Coming November 1 2020

Get special pre-order pricing before time runs out!

  • 00Days
  • 00Hours
  • 00Minutes
  • 00Seconds

About This Course

The "Godfather of Threat Intelligence" delivers the definitive course on Cyber Threat Intelligence. 

The course uses real-world "war stories" from hunting, analyzing, and disrupting the world's worst cyber threats. With guided reading across various domains and history and practical exercises, this course will impart wisdom and lessons learned from a career in the trenches.

Not just for "intelligence" anymore. This course will give any cybersecurity professional the expertise to understand cyber threats at a deeper level and apply that knowledge to prevent, protect, detect, and mitigate cyber threats against any organization. This course is for any cybersecurity role, including security operations personnel, pentesters, auditors, cybersecurity managers, forensics analysts, security architect, security administrator, and many others.

This is not an "introductory survey," but a deep and comprehensive examination. It promises to improve the newest student to the most experienced practitioner.


Who Should Take This Course?

  • Cybersecurity practitioners or students who want to learn how to apply Threat Intelligence to their domain
  • Existing Threat Intelligence professionals who want to dive deeper into tradecraft and practice
  • Anyone who wants to start or expand their career into Threat Intelligence and intrusion analysis.

Learning Objectives

  • Find, evaluate, and integrate threat intelligence sources which measurably improve defense
  • Produce world-class threat intelligence from public and private data sources
  • Use wisdom and lessons from both modern and ancient case studies to apply elements of intelligence across cybersecurity
  • Disseminate threat intelligence and threat findings so decision-makers pay attention and take action
  • Apply traditional and modern models including the Diamond Model, Cyber Kill Chain, F3EAD, the Intelligence Cycle, OODA, MITRE ATT&CK and others
  • Hunt for previously unknown threats
  • Logically assess and criticize threat intelligence from any source and improve your own
  • Associate and attribute cyber threats to adversaries and other groups

Time Commitment

This course will require over 80 hours including readings, research, exercises, lecture, and exams. It is taught in a traditional graduate-school style using readings and lectures to bring the student along in the knowledge journey.  This course is not a "40 hour firehose" but instead designed to instill lifelong knowledge and understanding.


The course concludes with a rigorous final exam requiring a 70% or better passing grade. A passing grade will result in certifying the student in Threat Intelligence and an associated certificate.

The course material and exam is available to students for 120 days after enrollment.

Add your email to the mailing list to get the latest updates.


Lead Instructor

Sergio Caltagirone

Sergio Caltagirone has been called the "Godfather of Threat Intelligence" having built over a dozen threat intelligence teams in both public and private sector and leading the development of threat intelligence worldwide with hundreds of publications and presentations. He co-created the Diamond Model of Intrusion Analysis, helping thousands of others bring more pain to adversaries by strengthening hunters and analysts. He spent 9 years at the US National Security Agency as their lead threat intelligence analyst hunting and tracking the world's most sophisticated threats. He left NSA to build Microsoft's threat intelligence capability and practice protecting over 1 billion customers from cyber threats. Now, Sergio leads the world's only dedicated industrial control system threat intelligence team at Dragos protecting electric power grids, water systems, oil and gas plants, and manufacturing worldwide. He furthers several humanitarian goals through membership on the International Committee of the Red Cross cybersecurity experts committee and serving as Technical Director for the Global Emancipation Network combating human trafficking on the internet globally.

Course curriculum

  • 2

    Introduction to Threat Intelligence

    • Overview

    • Traditional Intelligence

    • READ: "Art of War XIII: The Use of Spies" by Sun Tzu

    • Optional: Read Kim by Rudyard Kipling

    • Read: "The Origins of Modern Intelligence, Surveillance, and Reconnaissance" by Finnegan 2009

    • Optional: Read Tinker, Tailor, Soldier, Spy by John le Carré

    • Intelligence Tradecraft

    • Optional: "Intelligence in War It Can Be Decisive" by Gregory Elder 2006

    • READ: The President's Daily Brief: Delivering Intelligence to Nixon and Ford


    • Intelligence Uses

    • Optional: Read "Clausewitz's Contempt for Intelligence" by Rosello 1991

    • Optional: Read "The Joint Intelligence Process" pp. I-5 through I-22 in Joint Publication 2-0 "Joint Intelligence"

    • READ "Intelligence Concepts — The Intelligence Cycle" by Scott Roberts

    • READ: Intelligence-Driven Incident Response pp. 17-22 "Intelligence Cycle"

