Review: Security Blue Team: BLUE TEAM LEVEL 1 (BTL1)

Security Blue Team Certification

In February, I attempted and passed the SBT Blue Team Level 1 with a score of 93%, earning a Gold Challenge coin.

BTL1 challenges Blue Teamers across a wide range of disciplines:

  • Phishing Analysis
  • Digital Forensics
  • Threat Intelligence
  • SIEM
  • Incident Response

To work through the BTL1, it is a good idea to go through the BTLJA courses (shown below) first.

SBT BTLJA/Intro Courses

BTLJA does not have a formal certification exam. You just need to complete the courses above and then send SBT an email to get the certification.

On the other hand, BTL1 requires you to perform a practical 24-hour incident response. The exam is open-book, open-Internet, and open-notes. You have 12 hours of access to the virtual lab and 12 hours to write the report.

Exam and Preparation

You get four months of access to the materials for BTL1. The material can be completed much earlier than the four months. Also, if you need extra practice, you can use SBT's Blue Team Labs Online, which covers many of the areas of the exam.

During the first 12 hours, you need to ensure you have proper documentation and screenshots for your report. If you are using Windows, you can use Greenshot to create screenshots. In Greenshot, apply Effects > Border and Effects > Invert (on screenshots with a dark background) to each image to get a clean border and make the image easier to see and read in the report.

For the report, I ended up using VSCode with the following plugins:

I have other plugins, but these are the ones for Markdown. I basically saved all my notes by typing in Markdown and then using the Paste Image plugin to paste (and save) each image into VSCode. This allowed me to easily create the report from the documentation.

Personally, I spent about 4 hours writing the report. It is best to grab as much information as possible to document the incident during the first 12 hours. Then get some sleep and wake up to write the report!

Worth it?

BTL1 is one of the few cheaper alternatives to GIAC certifications and covers a lot of ground across all of its domains. For those wanting to get into security and into working in a SOC, this is a certification to take a look at. It covers all the basics and gives you further study material to continue your career path.

Jesse Spangenberger