Security Blue Team Level 1

My experience with the Security Blue Team Level 1 certification course and exam.


I recently took the Security Blue Team Level 1 (BTL1) cybersecurity course and passed the exam. I’ve collected my thoughts here in case they are useful to anyone considering the course, or about to sit the exam. As with my other posts around certification I won’t be giving away any specific answers, or anything else which might breach my Non-Disclosure Agreement (NDA) with the provider.

The Course

The course is entirely online and self-paced. You will normally get 4 months access to the training material and then an additional few months when you can take the exam, however I’d recommend doing the exam during the window when you have content access as you’ll be able to refer to it during the test if you wish. There’s an option to purchase additional months if required.

There are a number of modules covering phishing, threat intelligence, digital forensics, Security Information and Event Management (SIEM), and incident response. Each module is made up of a mixture of reading, watching videos, and hands-on-lab sessions. The first, more introductory, modules were heavier on the reading/watching content in my opinion, with the majority of the lab modules towards the back end of the course. This works well, putting the fundamentals in place before getting hands-on with the tools, but I did feel the course dragged a bit in those opening modules. My advice here is stick with it, it does get more interactive. Short quizzes along the way help reassure you that you are on the right track with your learning.

You will be shown lots (and lots!) of tools for analysing attacks and their aftermath. I found it useful here to keep a list in my notes and try and summarise briefly what each tool did. You (probably) won’t need all of them in the exam, but you don’t know which ones will feature in advance. It’s also worth noting that the course content is being updated regularly, but the course material is clear when a particular new tool won’t be covered in the exam. Take advantage of the new learning material that’s provided, but remember this is extra-curricular when you focus on the exam content.

The Exam

You’re given 24 hours to do the exam, but it took me about 5 hours. This starts from when you click “Go”, so you don’t need to make a booking. It could easily take a bit longer (or shorter) if you get stumped on a question (or the answer just pops), but I can’t see it taking more than a working day if you’ve worked through the course material and labs. The 24 hours does however allow for it to fit around “life”; that emergency call from the office, the school run, and so on. The exam is non-proctored and open-book, replicating a real world situation where you would have access to books, notes, online tools, and search engines. This doesn’t really make it easier, just more realistic than being sat in a booth at a test center trying to recall which TCP port an obscure network service usually runs on or what HTTP response 418 means.

The testing component is all in an online lab environment that looks just like the labs on the course- a remote desktop with instructions and questions tabs to tell you what to do. You have to answer a number of questions, similar to the ones in the course labs but with less guidance and hand-holding to get to your answer. The exam used to involve a report-writing component, but that wasn’t there when I took my test. The bonus of this is your pass/fail and mark is returned straight away on completion of the whole test so you know straight away how you did. Note that you don’t get the tick or cross after each question as you would in the course labs, so you can go back and change answers before submitting.

If I can give you one big exam tip, it would be read the instructions. I know we’re always told this, but there was one bit in my exam where tasks needed doing in a certain order and if I hadn’t read the instructions and instead just charged ahead I would have had to reset and start the whole lab environment again.

If you are working in Cyber Security, or another IT discipline but need to bolster your ITSec skills then this is definitely worth a look at. In particular the assessment method is a nice change from a traditional closed-book, multiple choice exam. More details can be found on and they also offer a number of free courses including a demonstration section of BTL1.