OSINT × Latest Cases × Monthly Hands-On

Threat Intelligence Training Course

"Read Threats, Act First."

Become a Ready-to-Work Analyst in 1 Year!

Learn to collect → analyze → report through monthly hands-on exercises and feedback.
Internalize reports that influence management decisions and insights that lead to detection.

Free Counseling View Curriculum

次のセクションへ

What is Threat Intelligence?

Threat Intelligence is a field of cyber analysis that involves collecting and analyzing data containing threat information from various sources such as internet logs, social networks, forums, and the dark web to uncover the intentions, tactics, and methods of attackers. It goes beyond simple data collection — it is a framework for “intelligent defense”, systematically identifying who is attacking, which industries are being targeted, and how those attacks are being carried out. By leveraging threat intelligence, organizations can understand risks before an attack occurs and build proactive and adaptive defense strategies.

【 Growing Global Demand and High-Earning Potential】
The field of threat intelligence faces a severe global talent shortage, particularly in the United States and Europe, where the recruitment of skilled analysts has become an urgent challenge. In the U.S., Threat Intelligence Analysts are ranked among the fastest-growing and highest-paying IT professions, with an average annual salary exceeding USD 110,000. In Japan, the number of specialized professionals remains limited, but with the strengthening of national cybersecurity initiatives and corporate risk management priorities, demand is expected to rise sharply in the coming years. As such, threat intelligence represents an extremely promising career path for those seeking to advance their expertise and income in the cybersecurity field.

What is the Threat Intelligence Training Course?

This course is a comprehensive one-year program designed to systematically teach threat intelligence from the fundamentals to applied and practical skills, against the backdrop of national cybersecurity strategies and the acceleration of “proactive cyber defense” initiatives.
Each month, participants engage in exercises using OSINT tools and real-world data, based on the latest domestic and international cyber attack cases and threat actor information. During the program, students also utilize paid intelligence platforms provided by partner companies, allowing them to develop analytical skills in an environment similar to real-world operations.

Additionally, participants learn to transform collected threat information into actionable reports from their organization’s perspective, producing outputs directly applicable to decision-making and defensive strategy development. The program aims to cultivate “ready-to-deploy analysts” capable of understanding cutting-edge security situations and organizational operational risks.

By capturing the trends in strengthening national security intelligence, this course equips participants with the skills to advance corporate and public sector cybersecurity on both offensive and defensive fronts.

Key Points of the Course

1. Systematic Learning of Threat Intelligence
A practical program that enables participants to systematically learn the entire process of threat intelligence—from collection and analysis to report creation. By leveraging OSINT tools and frameworks such as MITRE ATT&CK, participants acquire skills from both theoretical and practical perspectives.

2. Hands-On Exercises Using Paid Tools
Participants have access to paid threat intelligence tools provided in cooperation with Recorded Future throughout the course. This allows them to experience a realistic analysis environment and engage in learning that closely mirrors real-world operations.

3. Monthly Exercises Based on the Latest Cases
Participants engage in exercises using up-to-date cyber attack cases and threat actor information, updated monthly. This approach allows them to grasp current threat trends while honing analytical skills that are immediately applicable in real-world settings.

4. Practical Outputs Applicable to Your Organization
Participants collect the threat information relevant to their industry and threat environment, then analyze it and create reports. The knowledge and skills gained can be directly applied to their organization’s security operations and decision-making.

次のセクションへ

I put together a report on the cyberattack targeting the KADOKAWA Group!

In 2024, the KADOKAWA Group was targeted by a cyberattack that forced the suspension of its “Niconico Services,” including the widely known video platform Niconico Douga—a service familiar to most internet users. For this course, the lead instructor, Kazuki Omo, has prepared a concise threat intelligence report on this incident.

By reading this report, you can gain insights into the Who, When, Where, What, Why, and How of the attack, as well as potential countermeasures. If you are interested in the course content or want to learn more about the KADOKAWA incident, we encourage you to take a look!

In this course, we conduct practical exercises every month based on the latest cyberattack cases like this, allowing participants to analyze real-world threats and develop actionable skills.

Download

※An explanatory article about “BlackSuit,” the ransomware group that claimed responsibility for the cyberattack on the KADOKAWA Group

Lecture Report Summarizing Ransomware Attack Trends Targeting the Financial Industry in the First Half of 2025!

This report was created during an actual lecture and summarizes trends both in Japan and overseas, with a particular focus on attacks targeting the financial industry. It highlights attack patterns and methods to protect against them.

During the lecture, participants are also taught how to efficiently organize and create report content using AI tools such as Google Gemini and NotebookLM.

Download

次のセクションへ

Through a partnership with Recorded Future, participants can learn using paid threat intelligence tools!

