[{"content":"Why BTL1 Most entry-level security certifications test theory (see CompTIA Security+), but BTL1 certification is done via an open book, sandbox test environment that matches what you\u0026rsquo;ll see in the real world.\nMost of my colleagues had already sat and passed BTL1 when I joined my current job. I had a few years\u0026rsquo; experience in InfoSec by the time I sat BTL1 and wish it had been around when I first started as it really reinforces good practice as an analyst working in InfoSec.\nWhat the certification covers BTL1 is produced by Security Blue Team and pitched at analysts in their first one to two years. The course is self-paced and entirely online.\nThe six domains:\nDomain Topics Phishing Analysis Header analysis, artefact extraction, sandboxing, reporting Threat Intelligence CTI fundamentals, MITRE ATT\u0026amp;CK, indicator enrichment Digital Forensics Disk and memory acquisition, artefact analysis, timeline reconstruction SIEM Log ingestion, query writing, alert triage, Splunk and Elastic Incident Response IR lifecycle, containment, eradication, post-incident review Vulnerability Management Scanning, prioritisation, remediation tracking All domains include practical labs throughout the material, reinforcing the provided reading.\nThe exam The BTL1 exam is a 24-hour practical. You get access to a lab environment and work through a simulated incident from initial alert through to investigation conclusion. No multiple-choice questions.\nThe scenario covers multiple domains as detailed above.\nPass mark: 70%\nTime limit: 24 hours\nRetake: one free retake included\nWhat actually helped Multiple guides / notes are available on GitHub; see Nervi0z BTL1 GitHub (https://github.com/Nervi0z/btl1-field-notes/tree/main) for comprehensive notes. Online labs from blueteamlabs or letsdefend focused on Incident Response (Blue Team Labs mirrors the exam environment). Splunk Boss of the SOC (BOTS) Splunk Boss of the SOC - helpful if you have no Splunk experience. 
Do the labs, not just the reading The course material is good but the labs are where it sticks. Every domain has associated exercises — do them all, even the ones that feel easy. The exam will ask you to do things under time pressure that feel slow when you first encounter them.\nGet comfortable in Splunk Know how to write basic searches, filter by field, and chain queries with pipes. You don\u0026rsquo;t need to be an expert in Splunk; completing the BTL1 labs and Splunk BOTS is enough to get comfortable with its usage.\n# Splunk — find authentication events for a specific user index=* sourcetype=WinEventLog EventCode=4624 Account_Name=\u0026#34;\u0026lt;username\u0026gt;\u0026#34; | table _time, ComputerName, Logon_Type, Source_Network_Address Build a notes template before the exam The 24 hours sounds generous until you\u0026rsquo;re two hours in and juggling five artefact types. Go in with a template: investigation summary, indicators table, timeline, MITRE mappings, recommendations. Fill it in as you go rather than reconstructing everything at the end.\nTools you\u0026rsquo;ll use Tool Purpose Splunk SIEM querying and alert triage Wireshark Packet analysis Autopsy / FTK Imager Disk forensics Volatility Memory forensics VirusTotal, Any.run Indicator enrichment and sandboxing MITRE ATT\u0026amp;CK Navigator Technique mapping Difficulty and time investment Honest take: BTL1 is approachable for anyone with six months or more in a security-adjacent role. The material is well structured and the labs do most of the teaching. The exam could be challenging under time pressure, but the 24-hour window is fair.\nBudget around 30–40 hours for the course material and labs if you\u0026rsquo;re working through it alongside a full-time role. More if the DFIR domains are new to you.\nIs it worth it? For analysts early in their career: yes. BTL1 validates the practical skills that actually come up in day-to-day SOC work. 
It\u0026rsquo;s also one of the few certifications where the exam format is directly transferable to what you\u0026rsquo;ll do on the job.\nIf you\u0026rsquo;re already a few years in and working across SIEM, IR, and threat intel regularly, you\u0026rsquo;ll probably find the material familiar. It\u0026rsquo;s still worth the exam as a structured assessment, but the learning curve will be shallower.\nMy Experience Using the resources detailed below, I passed with a 92% mark.\nIf you manage to pass with over 90% in BTL1, you\u0026rsquo;ll receive a nifty challenge coin.\nResources Security Blue Team — BTL1 course page Blue Team Labs Online — free labs, good exam prep and matches exam format Nervi0z BTL1 GitHub - Comprehensive BTL1 notes MITRE ATT\u0026amp;CK - will be used throughout your career Splunk Boss of the SOC - Splunk training CyberDefenders / LetsDefend — additional DFIR and SOC labs ","permalink":"https://secmytech.com/posts/btl1-experience-and-guide/","summary":"\u003ch2 id=\"why-btl1\"\u003eWhy BTL1\u003c/h2\u003e\n\u003cp\u003eMost entry-level security certifications test theory (see CompTIA Security+), but BTL1 certification is done via an open book, sandbox test environment that matches what you\u0026rsquo;ll see in the real world.\u003c/p\u003e\n\u003cp\u003eMost of my colleagues had already sat and passed BTL1 when I joined my current job. I had a few years\u0026rsquo; experience in InfoSec by the time I sat BTL1 and wish it had been around when I first started as it really reinforces good practice as an analyst working in InfoSec.\u003c/p\u003e","title":"Blue Team Level 1: My Experience and a Guide on Passing"},{"content":"Overview A small but practical homelab running on repurposed enterprise hardware. 
