Home Blue Team Level 1 Exam Review

Blue Team Level 1 Exam Review

It’s been a while since I wrote a last post (two and half years) and a lot of things changed for me since then. I spent a lot of time on improving my technical skills in various areas like pentesting, blue team, general security, scripting, and so on. I am glad that after some time, I will write a new post about an amazing journey toward Blue Team Level 1 certification, which I passed recently.

Blue Team Level 1 is a starter point, or better say, first level of certification provided by an amazing team, Security Blue Team. This course goes through the 6 domains which teaches you the basics of not just blue team operations, but also includes basics of security and some good advices about mental health, which is very important in cyber security, but not that often mentioned. Each domain have certain number of labs that you can use for practice. Those six domains, that are covered are shown bellow and I will cover short summary along with the extra links that helped me to prepare for an exam (and more):

  1. Security Fundamentals
  2. Phishing Analysis
  3. Threat Intelligence
  4. Digital Forensics
  5. Security Information and Event Monitoring
  6. Incident Response

Security Fundamentals

One part of this domain covers basics of security like physical security, email, endpoint, network security. You will also learn about basic networking concepts (which is a crucial skill not just in cyber security but in almost any job in IT field, whether that was sysadmin, DevOps, or networking), security policies and compliance. The other part covers also some crucial things in this field, like communication skills, management and also the most important one, mental health. I can’t tell you many courses I’ve watched online and how rarely I see a lesson about this. Going through this part, I actually found myself in those words. So please read carefully this part and any extra link provided in the course.

Phishing Analysis

My second favorite, the one that I thought is my strongest skill, showed to be the weakest because of some beginner mistakes that I never make in general hah. In this domain you will learn all you need to know about how mail system works, types of attacks, basic mail terminology and how to recognize phishing or malicious email through various examples and more.

I recommend bellow videos as an extra material for studying as those helped me a lot even before I started BTL1 journey.

  1. Email Header Analysis and Forensic Investigation by 13Cubed.
  2. Email Header Analysis Part 1 and Part 2 by Ryan Chapman.

Threat Intelligence

This domain will teach you everything you need to know about threat actors, their motivations, threat intelligence process, what are APTs and also you will learn how to use MITRE ATT&CK Framework, which can be very useful (and fun) thing to learn. You will also learn how to gather and share information through various methods and with others over the globe.

Digital Forensics

This is probably the one that most of you can’t wait to start with learning. Here you will learn all about DFIR process, tools, hardware, software that you will use not just during the course, but most likely during your daily job. You will learn how to get a disk image, how to analyze collected information for both Windows and Linux, how to collect and what to do with the data and other similar and fun stuff. This is I guess the biggest domain, but with a reason of course.

Security Information and Event Monitoring

If you are already in a security (especially an SOC engineer/analyst) than you know what this domain is about. SIEM is very important tool for security teams, and BTL1 will introduce you with it through various lessons and labs prepared for you. You will learn about Windows and Linux logging systems and how to analyze their logs with the Splunk. Be sure to prepare very well Splunk as it is important part of an exam (this is even mentioned by Security Blue Team in the course). We all know how SIEM tools are usually very greedy when it comes to the hardware resources to set them up, so use this chance where the tools are already prepared for you, and learn as much as you can.

Incident Response

The last one is incident response (IR) domain, the section that will teach you how to defend your organization, the process and what to do during an incident (not just before but also after an incident), IR phases and similar. In this domain you will also learn about traffic analysis with Wireshark and basics of CMD and PowerShell which can be useful not for just an exam, but also for your work.

While the course materials are enough to pass, I recommend bellow sites to practice more Wireshark (of course they are also useful to practice even after you pass the exam):

  1. Malware-Traffic-Analysis.net

Additional Resources

While these resources are not necessary for the exam, it is good to do some of them to be sure and more confident about the exam.

  1. Blue Team Labs Online - An amazing platform for practicing blue team skills. It is similar like TryHackMe or HackTheBox. What those two platforms are for people who practice red skills, BTLO is the same for those who wants to practice blue team skills.
  2. CyberDefenders - Similar like BTLO, have a quite number of various practice labs for all level of skills.
  3. Blue Team Home Labs - This is a GitHub repository of an amazing tools that are useful not just for home labs but also for work. Take this repository more as a next step after you pass BTL1, create a great personal home lab.


I haven’t mentioned the best part of this certificate…it is pure 100% practical exam, where you get real life situation explained, background story, all the files you need which I value the most, because to be honest I am a bit tired of publicly recognized certifications which are in form of multiple choice questions with no practical way of actually proving your knowledge. So be sure to have 24 hours free time and stable connection to do an exam. And for me, I will take a little break from all day studying and take some time to create my own lab. Next steps would be learning more about cloud, malware analysis and other advanced blue team stuff.

This post is licensed under CC BY 4.0 by the author.
Recently Updated