About This Course

The "Godfather of Threat Intelligence" delivers the definitive course on Cyber Threat Intelligence. Ready for the equivalent of a Masters Degree in Threat Intelligence?

The course uses real-world "war stories" from hunting, analyzing, and disrupting the world's worst cyber threats. With guided reading across various of domains including military, psychology, history, communication, and technology, this course will impart wisdom and lessons learned from a career in the trenches.

This multi-month 800-level course requires deep and comprehensive examination of the questions, challenges, and opportunities in Cyber Threat Intelligence.  This course will not only create an experienced intelligence practitioner but those ready to lead and build threat intelligence practices themselves.

This course is for those wanting to become a principal-level analyst and leader in cyber threat intelligence. As described by course students, it would be best to consider this course a "Masters Degree in Threat Intelligence."

This course is currently under development and new material is released when it is ready. The price provides students a discount based on this fact.  After completion the course price will increase.

Who Should Take This Course?

  • Cybersecurity practitioners or students who want to learn how to apply Threat Intelligence to their domain
  • Existing Threat Intelligence professionals who want to dive deeper into tradecraft and practice
  • Anyone who wants to start or expand their career into Threat Intelligence and intrusion analysis.

Learning Objectives

  • Find, evaluate, and integrate threat intelligence sources which measurably improve defense
  • Produce world-class threat intelligence from public and private data sources
  • Use wisdom and lessons from both modern and ancient case studies to apply elements of intelligence across cybersecurity
  • Disseminate threat intelligence and threat findings so decision-makers pay attention and take action
  • Apply traditional and modern models including the Diamond Model, Cyber Kill Chain, F3EAD, the Intelligence Cycle, OODA, MITRE ATT&CK and others
  • Hunt for previously unknown threats
  • Logically assess and criticize threat intelligence from any source and improve your own
  • Associate and attribute cyber threats to adversaries and other groups

Time Commitment

This course will require likely 6+ months of investment including readings, research, exercises, lecture, and exams. It is taught in a traditional graduate-school style using readings and lectures to bring the student along in the knowledge journey.  This course is not a "40 hour firehose" but instead designed to instill lifelong knowledge and understanding.


The course concludes with a rigorous final exam requiring a 70% or better passing grade. A passing grade will result in certifying the student in Threat Intelligence and an associated certificate.

The course material and exam is available to students for 1 year from course enrollment.

Ready to Try for Free?

Enroll in a free trial of TIA-810 Advanced Cyber Threat Intelligence and receive free lessons


Lead Instructor Sergio Caltagirone

Sergio Caltagirone has been called the "Godfather of Threat Intelligence" having built over a dozen threat intelligence teams in both public and private sector and leading the development of threat intelligence worldwide with hundreds of publications and presentations. He co-created the Diamond Model of Intrusion Analysis, helping thousands of others bring more pain to adversaries by strengthening hunters and analysts. He spent 9 years at the US National Security Agency as their lead threat intelligence analyst hunting and tracking the world's most sophisticated threats. He left NSA to build Microsoft's threat intelligence capability and practice protecting over 1 billion customers from cyber threats. Later, Sergio built and led the world's only dedicated industrial control system threat intelligence team at Dragos protecting electric power grids, water systems, oil and gas plants, and manufacturing worldwide. He furthers several humanitarian goals through membership on the International Committee of the Red Cross cybersecurity experts committee and serving as Technical Director for the Global Emancipation Network combating human trafficking on the internet globally.

Course curriculum

    1. Overview

    2. Traditional Intelligence

    3. Optional: Read pages 541-581 and of the Arthashastra

    4. Optional: Read "The Intelligence Dimension of Kautilyan Statecraft and Its Implications for the Present" by Dany Shoham and Michael Liebig

