---
url: "https://xcademia.com/courses/threat-intelligence-analysis-and-attribution-tradecraft"
title: Threat Intelligence Analysis and Attribution Tradecraft
description: "Four-day advanced threat intelligence training. Covers attribution methodology, SATs, STIX/TAXII, Maltego, dark web collection, and finished intelligence produc"
publishedAt: "2026-04-13T07:07:27.7903+00:00"
updatedAt: "2026-04-29T06:05:35.05521+00:00"
type: course
code: "CYB-0160"
level: Professional
duration_days: "4"
track: "Cyber Warfare & Advanced Threat Defence"
category: "Cybersecurity & Ethical Hacking"
credential_tier: tier1
price_gbp: "4995"
---

# Threat Intelligence Analysis and Attribution Tradecraft

> A four-day advanced programme developing the structured analytical methodology, attribution tradecraft, and finished intelligence production skills required of senior cyber threat intelligence professionals. Build the capability to produce finished intelligence from raw threat data, apply structured attribution methodology to nation-state campaigns, operate across OSINT and technical intelligence sources, and brief government and executive stakeholders.

## Overview

Threat intelligence is no longer a feed subscription or an automated enrichment layer. Senior practitioners are expected to produce finished intelligence products that drive strategic and operational decisions, apply rigorous attribution methodology that can withstand executive and diplomatic scrutiny, and manage intelligence programmes that continuously improve organisational defensive posture. This four-day advanced programme develops precisely those capabilities.

Across four mentor-led days, participants apply the intelligence cycle to cyber threat analysis, master Structured Analytic Techniques for reducing cognitive bias, execute attribution methodology across technical, operational, and strategic dimensions, operate across OSINT and dark web intelligence sources, build link analysis using Maltego and STIX/TAXII intelligence sharing protocols, and produce finished intelligence products calibrated to executive and government audiences.

The programme culminates in a four-hour capstone: given a live threat dataset, participants produce a complete intelligence assessment attributing a campaign, assessing actor intent and capability, and forecasting likely next moves. They then brief a simulated senior leadership panel. This course is aligned with STIX 2.1 and TAXII standards, structured analytic techniques used by Western intelligence agencies, and NCSC threat intelligence guidance.

## Prerequisites

- Minimum three years of professional experience in threat intelligence, SOC operations, or incident response.
- Solid understanding of nation-state threat actor groups, MITRE ATT&CK, and cyber threat analysis fundamentals.
- Completion of Nation-State Threat Actor Profiles (X-CWTA-F) or APT Detection and Threat Hunting (X-CWAPT-P) recommended.

## What you will learn

- Produce finished intelligence products from raw threat data using structured analytical methodology.
- Apply technical, operational, and strategic attribution methodology to nation-state cyber campaigns.
- Operate across OSINT, dark web, and technical intelligence sources with appropriate tradecraft.
- Brief executive and government stakeholders on threat actor intent, capability, and likely next moves.
- Structure intelligence assessments in STIX 2.1 format for machine-readable sharing via TAXII.
- Build and manage a threat intelligence programme that drives organisational security decision-making.
- Apply Structured Analytic Techniques to reduce cognitive bias and improve intelligence product quality.

## Skills you will gain

- Structured attribution methodology
- Finished intelligence production
- Structured Analytic Techniques application
- Dark web intelligence collection
- OSINT tradecraft for cyber intelligence
- Maltego link analysis
- STIX 2.1 intelligence structuring
- TAXII intelligence sharing operations
- Strategic intelligence forecasting
- Intelligence programme management
- Executive and government briefing
- Campaign cluster methodology

## Career progression

- Senior Threat Intelligence Analyst
- CTI Programme Lead
- Government Intelligence Analyst
- CISO Intelligence Advisor
- SOC Intelligence Lead
- Threat Hunt Programme Manager

## Curriculum

1. **Module 1: Getting Ready**
   - Pre-reading: STIX 2.1 specification overview, NCSC threat intelligence guidance, and SAT primer
   - Setting up Maltego community edition and accessing course threat dataset environments
   - Intelligence requirements template: defining PIRs and IRs for the capstone organisation scenario
   - Course objectives, skill baseline assessment, and individual development pathway alignment
2. **Module 2: The Intelligence Cycle Applied to Cyber**
   - Planning and direction: defining Priority Intelligence Requirements that drive collection and analysis
   - Collection: mapping sources to requirements across technical, OSINT, and human indicator channels
   - Processing: normalising, validating, and structuring raw threat data for analytical use
   - Analysis: applying structured methodology to produce assessments rather than summaries
   - Dissemination: choosing format, classification, and audience for each intelligence product type
3. **Module 3: Structured Analytic Techniques for Cyber Intelligence**
   - Why cognitive bias degrades intelligence quality and how SATs systematically reduce its impact
   - Analysis of Competing Hypotheses: applying ACH to attribution and campaign assessment problems
   - Key Assumptions Check: surfacing and challenging the hidden assumptions in threat analysis
   - Indicators and Warnings analysis: building and maintaining indicator lists for early warning
   - Red Cell analysis: stress-testing assessments by adopting the adversary's perspective
4. **Module 4: Attribution Methodology: Technical Dimension**
   - Technical attribution evidence: malware code similarity, infrastructure reuse, and toolset fingerprinting
   - Infrastructure attribution: domain registration patterns, hosting provider selection, and TLS certificate reuse
   - Malware family analysis: identifying shared code bases across campaign clusters
   - MITRE ATT&CK technique fingerprinting: how technique selection distinguishes actor groups operationally
   - Confidence levels in technical attribution: expressing certainty accurately without overstating
5. **Module 5: Attribution Methodology: Operational Dimension**
   - Operational attribution evidence: targeting patterns, campaign timing, and victim set analysis
   - Working hours analysis: inferring actor geography from timestamp distributions across campaigns
   - Language artefacts in malware and infrastructure: linguistic indicators in code, domains, and error messages
   - Campaign cluster methodology: grouping intrusions into actor-attributable clusters using overlapping indicators
   - Distinguishing primary actor operations from false flag operations designed to mislead attribution
6. **Module 6: Attribution Methodology: Strategic Dimension**
   - Strategic attribution: connecting technical and operational findings to state interest and geopolitical context
   - Attribution has become a diplomatic tool as much as a forensic one: implications for confidence thresholds
   - When to attribute publicly and when to maintain strategic ambiguity: decision framework
   - Five Eyes attribution coordination: how allied nations build shared attribution assessments
   - Legal and diplomatic implications of public attribution: standards required before a government accuses a state
7. **Module 7: Dark Web Intelligence Collection**
   - Dark web architecture for threat intelligence: Tor, I2P, and closed forum ecosystems
   - Underground forum monitoring: tracking threat actor infrastructure, tooling, and targeting announcements
   - Safe collection methodology: operational security requirements for dark web intelligence gathering
   - Building source networks without exposing collector identity or operational objectives
   - Validating dark web intelligence: distinguishing genuine actor communications from deception and misinformation
8. **Module 8: OSINT Collection and Source Development**
   - OSINT tradecraft for cyber intelligence: systematic collection across technical and open-source channels
   - Passive DNS, certificate transparency, and infrastructure reconnaissance using open sources
   - Social media intelligence for tracking threat actor personas and recruitment activity
   - Code repository monitoring: identifying actor tooling published or leaked to open-source platforms
   - Source reliability assessment: evaluating and weighting OSINT sources by track record and access
9. **Module 9: Maltego: Link Analysis and Intelligence Visualisation**
   - Maltego architecture and transform library for cyber threat intelligence workflows
   - Building actor infrastructure graphs: connecting domains, IPs, certificates, and malware samples
   - Campaign cluster visualisation: mapping relationships between intrusion sets across time
   - Link analysis for attribution: identifying infrastructure overlap between attributed and unattributed clusters
   - Hands-on lab: build a complete actor infrastructure graph from a provided threat dataset
10. **Module 10: STIX 2.1 and TAXII Intelligence Sharing**
   - STIX 2.1 object model: SDOs, SROs, and their application to cyber threat intelligence representation
   - Structuring a finished intelligence assessment in STIX 2.1 format for machine-readable sharing
   - TAXII 2.1 protocol: establishing and operating threat intelligence sharing channels
   - Intelligence sharing policy design: TLP classification, need-to-know, and recipient management
   - Hands-on practical: structure a completed attribution assessment as a STIX 2.1 bundle
11. **Module 11: Finished Intelligence Product Design**
   - Product types and their audiences: tactical, operational, and strategic intelligence products
   - Writing for executive audiences: clarity, confidence expression, and actionable recommendations
   - Government format intelligence reports: structure, classification, and analytical standards
   - Strategic forecasting: assessing actor intent and predicting next campaign moves with stated confidence
   - Intelligence product critique: structured peer review methodology for improving analytical output quality
12. **Module 12: Intelligence Programme Management**
   - Building a threat intelligence programme from scratch: team structure, tooling, and source portfolio
   - Intelligence requirements management: maintaining PIR relevance as the threat landscape evolves
   - Measuring intelligence programme effectiveness: metrics that reflect analytical quality rather than volume
   - Integrating CTI output into SOC, IR, and executive decision-making workflows operationally
   - Building and maintaining an analyst development programme within a CTI team
13. **Module 13: Capstone: Finished Intelligence and Senior Briefing**
   - Four-hour capstone: receive a live threat dataset and produce a complete finished intelligence assessment
   - Apply attribution methodology across technical, operational, and strategic dimensions with stated confidence
   - Assess actor intent, current capability, and forecast next campaign moves with analytical justification
   - Present the completed assessment to a simulated senior leadership and government stakeholder panel
   - Full instructor debrief: attribution methodology quality, analytical rigour, and briefing effectiveness review
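The working-hours analysis named in Module 5 is the kind of evidence line an analyst must both compute and caveat. The following Python script is an added illustration, not course material or any Xcademia tooling: it takes a constructed list of UTC activity timestamps for one campaign cluster, scores every candidate UTC offset by how many events would fall inside a Monday-to-Friday 09:00-18:00 local window, and reports not just the best-fitting offset but the competing offsets the data cannot exclude. The sample timestamps, the working window and the one-event tolerance for "competing" are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18  # assumed local working window [09:00, 18:00)

# Constructed sample, not real telemetry: UTC timestamps of activity from one
# campaign cluster (e.g. C2 check-ins or build times). Nine events fall on
# weekdays; the last one is a Saturday.
SAMPLE_EVENTS_UTC = [
    "2024-03-04T01:12:00Z", "2024-03-04T02:30:00Z",  # Mon
    "2024-03-05T03:45:00Z", "2024-03-05T05:10:00Z",  # Tue
    "2024-03-06T06:20:00Z", "2024-03-06T07:55:00Z",  # Wed
    "2024-03-07T08:40:00Z",                          # Thu
    "2024-03-08T09:15:00Z", "2024-03-08T09:50:00Z",  # Fri
    "2024-03-09T03:00:00Z",                          # Sat
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_working_window(local: datetime) -> bool:
    """True when a local-time event sits inside Monday-Friday working hours."""
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def score_offsets(events_utc, offsets=range(-12, 15)):
    """For each candidate UTC offset, count the events inside the working window."""
    events = [parse_utc(t) for t in events_utc]
    scores = {}
    for off in offsets:
        tz = timezone(timedelta(hours=off))
        scores[off] = sum(in_working_window(e.astimezone(tz)) for e in events)
    return scores


def working_hours_assessment(events_utc):
    """Return the best-fitting offset together with the facts an analyst needs
    to judge how discriminating this evidence line actually is."""
    scores = score_offsets(events_utc)
    best = max(scores, key=scores.get)
    tz = timezone(timedelta(hours=best))
    local_hours = Counter(parse_utc(t).astimezone(tz).hour for t in events_utc)
    # Offsets scoring within one event of the best cannot be excluded by this
    # evidence alone (assumed tolerance); the assessment must say so. Timestamps
    # can also be deliberately shaped, so this is one line of evidence, not a verdict.
    competing = sorted(o for o, s in scores.items() if o != best and s >= scores[best] - 1)
    return {
        "utc_offset": best,
        "in_window": scores[best],
        "total": len(events_utc),
        "competing_offsets": competing,
        "local_hour_histogram": dict(sorted(local_hours.items())),
    }


if __name__ == "__main__":
    result = working_hours_assessment(SAMPLE_EVENTS_UTC)
    print(f"best fit UTC{result['utc_offset']:+d}: "
          f"{result['in_window']}/{result['total']} events in working hours; "
          f"cannot exclude offsets {result['competing_offsets']}")
```

On the constructed sample the best fit is UTC+8 with nine of ten events in window, but UTC+7 scores eight, which is why the function returns the competing offsets rather than a single answer: the confidence statement in the finished product should reflect that spread.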
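Module 10's practical asks for a completed attribution assessment expressed as a STIX 2.1 bundle. The Python below is an added example written for this page, not the course's lab material and not built on the `stix2` library: using only the standard library it turns a constructed assessment (an intrusion set, two indicators, a stated confidence) into a bundle of SDOs and SROs, then runs the consistency checks a TAXII recipient would expect to pass (well-formed IDs, common properties present, every reference resolving inside the bundle). The cluster name, patterns and statement marking are placeholders; the Low/Medium/High-to-numeric confidence mapping is an assumption taken from the STIX 2.1 confidence scales; TLP markings use spec-fixed IDs and are deliberately left out here.

```python
import json
import re
import uuid

STIX_ID = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
# Assumption: Low/Med/High scale from the STIX 2.1 confidence annex.
CONFIDENCE = {"low": 15, "medium": 50, "high": 85}
CREATED = "2024-03-10T12:00:00.000Z"  # fixed timestamp so the bundle is reproducible

# Constructed assessment (not real intelligence): a campaign cluster, the
# evidence lines behind it, and the analyst's stated confidence.
SAMPLE_ASSESSMENT = {
    "cluster": "CONSTRUCTED-CLUSTER-1",
    "aliases": ["Cluster C1 (placeholder)"],
    "summary": "Assessed with medium confidence on infrastructure reuse and working-hours overlap.",
    "confidence": "medium",
    "indicators": [
        ("C2 domain (constructed)", "[domain-name:value = 'update-check.invalid']"),
        ("Dropper hash (placeholder)", "[file:hashes.'SHA-256' = '" + "00" * 32 + "']"),
    ],
}


def new_id(obj_type: str) -> str:
    """STIX identifier: <type>--<UUIDv4>."""
    return f"{obj_type}--{uuid.uuid4()}"


def sdo(obj_type: str, **props) -> dict:
    """Common STIX 2.1 SDO/SRO properties plus the type-specific ones."""
    return {"type": obj_type, "spec_version": "2.1", "id": new_id(obj_type),
            "created": CREATED, "modified": CREATED, **props}


def build_attribution_bundle(a: dict) -> dict:
    # Statement marking used instead of TLP (TLP markings have spec-fixed IDs).
    marking = {"type": "marking-definition", "spec_version": "2.1",
               "id": new_id("marking-definition"), "created": CREATED,
               "definition_type": "statement",
               "definition": {"statement": "Constructed training data; course participants only."}}
    mark = {"object_marking_refs": [marking["id"]]}
    conf = CONFIDENCE[a["confidence"]]
    cluster = sdo("intrusion-set", name=a["cluster"], aliases=a["aliases"],
                  description=a["summary"], confidence=conf, **mark)
    objects = [marking, cluster]
    for name, pattern in a["indicators"]:
        ind = sdo("indicator", name=name, pattern=pattern, pattern_type="stix",
                  indicator_types=["malicious-activity"], valid_from=CREATED, **mark)
        # SRO linking evidence to the cluster; confidence travels with the link.
        rel = sdo("relationship", relationship_type="indicates",
                  source_ref=ind["id"], target_ref=cluster["id"], confidence=conf, **mark)
        objects += [ind, rel]
    report = sdo("report", name=f"Attribution assessment: {a['cluster']}",
                 report_types=["threat-report"], published=CREATED, confidence=conf,
                 object_refs=[o["id"] for o in objects], **mark)
    objects.append(report)
    return {"type": "bundle", "id": new_id("bundle"), "objects": objects}


def validate_bundle(bundle: dict) -> list:
    """Return a list of problems; an empty list means the bundle is internally consistent."""
    problems = []
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for o in objects:
        oid = o.get("id", "<missing>")
        if not STIX_ID.match(oid) or not oid.startswith(o.get("type", "") + "--"):
            problems.append(f"{oid}: malformed id or id/type mismatch")
        required = {"spec_version", "created"}
        if o.get("type") != "marking-definition":  # marking definitions are immutable
            required.add("modified")
        for prop in required - set(o):
            problems.append(f"{oid}: missing {prop}")
        if "confidence" in o and not 0 <= o["confidence"] <= 100:
            problems.append(f"{oid}: confidence out of range")
        for key, value in o.items():
            refs = value if key.endswith("_refs") else ([value] if key.endswith("_ref") else [])
            for ref in refs:
                if ref not in ids:
                    problems.append(f"{oid}: {key} points at {ref}, which is not in the bundle")
    return problems


if __name__ == "__main__":
    bundle = build_attribution_bundle(SAMPLE_ASSESSMENT)
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle) or "none")
```

The validation step is the part worth keeping in a real pipeline: a bundle that references objects it does not carry will be rejected or silently degraded by the receiving TAXII server, and a dangling `object_refs` entry in the report is an easy mistake when objects are assembled by hand.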

## Exam & certification

You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.

## Delivery options

- **Live Online** — Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
- **Onsite Training** — We come to you. Training delivered at your workplace for teams of 6 or more.
- **Venue-Based** — Classroom training at a professional venue. Ideal for focused, immersive learning.
- **Blended** — Combine online and in-person learning for maximum flexibility and impact.

## Frequently asked questions

**Who is this course designed for?**

Senior threat intelligence analysts, CTI team leads, government intelligence professionals, and CISO advisory teams responsible for producing and directing finished intelligence products that drive strategic security decisions.

**What experience level is required?**

A minimum of three years in threat intelligence, SOC operations, or incident response is expected. This is an advanced programme that builds on practitioner-level knowledge and is not suitable as a first introduction to threat intelligence.

**How does this differ from the threat actor profiling foundation course?**

This programme develops the analytical methodology and intelligence production skills of a senior intelligence professional. It focuses on structured attribution, finished intelligence production, dark web tradecraft, and programme management rather than actor awareness.

**What do I leave with?**

A Certificate of Achievement, a complete finished intelligence assessment from the capstone, a STIX 2.1 structured intelligence bundle, a Maltego actor infrastructure graph, and a personal development action plan.

**Does this course need an exam?**

No. Assessment is through structured exercises and the four-hour capstone. Completion requires full attendance and delivery of the capstone finished intelligence product and briefing.

## Course at a glance

| Field | Value |
| --- | --- |
| Code | CYB-0160 |
| Duration | 4 days |
| Level | Professional |
| Track | Cyber Warfare & Advanced Threat Defence |
| Category | Cybersecurity & Ethical Hacking |
| Credential tier | tier1 |
| Price (GBP) | £4995 |

---

## About this content

This Markdown course profile is the citation-grade twin of [Threat Intelligence Analysis and Attribution Tradecraft](https://xcademia.com/courses/threat-intelligence-analysis-and-attribution-tradecraft). It is published by **Xcademia** (UK Companies House 12322710) and is available for AI search engines and large language models to index, summarise, and cite.

When citing or quoting, please attribute *Xcademia* and link back to the source URL above.

- Source: https://xcademia.com/courses/threat-intelligence-analysis-and-attribution-tradecraft
- Publisher: Xcademia — https://xcademia.com
- Catalogue index: https://xcademia.com/llms-full.txt
