My Journey of BTL1: Diving into the Blue World

Akshat Gupta
8 min readAug 22, 2022

Hey there!! It has been a long time since I publish any blog. But trust me. This time it has been a blast for me. I have been studying for the BTL1 (Blue Team Level 1) certification that ended on the August 19th, 2022.

BTL1 Credly Badge

I will take you through my journey from how it all started, to how I got to know about SBT (Security Blue Team), to how I studied and practice for this exam (the review!). Let’s start!

The BackStory

So it all started back in February 2022, when I was dangling onto different certifications while not being able to decide which certification Should I choose as my next certification. A part of me was afraid of not letting me sit in an exam for fear of failing the exam (honestly, this feeling sucks!). I was also looking for various resources on how to get started in Cloud Security, or on how to get started with Bug Bounties, or should I make some CTF challenges, or should I write some blogs? I was also looking for an internship so that I can have experience. This mixed, wild, and overflowing thoughts are making me less productive, and being very honest, I have been off track since February with all the things happening to me.

Then my close friend Rahul Bhichher got a job as a Cyber Security Engineer in a company named Quantiphi. I was (and still am) so happy for him, which boosted my motivation. I asked him so many questions regarding getting some experience from an internship, certification, or Bug Bounties. Then I got busy with my university exams and was constantly thinking that I would fail all six subjects but guess what? I passed each one of them. Then I get enrolled in The Safer Internet Project for training. Then I started completing the modules required to become a verified member, and in my university, placement drive training began (I am a 4th-year Computer Science student). Now at this point, I seriously got no spare time to start learning other kinds of stuff and play around in my home lab.

Although, I managed to purchase Raspberry Pi 4B Model and managed my time to start playing with it. Then one day, I was on a phone call with Rahul, and he told me that I should go for a blue team certification, BTL1 (Blue Team Level 1), provided by SBT (Security Blue Team) Company. I, at that time, was not in the mood to change the team from Red to Blue, but at that instance, I looked at the BTL1 exam details and was astonished by the course material itself. I got pumped up after seeing so many new juicy things that I would learn in the course but looking at the exam price, £399 (32,000 INR), my excitation lowered. I started to pray if, by any chance, I have this course, it would be a great learning experience. And miracles do happen. In celebration of 80,000 followers on Linkedin, the SBT company gave away 50x BTL1, 10(+1)x BTL2, and 5(+1)x CSOM vouchers. Rahul tagged me (he knew we both wanted to do this certification), and I mentioned my other friend.

I was lucky enough that I won the giveaway of BTL1, the same course that I was praying for, and I am eternally grateful to the Security Blue Team. Then I started the course and enjoyed every bit of it. Then came the most awaited DEFCON held in Delhi. It was my first CON, and I met many new people and made friends with them.

Pass looks so cool!

Everything has motivated me immensely, and I decided to finish this course quickly and start preparing for labs. Now, I decided that from the 15th to the 20th of August, I would practice the labs and then attempt the exam in the same week. Then on August 17th, I got a mail in the morning that I didn’t get selected for AWS Community Builders Program. It made me sad but I was at total peace with it as I cannot let anything ruin the schedules I set for the exam.

Rejected this time but next time for sure!

Just before the exam day, I read some reviews of the users who passed their BTL1 exam, which made me nervous. I was drowning in anxiety, and my spine was shivering, literally. I thought, what if I failed the exam? What would I do if I got stuck in a particular thing? Will I be able to make it? How will I tell everyone that I failed the first attempt of BTL1? Every thought like this was eating my energy and making me more uncomfortable.Then finally, on August 19th, 2022, I quickly prepared a handy cheat sheet for myself and started the exam. Amid the exam, I genuinely got anxious. Then I forced myself to think that “there is nothing to worry about. What worse can happen if I failed? It will be a great learning experience. You will be fine”.

Let me tell you one fun moment that happened to me during the exam. So I used VirusTotal multiple times searching for a particular IOC (Indicators Of Compromise; google IOC if you want to know!), and my API allowance got exceeded, meaning now I can’t perform any more searches on VirusTotal!!! I was laughing at my condition like, what the hell is happening amid the exam😂??

Screenshot of how I exceeded my limit!