※The Recorded Future tools (paid) are available for use throughout the duration of the course!

Heatwave Inc., the company that operates the Security Training School, has established a training partnership with Recorded Future. Through this partnership, participants in this course can learn to collect and analyze the latest threat intelligence using Recorded Future’s paid tools.

Recorded Future, founded in the United States in 2019, is a pioneer in providing threat intelligence. The company collects and stores data from a vast range of sources, including the dark web, and combines machine learning with human analyst research to deliver real-time threat information to its clients.

In the United States, Recorded Future is widely used by major organizations and government agencies to monitor early indicators of potential crimes and attack methods, track the dissemination of stolen information, and proactively prevent cyberattacks.

Official Website

次のセクションへ

In the class Slack, the instructor shares threat intelligence almost every day!

In the Threat Intelligence Training Course, Kazuki Omo, a security evangelist and the course instructor, shares the latest threat intelligence on the class Slack almost daily.

It’s not just one-way communication—participants can ask questions about cases they find interesting in the news, and the instructor provides answers. In some instances, these questions and discussions are even incorporated into lecture examples.

次のセクションへ

Curriculum

🎯What You Will Be Able to Do ∨

Educational Objectives of the Course
The course aims to develop professionals capable of building and operating an organization’s threat intelligence framework. Over a 12-month period, participants systematically learn the entire process: information collection → analysis → visualization → reporting → improvement and dissemination. By the end of the program, participants acquire the skills to become “Threat Intelligence Professionals”, equipped with technical analytical abilities, strategic decision-making skills, reporting proficiency, and information-sharing capabilities.
Final Deliverable
Industry-Specific Threat Analysis Report (3–5 pages, BLUF format) Documentation for Building an Analysis Environment Using MISP, Recorded Future, and HoneyPot List of IoCs, TTPs, and Rule Sets (YARA / Snort / Sigma) Threat Intelligence Operations Roadmap (1-Year Plan)
Final Goal
Information Gathering Skills: Able to collect the latest threat intelligence using OSINT, API integrations, and automated scripts. Analytical Skills: Able to evaluate threat actors, TTPs, vulnerabilities, and geopolitical risks from multiple perspectives. Technical Skills: Capable of operating tools such as MISP, OpenCTI, Recorded Future, and T-Pot in a real-world environment. Reporting Skills: Able to create clear and concise reports based on the BLUF and So What models. Strategic Thinking: Able to connect organizational challenges with threat trends and propose improvement measures. Self-Driven Capability: Able to independently adopt new tools and techniques and conduct analyses autonomously.

🧭Basic Knowledge Part 1 ∨

Chapter 1: Fundamentals of Intelligence and Threat Intelligence
Types of Intelligence (HUMINT / SIGINT / OSINT) Understanding the Intelligence Cycle Components of Threat Intelligence (Strategic / Tactical / Operational / Technical) Overview and Utilization of OSINT (Open Source Intelligence) Integration of AI and OSINT [Exercise ①: Extracting Threat Elements Using Open Source Information]
Chapter 2: Frameworks and Models for Threat Analysis
Basic Concepts of IoCs and TTPs Structure and Usage of the MITRE ATT&CK Matrix Case Study Using LockBit 3.0 Actor Analysis Using the Diamond Model Case Study Using LockBit 3.0 [Exercise ②: Attack Mapping Using MITRE ATT&CK Navigator] [Exercise ③: Actor Profiling Using the Diamond Model]
Chapter 3: Utilizing Vulnerability Information and OSINT
SCAP Components (CVE / CVSS / CWE / CPE / CCE / XCCDF / OVAL) CVSS v3.1 / v4.0 Evaluation Methods Utilizing NVD API and CISA KEV Catalog [Exercise ④: Retrieving and Analyzing CVE Information via API] [Exercise ⑤: Determining Risk Priorities Using CVSS Evaluation]
Chapter 4: Integrated Use of OSINT and Threat Intelligence
Major OSINT Sites (CISA, Unit42, BleepingComputer, etc.) How to Use OSINT Framework / OSINT Links Dark Web / Social Media (X/Twitter) Monitoring Overview of Recorded Future [Exercise ⑥: OSINT Investigation Using the Log4j Vulnerability as a Case Study]
Chapter 5: Visualization of Threat Intelligence and Report Creation
Basic Concepts of MISP / OpenCTI Threat Actor Analysis Using Recorded Future Structure and Key Points of Threat Intelligence Reports Application of the BLUF Method [Exercise ⑦: Data Analysis and Visualization Using MISP or OpenCTI] [Exercise ⑧: Creating a Threat Report (BLUF Structure)]
Learning Objectives of 'Basic Knowledge Part 1
Systematically understand the concepts and types of Threat Intelligence Effectively utilize Kill Chain, ATT&CK, and Diamond Model Understand and apply vulnerability standards such as CVE and CVSS Conduct analysis by combining OSINT and automation tools Summarize results as a report and be able to explain them

