---
url: "https://xcademia.com/courses/xcti-xcademia-cyber-threat-intelligence-practitioner"
title: "XCTI: Xcademia Cyber Threat Intelligence Practitioner "
description: "Earn XCTI through a 6-day CTI programme. STIX/TAXII, MISP, OpenCTI, Diamond Model, MITRE ATT&CK. GCTI alternative UK. Practitioner-assessed. No MCQs. "
publishedAt: "2026-04-20T07:26:15.236911+00:00"
updatedAt: "2026-04-20T11:20:17.012799+00:00"
type: course
code: "CYB-0348"
level: Expert
duration_days: "6"
track: "SOC Analyst & Threat Hunting"
category: "Cybersecurity & Ethical Hacking"
credential_tier: tier1
price_gbp: "3995"
---

# XCTI: Xcademia Cyber Threat Intelligence Practitioner 

> The XCTI Certification Programme is the practitioner standard for cyber threat intelligence analysts who collect, analyse, and operationalise intelligence across strategic, operational, and tactical layers, producing intelligence products that drive measurable security improvement across SOC operations, incident response, and executive decision-making.   Assessed on Day 6 through a supervised intelligence analysis exercise producing a professional threat intelligence report. No MCQs. No closed-book exam.

## Overview

Cyber threat intelligence is the difference between reacting to attacks and anticipating them. The CTI analyst who can only consume threat feeds is not performing intelligence: they are performing data management. Real threat intelligence requires hypothesis formation, structured analytic technique application, source evaluation, confidence grading, and intelligence product development that actually changes defensive decisions. The GCTI from SANS is the most respected CTI certification, but it is a 115 to 118 question MCQ exam. XCTI is built for analysts who want to demonstrate they can produce intelligence, not pass a test. 

Across six instructor-led days, participants build CTI capability across the complete intelligence lifecycle: intelligence requirements and planning, OSINT collection methodology, STIX 2.1 and TAXII 2.1 standards, MISP and OpenCTI platform operations, threat actor profiling and campaign analysis, dark web intelligence collection in authorised environments, the Diamond Model and Cyber Kill Chain for intrusion analysis, strategic and geopolitical threat intelligence, intelligence product development for different audiences, and CTI integration into SOC operations and incident response. 

On Day 6, participants receive a raw intelligence collection package (OSINT artefacts, malware reports, network indicators, and industry reports) and must produce a complete threat intelligence product: a threat actor profile with campaign attribution, MITRE ATT&CK heat map, IOC list, and an executive summary and technical annex. A senior practitioner assesses analytical rigour, structured technique application, and product quality. XCTI certificate and Practitioner Assessment Report issued together.

## Prerequisites

- Minimum 12 months in a SOC, DFIR, threat hunting, or security analysis role with exposure to threat intelligence concepts 
- Working knowledge of MITRE ATT&CK framework and basic familiarity with at least one SIEM platform
- Basic understanding of malware types, C2 communications, and common adversary TTPs

## What you will learn

- Apply the intelligence lifecycle to CTI operations including requirements management, collection planning, and systematic feedback collection
- Conduct OSINT collection using passive infrastructure analysis tools and apply structured analytic techniques to produce high-confidence threat assessments
-   Operate MISP and OpenCTI platforms for threat actor profiling, IOC lifecycle management, and intelligence sharing using STIX 2.1 and TAXII 2.1
-   Apply the Diamond Model and MITRE ATT&CK to produce threat actor profiles with attribution confidence grading and campaign timeline analysis
- Produce professional threat intelligence products for strategic, operational, and tactical audiences including executive briefings and technical threat advisories
- Integrate CTI outputs into SOC detection engineering, SIEM enrichment, and SOAR automation to deliver measurable security improvement

## Skills you will gain

- Intelligence lifecycle and requirements management
- OSINT collection (Maltego/Shodan/Censys)
- STIX 2.1 and TAXII 2.1
- MISP platform operations
- OpenCTI threat actor profiling
- Diamond Model intrusion analysis
- Cyber Kill Chain analysis
- Threat actor profiling and attribution
- Dark web intelligence collection
- Strategic CTI product development
- IOC lifecycle management
- CTI integration into SOC and SOAR