But I worked hard and passed the exam! 😇

BTL1 Exam Review

Security Blue Team says,

BTL1 Certification stands for Blue Team Level 1, a Junior Security Operations Certification.

This exam is for anyone who wants to step into the world of blue teamers, a.k.a The Defenders. The course contains six major domains Security Fundamentals, Phishing Analysis, Threat Intelligence, Digital Forensics, SIEM, and Incident Response. These domains have a vast amount of knowledge that a defender should possess. These domains have sections that further have topics needed to cover. Next will be the quizzes that will follow at the end of each section. Then comes the labs on the labs’ tab. These labs demonstrate the practical scenario that, you will study in the material and practice in these environments.

Okay, so from here, let’s talk about the details. First things first, the exam is NOT pricey. Believe me when I say that the cost is not too much when you literally can learn so many unique kinds of stuff that can help you become a Defender! For some of you, it is not affordable at all. But, seriously and honestly, if anyone of you is interested in Blue teaming and can afford this training, please do yourself a favor and purchase it. The hands-on experience is a real deal, believe it or not. The cost is £399, including course material, labs, and an exam with one free retake. You will have access to the content for 4 Months. In addition to it, the exam voucher has 12 months of expiration time from the time of purchase. In case you failed the exam, there will be a cooldown period of 10 days, and only after the 10 days, you can re-sit the exam (the free retake). (:

The exam is 24 hours of Incident Response, which allows you to demonstrate skills you learned from the course. The exam will be browser-based, having all the required tools pre-installed, so you can straightforwardly focus on the exam. There will be 20 questions in the format of fill-in-the-blanks. You will be provided the syntax of the answer. SBT says,

70% is required to pass and earn the silver challenge coin, while 90% (on the first attempt) is required for the gold challenge coin.

Yes, you read it right! Physical Rewards await those who pass this exam. The reward contains a certificate and a challenge coin. The SBT Company ships these rewards to your home. After passing the exam, just claim the physical reward, enter your home address and you are good to go.

My prep for the Exam

Disclaimer : Before moving ahead, I just wanted to let you know that I do not have prior knowledge of the Defensive team. I am a total newbie. Prior experience in Cyber Security will immensely help you pass this exam. But, I am not saying total newbies cannot pass this exam. It all depends on how sincerely you prepared for it.

It took me around 1 ½ month to complete the course plus labs. After completing the course, I completed the in-course labs again without looking at the solution (I also did and you can look if you need to). Then I moved to BTLO (Blue Team Labs Online) and Cyber Defenders platform to practice labs. And then I sit for the exam. There is no report writing in BTL1!!

The labs I completed from BlueTeamLabsOnline were :

  1. The Report
  2. The Report II
  3. Phishing Analysis
  4. Phishing Analysis 2
  5. Network Analysis — Web Shell
  6. Network Analysis — Malware Compromise
  7. Malicious PowerShell Analysis
  8. Log Analysis — Sysmon

The lab I completed from Cyber Defenders was :

  1. Boss Of The SOC v1

My Personal Advice while Preparing/Appearing for the Exam

There are a few things that I would like to emphasize:

  1. MAKE GREAT NOTES!!! Seriously. You will need them for the exam.
  2. Please, be comfortable with all the labs. Re-visit them and practice a lot. Do not underestimate any section/topic.
  3. DO NOT RUSH IN THE EXAM! It will lead to failure, which decreases your chances of getting that shiny gold coin.
  4. You have plenty of time to think around. Take little breaks. Distract your mind so that you might not overstrain your eyes. Eat, sleep, walk, breathe, and drink water.
  5. After starting the exam, READ ALL THE INSTRUCTIONS CAREFULLY!
  6. My Mistake which took away the gold coin from me was not creating the Timeline. A timeline is a series of events that happened in chronological order. Make sure to create one while giving the exam so that your answers make some sense.

I don’t think there is anything I haven’t covered. But if you guys have questions regarding the exam, please do not hesitate to ask! You can approach me on my social handles:

  1. Twitter
  2. LinkedIn
  3. Discord: Hellfire#3915

One last advice,

Work hard, leave no stones unturned, stay calm, and shine!

This is a wrap! Thank you so much for all the wishes, and reading the blog till now. I wish you all prosperity. Until next time. Take care. (: