, which builds advanced cyber threat intelligence and cyberspace operations curricula for the United States Department of Defense, the Intelligence Community, federal civilian agencies, allied and coalition partners, and qualified private sector practitioners.

Enroll

Reserve Your Seat

Tell us about yourself and your mission. A member of the CSFI team will follow up with scheduling, pricing, and enrollment details for CCTI-A&S.

By submitting, you agree to be contacted about CCTI-A&S. All applications are subject to screening (see notice below).

Notice
CSFI is an independent nonprofit incorporated in Nebraska and based in Omaha. CSFI is not affiliated with, and does not represent, the U.S. Government (including the Intelligence Community) or any foreign government. CSFI will not provide services where prohibited, or where authorization is required under ITAR/DDTC, EAR/BIS, or OFAC, unless obtained. CSFI may screen participants and may, in its sole discretion and as permitted by law, deny, refuse, limit, suspend, or terminate participation, consistent with non-discrimination laws.