The dedicated cyber-threat-intelligence credential. Strategic, operational and tactical intel — collection, analysis, dissemination, dark-web monitoring and intel-driven hunting.
⏱ Duration: 3 days / 24 hrs
💻 Format: Instructor-Led + Intel Range
🌐 Delivery: On-site · Virtual · Hybrid
✅ Pass rate: 92%
📅 Next intake: 26 May 2026
🕵️
Strategic & operational intel
Cyber Kill Chain, Diamond Model, F3EAD process applied
🌐
Collection & sources
OSINT, dark-web, sectoral ISACs, vendor and government feeds
📝
Analysis & writing
Production of reports that survive board, exec and analyst readers
🔍
Intel-driven hunting
Translate finished intel into hunting hypotheses and detection rules
What this course is
Where threat intel stops being a buzzword.
CTIA is the dedicated cyber-threat-intelligence credential. It validates the full intelligence lifecycle — planning, collection, processing, analysis, dissemination and feedback — mapped to the technical reality of running an in-house intel team or function.
At Nexperts, CTIA is delivered on our Intel Range — a working environment with simulated dark-web sources, OSINT pivots, MISP, an internal CMS and a stream of real (anonymised) intel reports. By day 3 you've produced four finished intel products of different audience tiers.
Threat intel without action is gossip. CTIA teaches the discipline that turns raw signals into decisions, hunts and detections.
The 2026 CTIA objectives sharpened the focus on dark-web monitoring, ransomware-affiliate tracking, supply-chain threat intel and AI-augmented intel triage. We cover all four with hands-on labs.
Who should take this course
🕵️
Existing SOC analysts
Wanting to step up to the senior tier and add intel to your skill stack.
🔐
Threat hunters
Already hunting but want a formal intel framework to drive hypotheses.
📚
Intel team members
On a corporate or MSSP intel team. CTIA is the formal credential.
💼
Security managers
Owning an intel function. CTIA gives you the language and the operational lens.
🌟
CSA / CHFI / CySA+ holders
Natural progression. CTIA stacks cleanly on operational SOC credentials.
🌟
Threat-intel consultants
Working independently or for a specialist firm. CTIA is the standard.
Prerequisites
✓ 2–3 years in cybersecurity operations (SOC, IR, hunt, vuln management)
✓ Comfortable reading logs, alerts and detection rules
✓ Familiarity with MITRE ATT&CK at intermediate level
✓ Willingness to write — intel is a writing discipline
→ Don't have CSA or CySA+? Not strictly required, but recommended for context.
Course Curriculum
Four domains. One intel discipline.
CTIA is structured into Intelligence Lifecycle, Data Collection, Analysis & Production, and Dissemination & Operationalisation. We deliver in lifecycle order, so you produce a finished intel product on day 1.
Hands-On Intel Range
9 intel sprints. Real sources & writing.
The Nexperts Intel Range simulates dark-web sources, OSINT pivots and an internal MISP. You produce real intel artefacts that an MSSP would actually deliver to a client.
01
KIQ Definition Workshop
Define Key Intelligence Questions for an MY financial-services target.
Planning
02
OSINT Collection Sprint
Run 90 minutes of disciplined OSINT on a target threat actor.
Collection
03
Dark-Web Monitoring
Set up monitoring on simulated dark-web sources for ransomware leak data.
Collection
04
ACH Analysis
Run a structured Analysis of Competing Hypotheses on a real (anonymised) intrusion.
Analysis
05
Threat Actor Profile
Build a threat-actor profile under the Diamond Model framework.
Analysis
06
Finished Intel Production
Produce a finished intel report — BLUF, exec summary, body, recs.
Production
07
Audience Adaptation
Take one finished intel. Adapt for board, exec, ops and analyst audiences.
Dissemination
08
MISP Operationalisation
Push intel into MISP. Generate STIX. Push to a downstream SIEM.
Tooling
09
Intel-Driven Hunt Plan
Translate finished intel into 5 detection rules and 3 hunting hypotheses.
Operations
+ 11 micro-tasks. All produced intel reviewed for tradecraft by a working intel analyst.
Exam Information
One exam. Heavy on tradecraft.
CTIA is delivered as a 2-hour exam with 50 questions. Items emphasise tradecraft — the disciplined judgement that distinguishes good intel from gossip. Most candidates fail on the tradecraft items, not the recall.
EC-Council CTIA Exam
Questions: 50 (MCQ + tradecraft scenarios)
Duration: 2 hours
Passing score: 70%
Format: ECC Exam Center / online proctored
Validity: 3 years (CE renewal)
Industry avg pass rate: ~73% first attempt
Nexperts pass rate: 92% first attempt
Tradecraft Drill
Drill length: 3-hour structured drill
Format: Whiteboard — you analyse, peers challenge
Items practised: 15 tradecraft scenarios
Common gotchas: Confusing observation with assessment
Strategy: Identify the bias before the answer
Outcome: Tradecraft score uplift averages +20%
Walkthrough: Past scenario archive provided
Our 3-Mock Programme
01
Diagnostic Mock
End of day 1. Sets the baseline. Average score: 62%.
02
Tradecraft Mock
Mid-course. 60% tradecraft items. Average score: 74%.
03
Final Clearance
Full timed simulation. 80%+ before we book. Average score: 86%.
Pass Rate
92% of our CTIA candidates pass on first attempt.
The EC-Council global first-attempt rate for CTIA sits around 73%. We hit 92% by treating it as a tradecraft exam, drilling structured-analytic techniques and gating booking on a clearance mock.
Real Intel Range · Working analyst instructor · 92% first attempt · Free retake voucher · Bridge to senior intel
Why our pass rate is 92%
Industry average: ~73%
Most candidates revise terminology but never produce a finished intel report under tradecraft review. The exam tests tradecraft and they walk in untested.
Nexperts: 92%
We produce real intel artefacts. We run ACH on real intrusions. We critique under tradecraft review. By exam day, the discipline is muscle memory.
Your Threat Intel Path
CTIA opens senior intel and hunting.
CTIA stacks naturally with CSA (SOC), CHFI (forensics), CISM (governance) or CCISO (executive). Most graduates pivot into senior intel or threat-hunting roles within 12 months.
Before this
CSA or CySA+ (helpful)
Operational SOC experience helps. Not strictly required.
Expected salary range after CTIA: RM 8,500 – RM 14,500/month for threat intelligence and senior hunt roles in MY MSSPs and enterprises.
Student Reviews
What our CTIA graduates say.
4.8
★★★★★
86 reviews
5★: 83%
4★: 14%
3★: 3%
★★★★★
"Best intel course in MY by a country mile. The Intel Range and the dark-web monitoring labs are unique. Got promoted to senior intel analyst three months after."
DA
Daniel Aaron
Senior Threat Intel Analyst · Maybank
✓ Passed first attempt
★★★★★
"ACH analysis sprint changed how I look at every alert. The discipline behind 'good intel vs gossip' is genuinely teachable, and Nexperts teaches it."
RR
Rashidah Roslan
Threat Intel Lead · PETRONAS
✓ Passed first attempt
★★★★
"Coming from SOC L2. CTIA was the credential and the bridge into our intel team. The audience-adaptation lab is what got me an internal transfer."
KW
Khairul Wahab
Threat Hunter · NTT MY
✓ Passed first attempt
★★★★★
"The MISP / STIX operationalisation lab tied everything together. We're building an intel function at my company and I now own that workstream entirely."
SS
Saraswathi Subramanian
Cyber Intel Manager · RHB
✓ Passed first attempt