🧭Basic Knowledge Part 2 ∨

Chapter 1: Fundamentals of OSINT and Utilization of Information Visualization Tools
What is Intelligence (HUMINT / SIGINT / OSINT) Definition and Components of Threat Intelligence OSINT Data Sources (Shodan / ZoomEye / ShadowServer / URLScan / VirusTotal) Relationship Between AI and OSINT Definition and Components of Threat Intelligence [Exercise ①: Search Experience Using Shodan / ZoomEye / ShadowServer] [Exercise ②: Scanning and Analysis Using URLScan.io and VirusTotal]
Chapter 2: Vulnerability and Exploit Information and Threat Intelligence Visualization
Checking Breaches Using Have I Been Pwned Using the Zero-day Vulnerability Database and ZDI Searching Exploit Information via Exploit-DB / GitHub Overview of MISP and the STIX Format Mechanism of OpenCTI and Integration of Threat Data [Exercise ③: Vulnerability Search Using ZDI and ExploitDB] [Exercise ④: Investigating Ransomware / Vulnerability Information with OpenCTI]
Chapter 3: Report Creation and Utilization of Threat Intelligence
Basic Structure of Reports (Purpose / Intended Audience / 5W1H) BLUF / What–SoWhat–NowWhat / 3C Principles Report Structure (Primary / Secondary Reports) Utilization of Visual Materials (Charts and Graphs) [Exercise ⑤: Creating Reports Using the KADOKAWA Case Study (Two Types: Technical Report and Management Report)]
"Learning Objectives of 'Basic Knowledge Part 2'"
Collect and evaluate threat intelligence using OSINT tools Analyze vulnerability and exploit information from multiple perspectives Understand threat intelligence sharing platforms using MISP / OpenCTI Create clear and understandable reports using the BLUF structure
Tools Used:
Shodan、ZoomEye、ShadowServer、URLScan.io、VirusTotal、MISP、OpenCTI

🧭Utilization of Threat Intelligence and Report Writing ∨

Chapter 1: Threat Trends and Fundamentals of Report Writing (Part 2)
Classification of Intelligence (HUMINT / SIGINT / OSINT) Definition and Classification of Threat Intelligence Major Frameworks (IoC / TTP / Kill Chain / MITRE ATT&CK / Diamond Model) Basics of SCAP / CVE / CISA Information Collection and AI Integration Using Recorded Future Threat Report Structure (BLUF / 5W1H / What–SoWhat–NowWhat) [Exercise ①: Analysis of Various Companies' Threat Reports (2024 Comparison)] [Exercise ②: Drafting a Report for CISOs]
Chapter 2: Installation and Utilization of MISP
Overview of MISP and Information Sharing Models (STIX / TAXII) Installation Procedures on Ubuntu Environment Apache / SSL Configuration (certbot) User and Organization Settings Feed Configuration, Activation, and Job Management Correlation Analysis (IoCs / Events) Reference to CIRCL Public MISP [Exercise ③: MISP Installation and Feed Registration] [Exercise ④: Correlation Analysis of Threat Intelligence Events]
Chapter 3: Report Revision and Presentation
Review of Basic Report Structure BLUF / What–SoWhat–NowWhat Model Information Visualization Using Charts and Graphs Primary / Secondary Report Structure Incorporating Feedback and Finalizing [Exercise ⑤: Final Report Revision (CISO Reporting Format)] [Exercise ⑥: Presentation Delivery]
Learning Objectives of 'Utilization of Threat Intelligence and Report Writing'
Systematically understand the fundamentals and practical methods of Threat Intelligence Build and operate MISP to share and analyze threat intelligence Create and present reports using the BLUF structure
Tools Used
MISP、RecordedFuture、MITRE ATT&CK Navigator、CVE／NVD、CISA KEV、OSINT Framework