    • The Intelligence Cycle

    • READ: Source and Information Reliability

    • READ: Intelligence-Driven Incident Response "Sources and Methods" pp 11-13


    • READ: FM 2-22.3 Appendix B Pages 285-286 "Source and Information Reliability Matrix"

    • Intelligence Sources

    • Intelligence Coordination

    • Defining Cyber Threat Intelligence

    • History of Cyber Threat Intelligence

    • OPTIONAL: Read "Computer Security Threat Monitoring and Surveillance" by James Anderson 1980

    • WATCH: The World's First Cyber Crime: The Morris Worm

    • WATCH: Stalking the Wily Hacker with Cliff Stoll

    • READ: "An Evening with Berferd" by Bill Cheswick 1991

    • WATCH: Tsutomu Shimomura Interview

    • WATCH: Back to the Future - Moonlight Maze

    • READ: "The Invasion of the Chinese Cyberspies" by Nathan Thornburgh via Time Magazine 2005

    • WATCH: Cracking Stuxnet, a 21st-century Cyber Weapon by Ralph Langer via TED

    • WATCH: Mandiant APT1 China Hackers Report with Richard Bejtlich 2013

    • Test your learning

  • 3

    Malicious Activity

    • Cyber Kill Chain


    • Initial Phases

    • Operational Phases

    • Action Phases

    • Exercise: Analyzing a Corporate Attack

    • Industrial Control System (ICS) Attacks

    • Exercise: Attacking an Industrial Environment

  • 4

    Intelligence Customers, Requirements, and Direction

    • Mission and Risk Analysis for Intelligence Analysts

    • Threat Intelligence Customers

    • Customer Cohesion

    • Requirements Gathering

    • Exercise: How Well Do You Know Your Customer

    • Evaluating and Selecting External Threat Intelligence

    • Exercise: Comparing and Selecting a Threat Intelligence Vendor

    • Turning Requirements into Hypotheses

    • Test your learning

  • 5

    Intelligence Collection and Processing

    • Threat Intelligence Data

    • Building a Collection Strategy

    • OSINT

    • Exercise: Find Badness Online

    • Integrating Across a Security Operations Center

    • Internal Collection

    • Exercise: Network Anomaly Detection

    • Malicious Capability (Malware) Collection

    • Internet Infrastructure Collection

    • Exercise: Passive DNS Hunting

    • Integrating External Threat Intelligence

    • Data Storage and Processing

    • Exercise: Data Splunking

    • Test your learning

  • 6

    Threat Intelligence Analysis

    • Logic for Analysts

    • Bias

    • Exercise: Find the Fallacy!

    • Threat Intelligence Quality

    • Threat Intelligence Confidence

    • Hypothesis-Driven Analysis

    • Diamond Model of Intrusion Analysis

    • Exercise: Map an Attack

    • Structured Analysis Models

    • Exercise: Alternative Competing Hypotheses

    • Attribution

    • Exercise: Exploring Attribution

    • Documenting and Managing Analysis

    • Exercise: Documenting Analysis Using MISP

    • Ethics for Analysts

    • Writing for Analysts

    • Presentation for Analysts

    • Test your learning

  • 7

    Intelligence Dissemination, Usage, and Feedback

    • Classification, Protection, and TLP

    • Dissemination

    • Intelligence for Architecture and Visibility

    • Intelligence for Policy and Compliance

    • Intelligence for Risk Analysis

    • Intelligence for Threat Modeling

    • Intelligence for Security Operations

    • Intelligence for Detection

    • WATCH: Threat Indications and Warning in Principle & Practice

    • Intelligence for Threat Hunting

    • Exercise: Build a Visibility and Detection Strategy

    • Intelligence for Incident Response

    • Disrupting Cyber Threats

    • Exercise: Build Disruption Plan

    • Working with Press and Journalists

    • Measuring Success

    • Gathering and Using Customer Feedback

    • Test your learning

  • 8

    Building and Growing an Intelligence Function

    • Intelligence Maturity Scale

    • Collaboration and Sharing

    • Building an Intelligence Function and Team

    • Legal Considerations in Threat Intelligence

  • 9

    Before you go

    • Congrats! Here's what's next...

    • More resources for you

    • Before you go...


This course requires some external resources for the student to obtain prior to starting the course.


These resources are required for the student to obtain for completion of the course.

Intelligence-Driven Incident Response by Scott Roberts and Rebekah Brown 

Threat Intelligence and Me by Robert M. Lee 

Threat Intelligence Handbook, 2nd ed. by Recorded Future (Free download)


These resources are highly recommended by the instructor but not necessary.

Tinker, Tailor, Soldier, Spy by John le Carré 

Red Team: How to Succeed by Thinking Like the Enemy by Micah Zenko