GIAC Cyber Threat Intelligence (GCTI) Examination Questions And
Correct Answers (Verified Answers) Plus Explanation 2026 Q&A |
Instant Download Pdf
1. What is the first step in the intelligence cycle?
A) Collection
B) Analysis
C) Planning and direction
D) Dissemination
Answer: C
2. Which document formally outlines intelligence priorities, audiences, and resources?
A) Threat model
B) Intelligence requirements list
C) Collection management plan
D) After-action report
Answer: B
3. A PIR (Priority Intelligence Requirement) differs from an IR in that a PIR is:
A) Always strategic in nature
B) Approved by senior leadership and time-sensitive
C) Related only to technical indicators
D) Derived solely from open sources
Answer: B
4. Which role is responsible for approving the intelligence collection plan?
A) All-source analyst
B) Collection manager
,C) Intelligence consumer (e.g., CISO, SOC manager)
D) Threat hunter
Answer: C
5. "What are the TTPs of TA505?" is an example of a(n):
A) Indicator requirement
B) Strategic intelligence requirement
C) Operational intelligence requirement
D) Tactical intelligence requirement
Answer: C
6. Which of the following is a well-formed intelligence requirement?
A) "Get me all malware"
B) "What IP addresses are bad?"
C) "Which threat actors target the healthcare sector in Europe, and what are their
primary initial access vectors?"
D) "Tell me about ransomware"
Answer: C
7. The "direction" phase includes all EXCEPT:
A) Identifying consumers
B) Developing indicators
C) Establishing feedback mechanisms
D) Defining the timeline
Answer: B
8. A feedback loop in intelligence ensures:
A) Collection is infinite
B) Consumers can refine requirements based on delivered intelligence
C) Analysts never change their methods
D) Only strategic intelligence is produced
,Answer: B
9. Which collection method is most likely to be dictated by legal and compliance teams?
A) OSINT
B) HUMINT from dark web forums
C) Network traffic capture without consent
D) Partner sharing
Answer: C
10. Who is the primary audience for tactical intelligence?
A) Board of directors
B) SOC analysts and threat hunters
C) Strategic planners
D) Legal counsel
Answer: B
11. An intelligence requirement that asks "How will our sector be targeted in the next 6–
12 months?" is:
A) Tactical
B) Operational
C) Strategic
D) Technical
Answer: C
12. Which of the following is NOT typically part of the collection management plan?
A) Sources to task
B) Frequency of collection
C) Attribution analysis
D) Ownership of collection tasks
Answer: C
, 13. The primary output of the planning phase is:
A) A list of IOCs
B) A set of intelligence requirements
C) A finished intelligence report
D) A data lake
Answer: B
14. Who should be consulted when writing intelligence requirements?
A) Only senior executives
B) Only technical analysts
C) All stakeholders (executives, SOC, IR, legal, etc.)
D) External vendors only
Answer: C
15. A "CCIR" (Commander's Critical Information Requirement) is a term borrowed from:
A) Military intelligence
B) Corporate finance
C) Software development
D) Human resources
Answer: A
16. Which of the following is an example of a standing intelligence requirement?
A) "IP addresses used in yesterday's phishing campaign"
B) "Monthly summary of ransomware groups targeting manufacturing"
C) "Hash of the malware from incident #2025-001"
D) "Who is behind the zero-day disclosed this morning?"
Answer: B
17. The term "intelligence gap" refers to:
A) A missing indicator
B) An unanswered requirement due to lack of data or access
C) A poorly written report
D) A vulnerability in the SIEM
Correct Answers (Verified Answers) Plus Explanation 2026 Q&A |
Instant Download Pdf
1. What is the first step in the intelligence cycle?
A) Collection
B) Analysis
C) Planning and direction
D) Dissemination
Answer: C
2. Which document formally outlines intelligence priorities, audiences, and resources?
A) Threat model
B) Intelligence requirements list
C) Collection management plan
D) After-action report
Answer: B
3. A PIR (Priority Intelligence Requirement) differs from an IR in that a PIR is:
A) Always strategic in nature
B) Approved by senior leadership and time-sensitive
C) Related only to technical indicators
D) Derived solely from open sources
Answer: B
4. Which role is responsible for approving the intelligence collection plan?
A) All-source analyst
B) Collection manager
,C) Intelligence consumer (e.g., CISO, SOC manager)
D) Threat hunter
Answer: C
5. "What are the TTPs of TA505?" is an example of a(n):
A) Indicator requirement
B) Strategic intelligence requirement
C) Operational intelligence requirement
D) Tactical intelligence requirement
Answer: C
6. Which of the following is a well-formed intelligence requirement?
A) "Get me all malware"
B) "What IP addresses are bad?"
C) "Which threat actors target the healthcare sector in Europe, and what are their
primary initial access vectors?"
D) "Tell me about ransomware"
Answer: C
7. The "direction" phase includes all EXCEPT:
A) Identifying consumers
B) Developing indicators
C) Establishing feedback mechanisms
D) Defining the timeline
Answer: B
8. A feedback loop in intelligence ensures:
A) Collection is infinite
B) Consumers can refine requirements based on delivered intelligence
C) Analysts never change their methods
D) Only strategic intelligence is produced
,Answer: B
9. Which collection method is most likely to be dictated by legal and compliance teams?
A) OSINT
B) HUMINT from dark web forums
C) Network traffic capture without consent
D) Partner sharing
Answer: C
10. Who is the primary audience for tactical intelligence?
A) Board of directors
B) SOC analysts and threat hunters
C) Strategic planners
D) Legal counsel
Answer: B
11. An intelligence requirement that asks "How will our sector be targeted in the next 6–
12 months?" is:
A) Tactical
B) Operational
C) Strategic
D) Technical
Answer: C
12. Which of the following is NOT typically part of the collection management plan?
A) Sources to task
B) Frequency of collection
C) Attribution analysis
D) Ownership of collection tasks
Answer: C
, 13. The primary output of the planning phase is:
A) A list of IOCs
B) A set of intelligence requirements
C) A finished intelligence report
D) A data lake
Answer: B
14. Who should be consulted when writing intelligence requirements?
A) Only senior executives
B) Only technical analysts
C) All stakeholders (executives, SOC, IR, legal, etc.)
D) External vendors only
Answer: C
15. A "CCIR" (Commander's Critical Information Requirement) is a term borrowed from:
A) Military intelligence
B) Corporate finance
C) Software development
D) Human resources
Answer: A
16. Which of the following is an example of a standing intelligence requirement?
A) "IP addresses used in yesterday's phishing campaign"
B) "Monthly summary of ransomware groups targeting manufacturing"
C) "Hash of the malware from incident #2025-001"
D) "Who is behind the zero-day disclosed this morning?"
Answer: B
17. The term "intelligence gap" refers to:
A) A missing indicator
B) An unanswered requirement due to lack of data or access
C) A poorly written report
D) A vulnerability in the SIEM
