EXAM 2026 COMPREHENSIVE EXAM
SOLVED QUESTIONS WITH VERIFIED
ANSWERS AND RATIONALES
⩥ Which type of memory is the most critical in intel analysis and why?
Answer: Working memory, as it processes inputs and determines whether
to store them in long- or short-term memory
⩥ What is template matching? Answer: Theory that every object is
processed by the brain and stored as a template in long-term memory
⩥ Compare system 1 and 2 thinking Answer: System 1 - intuitive, fast,
effective
System 2 - analytical, slow, methodical
⩥ Which system of thinking requires mental models? Answer: System 1
⩥ What is an activity group? Answer: A clustering of intrusions which
cover 2 or more phases in the diamond model
⩥ What is a key indicator? Answer: An indicator that remains constant
across multiple intrusions, uniquely distinguishes a campaign from other
campaigns, and aligns to a single category of adversary action.
⩥ What is a Collection Management Framework (CMF)? Answer: A
CMF is the plan for how you collect data, where you collect it, and what
type of data you collect.
⩥ What 3 aspects make up a threat? Answer: Intent, Capability,
Opportunity
⩥ Which level of effort is required to change a domain name according
to the pyramid of pain? Answer: Simple
⩥ What is the importance of understanding intelligence collection on a
technical level? Answer: Ensures analyst understands limitations of their
data sources
⩥ What is counterintelligence? Answer: The identification, assessment,
neutralisation, and exploitation of adversarial entities.
⩥ Understanding your organization's vulnerabilities using models and
config analysis is what type of threat detection? Answer: Environmental
⩥ Which TLP level allows intel to be shared online? Answer: TLP:White
⩥ On the sliding scale of cyber security, in what category do analysts
respond to and learn from adversaries on their network? Answer: Active
Defence
⩥ Before satisfying an intel requirement, what must an analyst do to
determine if it is achievable? Answer: Determine whether they have
enough data to satisfy the requirement. A Collection Management
Framework (CMF) defines how you collect data.
⩥ What TLP level allows you to share intel within your community?
Answer: TLP:Green
⩥ IOCs are used to improve the signatures of an organization's NIDS; what
category on the sliding scale of security does this fall under? Answer:
Passive Defence
⩥ How can intel teams prevent bias? Answer: Use of Structured
Analytic Techniques (SATs)
Inclusion of diversity
⩥ Questioning the ROI and reduction of risk of security intel functions
within an organization is an example of what category of intelligence?
Answer: Strategic
⩥ What is synthesis in the CTI field? Answer: Combination of various event
data sources, historical information, and digital forensics to form a
theory or system
⩥ What is a priority intelligence requirement (PIR)? Answer:
Intelligence requirements that are seen as critical to mission success.
⩥ Which non-linear approach to modelling was meant to eliminate
stovepiping that occurs in intel work? Answer: Target-centric
intelligence
⩥ What is bouncing malware? Answer: The user is passed between multiple
sites, and numerous exploits are used in convoluted combinations
⩥ Give 2 common examples of protocols used as delivery methods for
malware Answer: SMTP
HTTP
⩥ Which part of the CoA matrix involves hacking back? Answer:
Destroy