Mandiant Academy™

Cyber Intelligence Foundations
(On-Demand Module Overview)

This foundational course provides a wide-ranging introduction to Cyber Intelligence roles, frameworks, tradecraft, and organizational value.

Course Description

The course shows learners how intelligence can drive value across various use cases in different ways. It gives learners a high-level programmatic overview of intelligence, including team composition, the organizational role of cyber threat intelligence (CTI) and stakeholder analysis. Learners will explore basic practitioner skills, such as developing raw data into minimally viable intelligence, interpreting cyber artifacts and leveraging the intelligence cycle, to compose original intelligence products. Basic attribution techniques are introduced. Concepts introduced in Cyber Intelligence Foundations are reinforced and explored in depth during subsequent intelligence training courses.

    Learning Objectives

    After completing this course, learners should be able to:

    • Define cyber intelligence and articulate the roles, impact and value of a CTI function  
    • Recognize how intelligence analysts convert raw threat data derived from technical artifacts into actionable intelligence 
    • Interpret and assess intelligence reporting claims of attribution  
    • Explain the concepts and interactions between cyber key terrain, cyber security intelligence, quality assessments, indicators of compromise and threat modeling  
    • Use frameworks such as MITRE, the Intelligence Lifecycle and the Diamond Model in analysis

    Who Should Attend

    This is a foundational level course for anyone looking to get started with cyber intelligence, as a practitioner or consumer.




    32 hours
    Content is available for 3 months from date of enrollment. It can be accessed 24/7 from a standard web browser.


    $3,000 USD or 3 EOD Units

    Course Outline

    Introduction to Cyber Threat Intelligence

    • Roles and team structures
    • Applying the intelligence cycle
    • Categories of intelligence

    The Analyst’s Toolkit

    • Systems of analytic thought
    • Cognitive biases
    • Confidence levels in reporting

    Cyber Artifacts

    • 3 key types of cyber artifacts (file, host, network) and relevance to intelligence reporting
    • Analysis of real-world scenarios
    • IOCs in modeling

    Developing Raw Data into Minimally Viable Intelligence

    • Common Operating Pictures, infrastructure analysis
    • Threat modeling and threat groups (creating, merging)

    How Intelligence Teams Work with Malware

    • Static analysis
    • Dynamic analysis
    • String searching
    • File formats
    • Sandbox overview
    • Binary launching

    Writing Intelligence Products

    • Technical writing
    • Knowing your audience
    • Critical thinking for establishing audience
    • Review procedures

    Establishing Attribution

    • Basic modeling techniques
    • Levels of attribution


    Tufail Ahmed
    Principal Threat Analyst

    Tufail Ahmed serves Mandiant customers globally by analyzing cyber threats. He has spent over 12 years in various technical analyst and consultant roles, supporting several customers across many different sectors. He is enthusiastic about automating all things cyber to detect threats using intelligence and analytics.

    Sarah Atik
    Intelligence Enablement Consultant

    Sarah Atik helps organizations answer the question "Am I targeted?" through comprehensive assessments of their threat landscape. Her experiences in both 'red' & 'blue' teams equip her with a unique perspective on both sides of an attack, and she is passionate about connecting experience-based knowledge and anecdotal, real-world examples to security concepts and topics.

    Mark Owens
    Principal Intelligence Capability Consultant

    Mark Owens is a trusted advisor to clients globally, leading organizations through significant challenges and aligning security initiatives with enterprise programs and business objectives. He works collaboratively to assess organizations’ cyber security capabilities, risk posture and threat landscape, while providing actionable recommendations to drive strategic change, reduce risk and build resilient, intelligence-led cyber defense programs.

    Shanyn Ronis
    Manager of Mandiant Intelligence Training Services

    Shanyn Ronis has extensive knowledge and background in Cyber Threat Intelligence and methods for operationalizing intelligence for mission success. Since 2013, she has worked in various cyber intelligence positions, ranging from Intelligence Analyst to embedded Fusion Analyst within a SOC environment, to leading Tier 2 Incident Response. Ms. Ronis is a member of the Forbes 30 Under 30 class of 2017.

    Andrew Schmidt
    Director of Intelligence Performance and Production

    Andrew Schmidt oversees quality control, strategic communications and intelligence production. Previously, he served as Senior Director of Production and Analysis for iSIGHT Partners, Managing Editor for iDefense Inc. and Deputy Intelligence Director for VeriSign-iDefense. He served for 21 years in the United States Air Force and Air National Guard in the fields of Logistics, Communications and Inspections, retiring as a Lieutenant Colonel.