About This Course

The "Godfather of Threat Intelligence" delivers the definitive course on Cyber Threat Intelligence. 

The course uses real-world "war stories" from hunting, analyzing, and disrupting the world's worst cyber threats. With guided reading across various domains, including military, psychology, history, communication, and technology, this course imparts wisdom and lessons learned from a career in the trenches.

This multi-month 800-level course requires a deep and comprehensive examination of the questions, challenges, and opportunities in Cyber Threat Intelligence. It will not only create experienced intelligence practitioners but also leaders ready to build threat intelligence practices themselves.

This course is for those wanting to become a principal-level analyst and leader in cyber threat intelligence. It would be best to consider the course a "Master's Degree in Threat Intelligence."

This course is currently under development, and new material is released when it is ready. The current price reflects a discount for this; after the course is complete, the price will increase.

Who Should Take This Course?

  • Cybersecurity practitioners or students who want to learn how to apply Threat Intelligence to their domain
  • Existing Threat Intelligence professionals who want to dive deeper into tradecraft and practice
  • Anyone who wants to start or expand their career into Threat Intelligence and intrusion analysis.

Learning Objectives

  • Find, evaluate, and integrate threat intelligence sources which measurably improve defense
  • Produce world-class threat intelligence from public and private data sources
  • Use wisdom and lessons from both modern and ancient case studies to apply elements of intelligence across cybersecurity
  • Disseminate threat intelligence and threat findings so decision-makers pay attention and take action
  • Apply traditional and modern models including the Diamond Model, Cyber Kill Chain, F3EAD, the Intelligence Cycle, OODA, MITRE ATT&CK and others
  • Hunt for previously unknown threats
  • Logically assess and criticize threat intelligence from any source and improve your own
  • Associate and attribute cyber threats to adversaries and other groups

Time Commitment

This course will likely require 6+ months of investment, including readings, research, exercises, lectures, and exams. It is taught in a traditional graduate-school style, using readings and lectures to bring the student along in the knowledge journey. This course is not a "40-hour firehose" but is instead designed to instill lifelong knowledge and understanding.


The course concludes with a rigorous final exam requiring a passing grade of 70% or better. A passing grade certifies the student in Threat Intelligence and earns an associated certificate.

The course material and exam are available to students for 1 year from course enrollment.



Lead Instructor

Sergio Caltagirone

Sergio Caltagirone has been called the "Godfather of Threat Intelligence," having built over a dozen threat intelligence teams in both the public and private sectors and led the development of threat intelligence worldwide with hundreds of publications and presentations. He co-created the Diamond Model of Intrusion Analysis, helping thousands of others bring more pain to adversaries by strengthening hunters and analysts. He spent 9 years at the US National Security Agency as its lead threat intelligence analyst, hunting and tracking the world's most sophisticated threats. He left NSA to build Microsoft's threat intelligence capability and practice, protecting over 1 billion customers from cyber threats. Now, Sergio leads the world's only dedicated industrial control system threat intelligence team at Dragos, protecting electric power grids, water systems, oil and gas plants, and manufacturing worldwide. He furthers several humanitarian goals through membership on the International Committee of the Red Cross cybersecurity experts committee and by serving as Technical Director for the Global Emancipation Network, combating human trafficking on the internet globally.

Course curriculum

  • 2. Introduction to Threat Intelligence

    • Overview

    • Traditional Intelligence

    • Optional: Read pages 541-581 of the Arthashastra

    • READ: "Art of War XIII: The Use of Spies" by Sun Tzu

    • Optional: Read Kim by Rudyard Kipling

    • Read: "The Craft of Intelligence" by Allen Dulles, pages 1-47 (Introduction and History)

    • Read: "The Origins of Modern Intelligence, Surveillance, and Reconnaissance" by Finnegan 2009

    • Optional: Read Tinker, Tailor, Soldier, Spy by John le Carré

    • Intelligence Tradecraft

    • Optional: Read "Intelligence in War: It Can Be Decisive" by Gregory Elder 2006

    • READ: "Successful Leaders Employ Strategic Intelligence" by Maccoby 2001

    • Intelligence Uses

    • Optional: Read "Clausewitz's Contempt for Intelligence" by Rosello 1991

    • Optional: Read "The Joint Intelligence Process" pp. I-5 through I-22 in Joint Publication 2-0 "Joint Intelligence"

    • READ: "Intelligence Concepts — The Intelligence Cycle" by Scott Roberts

    • READ: Intelligence-Driven Incident Response pp. 17-22 "Intelligence Cycle"

    • The Intelligence Cycle

    • READ: Source and Information Reliability

    • READ: Intelligence-Driven Incident Response "Sources and Methods" pp. 11-13

    • READ: FM 2-22.3 Appendix B, pages 285-286 "Source and Information Reliability Matrix"

    • Intelligence Sources

    • Intelligence Coordination

    • Defining Cyber Threat Intelligence

    • History of Cyber Threat Intelligence

    • OPTIONAL: Read "Computer Security Threat Monitoring and Surveillance" by James Anderson 1980

    • WATCH: The World's First Cyber Crime: The Morris Worm

    • WATCH: The KGB, the Computer and Me

    • READ: "An Evening with Berferd" by Bill Cheswick 1991

    • WATCH: Tsutomu Shimomura Interview

    • WATCH: Back to the Future - Moonlight Maze

    • READ: "The Invasion of the Chinese Cyberspies" by Nathan Thornburgh via Time Magazine 2005

    • WATCH: Cracking Stuxnet, a 21st-century Cyber Weapon by Ralph Langner via TED

    • READ: Mandiant's APT1 Report

    • WATCH: Mandiant APT1 China Hackers Report with Richard Bejtlich 2013

    • Live: Analyzing the Historic Mandiant APT1 Report

    • CTI Introduction Quiz

  • 3. Malicious Activity

    • READ: Intelligence-Driven Incident Response Chapters 1-5

    • Threat Naming Intro

    • Cyber Threat Actors

    • READ: Private Threat Actors for Hire

    • Cyber Threat Actor Motivations Part 1

    • Read: Florentine Banker Group

    • WATCH: The World's First Cyber Crime: The Morris Worm

    • Watch: John Draper Explain the Captain Crunch Whistle Phreaking

    • Cyber Threat Motivations Part 2

    • READ: Double Dragon APT41, a dual espionage and cyber crime operation

    • Watch: Syrian Electronic Army: Their Methods and Your Responses

    • False Flags, Covert and Clandestine Cyber Operations

    • READ: Russian Hacker False Flags Work—Even After They're Exposed by Andy Greenberg via Wired

    • Insider Threats

    • Read: The Insider Threat - An introduction to detecting and deterring an insider spy

    • Read: Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders: Analysis and Observations

    • Read: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran

    • Diamond Model of Intrusion Analysis Overview

    • Diamond Model Details

    • Read: Diamond Model of Intrusion Analysis Paper

    • Cyber Kill Chain

    • Read: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

    • Watch: Using An Expanded Cyber Kill Chain Model to Increase Attack Resiliency

    • Read: MITRE ATT&CK Design and Philosophy

    • Watch: Putting MITRE ATT&CK™ into Action with What You Have, Where You Are presented by Katie Nickels

    • Preparation

    • Read: RECONNAISSANCE: A Walkthrough of the "APT" Intelligence Gathering Process by Rotem Kerner

    • Initial Phases Part 1

    • Initial Phases Part 2

    • READ: Cyber Espionage & Strategic Web Compromises – Trusted Websites Serving Dangerous Results by Ned Moran and Steven Adair 2018

    • Read: Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain

    • Read: Reflections on Trusting Trust by Ken Thompson

    • READ: Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record

    • Operational Phases

    • WATCH: Attack Tutorial Pass-the-Hash Attack Using Mimikatz

    • READ: Hiding in Plain Sight - FireEye and Microsoft Expose Obfuscation Tactic

    • Watch: TEMPEST BBC report on Van Eck Phreaking

    • Action Phases

    • Watch: Ransomware

    • Exercise: Analyzing an Enterprise Cyber Incident

    • Industrial Control System (ICS) Attacks

    • Industrial Control System (ICS) Attacks Part 2

    • Watch: The Stuxnet Story: What really happened at Natanz

    • WATCH: Mike Assante - Analysis of the Attack on the Ukrainian Power Grid

    • WATCH: Hackers Manipulate Controls at Electric Distribution Substation in Ukraine 2015

    • CTI Chapter 3 Quiz

  • 4. Intelligence Customers, Requirements, and Direction

    • Threat Intelligence Customers

    • Mission and Risk Analysis for Intelligence Analysts

    • READ: ISO 31000:2018 Risk Management

    • READ: ISO 31010:2019 Risk Assessment Techniques

    • Requirements Gathering

    • Read: A Fresh Look at Intelligence Requirements by Clyde R. Heffter (1995)

    • Turning Requirements into Hypotheses

    • Exercise: Turning Requirements into Hypotheses

    • Customer Cohesion

    • Read: "Getting to Know the President: Intelligence Briefings of Presidential Candidates 1952-2012" (3rd ed.) (about the PDB process)

    • CTI Live! Managing Customer Requests for Information (RFI)

    • CTI Customers, Requirements, and Direction Quiz

  • 5. Intelligence Collection and Processing

    • Read: "The Craft of Intelligence" by Allen Dulles pages 47-83 (Requirements, Collection)

    • Threat Intelligence Data

    • Fourth Party Collection Resources

    • OSINT Part 1

    • What is TOR, Onion Routing, and the Dark Web?

