My BTL1 Review
This article presents Bhavesh's personal review of, and experience with, the BTL1 (Blue Team Level 1) certification. He explains why he chose it, how he prepared, what the exam was like, and his final thoughts. BTL1 is known for being practical and hands-on, suits newcomers learning defensive skills, and builds analysis and response ability through a simulated SOC environment. The author stresses the importance of SIEM and Splunk, and advises candidates to prepare patiently and read questions carefully so they can handle the linked questions in the exam. 2025-10-10 11:02:41 Author: infosecwriteups.com

Bhavesh | CyberSec

Hey everyone, it’s me, Bhavesh again! Today, I wanted to review and give you my honest opinion on the BTL1 (Blue Team Level 1) certification from Security Blue Team.

I passed this certification back in August last year, so I'll be honest: a few minor details may have faded from memory, but I'll do my best to give you a complete breakdown, including:

Why I chose BTL1

How I prepared

My Exam Experience

Final Thoughts

This is written in the same honest, hands-on style as my PJPT review, so if you’re considering BTL1 or just starting your cybersecurity journey, I hope this helps you out!

Why I chose BTL1

Okay, so before deciding on BTL1, I actually spent some time researching different blue team certifications. There are quite a few out there, like CCD (Certified Cyber Defender), CDSA from Hack The Box, CySA+, PSAA from TCM Security, and now there's also SAL1 from TryHackMe, although neither PSAA nor SAL1 existed when I took my exam last year. The thing is, CCD and CDSA are more advanced, and since this was my first time gaining proper, practical blue teaming knowledge, I didn't want to jump into something too advanced. CySA+ is well-known, but it's primarily multiple-choice and theory-based, which is not what I was looking for.

BTL1 felt like the perfect fit! It’s beginner-friendly yet hands-on, providing real SOC-style skills, and I kept seeing people in the community recommend it. All the reviews and comments I read were positive, and that reassured me even more. On top of that, BTL1 is widely recognised in the blue team community, so I knew I wouldn’t be wasting my time.

As of now, the certification costs £399 GBP, which gives you four months of access to all the training materials, plus a free exam retake if you don't pass on your first attempt.

The course covers several core areas that every blue teamer should know, including:

Security Fundamentals
Phishing Analysis
Threat Intelligence
Digital Forensics
Security Information and Event Management (SIEM)
Incident Response

You can find more detailed information about these modules on the official BTL1 certification page.

How I prepared

I dedicated about one whole month to preparing for the BTL1 certification, studying roughly 5–6 hours every day. I chose to do it in August, since that’s usually the summer holiday period in Europe and work tends to be quieter, which gave me the perfect opportunity to focus without distractions.

Most of the content is text-based, but there are also numerous video walkthroughs for key modules, such as Phishing Analysis and SIEM (Splunk), Threat Intelligence (MISP), and others. The training platform is very well structured, and after you finish one section, it automatically links you to the next question or module, which keeps your flow steady as you progress.

Each domain also comes with labs to reinforce your learning, and these labs are where most of the value lies. I made sure not just to read through the material: I opened every tool, followed along in real time, and repeated the exercises until I could do them comfortably.

If you’re preparing for this certification, I strongly recommend two things:

Focus deeply on the SIEM domain and the use of Splunk.

This section carries significant weight in the exam, and you'll face several questions that test your understanding of Splunk searches, dashboards, and event analysis. Practise navigating Splunk multiple times and learn how to write search queries, interpret logs, and identify various anomalies.

Take good notes in the Phishing Analysis section.

Ensure you thoroughly understand the various types of phishing attacks and how to analyse suspicious emails, attachments, and URLs. There is no harm in doing labs three or four times. These concepts are practical and will appear in the exam.
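As an added illustration of the second recommendation (this is my own example, not part of the original post or of the BTL1 course material), here is a small Python triage script that does what a phishing-analysis lab has you do by hand: it parses a raw .eml, pulls out the sender, Reply-To and Return-Path, extracts URLs from the body, hashes any attachments, and flags the usual indicators. The sample message is constructed for this example; its domains, addresses and attachment are placeholders, and the indicator codes are names I chose.

```python
"""
Phishing-email triage helper (added example, not BTL1 course material).

Parses one raw message, extracts the header fields an analyst checks first,
pulls URLs out of the text body, hashes attachments and reports a list of
(code, detail) indicators worth a second look. Only the standard library.
"""
import hashlib
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message (not a real e-mail). The Reply-To and Return-Path
# sit in a different domain from the From address, one link points outside
# the sender's domain, and the attachment is an executable with a double
# extension whose content starts with an MZ header.
SAMPLE_EML = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby mx.example.org with ESMTP id abc123; Mon, 12 Aug 2024 09:14:02 +0000
From: "IT Helpdesk" <helpdesk@example.org>
Reply-To: support@example.net
Return-Path: <bounce@example.net>
To: user@example.org
Subject: Action required: password expires today
Date: Mon, 12 Aug 2024 09:14:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://example.net/reset
or https://login.example.org/ before 5pm.

--BOUNDARY
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUNDARY--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Extensions that should never arrive unsolicited (hypothetical, not exhaustive).
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".lnk", ".iso")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def same_org(host: str, domain: str) -> bool:
    """True when host is the sender's domain or a sub-domain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def triage(raw: bytes) -> dict:
    """Parse a raw message and return headers, URLs, attachment hashes and indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = parseaddr(str(msg.get("From") or ""))[1]
    reply_to = parseaddr(str(msg.get("Reply-To") or ""))[1]
    return_path = parseaddr(str(msg.get("Return-Path") or ""))[1]
    sender_dom = domain_of(sender)
    indicators = []

    # Header checks: a Reply-To or Return-Path in another domain means replies
    # and bounces go somewhere other than the displayed sender.
    for code, addr in (("REPLY_TO_MISMATCH", reply_to), ("RETURN_PATH_MISMATCH", return_path)):
        dom = domain_of(addr)
        if dom and dom != sender_dom:
            indicators.append((code, f"{addr} is not in sender domain {sender_dom}"))

    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "(unnamed)"
            attachments.append({"name": name, "size": len(data),
                                "magic": data[:4].hex(),  # first bytes beat the filename
                                "sha256": hashlib.sha256(data).hexdigest()})
            if name.lower().endswith(RISKY_EXT):
                indicators.append(("RISKY_ATTACHMENT", name))
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))

    # Link checks: where does each URL actually go, relative to the sender?
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if not same_org(host, sender_dom):
            indicators.append(("EXTERNAL_URL", url))

    return {"from": sender, "reply_to": reply_to, "return_path": return_path,
            "subject": str(msg.get("Subject") or ""), "urls": urls,
            "attachments": attachments, "indicators": indicators}


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    for key in ("from", "reply_to", "return_path", "subject"):
        print(f"{key:12}: {result[key]}")
    for att in result["attachments"]:
        print(f"attachment  : {att['name']} ({att['size']} bytes, magic {att['magic']}) sha256={att['sha256']}")
    for code, detail in result["indicators"]:
        print(f"[{code}] {detail}")
```

Running it prints the key headers, the attachment hash and the four indicators the sample trips. The checklist matters more than the code: sender versus Reply-To/Return-Path domain, where each link really points, and what the attachment actually is (the first bytes say more than a filename, which here hides an executable behind a double extension). The hash is what you would pivot on in threat-intelligence sources during the lab.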

My Exam Experience

The BTL1 exam is designed to simulate a real-world incident investigation, and honestly, that’s what makes it both challenging and fun. You’re given 24 hours to work through a simulated case and answer a total of 20 questions.

To pass, you need a score of 70% or higher, which means you’ll need to get around 14 questions correct. The questions vary; some are straightforward, while others require in-depth analysis of logs, PCAPs (using Wireshark), or evidence files.

One important thing to know is that some of the questions are linked. In other words, if you miss a clue early on or can’t find the answer to a previous question, it can be harder to progress. For example, certain questions rely on specific indicators or artifacts you uncover earlier in the investigation. So, answering the earlier ones correctly gives you confidence that you’re moving in the right direction. It’s a great way to build momentum because as you start spotting patterns and understanding the context of the incident, the later questions begin to make a lot more sense.

When I first started, a few questions took me a while to figure out, especially those related to Splunk and SIEM analysis. I quickly realised how important it was that I had practised those sections during my preparation. Splunk can be tricky at first, especially if you are new to it, but if you've done the labs properly, you'll know what patterns to look for.

The phishing and threat intelligence questions were also really interesting. They make you think critically, not just “what happened,” but why it happened, and what evidence proves it. It’s not about guessing; it’s about finding and connecting details.

A few things to look out for:

Labs vs. Real Exam
In the labs, you can submit answers as you go and immediately see if you’re correct. In the actual exam, you won’t get that feedback per question. You answer all 20 questions, then submit once at the end. Only after submission do you see your result, along with which ones were wrong and helpful hints about what you should’ve done.

Review every question carefully before you submit the final version. When I did a full review at the end, I changed a couple of answers I wasn't entirely convinced about. Take your time, don't rush, and make sure your evidence supports each answer.

I liked the overall format: it wasn't a stressful, high-pressure exam like some of the offensive ones (OSCP, which I intend to take soon). Since you have a full day to complete it, you can pace yourself, take breaks, and mark the questions you need to revisit later.

After about 12–13 hours of total work (including breaks), I completed the entire set and submitted it. The feeling afterwards was great: I got the results immediately and was thrilled to see that I had passed!


Final Thoughts

Looking back, I can honestly say that the Blue Team Level 1 (BTL1) certification is one of the best starting points if you’re getting into the defensive side of cybersecurity. It doesn’t just throw theory at you; it teaches you how to actually think like a defender, investigate incidents, and make sense of what’s happening behind the logs.

What stood out to me the most was how practical and real the whole experience feels. The labs and the exam don't just test what you've memorised; they test how you analyse, correlate, and respond. It's very close to what you'd be doing in a SOC environment, which makes it a great way to build real confidence before tackling more advanced certifications like BTL2, CCD, or even CDSA later down the line.

It’s also a certification that rewards patience and curiosity. If you enjoy analysing logs, hunting for clues, and solving real-world cases, you’ll genuinely have fun preparing for it. And even if you’re already more interested in the offensive side, like I am after completing PJPT, this certification gives you a strong understanding of how defenders operate, which I think makes you a better pentester overall, too!

What’s next for me

Right now, I’m preparing for the Practical Network Penetration Tester (PNPT) certification, which I plan to take soon!

If you enjoyed reading this post, you might also like my previous write-up about the Practical Junior Penetration Tester (PJPT) exam, where I shared my full experience, preparation process, and the lessons I learned along the way. You can check it out here:

👉 My PJPT Review on Medium

I hope my journey helps and motivates others who are also preparing for these certifications. Whether you’re on the blue or red side, we’re all learning together, and I’ll continue to share more of my experiences as I grow in cybersecurity.

About Me

Hey, I’m Bhavesh 👋
I write about my journey in cybersecurity, from certifications like PJPT and BTL1 to hands-on labs and bug bounties. I’m planning to share more stories, tips, and lessons as I continue to explore both offensive and defensive security paths.

If you're also into pentesting or studying for any certs, hit follow or feel free to comment, and let's learn and grow together!


Source: https://infosecwriteups.com/my-btl1-review-314d396a0f1f?source=rss----7b722bfd1b8d---4