100+ Free CTIA Practice Questions

Pass your Certified Threat Intelligence Analyst (CTIA v2) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

  • Pass rate: not published
  • Questions: 100+
  • Cost: 100% free
2026 Statistics

Key Facts: CTIA Exam

  • Exam Questions: 50 (source: EC-Council CTIA v2 Blueprint)
  • Exam Duration: 2 hours (source: EC-Council)
  • Passing Score: 70% (source: EC-Council; 60-78% cut score per form)
  • Exam Voucher Fee: $450 (source: EC-Council Store)
  • Content Domains: 8 (source: CTIA v2 Blueprint)
  • Certification Validity: 3 years (ECE program required)

The CTIA v2 exam (312-85) has 50 multiple-choice questions in 2 hours with a 70% passing score (cut score varies 60-78% per form). It covers eight domains weighted toward Data Collection and Processing (24%), Data Analysis (16%), Requirements/Planning (14%), and Dissemination/Reporting (14%). CTIA v2 expands coverage of Threat Intelligence Platforms, cloud TI, and Python automation.

Sample CTIA Practice Questions

Try these sample questions to test your CTIA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which definition best distinguishes intelligence from information?
A. Intelligence is raw data; information is processed data
B. Intelligence is processed, analyzed, and contextualized information that supports decision-making
C. Intelligence is publicly available; information is classified
D. Intelligence is collected automatically; information is collected manually
Explanation: Intelligence is the product of refining information through analysis, contextualization, and evaluation so that it can drive decisions. Data is raw observations, information is data with context, and intelligence is the actionable insight derived after analysis. The CTIA blueprint emphasizes this distinction in Domain 1 (Introduction to Threat Intelligence).

2. Which type of cyber threat intelligence is primarily consumed by C-level executives and board members for strategic decisions?
A. Tactical threat intelligence
B. Operational threat intelligence
C. Strategic threat intelligence
D. Technical threat intelligence
Explanation: Strategic threat intelligence provides high-level analysis of risks, geopolitical trends, and adversary motivations that inform business decisions, budgeting, and policy. It is delivered as narrative reports rather than technical indicators and targets executives, boards, and CISOs.

3. Which type of CTI describes adversary tactics, techniques, and procedures (TTPs) used by defenders to design controls and detections?
A. Strategic
B. Tactical
C. Operational
D. Technical
Explanation: Tactical CTI focuses on TTPs — how adversaries operate — and is used by security architects, threat hunters, and detection engineers to harden environments and build detections. ATT&CK techniques are a canonical example of tactical intelligence.

4. What are the six stages of the threat intelligence lifecycle in correct order?
A. Collection, Planning, Processing, Analysis, Dissemination, Feedback
B. Planning and Direction, Collection, Processing, Analysis and Production, Dissemination, Feedback
C. Requirements, Hunting, Collection, Reporting, Review, Feedback
D. Direction, Detection, Collection, Correlation, Distribution, Review
Explanation: The classic CTI lifecycle, adopted from the U.S. intelligence community and used in CTIA, has six stages: Planning and Direction, Collection, Processing and Exploitation, Analysis and Production, Dissemination and Integration, and Feedback. This cycle continuously refines requirements based on consumer feedback.

5. A Threat Intelligence Platform (TIP) provides which primary capability?
A. Active exploitation of vulnerabilities for testing
B. Aggregation, normalization, enrichment, and sharing of threat data with workflow management
C. Endpoint malware quarantine and removal
D. Real-time blocking of attacks at the network perimeter
Explanation: A TIP (e.g., MISP, ThreatConnect, Anomali, OpenCTI) ingests indicators from many feeds, deduplicates and normalizes them, enriches them with context, supports collaboration and workflow, and pushes curated intelligence to defensive tools via STIX/TAXII or APIs.

6. Which open-source platform is purpose-built for sharing structured threat indicators and IOCs across organizations?
A. Splunk
B. MISP (Malware Information Sharing Platform)
C. Wireshark
D. Metasploit
Explanation: MISP is an open-source threat intelligence sharing platform widely deployed by CERTs, ISACs, and enterprises. It supports STIX import/export, taxonomy tagging, sightings, correlation across events, and automated synchronization between MISP instances for community sharing.

7. Which characteristic is NOT typically associated with high-quality threat intelligence?
A. Relevance to the consumer's environment and assets
B. Timeliness — delivered before the threat is no longer actionable
C. Volume — the more indicators, the better, regardless of context
D. Accuracy with confidence scoring
Explanation: Volume without context produces noise and alert fatigue. High-quality CTI is judged on relevance, timeliness, accuracy, completeness, and actionability — not raw quantity. A small number of well-contextualized indicators outperforms a flood of unvetted feeds.

8. When deploying a TIP in a cloud environment, which deployment consideration is most important for handling sensitive indicators?
A. Choosing the cheapest cloud region
B. Encrypting data in transit and at rest, and ensuring compliance with data residency requirements
C. Using a single shared API key for all integrations
D. Disabling audit logging to reduce storage costs
Explanation: Cloud-hosted TIPs handle TLP:AMBER and TLP:RED indicators that, if leaked, could tip off adversaries or violate sharing agreements. Strong encryption (TLS 1.2+, KMS-managed keys), data residency controls, role-based access, and audit logging are required for safe operation.