Primary uses: learning, testing security tooling in a controlled environment, and running self-hosted services that I actually use day to day.\nHardware Host Specs Role Dell OptiPlex 7060 i7-8700, 32 GB RAM, 512 GB SSD Proxmox hypervisor Raspberry Pi 4 4 GB RAM DNS, monitoring Unmanaged switch 8-port gigabit Core switching The OptiPlex was an eBay find — small form factor, low idle power draw, and enough headroom to run several VMs concurrently without thermal issues.\nNetwork topology ISP Modem/Router │ [Firewall] │ [Switch] ├── Proxmox host (VLAN 10 — lab) ├── Raspberry Pi (VLAN 20 — services) └── Personal devices (VLAN 30 — trusted) Lab traffic is isolated on its own VLAN and has no route to trusted devices. Anything running in the lab environment — vulnerable VMs, test detections, malware samples — stays contained.\nRunning services Service Host Purpose Proxmox VE OptiPlex Virtualisation Pi-hole Raspberry Pi DNS filtering and local resolution Grafana + Prometheus Proxmox VM Host and service monitoring Elastic Stack Proxmox VM Log aggregation, detection engineering Kali Linux Proxmox VM Offensive tooling, lab testing Vulnerable VMs Proxmox VMs Practice targets (isolated VLAN) What I use it for Detection engineering — the Elastic stack ingests logs from all lab hosts. I use it to build and test detection rules before they go anywhere near production, and to replay attack scenarios against a real SIEM.\nCertification prep — spun up dedicated environments for BTL1 and other practical certs. Cheaper and more flexible than booking lab time repeatedly.\nTooling evaluation — anything new goes in the lab first. Network scanners, DFIR tools, log shippers — test the behaviour before deploying it.\nGeneral tinkering — DNS configuration, certificate management, Ansible playbooks. Low-stakes place to break things.\nBuild notes Proxmox over bare metal Linux — the VM snapshot and clone workflow is worth it. 
Being able to roll back a test environment in 30 seconds changes how you approach experimentation.\nPi-hole for DNS — handles ad blocking and local DNS resolution for lab hostnames. Pairs well with Unbound as an upstream recursive resolver if you want full local DNS resolution without relying on a third party.\nVLAN isolation is non-negotiable — if you\u0026rsquo;re running anything adversarial (vulnerable machines, malware samples, exploitation frameworks), it needs to be isolated at the network layer. A software firewall on the host isn\u0026rsquo;t sufficient.\nWhat\u0026rsquo;s next Migrate from unmanaged to managed switching for proper VLAN enforcement Add a dedicated log forwarding agent on each host Document the Elastic detection rule library ","permalink":"https://secmytech.com/projects/homelab/","summary":"\u003ch2 id=\"overview\"\u003eOverview\u003c/h2\u003e\n\u003cp\u003eA small but practical homelab running on repurposed enterprise hardware. Primary uses: learning, testing security tooling in a controlled environment, and running self-hosted services that I actually use day to day.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"hardware\"\u003eHardware\u003c/h2\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eHost\u003c/th\u003e\n          \u003cth\u003eSpecs\u003c/th\u003e\n          \u003cth\u003eRole\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eDell OptiPlex 7060\u003c/td\u003e\n          \u003ctd\u003ei7-8700, 32 GB RAM, 512 GB SSD\u003c/td\u003e\n          \u003ctd\u003eProxmox hypervisor\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eRaspberry Pi 4\u003c/td\u003e\n          \u003ctd\u003e4 GB RAM\u003c/td\u003e\n          \u003ctd\u003eDNS, monitoring\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eUnmanaged switch\u003c/td\u003e\n          
\u003ctd\u003e8-port gigabit\u003c/td\u003e\n          \u003ctd\u003eCore switching\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThe OptiPlex was an eBay find — small form factor, low idle power draw, and enough headroom to run several VMs concurrently without thermal issues.\u003c/p\u003e","title":"Homelab"},{"content":"I\u0026rsquo;m an Australian-based Information Security Analyst working in security operations, working my way towards Threat Hunting and Detection Engineering.\nWhat this site is secmytech.com is my blog. Investigations, write-ups and homelab setups can be found here.\nWhat I\u0026rsquo;ll be writing about:\nDetection engineering — Threat hunting — Certifications — BTL1 Tutorials — Background I\u0026rsquo;ve worked in IT for a decade now, starting on the helpdesk before moving into InfoSec. Diving in and discovering why an event has occurred is what I really enjoy.\nIn my personal time I spend too long finding ways not to spend money and aspire to do Stardew Valley IRL.\nGet in touch GitHub: github.com/benreally LinkedIn: linkedin.com/in/benr Opinions on this site are my own and do not represent my employer.\n","permalink":"https://secmytech.com/about/","summary":"About Ben Riley — InfoSec Analyst, secmytech.com","title":"About"}]