Blue Team Level 1 (BTL1) A Complete Study Guide


I. Introduction

BTL1 is a hands-on defensive cybersecurity certification from Security Blue Team (SBT), developed by its founder Joshua Beaman. This guide explains what to expect, how to work through the course and how I passed the exam.

Before you begin, here are several logistics worth noting:

  • Gold Coin: requires a score of at least 90%.
  • Training access: 124 days from the start of the course (this is more than enough; I personally spent about a month preparing before taking the exam).
  • Extensions: One allowed — £100 for 31 days or £150 for 62 days
  • Exam deadline: Strict 12-month limit with no extensions
  • Retake policy: 10-day cooldown after any failed attempt
  • The course spans six domains, delivered through self-paced lessons, quizzes (70% passing score) and browser-based labs.

A study path for each domain follows; feel free to skip lessons you are already familiar with.

II. Study Path

Security Fundamentals

Tip

Don’t spend too much time on this section. It is meant to prepare you and build your understanding of the topics, not something you are expected to demonstrate during the exam. You can always come back to it during the exam if needed.

This very first section of the course covers the foundational knowledge every defender needs before diving into the course. It is less about the technical side of things and more about the mindset a defender should have.

It starts with Blue Team Roles, introducing the defensive landscape: SOC Analysts, Incident Responders and Threat Analysts, along with roles such as Security Architect and Forensic Analyst. A good part of this section is about soft skills, which get more weight here than most technical curriculums bother with. It’s the first training I’ve seen where mental health also gets its own dedicated space: burnout, imposter syndrome and alert fatigue.

The section then moves into technical topics such as Security Controls, Physical Controls and Network Controls. You might want to skip this part if you have already taken entry-level certifications.

Then there is a shift from a technical to an organizational mindset, with topics such as Management Principles. Risk is defined in this section, along with various policies (AUP, BYOD, SLA) and compliance frameworks (GDPR, ISO 27001, PCI DSS, HIPAA).

Active Directory closes the section with topics such as Kerberos and Group Policy, and a basic-level discussion of Objects, OUs and Security Groups.

Phishing Analysis

Tip

This section covers the basics of email analysis (no advanced techniques are required). The goal is simply to get comfortable with the fundamentals, and practicing on your own is more than enough. Don’t be afraid to analyze your own emails, especially the headers, as this is where most of the key information is found.

This is the longest part of the course. The section is very helpful because it builds the full analyst workflow: recognize it, investigate it, contain it and document it.

Understanding the threat starts with how email actually works: SMTP, POP3/IMAP and headers. From there, the section covers the tricks attackers rely on, such as spoofing a sender address or hiding a malicious link behind a legitimate-looking button. This is a good refresher for me since I already have experience with email analysis from my very first job.

The core of the section is the investigation workflow: what information to pull from a suspicious email (sender, reply-to and return-path addresses, the Received chain, authentication results, links and attachments), how to check whether a link or file is malicious, and how to make that determination confidently.

Finally, it covers how to write a proper investigation report, a skill that often isn’t given enough importance. The section wraps up with a full hands-on challenge, a realistic phishing scenario, so the learner finishes with experience handling email cases rather than knowledge alone.
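The header and link checks described above, as an added example that is not part of the BTL1 course or of this guide's original text: a Python script that parses a raw message, compares the From, Reply-To and Return-Path domains, reads the SPF/DKIM/DMARC verdicts from Authentication-Results, pulls the originating IP from the earliest Received hop, finds anchor text that hides a different link target, and hashes attachments for reputation lookups. The sample message is constructed inside the script (fictitious .example domains, a documentation-range IP) so it runs offline; the header names are standard, while the risky-extension list and the "more than one dot" rule are my own choices.

```python
"""Triage a suspicious email: headers, sender mismatches, authentication results,
link/anchor mismatches and attachment hashes.
Added example for this study guide, not BTL1 course material; the message is
constructed with fictitious domains and an RFC 5737 documentation IP."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk")  # my choice of list


def build_sample() -> bytes:
    """Constructed phishing sample: off-domain Reply-To/Return-Path, failed auth,
    a link whose visible text differs from its target, a double-extension attachment."""
    msg = EmailMessage()
    msg["From"] = "Bank Support <support@bank.example>"
    msg["Reply-To"] = "recover@mail-bank-verify.example"
    msg["Return-Path"] = "<bounce@mail-bank-verify.example>"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Urgent: verify your account"
    msg["Received"] = "from mail-bank-verify.example (unknown [203.0.113.7]) by mx.corp.example"
    msg["Authentication-Results"] = ("mx.corp.example; spf=fail smtp.mailfrom=mail-bank-verify.example; "
                                     "dkim=none; dmarc=fail header.from=bank.example")
    msg.set_content("Please verify your account within 24 hours.")
    msg.add_alternative('<p>Click <a href="http://login.mail-bank-verify.example/verify">'
                        "https://www.bank.example/secure</a> now.</p>", subtype="html")
    msg.add_attachment(b"not really an invoice", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Pull the fields an analyst checks first and flag the common red flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    # Reply-To / Return-Path on a different domain than From is a classic spoofing tell.
    for header in ("Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and domain(addr) != domain(sender):
            findings.append(f"{header} domain {domain(addr)} differs from From domain {domain(sender)}")
    # SPF/DKIM/DMARC verdicts as recorded by the receiving MTA.
    auth = {m.lower(): v.lower() for m, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} verdict: {auth.get(mech, 'missing')}")
    # The earliest hop is the last Received header; its IP is the best origin lead.
    received = msg.get_all("Received") or []
    origin_ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[-1])) if received else []
    # Links: anchor text that looks like a URL but points at a different host.
    links = []
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        links = collector.links
        for href, text in links:
            if URL_RE.match(text) and urlparse(text).hostname != urlparse(href).hostname:
                findings.append(f"link text {text} hides {href}")
    # Attachments: hash for reputation lookups, flag risky or double extensions.
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        attachments.append({"name": name, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()})
        if name.lower().endswith(RISKY_EXT) or name.lower().count(".") > 1:
            findings.append(f"suspicious attachment name: {name}")
    return {"from": sender, "origin_ips": origin_ips, "auth": auth,
            "links": links, "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for finding in triage(build_sample())["findings"]:
        print("-", finding)
```

Run it as-is to see the seven findings on the constructed sample; on a real .eml, replace `build_sample()` with the file's bytes. The SHA-256 in the result is what you paste into VirusTotal or Talos File Reputation, and the origin IP is the value to check against URLhaus, Spamhaus or your own logs.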

Threat Intelligence

Tip

This section introduces the first hands-on tool in the course. It is important to get familiar with the lab setup, as the same environment is used in the exam. There is sufficient lab time provided, so there is no need to rush through the exercises. Take time to explore each part thoroughly, and revisit the labs multiple times if needed to build confidence.

This section focuses on developing a proactive mindset and understanding adversaries. It begins by defining threat intelligence and explaining how it flows through an organization, from initial data collection to the decisions it informs.

It then examines the threat landscape by exploring various threat actors, including cybercriminals, nation-states, hacktivists and insiders. Key defensive frameworks are introduced, including MITRE ATT&CK and the Cyber Kill Chain, to help map and analyze adversary behavior. The Pyramid of Pain is also covered to illustrate which threat indicators are most effective to target for disruption.

There is also a section on deploying and using MISP, a widely adopted threat intelligence platform, to manage, analyze and share intelligence (it was my first time using it).

Digital Forensics

Tip

If you have prior experience in forensics, note that you cannot bring your preferred tools: the lab environment is controlled by BTL1. The good thing is that all the necessary tools are discussed and practiced throughout the course, so nothing outside of that is expected.

The Digital Forensics section begins with foundational concepts, including the role of digital forensics within incident response and the standard five-step investigative process. It establishes core knowledge on how data is stored, encoded and structured across various file systems and storage media before progressing to case analysis.

Evidence handling is emphasized early in the section. This includes proper evidence collection techniques to avoid contamination, maintaining a documented chain of custody and adhering to legal and professional standards required for evidence integrity.

What’s great about this section is that it covers multi-platform investigations. In Windows environments, it covers the recovery and analysis of artifacts such as evidence of program execution, file and browser history, authentication events and deleted files. In Linux environments, it focuses on user account data, authentication logs, command history and techniques for identifying concealed data, including steganography.

The section concludes with the use of Autopsy, a comprehensive digital forensics platform. It is used to analyze disk images, recover deleted files, examine browser and email artifacts and construct detailed timelines of events.
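Added illustration (mine, not the course's and not Scalpel's or Autopsy's code) of two things this section teaches: evidence hashing for the chain of custody, and header/footer file carving, which is how deleted files are recovered from unallocated space when no file-system metadata points to them. The "disk image" is constructed in memory and contains a valid 1x1 PNG, a JPEG-shaped fragment (SOI/APP0/EOI markers only, not a decodable picture) and a JPEG header whose footer has been overwritten; the signature table and size limit are my choices, mirroring the kind of configuration a carver takes. The PNG chunk-CRC walk at the end is the check that tells a clean carve from a fragmented one.

```python
"""Header/footer file carving over a raw image, with evidence hashing and a sanity check
on what was carved. Added example for this study guide, not Scalpel's or Autopsy's code;
the 'disk image' is constructed in memory."""
import hashlib
import struct
import zlib

# type -> (header, footer, maximum carve size); my choices, in the shape a carver config takes
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
}


def image_sha256(image: bytes) -> str:
    """Hash recorded in the chain of custody before any analysis starts."""
    return hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, recorded: str) -> bool:
    """Re-hash after analysis; a mismatch means the evidence was altered."""
    return image_sha256(image) == recorded


def png_chunk(tag: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)


def make_png() -> bytes:
    """Smallest valid PNG used as planted evidence: one 8-bit greyscale pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte + one grey pixel
    return SIGNATURES["png"][0] + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def build_image() -> bytes:
    """Constructed image: unallocated zeros, a PNG, a JPEG-shaped fragment (SOI/APP0/EOI
    markers only, not a decodable picture) and a JPEG header whose footer was overwritten."""
    jpeg_fragment = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                     + b"\x11" * 64 + b"\xff\xd9")
    truncated = b"\xff\xd8\xff\xe1" + b"\x22" * 48
    return b"\x00" * 512 + make_png() + b"\x00" * 300 + jpeg_fragment + b"\x00" * 200 + truncated + b"\x00" * 100


def png_intact(blob: bytes) -> bool:
    """Walk the chunks and verify every CRC; a carve that fails here is fragmented or overwritten."""
    if not blob.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 12 + length > len(blob):
            return False
        tag, body = blob[pos + 4:pos + 8], blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if tag == b"IEND":
            return True
    return False


def carve(image: bytes) -> list:
    """Find each header, then the nearest footer within the size limit; record offset, size, hash.
    A header with no footer in range is still reported, marked incomplete, up to the limit."""
    found = []
    for kind, (header, footer, max_size) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), limit)
            complete = end != -1
            end = end + len(footer) if complete else limit
            blob = image[pos:end]
            found.append({"type": kind, "offset": pos, "size": len(blob), "complete": complete,
                          "sha256": hashlib.sha256(blob).hexdigest()})
            pos = image.find(header, end if complete else pos + 1)
    return sorted(found, key=lambda f: f["offset"])


if __name__ == "__main__":
    image = build_image()
    recorded = image_sha256(image)
    for item in carve(image):
        print(item)
    print("evidence unchanged:", verify_image(image, recorded))
```

The carve list is the equivalent of what Scalpel writes to its audit file: offset, length and a hash per recovered object, which is what goes into the report alongside the image hash. Note that the incomplete JPEG is reported rather than silently dropped, since a partial carve can still contain useful metadata.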

SIEM

Tip

This, for me, is the most important part of the course and the one you will rely on most during the exam. Make sure you understand each topic and, if there is extra time, study additional resources, particularly on Splunk.

The section begins with an explanation of what a SIEM is, why organizations rely on it and how its two core functions (collecting security information and managing security events) work together to provide visibility across an entire environment. It also includes an overview of major industry platforms to establish familiarity with the SIEM landscape.

From there, the section covers logging, including where data originates, what different log types reveal and how raw logs from disparate systems are normalized into a searchable and comparable format. It also explores Windows Event Logs, what Sysmon adds on top of them and why this combination is critical for detecting suspicious activity.

The practical portion primarily uses Splunk, one of the most widely adopted SIEM platforms in the industry. It covers navigation, searching across datasets, filtering and sorting results, creating alerts and building dashboards.
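An added example, not course material, of the normalization step described above in Python: a constructed Sysmon Event ID 1 (process creation) record in Windows event XML and a few constructed Linux sshd auth.log lines are mapped onto one schema (timestamp, host, user, process, source IP, outcome), and two detections then run over the common form: an encoded PowerShell command line spawned by an Office process, and an SSH password brute force followed by a success from the same source. The schema field names, the five-failure threshold, the two-minute window and the assumed syslog year are my choices. In Splunk the same work is done by sourcetype field extractions and a search that groups by source IP; the script reproduces that logic in plain code so the steps are visible.

```python
"""Normalize events from two log sources into one schema and run two detections over it.
Added example for this study guide; the Sysmon event and auth.log lines are constructed."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon Event ID 1 (process creation), in the Windows event XML shape.
SYSMON_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
<TimeCreated SystemTime="2024-05-01T10:15:02.000000Z"/><Computer>WS01.corp.example</Computer></System>
<EventData>
<Data Name="User">CORP\\alice</Data>
<Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
<Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACcAaAAnACkA</Data>
<Data Name="ParentImage">C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</Data>
</EventData></Event>"""

# Constructed Linux sshd lines in syslog format (no year in the timestamp, so one is assumed).
AUTH_LOG = """May  1 10:16:01 srv01 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
May  1 10:16:03 srv01 sshd[2233]: Failed password for root from 198.51.100.23 port 51030 ssh2
May  1 10:16:05 srv01 sshd[2235]: Failed password for root from 198.51.100.23 port 51041 ssh2
May  1 10:16:06 srv01 sshd[2237]: Failed password for root from 198.51.100.23 port 51050 ssh2
May  1 10:16:08 srv01 sshd[2239]: Failed password for root from 198.51.100.23 port 51058 ssh2
May  1 10:16:09 srv01 sshd[2241]: Accepted password for root from 198.51.100.23 port 51066 ssh2
May  1 10:30:00 srv01 sshd[2300]: Accepted publickey for bob from 10.0.0.5 port 40000 ssh2"""

SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Accepted|Failed) \S+ for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)


def blank_event(**fields) -> dict:
    """Common schema every source is mapped onto (my field names); unknown fields stay None."""
    event = dict.fromkeys(("ts", "host", "source", "event_id", "user", "process",
                           "parent", "cmdline", "src_ip", "outcome"))
    event.update(fields)
    return event


def normalize_sysmon(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    stamp = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    return blank_event(ts=datetime.fromisoformat(stamp), host=system.find("e:Computer", NS).text,
                       source="sysmon", event_id=int(system.find("e:EventID", NS).text),
                       user=data.get("User"), process=data.get("Image"),
                       parent=data.get("ParentImage"), cmdline=data.get("CommandLine"))


def normalize_auth_log(text: str, year: int = 2024) -> list:
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, verdict, user, ip = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        events.append(blank_event(ts=ts.replace(tzinfo=timezone.utc), host=host, source="sshd",
                                  user=user, process="sshd", src_ip=ip,
                                  outcome="success" if verdict == "Accepted" else "failure"))
    return events


def detect_encoded_powershell(events: list) -> list:
    """Sysmon process creation of PowerShell with an encoded command; parent kept for context."""
    return [{"rule": "encoded_powershell", "host": e["host"], "user": e["user"], "parent": e["parent"]}
            for e in events
            if e["source"] == "sysmon" and e["event_id"] == 1
            and "powershell" in (e["process"] or "").lower()
            and ENCODED_FLAG.search(e["cmdline"] or "")]


def detect_ssh_bruteforce(events: list, threshold: int = 5,
                          window: timedelta = timedelta(minutes=2)) -> list:
    """A success preceded by at least `threshold` failures from the same source inside `window`."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] == "sshd":
            by_src[e["src_ip"]].append(e)
    hits = []
    for ip, evs in by_src.items():
        failures = [e["ts"] for e in evs if e["outcome"] == "failure"]
        for e in evs:
            if e["outcome"] == "success":
                recent = [t for t in failures if e["ts"] - window <= t <= e["ts"]]
                if len(recent) >= threshold:
                    hits.append({"rule": "ssh_bruteforce_success", "src_ip": ip, "host": e["host"],
                                 "user": e["user"], "failures": len(recent)})
    return hits


def run(sysmon_xml: str = SYSMON_EVENT, auth_log: str = AUTH_LOG) -> list:
    events = [normalize_sysmon(sysmon_xml)] + normalize_auth_log(auth_log)
    return detect_encoded_powershell(events) + detect_ssh_bruteforce(events)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The point of the shared schema is that the second detection does not care which source an event came from: a Windows 4625/4624 pair normalized to the same `src_ip`/`outcome` fields would be caught by the same rule without changes.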

Incident Response

Tip

This is a good-to-know section. Although its weight in the exam is not that significant, it is essential knowledge for real-world work in the field. Consider it bonus content that is still worth learning and understanding.

This section begins with what incident response is, why organizations require a structured approach and how to distinguish between a routine security event and a genuine incident that requires action. It also covers the full incident response lifecycle, from preparation through detection and analysis to containment and eradication.

The preparation phase focuses on building defenses across network, endpoint and email layers, along with creating response plans, playbooks and simulations to ensure readiness. The detection and analysis phase involves identifying compromise, triaging alerts and tracking investigations using case management tools, supported by hands-on labs. The containment and eradication phase focuses on stopping attacks, collecting forensic evidence, removing threats, restoring systems and strengthening defenses to prevent recurrence.

The section concludes with reporting and lessons learned, covering how to document incidents for both technical and executive audiences, measure response effectiveness and translate incidents into long-term security improvements.


III. Tools Used

Section                   Tools
1. Introduction           Blue Team Labs
2. Security Fundamentals  Nmap, Netstat, Traceroute / Tracert, Dig / Nslookup, ipconfig / ip, PowerShell, LDAP Browser, WSUS, SCCM, Todoist, Trello, Toggl, TryHackMe, OverTheWire
3. Phishing Analysis      PhishTool, Sublime Text, Outlook / Thunderbird, URL2PNG, URLScan, VirusTotal, Talos File Reputation, Hybrid Analysis, URLhaus, PhishTank
4. Threat Intelligence    MISP, ThreatConnect, AlienVault OTX, VirusShare, Spamhaus, URLScan, URLhaus, VirusTotal, MITRE ATT&CK Navigator, Nmap, Netcat, Nessus, Suricata, Snort, VirtualBox
5. Digital Forensics      CyberChef, FTK Imager, KAPE, Scalpel, LiME, memdump, Volatility, Autopsy, Windows File Analyzer, PECmd.exe, JumpList Explorer, ExifTool, VirtualBox
6. SIEM                   Splunk, Graylog, ArcSight, QRadar, LogRhythm, Sysmon, OSQuery, Moloch / Arkime, Sigma, Azure Monitor, Suricata, Zeek / Bro, VirusTotal
7. Incident Response      Wireshark, DeepBlueCLI, TheHive, MISP, MITRE ATT&CK Navigator, FTK Imager, KAPE, Process Explorer, Process Monitor, Autoruns, pfSense, Snort, Suricata, Sysmon

IV. Exam Prep

The exam runs for a full day, which is enough time to work through all required tasks comfortably, without rushing, provided you manage it properly.

The exam format closely mirrors the lab exercises, with the key difference that you do not get unlimited attempts to verify your answers. It is designed as a realistic incident response scenario, offering a practical experience of what handling an actual security incident feels like.

Breaks are allowed, including time to eat or briefly step away when needed. If you are stuck, taking a short nap or break can help reset focus and improve clarity when returning to the tasks.

The most important tip is to use an additional monitor during the exam, so you can keep the lab, your notes and the questions open at the same time.

Maintaining well organized notes is also highly recommended. Structured notes make it significantly easier to quickly search and retrieve relevant information when needed.

After submitting your answers, you will immediately see your grade, and you can request a manual review if you think it is incorrect. You keep access to the labs after the exam, so you can continue practicing if you want to.

V. Conclusion

This is a solid certification for beginners who want to build a strong foundation in defensive cybersecurity. However, if you already have prior experience, it may be more worthwhile to aim for Level 2 instead of treating Level 1 as the end goal.

Personally, I’m also planning to take Level 2 next to continue my learning path. For those with experience, it’s better to shift focus toward earning the gold coin achievement (which is what I aimed for) rather than just passing the exam.


Feel free to reach out via leekristiancao@gmail.com if you have questions, suggestions or need more details about this study guide.