    • Dark Web Introduction

    • Dark Web Demonstration

    • Exercise: Visiting the Dark Web for Ransomware

    • OSINT Part 2

    • RecordedFuture Demonstration

    • WATCH: Cognitive Bias and Critical Thinking in Open Source Intelligence (OSINT)

    • How to Use Shodan

    • Ransomware Criminal Data Leak Sites

    • Google Dorking

    • Honeypots and Deception

    • Recommended: Intrusion Detection Honeypots by Chris Sanders

    • Internal Collection

    • WATCH: Guide to key Windows 10 event logs you need to monitor

    • WATCH: Event Viewer & Windows Logs

    • WATCH: Windows Forensics - Event Trace Logs

    • Additional Windows Host Security Resources

    • Optional: Read Detecting and Analyzing Network Threats With NetFlow by Cisco

    • WATCH: Anti-Forensics for Fun and Privacy by Alissa Gilbert

    • Exercise: Read and Respond, Using Incident Response Reports in Threat Intelligence Collection

    • Metadata for Improved Forensics

    • Malicious Capability (Malware) Collection

    • Watch: Basic Static Malware Analysis

    • Watch: Dynamic Malware Analysis

    • Optional: Advanced VirusTotal Tutorial

    • Recommended Malware Analysis Resources

    • Internet Infrastructure Collection

    • Watch: Threat Hunting with Netflow by Austin Whisnant

    • READ: Chapter 1 pages 1-16 of "Network Traffic Analysis with SiLK" by CMU-SEI

    • Read: Investigating Infrastructure Links with Passive DNS and Whois Data by Citizen Lab

    • Watch: A Case Study in Pivoting Using Passive DNS and Full PCAP

    • Watch: Dropping Docs on Darknets: How People Got Caught by Adrian Crenshaw

    • Download Resource: Collection Resources

    • Exercise: Finding Badness Online

    • Building a Collection Strategy

    • Data Storage and Processing

    • Challenges and Issues in Collection and Processing

    • READ: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Ptacek and Newsham

    • CTI Collection and Processing Quiz

    • CTI Live! Threat Intelligence During a Major Event: SolarWinds Case Study

  • 6. CTI Analysis Foundations: Strategic Analysis for American World Policy by Sherman Kent

    • Introduction

    • Read: "What if Sherman Kent was Wrong" by Zachery Tyson Brown

    • Kent Introduction

    • Read: Prologue and Chapter 1 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    • Video Lesson: Strategic Intelligence Preface

    • Video Lesson: Strategic Intelligence Chapter 1

    • Read: Chapters 2-4 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    • Video Lesson: Strategic Intelligence Chapters 2-4

    • Read: Chapter 5 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    • Video Lesson: Strategic Intelligence Chapter 5

    • Read: Chapter 6 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    • Video Lesson: Strategic Intelligence Chapter 6

    • Read: Chapter 7 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    • Video Lesson: Strategic Intelligence Chapter 7

    • Read: Chapter 8 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    • Video Lesson: Strategic Intelligence Chapter 8

    • Read: Chapter 9 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    • Video Lesson: Strategic Intelligence Chapter 9

    • Read: Chapter 10 Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    • Video Lesson: Strategic Intelligence Chapter 10

    • Read: Chapter 11 of Strategic Analysis for American World Policy by Sherman Kent (Annotated)

    • Video Lesson: Strategic Intelligence Chapter 11

    • Read: "The Function of Intelligence" by Willmoore Kendall (Annotated)

    • Kent vs. Kendall

    • Read: "The Kent-Kendall Debate of 1949" by Jack Davis

    • Conclusion: Applying Kent and Kendall to Modern Cyber Threat Intelligence

  • 7. CTI Analysis Foundations: The Craft of Intelligence by Allen Dulles

  • 8. CTI Analysis Foundations: The Psychology of Intelligence Analysis by Richards Heuer

  • 9. Threat Intelligence Analysis

    • Introduction to Analysis

    • Optional: The Myth of Cassandra

    • Logic for Intelligence Analysis: Deduction

    • CTI Analysis: Deduction Quiz

    • Exercise: Identifying and Evaluating Deductive Threat Intel Arguments

    • Logic for Intelligence Analysts: Induction Part 1

    • Logic for Intelligence Analysts: Induction Part 2 "Anomalies, Bayesian Analysis, and Falsifiability"

