EC-Council CTIA Module 3.7 Practice Test 001

This practice test covers Module 3 (Requirements, Planning, Direction, and Review) Sub-module 7 (Review Threat Intelligence Program).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 3.7 Practice Test 001

10 questions • Single best answer

Question 1

A CTI program manager at a healthcare organization is asked to demonstrate value to the CISO after 12 months of operation. Which action best reflects a formal threat intelligence program review?

A. Publish a public-facing threat advisory summarizing the year's top threats to build sector credibility B. Evaluate program outputs against predefined requirements, KPIs, and stakeholder expectations C. Conduct a red team exercise to validate the organization's detection and response capabilities D. Migrate all threat intelligence feeds to a new TIP platform to improve data quality

Question 2

A senior threat intelligence analyst is tasked with measuring the effectiveness of her organization's CTI program. Which metric most directly assesses operational value delivery?

A. Number of external threat intelligence feeds subscribed to by the CTI team B. Total volume of raw indicators ingested and stored per month C. Percentage of defined intelligence requirements fulfilled within agreed SLAs D. Number of full-time analysts assigned to the program

Question 3

A CTI team lead is conducting an annual review and identifies several intelligence requirements from the planning phase that were never addressed during the year. Which review activity does this finding best represent?

A. Requirements triage to reprioritize immediate collection tasks B. Gap analysis to identify unmet intelligence needs and program blind spots C. Data normalization review to improve structured feed quality D. Collection plan audit to assess source diversity and coverage overlap

Question 4

After a major industry-wide ransomware campaign, an intelligence lead at a manufacturing firm briefs executives on whether the CTI program detected and provided warning ahead of the threat. This review activity is best categorized as:

A. Tactical debriefing conducted by the incident response team for lessons learned B. Intelligence-led engagement review assessing program performance against a real-world event C. Incident post-mortem focused on containment and eradication effectiveness D. Threat modeling exercise to map attacker TTPs to organizational defenses

Question 5

A government agency's CTI program has been operational for two years. Leadership wants to determine whether it has matured in producing actionable intelligence. Which framework is most appropriate for this assessment?

A. Cyber Kill Chain, to map program outputs to attacker lifecycle phases B. MITRE ATT&CK, to evaluate tactic and technique coverage in intelligence reports C. Threat Intelligence Maturity Model, to assess capability progression across program dimensions D. Diamond Model of Intrusion Analysis, to structure adversary attribution workflows

Question 6

A CTI program manager is drafting a review schedule for the newly established program. Which approach best reflects sound practice for reviewing threat intelligence program effectiveness?

A. Reviews should be conducted only after a confirmed breach or major incident affecting the organization B. Reviews should follow a defined periodic cadence and be supplemented by post-engagement reviews after significant operations C. Reviews are only necessary when transitioning between TIP vendors or updating the collection plan D. A single comprehensive review at program launch is sufficient if no major incidents occur within the first year

Question 7

During a quarterly program review, a CTI team finds that 40% of its intelligence was consumed by only one team and most reports went unactioned by other stakeholders. What should the CTI team prioritize adjusting?

A. Increase raw data collection volumes to broaden threat coverage across more attack surfaces B. Realign intelligence requirements and the dissemination strategy to match actual stakeholder consumption patterns C. Replace all current feeds with OSINT-only sources to reduce vendor dependency and improve relevance D. Transfer the CTI function into the SOC to consolidate intelligence and operations under one team

Question 8

A CTI team lead is preparing a review report to demonstrate program ROI to senior leadership. Which evidence best quantifies operational and financial program value?

A. A comprehensive list of all threat actors and campaigns tracked by the CTI team during the review period B. Documentation of intelligence requirements fulfilled and incidents that were avoided or accelerated through early warning C. The total number of threat intelligence reports published and distributed to organizational stakeholders D. A cost comparison between current TIP licensing fees and equivalent open-source tool alternatives

Question 9

Following a program review, a CTI team finds that its collection plan consistently fails to surface emerging cloud-native threats relevant to the organization's expanding SaaS footprint. Which program review principle does this outcome best illustrate?

A. Threat actor attribution refinement to improve adversary tracking accuracy B. Intelligence dissemination cadence adjustment to accelerate stakeholder delivery C. Continuous improvement through feedback loops that update collection strategy based on identified gaps D. Indicator enrichment processes to add context to collected IoCs before analysis

Question 10

A post-engagement review after CTI support for a nation-state incident response reveals that intelligence was delivered after containment decisions had already been made, rendering it unusable. Which program element should the review prioritize improving?

A. Threat attribution methodology to more accurately identify the sponsoring nation-state actor B. Intelligence timeliness and delivery SLAs within the intelligence lifecycle C. The number of external sharing partners and ISAC relationships maintained by the CTI team D. The classification scheme and TLP markings applied to intelligence products before distribution

EC-Council CTIA Module 3.7 Practice Test 001

Related Posts

Leave a Comment Cancel Reply