Who is this cybersecurity threat intelligence course for?

SOC analysts moving into Tier 3 hunting or threat intelligence; incident responders grounding post-incident analysis in tradecraft; security engineers responsible for detection content; cybersecurity professionals preparing for GIAC GCTI; cyber-curious adults from journalism, OSINT research, or policy backgrounds entering defensive CTI.

What primary sources does this cybersecurity course cite?

Diamond Model of Intrusion Analysis (Caltagirone, Pendergast, Betz 2013), Lockheed Martin Cyber Kill Chain (Hutchins, Cloppert, Amin 2011), MITRE ATT&CK Enterprise v15 and ATT&CK Cloud matrix, MITRE ATT&CK: Design and Philosophy (Strom et al. 2018), Heuer's Psychology of Intelligence Analysis (CIA 1999), Heuer & Pherson Structured Analytic Techniques (2014), ODNI ICD 203 Analytic Standards (2015), ODNI 2017 assessment of Russian election interference (a public ACH-style product), STIX 2.1 and TAXII 2.1 OASIS specifications, FIRST.org TLP 2.0, CISA Automated Indicator Sharing (AIS), BLS OES 2024, ISC2 Workforce Study 2024.

Will this prepare me for GIAC GCTI?

It is a primary-source-grounded primer that covers the same frameworks (Diamond Model, Kill Chain, ATT&CK, ACH, STIX/TAXII) GCTI tests against. Pair the course with the official SANS FOR578 training resource for the depth and lab practice the exam expects.

Do I need clearance to take this course?

No. The course covers defensive CTI tradecraft taught from public sources (CIA Sherman Kent School publications, ODNI public standards, OASIS standards, MITRE public frameworks). Government-classified CTI tradecraft is not covered.

Primary-source-grounded cybersecurity course

Threat Intelligence Fundamentals

A primary-source-grounded six-module path into cyber threat intelligence work: the analytic frameworks (Diamond Model, Kill Chain, ATT&CK), the structured analytic techniques from intelligence tradecraft, and the CTI career ladder.

6 modules16 hours$197 one-timeDiamond + Kill Chain + ATT&CK + tradecraft

What this cybersecurity course is

Threat Intelligence Fundamentals is a 6-module cybersecurity course for SOC analysts, incident responders, and security engineers moving into cyber threat intelligence (CTI) roles. Every module is grounded in primary-source frameworks: the Diamond Model of Intrusion Analysis (Caltagirone, Pendergast & Betz 2013), the Lockheed Martin Cyber Kill Chain (Hutchins, Cloppert & Amin 2011), MITRE ATT&CK Enterprise v15, STIX 2.1 and TAXII 2.1 (OASIS standards), Heuer's Psychology of Intelligence Analysis (CIA 1999), and Heuer & Pherson's Structured Analytic Techniques (2014). The course covers strategic, operational, and tactical CTI; how to write a finished intelligence product an executive will read; how to use STIX bundles to share indicators across organizations; and how the Traffic Light Protocol (TLP) governs information sharing. Designed by Julian Calvo, Ed.D. in Applied Learning Sciences (University of Miami, 2026).

The course sequences six modules around the intelligence lifecycle as defined in tradecraft literature: requirements, collection, processing, analysis, dissemination, feedback. Each module pairs a primary-source standard with a hands-on artifact: read the standard, write the analytic product the way the intelligence tradition expects to see it, evaluate the product against an analyst-checklist drawn from Heuer (1999) and CIA's analytic standards. The pedagogical pattern follows Kolb's experiential learning cycle (1984): concrete intelligence task, structured reflection against a tradecraft standard, abstract conceptualization through the framework, then active experimentation with a real CTI source. Every claim cites a primary-source framework, a peer-reviewed paper, MITRE/CISA, or BLS/ISC2. No vendor CTI-platform marketing.

