GCTI Practice Questions: Open Source Intelligence (OSINT) Collection and Analysis Domain
GCTI Practice Questions
Master the Open Source Intelligence (OSINT) Collection and Analysis Domain
Test your knowledge in the Open Source Intelligence (OSINT) Collection and Analysis domain with these 10 practice questions. Each question is designed to help you prepare for the GCTI certification exam with detailed explanations to reinforce your learning.
Question 1
You are tasked with enriching your understanding of a threat actor's infrastructure by examining related domains. Which OSINT tool would allow you to pivot from a known malicious domain to discover other potentially related domains by analyzing shared WHOIS details?
Correct Answer: B
Explanation: PassiveTotal provides functionality to pivot on WHOIS details such as registrant email or organization, enabling the discovery of other domains potentially related to the same threat actor. VirusTotal is more focused on malicious file and URL analysis, Shodan is for device discovery, and Maltego is used for visual link analysis.
Question 2
During an investigation, you find a suspicious domain that appears to be used for malware distribution. Which OSINT method would help determine if this domain is linked to any known malware families?
Correct Answer: A
Explanation: Checking the domain in a public threat intelligence platform can reveal if it has been associated with known malware families, as these platforms aggregate data from various sources about malicious activities. A reverse DNS lookup, WHOIS search, and port scanning provide different types of information not directly related to known malware associations.
Question 3
An analyst is using OSINT to investigate a series of cyber attacks. They find a list of email addresses used in the attacks and want to verify if these emails have been part of any known data breaches. Which OSINT resource would be most effective for this purpose?
Correct Answer: A
Explanation: Have I Been Pwned is a service that allows users to check if their email addresses have been compromised in known data breaches. Shodan is used for discovering internet-connected devices, VirusTotal is for analyzing files and URLs, and DNSDumpster is used for DNS enumeration.
Question 4
An analyst is using OSINT to verify the authenticity of a newly discovered threat feed. Which factor would be most critical in assessing the reliability of this source?
Correct Answer: C
Explanation: The historical accuracy of the threat feed is critical in assessing its reliability, as it indicates the track record of providing valid and actionable intelligence. While the number of indicators and update frequency are important, they do not necessarily reflect accuracy. The geographical location of the server is generally irrelevant to the feed's reliability.
Question 5
An analyst is tasked with identifying potential vulnerabilities in their organization's external network. They want to use OSINT to gather information about exposed services. Which tool should the analyst use to achieve this?
Correct Answer: B
Explanation: Using Shodan is the best choice for identifying open ports and services, providing a direct view of exposed services on the organization's network. Option A, Maltego, is useful for mapping relationships but not direct service exposure. Option C, VirusTotal, is more about malware and threat detection than service exposure. Option D, PassiveTotal, is useful for historical DNS analysis but not for current service exposure.
Question 6
A threat intelligence team is tasked with identifying potential data leaks from their organization. They suspect an insider might be sharing sensitive documents. Which OSINT method should they prioritize to detect potential leaks?
Correct Answer: A
Explanation: Monitoring paste sites is the most effective method for detecting potential data leaks, as these sites are commonly used for sharing stolen data. Option B, searching social media, might yield some information but is less structured. Option C, WHOIS, is not relevant for detecting data leaks. Option D, checking code repositories, can be useful but is more specific to code and not general data leaks.
Question 7
An organization wants to enhance its OSINT capabilities by integrating threat intelligence feeds. Which characteristic is most important when selecting a threat feed for reliable intelligence?
Correct Answer: C
Explanation: Source diversity and validation are crucial for ensuring the reliability of a threat feed. A diverse set of sources and proper validation processes help ensure the intelligence is accurate and comprehensive. While the number of indicators, update frequency, and cost are important considerations, they do not directly impact the reliability of the intelligence.
Question 8
A threat intelligence analyst is tasked with validating the credibility of an OSINT source that claims to have detailed information on a cyber espionage group. Which factor should the analyst prioritize to assess the credibility of the source?
Correct Answer: B
Explanation: The source's history of accurate reporting is the most critical factor in assessing credibility, as it demonstrates a track record of reliability and accuracy. Publication frequency, social media followers, and anonymity level may provide additional context but do not directly reflect the source's credibility or accuracy.
Question 9
During an OSINT investigation, you come across a series of IP addresses that you suspect are part of a botnet. To confirm your suspicion, you decide to check if these IPs have been reported in any threat intelligence feeds. Which platform would be most suitable for this task?
Correct Answer: B
Explanation: MISP (Malware Information Sharing Platform) is a platform used for sharing threat intelligence, including information on malicious IP addresses, domains, and other indicators of compromise. It would be the most suitable platform for checking if the IPs are part of a botnet. Shodan is used for discovering devices, Maltego is a data mining tool, and VirusTotal is used for malware analysis.
Question 10
A cybersecurity analyst is tasked with investigating a recent phishing campaign targeting their organization. They have identified a suspicious domain that was used in the campaign. To gather more information about the domain, the analyst decides to perform a WHOIS lookup and discovers that the domain was registered anonymously through a privacy protection service. What should be the analyst's next step to gather more OSINT on this domain?
Correct Answer: A
Explanation: The correct answer is A. Checking the domain's historical WHOIS records can provide information about previous owners, which might not be protected by privacy services. Option B is incorrect because DNS zone transfers are often restricted and might not provide useful information in this context. Option C is a valid technique, but it is not the immediate next step focused on the domain itself. Option D is unlikely to succeed due to privacy policies.
About GCTI Certification
The GCTI certification validates your expertise in Open Source Intelligence (OSINT) collection and analysis and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.