CREST Practitioner Threat Intelligence Analyst (CPTIA)

CPTIA Overview

The CREST Practitioner Threat Intelligence Analyst examination is the first certification in the CREST Threat Intelligence pathway. It proves the CTI analyst holds the fundamental skills and knowledge of both contextual analysis (focusing on social, cultural and geopolitical elements) and technical analysis (analysis of data relating to Indicators of Compromise, or IOCs).

A practitioner level Cyber Threat Intelligence Analyst is responsible for the collection and analysis of data, information and intelligence in order to generate threat intelligence outputs.

Practitioner - Competent to conduct routine assignments under supervision in a structured environment.

CPTIA Syllabus

The CREST examination syllabus for CPTIA is broken down into 6 key areas, running from appendix A through to F. Within each appendix CREST defines a number of topics that should be covered.

The key concepts underlying intelligence-led cyber threat assessments.

A1 - Objectives of Threat Intelligence
Understand the key reasons why an organisation would want TI and how they would use it.
A2 - Terminology
Demonstrate familiarity with commonly used terms relating to TI and intelligence processes.
A3 - Threat Actor Types / Definitions
Be able to distinguish between different threat actors and their likely objectives.
A4 - Threat Vector & Vulnerability Types
Understand the definition of a threat vector, and demonstrate knowledge of key threat vectors. Understand the definition of a vulnerability and demonstrate knowledge of common vulnerability types.
A5 - The Intelligence Cycle
Be able to name the stages of the cycle, and explain the key processes that occur at each stage.
A6 - Analytic Models
Know the components of the Diamond Model, and understand the relationship between them.
Be aware of the meta-features of the model and be able to interpret them.
A7 - Attack Lifecycle
Understand the lifecycle of a typical attack, for example using a model such as the “Cyber Kill Chain”.
A8 - Understanding Risk
Demonstrate an understanding of the relationship between threat, capability, intent, and motivation.

Understanding how the direction and review processes influence the analyst’s workflow

B1 - Developing Terms of Reference
Be able to list the elements included in a typical Terms of Reference.
Know why Terms of Reference are important to have before beginning a job.
B2 - Importance of Project Review
Be aware of the criteria used to assess intelligence output (for example Timeliness / Accuracy / Presentation / Answering the IR etc.).
Understand why it is important to seek feedback on outputs.
B3 - Dealing with Intelligence Gaps
Know what an intelligence gap is, and how to identify one.
Be able to identify likely sources of information to fill an intelligence gap.

Collection of data relevant to a customer’s intelligence requirements and turning it into a format suitable for analysis.

C1 - Function & Use of a Collection Plan
Know the key component parts of a collection plan and be able to interpret it effectively.
C2 - Use of a Collection Worksheet
Understand the benefit / necessity of recording collection activity.
Know what information a collection worksheet should contain (for example what sources were checked, what search terms were used, when, etc.)
C3 - Types of Sources
Understand different types of source and their broad classifications (HUMINT, OSINT, etc.).
C4 - Source Reliability and Grading
The ability to interpret source reliability grading / information reliability grading (based on the UK 5x5x5 model).
C5 - Specific Sources
Know what information can be obtained from typical technical sources such as WHOIS, DNS, malware analysis, social media, document metadata etc.
Understand the format of data and be able to interpret it accurately.
C6 - Boolean Search Strings
Ability to combine Boolean operators to form a precise search, as used by many search engines and proprietary products.
C7 - Basic Source Analysis
Understand reasons why some online sources are likely to be biased / inaccurate.
C8 - Operational Security (OPSEC)
Understand requirement for OPSEC and potential implications of failure.
Knowledge of anonymization tools such as Tor and i2p.
Understand the requirement to separate personal web use from work collection.
Know the appropriate course of action in the event of an OPSEC breach.

Understanding common approaches to analysis and potential pitfalls.

