University of Oxford - Software Engineering

Cyber Threat Intelligence

This course provides an introduction to cyber threat intelligence (CTI). CTI is the acquisition and analysis of information concerning cyber threats and the actors behind them. These actors include professional profit-driven cybercriminals, insiders, nation state actors and hacktivists. This course surveys the attribution, organisation and operations of these actors and the threats they present. It covers a broad range of often-overlapping threats, from data breaches and leaks, online scams, extortion, malware campaigns and disinformation to many kinds of fraud. The chosen approach is primarily people-centric and contextualises the cyber threat landscape not as a purely technical phenomenon, but as one with vital social, political and economic components. A secondary component of the course will involve more technical instruction on the practical mechanics of conducting CTI, from gathering data to analysing it and disseminating the findings.

Course dates

23rd June 2025, Oxford University Department of Computer Science - Held in the Department. 0 places remaining.


The successful participant will:

  • Understand core concepts and nomenclature of CTI.
  • Understand the range of common cyber threats and threat actors, along with their organisation and operations, and how they might interrelate.
  • Be able to gather threat intelligence from a range of sources, analyse it and produce reporting on it.
  • Be able to evaluate the attack surface of an organisation, how this matches to the cyber threats, and develop effective CTI policies.


Introduction to Cyber Threat Intelligence
defining CTI, strategic CTI, operational CTI, tactical CTI, an overview of cyber threats and threat actors.
Profit-driven Cybercriminals
common cybercriminal operations and threats, cybercriminal organisation, the “Dark Web”, cybercriminal attribution.
Insider Threats
common insider threats, patterns of insider behaviour, attribution errors, insider interaction with external actors.
Nation State Actors and their Proxies
the nature of Advanced Persistent Threats (APTs), well-known state operations and threats, challenges for attribution/action, interaction between state actors and proxies.
Hobby Hackers and Hacktivists
common hacker operations and threats, hacker organisation, hacker profiles, attribution errors.
Conducting CTI
data gathering tools and approaches, data analysis techniques, crafting CTI reports and disseminating them.
CTI Policy
evaluating the attack surface of an organisation, and developing effective CTI policies.


The assignment will be a take-home writing task. Students will produce written work that is matched to the elements of a threat intelligence report produced by government or industry. This could be a public report, or one that would be designed for internal use within an organisation. This will allow students to synthesise all the theoretical and practical lessons they have learned during the course, and package this into a format commonly employed by the CTI community.

Teaching methods

The primary mode of instruction will be through lectures with slides, along with discussion components. There will also be practical demos built into the structure of the course, which will be delivered by guest lecturers with significant industry and government experience in threat intelligence.

Course material

There is no textbook that is adequate for this course. Readings will be assigned for each topic, drawn not only from academic work, but also from government and industry reports.


No prior knowledge is required for this course.