GIAC Cyber Threat Intelligence (GCTI) Practice Examination Questions And Correct Answers (Verified Answers) Plus Rationales 2026 Q&A | Instant Download Pdf
What is counterintelligence? - <<<<ANSWERS>>>The identification, assessment, and
neutralisation of adversary intelligence activities.
Which type of memory is the most critical in intel analysis and why? -
<<<<ANSWERS>>>Working memory, as it processes inputs and determines whether to
store them in long- or short-term memory
What is template matching? - <<<<ANSWERS>>>Theory that every object is processed
by the brain and stored as a template in long term memory
Compare system 1 and 2 thinking - <<<<ANSWERS>>>System 1 - intuitive, fast,
effective
System 2 - analytical, slow, methodical
What TLP level allows you to share intel within your community? -
<<<<ANSWERS>>>TLP:Green
IOCs are used to improve signatures of an organization's NIDS; what category on the
sliding scale of security does this fall under? - <<<<ANSWERS>>>Passive Defence
How can intel teams prevent bias? - <<<<ANSWERS>>>Use of Structured Analytic
Techniques (SATs)
Inclusion of diversity
Questioning the ROI and reduction of risk of security intel functions within an
organization is an example of what category of intelligence? -
<<<<ANSWERS>>>Strategic
What is synthesis in the CTI field? - <<<<ANSWERS>>>Combination of various event data
sources, historical information, and digital forensics to form a theory or system
What is a priority intelligence requirement (PIR)? - <<<<ANSWERS>>>Intelligence
requirements that are seen as critical to mission success.
Which non-linear approach to modelling was meant to eliminate stovepiping that occurs
in intel work? - <<<<ANSWERS>>>Target-centric intelligence
What is bouncing malware? - <<<<ANSWERS>>>The user is passed between multiple
sites, with numerous exploits used in convoluted combinations
Give 2 common examples of protocols used as delivery methods for malware -
<<<<ANSWERS>>>SMTP
HTTP
Which part of the CoA matrix involves hacking back? - <<<<ANSWERS>>>Destroy
What are the 3 stages of the indicator lifecycle? - <<<<ANSWERS>>>Revealed
Mature
Utilized
When completing the kill chain, should the investigators go backwards or forwards? -
<<<<ANSWERS>>>Investigators should always proceed from the point where detection takes
place to the end of the kill chain to ensure the threat has been dealt with; then they can
work backwards after that.
What is temporal triangulation? - <<<<ANSWERS>>>Looking for files that might have
different types of timestamps with the same value
What is temporal clustering? - <<<<ANSWERS>>>Looking for clusters of EXE or DLL
files being created
Malware often maps to which part of the diamond model? -
<<<<ANSWERS>>>Capability
Name 3 common locations for human fingerprints in malware -
<<<<ANSWERS>>>Header metadata
Code reuse
Config data
Which system of thinking requires mental models? - <<<<ANSWERS>>>System 1
What is an activity group? - <<<<ANSWERS>>>A clustering of intrusions which cover 2
or more phases in the diamond model
What is a key indicator? - <<<<ANSWERS>>>An indicator that remains constant across
multiple intrusions, uniquely distinguishes a campaign from other campaigns, and aligns
to a single category of adversary action.
What is a Collection Management Framework (CMF)? - <<<<ANSWERS>>>A CMF is
the plan for how you collect data, where you collect it, and what type of data you collect.
What 3 aspects make up a threat? - <<<<ANSWERS>>>Intent, Capability, Opportunity
Which level of effort is required to change a domain name according to the pyramid of
pain? - <<<<ANSWERS>>>Simple
What is the importance of understanding intelligence collection on a technical level? -
<<<<ANSWERS>>>Ensures the analyst understands the limitations of their data sources
What is counter intelligence? - <<<<ANSWERS>>>The identification, assessment,
neutralisation, and exploitation of adversarial entities.
Understanding your organization's vulnerabilities using models and config analysis is
what type of threat detection? - <<<<ANSWERS>>>Environmental
Which TLP level allows intel to be shared online? - <<<<ANSWERS>>>TLP: White
On the sliding scale of cyber security, in what category do analysts respond to and learn
from adversaries on their network? - <<<<ANSWERS>>>Active Defence
Before satisfying an intel requirement, what must an analyst do to determine if it is
achievable? - <<<<ANSWERS>>>Determine whether they have enough data to satisfy
the requirement. A Collection Management Framework (CMF) defines how you collect
data.
Name 4 places to get malware samples - <<<<ANSWERS>>>First party data
Partners
Sharing groups
Commercial data sets - VirusTotal
Why might it be a bad thing to upload to VirusTotal? - <<<<ANSWERS>>>Adversaries
will find out that their malware has been detected