Why BTL1
Most entry-level security certifications test theory (see CompTIA Security+), but BTL1 is assessed in an open-book, sandboxed lab environment that matches what you'll see in the real world.
Most of my colleagues had already sat and passed BTL1 when I joined my current job. I had a few years' experience in InfoSec by the time I sat BTL1 and wish it had been around when I first started, as it really reinforces good practice as an analyst working in InfoSec.
What the certification covers
BTL1 is produced by Security Blue Team and pitched at analysts in their first one to two years. The course is self-paced and entirely online.
The six domains:
| Domain | Topics |
|---|---|
| Phishing Analysis | Header analysis, artefact extraction, sandboxing, reporting |
| Threat Intelligence | CTI fundamentals, MITRE ATT&CK, indicator enrichment |
| Digital Forensics | Disk and memory acquisition, artefact analysis, timeline reconstruction |
| SIEM | Log ingestion, query writing, alert triage, Splunk and Elastic |
| Incident Response | IR lifecycle, containment, eradication, post-incident review |
| Vulnerability Management | Scanning, prioritisation, remediation tracking |
All domains include practical labs throughout the material, reinforcing the provided reading.
The exam
The BTL1 exam is a 24-hour practical. You get access to a lab environment and work through a simulated incident from initial alert through to investigation conclusion. No multiple choice questions.
The scenario covers multiple domains as detailed above.
- Pass mark: 70%
- Time limit: 24 hours
- Retake: one free retake included
What actually helped
- Multiple guides and note sets are available on GitHub; see the Nervi0z BTL1 GitHub for comprehensive notes.
- Online labs from Blue Team Labs Online or LetsDefend focused on incident response (Blue Team Labs Online mirrors the exam environment).
- Splunk Boss of the SOC (BOTS), helpful if you have no Splunk experience.
Do the labs, not just the reading
The course material is good but the labs are where it sticks. Every domain has associated exercises — do them all, even the ones that feel easy. The exam will ask you to do things under time pressure that feel slow when you first encounter them.
Get comfortable in Splunk
Know how to write basic searches, filter by field, and chain commands with pipes. You don't need to be an expert in Splunk; completing the BTL1 labs and Splunk BOTS is enough to get comfortable with its usage.
```
# Splunk — find authentication events for a specific user
index=* sourcetype=WinEventLog EventCode=4624 Account_Name="<username>"
| table _time, ComputerName, Logon_Type, Source_Network_Address
```
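To see what that search is actually doing, here is an added Python example (not course material or code from Security Blue Team) that applies the same filter-then-table logic to a handful of constructed Windows 4624/4625 records in the "Field: value" layout Splunk shows for WinEventLog data. It goes one step further than the query above by summarising logons per type and source (the equivalent of a `stats count by`) and flagging RemoteInteractive (type 10) logons from outside an assumed set of corporate ranges. The sample events, hostnames, addresses and the `CORP_NETS` ranges are all constructed for the example.

```python
"""Offline triage of Windows logon events, mirroring a Splunk filter + table.

Added example: the events below are constructed, not real exports, and the
corporate address ranges are an assumption you would replace with your own.
"""
import ipaddress
from collections import Counter

# Windows logon type codes (from Microsoft's 4624 documentation).
LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}

# Assumed internal ranges for this example (constructed).
CORP_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events in Splunk-style "Field: value" blocks.
SAMPLE_EVENTS = """\
_time: 2024-03-04 08:02:11
EventCode: 4624
ComputerName: WS01.corp.local
Account_Name: j.smith
Logon_Type: 2
Source_Network_Address: -

_time: 2024-03-04 08:15:40
EventCode: 4624
ComputerName: FS01.corp.local
Account_Name: j.smith
Logon_Type: 3
Source_Network_Address: 10.10.5.23

_time: 2024-03-04 23:47:02
EventCode: 4624
ComputerName: FS01.corp.local
Account_Name: j.smith
Logon_Type: 10
Source_Network_Address: 198.51.100.77

_time: 2024-03-04 23:48:30
EventCode: 4625
ComputerName: FS01.corp.local
Account_Name: j.smith
Logon_Type: 10
Source_Network_Address: 198.51.100.77
"""


def parse_events(text):
    """Split blank-line-separated blocks into dicts of field -> value."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # only the first colon separates key and value
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def search(events, event_code="4624", **field_filters):
    """Equivalent of the SPL filter terms: every given field must match exactly."""
    wanted = {"EventCode": event_code, **field_filters}
    return [e for e in events if all(e.get(k) == v for k, v in wanted.items())]


def table(events, fields):
    """Equivalent of `| table f1, f2, ...`: one tuple per event, in field order."""
    return [tuple(e.get(f, "") for f in fields) for e in events]


def logon_summary(events):
    """Equivalent of `| stats count by Logon_Type, Source_Network_Address`."""
    return Counter(
        (LOGON_TYPES.get(e.get("Logon_Type"), "Unknown"), e.get("Source_Network_Address", "-"))
        for e in events
    )


def flag_external_remote(events):
    """Return RemoteInteractive (type 10) logons whose source is outside CORP_NETS."""
    flagged = []
    for e in events:
        if e.get("Logon_Type") != "10":
            continue
        try:
            addr = ipaddress.ip_address(e.get("Source_Network_Address", "-"))
        except ValueError:
            continue  # "-" or blank: no network source recorded
        if not any(addr in net for net in CORP_NETS):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    hits = search(parse_events(SAMPLE_EVENTS), Account_Name="j.smith")
    for row in table(hits, ["_time", "ComputerName", "Logon_Type", "Source_Network_Address"]):
        print(row)
    print(logon_summary(hits))
    print("review:", [e["_time"] for e in flag_external_remote(hits)])
```

The point of the summary and flag functions is the habit the exam rewards: after the raw table, ask which logon types and sources are unusual for that account before moving on to the next artefact.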
Build a notes template before the exam
The 24 hours sounds generous until you’re two hours in and juggling five artefact types. Go in with a template: investigation summary, indicators table, timeline, MITRE mappings, recommendations. Fill it as you go rather than reconstructing everything at the end.
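As an added illustration of that template (my own example, not part of the course), the following Python keeps the five sections in a small structure you fill in as artefacts turn up, de-duplicates indicators, sorts the timeline by timestamp regardless of the order you discovered things in, and renders everything as markdown at the end. The investigation contents, hostnames and addresses are constructed; the ATT&CK technique IDs are real ones chosen for the illustration.

```python
"""Investigation notes template that you fill as you go (added example).

Sections: summary, indicators table, timeline, MITRE mappings, recommendations.
All entries below are constructed illustrations, not a real case.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Indicator:
    kind: str      # "ip", "domain", "sha256", "email", ...
    value: str
    context: str   # where it was observed


@dataclass
class TimelineEvent:
    when: datetime
    source: str    # evidence source: "Splunk", "email header", "Volatility", ...
    description: str


@dataclass
class Investigation:
    title: str
    summary: str = ""
    indicators: list = field(default_factory=list)
    timeline: list = field(default_factory=list)
    mitre: dict = field(default_factory=dict)   # technique id -> observation
    recommendations: list = field(default_factory=list)

    def add_indicator(self, kind, value, context):
        """Add an IOC once; the same value seen twice keeps its first context."""
        if not any(i.kind == kind and i.value.lower() == value.lower() for i in self.indicators):
            self.indicators.append(Indicator(kind, value, context))

    def add_event(self, when, source, description):
        self.timeline.append(TimelineEvent(when, source, description))

    def sorted_timeline(self):
        return sorted(self.timeline, key=lambda e: e.when)

    def render(self):
        """Render the notes as markdown, with empty sections marked TBD."""
        lines = [f"# {self.title}", "", "## Investigation summary", self.summary or "_TBD_", ""]
        lines += ["## Indicators", "| Type | Value | Context |", "|---|---|---|"]
        lines += [f"| {i.kind} | {i.value} | {i.context} |" for i in self.indicators]
        lines += ["", "## Timeline (UTC)", "| Time | Source | Event |", "|---|---|---|"]
        lines += [f"| {e.when:%Y-%m-%d %H:%M:%S} | {e.source} | {e.description} |"
                  for e in self.sorted_timeline()]
        lines += ["", "## MITRE ATT&CK mapping", "| Technique | Observation |", "|---|---|"]
        lines += [f"| {tid} | {obs} |" for tid, obs in sorted(self.mitre.items())]
        lines += ["", "## Recommendations"]
        lines += [f"- {r}" for r in self.recommendations] or ["- _TBD_"]
        return "\n".join(lines) + "\n"


def build_sample_investigation():
    """Constructed case showing entries added out of discovery order."""
    inv = Investigation("INC-0001 (constructed): phishing lure leading to remote logon")
    inv.summary = "User opened a macro document; a later RDP logon from an external address followed."
    # Discovered from Splunk first, even though it happened last.
    inv.add_event(datetime(2024, 3, 4, 23, 47, 2), "Splunk", "4624 type 10 logon for j.smith from 198.51.100.77")
    inv.add_event(datetime(2024, 3, 4, 8, 2, 11), "email header", "Phishing mail delivered to j.smith")
    inv.add_event(datetime(2024, 3, 4, 8, 15, 40), "Splunk", "Word spawned powershell.exe on WS01")
    inv.add_indicator("ip", "198.51.100.77", "source of RDP logon")
    inv.add_indicator("email", "invoices@example.net", "phishing sender")
    inv.add_indicator("ip", "198.51.100.77", "seen again in firewall logs")  # duplicate, ignored
    inv.mitre["T1566.001"] = "Spearphishing attachment delivered the macro document"
    inv.mitre["T1059.001"] = "PowerShell launched from Word"
    inv.mitre["T1021.001"] = "Remote Desktop logon from external address"
    inv.recommendations += ["Block 198.51.100.77 at the perimeter", "Reset j.smith credentials"]
    return inv


if __name__ == "__main__":
    print(build_sample_investigation().render())
```

Keeping the timeline sorted by evidence timestamp rather than discovery order is the part that saves the most time at the end: the Splunk finding, the header finding and the endpoint finding land in the right sequence without a rewrite.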
Tools you’ll use
| Tool | Purpose |
|---|---|
| Splunk | SIEM querying and alert triage |
| Wireshark | Packet analysis |
| Autopsy / FTK Imager | Disk forensics |
| Volatility | Memory forensics |
| VirusTotal, Any.run | Indicator enrichment and sandboxing |
| MITRE ATT&CK Navigator | Technique mapping |
Difficulty and time investment
Honest take: BTL1 is approachable for anyone with six months or more in a security-adjacent role. The material is well structured and the labs do most of the teaching. The exam could be challenging under time pressure, but the 24-hour window is fair.
Budget around 30–40 hours for the course material and labs if you’re working through it alongside a full-time role. More if the DFIR domains are new to you.
Is it worth it?
For analysts early in their career: yes. BTL1 validates the practical skills that actually come up in day-to-day SOC work. It’s also one of the few certifications where the exam format is directly transferable to what you’ll do on the job.
If you’re already a few years in and working across SIEM, IR, and threat intel regularly, you’ll probably find the material familiar. It’s still worth the exam as a structured assessment, but the learning curve will be shallower.
My Experience
Using the resources detailed below, I passed with a 92% mark.
If you manage to pass with over 90% in BTL1, you’ll receive a nifty challenge coin.
Resources
- Security Blue Team - BTL1 course page
- Blue Team Labs Online - free labs, good exam prep, matches the exam format
- Nervi0z BTL1 GitHub (https://github.com/Nervi0z/btl1-field-notes/tree/main) - comprehensive BTL1 notes
- MITRE ATT&CK - will be used throughout your career
- Splunk Boss of the SOC - Splunk training
- CyberDefenders / LetsDefend - additional DFIR and SOC labs