    5. READ: "Art of War XIII: The Use of Spies" by Sun Tzu

    6. Optional: Read Kim by Rudyard Kipling

    7. Read: "The Craft of Intelligence" by Allen Dulles pages 1-47 (Introduction and History

    8. Read: "The Origins of Modern Intelligence, Surveillance, and Reconnaissance" by Finnegan 2009

    9. Optional: Read Tinker, Tailor, Soldier, Spy by John le Carré

    10. Intelligence Tradecraft

    11. Optional: "Intelligence in War It Can Be Decisive" by Gregory Elder 2006

    12. READ: "Successful Leaders Employ Strategic Intelligence" by Maccoby 2001

    13. Intelligence Uses

    14. Optional: Read "Clausewitz's Contempt for Intelligence" by Rosello 1991

    15. Optional: Read "The Joint Intelligence Process" pp. I-5 through I-22 in Joint Publication 2-0 "Joint Intelligence"

    16. READ "Intelligence Concepts — The Intelligence Cycle" by Scott Roberts

    17. READ: Intelligence-Driven Incident Response pp. 17-22 "Intelligence Cycle"

    18. The Intelligence Cycle

    19. READ: Source and Information Reliability

    20. READ: Intelligence-Driven Incident Response "Sources and Methods" pp 11-13

    21. READ: ELINT

    22. READ: FM 2-22.3 Appendix B Pages 285-286 "Source and Information Reliability Matrix"

    23. Intelligence Sources

    24. Intelligence Coordination

    25. Defining Cyber Threat Intelligence

    26. History of Cyber Threat Intelligence

    27. OPTIONAL: Read "Computer Security Threat Monitoring and Surveillance" by James Anderson 1980

    28. WATCH: The World's First Cyber Crime: The Morris Worm

    29. WATCH: The KGB, the Computer and Me

    30. READ: "An Evening with Berferd" by Bill Cheswick 1991

    31. WATCH: Tsutomu Shimomura Interview

    32. WATCH: Back to the Future - Moonlight Maze

    33. READ: "The Invasion of the Chinese Cyberspies" by Nathan Thornburgh via Time Magazine 2005

    34. WATCH: Cracking Stuxnet, a 21st-century Cyber Weapon by Ralph Langer via TED

    35. READ: Mandiant's APT1 Report

    36. WATCH: Mandiant APT1 China Hackers Report with Richard Bejtlich 2013

    37. Analyzing the Historic Mandiant APT1 Report

    38. CTI Introduction Quiz

    1. READ: Intelligence-Driven Incident Response Chapters 1-5

    2. Threat Naming Intro

    3. Cyber Threat Actors

    4. READ: Private Threat Actors for Hire

    5. Cyber Threat Actor Motivations Part 1

    6. Read: Florentine Banker Group

    7. WATCH: The World's First Cyber Crime The Morris Worm

    8. Watch: John Draper Explain the Captain Crunch Whistle Phreaking

    9. Cyber Threat Motivations Part 2

    10. READ: Double Dragon APT41, a dual espionage and cyber crime operation

    11. Watch: Syrian Electronic Army Their Methods and Your Responses

    12. False Flags, Covert and Clandestine Cyber Operations

    13. READ: Russian Hacker False Flags Work—Even After They're Exposed by Andy Greenberg via Wired

    14. Insider Threats

    15. Read: The Insider Threat - An introduction to detecting and deterring an insider spy

    16. Read: Ten Tales of Betrayal The Threat to Corporate Infrastructures by Information Technology Insiders Analysis and Observations

    17. Read: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran

    18. Diamond Model of Intrusion Analysis Overview

    19. Diamond Model Details

    20. Read: Diamond Model of Intrusion Analysis Paper

    21. Cyber Kill Chain

    22. Read: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

    23. Watch: Using An Expanded Cyber Kill Chain Model to Increase Attack Resiliency

    24. MITRE ATT&CK

    25. Read: MITRE ATT&CK Design and Philosophy

    26. Watch: Putting MITRE ATT&CK™ into Action with What You Have, Where You Are presented by Katie Nickels

    27. Preparation

    28. Read: RECONNAISSANCE A Walkthrough of the “APT” Intelligence Gathering Process by Rotem Kerner

    29. Initial Phases Part 1

    30. Initial Phases Part 2

    31. READ: Cyber Espionage & Strategic Web Compromises – Trusted Websites Serving Dangerous Results by Ned Moran and Steven Adair 2018.

    32. Read: BREAKING TRUST Shades of Crisis Across an Insecure Software Supply Chain

    33. Read: Reflection on Trusting Trust by Ken Thompson

    34. READ: Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record

    35. Operational Phases

    36. WATCH: Attack Tutorial Pass-the-Hash Attack Using Mimikatz

    37. READ: Hiding in Plain Sight - Fireeye and Microsoft Expose Obfuscation Tactic

    38. Watch: TEMPEST BBC report on Van Eck Phreaking

    39. Action Phases

    40. Watch: Ransomware

    41. Exercise: Analyzing an Enterprise Cyber Incident

    42. Industrial Control System (ICS) Attacks

    43. Industrial Control System (ICS) Attacks Part 2

    44. Watch: The Stuxnet Story: What really happened at Natanz

    45. WATCH: Mike Assante - Analysis of the Attack on the Ukrainian Power Grid

    46. WATCH: Hackers Manipulate Controls at Electric Distribution Substation in Ukraine 2015

    47. CTI Chapter 3 Quiz

    1. Threat Intelligence Customers

    2. Mission and Risk Analysis for Intelligence Analysts

    3. READ: ISO31000:2018 Risk Management

    4. READ ISO 31010:2019 Risk Assessment Techniques

    5. Requirements Gathering

    6. Read: A Fresh Look at Intelligence Requirements by Clyde R. Heffter (1995)

    7. Turning Requirements into Hypotheses

    8. Exercise: Turning Requirements into Hypotheses

    9. Customer Cohesion

    10. Read "Getting to Know the President" [3rd ed] Intelligence Briefings of Presidential Candidates 1952-2012 (About the PDB Process)