Six modules

Module 01 · 120 min
The Intelligence Lifecycle and Why CTI Inherits It
The six-step intelligence lifecycle from US national-intelligence tradecraft, why CTI uses the same structure, and what each step looks like at a corporate cyber-threat-intelligence team.
Learning objectives
- Cite the six steps of the intelligence lifecycle (requirements, collection, processing, analysis, dissemination, feedback) and identify the deliverable each step produces in a CTI context
- Distinguish strategic, operational, and tactical CTI by audience, time horizon, and the form of the finished product
- Apply the Traffic Light Protocol (TLP 2.0) to a sample CTI product and explain who can receive each TLP level
Module 02 · 130 min
The Diamond Model and the Cyber Kill Chain
Two analytic frameworks for understanding intrusions, why CTI analysts use them as complementary lenses rather than competing ones, and how to apply both to a published APT report.
Learning objectives
- Cite the four vertices of the Diamond Model (adversary, capability, infrastructure, victim) and the meta-features (timestamp, phase, result, direction, methodology, resources)
- Cite the seven stages of the Cyber Kill Chain and identify the kill-chain phase a given technique sits in
- Read a published APT report (Mandiant, Microsoft, CrowdStrike) and produce both a Diamond Model representation and a Kill Chain mapping
Module 03 · 130 min
Structured Analytic Techniques in CTI
How professional intelligence analysts manage cognitive bias, why Heuer's Analysis of Competing Hypotheses is the foundational technique, and which structured techniques apply to which CTI questions.
Learning objectives
- Cite Heuer's Psychology of Intelligence Analysis (1999) and the eight cognitive biases it documents that affect intelligence judgment
- Apply Analysis of Competing Hypotheses (ACH) to a published attribution claim
- Identify three other structured analytic techniques (key assumptions check, devil's advocacy, what-if analysis) and the CTI question each applies to
Module 04 · 110 min
STIX, TAXII, and Cross-Organization Information Sharing
How CTI moves between organizations in machine-readable form, what the STIX 2.1 data model captures, and how the TAXII protocol structures the exchange.
Learning objectives
- Cite the major STIX 2.1 object types (SDO, SCO, SRO) and identify when each is used
- Read a STIX bundle and identify the threat-actor, campaign, malware, indicator, and relationship objects
- Distinguish ISAC, ISAO, and bilateral exchange channels and identify when each is appropriate
Module 05 · 110 min
Writing Finished Intelligence Products
What an executive expects in a strategic CTI assessment, the BLUF (Bottom Line Up Front) discipline, the analytic confidence language, and how to source claims so the consumer can verify.
Learning objectives
- Apply the BLUF discipline to a sample CTI assessment and identify what belongs in the first paragraph versus the body
- Distinguish the standard analytic confidence terms (high, moderate, low confidence) per ICD 203 and use them correctly in a sample paragraph
- Source a finished intelligence product so a consumer can independently verify each non-obvious claim
Module 06 · 100 min
The CTI Career Trajectory
What the CTI analyst, senior CTI analyst, threat intelligence lead, and threat intelligence director ladder looks like, the credentials hiring managers price into the offer, and the BLS, ISC2, and SANS data behind compensation.
Learning objectives
- Distinguish CTI analyst, senior CTI analyst, threat intelligence lead, and threat intelligence director by daily decisions and credentials
- Cite BLS OES 2024, ISC2 2024, and SANS data on CTI compensation
- Build a 12-month plan from current state to a target CTI role with credentialed milestones (Security+, GCTI, GCFA, plus a portfolio of published analytic products)

Target audience

SOC analysts moving into Tier 3 hunting or threat intelligence roles
Incident responders who want to ground their post-incident analysis in tradecraft frameworks
Security engineers responsible for detection content who want to consume CTI sources critically
Cybersecurity practitioners preparing for the GIAC GCTI examination
Cyber-curious adults from journalism, OSINT research, or policy backgrounds entering defensive CTI

Prerequisites

Working SOC or detection-engineering experience or completion of DecipherU's SOC Analyst Fundamentals course
Basic familiarity with MITRE ATT&CK (the Threat Landscape module of SOC Analyst Fundamentals covers what is required)
Comfort reading APT-group reports and writing analytic prose
Willingness to commit 8 to 10 weeks of 4 to 6 hours per week study

Sources

Diamond Model of Intrusion Analysis (Caltagirone, Pendergast, Betz 2013) — Center for Cyber Intelligence Analysis and Threat Research, Technical Report ADA586960.
Lockheed Martin Cyber Kill Chain (Hutchins, Cloppert, Amin 2011) — Original peer-reviewed conference paper.
MITRE ATT&CK Enterprise Matrix and Cloud Matrix — MITRE Corporation, free for public use.
Heuer, R. J., Jr. (1999) Psychology of Intelligence Analysis — Center for the Study of Intelligence, CIA. Foundational tradecraft reference.
ODNI ICD 203 Analytic Standards (2015) — Office of the Director of National Intelligence.
ODNI 2017 Russian Election Interference Assessment (public ACH product) — Office of the Director of National Intelligence.
STIX 2.1 (OASIS Standard) — OASIS Cyber Threat Intelligence Technical Committee (2021).
TAXII 2.1 (OASIS Standard) — OASIS Cyber Threat Intelligence Technical Committee (2021).
FIRST.org Traffic Light Protocol 2.0 — Forum of Incident Response and Security Teams (2022).
CISA Automated Indicator Sharing (AIS) — Cybersecurity and Infrastructure Security Agency.
BLS OES May 2024: Information Security Analysts — U.S. Bureau of Labor Statistics.
ISC2 Cybersecurity Workforce Study 2024 — Workforce gap and compensation by tier.

Disclaimer

This course is for educational purposes only. CTI work involves judgments about adversaries that carry real-world consequences for the targets and the analysts. The tradecraft taught here applies to defensive CTI; readers must consult counsel and ethics review for any work that approaches active engagement with adversary infrastructure. Government-classified CTI tradecraft is not covered. NIST, MITRE, CISA, and CIA materials cited here are public works. STIX and TAXII are OASIS open standards. DecipherU is not affiliated with any CTI vendor or government intelligence service.

