EC-Council CTIA Module 1.1 Practice Test 002

This practice test covers Module 1 (Introduction to Threat Intelligence) Sub-module 1 (Intelligence).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Practice Test of the Day 260528

10 questions • Single best answer

Question 1

A security operations manager at a regional power utility receives an automated feed of 50,000 flagged IP addresses from a commercial provider and immediately routes the raw list to the firewall team for direct implementation. Which fundamental limitation does this approach demonstrate?

A. The manager is applying operational intelligence when technical intelligence is more appropriate for firewall use cases B. Unprocessed feeds without analysis or contextualization are raw threat data — acting on them without validation or adversary context risks false positives and misses the intent behind the indicators C. Commercial IP feeds are not recognized as valid data sources for enterprise security programs D. Firewall teams are not authorized to receive threat intelligence directly without CISO approval

Question 2

A CTI team distributes three weekly products. The first covers geopolitical actor motivations for the board. The second describes adversary TTPs for IR and SOC teams. The third delivers malware hashes, C2 IP addresses, and YARA rules formatted for direct ingestion into security tools. Which best describes the third product?

A. Strategic intelligence — it informs long-term investment decisions at the executive level B. Operational intelligence — it provides campaign-level context for security planning C. Tactical intelligence — it maps adversary techniques to specific defensive procedures D. Technical intelligence — it consists of machine-consumable IoCs and signatures used directly in detection and blocking systems

Question 3

A CISO at a national telecommunications company is creating a job description for a senior CTI analyst role. The posting must clearly distinguish the position from a general SOC analyst. Which responsibility best defines the CTI analyst function?

A. Monitoring and triaging real-time security event alerts generated by SIEM platforms B. Producing finished intelligence products that contextualize adversary behavior and support informed security decision-making across the organization C. Managing firewall rule sets and configuring network access control policies D. Remediating software vulnerabilities identified during penetration tests and security assessments

Question 4

An intelligence team at a regional bank is finalizing its distribution list for a newly launched CTI program. Their geopolitical threat landscape report covers adversary motivations, sector-level risk trends, and long-term security investment recommendations. Who is the primary intended audience for this type of intelligence product?

A. Tier-1 SOC analysts conducting real-time alert triage on the security operations floor B. Malware reverse engineers analyzing code samples in the forensics lab C. Executive leadership and board-level decision makers D. Network engineers maintaining perimeter firewall rules and VPN configurations

Question 5

A CTI analyst receives raw honeypot logs, dark web forum scrapes, and commercial feed data. She filters irrelevant noise, correlates patterns across all three sources, and authors a report documenting an emerging threat actor campaign with recommended defensive countermeasures. What has she completed?

A. A passive DNS collection exercise producing raw records for archival B. A vulnerability disclosure report submitted to the affected software vendor C. Bulk threat data collection and storage for future use by the analysis team D. The intelligence production process, resulting in a finished intelligence product ready for dissemination

Question 6

A CISO at an insurance company is presenting to the board about the value of building a CTI capability. She contrasts it with the existing perimeter-defense and signature-based detection approach. Which statement best articulates the primary advantage CTI offers over traditional reactive security methods?

A. CTI replaces firewalls, endpoint security tools, and SIEMs with intelligence-driven automation platforms B. CTI enables adversary-focused, proactive defense — providing context about who is targeting the organization, why, and how — before attacks succeed rather than only after detection C. CTI primarily accelerates the patch management lifecycle by automating vulnerability prioritization D. CTI eliminates insider threat risk by monitoring all employee behavioral patterns continuously

Question 7

A CTI program manager assesses her team: analysts produce reports only when incidents occur, no formal requirements process exists, collection is unplanned and source-driven, and consumer feedback is never gathered. Which maturity level best characterizes this CTI program?

A. Optimized — processes are automated and continuously improved through performance metrics B. Defined — collection plans and stakeholder requirements are formally documented and followed C. Initial/Ad Hoc — intelligence is produced reactively with no standardized or repeatable processes D. Managed — KPIs and performance baselines govern the quality of all intelligence activities

Question 8

A CTI team receives a report indicating a ransomware group is planning a campaign against North American retail organizations during the upcoming holiday shopping season, including victim selection criteria, initial access methods, and the geographic region targeted. A SOC lead uses this to pre-position monitoring. Which intelligence type does this represent?

A. Technical intelligence — it provides IoC-level data formatted for direct security tool ingestion B. Strategic intelligence — it addresses industry-level risk trends intended for executive decision-making C. Tactical intelligence — it maps individual adversary techniques to specific defensive security controls D. Operational intelligence — it describes campaign-level targeting, timing, and adversary planning relevant to near-term defensive preparation

Question 9

A newly appointed CTI director at a logistics company begins by documenting the organization's critical assets, identifying which threat actors target the sector, gathering intelligence requirements from business and IT stakeholders, and building a consumer feedback process. What is she developing?

A. An incident response plan for handling ransomware and data breach events B. A penetration testing scope and rules of engagement document C. A threat intelligence strategy aligned to organizational risk and stakeholder requirements D. A security operations runbook for Tier-2 SOC analyst workflows

Question 10

A CTI team lead at a global pharmaceutical company is overwhelmed with intelligence requests from IT, legal, executive staff, and procurement. She establishes a formal prioritization framework to determine which topics receive the most analytical resources. What concept should anchor this framework?

A. The volume of open-source reporting available on each threat actor or campaign B. The CTI team's existing tooling capabilities and current data source coverage C. The frequency of CVE disclosures affecting the organization's technology stack D. Key Intelligence Requirements derived from organizational risk priorities and stakeholder decision-making needs

EC-Council CTIA Module 1.1 Practice Test 002

Related Posts

Leave a Comment Cancel Reply