🧭Threat Intelligence Using Recorded Future ∨

Chapter 1: Fundamentals of Threat Intelligence Using Recorded Future
Definition and Classification of Intelligence (HUMINT / SIGINT / OSINT) Integration of OSINT and AI Major Frameworks (Kill Chain / ATT&CK / Diamond Model) Overview of Recorded Future and Entity Structure Risk Score Calculation and Intelligence Cards Analysis of CVE Examples (e.g., CVE-2024-6387) Search and Comparison of LockBit / BlackSuit / Log4j, etc. [Exercise ①: Basic Searches Using Recorded Future]
Chapter 2: Utilizing the Advanced Query Builder
Structure and Query Syntax of AQB (Involving / Event Type / Time) Combining Search Conditions (AND / OR) Sources / Source Type / Geofence Settings Visualization (Timeline / Map) and Output Formats Data Accuracy and Analytical Perspectives Investigation of Threat Information Related to KADOKAWA / dwango Constructing Search Queries for LockBit / BlackSuit [Exercise ②: Creating Queries Using Recorded Future]
Chapter 3: Advanced Operations and Analytical Exercises Using Recorded Future
Search by Event Type (Cyber Attack / Vulnerability / Credential Leak, etc.) Advanced Analysis Using Sandbox / Timeline / Map Visualization of Attack Actors / Target Industries / Country Trends Creating Monitoring Lists Using the Lists Feature Report Structure (BLUF / 5W1H) [Exercise ③: Visualizing Threat Trends Using Timeline and Map Analysis] [Exercise ④: Drafting Reports Using Recorded Future]
Learning Objectives
Collect and analyze threat intelligence using Recorded Future Build advanced threat search queries using AQB Visualize attack trends using Timeline and Map Create and present threat reports using the BLUF structure
Tools Used
Recorded Future, MISP, OpenCTI, urlscan.io, VirusTotal

🧭Threat Intelligence Collection ∨

Chapter 1: Fundamentals of Threat Intelligence Collection and Understanding the Intelligence Cycle
Basics of Intelligence and the Cycle (Plan / Collect / Process / Analyze / Disseminate) Classification and Purpose of Threat Intelligence Methods for Collecting Threat Actor / Victim Information Major Information Sources (BleepingComputer, CISA, AlienVault, ransomware.live) JSON Analysis and API Integration Using jq Command [Exercise ①: Collecting and Classifying Threat Actor Information] [Exercise ②: Retrieving and Formatting CVE / Victim Information via API]
Chapter 2: Collection and Automation of Vulnerability Information
Types and Characteristics of Vulnerability Information (Pre-disclosure / Post-disclosure) Relationship and Structure of CVE / NVD / CISA Using CVE.org API and NVD API Utilizing GitHub cvelistV5 Using CISA ADP (vulnrichment) Information Obtaining API Keys and Setting Authentication [Exercise ③: Retrieving CVE Information Using curl + jq] [Exercise ④: Automatically Extracting CVE Data from GitHub] [Exercise ⑤: Differential Analysis of CISA ADP Information]
Chapter 3: Utilization, Automation, and Optimization of Collected Data
Understanding SSVC (Stakeholder-Specific Vulnerability Categorization) Comparison with CVSS and Its Application Automation Mechanisms (Email Notifications / Slack Integration) Use Cases of ransomware.live / CISA API Creating Internal Reports Using Threat Intelligence [Exercise ⑥: Threat Analysis Assuming Your Own Industry] [Exercise ⑦: Building Automated Notification Scripts (Slack / Email)] [Exercise ⑧: Final Report Creation (Applying SSVC)]
Learning Objectives of "Threat Intelligence Collection"
Understand the overall process of threat intelligence collection Automatically acquire threat intelligence via API integration Evaluate priorities using SSVC / CVSS Create and report organizational threat analysis reports
Tools Used
jq, curl, CVE.org API, NVD API, CISA ADP, ransomware.live, OpenCTI, AlienVault

🧭Threat Hunting ∨

Chapter 1: Fundamentals of Threat Hunting and Understanding Approaches
Purpose and Role of Threat Hunting Difference from SOC / SIEM (from Passive Defense to Active Defense) Hunting Maturity Model (HM0–HM4) Hunting Loop (Hypothesis → Collection → Analysis → Improvement) Main Approaches (Anomaly-Based / Hypothesis-Driven / AI-Assisted) Hunting Frameworks (PEAK / ABLE) [Exercise ①: Hypothesis-Driven Hunting Design Workshop] (Example: Hypothesis Formulation for RansomHub Attack)
Chapter 2: Practical Hunting Using Detection Techniques and Rule Design
Definition and Utilization of IoC / TTP Major Public Sources (CISA / FBI / ransomware.live) File Detection Using YARA Rules (Syntax and Exercises) Network Detection Using Snort Rules (Editing local.rules) Converting SIEM Queries Using Sigma Rules Automation and Correlation Analysis of Rule Operations [Exercise ②: Creating YARA Rules and File Detection] [Exercise ③: Detecting Communications Using Snort Rules] [Exercise ④: Converting Sigma Rules for Elastic / Splunk]
Chapter 3: Comprehensive Exercise – Practical Threat Hunting and Reporting
Confirmation of Threat Hunting Exercise Environment Data Collection and Correlation Analysis Based on Hypotheses Improving Detection Accuracy Through Multiple Rule Integration Visualization of Findings and Report Structure (BLUF Format) Integration Points with Incident Response [Exercise ⑤: Comprehensive Exercise (IoC + Rule Integration Scenario)] [Exercise ⑥: Creating a Hunting Report (Hypothesis → Results → Insights)]
Learning Objectives of "Threat Hunting"
Understand the purpose, methods, and maturity model of threat hunting Perform proactive threat detection using IoC / TTP Create and validate detection rules (YARA / Snort / Sigma) Report hunting results in a structured report
Tools Used
YARA, Snort, Sigma, ElasticSearch, Splunk, Uncoder.io

