EC-Council CTIA Module 1.1 Practice Test 001

This practice test covers Module 1 (Introduction to Threat Intelligence) Sub-module 1 (Intelligence).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 1.1 Practice Test 001

10 questions • Single best answer

Question 1

A CTI program manager at a global manufacturing company is onboarding new analysts. She explains that raw event logs and IP addresses collected from sensors do not yet constitute intelligence. What distinguishes threat intelligence from threat data?

A. Threat intelligence is machine-readable and structured, while threat data is human-readable and unstructured. B. Threat intelligence is analyzed, contextualized, and actionable information derived from processed threat data. C. Threat intelligence refers only to information gathered from classified government sources. D. Threat intelligence is another term for threat data enriched with geolocation metadata.

Question 2

A SOC analyst at a financial institution receives a high-priority alert and needs to act immediately to block an active intrusion. The CTI team provides firewall rules and malicious IP lists derived from the ongoing attack. What type of threat intelligence is being provided?

A. Strategic intelligence B. Operational intelligence C. Tactical intelligence D. Technical intelligence

Question 3

An executive team at a healthcare provider requests a briefing to understand the broader cyberthreat landscape and how nation-state actors might impact their industry over the next 12 months. Which type of threat intelligence best serves this audience?

A. Technical intelligence B. Tactical intelligence C. Strategic intelligence D. Operational intelligence

Question 4

A threat intelligence analyst is documenting the responsibilities of her role for a new hire orientation guide. Which of the following tasks is most accurately aligned with the core responsibility of a cyber threat analyst?

A. Configuring firewall rules and updating IDS signatures based on vendor advisories B. Collecting, analyzing, and disseminating intelligence to support organizational security decisions C. Conducting penetration tests to identify exploitable vulnerabilities in production systems D. Managing SIEM dashboards and responding to tier-1 security alerts in real time

Question 5

A risk committee at a regional bank compares their current reactive, signature-based detection model to a threat intelligence-driven approach. What is the primary advantage of a threat intelligence-led security model over traditional cybersecurity approaches?

A. It eliminates the need for endpoint detection tools by replacing them with threat feeds. B. It enables proactive defense by providing context on adversary intent, capabilities, and likely targets before attacks occur. C. It reduces the number of security analysts needed by automating all threat response workflows. D. It focuses exclusively on known malware families identified through antivirus signature databases.

Question 6

An intelligence team at a government agency is asked to explain who should consume different types of threat intelligence. A senior analyst notes that operational intelligence is often confused with tactical intelligence. Who is the primary consumer of operational threat intelligence?

A. C-suite executives and board members making long-term investment decisions B. Intrusion detection systems and SIEM platforms ingesting automated threat feeds C. Security managers and incident response teams planning responses to specific adversary campaigns D. Threat hunters conducting hypothesis-driven investigations across endpoint telemetry

Question 7

A CTI team lead at an MSSP is formalizing the organization's intelligence workflow. She wants to ensure that intelligence is consistently planned, collected, processed, analyzed, disseminated, and reviewed. Which framework describes this end-to-end intelligence production process?

A. The Cyber Kill Chain B. The Threat Intelligence Lifecycle C. The MITRE ATT&CK Framework D. The Diamond Model of Intrusion Analysis

Question 8

A threat intelligence manager at a cloud services company is developing a multi-year roadmap for her CTI program. She wants to align intelligence production to business objectives and ensure resources are focused on the most relevant threats. What is the primary purpose of a threat intelligence strategy?

A. To define the tools and vendors the CTI team will use for data collection and storage B. To document the specific indicators of compromise the team will track on a daily basis C. To establish the goals, scope, priorities, and direction of the threat intelligence program aligned to organizational objectives D. To set response time SLAs for the SOC when handling intelligence-derived alerts

Question 9

A newly hired threat intelligence analyst at a critical infrastructure firm asks her manager what differentiates intelligence from raw security data. Her manager explains using a three-tier hierarchy. Which statement correctly represents the relationship between data, information, and intelligence in a CTI context?

A. Data is analyzed intelligence that has been validated; information is raw and unprocessed. B. Intelligence is raw and unprocessed; data is analyzed and contextualized for decision-making. C. Data is raw and unprocessed; information is processed data; intelligence is analyzed information made actionable. D. Information and intelligence are interchangeable terms representing the same level of analysis.

Question 10

An MSSP is evaluating the maturity of its threat intelligence capabilities. The team collects threat feeds and produces ad hoc reports but lacks a repeatable process or program governance structure. According to the Threat Intelligence Maturity Model, which level best describes this program?

A. Optimized — the program continuously improves based on lessons learned and defined metrics B. Managed — the program has documented processes and measurable performance indicators C. Initial — the program is reactive and relies on ad hoc, undocumented processes D. Integrated — the program feeds intelligence directly into SIEM and SOAR platforms automatically

EC-Council CTIA Module 1.1 Practice Test 001

Related Posts

Leave a Comment Cancel Reply