
Introduction

Everything you need to know before starting the BTL1 exam.

What is BTL1

The Blue Team Level 1 certification from Security Blue Team is a 100% practical, 24-hour exam. No multiple choice. You get access to a virtual lab environment and a real incident scenario — your job is to investigate, analyze and document findings across all six domains.

BTL1 tests whether you can actually do the job, not just talk about it. That's why it's valued by employers — it's one of the few certs that proves practical ability from day one.

Exam format

Duration:       24 hours
Format:         Practical lab — no multiple choice
Environment:    Virtual machines (Windows, Linux, SIEM)
Passing score:  70%
Gold pass:      90%+
Report:         Required — document your findings

The six domains

  1. Phishing Analysis    ~15%
  2. Threat Intelligence  ~15%
  3. Digital Forensics    ~20%
  4. SIEM Analysis        ~20%
  5. Network Analysis     ~15%
  6. Incident Response    ~15%

Before the exam

Key preparation points

  • Get comfortable with Volatility 3 — know the core plugins cold
  • Practice Splunk SPL queries until they are automatic
  • Know your Wireshark display filters — have them ready
  • Practice writing a clear, structured incident report

NDA

The Security Blue Team NDA is strictly respected in these notes. No specific exam content, direct solutions or proprietary information is included. These notes cover techniques applicable to BTL1 domains in general.