    11. CTI Live! Managing Customer Requests for Information (RFI)

    12. CTI Customers, Requirements, and Direction Quiz

    1. Read: "The Craft of Intelligence" by Allen Dulles pages 47-83 (Requirements, Collection)

    2. Threat Intelligence Data

    3. Fourth Party Collection Resources

    4. OSINT Part 1

    5. What is TOR, Onion Routing, and the Dark Web?

    6. Dark Web Introduction

    7. Dark Web Demonstration

    8. Exercise: Visiting the Dark web for Ransomware

    9. OSINT Part 2

    10. RecordedFuture Demonstration

    11. WATCH: Cognitive Bias and Critical Thinking in Open Source Intelligence (OSINT)

    12. How to Use Shodan

    13. Ransomware Criminal Data Leak Sites

    14. Google Dorking

    15. Honeypots and Deception

    16. Recommended: Intrusion Detection Honeypots by Chris Sanders

    17. Internal Collection

    18. WATCH: Guide to key Windows 10 event logs you need to monitor

    19. WATCH: Event Viewer & Windows Logs

    20. WATCH: Windows Forensics - Event Trace Logs

    21. Additional Windows Host Security Resources

    22. Optional: Read Detecting and Analyzing Network Threats With NetFlow by Cisco

    23. WATCH: Anti-Forensics for Fun and Privacy by Alissa Gilbert

    24. Exercise: Read and Respond, Using Incident Response Reports in Threat Intelligence Collection

    25. Metadata for Improved Forensics

    26. Malicious Capability (Malware) Collection

    27. Watch: Basic Static Malware Analysis

    28. Watch: Dynamic Malware Analysis

    29. Optional: Advanced Virus Total Tutorial

    30. Recommended Malware Analysis Resources

    31. Internet Infrastructure Collection

    32. Watch: Threat Hunting with Netflow by Austin Whisnant

    33. READ: Chapter 1 pages 1-16 of "Network Traffic Analysis with SiLK" by CMU-SEI

    34. Read: Investigating Infrastructure Links with Passive DNS and Whois Data by Citizen Lab

    35. Watch: A Case Study in Pivoting Using Passive DNS and Full PCAP

    36. Watch: Dropping Docs on Darknets: How People Got Caught by Adrian Crenshaw

    37. Download Resource: Collection Resources

    38. Exercise: Finding Badness Online

    39. Building a Collection Strategy

    40. Data Storage and Processing

    41. Challenges and Issues in Collection and Processing

    42. READ: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Ptacek and Newsham

    43. CTI Collection and Processing Quiz

    44. CTI Live! Threat Intelligence During a Major Event: Solar Winds Case Study

    1. Introduction

    2. Read: "What if Sherman Kent was Wrong" by Zachery Tyson Brown

    3. Kent Introduction

    4. Read: Prologue and Chapter 1 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    5. Video Lesson: Strategic Intelligence Preface

    6. Video Lesson: Strategic Intelligence Chapter 1

    7. Read: Chapters 2-4 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    8. Video Lesson: Strategic Intelligence Chapters 2-4

    9. Read: Chapter 5 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    10. Video Lesson: Strategic Intelligence Chapter 5

    11. Read: Chapter 6 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    12. Video Lesson: Strategic Intelligence Chapter 6

    13. Read: Chapter 7 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    14. Video Lesson: Strategic Intelligence Chapter 7

    15. Read: Chapter 8 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    16. Video Lesson: Strategic Intelligence Chapter 8

    17. Read: Chapter 9 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    18. Video Lesson: Strategic Intelligence Chapter 9

    19. Read: Chapter 10 Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    20. Video Lesson: Strategic Intelligence Chapter 10

    21. Read: Chapter 11 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    22. Video Lesson: Strategic Intelligence Chapter 11

    23. Read: "The Function of Intelligence" by Willmore Kendall (Annotated)

    24. Kent vs. Kendall

    25. Read: "The Kent-Kendall Debate of 1949" by Jack Davis

    26. Optional: A Policymaker's Perspective on Intelligence Analysis by Jack Davis

    27. Conclusion: Applying Kent and Kendall to Modern Cyber Threat Intelligence

About this course

  • $3,999.00
  • 319 lessons
  • 49.5 hours of video content

Want to get updates about this course?


This course requires some external resources for the student to obtain prior to starting the course.


These resources are required for the student to obtain for completion of the course.

Intelligence-Driven Incident Response by Scott Roberts and Rebekah Brown 

Threat Intelligence and Me by Robert M. Lee 

Threat Intelligence Handbook, 2nd ed. by Recorded Future (Free download)


These resources are highly recommended by the instructor but not necessary.

Tinker, Tailor, Soldier, Spy by John le Carré 

Red Team: How to Succeed by Thinking Like the Enemy by Micah Zenko