EC-Council CTIA Module 3.7 Practice Test 001

This practice test covers Module 3 (Requirements, Planning, Direction, and Review) Sub-module 7 (Review Threat Intelligence Program).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Practice Test of the Day 260525

10 questions • Single best answer

Question 1

A threat intelligence program manager at a regional energy utility conducts a scheduled program review and finds that intelligence products consistently reach operational teams too late to act on. Which program element should she prioritize adjusting to resolve this gap?

A. Intelligence collection sources and feed subscriptions B. Dissemination timelines and intelligence delivery cadence C. Threat actor attribution methodology and confidence scoring D. Number of analysts assigned to strategic reporting functions

Question 2

A CTI program manager is selecting KPIs to evaluate whether the threat intelligence program is improving defensive outcomes. Which metric most directly demonstrates that intelligence is reducing organizational risk?

A. Number of threat intelligence reports published per quarter B. Percentage of external threat feeds actively subscribed to C. Mean time to detect (MTTD) reduction attributable to actionable intelligence D. Percentage of intelligence requirements fulfilled by the collection plan

Question 3

An intelligence lead at a critical infrastructure provider is preparing for a threat intelligence-led engagement review. A junior analyst asks what distinguishes this type of review from a standard program audit. What is the primary purpose of a threat intelligence-led engagement review?

A. To validate threat actor attribution findings for submission to law enforcement B. To assess whether the intelligence program is meeting defined requirements and delivering measurable value C. To determine which threat intelligence feeds should be decommissioned based on cost D. To brief executive leadership on current tactical IoC data and trending malware families

Question 4

During an annual program review, a CTI team at a manufacturing company finds that intelligence processes are fully documented, analyst roles are defined, and intelligence products are produced on a regular schedule—but the program lacks automation and has no integration with risk management. Which maturity stage does this profile most closely represent?

A. Ad hoc B. Defined and repeatable C. Optimized D. Predictive

Question 5

Following a significant breach, a CTI program manager conducts a post-engagement review. The key finding is that relevant adversary TTPs existed in the team's knowledge base but were never correlated with inbound SIEM alerts. What should the review recommend as the highest-priority remediation?

A. Expand the OSINT collection plan to include more external threat sources B. Increase staffing for strategic intelligence report production C. Improve integration between the threat intelligence platform and SIEM for automated TTP correlation D. Conduct analyst training on threat actor attribution frameworks

Question 6

A threat intelligence team is reviewing its Rules of Engagement as part of an annual program review. They discover the current RoE has no provisions for sharing intelligence with a newly established sector ISAC the organization recently joined. What is the most appropriate next step?

A. Begin sharing immediately because ISACs are inherently trusted sharing communities B. Update the RoE to formally define the scope, format, and conditions for sharing with the ISAC C. Redirect all ISAC communications through legal counsel until a formal agreement is signed D. Create a separate, standalone threat intelligence program exclusively for ISAC participation

Question 7

A CTI team collecting stakeholder feedback during a quarterly program review finds that intelligence consumers across the organization rate reports as technically accurate but not useful for their daily decision-making. Which review action most directly addresses this finding?

A. Replace the current threat intelligence platform with a more capable vendor solution B. Increase the classification level of reports to ensure only qualified consumers receive them C. Tailor intelligence report formats and content to match each consumer's role and decision-making context D. Reduce report frequency to allow analysts more time to improve analytic depth

Question 8

During the gap analysis phase of a threat intelligence program review, a team at a global retailer discovers there is no formal, documented process for converting raw threat data into finished intelligence products. Which program component needs to be developed to close this gap?

A. Collection management framework and source registry B. Intelligence production and analysis workflow C. Dissemination policy and distribution matrix D. Threat actor tracking database and attribution registry

Question 9

A CTI program manager is setting the review cadence for her team's intelligence requirements. The requirements were defined 18 months ago and have not been formally revisited despite significant changes in the organization's business operations and threat landscape. Which best practice should guide her decision?

A. Requirements should only be reviewed after a confirmed major incident or breach B. Requirements should be reviewed at regular intervals and whenever significant changes in the organization's threat landscape or business context occur C. Intelligence requirements are permanent documents and should only be revised upon formal written request from executive stakeholders D. Review cadence should align with the organization's quarterly financial reporting cycle regardless of threat environment changes

Question 10

A program review reveals that a CTI team at an MSSP has focused exclusively on producing tactical IoCs—IP addresses, file hashes, and domains—with no operational or strategic intelligence products delivered in the past year. What is the primary risk this imbalance creates for the organization's intelligence consumers?

A. The SIEM will be overloaded with low-fidelity correlation rules and generate excessive false positives B. The organization will lack visibility into long-term adversary campaigns and be unable to support executive-level risk decisions C. Intelligence sharing with external partners will be restricted due to the sensitivity of tactical indicator data D. Threat hunting teams will be unable to perform automated hunting without operational intelligence feeds

EC-Council CTIA Module 3.7 Practice Test 001

Related Posts

Leave a Comment Cancel Reply