- Exam at a Glance: The Numbers That Matter
- Question Format and What It Actually Tests
- Domain Breakdown: Where the Points Live
- Registration, Fees, and Eligibility
- Scoring Mechanics and the 70% Threshold
- Testing Environment: Proctoring Options
- Preparing by Domain Weight
- Certification Validity and Renewal
- Frequently Asked Questions
- The CTIA exam (code 312-85) consists of exactly 50 multiple-choice questions answered in 2 hours, with a 70% passing score.
- Total entry cost is $550: a $450 exam voucher plus a $100 eligibility application fee.
- Data Collection and Processing is the heaviest domain at 24%, covering OSINT, HUMINT, threat feeds, and cloud collection.
- Prerequisites require EC-Council authorized training OR a documented 2+ years of information security experience via eligibility application.
Exam at a Glance: The Numbers That Matter
Before investing time and money into preparation, every CTIA candidate deserves a clear, unambiguous picture of what the exam actually looks like. The CTIA (Certified Threat Intelligence Analyst), governed by EC-Council and currently in version CTIA v2, uses exam code 312-85. Here is every measurable fact about the exam structure in one place.
| Exam Detail | Specification |
|---|---|
| Exam Code | 312-85 (CTIA v2) |
| Governing Body | EC-Council |
| Number of Questions | 50 multiple-choice |
| Time Allowed | 2 hours (120 minutes) |
| Passing Score | 70% (35 of 50 questions) |
| Question Language | English only |
| Exam Format | Closed-book |
| Exam Voucher Fee | $450 |
| Application Fee | $100 |
| Certification Validity | 3 years |
| Testing Platform | EC-Council Exam Center or Pearson VUE |
With 50 questions spread over 120 minutes, you have an average of 2 minutes and 24 seconds per question. That pacing is more generous than many technical certifications, but it assumes you genuinely understand the material rather than spending precious minutes decoding unfamiliar terminology under pressure.
Question Format and What It Actually Tests
The 312-85 exam is entirely multiple-choice. Unlike some advanced EC-Council certifications that incorporate performance-based or lab simulations, CTIA v2 relies on scenario-driven MCQs that assess your ability to apply threat intelligence principles in realistic analyst contexts. That distinction matters a great deal for how you study.
Scenario-Driven vs. Knowledge-Recall Questions
CTIA questions do not simply ask you to define terms. Many present a short scenario - a SOC analyst receives a threat report, an organization needs to prioritize a threat feed, a CISO asks for an intelligence-driven risk summary - and then ask you to identify the correct analyst action, the appropriate framework, or the right data source. This means rote memorization of definitions is necessary but not sufficient. You need to understand how concepts like OSINT collection, data normalization, STIX/TAXII, and the intelligence lifecycle interact in practice.
The exam is also English-only, which is worth noting for candidates whose primary language is not English. Technical threat intelligence terminology - pivot analysis, indicator enrichment, threat actor attribution, dissemination formats - can be nuanced, and there is no accommodation for language ambiguity in the current version.
Domain Breakdown: Where the Points Live
The eight CTIA domains are not equally weighted. Knowing the percentage each domain contributes to your final score allows you to make rational decisions about where to focus your study time. A weak performance in Domain 4 costs you roughly four times as much as a weak performance in Domain 7.
Domain 4: Data Collection and Processing (24%)
This is the single most tested domain and covers the broadest technical range of any section in the exam.
- Open-Source Intelligence (OSINT) collection techniques and tooling
- Human Intelligence (HUMINT) tradecraft relevant to cyber investigations
- Threat feed selection, integration, and quality assessment
- Data enrichment processes: correlating raw indicators with context
- Cloud-based collection: APIs, cloud logs, SaaS threat data sources
- Data normalization and structuring for downstream analysis
Domain 5: Data Analysis (16%)
Candidates must understand how raw collected data becomes actionable intelligence through structured analytic techniques.
- Structured analytic techniques (SATs) including ACH, kill chain analysis, and diamond model application
- Indicator of Compromise (IoC) analysis and pivoting
- Threat actor profiling and attribution methodologies
- Statistical and pattern-based analysis of threat data
Domains 3 and 6: Planning and Dissemination (14% each)
Domain 3 (Requirements, Planning, Direction, and Review) and Domain 6 (Dissemination and Reporting of Intelligence) each carry 14% of the exam weight. Together they represent more than a quarter of the total score.
