EC-Council CTIA Module 1.5 Practice Test 001

This practice test covers Module 1 (Introduction to Threat Intelligence) Sub-module 5 (Threat Intelligence in the Cloud Environment).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 1.5 Practice Test 001

10 questions • Single best answer

Question 1

A CTI analyst at a cloud-native e-commerce company is building the organization's first threat intelligence capability. When comparing cloud environments to traditional on-premise infrastructure, which characteristic most significantly complicates continuous threat intelligence collection in the cloud?

A. Cloud providers do not publish threat intelligence reports or security research B. Ephemeral compute resources, API-driven architectures, and shared tenancy create visibility gaps not present in static on-premise environments C. Cloud environments generate fewer threat events because they are inherently more secure than on-premise deployments D. Threat intelligence platforms are architecturally incompatible with cloud-hosted security tooling

Question 2

A threat intelligence engineer at a financial services company migrating workloads to AWS is defining the scope of internal CTI monitoring. Under the cloud shared responsibility model for IaaS, which security layer remains the customer's primary responsibility and thus the primary focus of the CTI program?

A. Physical data center security and hypervisor integrity B. Customer data, identity and access management, applications, and OS-level controls C. Network backbone infrastructure and inter-region routing security D. Cloud provider API security and managed service patching

Question 3

A SOC analyst at a healthcare system recently migrated critical workloads to AWS. The security team needs continuous, ML-driven threat detection that analyzes CloudTrail logs, VPC Flow Logs, and DNS query logs for anomalous activity without requiring the team to manage detection infrastructure. Which AWS-native service meets this requirement?

A. AWS Config B. AWS GuardDuty C. AWS Inspector D. AWS CloudWatch

Question 4

During a cloud incident investigation, a CTI analyst at a global logistics company determines that attackers obtained AWS access keys from a publicly exposed GitHub repository, provisioned hundreds of EC2 instances across multiple regions, and deployed cryptocurrency mining software at scale. Which threat actor motivation best characterizes this campaign?

A. Espionage — collecting and exfiltrating sensitive business data for competitive advantage B. Financial gain — leveraging hijacked cloud compute resources for unauthorized cryptomining C. Disruption — degrading cloud service availability through deliberate resource exhaustion D. Hacktivism — making a public statement through defacement of cloud-hosted web properties

Question 5

A threat intelligence lead at a multinational manufacturing company oversees CTI operations across AWS, Azure, and GCP. She is documenting the primary challenge unique to multi-cloud threat intelligence operations. Which challenge is most distinct to multi-cloud architectures compared to single-cloud or on-premise deployments?

A. The absence of STIX/TAXII support in cloud-native threat intelligence tooling B. Inconsistent telemetry formats, proprietary logging schemas, and fragmented visibility across cloud providers C. The inability to integrate commercial threat intelligence feeds into cloud-hosted security platforms D. Cloud providers blocking third-party security tool integrations to eliminate competitive alternatives

Question 6

A cloud security architect at an insurance company is designing threat intelligence integration for containerized workloads running in Kubernetes on GCP. The team needs runtime threat detection, vulnerability scanning, and TI feed integration specifically for cloud workloads. Which platform category is best suited for this requirement?

A. Web Application Firewall (WAF) B. Cloud Workload Protection Platform (CWPP) C. Database Activity Monitor (DAM) D. Security Information and Event Management (SIEM)

Question 7

A CTI analyst at a professional services firm is asked to improve threat intelligence coverage for the company's SaaS portfolio, including Microsoft 365 and Salesforce. The team needs visibility into user behavior anomalies, unauthorized data access, and shadow IT usage across these platforms. Which tool provides the most direct source of SaaS-specific threat intelligence?

A. A network-based intrusion prevention system (IPS) at the corporate perimeter B. A Cloud Access Security Broker (CASB) C. A host-based intrusion detection system (HIDS) deployed on managed endpoints D. A data loss prevention (DLP) agent running on managed employee devices

Question 8

A cloud security manager at an energy company wants a capability that continuously identifies misconfigurations, policy deviations, and security risks in Azure resource configurations — feeding the CTI team with proactive exposure context before attackers can exploit them. Which tool category directly serves this function?

A. Cloud Workload Protection Platform (CWPP) B. Cloud Security Posture Management (CSPM) C. Security Orchestration, Automation, and Response (SOAR) D. Threat Intelligence Platform (TIP)

Question 9

A threat intelligence analyst at a SaaS technology startup is building a cloud-native data collection plan for their AWS-hosted environment. She is identifying telemetry sources that provide threat-relevant signals for the CTI program. Which of the following represents a cloud-native AWS data source for threat intelligence collection?

A. Syslog streams exported from on-premise network switches and firewalls B. AWS CloudTrail API activity logs and VPC Flow Logs C. Windows Event Logs collected from on-premise Active Directory domain controllers D. NetFlow records captured from physical perimeter edge routers

Question 10

A threat intelligence lead at a global technology company is briefing the cloud security architecture team on adapting the Threat Intelligence Lifecycle for cloud operations. She explains that one phase requires the most significant adaptation because cloud environments change continuously and intelligence becomes stale far faster than in static on-premise environments. Which lifecycle phase requires the most significant re-engineering for cloud-speed operations?

A. Direction — defining intelligence requirements specific to cloud threat scenarios B. Collection — gathering cloud-native telemetry from ephemeral and auto-scaling resources in near-real time C. Dissemination — delivering finished intelligence reports to cloud security stakeholders D. Feedback — soliciting consumer input on intelligence quality after each reporting cycle

EC-Council CTIA Module 1.5 Practice Test 001

Related Posts

Leave a Comment Cancel Reply