D1 - Hypothesis Testing
Ability to outline steps required to prove / disprove a hypothesis.
D2 - Facts, Assumptions, Premises & Inferences
Distinguish between facts and assumptions.
Make a logical inference from available premises.
Understand the requirement to identify assumptions and assessments as different from fact.
D3 - Expressing Likelihood / Certainty
Understand applicability of terms such as ‘possible’, ‘likely’ and ‘highly likely’.
D4 - Circular Reporting
Know what circular reporting is, and suggest ways in which it can be avoided.
Understand the importance of managing sources effectively to prevent this occurring.
D5 - Cognitive Biases
Identify some of the major types of bias that can affect intelligence analysis.
Know common ways in which analysts attempt to counter common biases.
D6 - Analytical Techniques
Be able to interpret data in graphical format, for example:
  • A network diagram
  • A timeline
  • A histogram
  • A scatterplot
  • A time series graph

Methods for disseminating intelligence product to consumers and for sharing intelligence with trusted members of the wider intelligence community

E1 - Structured / Machine Readable TI
Knowledge of STIX, CYBOX and TAXII and how they relate to each other.
Knowledge of the content and format of different types of STIX message.
Understanding of the advantages / disadvantages of machine readable TI.
E2 - Unstructured / Human Readable TI
Understanding of the key advantages / disadvantages of spoken and written dissemination.
Ability to select an appropriate dissemination mechanism, for example written product vs. verbal briefings.
Understanding of importance of accuracy, brevity, clarity.
E3 - Intelligence Sharing
Understanding of ‘Need to Know’ and ‘Need to Share’ concepts.
Ability to identify information that can / cannot be shared publicly.
Knowledge of common intelligence sharing initiatives.

Legal and ethical considerations arising from conducting intelligence-led engagements.

F1 - Understanding Requirement for Adherence to Legal / Ethical Standards
Identify examples of illegal and unethical behaviour.
Demonstrate understanding of repercussions of illegal / unethical behaviour.
F2 - Handling of Classified Material
Understand GPMS classifications and their meanings.
Understand the implications of breaching GPMS.
Demonstrate the correct course of action in the event of a breach of GPMS handling.
F3 - Key Legislation Pertaining to Intelligence Collection in the UK
Demonstrate working understanding of the constraints on intelligence collection operations imposed by:
  • Computer Misuse Act 1990
  • Human Rights Act 1998
  • Data Protection Act 1998
  • Police and Justice Act 2006
  • Official Secrets Act 1989
  • Telecommunications (Lawful Business Practice) (Interception of Communications) 2000
  • Regulation of Investigatory Powers Act 2000
  • Bribery Act 2010
  • Proceeds of Crime Act 2002
F4 - Dealing With Legal / Ethical Uncertainty
Know appropriate action if given a task of questionable legality / ethics.
F5 - CREST Code of Conduct
Demonstrate understanding of code as it applies to the individual.

CPTIA Examination

The CREST Practitioner Threat Intelligence Analyst (CPTIA) exam is a 2-hour, computer-based, 120-question, multiple-choice test taken in a Pearson Vue testing centre.

CREST use Pearson Vue test centres to ensure examinations are proctored correctly and in line with their standards. We highly recommend checking where your local Pearson Vue testing centre is in your country. To book your exam, go to the Pearson Vue website and navigate to the "For Test-Takers" section. Here you will be able to search for CREST and find your examination listed. If you haven't already done so, you will be asked to create an account to proceed with your booking.

CPTIA Training Provider

Given that you have landed on the arcX website, you have probably guessed by now that we do deliver a CPTIA training course; we just call it something different. The arcX Cyber Threat Intelligence Practitioner course is a CREST accredited training course delivering the whole CREST PTIA syllabus.

Cyber Threat Intelligence Practitioner

Develop fundamental skills and knowledge to operate as a Cyber Threat Intelligence Analyst. Learn to contribute towards intelligence projects, gather intelligence requirements, formulate collection plans, and produce actionable intelligence.

  • 25+ hours of training content
  • CREST accredited CPTIA course
  • 48 units covering over 120 concepts
  • Includes 17+ hours of video training
  • arcX final exam with free re-test included
  • 100% Online and on-demand self-study course
  • 21 engaging exercises
  • 500+ practice questions