Passing the Blue Team Level 1 (BTL1): The Ultimate 2026 Guide
If you’re aiming for a practical, job-ready entry into cybersecurity defense, the Blue Team Level 1 (BTL1) certification is a strong place to start. It’s hands-on, beginner-friendly, and designed to mirror real SOC and incident response work. In this ultimate guide, we’ll cover exactly what BTL1 is, who it’s for, how the exam works, how to study, what it costs, and how to use it to boost your career—without the fluff.
By the end, you’ll know whether BTL1 is right for you and how to pass it on your first try.
What Is Blue Team Level 1 (BTL1)?
BTL1 is a practical, lab-driven certification from Security Blue Team that teaches and assesses core defensive cybersecurity skills: phishing analysis, threat intelligence, SIEM investigation, digital forensics, and incident response. The program combines on-demand training with browser-based labs and a realistic 24-hour practical exam. You learn by doing, not just reading.
Why it matters:
It’s focused on real workflows you’ll use in a SOC or IR team—triaging alerts, scoping incidents, analyzing artifacts, and writing clear findings.
The exam simulates a compromised organization and asks you to investigate and answer task-based questions, which mirrors how junior analysts actually operate day to day.
Actionable takeaway: If your goal is a junior SOC analyst or incident response role, BTL1 gives you a focused way to demonstrate tool proficiency and incident workflows to employers.
Who Should Take BTL1?
BTL1 is designed for learners with 0–2 years of experience in IT or security. There are no formal prerequisites, and the course is accessible even if you’re transitioning from another field.
Good candidate profiles:
Students or career changers who want a practical first cybersecurity credential.
IT generalists or helpdesk analysts who want to pivot into SOC Tier 1.
Self-taught learners with homelab experience who want a recognized validation.
Actionable takeaway: If you can commit to consistent practice for 6–8 weeks and want to prove hands-on skills instead of just theory, BTL1 is a fit.
How the BTL1 Training Is Structured
The BTL1 training is on-demand, with a set of structured domains and browser-based labs. It’s marketed as covering eight domains and maps to the NICE Cyber Defense Analyst role, providing a balanced skill foundation for junior defenders.
Core topics you’ll learn:
Security Fundamentals
Phishing Analysis
Threat Intelligence (TI)
Digital Forensics (DFIR fundamentals)
Security Information and Event Monitoring (SIEM)
Incident Response (IR)
Exam Preparation and capstone-style practice
Tools and workflows you’ll touch:
SIEM: Splunk—searching, filtering, pivoting across events
Network analysis: Wireshark—protocol triage, display filters
Forensics: Volatility, KAPE, FTK Imager, Windows event log triage
TI platforms and pivots: MISP/OpenCTI concepts, VirusTotal, WHOIS/passive DNS
Case management/reporting: Defining scope, findings, and recommendations
The official skills and tools listed on the certification page offer a strong checklist to track your progress.
Learning experience:
The course includes browser-based labs (23 labs with 100 lab hours), so you can practice without building a complex homelab. Most learners won’t exhaust the lab time if they pace themselves.
Actionable takeaway: Keep a running “skills and tools tracker” as you complete each lab. Record one-liners for commands, filters, and triage steps you’ll want during the exam.
BTL1 Exam Format: What To Expect
The exam is where BTL1 stands out: it’s a 24-hour, open-book, unproctored, lab-based incident simulation. You’ll investigate a compromised environment and answer 20 task-based questions that reflect the MITRE ATT&CK lifecycle.
Key details (updated for 2026):
Open-book and unproctored: You can use your own notes and allowed references, but AI tools are prohibited. An NDA applies to preserve exam integrity. (support.securityblue.team; securityblue.team)
Immediate grading: Results are displayed right after submission; you need 70% to pass. If you score 90% on your first attempt, you earn a gold challenge coin.
Attempts: You receive one attempt and one free resit; an additional paid resit may be available. There’s a 10-day cooldown between attempts.
Actionable takeaway: Because it’s open-book, invest time in crafting a concise notes document rather than trying to memorize everything. Organize by domain: phishing, TI, SIEM, DFIR, IR.
Pricing, Access Windows, and What’s Included
As of February 4, 2026:
Price: £399 GBP for the training + exam bundle.
Access windows: 4 months of training access, and a 12-month window from purchase to start your exam. You can buy training extensions, but they do not extend the 12-month exam window.
What’s included: On-demand modules, browser-based labs (100 hours), one 24-hour exam, one free resit, and digital/physical rewards upon passing (including the BTL1 challenge coin). You become BTL1 certified for life.
Discounts:
Student discount (10%) and discounts for military, veterans, and first responders are available. Watch for occasional promotions.
Actionable takeaway: If you’re studying part-time, align your purchase so you can fully use the 4-month training access and still have enough buffer within the 12-month exam window.
A Proven Study Plan (6–8 Weeks)
You can pass BTL1 with focused, consistent effort. Here’s a realistic plan you can tailor to your schedule.
Week 1: Foundations and Setup
Goals: Understand core security concepts and get familiar with the platform.
Do: Security Fundamentals modules; one phishing and one SIEM lab.
Deliverable: Create a “BTL1 Notes” doc with sections for Phishing, TI, SIEM, DFIR, IR. Add basic Splunk search syntax and Wireshark filters.
Actionable tip: Capture screenshots and one-line commands/filters you’d reuse in the exam.
Week 2: Phishing Analysis Deep-Dive
Goals: Artifact extraction and triage flow.
Do: Complete phishing labs; practice extracting headers, URLs, hashes, and attachments.
Deliverable: A phishing triage checklist (headers → indicators → sandbox/VT lookups → verdict → recommendations).
Actionable tip: Draft two short write-ups: one for a benign email, one for malicious, focusing on evidence and remediation.
Week 3: Threat Intelligence (Pivoting with Purpose)
Goals: Clean pivots with limited data.
Do: TI modules; practice WHOIS, passive DNS, VirusTotal, and MISP-like lookups.
Deliverable: TI pivot playbook (starting with a domain/hash/IP; document pivot paths).
Actionable tip: Practice turning technical pivots into a short “risk profile” paragraph for stakeholders.
Week 4: SIEM Work (Splunk Essentials)
Goals: Speed in scoping and validating activity.
Do: SIEM modules; run searches across index/sourcetype; use time ranges and fields to pivot.
Deliverable: A Splunk “queries bank” with filters for common use cases (logons, process starts, network connections, PowerShell).
Actionable tip: Label each query with “When to use” and “What it proves” to speed up exam decisions.
Week 5: DFIR Triage
Goals: Comfortable with Windows event logs, basic memory/disk triage, and Wireshark basics.
Do: DFIR labs with Volatility and KAPE; Wireshark filtering practice (http, dns, tls).
Deliverable: A DFIR triage flow—where to start, key artifacts, quick checks to confirm/deny hypotheses.
Actionable tip: Keep a list of event log IDs and what they indicate, with a one-line explanation.
Week 6: Incident Response Integration
Goals: End-to-end flow and timeboxing.
Do: Simulate a mini-incident using multiple labs back-to-back. Follow PICERL steps (Prep → ID → Contain → Eradicate → Recover → Lessons).
Deliverable: One-page incident summary template (executive summary, findings, impact, recommendations).
Actionable tip: Time yourself and set milestone alarms—practice switching tasks without losing context.
Weeks 7–8 (Optional): Reps and Confidence Building
Goals: Speed and precision.
Do: Redo the hardest labs; refine your notes; dry-run your 24-hour schedule.
Deliverable: An exam-day checklist and a final notes doc you can skim quickly.
Actionable takeaway: Treat each lab like a mini-exam. Ask: What is the question behind the question? What one piece of evidence proves or disproves my hypothesis?
Tool Tips You’ll Actually Use
Splunk (SIEM)
Start with a broad time range; then narrow down. Use fields (src, dest, user, process) to pivot.
Know basic commands: stats, eval, table, sort, where, rex.
Keep a “Top N” view (top users, hosts, processes) to spot anomalies fast.
Actionable tip: Pre-build a small library of saved searches in your notes with expected outputs and quick interpretations.
Wireshark (Network)
Master a few display filters: http.request, dns.qry.name contains, tls.handshake.type, tcp.flags.syn==1 && tcp.flags.ack==0.
Use Follow TCP Stream and Export Objects to quickly reconstruct activity.
Actionable tip: When stuck, focus on time slices correlated with host logs to reduce noise.
DFIR (Volatility, KAPE, Windows Logs)
Volatility: list processes, network connections, loaded DLLs; look for odd parent/child relations.
KAPE: rapid triage of key artifacts without full disk imaging.
Windows Logs: build a mini “event ID to detection” map.
Actionable tip: Always record the one artifact that ties the story together (e.g., a parent process spawning PowerShell with a suspicious command line).
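As an added illustration (not BTL1 course material or Security Blue Team code), here is a small Python version of the “event ID to detection” map above, run over constructed Windows event records; the field names, sample events, and detection rules are assumptions for the demo.

```python
import re

# Event ID -> one-line meaning (the "event ID to detection" map the guide suggests keeping)
EVENT_MAP = {
    4624: "Successful logon; LogonType 2=interactive, 3=network, 10=RemoteInteractive/RDP",
    4688: "Process creation; check parent/child relation and command line",
    4104: "PowerShell script block logged (PowerShell/Operational log)",
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line traits commonly seen with malicious PowerShell launches (assumed rule set)
SUSPICIOUS_PS = re.compile(r"-(enc|encodedcommand|nop|noprofile)\b|-w\s+hidden|downloadstring", re.I)

# Constructed sample records standing in for parsed EVTX fields (not real data)
SAMPLE_EVENTS = [
    {"id": 4624, "host": "WS01", "user": "j.doe", "logon_type": 2},
    {"id": 4688, "host": "WS01", "user": "j.doe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"},
    {"id": 4688, "host": "WS01", "user": "j.doe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 4624, "host": "SRV02", "user": "svc_backup", "logon_type": 10},
]

def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Apply the map; each finding records the one artifact that ties the story together."""
    findings = []
    for ev in events:
        rule, artifact = None, None
        if ev["id"] == 4688:
            parent, child = basename(ev["parent"]), basename(ev["image"])
            if parent in OFFICE_PARENTS and child in SHELLS:
                rule = "office-spawned-shell"
                artifact = f"{parent} -> {child}: {ev['cmdline']}"
            elif child == "powershell.exe" and SUSPICIOUS_PS.search(ev["cmdline"]):
                rule = "suspicious-powershell-cmdline"
                artifact = ev["cmdline"]
        elif ev["id"] == 4624 and ev["logon_type"] == 10:
            rule = "remote-interactive-logon"
            artifact = f"LogonType 10 for {ev['user']} on {ev['host']}"
        if rule:
            findings.append({"host": ev["host"], "user": ev["user"], "event_id": ev["id"],
                             "meaning": EVENT_MAP.get(ev["id"], "unmapped event ID"),
                             "rule": rule, "artifact": artifact})
    return findings
```

Each finding already holds the Question → Evidence → Conclusion pieces of the findings table the guide recommends, so it drops straight into your notes.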
TI Pivots (VT, MISP, Passive DNS)
Start from the cleanest indicator (hash > domain) to minimize false positives.
Document hypotheses: “If this domain belongs to X actor, we expect Y infrastructure behavior.”
Actionable tip: Write a single-sentence risk statement per indicator to keep your final answers crisp.
Your 24-Hour Exam Game Plan
Because the exam is open-book and timeboxed, structure is your superpower.
Before you start:
Prep your environment: stable internet, comfortable setup (two monitors help), your notes in a searchable format.
Skim the NDA and rules—AI tools are not allowed.
A simple schedule:
Hours 0–2: Read the scenario, build a timeline, answer any “low-hanging fruit” questions.
Hours 2–8: Deep dives—phishing artifacts, SIEM scoping, quick DFIR triage.
Hours 8–12: Fill gaps, validate findings, and document clear evidence.
Hours 12–20: Second pass on tough tasks; pivot with TI; sanity-check assumptions.
Hours 20–23: Finalize answers; ensure each has proof (screenshot, log line, artifact).
Hour 24: Submit, breathe, and celebrate the learning.
Actionable takeaway: Use a simple findings table with columns: Question → Evidence → Tool/Command → Conclusion → Confidence. This makes your final pass faster and more accurate.
After the Exam: Results, Reviews, and Retakes
Immediate results: You’ll see your score right away; 70% is a pass, and 90% on the first attempt earns gold status.
Manual review: If needed, you can request a review, with a target timeline of about 10 working days.
Retakes: One free resit is included; if you need another attempt, a paid resit is typically available after a 10-day wait.
Learner perspectives:
Students often describe BTL1 as practical and beginner-friendly but still challenging—useful for building confidence and interview stories.
Actionable takeaway: If you miss by a small margin, immediately annotate your notes with the gaps you felt under pressure, wait the required period, then target those domains before your resit.
Career Value and ROI: A Balanced View
Where BTL1 shines:
It’s a strong practical signal for Tier 1/2 SOC, junior IR, or DFIR-adjacent roles.
The training maps to NICE Cyber Defense Analyst functions and teaches tool usage you’ll actually apply on the job.
Market recognition:
Many learners and employers like the hands-on nature and capstone-style exam.
Community feedback notes recognition can vary by region; supplement with a portfolio (lab write-ups, detection content) and broad foundations (networking, OS internals).
Actionable takeaway: Pair BTL1 with 2–3 public write-ups of your lab work. In interviews, tell a clear “investigation story” using the STAR method (Situation, Task, Action, Result).
Is BTL1 Right for You? A Quick Checklist
Say “yes” to BTL1 if:
You want practical incident skills, not just theory.
You can commit to 6–8 weeks of consistent practice.
You’re targeting SOC/IR entry roles and want an open-book, hands-on exam.
Consider alternatives or complements if:
You’re seeking broad, theory-heavy coverage for compliance/governance pathways.
Your region strongly prefers vendor certifications; you might pair BTL1 with a widely recognized baseline while you build experience.
You prefer proctored, multiple-choice exams (BTL1 is the opposite).
Actionable takeaway: If your top priority is “showing, not telling” you can do the job, BTL1 is built for you.
FAQs
Q1: Is the BTL1 exam proctored and open-book?
A1: It’s unproctored and open-book, governed by an NDA and strict anti-cheating policies (AI tools are prohibited).
Q2: How many attempts do I get, and how soon are results?
A2: The bundle includes one attempt and one free resit; additional paid resits may be allowed. There’s a 10-day cooldown after a fail. Results are auto-graded immediately; manual reviews target ~10 working days.
Q3: How long do I have to use my training and exam access?
A3: You get 4 months of training access and 12 months from purchase to start your exam. Training extensions are available but do not extend the 12-month exam window.
Q4: How much does BTL1 cost, and are there discounts?
A4: The bundle is £399 GBP. Students, military, veterans, and first responders may qualify for discounts; watch for occasional promos.
Q5: Is BTL1 a lifetime certification?
A5: Yes—BTL1 is a lifetime certification, and you’ll receive digital and physical rewards upon passing.
Conclusion:
BTL1 is a practical, accessible way to prove you can investigate incidents, use real tools, and communicate findings—exactly what blue teams need. If you follow a focused plan, practice the labs, and create a sharp notes doc, you can pass with confidence. From there, leverage your new skills in interviews with clear, artifact-backed stories.