BTL1 - Blue Team Level 1, Course Review

Emil Schmidth Nielsen Emil Schmidth Nielsen Follow Mar 09, 2024 · 6 mins read
BTL1 - Blue Team Level 1, Course Review
Share this

BTL1 - Blue Team Level 1, course review

The Blue Team Level 1 course was overall very well-rounded and gave a good overall introduction to Blue Teaming. I enjoyed going through the course content on the Security Blue Team online platform, which honestly just worked flawlessly. I did not have a single problem with labs not working, content missing some information, bad quizzes etc. The exam was a quite challenging 24-hour hands-on practical exam.

Difficulty: Entry Level

Link: https://www.securityblue.team/why-btl1/

Pricing: £399 GBP

Course Content

The course is split into the following 6 domains:

  • Security Fundamentals
  • Phishing Analysis
  • Threat Intelligence
  • Digital Forensics
  • SIEM
  • Incident Response

Besides these 6 domains, the course is made up of written content (306 Topics), videos, 32 quizzes, 24 labs, and a final exam as of this writing. Overall the course content manages to give a fairly deep dive into the specific topics, and you get a bunch of hands-on experience through their labs using tools such as KAPE, Autopsy, Splunk, Wireshark, and DeepBlueCLI. I already had quite a bit of basic knowledge about the different topics, so I was a bit skeptical going into the course, but my skepticism was quickly turned into optimism. The course manages to give a brief outline of the different domains, and then fairly quickly dives into the different tools used within the different domains. I.e. in the Digital Forensics domain, you get a brief introduction to doing Digital Forensics and then dive straight into identifying file system types and doing metadata and file carving using cmd-line tools such as Exiftool and Scalpel.

Time to complete

I spent just around 2 months completing the course content using around 1-2 hours a day. I ended up spending 12 hours in labs and probably another 30-40 hours going through the course content. I recommend being consistent when going through the course content, setting aside time almost every day, as this keeps you in a good flow going through the content. Blue Team Level 1 has a super nice progress tracker inside their e-learning portal, that shows your overall progress. BTL1 Progress Tracker

5 minute writeups

A thing that worked wonders for me going through the content, was doing 5-minute writeup sessions after I got through a section of a domain. I would then set a 5-minute timer on my phone and write as much as I could in these 5 minutes, in a brainstorm-like format with all the things I just learned in this section. Doing this 5-minute writeup exercise in my opinion helped me understand the course content much better, as I forced myself to reflect on the material I just went through. Furthermore, the next day I read through all of my 5-minute writeups as a quick reminder of what I had learned the previous day.

Exam Format

The exam is a 24-hour practical incident response exam, where you have to answer and complete 20 task-based questions. You get to use different tools you have learned in the course, investigate different systems, and identify different tactics from the ATT&CK framework, used by the “threat actor” in the exam. You have to get 70% of the 20 questions right to pass the exam, and if you manage to get 90% or over, you get a BTL1 gold coin (first attempt). If you fail the exam the first time around, you have a 10-day cooldown period, before you can attempt to pass the exam a second time. So I recommend starting the first exam at least 11 days before your exam expires.

My Exam Experience

I decided to start my exam at 12:30 pm on a Friday. The thought process behind this was that I could spend 8-10 hours on Friday going through the exam and answering all the questions. Then I planned to get a good 8 hours of sleep and still have 4 hours to go through all my answers the next day with a fresh mind. My strategy was hugely focused on getting an overall understanding of the TTPs used by the threat actor and documenting everything in OneNote. I created the following pages in OneNote which helped keep me structured and document my findings:

  • Case Notes
  • IoC’s (Indicator of Compromise), where I would post everything I found during the investigation.
  • A Timeline, to keep track of the chronological order of which steps and TTPs the threat actor had used.
  • A blank page for each question I had to answer, where I would dump screenshots of how I came to the answer, so I could revisit it later.

I spent the first hour meticulously going over the instructions, reading through the scenario, launching and setting up all the tools I would need, and finally preparing my OneNote with data for the exam. However, at around 6 pm on Friday, I had already finished all the questions and felt super confident in 17 of the answers. I was very tempted to submit the exam, to get it over with. But having the gold coin in mind, I decided to go for a run to refresh my mind and I told myself I would spend another hour going over the questions, specifically the 3 questions I was not sure of. So at 7 pm, feeling refreshed I sat back down, and first of all, I went through all the questions double-checking my thought process and how I came to the answers. I also made sure the format of the answers where correct. After half an hour of checking all 20 answers to the questions, I dove deep into the 3 questions where I wasn’t feeling too sure. I went through these questions from A-Z again and decided to change one of my answers. But now what? I had only spent 8 hours of the designated 24 hours, and I was quite nervous, did I miss something? But at 8 pm I thought to myself, that I may just end up wrongly reversing more of the answers, and get tunnel-visioned on some irrelevant lead. So I submitted the exam.

The Result

The great thing about the BTL1 exam is you get instant feedback, and there it was. “Congratulations Emil Schmidth! You passed the certification with a score of 100%” I am by no means an expert in the field and was very pleasantly surprised with the result as I had barely used most of the tooling used in the exam. However, bear in mind that I have a few years of experience within Blue Teaming, and co-founded a company that offers training in incident response called SagaLabs.

Certification Rewards

Once passed, you will receive the following BTL1 awards:

  • Become Blue Team Level 1 certified for life
  • BTL1 digital PDF certificate
  • BTL1 Credly digital badge
  • BTL1 printed certificate
  • BTL1 silver challenge coin (gold if score 90%+ on the first attempt)
  • Laptop Sticker

BTL1 Coin


Overall the BTL1 course was a great introduction to Blue Teaming, which gives you experience using tooling that is used in the real world. I would recommend this course to anyone wanting to get into Cyber Security, but it also serves as a good refresher, for people who already have some experience within the field like myself.

Emil Schmidth Nielsen
Written by Emil Schmidth Nielsen