A tailored course, built for your situation
Advanced Threat Intelligence for Security Analysts
A 12-module implementation-grade course for security professionals advancing beyond baseline analysis
The situation this course is for
Many security analysts master tool operation but hit a ceiling when asked to anticipate threats, justify investments, or influence leadership. The gap isn't technical skill; it's the lack of structured frameworks for intelligence production, detection design, and risk communication.
Who this is for
Mid-career security analysts in consulting or managed services who want to lead detection programs, not just support them
Who this is not for
Entry-level analysts still learning SIEM basics or professionals outside cybersecurity operations
What you walk away with
- Produce actionable threat assessments using structured intelligence frameworks
- Design detection logic that reduces noise and escalates meaningful signals
- Map adversary behaviors to defensive controls using MITRE ATT&CK
- Communicate risk insights to technical and non-technical stakeholders
- Build repeatable processes for threat landscape analysis
The 12 modules (with all 144 chapters)
- Defining threat intelligence in operational security
- The lifecycle of intelligence production
- Aligning intelligence to business objectives
- Types of intelligence: strategic, tactical, operational
- Integrating intelligence into SOC workflows
- Common pitfalls in analyst-to-intel transitions
- Building credibility through structured reporting
- Sourcing inputs across open and proprietary channels
- Validating intelligence for reliability
- Managing intelligence requirements
- Prioritizing collection based on risk
- Case study: intelligence-driven incident response
- Classifying threat actors: nation-state, cybercrime, hacktivist
- Mapping motivations and objectives
- Understanding funding models and infrastructure
- Attribution frameworks and limitations
- Tracking known groups and aliases
- Using actor personas in planning
- Behavioral patterns by actor type
- Geopolitical context in targeting
- Language, time zones, and cultural indicators
- Infrastructure reuse and link analysis
- Public reporting on actor activity
- Case study: profiling a ransomware affiliate
- Overview of MITRE ATT&CK framework
- Tactics vs techniques vs sub-techniques
- Mapping detections to technique IDs
- Using ATT&CK for gap analysis
- Customizing frameworks for industry
- Mapping cloud-native threats
- Integrating ATT&CK into threat modeling
- Automating coverage reporting
- Mapping adversary groups to ATT&CK
- Building detection tiers based on ATT&CK
- Using ATT&CK for red team planning
- Case study: ATT&CK mapping for phishing campaign
- Identifying stakeholder intelligence needs
- Formulating priority intelligence requirements
- Developing intelligence questions
- Balancing breadth and depth
- Time-sensitive vs strategic requirements
- Aligning with compliance frameworks
- Integrating legal and ethical boundaries
- Managing classified or sensitive inputs
- Documenting and updating requirements
- Linking requirements to collection plans
- Measuring intelligence relevance
- Case study: intelligence requirements planning for M&A due diligence
- Ethical and legal boundaries in OSINT
- Reconnaissance without attribution
- Domain and IP footprinting techniques
- Social media intelligence methods
- Certificate transparency logs
- Search engine dorking safely
- Archived data and historical snapshots
- Verifying OSINT credibility
- Automating OSINT collection
- Reporting OSINT findings securely
- Avoiding operator burnout
- Case study: pre-incident OSINT on supply chain
- From log collection to detection logic
- Signal vs noise in alerting
- Thresholds, baselines, and anomalies
- Writing precise detection rules
- Reducing false positives systematically
- Using statistical methods in detection
- Leveraging telemetry density
- Validating detection efficacy
- Versioning and managing detection rules
- Integrating detections with playbooks
- Measuring detection coverage
- Case study: detecting lateral movement
- Difference between red teaming and emulation
- Designing emulation scenarios
- Scoping without disruption
- Mapping to MITRE ATT&CK
- Selecting techniques for testing
- Using Caldera and open-source tools
- Integrating with detection teams
- Documenting emulation objectives
- Reporting findings effectively
- Measuring detection improvements
- Legal and operational boundaries
- Case study: emulating ransomware TTPs
- Tracking emerging threats and trends
- Using industry reports effectively
- Identifying patterns across sectors
- Mapping threats to assets
- Benchmarking against peer organizations
- Analyzing attack vectors over time
- Incorporating third-party risk data
- Visualizing threat landscape shifts
- Predicting future targeting
- Updating risk models dynamically
- Communicating trends to leadership
- Case study: tracking cloud service abuse
- Audience analysis for security reports
- Writing for technical and executive readers
- Visualizing risk and trends
- Creating briefing packages
- Using storytelling in reporting
- Tailoring frequency and depth
- Presenting to non-security stakeholders
- Building trust through consistency
- Feedback loops with decision-makers
- Metrics that matter
- Avoiding jargon without losing precision
- Case study: board-level threat briefing
- Identifying automatable tasks
- Using Python for data collection
- Parsing structured threat feeds
- Integrating with ticketing systems
- Building alert enrichment workflows
- Automated report generation
- Managing API rate limits
- Securing automation credentials
- Testing automation reliability
- Version control for scripts
- Documenting automation logic
- Case study: auto-enriching phishing reports
- Risks in vendor and partner ecosystems
- Monitoring shared cloud environments
- Tracking supply chain compromises
- Using threat intelligence sharing groups
- Analyzing third-party security ratings
- Benchmarking vendor security posture
- Incident response coordination
- Legal and contractual considerations
- Reporting third-party risks
- Building vendor risk playbooks
- Measuring third-party improvement
- Case study: monitoring SaaS provider risks
- Assessing organizational maturity
- Staffing and team structure options
- Tooling selection and integration
- Defining success metrics
- Integrating with incident response
- Establishing governance
- Managing stakeholder expectations
- Budgeting for intelligence
- Continuous improvement cycles
- Scaling across regions and clients
- Knowledge management and retention
- Case study: launching intel function in MSSP
How this maps to your situation
- You're analyzing threats but not shaping prevention
- You're reporting incidents but not influencing decisions
- You're using tools but not designing detections
- You're responding but not anticipating
What's included with your purchase
- 12 modules with 12 chapters each (144 chapters)
- Downloadable templates and worked examples for every module
- Hand-built implementation playbook delivered alongside course access
- 30-day money-back guarantee
Delivery and format
- Course and learning environment access provisioned within 24 hours of purchase
Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.
Time investment: Approximately 3-4 hours per module, designed for professionals to complete at their own pace over 12-16 weeks.
How this compares to the alternatives
Unlike generic certification prep or tool-specific training, this course focuses on implementation-grade frameworks used by mature security teams to produce actionable intelligence and influence decisions.
Frequently asked
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.