5-Day Instructor-Led Programme
The XCTI Certification Programme is the practitioner standard for cyber threat intelligence analysts who collect, analyse, and produce actionable intelligence that informs strategic, operational, and tactical security decisions across enterprise and government environments. Participants are assessed on Day 6 through a supervised intelligence report production exercise: no multiple choice, no exam, no question bank.
Duration
5 Days
Price
$4,995
Cyber threat intelligence is not threat feeds. It is not a dashboard. It is not a daily digest of CVEs. Real CTI is the product of a structured intelligence process that answers specific questions for decision-makers — from the SOC analyst who needs to know which TTPs a threat actor is using today, to the CISO who needs to understand the strategic risk landscape for a board presentation. XCTI is built for analysts who want to produce intelligence that actually changes decisions.
Across six instructor-led days, participants build capability across the complete CTI lifecycle: intelligence requirements definition, OSINT collection methodology, the dark web and technical intelligence sources, threat actor profiling and attribution methodology, malware-derived intelligence, STIX 2.1 and TAXII 2.1 for structured intelligence sharing, CTI platform operations, and intelligence production across strategic, operational, and tactical levels. Every session is grounded in real threat actor profiles, real intelligence sources, and real intelligence products.
On Day 6, participants produce a structured intelligence report on a designated threat actor profile using the collection methodology and tools covered across Days 1–5. A senior CTI practitioner assesses collection methodology, analytical rigour, source handling, and intelligence product quality. The XCTI certificate and Practitioner Assessment Report are issued together. The programme is aligned with MITRE ATT&CK v14, STIX/TAXII, TLP 2.0, NIST SP 800-150, UK National Cyber Security Strategy, and NATO MISP.
Hands-on OSINT collection, dark web monitoring, MITRE ATT&CK threat actor profiling, STIX 2.1 object creation, MISP platform operations, malware sandbox analysis for IOC extraction, and structured intelligence report production.
Mentor-led sessions covering real threat actor campaigns from current intelligence, analytical tradecraft (structured analytical techniques), source credibility assessment, and intelligence-to-decision communication.
Produce actionable strategic, operational, and tactical threat intelligence that informs SOC operations, executive risk decisions, and security programme prioritisation — from raw collection through to finished intelligence product.
Define intelligence requirements and design collection plans aligned to Priority Intelligence Requirements for enterprise and government security programmes
Conduct OSINT collection and dark web monitoring using structured methodology and appropriate source handling standards
Profile threat actors using MITRE ATT&CK, the Diamond Model, and structured attribution methodology with appropriate confidence grading
Produce STIX 2.1 intelligence objects and operate MISP and OpenCTI platforms for structured intelligence sharing
Analyse malware samples and technical indicators to extract intelligence supporting threat actor attribution and defensive recommendations
Produce intelligence products across strategic, operational, and tactical levels that demonstrably inform security programme and executive decision-making
Minimum 12 months in a SOC, threat hunting, security operations, or intelligence analysis role
Basic understanding of malware behaviour, network protocols, and threat actor concepts
Familiarity with MITRE ATT&CK framework and SIEM-based alert analysis
Choose the learning format that works best for you and your team
Instructor-Led Training
Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
Price per person
Group enrolments and early planning options available.
All prices are exclusive of VAT where applicable. Group enrolments and custom packages available on request.
Not everyone learns best in a group. If you want focused guidance, faster clarity, and confidence you can use on the job, our 1-to-1 Fast-Track Training gives you private, mentor-led support tailored to your experience and goals.
"Many learners choose 1-to-1 when they want understanding, not memorisation."
Credential
On successful completion of Xcademia Cyber Threat Intelligence Practitioner, learners receive an Xcademia Certificate of Completion. This standalone certificate is issued directly by Xcademia and recognised by employers across the UK defence and security sector.
Everything you need to know about the certification exams
You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.
Everything you need to know about this course
SANS GCTI is a course costing approximately $8,780 followed by a $999 exam — nearly $10,000 total. XCTI is 6 instructor-led days ending in a supervised intelligence report production exercise on Day 6. The practitioner assesses collection methodology, analytical rigour, source handling, and the quality of the finished intelligence product. Less than half the total GCTI cost, and the assessment evaluates actual intelligence production — not MCQ recall.