Intelligence Tradecraft

CyberDefenses Academy



Available Upon Request


Available Upon Request

Delivery Method

Classroom & Online


Certification of Completion

Audience / Level



Analysis and Profiling, Threat Hunting News and Public Information Analysis


Laptop required

Course Details

Program Introduction

This course is split into two sessions that can be taken independently or together. The first two-day session covers the collection and transformation of information, both internally and externally, that is required for a successful Threat Intelligence pursuit. The second two-day session dives into analysis, profiling, investigation and reporting of that information.

In this “Part A” of the course, students learn the focus areas for threat intelligence collection, both internal and external. Deep pockets of information exist internally and, when combined with the depth of external sources, provide a rich palette with which to paint current events and threats. Students learn where to find that information, how and what to collect from the data, and then how to deduplicate, connect, add context, set confidence and pivot (C3P), and store the data in order to process and apply it.

In this “Part B” of the course, students turn their focus to analysis, investigation, profiling and reporting. Students are taught structured analytic techniques to profile, investigate and understand the information they learned to collect in “Part A” of the course. They also receive a grounding in risk signals and indicators in information in market verticals, against an organization or threat groups. Deeper dossiers of information on threats are discussed and built, including file, DNS, and operation corpus for adversaries. Lastly, students learn effective reporting strategies to communicate and disseminate information through briefs, reviews, case studies and reports.

Course Objectives

  • It is designed for those with an interest in employing Threat Intelligence to deter, mitigate and understand threats.
  • It conveys the necessary concepts, principles and terms to lay down a solid foundation.
  • It is a ranged class that starts at an introductory level and proceeds into intermediate concepts.

Target Student

  • Individuals new to or desiring a better understanding of Threat Intelligence concepts.
  • Professionals who deal with technical issues but feel they do not have enough background in Threat Intelligence.
  • Technical professionals who need to be armed with greater knowledge of incident response, Threat Intelligence and their role in resolving incidents.


Monty St John
Monty St John is a computer science and information security expert, U.S. Navy and U.S. Air Force veteran, certified instructor, and author of dozens of classes for CyberDefenses. He has helped numerous companies build and accredit laboratories, threat teams, and security operations centers. He’s also a prolific writer, with two upcoming technical volumes set for 2018, as well as a game designer and speaker.

Additional Information

  • Laptop required
  • Requires basic knowledge of computers, technology and command line interface (CLI)
    • Open and operate browsers
    • Find and use command line
    • Execute scripts
  • Requires knowledge of Linux
  • Requires basic knowledge of Python
  • Understanding of virtual machines (VM) and how to use one.
    • Understand how to import and power on a VM

Course Outline

Part A
  • Introduction
  • Defining the Threat
    • What they want
    • How they will get it
    • What they leave behind
  • Threat Structure Components
    • Organization
    • Assets
    • Members
    • Motivations
  • Attacker Core Steps
  • Collection Methodologies
  • White versus Red Information
  • Internal Collection Targets
  • External Collection Targets
  • Storage
  • Automation
  • Transformation
    • Connect data, add Context, set Confidence & Pivot (C3P)
    • Visualize, Graph and Chart
    • Geometry, Constellations, Twisting
  • Structural Iteration and Linking
  • Q&A
Part B
  • Introduction
  • Profiling, Research, Investigation, Analysis (PRIA)
    • Pitfalls & Cautions
    • Handling Bias
    • Echo Effect
  • Structured Analysis Techniques
    • Strategies of Use
    • Diagnostic
    • Contrarian
    • Imaginative
  • Reviews
    • Narrative
    • Systemic & Meta-analysis
  • Risk Signals & Indicators
  • Core Step Identification
  • Campaign Attribution
  • Dimensions of Time
  • Profiling
  • Communication
    • Briefs
    • Reports
    • Case Studies
    • Reviews
Note: Each hour of this course follows a pattern of 5 minutes of instructor discussion, 10 minutes of classroom discussion, and 45 minutes of lab work.