🧭Threat Hunting Using Recorded Future ∨

Chapter 1: Review of Investigations Using Recorded Future and Introduction to Threat Hunting
Key Functions of Recorded Future (Intelligence Card / Entity / Risk Score) Practical Analysis Using CVE / IP / Domain (e.g., CVE-2025-30154) Basics and Structure of Advanced Query Builder Hypothesis-Driven Hunting (ABLE / PEAK Models) [Exercise ①: Vulnerability Search Using Recorded Future (CVE / Domain Analysis)] [Exercise ②: Time-Based Attack Analysis Using AQB (Daily / Yearly)] [Exercise ③: Extracting Actors and Creating Lists for the Financial Industry]
Chapter 2: Advanced Analysis and Vulnerability Hunting Using Recorded Future
Practical Hypothesis-Driven Hunting (Prepare → Act) Comparing Threat Actors Across Multiple Products Industry- and Product-Specific Analysis Using Entity List Utilizing Hunting Packages from Insikt Group (Snort / YARA / Sigma) Setting Up and Managing Watch Lists [Exercise ④: Product-Based Actor Analysis (Fortinet / VMware / Cisco)] [Exercise ⑤: Analysis of Common Actors Using Hunting Packages] [Exercise ⑥: Registering Your Organization’s Watch List]
Chapter 3: Advanced Operations Using Recorded Future and Sandbox Practice
Intent Analysis Using Threat Actor Map (Intent / Opportunity) Trend Change Analysis Using Change Over Time URL / Malware Analysis Using Sandbox (tria.ge) Threat Report Creation (BLUF / SoWhat / NowWhat Structure) [Exercise ⑦: Analyzing Attack Trends Using Threat Actor Map] [Exercise ⑧: Sandbox Practice (URL Analysis)] [Exercise ⑨: Comprehensive Exercise – Report Creation Based on Analysis Results Using Recorded Future]
Learning Objectives of "Threat Hunting Using Recorded Future"
Master advanced search functions of Recorded Future (AQB / Entity List / Map) Perform and compare threat actor analysis using multiple conditions Analyze malware and URLs using Sandbox Organize analysis results in BLUF format and present as a report
Tools Used
Recorded Future, Advanced Query Builder, Entity List, Hunting Package, Sandbox (tria.ge)

🧭Geopolitical Intelligence and AI Utilization ∨

Chapter 1: Introduction
Course Overview and Objectives Relationship Between Geopolitics and Cyber Structure of Modern Cyber Threats
Chapter 2: Basics of Geopolitics and National Strategy
What is Geopolitics? Integration of National Security and Cyber Domain Classification and Objectives of Cyber Attacks [Group Work: Investigate Cyber Strategies of Different Countries]
Chapter 3: Cyber Activities of Major Nations and Threat Actor Analysis (I)
Strategies and Objectives of the US, Russia, China, North Korea, Iran List of Representative Threat Actors (APT29, APT28, Lazarus, etc.) [Exercise ①: Create a Feature Sheet of Each Country's Actors]
Chapter 4: Threat Actor Analysis of Major Nations (II)
APT-Specific Techniques (TTP) and MITRE ATT&CK Analysis Case Studies: APT29 / APT28 / Sandworm / Turla [Exercise ②: Identify APT29 TTP Using MITRE ATT&CK]
Chapter 5: Case Studies of State-Sponsored Cyber Attacks
Russia's Hybrid Warfare (Ukraine Invasion) Taiwan Contingency and Information Operations Deployment of Cognitive Warfare [Exercise ③: Case Analysis – Discuss Objectives and Impact of Information Operations]
Chapter 6: Threat Analysis Automation Using AI/LLM
Features and Use Cases of ChatGPT Document Summarization and Structuring with NotebookLM AI Limitations (Countermeasures Against Hallucinations) [Exercise ④: Generate YARA Rules for APT29 Using ChatGPT] [Exercise ⑤: Summarize Threat Intelligence Using NotebookLM]
Chapter 7: Practical Collaboration Between ChatGPT × NotebookLM
Collect IoC/TTP Using ChatGPT → Analyze and Summarize Using NotebookLM Workflow from YARA Rule Generation to Verification [Exercise ⑥: Collect Latest IoC for APT29 Using ChatGPT + Analyze Using NotebookLM]
Chapter 8: Report Creation and Verification Using AI
Source Verification and Validation Process Identifying False Information (Hallucinations) [Exercise ⑦: Evaluate Reliability of ChatGPT Output]
Chapter 9: Comprehensive Exercise and Report Creation
Integrated Threat Analysis of APT29 / Lazarus Relationship Between Geopolitics and Cyber Structure of Modern Cyber Threats
Chapter 10: Summary and Q&A
Overall Review Integrated Operation of AI Utilization and Geopolitical Analysis
Learning Objectives of "Geopolitical Intelligence and AI Utilization"
Analyze Cyber Threats from a Geopolitical Perspective Explain Characteristics and TTPs of Each Country's APTs Automate Threat Analysis Using ChatGPT / NotebookLM Create and Verify Reports Using AI
Tools Used
Recorded Future, ChatGPT, NotebookLM, MITRE ATT&CK Navigator