## Career progression

- Cyber Threat Intelligence Analyst
- Threat Intelligence Lead
- SOC L3 Analyst (CTI)
- Incident Responder (CTI)
- Strategic Threat Analyst
- Red Team Intelligence Analyst

## Framework alignment

- MITRE ATT&CK v14
- Diamond Model
- Cyber Kill Chain
- STIX 2.1 and TAXII 2.1
- TLP 2.0
- MISP Project
- OpenCTI
- OSINT Framework

## Curriculum

1. **Module 1**
2. **Module 2**
3. **Module 3**

## Exam & certification

You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.

## Delivery options

- **Live Online** — Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
- **Onsite Training** — We come to you. Training delivered at your workplace for teams of 6 or more.
- **Venue-Based** — Classroom training at a professional venue. Ideal for focused, immersive learning.
- **Blended** — Combine online and in-person learning for maximum flexibility and impact.

## Frequently asked questions

**How does XCTI compare to SANS FOR578 (GCTI)?**

SANS FOR578 costs approximately $9,000 total including training and the GCTI exam (115 to 118 MCQs, 3 hours, closed-book). XCTI is 6 instructor-led days ending in a supervised intelligence analysis exercise on Day 6 where participants receive raw intelligence collection data and must produce a professional threat intelligence product. The Practitioner Assessment Report documents analytical capability and product quality. Less than half the GCTI total cost. 

**What MISP and OpenCTI skills will participants develop?**

MISP: instance configuration, event creation, attribute tagging with MISP taxonomies and ATT&CK galaxies, external feed integration, and synchronisation with community MISP instances. OpenCTI: entity creation, threat actor profiling, campaign tracking, connector ecosystem integration (VirusTotal, Shodan, MISP), and intelligence report production. Both platforms are used throughout Days 3 and 4 with real intelligence scenarios. 

**Does XCTI cover dark web intelligence?**

Yes. Day 4 covers dark web monitoring in authorised environments: Tor network architecture, .onion domain types relevant to CTI, ransomware group tracking on leak sites, credential leak monitoring, and dark web OPSEC for analysts. All dark web exercises use authorised access to Tor-accessible resources in isolated environments with appropriate legal and operational guidance. 

**How does XCTI integrate with SOC operations?**

Day 5 covers CTI-SOC integration in depth: translating threat actor TTPs into Sigma rules, using the ATT&CK heat map to identify SIEM detection gaps, IOC operationalisation into SIEM and EDR blocklists, SOAR integration for automated alert enrichment, and the feedback loop that keeps CTI requirements aligned with SOC detection findings. Participants leave able to operationalise intelligence, not just produce it.

**What career paths does XCTI support?**

Cyber Threat Intelligence Analyst: £50,000 to £90,000 UK. Threat Intelligence Lead: £70,000 to £110,000. Strategic Threat Analyst: £65,000 to £100,000. CTI Consultant: £700 to £1,200 per day. The Practitioner Assessment Report documents intelligence production capability that no MCQ exam can evidence.

## Course at a glance

| Field | Value |
| --- | --- |
| Code | CYB-0348 |
| Duration | 6 days |
| Level | Expert |
| Track | SOC Analyst & Threat Hunting |
| Category | Cybersecurity & Ethical Hacking |
| Credential tier | tier1 |
| Price (GBP) | £3995 |

---

## About this content

This Markdown course profile is the citation-grade twin of [XCTI: Xcademia Cyber Threat Intelligence Practitioner ](https://xcademia.com/courses/xcti-xcademia-cyber-threat-intelligence-practitioner). It is published by **Xcademia** (UK Companies House 12322710) and is available for AI search engines and large language models to index, summarise, and cite.

When citing or quoting, please attribute *Xcademia* and link back to the source URL above.

- Source: https://xcademia.com/courses/xcti-xcademia-cyber-threat-intelligence-practitioner
- Publisher: Xcademia — https://xcademia.com
- Catalogue index: https://xcademia.com/llms-full.txt