Build core CTI skills through expert-led instruction, labs, and panel discussions on program architecture, research, workflows, and stakeholder support.

FOR478 provides a foundational understanding of Cyber Threat Intelligence (CTI) and its role within enterprise, government, and vendor contexts. It focuses on CTI program architecture, operationalized workflows, and delivering actionable insights to stakeholders. Expert-led panel discussions on CTI operations and labs complement course instruction.

▐ The course takes a structured approach to help students develop a full understanding of CTI operational realities while building core skills essential for navigating a career in CTI.
▐ The course labs replicate professional workforce expectations, requiring students to perform threat research and develop finished intelligence products that reflect realistic stakeholder requests.
▐ Students will also be provided a library of production-ready CTI program templates, ensuring immediate utility for analysts upon returning from training.

Syllabus Summary

SECTION 1: Foundational Elements of a CTI Program

Day 1 establishes CTI as a customer-centric service designed to drive organizational decision-making against cyber security and business objectives, moving beyond the reductive notion that threat intelligence is solely a data feed. The material then grounds CTI research and analytic production in core frameworks including the Intelligence Lifecycle and the OODA loop before deconstructing CTI program elements, the evolution of the discipline, and the analyst’s operational workbench.

The course exposes students to the operational expectations and frequent pain points when supporting cybersecurity and risk stakeholder teams. By analyzing common stakeholder objectives, workflows, and vernacular, students gain the critical framing necessary to anticipate customer needs.
This alignment empowers analysts, and the broader intelligence program, to develop strategic partnerships and deliver high-impact support across the organization.

SECTION 2: Cyber Threats and Stakeholder Workflows

Students develop a baseline for analyzing threat actor activity while learning about the risks and rewards of publicly publishing threat research. This includes understanding personal security considerations with potential societal impact. This section also covers effective approaches for collaborating with journalists to amplify research, build personal brand, and drive thought leadership.

The course concludes with a deep dive into the specific roles and responsibilities of security and risk teams that comprise strategic, operational, and tactical stakeholder audiences. The day concludes by revisiting stakeholder types, focusing on the role profiles for each team within the strategic, operational, and tactical stakeholder categorization. Job profiles are created outlining their remit, workflows, and integration points for CTI analysts.

FOR478: Cyber Threat Intelligence Foundations™

CURRICULUM: DFIR & Threat Hunting

2 Day Course
12 CPEs
8 Labs

You Will Be Able To

▐ Architect an effective CTI program that aligns service support to organizational needs
▐ Manage requirements and build an actionable ICP that maps telemetry to stakeholder needs
▐ Baseline threat actor history to contextualize evolving adversary goals and tactics
▐ Analyze how geopolitical drivers and past adversary operations shape your threat landscape
▐ Produce finished intelligence products that meet the standards employers and stakeholders expect
▐ Apply intelligence tradecraft, CTI frameworks, and AI-assisted workflows used by working analysts
▐ Map your professional skills to a career plan aligned with current industry needs

Who Should Attend

▐ Aspirant or current CTI analysts who want to understand industry state of play, how CTI programs are structured, and how to shore up foundational practices, methodologies, or tool use
▐ Incident Responders who want to understand how CTI can assist their hunt efforts and work better with CTI peers
▐ SOC Analysts who want to understand how geopolitical dynamics impact cyber threat activities and explore natural career pathways into CTI
▐ Military, civilian intelligence, and law enforcement agents who require a baseline understanding of working cyber threats in public or private sector roles
▐ Business, systems, and risk (GRC) analysts who want to expand their job prospects in CTI and understand which skills are transferable
▐ Data scientists and intelligence engineers who need to understand CTI data, tooling, and which workflow elements can be automated

For detailed course description, visit SANS.ORG/FOR478

WAYS TO TAKE FOR478

▐ Live Online
▐ In-Person
▐ OnDemand

Course Author: John Doyle