EC-Council CTIA Module 1.3 Practice Test 002

This practice test covers Module 1 (Introduction to Threat Intelligence) Sub-module 3 (Intelligence Lifecycle and Frameworks).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Practice Test of the Day 260528

10 questions • Single best answer

Question 1

A CTI program manager at a government defense contractor is launching a new intelligence cycle. Before any data is collected, she convenes meetings with stakeholders from operations, legal, and IT leadership to formally document the specific threat questions they need answered. Which phase of the threat intelligence lifecycle does this activity represent?

A. Collection — gathering raw intelligence from internal sensors and external sources B. Processing — normalizing and structuring raw data for analyst review C. Direction — defining intelligence requirements that guide all subsequent lifecycle phases D. Dissemination — distributing finished intelligence to appropriate consumers

Question 2

A CTI team has finalized its Priority Intelligence Requirements for a new campaign tracking project. They now identify which commercial feeds, OSINT repositories, ISAC reports, and internal sensor data will be used to answer each specific requirement. Which lifecycle phase are they executing?

A. Analysis — correlating data from multiple sources to produce intelligence findings B. Processing — filtering and normalizing raw data for analyst review C. Collection — identifying and activating sources to gather intelligence against defined requirements D. Direction — establishing the intelligence program's requirements and scope

Question 3

A CTI analyst downloads raw threat feeds containing duplicate entries, mismatched timestamps, and inconsistent formats across vendors. Before handing data to the analysis team, she deduplicates records, standardizes date fields, and converts all feeds into a uniform schema. Which lifecycle phase does this represent?

A. Collection — gathering threat data from external and internal sources B. Analysis — interpreting patterns across multiple data sets to produce intelligence findings C. Direction — defining the required data format standards before collection begins D. Processing — transforming raw collected data into a clean, consistent format suitable for analyst review

Question 4

A CTI analyst reviews normalized threat data and applies Analysis of Competing Hypotheses (ACH) to evaluate three possible threat actor attributions. She assesses each hypothesis against available evidence, eliminates inconsistent options, and documents a confidence-rated conclusion in a formal intelligence assessment. Which lifecycle phase best describes this work?

A. Collection — gathering raw data from identified intelligence sources B. Processing — preparing raw data into clean formats for analyst consumption C. Analysis — interpreting evidence and applying structured techniques to produce finished intelligence with context and confidence ratings D. Dissemination — distributing the finished intelligence assessment to stakeholders

Question 5

A CTI lead prepares a finished threat actor report. Before releasing it, she selects format by audience — a PDF executive brief for the CISO, a JSON STIX feed for the SIEM team — determines timing, and applies TLP markings to govern how each recipient may share the content. Which lifecycle phase does this represent?

A. Direction — defining intelligence requirements and target consumer needs before collection begins B. Analysis — contextualizing and interpreting threat data to produce finished intelligence C. Dissemination — delivering finished intelligence to the right consumer in the appropriate format with handling guidance D. Feedback — gathering consumer assessments of intelligence quality and relevance

Question 6

After distributing a quarterly threat assessment, a CTI team sends a structured survey to consuming teams asking whether the intelligence was timely, relevant, detailed enough, and actionable for their roles. They use responses to adjust collection priorities and report formats for the next cycle. Which lifecycle phase does this represent?

A. Direction — establishing intelligence requirements at the start of a new cycle B. Dissemination — delivering intelligence products to stakeholder audiences C. Processing — cleaning and normalizing collected data before analysis D. Feedback — capturing consumer input to close the cycle and improve future intelligence production

Question 7

A CTI team lead is formalizing what her team will track, which threat actors they will monitor, and which attack vectors to prioritize collection on. She documents these as formally approved intelligence gap statements that will drive the team's analytical focus for the quarter. What are these formally called in intelligence practice?

A. Key Performance Indicators (KPIs) used to measure CTI program output volume B. Priority Intelligence Requirements (PIRs) — formally defined intelligence gaps and questions that guide collection and analysis toward the organization's most critical decision needs C. Indicators of Compromise (IoCs) representing specific artifacts of observed adversary activity D. Rules of Engagement (RoE) governing how intelligence may be shared with external partners

Question 8

A CTI manager is selecting an analytical framework for her team. One option is a military-derived targeting cycle using six steps: Find, Fix, Finish, Exploit, Analyze, Disseminate. Another maps real-world adversary behaviors across tactic categories and specific techniques observed in enterprise environments. For enterprise CTI analysis and detection engineering, which framework provides more operational specificity?

A. The F3EAD targeting cycle — it provides the most comprehensive adversary behavior taxonomy for enterprise environments B. MITRE ATT&CK — it maps real-world observed adversary tactics and techniques to enterprise environments with high operational specificity, enabling detection coverage analysis and adversary emulation C. The Diamond Model — it provides the most complete technique taxonomy with sub-technique breakdowns for enterprise detection D. The Cyber Kill Chain — it offers the most granular stage-by-stage sub-technique breakdown across the entire attack lifecycle

Question 9

A CTI team lead notices analysts are collecting data based on personal interest, producing intelligence that key consumers call irrelevant, and never updating work based on consumer input. She decides to implement the full threat intelligence lifecycle. Which core problem does formalizing the complete lifecycle primarily address?

A. It enables analysts to collect data faster using automated ingestion pipelines and API-connected feeds B. It ensures intelligence production remains consistently aligned to organizational needs — from formally defined requirements through collection, analysis, dissemination, and feedback — rather than being driven by analyst preference C. It eliminates the need for formal external intelligence sharing partnerships and information exchange agreements D. It automatically generates IoC feeds and SIEM detection rules without requiring manual analyst effort

Question 10

After distributing several intelligence products, a CTI lead learns that 60% of consumers found reports too technical for their roles, 30% found them insufficiently detailed, and 10% received intelligence they lacked authority to act on. Which lifecycle phases were most poorly executed to produce these specific distribution mismatches?

A. Collection and processing — the wrong sources were used and raw data was not properly normalized B. Collection and analysis — competitive hypothesis testing was not applied and source coverage was insufficient C. Analysis and processing — finished intelligence was incomplete due to raw data quality failures D. Direction and dissemination — inadequate consumer requirements gathering and audience-mapping led to intelligence products misaligned in depth, format, and authorization to their recipients

EC-Council CTIA Module 1.3 Practice Test 002

Related Posts

Leave a Comment Cancel Reply