~/security/analysts/madrid $ cat btl1-field-notes.md
BTL1 Gold · Security Blue Team

BTL1 Field Notes

Practical reference for the Security Blue Team BTL1 certification and SOC Tier 1 operations. Built from real exam experience. Real commands. Real workflows. No fluff.

6 Domains · 97★ GitHub Stars · 25 Forks · 24h Exam Duration
Six exam domains

Each domain contains cheatsheets, command references and investigation workflows.

Commands you use every day

The most-reached-for commands across all six domains.

btl1-field-notes ~ analyst@soc
vol.py -f dump.mem windows.pslist.PsList # Volatility 3 — list running processes (parent/child PIDs, create time)
vol.py -f dump.mem windows.netscan.NetScan # Volatility 3 — TCP/UDP endpoints and connections, including listeners
index=windows EventCode=4625 | stats count by src_ip | sort -count # Splunk — failed logons per source, highest first; field name depends on your Windows add-on (src_ip vs Source_Network_Address)
tcp.flags.syn==1 && tcp.flags.ack==0 # Wireshark — SYN without ACK; one source sending these to many ports points to a SYN scan
strings -n 8 artifact.bin | grep -Ei 'http|powershell|cmd' # Quick static triage — -n 8 drops short junk strings; URLs and interpreter names are common IOCs
sha256sum suspicious.exe # Hash for VirusTotal lookup — search the hash, never upload a possibly sensitive sample
Why this exists

These notes were built during preparation for the BTL1 exam and refined over several years working as a Tier 1 SOC analyst in detection and response at VAR Group, Madrid.

The goal was never to replace the course material — it was to have a fast reference during live investigations. When an alert fires at 2am, you need the Volatility plugin name, not a paragraph explaining what memory forensics is.

If you are preparing for BTL1 or working in a SOC, use it, fork it, improve it.

Author Miguel Alameda — @Nervi0z
Role Security Analyst · VAR Group Madrid
Certification BTL1 Gold · SAL1
Focus Vulnerability Management · Detection · SOC
License MIT — fork it, use it, improve it