My thoughts after taking the exam.


After a month of procrastination, I finally sat myself down and took the BTL1 certification exam. I'm happy to share that I passed with 100% and earned a shiny gold coin :0

This is a short blog to share my experience and any thoughts I have to hopefully help out anyone who's on the fence about investing in this course.

About BTL1

Blue Team Level 1 by Security Blue Team is a defense-oriented certification that emphasizes on assessing practical, hands-on ability. In contrast to the more widely recognized Security+, BTL1 offers a refreshing alternative to the traditional approach of testing conceptual understanding.

Course material

Before tackling the exam, it is recommended that you complete the accompanying 6-domain course which covers everything from dissecting phishing emails to managing a SIEM. The aim is to provide a well-rounded foundation of skillsets required of a beginner SOC Analyst. You can learn more about the syllabus here.

For £399, you get 4 months of access to the course material, 100 hours of lab time, and an exam voucher valid for 12 months. I promise, the 4 months access flies by pretty quickly, so don't procrastinate like I did T.T

While the course covers a broad range of valuable topics, it falls short in delivering the depth of knowledge I was anticipating. At times, the material felt a little slow and repetitive, and I really had to force myself to push through the content.

With that being said, I really did enjoy the labs, especially when I got to the modules covering SIEM and Incident Response. Another thing I really appreciated were the really thoughtfully-curated "dive deeper" sections at the end of each topic which held links to a bunch of other resources to further your learning.

About the exam

The exam is a 24-hour-long practical assessment where you are tasked with conducting incident response on a compromised network. Throughout this period, you must answer 20 free-response questions by gathering evidence using tools such as Splunk, Autopsy, and Wireshark, applying the knowledge gained throughout the course.

If you are comfortable with the tools provided in the exam, 24 hours is plenty of time to complete the challenge. Work at a comfortable pace and allow yourself breaks to eat, sleep, and rest if necessary. I completed my exam within an evening and I even had time to grab a quick bite in between.

My experience

By far, the exam was my favorite part of the course. I had a lot of fun building out my timeline and hunting for IoCs. However, I did find the questions a little leading at times. I understand that they have to be more explicit to avoid confusion, especially with an automated grader, but the questions almost served as a playbook for me and in a way eliminated the hunt. There's no need to go down rabbit holes when the questions practically point to the next step. Perhaps it might be worth switching back to the previous report writing approach instead of the free response questions. Regardless, I still really enjoyed the scenario and found the challenges to be comfortably difficult.

Is this the right cert for you?

In my opinion, if you are entering the industry and want a really well-structured guide on all the basics, you should consider taking BTL1. Not only does the course material serve as a solid foundation for you to build experience upon, the labs are also a very convenient and friendly way to gain confidence in your skills.

However, if you feel confident in your skills and are considering taking this certification for better job prospects, more reputable certifications like Security+ might be better suited for your needs. Although BTL1 is probably a more accurate reflection of applicable skill, it is worth noting that the Security+ is still significantly more recognized in the industry and would probably be more valuable on your resume.

Finally, if you are already working in the industry and just want to further your knowledge, I think the material covered in this exam might not offer enough value to justify its cost. Putting your efforts into a home lab or saving your learning budget for more intense courses would probably yield a higher return.

Final thoughts

Although I am not without complaints, I strongly think that BTL1 is a very valuable certification for our industry. We desperately need more affordable(ish 🥲) hands-on assessments on the blue team side of the house. I also really love how digestible the content is–they really have a knack for simplifying complex topics.

Overall, I am very happy that I now have BTL1 under my belt! 😎