Threat Intelligence Fundamentals

6 modules16 hours$197 one-timeDiamond + Kill Chain + ATT&CK + tradecraft

What this cybersecurity course is

Six modules

Module 01 · 120 min

The Intelligence Lifecycle and Why CTI Inherits It

The six-step intelligence lifecycle from US national-intelligence tradecraft, why CTI uses the same structure, and what each step looks like at a corporate cyber-threat-intelligence team.

Learning objectives

Cite the six steps of the intelligence lifecycle (requirements, collection, processing, analysis, dissemination, feedback) and identify the deliverable each step produces in a CTI context
Distinguish strategic, operational, and tactical CTI by audience, time horizon, and the form of the finished product
Apply the Traffic Light Protocol (TLP 2.0) to a sample CTI product and explain who can receive each TLP level

Module 02 · 130 min

The Diamond Model and the Cyber Kill Chain

Two analytic frameworks for understanding intrusions, why CTI analysts use them as complementary lenses rather than competing ones, and how to apply both to a published APT report.

Learning objectives

Cite the four vertices of the Diamond Model (adversary, capability, infrastructure, victim) and the meta-features (timestamp, phase, result, direction, methodology, resources)
Cite the seven stages of the Cyber Kill Chain and identify the kill-chain phase a given technique sits in
Read a published APT report (Mandiant, Microsoft, CrowdStrike) and produce both a Diamond Model representation and a Kill Chain mapping

Module 03 · 130 min

Structured Analytic Techniques in CTI

How professional intelligence analysts manage cognitive bias, why Heuer's Analysis of Competing Hypotheses is the foundational technique, and which structured techniques apply to which CTI questions.

Learning objectives

Cite Heuer's Psychology of Intelligence Analysis (1999) and the eight cognitive biases it documents that affect intelligence judgment
Apply Analysis of Competing Hypotheses (ACH) to a published attribution claim
Identify three other structured analytic techniques (key assumptions check, devil's advocacy, what-if analysis) and the CTI question each applies to

Module 04 · 110 min

STIX, TAXII, and Cross-Organization Information Sharing

How CTI moves between organizations in machine-readable form, what the STIX 2.1 data model captures, and how the TAXII protocol structures the exchange.

Learning objectives

Cite the major STIX 2.1 object types (SDO, SCO, SRO) and identify when each is used
Read a STIX bundle and identify the threat-actor, campaign, malware, indicator, and relationship objects
Distinguish ISAC, ISAO, and bilateral exchange channels and identify when each is appropriate

Module 05 · 110 min

Writing Finished Intelligence Products

What an executive expects in a strategic CTI assessment, the BLUF (Bottom Line Up Front) discipline, the analytic confidence language, and how to source claims so the consumer can verify.

Learning objectives

Apply the BLUF discipline to a sample CTI assessment and identify what belongs in the first paragraph versus the body
Distinguish the standard analytic confidence terms (high, moderate, low confidence) per ICD 203 and use them correctly in a sample paragraph
Source a finished intelligence product so a consumer can independently verify each non-obvious claim

Module 06 · 100 min

The CTI Career Trajectory

What the CTI analyst, senior CTI analyst, threat intelligence lead, and threat intelligence director ladder looks like, the credentials hiring managers price into the offer, and the BLS, ISC2, and SANS data behind compensation.

Learning objectives

Distinguish CTI analyst, senior CTI analyst, threat intelligence lead, and threat intelligence director by daily decisions and credentials
Cite BLS OES 2024, ISC2 2024, and SANS data on CTI compensation
Build a 12-month plan from current state to a target CTI role with credentialed milestones (Security+, GCTI, GCFA, plus a portfolio of published analytic products)

Target audience

SOC analysts moving into Tier 3 hunting or threat intelligence roles

Incident responders who want to ground their post-incident analysis in tradecraft frameworks

Security engineers responsible for detection content who want to consume CTI sources critically

Cybersecurity practitioners preparing for the GIAC GCTI examination

Cyber-curious adults from journalism, OSINT research, or policy backgrounds entering defensive CTI

Prerequisites

Working SOC or detection-engineering experience or completion of DecipherU's SOC Analyst Fundamentals course

Basic familiarity with MITRE ATT&CK (the Threat Landscape module of SOC Analyst Fundamentals covers what is required)

Comfort reading APT-group reports and writing analytic prose

Willingness to commit 8 to 10 weeks of 4 to 6 hours per week study

Disclaimer

Threat Intelligence Fundamentals

What this cybersecurity course is

Six modules

The Intelligence Lifecycle and Why CTI Inherits It

The Diamond Model and the Cyber Kill Chain

Structured Analytic Techniques in CTI

STIX, TAXII, and Cross-Organization Information Sharing

Writing Finished Intelligence Products

The CTI Career Trajectory

Target audience

Prerequisites

Related cybersecurity content

Sources

Disclaimer

Threat Intelligence Fundamentals

What this cybersecurity course is

Six modules

The Intelligence Lifecycle and Why CTI Inherits It

The Diamond Model and the Cyber Kill Chain

Structured Analytic Techniques in CTI

STIX, TAXII, and Cross-Organization Information Sharing

Writing Finished Intelligence Products

The CTI Career Trajectory

Target audience

Prerequisites

Related cybersecurity content

Sources

Disclaimer