Elizabeth Ekedoro
Feb 25, 2024
A screenshot of my exam score.

In this article, I aim to recount my journey toward obtaining BTL1 certification with the Security Blue Team. I’ll provide feedback on the training course’s quality, delve into the 24-hour incident response practical exam, and offer recommendations and tips to help you prepare for the BTL1 certification exam.



My name is Elizabeth Ekedoro, and I graduated from the university with Second Class Honors Upper Division in Biology. In 2023, I transitioned fully into cybersecurity, dedicating myself to acquiring both theoretical and practical knowledge in the field. Currently, I am actively seeking an internship or entry-level role as a Security Operations Center (SOC) Analyst, aiming to get hands-on experience by leveraging advanced security tools and technology. This position will provide me with the opportunity to collaborate with esteemed professionals, enhance my skills, grow among colleagues, and contribute value to the organization.


BTL1 is ideal for security enthusiasts or professionals looking to enhance their practical defensive cyber skills. The certification is designed to train technical defenders capable of effectively securing networks and responding to cyber incidents.

Source: Security Blue Team

At the time of writing, the exam cost stands at £399 GBP and I must express gratitude to CyberSafe Foundation for easing this financial burden through the provision of a voucher. While the cost may seem high, I can attest that investing in this certification is undeniably worthwhile.

Source: Security Blue Team


A screenshot of all the topics, quizzes, and labs I completed

- Upon exploring the curriculum, I found it to be comprehensive, covering 309 topics, 32 quizzes, and 24 labs (100 hours of access), and granting candidates two attempts at the exam.

- The exam structure facilitates a seamless experience for students, allowing them to commence the 24-hour practical incident response exam directly from the BTL1 course within 12 months of purchase.

- Students gain access to a cloud-based lab through an in-browser session, available for up to 24 hours. It is a 24-hour practical incident response exam that consists of twenty task-based questions that must be completed and answered. That means you’ll have to be ready to spend a lot of your mental energy, analytical skills, and 100% focus for a long time.

- Upon answering all questions, students can promptly submit the exam to receive immediate grading and detailed feedback. To pass and earn the silver challenge coin, a minimum score of 70% is required while 90% (on the first attempt) is required for the gold challenge coin.

Read more about the BTL1 Exam here: Blue Team Level 1 Certification » Security Blue Team


This course has a user-friendly eLearning platform. Each content module predominantly comprises text-based training, accompanied by video demonstrations when applicable, and includes various quizzes for knowledge checks.

It encompasses six domains, including Security Fundamentals, Phishing Analysis, Threat Intelligence, Digital Forensics, Security Information and Event Management (SIEM), and Incident Response.

A screenshot of all domains I completed.

It’s noteworthy that the distribution of labs is not uniform across modules:

- Phishing Analysis: 4 labs

- Threat Intelligence: 1 lab

- Digital Forensics: 10 labs

- SIEM: 5 labs

- Incident Response: 4 labs

- It’s worth mentioning that more labs are currently in development and will be added to the platform.

- I found the labs in phishing analysis, threat intelligence, and digital forensics to be particularly enjoyable. The phishing analysis module is exceptional, laying a great foundation for evaluating the legitimacy of emails. It introduces a structured approach to thinking when determining the malicious nature of an email. The abundance of resources in this domain and the well-organized learning materials make it a valuable section of the course.

- The SIEM labs are based on Splunk, but the query logic is largely transferable across different SIEMs. Investing time in exploring Splunk will undoubtedly equip you with skills and a mindset applicable to other SIEM platforms in your current or future work.


Autopsy, Browser History Capturer, Browser History Viewer, DeepBlueCLI, DomainTools, Event Viewer, FTK Imager, JumpList Explorer, KAPE, Linux CLI, PECmd, PhishTool, PowerShell, ProcDump, Scalpel, Sigma, Snort, Splunk, Suricata, TheHive5, URL2PNG, VirusTotal, Volatility, WannaBrowser, Windows File Analyzer, Wireshark, etc.