🧭Advanced Threat Intelligence Report Creation ∨

Chapter 1: Introduction
Course Overview and Objectives Role of Reports in Threat Intelligence Review of Learning Objectives
Chapter 2: Basic Concepts of Report Creation
Organizing "Purpose" and "Audience" Communication Methods for Engineers / Management / Clients Selection of Keywords for Reports [Mini Exercise: Design Report Structure According to Target Audience]
Chapter 3: Report Structure and Writing Techniques
BLUF (Bottom Line Up Front) Structuring What / So What / Now What / Then What Model Introduction of Purpose-Specific Templates [Exercise ①: Create Overview Using Templates]
Chapter 4: Writing and Expression Techniques
Writing Concise and Clear Documents Utilization of Charts and Graphs Comparison of Good and Poor Report Examples [Exercise ②: Compare and Revise Reports Before and After Improvement]
Chapter 5: Practical Exercise ①: Report Creation (Hands-on)
Theme: "Summary of Cyber Threats in the Financial Sector H1 2025" Setting Objectives and Organizing Information Creating Client-Facing Deliverables (PDF + Slides) [Exercise ③: Create Report Based on Specified Theme]
Chapter 6: Information Gathering Support (Supplementary Materials)
Industry Analysis Using Recorded Future Alternative Information Collection Using ChatGPT / Gemini Using Ransomware.live / BreachSense Method for Linking Domain to Industry [Exercise ④: Extract Financial Sector Incident Data Using Ransomware.live + BreachSense]
Chapter 7: Practical Exercise ②: Information Integration and Report Completion
Cross-Check Results from Ransomware.live / BreachSense / Recorded Future Trend Analysis and Visualization (Graphing) Summarization Using BLUF Structure [Exercise ⑤: Integrated Analysis and Final Report Completion]
Chapter 8: Summary and Review
Organizing Features of Effective Reports Limitations and Cautions When Using AI Quality Improvement and Continuous Enhancement [Group Discussion: Develop Application Plan for the Field]
Learning Objectives of "Advanced Threat Intelligence Report Creation"
Create Threat Reports With Audience and Purpose in Mind Integrate and Analyze Multiple Sources into Reports Utilize AI Tools to Improve Writing Efficiency and Quality Apply Structuring Methods Such as BLUF and So What Model in Practice
Tools Used
ChatGPT / Gemini (Information Extraction and Summarization) Recorded Future (Threat Actor Analysis) Ransomware.live / BreachSense (Attack Incident Analysis)

