GIAC Cyber Threat Intelligence (GCTI) Practice Examination Questions
And Correct Answers (Verified Answers) Plus Rationales 2026 Q&A |
Instant Download Pdf: Comprehensive Practice Exam: 135+
Questions with Verified Answers & Rationales.
Section 1: Intelligence Lifecycle & Requirements
Question 1
The intelligence lifecycle begins with which phase?
A) Collection
B) Analysis
C) Direction (Planning & Requirements)
D) Dissemination
Correct Answer: C
Rationale: The intelligence lifecycle begins with Direction, also known as Planning and
Requirements. This phase establishes what intelligence is needed, why it's needed, and how
it will be used. Without clear direction, subsequent phases lack purpose and focus.
Collection occurs after requirements are defined, analysis transforms collected data, and
dissemination delivers finished intelligence to consumers.
Question 2
A threat intelligence analyst receives a request from executive leadership about long-term
cybercrime trends affecting their industry sector. This request represents which intelligence
type?
A) Tactical Intelligence
B) Operational Intelligence
,C) Strategic Intelligence
D) Technical Intelligence
Correct Answer: C
Rationale: Strategic intelligence focuses on long-term trends, threat landscapes, and high-
level risks to support executive decision-making and policy development. Tactical
intelligence informs day-to-day defense operations, operational intelligence addresses
specific ongoing campaigns, and technical intelligence provides Indicators of Compromise
(IOCs).
Question 3
During which phase of the intelligence lifecycle does an analyst convert raw data into
finished intelligence products?
A) Collection
B) Processing
C) Analysis
D) Dissemination
Correct Answer: C
Rationale: The Analysis phase is where raw data is transformed into actionable intelligence
through correlation, interpretation, and contextualization. Collection gathers raw data,
processing converts data into usable formats, and dissemination distributes finished
products.
Question 4
"Consumption" and "Feedback" are critical components of which intelligence lifecycle
phase?
A) Direction
B) Collection
,C) Analysis
D) Dissemination
Correct Answer: D
Rationale: Dissemination includes delivering intelligence to consumers and collecting
feedback to improve future intelligence products. This closed-loop process ensures the
intelligence function remains responsive to stakeholder needs and continuously improves.
Question 5
A security manager needs intelligence about specific adversary TTPs to configure SIEM
alerts. This requirement falls under:
A) Strategic Intelligence
B) Tactical Intelligence
C) Operational Intelligence
D) Raw Intelligence
Correct Answer: B
Rationale: Tactical intelligence provides information about adversary TTPs, specific
indicators, and immediate defensive measures. It directly supports security operations, SIEM
rule creation, and incident response activities.
Question 6
Which of the following best describes the purpose of the "Processing" phase in intelligence
operations?
A) Defining intelligence requirements
B) Converting collected data into a standardized, usable format
C) Distributing finished intelligence to consumers
D) Evaluating the impact of intelligence products
Correct Answer: B
, Rationale: Processing involves translating, decrypting, sorting, and organizing raw data into
formats suitable for analysis. This phase bridges collection and analysis, ensuring analysts
work with standardized, usable information.
Question 7
An intelligence requirement asking "What are the likely cyber threats to our upcoming
product launch?" represents:
A) Priority Intelligence Requirement (PIR)
B) Specific Information Requirement (SIR)
C) Collection Requirement
D) Dissemination Requirement
Correct Answer: A
Rationale: Priority Intelligence Requirements (PIRs) are high-level intelligence needs that
drive collection and analysis efforts. They focus on decision-making needs and are approved
by leadership. Specific Information Requirements (SIRs) are subordinate questions that
support answering PIRs.
Question 8
Which intelligence product would be most appropriate for weekly SOC briefings covering
recent threat actor activity?
A) Strategic Assessment
B) Tactical Bulletin
C) Annual Threat Report
D) Raw Intelligence Dump
Correct Answer: B
Rationale: Tactical bulletins are time-sensitive, operationally focused products that inform
SOC teams about recent threat activity, new TTPs, and defensive recommendations.