9. Which emerging trend most directly affects threat intelligence collection in 2026?
A. Decline of cloud computing
B. Rise of AI-generated phishing, deepfake social engineering, and adversarial use of LLMs
C. Phasing out of all encryption
D. Removal of MITRE ATT&CK from public use
Explanation: Adversaries now use generative AI to scale spear-phishing, create deepfake voice/video for social engineering, and automate reconnaissance. CTI teams must update collection requirements to track AI-enabled TTPs, monitor underground LLM offerings, and adapt detections accordingly.

10. An organization that consumes only IOC feeds without doing any analysis or contextualization is operating at which CTI maturity level?
A. Mature, intelligence-driven defense
B. Initial / consumption-only — receiving information but not producing intelligence
C. Advanced threat hunting
D. Strategic intelligence production
Explanation: Consuming raw feeds without enrichment, prioritization, or analysis represents the lowest level of CTI maturity. Mature programs internalize feeds, correlate against telemetry, build adversary profiles, generate hypotheses, and produce internal intelligence products tailored to stakeholders.

About the CTIA Exam

The Certified Threat Intelligence Analyst (CTIA v2) validates skills across the full threat intelligence lifecycle, including requirements planning, data collection, processing, analysis, and dissemination. CTIA prepares analysts to operationalize CTI within SOCs, incident response, and risk management using frameworks like MITRE ATT&CK, the Cyber Kill Chain, and the Diamond Model.

  • Questions: 50 scored questions
  • Time Limit: 2 hours
  • Passing Score: 70%
  • Exam Fee: $450 (exam voucher) (EC-Council / ECC Exam Center)

CTIA Exam Content Outline

  • Introduction to Threat Intelligence (12%): Intelligence vs. information vs. data, CTI types (strategic, tactical, operational, technical), TI lifecycle, frameworks, TIPs, and cloud TI
  • Cyber Threats and Attack Frameworks (8%): APT lifecycles, Cyber Kill Chain stages, MITRE ATT&CK tactics/techniques, Diamond Model, and IoC types
  • Requirements, Planning, Direction, and Review (14%): Threat landscape analysis, PIR development, program planning, management buy-in, team building, and program review
  • Data Collection and Processing (24%): OSINT, HUMINT, SIGINT, CCI, malware analysis, feeds, bulk collection, normalization, structuring, and Python scripting
  • Data Analysis (16%): Statistical analysis, ACH (Analysis of Competing Hypotheses), threat analysis process, runbooks, and TI tools (MISP, OpenCTI)
  • Dissemination and Reporting of Intelligence (14%): TI report formats, sharing relationships, STIX/TAXII, sharing platforms, ISACs, sharing acts/regulations, and Python automation
  • Threat Hunting and Detection (6%): Hunt hypotheses, TTP-based hunting, pyramid of pain, and detection engineering with Sigma rules
  • CTI in SOC, IR, and Risk Management (6%): Operationalizing CTI in SOC workflows, enrichment of IR processes, and integration with enterprise risk management

How to Pass the CTIA Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 50 questions
  • Time limit: 2 hours
  • Exam fee: $450 (exam voucher)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CTIA Study Tips from Top Performers

1. Memorize the six-stage threat intelligence lifecycle: planning, collection, processing, analysis, dissemination, feedback
2. Know the four CTI types and their consumers: strategic (executives), tactical (defenders), operational (IR teams), technical (SOC tools)
3. Master MITRE ATT&CK tactics in order and practice mapping reported campaigns to specific techniques
4. Understand the Diamond Model's four vertices (adversary, capability, infrastructure, victim) and how pivoting works
5. Learn STIX 2.1 SDO types (indicator, malware, threat-actor, campaign) and TAXII 2.1 collection vs channel concepts
6. Study the Pyramid of Pain — hash IOCs are trivial to change, TTPs are hardest for adversaries to alter
7. Practice Analysis of Competing Hypotheses (ACH) — list hypotheses, evaluate evidence against each, and find the most defensible
8. Memorize Cyber Kill Chain stages (recon, weaponization, delivery, exploitation, installation, C2, actions on objectives) and detection opportunities at each

Frequently Asked Questions

What is the CTIA exam format?

The CTIA v2 exam (code 312-85) consists of 50 multiple-choice questions to be completed in 2 hours. The passing score is 70%, though EC-Council uses a per-form cut score that can range from 60% to 78%. The exam is delivered through the ECC Exam Center with remote proctoring available.

How much does the CTIA certification cost?

The CTIA v2 exam voucher costs $450. Self-study candidates without official training must also submit an Exam Eligibility Application with a $100 non-refundable processing fee. EC-Council training packages range from approximately $850 (e-courseware bundle) up to several thousand dollars for instructor-led options.

What is the difference between CTIA and ECIH?

CTIA focuses on cyber threat intelligence — collecting, analyzing, and disseminating intelligence about adversaries. ECIH focuses on incident handling — detecting, containing, and recovering from incidents. CTIA is upstream (intelligence informs defense); ECIH is downstream (acting when an incident occurs). The two certifications are complementary.

Do I need experience to take the CTIA exam?

Yes — self-study candidates need at least 2 years of information security work experience and must submit an Exam Eligibility Application with a $100 fee. Candidates who complete official EC-Council CTIA training (iLearn, iWeek, or accredited training partner) have the experience requirement waived.

What jobs can I get with a CTIA certification?

CTIA prepares you for roles including Threat Intelligence Analyst, Cyber Threat Hunter, SOC Analyst (Tier 2/3), CTI Lead, Threat Researcher, Security Operations Engineer, Incident Response Analyst, and Cybersecurity Consultant focused on intelligence-led defense.