🧭Vulnerability Analysis, Honeypot Operation, and Report Creation ∨

Chapter 1: Introduction
Course Overview and Clarification of Goals Prerequisite Knowledge (Basics of Threat Intelligence Collection and Analysis) Learning Flow and Evaluation Methods
Chapter 2: Vulnerability Trends H1 2025
Collecting and Storing CVE Data Understanding JSON Structure and Classification Methods Priority Assessment: Critical to Low Verification of Exploitation Status (KEV / CWE / CPE) [Exercise ①: Data Extraction and Aggregation Using jq + AI (Gemini)] [Exercise ②: Automated Collection Using Vulnerability-Lookup API]
Chapter 3: Honeypot Operation and Attack Observation
Structure and Mechanism of T-Pot (Honeypot) Log Collection and Visualization (Attack Map / Elasticvue) iptables / Docker Configuration and Security Considerations [Exercise ③: Analyze Attack Types and Sources from T-Pot Logs] [Exercise ④: Create Attack Frequency Graphs]
Chapter 4: Threat Report Creation Exercise (Financial Sector)
Report Design Using BLUF Structure Incident Analysis Using Ransomware.live / BreachSense Comparison of Major Threat Actors (Akira / Qilin / Luna Moth) TTP Analysis (MITRE ATT&CK Alignment) [Exercise ⑤: AI-Assisted Report Generation Using ChatGPT + Gemini] [Exercise ⑥: Summarize Incident Trends and Draft Recommendations]
Chapter 5: Practical Comprehensive Exercise
Theme Setting and Information Integration (e.g., Industry-Specific Ransomware Trends) AI-Assisted Writing and Verification Improvement Process Through Instructor Review [Exercise ⑦: Create Final Report Based on Individual Theme]
Chapter 6: Summary and Future Directions
Organizing and Consolidating Applied Skills Efficiency Methods Using AI Continuous Tracking of Latest Vulnerability Sources [Group Discussion: Develop Practical Application Plan]
Learning Objectives of "Vulnerability Analysis, Honeypot Operation, and Report Creation"
Acquire Analytical Skills Based on Vulnerability and Attack Observation Data Practice AI-Assisted Report Writing Skills Visualize and Report Industry-Specific Threat Trends Logically
Tools Used
Vulnerability-Lookup / KEV / CVE Data Feeds T-Pot (Honeypot Environment) ChatGPT / Gemini (AI Analysis Support)

🧭Honeypot and Advanced Information Gathering ∨

Chapter 1: Introduction
Course Objectives and Overview Significance of Practical Exercises Using T-Pot Learning Goals and Schedule
Chapter 2: Basics of Honeypot (T-Pot)
Concept of Honeypot Structure of T-Pot (Dionaea, Cowrie, Cisco ASA, Sentrypeer) Obtaining GitHub Repository and Running install.sh iptables Configuration and SSH Port Modification Visualization Using Attack Map / Elasticvue / Kibana [Exercise ①: Environment Setup and Initial Access Verification (Attack Map / Kibana Display)]
Chapter 3: Utilizing Honeypot Data
Data Storage Structure (tpotce/data/) Kibana Dashboard Operations Extract Top Access IPs and Export to CSV [Exercise ②: Investigate Access Information on Dashboard / Analyze tpotce/data Directory]
Chapter 4: Malware Collection with Dionaea
Overview of Dionaea and Storage Directory VirusTotal API Setup and Usage Retrieve Results Using curl Command and YARA Matching [Exercise ③: Analyze Samples Collected by Dionaea Using VirusTotal API]
Chapter 5: Unauthorized Access Analysis Using AbuseIPDB API
Overview of AbuseIPDB Understanding API Syntax and curl -G Command Visualizing Results via JSON Formatting [Exercise ④: Analyze Malicious IPs Using Dionaea + AbuseIPDB API]
Chapter 6: Observing SSH Attacks with Cowrie
Cowrie Log Structure tty Log Analysis and Playback Using playlog Analysis of Post-Intrusion Commands Malware Verification via VirusTotal Integration [Exercise ⑤: Analyze Intrusion Behavior Using Cowrie Logs]
Chapter 7: Other Honeypot Components
Recording SIP Attacks with Sentrypeer Cisco ASA Honeypot Setup and Detection of CVE-2018-0101 Attack [Exercise ⑥: Compare Behavior of Each Service Through Log Analysis]
Chapter 8: Information Gathering Exercise with SpiderFoot
Overview and Setup of SpiderFoot Collect OSINT Information Using IPs Extracted from Kibana Threat Level Assessment Using Graphs [Exercise ⑦: Information Gathering and Evaluation Using SpiderFoot]
Chapter 9: Summary and Future Directions
Application of Honeypot Operational Insights Automating Analysis via API Integration Usage Differentiation: SpiderFoot, VirusTotal, AbuseIPDB [Discussion: Consider Application Scenarios Within Your Organization]
Learning Objectives of "Honeypot and Advanced Information Gathering"
Operate honeypots and collect attack observation data Identify malware and unauthorized access using API integration Automatically gather and assess related threat information using SpiderFoot Acquire skills to analyze and report based on actual observation data
Tools Used
T-Pot, Dionaea, Cowrie, Cisco ASA, Sentrypeer VirusTotal API, AbuseIPDB API, SpiderFoot, jq

Main Instructor

Kazuki Omo
Executive Officer, Sios Technology Co., Ltd.
OSS / Security Evangelist
Bio: With nearly 20 years of experience as an OSS security expert, he mainly writes and lectures on OS security. He has worked in various roles at major vendors, foreign companies, and user organizations. Since 2015, he has been active as an OSS/Security Evangelist at Sios Technology, running the SIOS Security Blog.
Recent Publication: "Protecting Enterprise Systems from Cyber Attacks! OSINT Practical Guide"
・Security Researcher / Engineer / Developer (19 years)
・SELinux / MAC Evangelist (14 years)
・Linux Engineer (19 years)
・System Administrator (4 years)
- Antivirus Professional Engineer (3 years)
- SIEM Professional Engineer (3 years)

MISP

MISP stands for Malware Information Sharing Platform & Threat Sharing.
It is an open-source threat intelligence platform provided by CIRCL (The Computer Incident Response Center Luxembourg) in Luxembourg.