I started studying for the BTL1 exam in August 2023 and took my exam in February 2024. While the preparation duration is flexible, it’s essential to keep in mind the 4-month course access limitation of the Security Blue Team (SBT). I dedicated 8–10 hours to study on most days, allowing ample time to create extensive notes and familiarize myself with each tool included in the course and exam. In total, I invested 4 months in completing my training for the BTL1 exam.

From my experience, I offer the following advice:

- Don’t Rush Your Learning Process: Learning takes time, and rushing a training course solely for certification may not be beneficial in the long run. Certifications open doors for interviews, but a genuine understanding of the knowledge is crucial for securing a job.

- Take Notes: Utilize a book or a note-taking app while studying. BTL1 is an open-book, open-internet exam, and having well-structured notes is essential. I used Microsoft Word for its effectiveness and ease of use in organizing and searching through my notes.

- Devote Time to Note-Taking: Allocate sufficient time to take notes on every aspect of the training course. Once you have comprehensive notes, you can continue to study and prepare for your exam even if the 4-month training course access of SBT expires. Remember not to share any notes to avoid breaching the NDA with the Security Blue Team organization.


1. Blue Team Labs Online (BTLO): I spent a week practicing on the platform, exploring free labs such as:

- Phishing Analysis 1,

- Phishing Analysis 2, and


For paid labs, I had to watch video walkthroughs on the BTLO YouTube channel for:

- Drill Down,

- Countdown, and

- Sticky Situation.

2. TryHackMe: I completed labs on:

- Wireshark Basics and

- Exploring SPL.

3. Splunk: (I did not have enough time to utilize the resources below but I believe they’ll be extremely helpful):

- Boss of the SOC and

- Splunk Documentation.


Undoubtedly, the BTL1 exam proved to be a challenging and stressful experience for me, although it may vary for others. Typically, it’s recommended to take some days off for rest and mental preparation due to the exam’s demands and problem-solving skills. However, constrained by time, I dove into the exam after my one-week refresher.

Equipped with some fruits and snacks, I commenced the exam at almost 11 am on the 10th of February; I first had apples and yogurt (haha). Faced with network issues, I persevered for about 10 hours straight, without breaks. Thankfully, my dad was always on standby to run the generator, preventing any disruptions due to power outages. I had a brief 3-hour nap between night and midnight, and on the morning of the 11th of February, I had nearly 2 hours left of my 24-hour window. I completed and submitted the exam and got a 90% passing score. The flexible time structure allows for breaks as desired. Following completion, I ate more food and enjoyed a well-deserved sleep.


- Ensure You Have Snacks: Before starting your exam, ensure you have something to eat or munch on. Having snacks on hand can provide sustenance and help maintain focus during the extended exam duration.

- Understand the Scenario: Begin by thoroughly understanding the scenario and the tasks at hand.

- Craft a Timeline: Develop a timeline outlining your steps and findings during the investigation. Maintain a list of malicious Indicators of Compromise (IOCs) as they’ll be of great use to help you carry on.

- Confidence in Answers: Avoid rushing and ensure confidence in justifying your answers. BTL1 requires a thoughtful approach.

- Stay Calm: Maintain composure for a clear mind; treat the exam as a mini-marathon, not a sprint.

- Review and Edit: Take advantage of the 24-hour duration to review and edit your answers if necessary.


Successfully passing the BTL1 exam marked the beginning of the post-exam process. This involved reading the examiner’s feedback, redeeming the certificate, claiming BTLO rewards, receiving the Credly badge, and initiating the process to request my physical reward, which will be delivered to me.

Source: Security Blue Team

Thank you for taking the time to read my article. I trust it has provided valuable insights for those preparing to take the exam, and I eagerly anticipate hearing about your success stories. Don’t hesitate to subscribe, connect with me on LinkedIn, and feel free to send a personalized message.

Until next time — Stay cyber-awesome, my friends!



Elizabeth Ekedoro

SOC Analyst | Cybersecurity Technical Writer/Researcher | GFACT | SANS CTA | BTL1 - Gold Coin | ISC² CC | CyberGirls Alumna | Featured in GlobalSecurityMagazine