From APT Tracking to APRA-Ready Threat Reporting

$199.00

A focused course, tailored for you

Build the research-to-regulatory pipeline that turns threat actor TTPs into defensible CPS 234 evidence.

A threat intelligence report walks in. The TTP mapping is clean, the attribution confidence is documented, the adversary objectives are laid out in MITRE ATT&CK notation. The risk committee reads it, marks it 'noted for awareness,' and asks whether it affects the CPS 234 examination next quarter. The researcher has no clean answer because the report was built in ATT&CK language, not APRA language.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Financial sector threat researchers produce technically rigorous work that stops at the SOC perimeter. The TTPs are mapped, the diamond model is applied, the confidence levels are documented. None of that language maps cleanly to what APRA examiners ask about, what the board risk committee can act on, or what the CPS 234 evidence pack requires. The researcher ends up translating their own work ad hoc for each audience, producing SOC briefings, board memos, and APRA evidence packs separately, with no shared structure and under different time pressures. The skill this course builds is the single document architecture that speaks to all three audiences: technical layer for IR and detection, regulatory layer for APRA, and strategic layer for the board. One research cycle, one pipeline, three audiences served.

What you walk away with

  • Map any adversary TTP chain to the specific CPS 234 Chapter III requirements it tests, using evidence language an APRA examiner accepts.
  • Produce a threat actor assessment that satisfies both the SOC technical lead and the board risk committee in a single layered document.
  • Build a control gap artefact that moves remediation budget through a risk committee approval process.
  • Deliver a board risk committee threat briefing that generates action items rather than an awareness note.
  • Run a repeatable research-to-regulatory pipeline on any new intrusion set without starting from a blank page.

The 12 modules

Module 1. CPS 234 Through a Threat-Intelligence Lens
CPS 234 Chapter III specifies requirements for information security capability that APRA examiners test against active threat exposure. This module maps the Chapter's twelve information asset categories to the adversary objectives most commonly pursued against Australian deposit-taking institutions. You build a capability-to-threat overlay that lets your research output speak directly to the chapter's language, not alongside it.
Module 2. APT Group Profiling for the APAC Financial Sector
Not all APT groups target Australian banks at the same priority. This module builds a sector-specific threat actor register: intrusion sets active in the APAC financial corridor; their preferred initial access vectors, including spearphishing, supply chain compromise, and credential stuffing via compromised aggregators; and the historical targeting patterns relevant to deposit-taking institutions and their wealth management arms. The register becomes the evidence base for every briefing that follows.
Module 3. MITRE ATT&CK to CPS 234 Control Mapping
The gap between an ATT&CK TTP and a CPS 234 control requirement is a translation problem, not a technical one. This module establishes the mapping methodology: from adversary tactic category to APRA information security requirement to the specific control evidence an examiner expects to see. Includes worked examples for three APAC-relevant intrusion chains, with each TTP mapped to its corresponding Chapter III paragraph and evidence assertion.
Module 4. Diamond Model Application for Financial Sector Incidents
The Diamond Model's four vertices produce a richer attribution product than indicator-only reports, but its output needs to be legible to a risk audience. This module adapts the Diamond Model for financial sector incidents: structuring the adversary vertex around financial sector motivation (including credential theft, SWIFT fraud, and destructive attack) and producing a model output that feeds directly into a CPS 234 incident scenario analysis without requiring the risk audience to understand the model itself.
Module 5. Writing Threat Actor Assessments That Survive Risk Review
A threat actor assessment written for the SOC looks different from one written for the board risk committee. This module covers both layers in a single document: the technical TTP block for IR and detection engineering, and the strategic assessment block for risk officers and APRA examiners. Includes the section headings, confidence-level notation, and attribution caveat language that stop the report being filed for awareness rather than acted on.
Module 6. Translating TTPs into Control Evidence Language
APRA examiners ask: what evidence demonstrates that the institution's information security capability is commensurate with its threat exposure? This module builds the translation between TTP observation and control evidence assertion. You produce a control evidence brief that pairs each observed TTP with the specific artefact, whether a configuration state, policy excerpt, penetration test result, or incident log, that a reasonable examiner accepts as evidence of commensurate capability.
Module 7. The Control Gap Artefact
The control gap report is the output that actually moves remediation budget. This module builds the structure: a threat-driven gap register that pairs each adversary capability, observed or assessed, with the current control state, the evidence basis for that assessment, and a remediation priority tied to APRA's materiality thresholds. Includes the presentation format that gets this artefact approved in a risk committee rather than deferred to the next examination cycle.
Module 8. TIBER-AU Threat Intelligence Requirements
TIBER-AU requires a structured Targeted Threat Intelligence report as its first deliverable. This module covers the TTI report structure, the threat actor scenario selection methodology, and the intelligence-to-red-team handoff format. Whether or not your institution runs TIBER-AU engagements, the TTI report structure represents the highest-quality threat intelligence product format in Australian financial services, and it maps cleanly to APRA's expectations for threat-informed control evidence.
Module 9. APRA Risk Appetite Statement: Threat-Informed Input
The risk appetite statement sits above the control framework and dictates how much threat exposure the board is willing to accept. Threat researchers rarely contribute to this document. This module shows how to produce a threat-informed risk appetite input: a structured brief that maps current adversary capability against the institution's declared risk tolerance, and flags where the two are materially misaligned in terms an RAS author can act on directly.
Module 10. Briefing the Board Risk Committee on Threat Intelligence
Board risk committees want to know three things: who is after us, what would they do, and are we ready. This module builds the briefing deck that answers all three without requiring the board to understand ATT&CK. Includes the narrative arc; the three key metrics (threat actor capability, control coverage, and residual exposure); the visual formats that register with a risk committee; and the questions that reliably follow, with model answers prepared in advance.
Module 11. Building a Repeatable Research-to-Regulatory Pipeline
The most durable output of a threat research function is a repeatable process: intelligence in at one end, regulator-ready risk narrative out at the other. This module designs the full pipeline: intake template, TTP-to-control mapping workbook, assessment report skeleton, board brief format, and APRA evidence pack structure. The goal is a process your team can run on any new intrusion set without starting from a blank page each time a new actor is tracked.
Module 12. Operationalising the Threat-Informed Defence Brief
The threat-informed defence brief is the single document that closes the loop: adversary capability assessed, control coverage mapped, gaps prioritised, remediation budgeted. This module builds the defence brief from scratch using the outputs of every prior module. Includes the sign-off workflow that gets the brief from research to CISO to board to APRA exam pack, and the version-control approach that keeps it current across the annual examination cycle.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1 to 3 build the CPS 234 and ATT&CK vocabulary bridge, so every subsequent output speaks regulator language from the start rather than being translated after the fact.
Modules 4 to 6 produce the threat actor assessment layers: technical for the SOC, strategic for the board, and evidence-based for the APRA examiner, as a single coherent document.
Modules 7 to 9 build the control gap artefact and risk appetite input that move decisions: budget approvals, board actions, and examination-ready control evidence.
Modules 10 to 12 design the repeatable pipeline and the board brief that closes the loop from research output to APRA examination pack.

