Cyber Intelligence Foundations (CIF) Module Overview

This foundational course provides a wide-ranging introduction to Cyber Intelligence roles, frameworks, tradecraft, and organizational value.



The course shows learners how intelligence can drive value across various use cases in different ways. It gives learners a high-level programmatic overview of intelligence, including team composition, the organizational role of cyber threat intelligence (CTI) and stakeholder analysis. 

Learners will explore basic practitioner skills, such as developing raw data into minimally viable intelligence, interpreting cyber artifacts and leveraging the intelligence cycle, to compose original intelligence products. Basic attribution techniques are introduced. 

Concepts introduced in Cyber Intelligence Foundations are reinforced and explored in depth during subsequent intelligence training courses.

Learning Objectives

After completing this course, learners should be able to:

  • Define cyber intelligence and articulate the roles, impact and value of a CTI function  
  • Recognize how intelligence analysts convert raw threat data derived from technical artifacts into actionable intelligence 
  • Interpret and assess intelligence reporting claims of attribution  
  • Explain the concepts and interactions between cyber key terrain, cyber security intelligence, quality assessments, indicators of compromise and threat modeling  
  • Use frameworks such as MITRE, the Intelligence Lifecycle and the Diamond Model in analysis

Who Should Attend

This is a foundational level course for anyone looking to get started with cyber intelligence, as a practitioner or consumer.




24 hours
Content is available for 3 months from date of first login. It can be accessed 24/7 from a standard web browser.


$1,000 USD or 1 EOD Unit

Course Outline

Introduction to Cyber Threat Intelligence

  • Roles and team structures
  • Applying the intelligence cycle
  • Categories of intelligence

The Analyst’s Toolkit

  • Systems of analytic thought
  • Cognitive biases
  • Confidence levels in reporting

Cyber Artifacts

  • 3 key types of cyber artifacts (file, host, network) and relevance to intelligence reporting
  • Analysis of real-world scenarios
  • IOCs in modeling

Developing Raw Data into Minimally Viable Intelligence

  • Common Operating Pictures, infrastructure analysis
  • Threat modeling and threat groups (creating, merging)

How Intelligence Teams Work with Malware

  • Static analysis
  • Dynamic analysis
  • String searching
  • File formats
  • Sandbox overview
  • Binary launching

Writing Intelligence Products

  • Technical writing
  • Knowing your audience
  • Critical thinking for establishing audience
  • Review procedures

Establishing Attribution

  • Basic modeling techniques
  • Levels of attribution


Tufail Ahmed, Principal Threat Analyst

Tufail Ahmed serves Mandiant customers globally by analyzing cyber threats. He has spent over 12 years in various technical analyst and consultant roles, supporting several customers across many different sectors. He is enthusiastic about automating all things cyber to detect threats using intelligence and analytics.


Sarah Atik, Intelligence Enablement Consultant

Sarah Atik helps organizations answer the question "Am I targeted?" through comprehensive assessments of their threat landscape. Her experiences in both 'red' & 'blue' teams equip her with a unique perspective on both sides of an attack, and she is passionate about connecting experience-based knowledge and anecdotal, real-world examples to security concepts and topics.



Mark Owens, Principal Intelligence Capability Consultant

Mark Owens is a trusted advisor to clients globally, leading organizations through significant challenges and aligning security initiatives with enterprise programs and business objectives. He works collaboratively to assess organizations’ cyber security capabilities, risk posture and threat landscape, while providing actionable recommendations to drive strategic change, reduce risk and build resilient, intelligence-led cyber defense programs.


Shanyn Ronis, Manager of Mandiant Intelligence Training Services

Shanyn Ronis has extensive knowledge and background in Cyber Threat Intelligence and methods for operationalizing intelligence for mission success. Since 2013, she has worked in various cyber intelligence positions, ranging from Intelligence Analyst to embedded Fusion Analyst within a SOC environment, to leading Tier 2 Incident Response. Ms. Ronis is a member of the Forbes 30 Under 30 class of 2017.


Andrew Schmidt, Director of Intelligence Performance and Production

Andrew Schmidt oversees quality control, strategic communications and intelligence production. Previously, he served as Senior Director of Production and Analysis for iSIGHT Partners, Managing Editor for iDefense Inc. and Deputy Intelligence Director for VeriSign-iDefense. He served for 21 years in the United States Air Force and Air National Guard in the fields of Logistics, Communications and Inspections, retiring as a Lieutenant Colonel.