    • Optional: Read Karl Popper's Conjectures and Refutations Chapter 10 "THE GROWTH OF KNOWLEDGE: THEORIES AND PROBLEMS"

    • Logic for Intelligence Analysis: Induction Part 3 "Necessary/Sufficient and Induction Arguments"

    • Optional: Watch "Necessary and Sufficient" from CUNY

    • Logic for Intelligence Analysis: Induction Part 4 "Causation and Mill's Methods"

    • Optional: Watch "Mill's Methods" from CUNY

    • Optional: Read John Stuart Mill's System of Logic

    • CTI Analysis: Induction Quiz

    • WATCH: Can you HEAR Stuxnet damaging centrifuges at Natanz? by Langner Group

    • Logic for Intelligence Analysis: Abduction

    • Abduction Quiz

    • Using and Combining Different Reasoning Approaches in Threat Intelligence

    • Quick Guide: Using Reasoning in Intelligence

    • Introducing Problems in Analytic Thinking

    • Bias

    • READ: Tale of Two Cybers: How Threat Reporting by Cybersecurity Firms Systematically Underrepresents Threats to Civil Society

    • Read: Why Malware Numbers Don't Matter and Security Accounting

    • Case Study: PIPEDREAM

    • Case Study: Popping Eagle

    • Case Study: Operation Pawn Storm

    • Cognitive Biases

    • Read: Framing Effect in Cybersecurity Choices

    • Read: Thinking, Fast and Slow by Daniel Kahneman

    • Additional External Bias Resources

    • Logical Fallacies

    • Exercise: Find the Fallacy!

    • Threat Intelligence Quality

    • Threat Intelligence Confidence

    • Hypothesis-Driven Analysis

    • Diamond Model of Intrusion Analysis

    • Exercise: Map an Attack

    • Structured Analysis Models

    • Exercise: Alternative Competing Hypotheses

    • Integrating External Threat Intelligence

    • Attribution

    • Watch: Attributing Active Measures by Thomas Rid

    • Watch: A Brief History of Attribution Mistakes by Sarah Jones

    • Exercise: Exploring Attribution

    • Estimates and Judgements

    • Documenting and Managing Analysis

    • Exercise: Documenting Analysis Using MISP

    • Ethics for Analysts

    • Writing for Analysts

    • Presentation for Analysts

    • Evaluating External Threat Intelligence

    • Exercise: Evaluate Threat Intelligence

    • Test your learning

  • 10. Intelligence Dissemination, Usage, and Feedback

    • Classification, Protection, and TLP

    • Dissemination

    • Intelligence for Architecture and Visibility

    • Intelligence for Policy and Compliance

    • Intelligence for Risk Analysis

    • Intelligence for Threat Modeling

    • Intelligence for Security Operations

    • Intelligence for Detection

    • WATCH: Threat Indications and Warning in Principle & Practice

    • Intelligence for Threat Hunting

    • Exercise: Build a Visibility and Detection Strategy

    • Intelligence for Incident Response

    • Disrupting Cyber Threats

    • Exercise: Build Disruption Plan

    • Intelligence for Executives

    • READ: The President's Daily Brief: Delivering Intelligence to Nixon and Ford

    • Working with Press and Journalists

    • Measuring Success

    • Gathering and Using Customer Feedback

    • Test your learning

  • 11. Building and Growing an Intelligence Function

    • Intelligence Maturity Scale

    • Collaboration and Sharing

    • Building an Intelligence Function and Team

    • Legal Considerations in Threat Intelligence

    • Selecting an Intelligence Vendor

    • Exercise: Evaluate and Select an Intelligence Vendor

    • CTI Building and Growing Intel Function Quiz

  • 12. Threat Intelligence Case Studies

    • Case Study: Validating an FBI FLASH Report

  • 13. Before you go

    • Congrats! Here's what's next...

    • More resources for you

    • Before you go...


This course requires some external resources that the student must obtain before starting the course.

Students must obtain these resources to complete the course.

Intelligence-Driven Incident Response by Scott Roberts and Rebekah Brown 

Threat Intelligence and Me by Robert M. Lee 

Threat Intelligence Handbook, 2nd ed. by Recorded Future (Free download)


These resources are highly recommended by the instructor but not required.

Tinker, Tailor, Soldier, Spy by John le Carré 

Red Team: How to Succeed by Thinking Like the Enemy by Micah Zenko