What you get with this course

  • Text-based course modules in the Art of Service learning environment.
  • Downloadable CPS 234 TTP mapping workbook with worked examples for three APAC-relevant intrusion chains.
  • Threat actor assessment report template covering both technical and strategic layers in a single document.
  • Control gap register template with APRA materiality scoring framework.
  • Board risk committee briefing deck skeleton with model answers to standard examiner questions.
  • TIBER-AU Targeted Threat Intelligence report structure template.
  • Hand-built implementation playbook tailored to a financial sector threat research function, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

Threat research output is technically thorough but lands as 'noted for awareness.' The researcher translates their work separately for each audience: SOC briefings, board memos, and APRA evidence packs produced on different timelines with no shared structure, none of them fully satisfying the audience it was written for.

After

A single research cycle produces a layered document that speaks to the SOC, the board risk committee, and the APRA examiner. The control gap artefact drives remediation budget approval. The board briefing generates action items. The CPS 234 examination pack builds from the same intelligence product that briefed the SOC.

What happens if you do not address this

Threat research that does not translate into regulatory language accumulates as technical debt. APRA examiners increasingly expect institutions to demonstrate threat-informed control coverage, not just reactive incident response. A threat research function that cannot produce a CPS 234-aligned control gap artefact is invisible to the decision-makers who control the security budget and determine the examination outcome.

Who it is for

Cyber threat researchers and senior threat intelligence analysts working inside Australian deposit-taking institutions, wealth managers, and financial market infrastructure operators. Typically three to eight years into a technical security career, with strong MITRE ATT&CK fluency and SOC experience, now in a role that requires producing outputs for risk, compliance, and board audiences who use different vocabulary entirely. They know what the adversary is doing. The gap is producing output that moves the institution's control posture.

Who this is NOT for. SOC analysts whose output is entirely operational: alerts, triage, and incident tickets, without a dedicated threat intelligence or research mandate. General IT security practitioners without a written threat intelligence product responsibility. Compliance officers who consume threat intelligence reports but do not produce them.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. 12 modules across four to six hours of focused reading. Templates are ready to adapt immediately; full pipeline implementation typically takes two to three weeks working alongside an active threat intelligence cycle.

Why $199 is the right number

Generic threat intelligence certifications teach the research methodology but do not cover the APRA-specific regulatory output layer. CPS 234 compliance training covers the regulatory requirement but does not address the threat-intelligence input. This course bridges both, specifically for Australian financial institutions where the regulatory audience is APRA and the prudential standard is CPS 234.

FAQ

Is this relevant if my institution has not yet been through an APRA CPS 234 examination?
Yes. The pipeline this course builds is designed for use before an examination, not during one. The value is in producing examination-ready outputs as a normal part of the threat research cycle, so the evidence pack builds itself from existing work rather than being assembled under time pressure.
We already map to MITRE ATT&CK. How is this different?
ATT&CK mapping and CPS 234 control evidence are different outputs. This course builds the translation layer between them, plus the board briefing format and control gap artefact that ATT&CK mapping does not produce on its own.
How does this apply if our team is running TIBER-AU engagements?
Module 8 covers the TIBER-AU Targeted Threat Intelligence report structure specifically. The broader pipeline in this course produces the continuous threat intelligence product that TIBER-AU engagements draw from, so the two complement each other directly.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
