On the 18th September 2021, I took the Blue Team Level 1 (BTL1) exam from Security Blue Team (SBT).

In this blog post, I talk about my experiences whilst preparing for and taking the exam, and my overall thoughts of the exam. So let’s begin…


  1. What is BTL1?
  2. The Exam
  3. Additional Resources
    1. AttackIQ Academy
    2. Blue Team Labs Online (BTLO)
      1. Challenges
      2. Investigations
    3. Cyberdefenders
    4. TryHackMe
    5. Free
    6. Paid
    7. Splunk
  4. Tips and Tricks
  5. My Thoughts on the Course/Exam
  6. What’s Next

What is BTL1?

Blue Team Level 1 (BTL1) is a junior certification offered by Security Blue Team (SBT) which covers six domains; Security Fundamentals, Phishing Analysis, Threat Intelligence, Digital Forensics, SIEM and Incident Response.

It’s designed for security enthusiasts wanting to break into their first role in cyber, or those with up to two years experience within an existing cyber role.

Once you have purchased the course, you will have four months in which to complete it and take the exam. One of the great things about this exam is that you’re given a free resit if you fail it on your first try, which is something you don’t see with a lot of certification platforms.

The Exam

The exam is a 24 hour hands-on lab, where you’re given 12 hours to investigate a compromised environment attempting to work out how an attacker gained their initial foothold, and was then able to move lateral throughout the rest of the infrastructure.

This is then followed by 12 hours to write a report on your findings, and to suggest some corrective measures the organisataion can take to help prevent such an attack in the future.

I unfortunately can’t go into too much detail as the exam is protected by an NDA.

Additional Resources

Whilst the material contained within BTL1 is enough for someone to pass the exam, I believe that unless you already have some experience within a cyber security role, I don’t think it’s enough… Especially if you want that juicy gold coin.

Here are a list of the extra resources I used to help supplement my studies to give me more hands-on experience.

AttackIQ Academy

AttackIQ Academy is an online learning platform which offers free courses in cyber security.

The Foundations of Operationalizing MITRE ATT&CK course in particular is perfect for helping you understand the MITRE ATT&CK framework and how it can be used to map tactics and techniques to a threat actor.

I used this course to help me get a good understanding into the framework (plus I got one of them cool Acclaim badges for completing it). Without this, I think I would have struggled a little to complete the report section of the exam.

Blue Team Labs Online (BTLO)

Blue Team Labs Online (BTLO) is the lab offering from SBT. It consists of many challenges (one of which written by yours truly) and investigations.

There are too many individual labs to mention which will help with your journey, but I’ll try to mention a few which I think will be good for you to try out.


The challenges are the free to play feature of the platform. You typically download an artefact to your local machine, and are guided through using questions. Some of the challenges which might be helpful are:


The investigations are the pay to play feature of the platform. These are self-contained virtual instances that you will connect to using your browser. These suggestions are based on investigations that I’ve completed:


Cyberdefenders is an online platform which hosts CTFs from previous competitions. It’s another great platform that’s free to participate in. Here is a small list of challenges which you can do to help you prepare you for the exam:


Everyone knows TryHackMe as a great resource learning red teaming/pentesting, however it has some great defensive rooms too.

Free Rooms

The following THM rooms can be done for free (at the time of writing this).

These rooms require a you to have a premium subscription, which I personally don’t think is too much for what you’re getting.


Splunk is featured in the exam. It’s not a difficult tool to use once you’ve got some experience in using it. Long before I signed up to take the BTL1, I came across the free fundamentals course, a free course on Spunk’s website.

This course takes you through from installing Splunk, ingesting data, filtering and creating reports. I personally think that without the use of this course and the BoTS challenges on Cyberdefenders I would have found the Splunk portion of the exam a little trickier that it ought to have been.

Another great thing about this course is that you get a certificate of completion which you can show of on your LinkedIn profile.

Tips and Tricks

I’ll share with you some tips and tricks which will help you to get the most out of the your time with the course and exam.

  • Create a study plan - Nothing will help you focus more than being able to see what you need to be working on next.
  • Take your time - But also don’t go too slowly with the course. 4 months is more than enough time to go through the material and any of the extra resources to maximise your learning.
  • Plan for an exam resit - One of the downsides to this course is that you need to have access to the course material in order to start the course. So plan some buffer space and don’t try to take your exam on the last possible day.
  • When doing the exam, take screenshots, and I mean take screenshots of everything you find or do. I forgot to take a screenshot of something I found, but couldn’t include it in the report because I had no evidence showing that I had in fact found it.
  • Write good notes when going through the exam of everything you found. This will help you when it comes to write the report as you will forget some things due to the nature of feeling pressure during the exam.

Most important tip I can give you, is to enjoy it. It’s a tough exam for sure. You’re going to go down rabbit holes; I spent an hour on something which ended up being nothing at all. But if you’re prepared, then you’re going to have a blast with it.

My Thoughts on The Course

I thoroughly enjoyed the course, and in particular the exam, which I found to be incredibly challenging and fun. I really enjoyed the hands-on elements of the course where you’re actually able to try out the things you’ve been taught, and the end of module quizzes as they really helped me to make sure I knew the stuff before moving on to the next section.

There are a few things I didn’t like, and they are:

  • Exam template was changed at some point whilst I was taking the exam without any notification. So I had to quickly copy and paste everything from the old template to the new with only 10 minutes left before the shut-off for the report submission.
  • You can’t mark all lessons as complete, which is really only a minor problem.

Aside from those points, and a few others which aren’t really worth mentioning, I would wholeheartedly recommend anyone who wants to get into cyber security (specifically the blue side) take a look at this course. There’s a free trial where you can take a look at about 10% of the course and see for yourself if it’s something you want to invest your time and money into.

What’s next?

Just before I finished my BTL1 journey, SBT released the second level of their exam series. I’ve signed up for this and will be preparing for this exam, with the goal of taking the exam in the new year (2022). During this time, I’ll be looking at other resources which will also compliment my studies to help maximise my understanding of the material.