And Correct Answers (Verified Answers) Plus Rationales 2026 Q&A |
Instant Download Pdf: Comprehensive Practice Exam: 135+
Questions with Verified Answers & Rationales.
Section 1: Intelligence Lifecycle & Requirements
Question 1
The intelligence lifecycle begins with which phase?
A) Collection
B) Analysis
C) Direction (Planning & Requirements)
D) Dissemination
Correct Answer: C
Rationale: The intelligence lifecycle begins with Direction, also known as Planning and
Requirements. This phase establishes what intelligence is needed, why it's needed, and how
it will be used. Without clear direction, subsequent phases lack purpose and focus.
Collection occurs after requirements are defined, analysis transforms collected data, and
dissemination delivers finished intelligence to consumers.
Question 2
A threat intelligence analyst receives a request from executive leadership about long-term
cybercrime trends affecting their industry sector. This request represents which intelligence
type?
A) Tactical Intelligence
B) Operational Intelligence
,C) Strategic Intelligence
D) Technical Intelligence
Correct Answer: C
Rationale: Strategic intelligence focuses on long-term trends, threat landscapes, and high-
level risks to support executive decision-making and policy development. Tactical
intelligence informs day-to-day defense operations, operational intelligence addresses
specific ongoing campaigns, and technical intelligence provides Indicators of Compromise
(IOCs).
Question 3
During which phase of the intelligence lifecycle does an analyst convert raw data into
finished intelligence products?
A) Collection
B) Processing
C) Analysis
D) Dissemination
Correct Answer: C
Rationale: The Analysis phase is where raw data is transformed into actionable intelligence
through correlation, interpretation, and contextualization. Collection gathers raw data,
processing converts data into usable formats, and dissemination distributes finished
products.
Question 4
"Consumption" and "Feedback" are critical components of which intelligence lifecycle
phase?
A) Direction
B) Collection
,C) Analysis
D) Dissemination
Correct Answer: D
Rationale: Dissemination includes delivering intelligence to consumers and collecting
feedback to improve future intelligence products. This closed-loop process ensures the
intelligence function remains responsive to stakeholder needs and continuously improves.
Question 5
A security manager needs intelligence about specific adversary TTPs to configure SIEM
alerts. This requirement falls under:
A) Strategic Intelligence
B) Tactical Intelligence
C) Operational Intelligence
D) Raw Intelligence
Correct Answer: B
Rationale: Tactical intelligence provides information about adversary TTPs, specific
indicators, and immediate defensive measures. It directly supports security operations, SIEM
rule creation, and incident response activities.
Question 6
Which of the following best describes the purpose of the "Processing" phase in intelligence
operations?
A) Defining intelligence requirements
B) Converting collected data into a standardized, usable format
C) Distributing finished intelligence to consumers
D) Evaluating the impact of intelligence products
Correct Answer: B
, Rationale: Processing involves translating, decrypting, sorting, and organizing raw data into
formats suitable for analysis. This phase bridges collection and analysis, ensuring analysts
work with standardized, usable information.
Question 7
An intelligence requirement asking "What are the likely cyber threats to our upcoming
product launch?" represents:
A) Priority Intelligence Requirement (PIR)
B) Specific Information Requirement (SIR)
C) Collection Requirement
D) Dissemination Requirement
Correct Answer: A
Rationale: Priority Intelligence Requirements (PIRs) are high-level intelligence needs that
drive collection and analysis efforts. They focus on decision-making needs and are approved
by leadership. Specific Information Requirements (SIRs) are subordinate questions that
support answering PIRs.
Question 8
Which intelligence product would be most appropriate for weekly SOC briefings covering
recent threat actor activity?
A) Strategic Assessment
B) Tactical Bulletin
C) Annual Threat Report
D) Raw Intelligence Dump
Correct Answer: B
Rationale: Tactical bulletins are time-sensitive, operationally focused products that inform
SOC teams about recent threat activity, new TTPs, and defensive recommendations.
