Introduction
Everything you need to know before starting the BTL1 exam.
What is BTL1
The Blue Team Level 1 certification from Security Blue Team is a 100% practical, 24-hour exam. No multiple choice. You get access to a virtual lab environment and a real incident scenario — your job is to investigate, analyze and document findings across all six domains.
BTL1 tests whether you can actually do the job, not just talk about it. That's why it's valued by employers — it's one of the few certs that proves practical ability from day one.
Exam format
| Detail | Value |
|---|---|
| Duration | 24 hours |
| Format | Practical lab — no multiple choice |
| Environment | Virtual machines (Windows, Linux, SIEM) |
| Passing score | 70% |
| Gold pass | 90%+ |
| Report | Required — document your findings |
The six domains
| # | Domain | Weight |
|---|---|---|
| 1 | Phishing Analysis | ~15% |
| 2 | Threat Intelligence | ~15% |
| 3 | Digital Forensics | ~20% |
| 4 | SIEM Analysis | ~20% |
| 5 | Network Analysis | ~15% |
| 6 | Incident Response | ~15% |
Before the exam
Key preparation points
- Get comfortable with Volatility 3 — know the core plugins cold
- Practice Splunk SPL queries until they are automatic
- Know your Wireshark display filters — have them ready
- Practice writing a clear, structured incident report
NDA
The Security Blue Team NDA is strictly respected in these notes. No specific exam content, direct solutions or proprietary information is included. These notes cover techniques applicable to BTL1 domains in general.