- Intelligence Requirements (IRs) and Priority Intelligence Requirements (PIRs)
- Intelligence program governance and stakeholder management
- Report formats: strategic, tactical, operational, and technical intelligence
- STIX, TAXII, and structured sharing formats
- Threat intelligence platform (TIP) integration and dissemination workflows
The remaining domains cover important conceptual ground but carry lower individual weights:
- Domain 1: Introduction to Threat Intelligence (12%) - intelligence lifecycle, types of threat intelligence, and program maturity models
- Domain 2: Cyber Threats and Attack Frameworks (8%) - MITRE ATT&CK, Cyber Kill Chain, Diamond Model, and threat actor taxonomy
- Domain 7: Threat Hunting and Detection (6%) - hypothesis-driven hunting, TTP-based detection, and hunting platforms
- Domain 8: Threat Intelligence in SOC Operations, Incident Response, and Risk Management (6%) - integrating intelligence into IR playbooks, risk-based prioritization, and SOC workflows
Registration, Fees, and Eligibility
The CTIA has a two-part cost structure that candidates sometimes overlook when budgeting. The exam voucher costs $450, but EC-Council also charges a $100 application fee for candidates who are not entering through an EC-Council authorized training program. That brings the minimum total investment to $550 before factoring in study materials, practice exams, or retake fees.
Two Paths to Eligibility
There are two legitimate routes to sit the CTIA exam. The first is completing EC-Council authorized training - typically the official CTIA course delivered through an accredited training partner or directly through EC-Council's iLearn platform. The second is submitting an eligibility application demonstrating a minimum of 2 years of information security work experience. This application-based route is where the $100 fee applies and requires documented evidence of your professional background.
For a detailed walkthrough of exactly what qualifies as acceptable experience and how to structure your eligibility application, see our article on CTIA Prerequisites and Eligibility Requirements 2026. Getting eligibility right before you purchase your voucher saves both time and money.
Scoring Mechanics and the 70% Threshold
The CTIA passing score is 70%. On a 50-question exam, that means you need to answer at least 35 questions correctly. You can answer up to 15 questions incorrectly and still earn your certification. There is no penalty for incorrect answers - if you are genuinely unsure of a question, guessing is always preferable to leaving it blank.
Understanding What 70% Really Means Across Domains
The passing threshold is applied to your overall score, not to individual domains. EC-Council does not publish a per-domain minimum requirement for CTIA v2. This means that a particularly strong performance in Data Collection and Processing (Domain 4) can compensate for a weaker result in Threat Hunting and Detection (Domain 7). However, approaching the exam with the intention of deliberately skipping domain coverage is a high-risk strategy - the questions do not announce which domain they belong to, and gaps in foundational knowledge tend to surface unexpectedly.
EC-Council does not publicly disclose the CTIA pass rate. Do not trust any source that claims to cite an exact percentage - those figures are not available from the certifying body.
Key Takeaway
You need 35 correct answers out of 50 to pass. There is no wrong-answer penalty, so always submit an answer for every question - even when uncertain. Use the remaining time to revisit flagged questions rather than leaving anything blank.
Testing Environment: Proctoring Options
The CTIA exam can be taken through two official channels: the EC-Council Exam Center (which supports remote proctoring) or a Pearson VUE authorized testing center. Both deliver the same 312-85 exam, but the experience differs in meaningful ways.
Remote Proctoring via EC-Council
Remote proctoring through the EC-Council Exam Center allows you to test from a private location - typically your home or office - using a webcam and a stable internet connection. Candidates must meet strict environmental requirements: a clean desk, no external monitors, no mobile devices within reach, and no other people in the room. The exam is closed-book, and the proctor monitors your session in real time. This option offers scheduling flexibility but demands a distraction-free environment.
Pearson VUE Testing Centers
Pearson VUE operates physical testing centers globally. This option suits candidates who prefer a controlled, away-from-home environment, or whose home setup cannot reliably meet remote proctoring requirements. Scheduling is done directly through the Pearson VUE portal after obtaining your EC-Council exam voucher.
Regardless of which delivery method you choose, the exam rules are identical: English only, closed-book, no reference materials, no communication with others during the exam window.
Preparing by Domain Weight
Given the clear domain weight distribution, a structured preparation timeline should allocate study time proportionally. The following five-week framework maps study blocks to domain weight and builds from foundational concepts toward the highest-weighted applied skills.
