CREST Certified Threat Intelligence Manager


Level: Advanced level
Career Opportunities: Threat Intelligence Manager
Skills: Manage a multi-disciplinary team in the production of threat intelligence for end-users, perform core intelligence tasks focusing on social, cultural and geopolitical analysis, analyze malicious code samples, monitor malware behavior inside a controlled environment, develop collection and analysis tools, analyze network traffic
Validity: 3 years
Renewal: Take the CREST CPSA along with either the OSCP or CREST CRT exams on a three-year cycle
Themes: Threat Intelligence, Malware Analysis, Network Security, SOC, Incident Response, Digital Forensics, Advanced Threat Management, Attackers, APTs, Vulnerabilities Management


The CREST Certified Threat Intelligence Manager (CCTIM) examination tests candidates’ knowledge and expertise in leading a team that specialises in producing threat intelligence. The candidate is expected to have a good breadth of knowledge in all areas of threat intelligence and proven experience in operational security, data collection / analysis and intelligence production.

The exam will assess the candidate’s ability to conduct engagements that produce threat intelligence in a realistic, legal and safe manner, ensuring the customer is provided with actionable intelligence which can be used to increase security and reduce corporate risk.

Examination Format and Details

The examination will consist of three components:
  • Short-form questions which require single word or short sentence answers;
  • Long-form questions which require detailed written answers;
  • A written scenario-based element which reflects tasks that a Threat Intelligence Manager is likely to perform on a regular basis.

The examination is delivered in two parts: Part 1 is taken first, and Part 2 must be taken within three months of Part 1.

Examination Details
The CREST Certified Threat Intelligence Manager examination contains only written components – there is no practical element to this exam. There are three elements to the written component: short form questions, long form questions and a more detailed scenario-based element.

The CCTIM examination is delivered in two separate sessions at a Pearson Vue Centre. The sessions are identified as TIM 1 and TIM 2. TIM 1 must be taken before TIM 2, and TIM 2 must be taken within three months of TIM 1. The award of CCTIM certification will not be made until both TIM 1 and TIM 2 have been passed.

  • Short Form Questions (TIM 1): There are one hundred and fifty (150) questions, all of which the candidate must complete. Each of these questions requires a single word, or a short sentence for an answer.
  • Long Form Questions (TIM 1): The candidate will be presented with one (1) compulsory long form question.
  • Long Form & Scenario Questions (TIM 2): The candidate will be presented with three (3) long form questions, of which the candidate must choose and complete two (2), in addition to the one (1) scenario-based question. The Scenario question is similar in nature to the Long Form questions, although more detail is expected and more time is allocated as a result.

TIM 1 will consist of a set of short form questions and a single compulsory long form question, all of which are completed within 3 hours; TIM 2 is also 3 hours long and will comprise both long form and scenario questions. Note that your permitted maximum session time at Pearson Vue is 3.5 hours for each exam, allowing you time to read the Code of Conduct and also to provide feedback following each examination.

Candidates should take great care to note that the breakdown of marks approximates to one mark per minute throughout each phase of the exam. 

Marking Scheme / Pass Mark

The marking scheme is given in the table below:

CCTIM1 (180 Marks)

  • Written (short form): 150 questions, 1 mark each
  • Written (long form): 1 question, 30 marks

CCTIM2 (180 Marks)

  • Written (long form): 2 questions, 30 marks each
  • Scenario: 1 question, 120 marks

Successful candidates must score 70% of the available marks in each component.
That is:
• at least 126 marks from the CCTIM1 (possible total: 180 marks), and
• at least 42 marks from the CCTIM2 Long Form (possible total: 60 marks), and
• at least 84 marks from the Scenario component (possible total: 120 marks).

This represents an overall pass mark of approximately 70% but note that candidates must score the minimum number of marks in each section: candidates who score very well in one component but not in the other will not pass.


Disclaimer: Reference in this site to any specific commercial product, process, service, certification, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by CyberMaterial.
