Blue Team Level 1 (BTL1) Exam Review & Tips
BTL1 Exam Review and Tips on how to get the Gold challenge coin
Studying for and passing Security Blue Team’s Blue Team Level 1 (BTL1) was a focused, practical step in my blue team journey. The course and exam emphasize real-world defensive skills across domains such as phishing analysis, digital forensics, SIEM/SOC workflows, incident response, and threat intelligence. In this writeup, I will discuss my personal experience in passing Blue Team Level 1 (BTL1) from Security Blue Team and I will also provide some practical tips that you can use to help pass the exam on your first try and hopefully get the gold challenge coin.
The BTL1 certification is Security Blue Team’s junior / entry-level defensive security certification. It is designed to develop and test practical knowledge in core blue team disciplines such as Phishing Analysis, Threat Intelligence, Digital Forensics, SIEM log analysis, and Incident Response. Aside from that, you will also gain hands-on skills in using tools such as Splunk, Wireshark, FTK Imager, KAPE, Volatility, Autopsy, and many more!
Course Material
At the time of this writing, the BTL1 certification is priced at £399.00 GBP (around $500), and they are currently running a Black Friday sale where the certification is 20% off. You will have 4 months of on-demand access to the course materials and 2 exam attempts, which are valid for 12 months. The course material is divided into 6 domains: Security Fundamentals, Phishing Analysis, Threat Intelligence, Digital Forensics, Security Information and Event Monitoring, and Incident Response. You can view the full course content here: BTL1 Domains
The course also provides 100 hours of access to the labs, which is more than enough to practice the tools you’ve learned. I have used 30.5 hours of lab time before taking the exam. Personally, I find some of the labs quite slow to start and use. I also had difficulties using their copy and paste functions, as there’s a limit of 100 characters when copying, and when pasting from your device to the lab machine, you would need to paste the text first into the textbox before you can paste anything in the lab machine. I hope that they slightly increase the performance of the machines and implement a more efficient way to copy and paste text.
The majority of the course material is written content; however, there are some videos, and they also provide quizzes at the end of each topic. The topics provided are perfect for entry-level security analysts and anyone starting a career in Blue Teaming.
Personally, I would prefer video content so that the demonstrations can be delivered more clearly. In terms of course content, I would love it if they added more topics such as Windows network and process analysis, Windows core processes, and Sysinternals, which are helpful when doing investigations. I would also love it if they went more in depth in some areas such as Wireshark and Windows forensics and added more video content, especially on the parts where it is necessary to demonstrate how a tool is used. Lastly, I think increasing access to the course material to 12 months would be beneficial, especially for anyone who has a busy schedule or does not have the capacity to finish the course in 4 months.
Exam
As mentioned previously, you have 2 exam attempts, which are valid for 12 months. BTL1 is a 24-hour practical exam in which you will perform an investigation of a security incident and answer 20 task-based questions, applying all the knowledge that you’ve learned from the course material.
Take note that everything you need to pass the exam is in the course material. In terms of my exam experience, the exam environment is similar to the labs that are provided. I haven’t encountered any issues, and the performance of the exam machine is great.
It took me around one and a half months to complete the course material and around 8-9 hours to complete the exam, and I scored 95%, which qualified for the gold challenge coin. Another great thing is that they provide feedback and hints on where you made a mistake and what you should do to answer it correctly.
Exam Tips
Before the Exam
A common tip is to take good notes. This is extremely important if you want to pass on your first attempt, as you will be using all of the things you’ve learned in the course material. However, I recommend focusing on the following topics: Splunk, Wireshark, DeepBlueCLI, Autopsy, Phishing Analysis, Log Analysis, and Threat Intelligence.
Create your own cheat sheet. This is helpful in reinforcing your learning, and you can easily refer to it while doing the exam.
Build your own investigation methodology or playbooks. This should also be in your cheat sheet: these are the steps that you will take and the things that you need to check when doing investigations. For example, when doing phishing analysis, what email artifacts do you need to collect? What tools will you need to analyse the suspicious URLs and attachments? When working with Splunk, which fields are important when correlating events?
Use the Pomodoro technique when studying to avoid burnout; it also helps you keep a steady pace. I personally use the Focus To-Do app.
Practice, Practice, Practice. Another important tip is to redo your labs. You can reset your labs up to three times; this will reset all of your progress and allow you to submit your answers again. This will allow you to get familiar with the tools and reinforce what you’ve learned. Use the 100 hours of lab time if you can. If you need other labs to practice on, I highly suggest going to Blue Team Labs Online, which is Security Blue Team’s own lab platform, similar to Hack The Box. Here are some of the labs that I took on the BTLO platform:
- BEC-KY - Phishing and Log/SIEM analysis
- MIDDLEMAYHEM - Log analysis using Splunk
- PIGGY - PCAP investigation using Wireshark
During the Exam
Document Everything. This is also important while doing the exam and in real-life investigations. Take detailed notes and screenshots of the IOCs, the results of the commands and queries you’ve run, and any other details that you think might help you with the investigation.
Create an Incident Timeline. This is helpful for mapping what the threat actor has done, and it helps you correlate events and see the bigger picture. Write down the timestamp of each key event, for example:
2025-11-25 14:15:37 UTC - User received the phishing email.
2025-11-25 14:17:22 UTC - User clicked the link from the phishing email and downloaded a malicious file.
2025-11-25 14:20:05 UTC - The malicious file started communicating with the C2 server.
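One pitfall when building a timeline from several sources (mail gateway, proxy, EDR) is that each logs time differently, so events must be normalised to UTC before they are sorted and correlated. The following script is an added example, not part of the original post; the three events and their source formats (ISO 8601 with a Z suffix, an Apache-style proxy timestamp in a -0500 zone, and a Unix epoch from the EDR) are constructed for illustration.

```python
"""Incident timeline builder (added example, not from the original post).

Normalises events from sources with different timestamp formats to UTC,
sorts them, and renders them in the 'YYYY-MM-DD HH:MM:SS UTC - description'
style used in the timeline above.
"""
from datetime import datetime, timezone

# Constructed sample events: (source, raw timestamp as the source logs it, description).
# Deliberately out of order and in three different formats/time zones.
RAW_EVENTS = [
    ("edr", "1764080405", "The malicious file started communicating with the C2 server."),
    ("mail_gateway", "2025-11-25T14:15:37Z", "User received the phishing email."),
    ("proxy", "25/Nov/2025:09:17:22 -0500",
     "User clicked the link from the phishing email and downloaded a malicious file."),
]


def parse_timestamp(source, raw):
    """Parse a source-specific timestamp and return a timezone-aware UTC datetime."""
    if source == "edr":
        # Unix epoch seconds are already UTC.
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    if source == "mail_gateway":
        # ISO 8601 with trailing 'Z' (UTC); strptime does not parse 'Z', so attach tzinfo.
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if source == "proxy":
        # Apache/CLF style with a numeric offset; %z reads '-0500', then convert to UTC.
        return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    raise ValueError(f"unknown source: {source}")


def build_timeline(events):
    """Return (utc_datetime, source, description) tuples sorted chronologically."""
    parsed = [(parse_timestamp(src, raw), src, desc) for src, raw, desc in events]
    return sorted(parsed)


def render(timeline):
    """Format each entry in the same style as the hand-written timeline above."""
    return [f"{ts:%Y-%m-%d %H:%M:%S} UTC - {desc}" for ts, _src, desc in timeline]


if __name__ == "__main__":
    for line in render(build_timeline(RAW_EVENTS)):
        print(line)
```

Adding a new source only requires a new branch in parse_timestamp; the sort and rendering stay the same.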
Take Breaks. This is important to avoid burnout. If you’re stuck on a question, take a break: go for a walk, take a nap, or meditate. Do the things that take your focus away from the exam and put your brain into diffuse mode, and more importantly, don’t scroll on social media. You can also use the Pomodoro technique to pace your exam. You will notice that your brain has refreshed and you will understand the question more clearly.
Double Check your Answers. Make sure you double check that your answers are correct and that they make sense based on the question that was asked. Make sure to also follow the answer format.
Don’t Overthink the Questions. Read all the questions carefully but do not overthink them; the questions provide hints that guide you on what tools you will need and what to look for.
Conclusion
Overall, the course material is perfect for entry-level blue teamers and anyone starting a career in Blue Teaming. The exam environment is stable, and they give you everything you need to pass the exam. I hope this writeup helps you in your Blue Team Level 1 (BTL1) journey and hopefully gets you the Gold challenge coin!