EC-Council CTIA Module 1.3 Practice Test 001

This practice test covers Module 1 (Introduction to Threat Intelligence) Sub-module 3 (Threat Intelligence Lifecycle and Frameworks).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 1.3 Practice Test 001

10 questions • Single best answer

Question 1

A threat intelligence lead at a regional healthcare network is orienting new analysts to the CTI program. She asks them to place the lifecycle phases in the correct order before they begin their first project. Which sequence correctly represents the Threat Intelligence Lifecycle?

A. Collection → Processing → Direction → Analysis → Dissemination → Feedback B. Direction → Collection → Processing → Analysis → Dissemination → Feedback C. Analysis → Collection → Direction → Dissemination → Processing → Feedback D. Processing → Direction → Collection → Analysis → Feedback → Dissemination

Question 2

A CTI analyst at a large retail organization is meeting with business stakeholders before beginning a new intelligence cycle. The team documents Priority Intelligence Requirements (PIRs) and defines the scope of collection. This best describes which phase of the Threat Intelligence Lifecycle?

A. Dissemination B. Processing C. Analysis D. Direction

Question 3

A CTI team receives raw feeds from multiple vendors containing STIX bundles, CSV threat lists, and unstructured PDF reports. Before analysis can begin, analysts convert all data into a normalized, structured format compatible with their TIP. This step represents which lifecycle phase?

A. Collection B. Processing C. Analysis D. Dissemination

Question 4

A government agency CTI analyst has processed a large dataset of network indicators tied to a suspected nation-state campaign. She applies structured analytic techniques to assess adversary capability, intent, and likely next steps. Which lifecycle phase is she performing?

A. Collection B. Direction C. Dissemination D. Analysis

Question 5

A CTI team at an insurance company has completed its analysis of a ransomware campaign. The team lead determines that findings should be formatted as a technical advisory for the SOC and an executive summary for the CISO. Distributing these tailored products represents which lifecycle phase?

A. Analysis B. Feedback C. Processing D. Dissemination

Question 6

After delivering a threat landscape report, a CTI analyst at a cloud services provider surveys the security operations team to determine whether the report addressed their needs and whether new intelligence requirements should be incorporated into the next cycle. This activity represents which lifecycle phase?

A. Direction B. Collection C. Dissemination D. Feedback

Question 7

A CTI analyst supporting a military cyber operations team uses a framework that begins by identifying high-value targets, locating them within adversary infrastructure, and then actioning intelligence through a continuous operational loop. Which threat intelligence framework does this describe?

A. MITRE ATT&CK B. Diamond Model of Intrusion Analysis C. F3EAD D. Cyber Kill Chain

Question 8

An assessor evaluating a financial firm's CTI program finds that the team collects threat feeds and generates ad-hoc reports, but has no repeatable processes, formal intelligence requirements, or automation in place. The assessor places the program at the lowest tier of the CTI Maturity Model. What best characterizes this maturity level?

A. Intelligence is proactively shared with industry peers and sector-specific ISACs. B. Collection and reporting are reactive and informal, with no structured lifecycle in place. C. Threat intelligence is fully integrated into security controls and automated across the enterprise. D. The program has a documented intelligence strategy aligned with measurable business risk objectives.

Question 9

A CISO at an energy sector company tasks the CTI lead with formalizing the intelligence program. The lead defines which threats are most relevant to the organization, which stakeholders will consume intelligence products, and how intelligence activities will align with risk management objectives. What is the CTI lead developing?

A. A threat intelligence collection plan B. A threat intelligence sharing agreement C. A threat intelligence report template D. A threat intelligence strategy

Question 10

A CTI analyst notes that her organization uses a six-phase framework with a Feedback loop, while a colleague from a defense background prefers a framework oriented around target development and continuous operational action cycles. Which pair of frameworks best describes these two approaches?

A. Diamond Model and MITRE ATT&CK B. Cyber Kill Chain and STIX/TAXII C. Threat Intelligence Lifecycle and F3EAD D. MITRE ATT&CK and the Pyramid of Pain

EC-Council CTIA Module 1.3 Practice Test 001

Related Posts

Leave a Comment Cancel Reply