Foundations: Domains 1 and 2 (20% combined)
- Intelligence lifecycle phases and their practical outputs
- MITRE ATT&CK matrix: tactics, techniques, and sub-techniques
- Cyber Kill Chain stages mapped to threat actor behavior
- Diamond Model components and relationship mapping
- Threat actor taxonomy: nation-state, cybercriminal, hacktivist, insider
Planning and Direction: Domain 3 (14%)
- Writing and refining Intelligence Requirements (IRs)
- Priority Intelligence Requirements (PIRs) and stakeholder alignment
- Intelligence program review cycles and feedback loops
- Collection management and source reliability frameworks
Data Collection, Processing, and Analysis: Domains 4 and 5 (40% combined)
- OSINT tools and search techniques: Shodan, Maltego, passive DNS, certificate transparency
- Threat feed evaluation criteria: timeliness, accuracy, relevance, and coverage
- Cloud-based collection: AWS CloudTrail, Azure Sentinel, and SaaS log sources
- Data enrichment workflows: GeoIP, WHOIS, VirusTotal integrations
- Structured analytic techniques and cognitive bias mitigation
- IoC pivoting from hash → domain → IP → infrastructure cluster
Dissemination, SOC Integration, and Threat Hunting: Domains 6, 7, and 8 (26% combined)
- STIX 2.1 object types and TAXII server/client architecture
- Report tailoring by audience: executive, operational, technical
- Hypothesis-driven threat hunting workflows and TTP-based detection rules
- Integrating intelligence into SIEM, SOAR, and IR playbooks
- Full-length practice exams and weak-domain review
This framework prioritizes time where the exam does. Spending the equivalent of two full weeks on Domains 4 and 5 reflects their 40% combined weight. If you are using CTIA practice tests throughout this timeline, run domain-filtered quizzes at the end of each study block to identify gaps before moving forward.
Who Hires CTIA-Certified Professionals
The CTIA is specifically valued by organizations that operate dedicated threat intelligence functions. This includes financial services firms running financial sector ISACs, government agencies and defense contractors requiring structured intelligence analysis, managed security service providers (MSSPs) offering threat intelligence as a service, and large enterprises with mature SOC operations that have matured beyond reactive incident response. The credential signals that a candidate understands not only how to collect indicators but how to transform raw data into finished intelligence products that drive security decisions - the full cycle from collection planning through stakeholder dissemination.
Roles that commonly list CTIA as a preferred or required credential include Threat Intelligence Analyst, Cyber Threat Analyst, SOC Tier 3 Analyst, and Intelligence Program Manager. If you are evaluating whether this certification aligns with your career path, reviewing the CTIA Prerequisites and Eligibility Requirements 2026 article will help you determine whether your current experience qualifies you to sit the exam today.
Certification Validity and Renewal
The CTIA certification is valid for 3 years from the date of issue. Renewal requires earning 120 EC-Council Continuing Education (ECE) credits over the three-year cycle. ECE credits can be accumulated through a variety of professional development activities including attending security conferences, completing EC-Council courses, publishing research, or contributing to cybersecurity community initiatives.
In addition to the ECE requirement, maintaining an active EC-Council membership carries an $80 annual fee. This membership fee is separate from any retake or re-examination costs. Candidates who allow their certification to lapse will need to re-examine rather than simply submit a renewal application.
For candidates who are actively preparing for the initial exam, the renewal framework is worth understanding early. Building ECE credit habits - attending webinars, subscribing to threat intelligence sharing communities like ISACs, or participating in EC-Council events - during your early career as a certified analyst makes the three-year renewal cycle significantly easier to manage.
Once you are ready to test your domain knowledge in realistic exam conditions, practicing with CTIA-style questions is the most direct way to identify where your preparation stands before exam day.
Frequently Asked Questions
The CTIA passing score is 70% on a 50-question exam, which means you need at least 35 correct answers. There is no penalty for incorrect responses, so you should answer every question even if you are uncertain.
The exam voucher costs $450. Candidates applying through the eligibility application route (without EC-Council authorized training) also pay a $100 application fee, bringing the minimum total to $550. This does not include study materials or retake fees.
Yes. The EC-Council Exam Center supports remote proctoring, allowing candidates to test from a private location with a webcam and stable internet connection. Alternatively, you can schedule the exam at a Pearson VUE physical testing center. The exam rules - closed-book, English only, no reference materials - are identical regardless of delivery method.
Domain 4 (Data Collection and Processing) carries the highest weight at 24% of the exam. It covers OSINT, HUMINT, threat feeds, data enrichment, and cloud-based collection. Domains 5 (Data Analysis at 16%), 3 (Planning at 14%), and 6 (Dissemination at 14%) are also heavily weighted and should receive proportional attention in your study plan.
The CTIA certification is valid for 3 years. Renewal requires accumulating 120 ECE (EC-Council Continuing Education) credits over the three-year period, plus paying an $80 annual EC-Council membership fee. Credits can be earned through professional development activities such as conferences, courses, and community contributions.
Ready to Start Practicing?
Test your knowledge across all eight CTIA domains with exam-style multiple-choice questions built specifically for the 312-85 exam. Identify your weak domains before exam day - not during it.
Start Free Practice Test