Learning Track · 15 modules

Cyber Threat Intelligence

OSINT, ATT&CK, Pyramid of Pain, and intel-driven hunting — actionable CTI.

Why this track

This track walks you from fundamentals through advanced techniques across 15 practitioner modules: the same body of knowledge senior security professionals build over years, structured for self-paced progression with India-specific context throughout.

Prerequisite: See module 1 for entry context. Most modules are self-contained but follow the suggested sequence for best results.
Modules: 15
Total time: 11.2 h
Free modules: 15
Quiz retries
Difficulty mix: Beginner 2 · Intermediate 9 · Advanced 3 · Expert 1

Module sequence

M1
Cyber Threat Intelligence Fundamentals
Four levels of intelligence, the intelligence cycle, sources, attribution, Diamond Model, and metrics that track real value.
Beginner 60 min
M2
OSINT Collection for CTI
Search operators, Shodan, Censys, subdomain enumeration, GitHub dorking, dark-web research, tradecraft OpSec.
Intermediate 90 min
M3
Pyramid of Pain & IOC Lifecycle
Bianco's Pyramid of Pain, IOC lifecycle, 90-day rule, TTP-focused detection priorities.
Intermediate 90 min
M4
MITRE ATT&CK in Operations
ATT&CK taxonomy, tactics and sub-techniques, Navigator for coverage mapping, detection-as-technique, D3FEND.
Advanced 120 min
M5
Intel-Driven Threat Hunting
From threat report to hunt hypothesis to SIEM query to finding. KQL/SPL examples, triage, pivoting, documentation.
Expert 150 min
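The report-to-finding loop M5 describes, as an added example that is not RingSafe Academy code: a hypothesis taken from a vendor report ("the actor's maldoc spawns rundll32.exe loading a DLL from a user-writable path", ATT&CK T1218.011 delivered via T1566.001) is run as a query over constructed process-creation events, a broad pass shows how noisy the path condition alone is, the narrow pass adds the Office-parent condition, and a pivot on the hit pulls sibling processes from the same parent. Hostnames, users, paths and the events themselves are invented; field names follow Sysmon Event ID 1. The same predicate written in KQL or SPL is the SIEM query; here it runs offline.

```python
"""Intel-driven hunt: report -> hypothesis -> query -> triage -> pivot (added example)."""
import re
from datetime import datetime, timedelta

HYPOTHESIS = ("Office process spawns rundll32.exe that loads a DLL from a "
              "user-writable path (report TTP: T1218.011 via T1566.001)")

# Constructed events shaped like Sysmon EID 1 records (naive ISO timestamps).
EVENTS = [
    {"UtcTime": "2024-05-20T09:12:03", "Computer": "WS01", "User": "CORP\\asha",
     "ParentProcessId": 4120, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\asha\\AppData\\Local\\Temp\\invoice.dll,Start"},
    {"UtcTime": "2024-05-20T09:12:41", "Computer": "WS01", "User": "CORP\\asha",
     "ParentProcessId": 4120, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"UtcTime": "2024-05-20T09:30:00", "Computer": "WS01", "User": "CORP\\asha",
     "ParentProcessId": 1880, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"UtcTime": "2024-05-20T10:02:15", "Computer": "WS03", "User": "NT AUTHORITY\\SYSTEM",
     "ParentProcessId": 900, "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\ProgramData\\Vendor\\agent.dll\",Run"},
]

# Directories an unprivileged user can write to (illustrative list, not exhaustive).
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+|programdata|temp|appdata)\\", re.I)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# First argument to rundll32: the DLL path, quoted or not, up to the ",Export" part.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?(?:,|\s|$)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def loaded_dll(cmdline):
    m = RUNDLL_ARG.search(cmdline)
    return m.group(1) if m else None


def hunt(events, narrow=True):
    """Run the hypothesis as a query over process-creation events.

    narrow=False is the broad first pass (path condition only) used to see how
    noisy the query is; narrow=True adds the Office-parent condition from the
    report, which is what becomes the saved hunt query.
    """
    findings = []
    for ev in events:
        if basename(ev["Image"]) != "rundll32.exe":
            continue
        dll = loaded_dll(ev["CommandLine"])
        if not dll or not USER_WRITABLE.search(dll):
            continue
        if narrow and basename(ev["ParentImage"]) not in OFFICE:
            continue
        findings.append({"hypothesis": HYPOTHESIS, "technique": "T1218.011",
                         "host": ev["Computer"], "user": ev["User"],
                         "time": ev["UtcTime"], "parent_pid": ev["ParentProcessId"],
                         "dll": dll, "evidence": ev["CommandLine"]})
    return findings


def pivot(events, finding, window_minutes=5):
    """Pivot from one hit to its siblings: same host, same parent PID, close in time.

    This is the step that turns a single alert into a timeline for the write-up.
    """
    t0 = datetime.fromisoformat(finding["time"])
    siblings = []
    for ev in events:
        if ev["Computer"] != finding["host"] or ev["ParentProcessId"] != finding["parent_pid"]:
            continue
        if ev["CommandLine"] == finding["evidence"]:
            continue
        if abs(datetime.fromisoformat(ev["UtcTime"]) - t0) <= timedelta(minutes=window_minutes):
            siblings.append(ev["CommandLine"])
    return siblings


if __name__ == "__main__":
    print("broad pass hits:", [f["host"] for f in hunt(EVENTS, narrow=False)])
    for f in hunt(EVENTS):
        print("finding:", f["host"], f["user"], f["dll"])
        print("  related:", pivot(EVENTS, f))
```

The broad pass also flags the WS03 event (a DLL under ProgramData launched by svchost.exe); the narrow pass drops it, which is the triage decision the analyst records alongside the finding, so the next person knows why that pattern was judged benign.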
M6
The Pyramid of Pain
Covered briefly in Blue Team Module 6. This is the deeper dive.
The pyramid, bottom to top:
- Hash values: recompile and the hash changes
- IPs: rotate infrastructure
- Domains: register new ones
- Network/host artefacts: User-Agent, registry keys
- Tools: Cobalt Strike, Mimikatz
- TTPs: tactics, techniques, procedures
Top of pyramid = harder for the attacker to change. Operational implication […]
Beginner 15 min
M7
MITRE ATT&CK in Practice
MITRE ATT&CK is the de-facto common language. Operationalising it requires discipline.
The structure:
- Tactics (14): adversary goals (Initial Access, Execution, Persistence, etc.)
- Techniques (~200): how the goal is achieved
- Sub-techniques: specific variants
- Procedures: actor-specific implementation
ATT&CK Navigator: free tool for visualising layers. Use cases: coverage map (which techniques have detections) […]
Intermediate 20 min
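The coverage map M7 describes, as an added example that is not RingSafe Academy code: a detection inventory (constructed; the rule names are invented, the technique IDs are real ATT&CK Enterprise IDs) is turned into a Navigator layer file, scoring each technique by how many rules cover it and how trustworthy they are, and the same inventory is diffed against a constructed actor profile to list the techniques with no detection at all. Field names such as techniqueID, score, comment and versions follow MITRE's published Navigator layer format; the scoring scheme and gradient are this example's assumptions.

```python
"""Generate an ATT&CK Navigator coverage layer from a detection inventory (added example)."""
import json
from collections import defaultdict

# Constructed inventory: each rule lists the techniques it covers and a quality tag.
DETECTIONS = [
    {"name": "sysmon_encoded_powershell", "techniques": ["T1059.001"], "quality": "tested"},
    {"name": "sigma_rundll32_unusual_parent", "techniques": ["T1218.011"], "quality": "tested"},
    {"name": "edr_lsass_access", "techniques": ["T1003.001"], "quality": "tested"},
    {"name": "sysmon_procdump_lsass", "techniques": ["T1003.001"], "quality": "tested"},
    {"name": "dns_new_domain_beacon", "techniques": ["T1071.001", "T1568.002"], "quality": "draft"},
    {"name": "kerberoast_4769_rc4", "techniques": ["T1558.003"], "quality": "draft"},
]

# Illustrative weighting: a draft rule is worth half a tested one.
QUALITY_SCORE = {"draft": 1, "tested": 2}


def coverage_scores(detections):
    """Return {technique_id: {"score": n, "rules": [...]}}.

    Score is the sum of quality points over every rule covering the technique,
    so two tested rules give 4. Techniques with no rule are absent and the
    Navigator leaves them uncoloured.
    """
    cov = defaultdict(lambda: {"score": 0, "rules": []})
    for det in detections:
        for tid in det["techniques"]:
            cov[tid]["score"] += QUALITY_SCORE[det["quality"]]
            cov[tid]["rules"].append(det["name"])
    return dict(cov)


def build_layer(detections, name="Detection coverage", attack_version="14"):
    """Produce a Navigator layer dict; json.dump it and import via Open Existing Layer."""
    cov = coverage_scores(detections)
    techniques = [
        {
            "techniqueID": tid,
            "score": entry["score"],
            "comment": "rules: " + ", ".join(sorted(entry["rules"])),
            # Expand the parent so a scored sub-technique is visible at first glance.
            "showSubtechniques": "." in tid,
        }
        for tid, entry in sorted(cov.items())
    ]
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Generated from the detection inventory; score = sum of rule quality points",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 4},
        "legendItems": [
            {"label": "draft rule only", "color": "#ff6666"},
            {"label": "one tested rule", "color": "#ffe766"},
            {"label": "two tested rules", "color": "#8ec843"},
        ],
    }


def gaps(detections, actor_techniques):
    """Techniques an actor profile uses for which there is no rule at all."""
    return sorted(set(actor_techniques) - set(coverage_scores(detections)))


if __name__ == "__main__":
    # Constructed actor profile: techniques a threat report attributes to the actor.
    profile = ["T1059.001", "T1003.001", "T1021.002", "T1486", "T1558.003"]
    print(json.dumps(build_layer(DETECTIONS), indent=2))
    print("uncovered by any rule:", gaps(DETECTIONS, profile))
```

The gap list is the same result you get in the Navigator by building a second layer from the actor profile and using its layer-combination feature, but generating it in code lets the coverage report be regenerated every time the rule repository changes.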
M8
STIX & TAXII Standards
STIX = data format. TAXII = transport. Together: machine-readable threat intel sharing.
STIX object types:
- Indicator (the "what to look for")
- Threat Actor
- Campaign
- Intrusion Set
- Malware
- Tool
- Attack Pattern (= ATT&CK technique)
- Vulnerability (= CVE)
- Identity (= victim)
- Relationship
Why structured matters: vendor PDF report → manual extraction. Vendor STIX feed → automatic ingestion […]
Intermediate 15 min
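The "automatic ingestion" side of M8, as an added example that is not RingSafe Academy code: a STIX 2.1 bundle is walked, Indicator patterns of the atomic form [type:property = 'value'] (optionally OR-joined, which is what most feeds emit) are parsed into matchable IOCs, revoked and expired indicators are dropped, and the "indicates" relationships are followed so each IOC carries the malware name it points at. The bundle is constructed for this example: the UUIDs are made up, the domain and IP come from documentation ranges, and the hash is SHA-256 of the string "test". Object types and property names follow the STIX 2.1 specification.

```python
"""Ingest a STIX 2.1 bundle into matchable IOCs (added example)."""
import re
from datetime import datetime, timezone

MALWARE_ID = "malware--5d3f2a6e-8c1b-4e0a-9f7d-2b6c1e4a8d90"
IND_OLD = "indicator--1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"
IND_HASH = "indicator--9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b"
IND_REVOKED = "indicator--3c4d5e6f-7a8b-4c9d-8e0f-1a2b3c4d5e6f"
CREATED = "2024-01-10T00:00:00.000Z"

# Constructed bundle: three indicators (one expired, one still valid, one revoked)
# all pointing at the same malware family through "indicates" relationships.
BUNDLE = {
    "type": "bundle",
    "id": "bundle--0f1e2d3c-4b5a-4697-8877-66554433aabb",
    "objects": [
        {"type": "malware", "spec_version": "2.1", "id": MALWARE_ID, "created": CREATED,
         "modified": CREATED, "name": "ExampleRAT", "is_family": True,
         "malware_types": ["remote-access-trojan"]},
        {"type": "indicator", "spec_version": "2.1", "id": IND_OLD, "created": CREATED,
         "modified": CREATED, "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update-check.example.net'] OR [ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2024-01-10T00:00:00Z", "valid_until": "2024-04-10T00:00:00Z", "confidence": 80},
        {"type": "indicator", "spec_version": "2.1", "id": IND_HASH, "created": CREATED,
         "modified": CREATED, "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']",
         "valid_from": "2024-01-10T00:00:00Z", "confidence": 95},
        {"type": "indicator", "spec_version": "2.1", "id": IND_REVOKED, "created": CREATED,
         "modified": CREATED, "revoked": True, "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "pattern": "[url:value = 'http://203.0.113.45/gate.php']",
         "valid_from": "2024-01-10T00:00:00Z"},
        {"type": "relationship", "spec_version": "2.1", "id": "relationship--7a6b5c4d-3e2f-4a1b-9c8d-7e6f5a4b3c2d",
         "created": CREATED, "modified": CREATED, "relationship_type": "indicates",
         "source_ref": IND_OLD, "target_ref": MALWARE_ID},
        {"type": "relationship", "spec_version": "2.1", "id": "relationship--8b7c6d5e-4f3a-4b2c-8d1e-0f9a8b7c6d5e",
         "created": CREATED, "modified": CREATED, "relationship_type": "indicates",
         "source_ref": IND_HASH, "target_ref": MALWARE_ID},
        {"type": "relationship", "spec_version": "2.1", "id": "relationship--9c8d7e6f-5a4b-4c3d-9e2f-1a0b9c8d7e6f",
         "created": CREATED, "modified": CREATED, "relationship_type": "indicates",
         "source_ref": IND_REVOKED, "target_ref": MALWARE_ID},
    ],
}

# One comparison expression: [object-type:property = 'value']
COMPARISON = re.compile(r"\[([a-z0-9\-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'\]")
# (object type, property) pairs we know how to match in telemetry.
IOC_TYPE = {("domain-name", "value"): "domain", ("ipv4-addr", "value"): "ipv4",
            ("ipv6-addr", "value"): "ipv6", ("url", "value"): "url",
            ("file", "hashes.'SHA-256'"): "sha256", ("file", "hashes.MD5"): "md5"}


def parse_pattern(pattern):
    """Return [(object_type, property, value), ...] for OR-joined atomic patterns.

    AND and the temporal operators (FOLLOWEDBY, WITHIN, ...) make a pattern
    non-atomic: splitting it into independent IOCs would over-match, so such
    patterns are returned empty and left for a real pattern engine.
    """
    if re.search(r"\bAND\b|FOLLOWEDBY|WITHIN|REPEATS|START ", pattern):
        return []
    return COMPARISON.findall(pattern)


def ts(s):
    """STIX timestamps are RFC 3339 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def active_iocs(bundle, now=None):
    """Flatten currently valid, non-revoked Indicators into IOC records."""
    now = now or datetime.now(timezone.utc)
    objs = {o["id"]: o for o in bundle["objects"]}
    indicates = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            target = objs.get(o["target_ref"], {})
            indicates.setdefault(o["source_ref"], []).append(target.get("name", o["target_ref"]))
    iocs = []
    for o in bundle["objects"]:
        if o["type"] != "indicator" or o.get("revoked") or o.get("pattern_type", "stix") != "stix":
            continue
        if ts(o["valid_from"]) > now:
            continue
        if "valid_until" in o and ts(o["valid_until"]) <= now:
            continue
        for otype, prop, value in parse_pattern(o["pattern"]):
            kind = IOC_TYPE.get((otype, prop))
            if kind is None:          # unsupported object/property: skip, never guess
                continue
            iocs.append({"type": kind, "value": value, "confidence": o.get("confidence"),
                         "indicates": indicates.get(o["id"], []), "indicator_id": o["id"]})
    return iocs


if __name__ == "__main__":
    for ioc in active_iocs(BUNDLE, now=ts("2024-06-01T00:00:00Z")):
        print(ioc["type"], ioc["value"], ioc["confidence"], ioc["indicates"])
```

Run as of June 2024 only the hash survives; run as of February 2024 the domain and IP are also emitted. That valid_until handling is the reason to prefer a STIX feed over a PDF: the expiry travels with the indicator instead of living in an analyst's memory.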
M9
Attribution Methodology
"Who did this?" is often the wrong question. Attribution is hard, slow, and often inconclusive. Defenders mostly need TTP-level intel, not actor identity.
The Diamond Model. Four vertices of an intrusion analysis:
- Adversary: who
- Capability: what tools, what TTPs
- Infrastructure: what domains, IPs, code-signing certs
- Victim: who/what was targeted
Pivot between […]
Advanced 15 min
M10
OSINT for Actor Profiling
For sectoral and regional threat awareness, OSINT is invaluable.
Sources:
- Public threat reports: Mandiant, CrowdStrike, Microsoft, Recorded Future
- VirusTotal Intelligence: sample relationships
- MalwareBazaar: malware samples
- URLhaus, ThreatFox: abuse.ch projects
- Twitter/X: security researchers post in real time
- Telegram: actor channels (be careful)
- Dark web monitoring: paid services (Recorded Future, Flashpoint, KELA) […]
Intermediate 15 min
M11
IOC Hygiene
Buying IOC feeds is the easy part. Operationalising them without false positives is the hard part.
IOC lifecycle:
- Ingest from source
- Score (confidence, source reputation)
- Enrich (WHOIS, geolocation, ASN, related campaigns)
- Match against telemetry
- Decay: IOCs age out (IPs rotate, domains expire)
- Retire: remove from active matching after N days
Quality signals: source […]
Intermediate 15 min
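The score, decay and retire steps of the M11 lifecycle, together with the 90-day rule from M3 and the Pyramid of Pain ordering from M6, as an added example that is not RingSafe Academy code. Each IOC gets an effective score of published confidence times source reputation times an exponential decay whose half-life depends on the IOC type (an IP rotates in days, a domain in weeks, a file hash lasts until the sample is recompiled); a confirmed sighting in our own telemetry restarts the clock; and nothing older than 90 days stays in active matching regardless of score. The half-lives, source weights, retirement threshold and the feed records are illustrative assumptions.

```python
"""Score, decay and retire IOCs: the hygiene step that keeps a feed matchable (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed half-lives, ordered by the Pyramid of Pain (faster to change = shorter life).
HALF_LIFE_DAYS = {"ipv4": 7.0, "url": 14.0, "domain": 30.0, "sha256": 180.0}
# Assumed source reputation weights.
SOURCE_WEIGHT = {"vendor_feed": 1.0, "isac_share": 0.9, "osint_paste": 0.5}
MAX_AGE_DAYS = 90      # the 90-day rule: a hard cap on active matching
RETIRE_BELOW = 0.25    # effective score under which an IOC leaves active matching


@dataclass
class IOC:
    value: str
    ioc_type: str
    source: str
    confidence: int                        # 0-100 as published by the source
    first_seen: datetime
    last_sighted: Optional[datetime] = None  # confirmed hit in our telemetry


def age_days(ioc, now):
    """Age since the last confirmed sighting, else since first publication."""
    return (now - (ioc.last_sighted or ioc.first_seen)).total_seconds() / 86400


def effective_score(ioc, now):
    """confidence x source reputation x exponential decay by type half-life."""
    decay = 0.5 ** (age_days(ioc, now) / HALF_LIFE_DAYS[ioc.ioc_type])
    return (ioc.confidence / 100) * SOURCE_WEIGHT[ioc.source] * decay


def status(ioc, now):
    if age_days(ioc, now) > MAX_AGE_DAYS:
        return "retired:age"
    if effective_score(ioc, now) < RETIRE_BELOW:
        return "retired:decayed"
    return "active"


def triage(iocs, now):
    """Bucket a feed snapshot into what should and should not be matched today."""
    out = {"active": [], "retired:decayed": [], "retired:age": []}
    for ioc in iocs:
        out[status(ioc, now)].append(ioc.value)
    return out


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed feed snapshot, evaluated as of 2024-06-01 (documentation IPs/domains).
NOW = _d(2024, 6, 1)
FEED = [
    IOC("203.0.113.45", "ipv4", "vendor_feed", 90, _d(2024, 5, 25)),      # 7 days: one half-life
    IOC("198.51.100.7", "ipv4", "vendor_feed", 90, _d(2024, 5, 1)),       # 31 days: decayed away
    IOC("login-verify.example.org", "domain", "osint_paste", 60, _d(2024, 5, 12)),  # weak source
    IOC("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
        "sha256", "isac_share", 95, _d(2024, 1, 15)),                     # 138 days: 90-day rule
    IOC("cdn-static.example.net", "domain", "vendor_feed", 80, _d(2024, 2, 1),
        last_sighted=_d(2024, 5, 20)),                                    # old, but seen recently
]

if __name__ == "__main__":
    for ioc in FEED:
        print(f"{ioc.value[:28]:28} {status(ioc, NOW):16} score={effective_score(ioc, NOW):.2f}")
```

Two of the outcomes are the ones worth discussing with whoever owns the feed budget: the pasted domain retires after three weeks although its published confidence was 60, because the source weight halves it, and the hash retires on age alone while its score is still 0.50, which is the price of applying the 90-day rule uniformly. If hashes should be exempt from the cap, make MAX_AGE_DAYS per type the same way the half-life is.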
M12
Deception Technology
Deception is high-fidelity threat detection: legitimate users don't touch decoys, so any touch = malicious.
Three patterns:
- Honeypots: fake systems (servers, databases). Real protocol; fake content. T-Pot, Cowrie.
- Honeytokens: fake credentials, fake API keys. Trigger an alert on use.
- Canary tokens: Thinkst Canary; lightweight tokens that fire on access.
Practical deployment: honey AD […]
Intermediate 15 min
M13
Malware Family Classification
Classifying samples by family enables tracking actor evolution. YARA is the de-facto language.
YARA basics:

    rule MyMalware_v2 {
        meta:
            author = "RingSafe"
            family = "Cobalt Strike"
            version = "4.x"
        strings:
            $beacon_str = "Mozilla/5.0 (Windows NT 6.1)" wide
            $config_marker = { 00 01 00 0E ?? ?? }
        condition:
            uint16(0) == 0x5A4D and any of them
    }

[…]
Advanced 20 min
M14
Continuous Threat Intel Workflow
Most Indian organisations don't have dedicated CTI teams. But you can run a 1-person / 0.5-FTE program effectively.
The cadence:
- Daily (15-30 min): skim the Twitter/X security feed; check threat-feed updates; review SIEM enrichments
- Weekly (2 hours): read 2-3 vendor reports; update the threat-actor watchlist; brief the SOC on changes
- Monthly (half day): assessment review, […]
Intermediate 15 min
M15
Strategic Threat Intelligence
Tactical TI is for the SOC. Strategic TI is for executives. Different language, different cadence, different artefacts.
Strategic questions:
- Which threat actors target organisations like ours?
- What are their goals (extortion, espionage, disruption)?
- What is their technical sophistication level?
- Are we more or less targeted than peers?
- What investments would meaningfully shift the risk?
Strategic artefacts: threat […]
Intermediate 15 min

Common questions about this track

How long will this track take me? +

Most learners finish in 4-8 weeks at a sustainable 4-5 hours per week. Modules are self-paced so you can move faster or slower as life allows.

Do I need prior experience? +

Module 1 sets the entry baseline. The first module is always free; if it feels approachable, the track is for you.

Will this prepare me for industry certifications? +

Most modules align with the body of knowledge tested by senior security certifications. The Academy is not a cert-prep course but produces working knowledge that transfers to any cert exam in the same domain.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