OpenCTI

OpenCTI is an open-source CTI (Cyber Threat Intelligence) system.
It can integrate with other tools and applications such as MISP, TheHive, and MITRE ATT&CK.

OTX AlienVault

OTX AlienVault, also known as AlienVault, is a platform for exchanging and sharing threat intelligence.
(OTX = Open Threat eXchange)

ACT

ACT is an open-source platform provided by Norwegian IT security provider mnemonic for collecting threat intelligence.
ACT stands for Semi-Automated Cyber Threat Intelligence.

Recorded Future, founded in 2009 in the USA, is a pioneer in providing threat intelligence. It accumulates data from vast sources including the dark web, combining machine learning and researcher analysis to deliver real-time threat intelligence to clients.
In the US, it is widely used by companies and government agencies to predict targets and methods of crime, track stolen information, and prevent damage.
In this course, participants will use Recorded Future's threat intelligence tools for hands-on threat intelligence collection.

Report Creation

Learn how to collect threat intelligence and create reports through case-based exercises.

Testimonials

I was able to learn broad and practical knowledge about "Threat Intelligence".

Since the instructor is actually working in the field, I was able to hear very practical stories, which was extremely educational.

I was able to understand the overview of "RecordedFuture".
It was also great to get hands-on experience with "HoneyPot", which I had wanted to try in the past.

It was great to be able to use "RecordedFuture".
I learned how to write threat reports and what points to consider, which helped improve my skills.

The instructor flexibly organized the curriculum, allowing me to learn investigation methods using generative AI and explanations of recent incidents. This helped improve my practical security skills. Thank you for the year-long course.

It was great that I could use the grant and take this extensive lecture at a relatively low cost.

Next Section

Threat Intelligence Training Course – Application Guidelines

Schedule	Every month on the 1st, 2nd, and 3rd Saturday 15:00 – 18:00 Total Class Hours: 108 hours + Hands-on practice available remotely from anywhere ※Recorded Future threat intelligence database is available for use.
Course Duration	1 year from the month of enrollment (12 months) ※You can start in any month!
Tuition Fee	¥671,000 (tax included) / per person
Payment Methods	Various payment options are available according to your convenience: Cash / Bank Transfer / Credit Card (VISA, Master, JCB, AMEX, DINERS) / Education Loan Cash Payment Please bring the tuition fee to the reception on the day of application. Bank Transfer Transfer the tuition fee to the designated account. Bring the transfer receipt on the first day of class along with your application form. ※Bank fees are borne by the participant. Credit Card Payment One-time payment only (no handling fee). Accepted cards: VISA, Master, JCB, AMEX, DINERS. Billing date depends on the card company. Education Loan (Government) Payment via Japan Finance Corporation education loan is available. Fixed interest rate: 1.76% per year (as of Jan 10, 2018), repayment period up to 15 years. Required Documents for Application Application Form (can be filled on the day) Seal / Signature Tuition Fee: Cash / Transfer receipt / Credit Card depending on payment method ID (if applying for training benefit) Writing materials / Notebook (for attending on the day)
Course Objectives	Efficiently collect, process, analyze, and create threat intelligence from scattered online sources Create threat intelligence reports based on collected data Conduct threat intelligence collection and reporting for your organization Understand the latest security incidents and explain them in detail
Recommended For	Those interested in threat intelligence Those who want to learn systematically from basics to advanced techniques from experts Those aiming to improve skills and expand career opportunities Companies seeking to strengthen security measures as part of corporate strategy Those wishing to join engineering communities and share knowledge Those aiming to become analysts and increase their income
Other Requirements	＜Required Windows or Mac environment＞ CPU: x64 compatible 2.0GHz or higher RAM: 8GB or higher Recommended browser: Latest Chrome/Firefox (※) The threat intelligence platforms used in the seminar are prepared on Heatwave's cloud, so a browser-accessible environment is sufficient. ＜Available both on-site and online＞ ■For Remote Attendance Internet connection Web camera Microphone ■For On-site Attendance Wired network (Ethernet) port (Internet access is provided at the venue)

¥671,000 (tax included)/per person