
Free CTIA Practice Questions

10 free, exam-style Certified Threat Intelligence Analyst (CTIA) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CTIA practice test to study every exam domain.

The CTIA exam has 50 questions and runs 2 hours.

These 10 free CTIA questions are organized by exam domain, so you can see how each part of the Certified Threat Intelligence Analyst blueprint is tested. The correct answer and a short explanation follow each question.

Domain 1: Introduction to Threat Intelligence (12% of exam)

Question 1

Nadia receives threat intelligence about trending malware families being used against organizations in the energy sector. She prepares a presentation for the board of directors about the potential business impact. Nadia is consuming intelligence at which level?

  A. Technical
  B. Tactical
  C. Operational
  D. Strategic

Correct answer: D - Strategic

Explanation: Strategic intelligence is high-level, largely non-technical, and written for executives and boards to inform risk and investment decisions, which is exactly what a business-impact briefing on sector-wide malware trends is. Tactical intelligence covers adversary TTPs for defenders, operational intelligence covers specific campaigns or imminent attacks, and technical intelligence covers indicators such as hashes, domains and IPs.

Domain 2: Cyber Threats and Attack Frameworks (8% of exam)

Question 2

An attacker sets up a watering hole attack by compromising a website frequently visited by employees of the target organization. Visiting the compromised site triggers a drive-by download. Which TWO Cyber Kill Chain phases are represented?

  A. Reconnaissance and Weaponization
  B. Delivery and Exploitation
  C. Installation and Command and Control
  D. Weaponization and Delivery

Correct answer: B - Delivery and Exploitation

Explanation: The compromised, frequently visited website is the delivery vector that brings the payload to the victim, and the drive-by download is the exploitation step, abusing a browser or plugin weakness to run code without user interaction. Reconnaissance (choosing which site the targets visit) and weaponization (preparing the exploit) happened earlier, and installation and C2 come later.

Question 3

An organization develops detection rules that identify specific adversary behaviors (such as living-off-the-land techniques and lateral movement patterns) rather than relying solely on hash and IP blocking. According to the Pyramid of Pain, this approach:

  A. Is less effective than blocking hashes
  B. Targets the highest level, inflicting maximum pain
  C. Only works against nation-state actors
  D. Is too expensive to implement effectively

Correct answer: B - Targets the highest level, inflicting maximum pain

Explanation: TTPs sit at the apex of the Pyramid of Pain. A hash or IP address can be swapped in minutes, but forcing an adversary to abandon how they operate (their living-off-the-land tooling, their lateral movement pattern) imposes real cost and retraining. Behavioral detections therefore hurt the attacker most, regardless of whether they are criminal or state-sponsored.

Domain 4: Data Collection and Processing (24% of exam)

Question 4

An analyst needs to visually map relationships between an adversary's domains, IP addresses, email addresses, and social media accounts. Which tool is MOST suitable?

  A. Wireshark
  B. Maltego
  C. Cuckoo Sandbox
  D. IDA Pro

Correct answer: B - Maltego

Explanation: Maltego is a link-analysis tool that builds graphs of entities (domains, IP addresses, email addresses, social media accounts) and the relationships between them, which is the task described. Wireshark is a packet analyzer, Cuckoo Sandbox is a dynamic malware analysis environment, and IDA Pro is a disassembler.

Question 5

An analyst identifies suspicious API imports like 'CreateRemoteThread' and 'VirtualAllocEx' during static analysis. These imports suggest the malware may:

  A. Be a harmless utility
  B. Perform process injection
  C. Only access the file system
  D. Only communicate over HTTP

Correct answer: B - Perform process injection

Explanation: VirtualAllocEx allocates memory inside another process, and CreateRemoteThread starts a thread inside that process. Together with WriteProcessMemory (used to copy the payload into the allocated region), they form the classic remote-thread injection chain. Seeing them imported does not prove injection, since some legitimate debuggers and security tools use them, but it is a strong reason to prioritize the sample for dynamic analysis.

Domain 5: Data Analysis (16% of exam)

Question 6

A web application does not log user actions, allowing a malicious user to deny making a fraudulent transaction. In STRIDE, this is:

  A. Spoofing
  B. Repudiation
  C. Information Disclosure
  D. Tampering

Correct answer: B - Repudiation

Explanation: Repudiation is the threat that a user can deny having performed an action because the system cannot prove otherwise. The missing audit trail is what enables it; the STRIDE countermeasure is non-repudiation through tamper-evident logging of user actions.

Question 7

A CTI team is investigating a breach and has three competing theories about the responsible threat actor. To systematically evaluate each theory against the available evidence, the team should use:

  A. Google dorking techniques
  B. The Analysis of Competing Hypotheses (ACH)
  C. The Cyber Kill Chain framework
  D. Shodan scanning methodology

Correct answer: B - The Analysis of Competing Hypotheses (ACH)

Explanation: ACH lays each hypothesis out against every piece of evidence in a matrix, rates each cell as consistent or inconsistent, and then favors the hypothesis with the least inconsistent evidence rather than the one with the most supporting evidence. Google dorking and Shodan are collection techniques, and the Cyber Kill Chain models attack phases, not attribution.
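The matrix-scoring step that ACH describes, as an added example that is not part of the original page or the CTIA courseware. The three hypotheses, the evidence items, their diagnosticity weights and the consistent/inconsistent ratings are all constructed for illustration; the scoring rule (rank by weighted inconsistencies, not by consistencies) is the standard ACH method.

```python
"""Analysis of Competing Hypotheses (ACH) scoring matrix.

Added example for the ACH question above. Hypotheses, evidence and ratings are
constructed for illustration, not taken from a real investigation.
"""

# Each evidence item is rated against every hypothesis using the usual ACH
# vocabulary: C = consistent, I = inconsistent, N = not applicable.
HYPOTHESES = {
    "H1": "financially motivated crimeware group",
    "H2": "state-sponsored espionage actor",
    "H3": "disgruntled insider",
}

# Constructed matrix: (evidence, diagnosticity weight, {hypothesis: rating}).
# A higher weight means the analyst trusts the evidence more and considers it
# more diagnostic; weights are an assumption of this example.
EVIDENCE = [
    ("Initial access via phishing lure themed on a vendor invoice", 1,
     {"H1": "C", "H2": "C", "H3": "I"}),
    ("Exfiltrated data was engineering drawings; payment data untouched", 2,
     {"H1": "I", "H2": "C", "H3": "C"}),
    ("Custom implant absent from every crimeware tracking feed", 2,
     {"H1": "I", "H2": "C", "H3": "N"}),
    ("Activity occurred outside the insider's badge-in hours", 2,
     {"H1": "N", "H2": "N", "H3": "I"}),
    ("No ransom note or extortion contact after 60 days", 2,
     {"H1": "I", "H2": "C", "H3": "C"}),
    ("Valid credentials used for lateral movement", 1,
     {"H1": "C", "H2": "C", "H3": "C"}),
    ("Staging server previously tied to crimeware campaigns", 1,
     {"H1": "C", "H2": "I", "H3": "N"}),
]


def inconsistency_scores(evidence=EVIDENCE, hypotheses=HYPOTHESES):
    """Weighted count of inconsistent evidence per hypothesis.

    ACH deliberately ignores consistent ratings: almost any hypothesis can be
    made to fit some evidence, so only disconfirming evidence is counted.
    """
    scores = {h: 0 for h in hypotheses}
    for _desc, weight, ratings in evidence:
        for h in hypotheses:
            if ratings[h] == "I":
                scores[h] += weight
    return scores


def rank(evidence=EVIDENCE):
    """Hypotheses ordered from least to most inconsistent evidence."""
    return sorted(inconsistency_scores(evidence).items(), key=lambda kv: kv[1])


def non_diagnostic(evidence=EVIDENCE):
    """Evidence rated identically for every hypothesis: it cannot discriminate."""
    return [desc for desc, _w, ratings in evidence
            if len(set(ratings.values())) == 1]


def critical_evidence(evidence=EVIDENCE):
    """Evidence whose removal leaves the leading hypothesis no longer uniquely ahead.

    This is the ACH sensitivity check: these are the items to re-verify before
    the team commits to an attribution.
    """
    leader = rank(evidence)[0][0]
    critical = []
    for i, (desc, _w, _r) in enumerate(evidence):
        reduced = rank(evidence[:i] + evidence[i + 1:])
        tied = len(reduced) > 1 and reduced[0][1] == reduced[1][1]
        if reduced[0][0] != leader or tied:
            critical.append(desc)
    return critical


if __name__ == "__main__":
    for hyp, score in rank():
        print(f"{hyp} ({HYPOTHESES[hyp]}): weighted inconsistencies = {score}")
    print("non-diagnostic evidence:", non_diagnostic())
    print("evidence to re-verify before concluding:", critical_evidence())
```

With the constructed matrix, H2 survives with a single weighted inconsistency, H3 carries three and H1 six. The sensitivity check shows that H2's lead over H3 rests entirely on the badge-hours record, so that is the item to validate (for example, against VPN logs) before the attribution goes into a report. The lateral-movement item is rated consistent with every hypothesis and so contributes nothing, which is why ACH tells analysts to spend collection effort on evidence that can actually disconfirm something.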

Domain 6: Dissemination and Reporting of Intelligence (14% of exam)

Question 8

An analyst receives intelligence marked TLP:AMBER about a critical vulnerability being actively exploited. The analyst's MOST appropriate action is:

  A. Post the intelligence on Twitter for maximum awareness
  B. Share it within the organization on a need-to-know basis to relevant teams
  C. Forward it to all external partners without restriction
  D. Ignore the intelligence since it is restricted

Correct answer: B - Share it within the organization on a need-to-know basis to relevant teams

Explanation: TLP:AMBER means limited disclosure: recipients may share the information only within their own organization (and, under TLP 2.0, with its clients) on a need-to-know basis. Public posting and unrestricted forwarding both violate the marking, while ignoring actionable intelligence about active exploitation defeats the purpose of receiving it. The vulnerability management and SOC teams who need to act on it are the right recipients.

Domain 7: Threat Hunting and Detection (6% of exam)

Question 9

A threat hunt reveals that several workstations are making periodic HTTPS connections to a previously unknown external domain at exact 60-second intervals. This pattern is consistent with:

  A. Normal software update checks
  B. C2 beaconing activity
  C. Standard email polling
  D. DNS resolution caching

Correct answer: B - C2 beaconing activity

Explanation: Implants check in with their command-and-control server on a timer, so the hallmark of beaconing is many small connections to the same destination at a fixed interval, here from several hosts to a domain nobody had seen before. Software update checks run far less often, mail polling intervals vary with the client and are to known mail servers, and DNS caching reduces lookups rather than producing outbound HTTPS sessions. One caveat for the hunt itself: many C2 frameworks add random jitter to the interval, so a detection should tolerate some variance rather than require exactly 60 seconds.
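The hunt described in this question, turned into a small interval-regularity check over proxy log lines, as an added example that is not part of the original page. The log format (ISO timestamp, source host, destination domain, byte count), the sample lines and the two thresholds are all constructed assumptions; the jitter-ratio heuristic is one common way to score periodicity and deliberately tolerates some variance, since real beacons rarely fire at exactly the same second.

```python
"""Periodic-connection (beaconing) hunt over proxy log lines.

Added example for the C2 beaconing question above. The log format, sample
lines and thresholds are assumptions made for this example.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <src_host> <dest_domain> <bytes>".
# Two workstations call the same unknown domain every 60 seconds with near-identical
# byte counts; the same workstation also polls a mail server at irregular gaps.
SAMPLE_LOG = """\
2024-03-01T09:00:00 WS-17 cdn-updates.example.net 1412
2024-03-01T09:01:00 WS-17 cdn-updates.example.net 1408
2024-03-01T09:02:00 WS-17 cdn-updates.example.net 1415
2024-03-01T09:03:00 WS-17 cdn-updates.example.net 1410
2024-03-01T09:04:00 WS-17 cdn-updates.example.net 1411
2024-03-01T09:00:12 WS-17 mail.example.com 5020
2024-03-01T09:07:41 WS-17 mail.example.com 3311
2024-03-01T09:11:05 WS-17 mail.example.com 8770
2024-03-01T09:25:30 WS-17 mail.example.com 2201
2024-03-01T09:40:02 WS-17 mail.example.com 6600
2024-03-01T09:00:30 WS-22 cdn-updates.example.net 1409
2024-03-01T09:01:30 WS-22 cdn-updates.example.net 1413
2024-03-01T09:02:30 WS-22 cdn-updates.example.net 1410
2024-03-01T09:03:30 WS-22 cdn-updates.example.net 1412
2024-03-01T09:04:30 WS-22 cdn-updates.example.net 1411
"""

MIN_CONNECTIONS = 5      # assumed: need enough gaps for the statistics to mean anything
MAX_JITTER_RATIO = 0.10  # assumed: stdev(gap) / mean(gap); lower means more regular


def parse_log(text):
    """Group connection timestamps by (source host, destination domain)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, _size = line.split()
        groups[(host, domain)].append(datetime.fromisoformat(ts))
    return groups


def interval_stats(timestamps):
    """Mean and population stdev (seconds) of gaps between consecutive connections."""
    ts = sorted(timestamps)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]
    return statistics.mean(gaps), statistics.pstdev(gaps)


def find_beacons(text, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return (host, domain, mean_interval_s, jitter_ratio) for pairs that look periodic.

    A low jitter ratio means the gaps are nearly constant, the signature of a
    timer-driven check-in. Irregular, user-driven traffic scores much higher.
    """
    hits = []
    for (host, domain), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        mean, stdev = interval_stats(times)
        if mean <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = stdev / mean
        if jitter <= max_jitter:
            hits.append((host, domain, round(mean, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("periodic connection:", hit)
```

On the sample log the two workstation-to-cdn-updates.example.net pairs score a jitter ratio of 0.0 at a 60-second mean, while the mail polling (gaps ranging from about three to fifteen minutes) scores around 0.48 and is ignored. A hit is a lead, not a verdict: the next pivots are how many hosts share the destination, whether the domain is newly registered or absent from the organization's allow-list of update services, and whether the request sizes are as uniform as the timing.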

Domain 8: Threat Intelligence in SOC Operations, Incident Response, and Risk Management (6% of exam)

Question 10

During an active incident, how can threat intelligence MOST effectively accelerate containment?

  A. By providing the adversary's personal information
  B. By revealing known TTPs and C2 infrastructure to target
  C. By automatically containing all threats without human intervention
  D. By providing only historical data about past incidents

Correct answer: B - By revealing known TTPs and C2 infrastructure to target

Explanation: Knowing the actor's TTPs tells responders where else to look (persistence mechanisms, lateral movement paths, staging locations), and known C2 infrastructure gives them concrete domains and IPs to block and to hunt for across the estate. Personal details about the adversary do not help stop the intrusion, intelligence does not contain anything by itself, and purely historical data without current indicators is of limited use during a live incident.

The rest of the CTIA blueprint

The CTIA exam also covers domains not sampled above. Drill them in the full free practice test.

Ready for the real thing?

Practice hundreds more CTIA questions with instant scoring, weak-area drills, and full exam simulations.
