How I passed the BTL1 earning the Gold Coin in 2023 — Training Course/Exam Review & Tips

Ilias Mavropoulos
9 min read · Apr 4


Hey Medium,

Today I want to share with you my journey on being Certified with Security Blue Team, give you my feedback on the quality of the training course / 24-hour incident response practical exam and provide you with recommendations and tips for preparing for the BTL1.



For the most part of my life I’ve been a technology nerd pursuing new ways to solve problems with the use of computers while also making my daily routine easier and more enjoyable by augmenting real life through the digital world.

I am living in Athens, Greece and I’ve graduated as an El. Engineer, currently studying for my MSc in Cybersecurity. Since 2014 I’ve gained over 7 years of experience working in IT-related roles both at local businesses and large multinational organizations, which laid a strong foundation for my transitioning career in Cybersecurity in 2022.

I’m currently working as an Analyst within the Internal Security Operations Center of Teleperformance, where I’ve been given the opportunity to use high end security tools & technology, collaborate with some great professionals in the field and grow my skills alongside my colleagues.

WHAT is BTL1 and WHY I think it’s a great Training Course for CyberDefenders?

If you’re like me and you enjoy scrolling for hours on LinkedIn discovering and connecting with students / professionals of all kinds of specialties worldwide, you must have definitely noticed a large number of security people already holding the Blue Team Level 1 (BTL1) certification, or talking about it.

After researching more information about the BTL1 I landed on the official website of Security Blue Team where, to be honest, I was initially disappointed by its seemingly high price at 399 GBP. However, digging deeper into the curriculum of the certification and noticing it actually includes 300+ activities, 21 labs with 100 hours of access and one exam-take with the ability to have a free re-take in case you fail your first attempt, I came to the realization that its price-tag may not be that high after all.

*You can always have a free trial of the BTL1 training course before actually paying for it. That’s what I did.

So I’m happy I actually invested in this training course!

Jumping into it I was presented with an intuitive and easy to use eLearning platform.

Each content module includes mostly text-based training with several video demonstrations (when applicable) and lots of small quizzes for knowledge checks.

Note that labs are not distributed evenly on each module:

- Phishing Analysis: 4 labs

- Threat Intelligence: 1 lab

- Digital Forensics: 8 labs

- SIEM: 5 labs

- Incident Response: 3 labs

*More labs are currently in development and being added to the platform.

The labs I personally enjoyed the most were the ones included in DF and SIEM modules. Please note that SIEM labs are based on Splunk but the query logic is mostly the same throughout different SIEMs, so if you devote time to playing around with Splunk, you will definitely manage to transfer those skills / mindset to whatever SIEM you’re using at your current / future work.

The Phishing Analysis module is also a great one as it lays a strong and essential foundation on your way of thinking when it comes to determining if an email is malicious or not. You would be surprised to realize how many mind-maps could be created for categorizing, documenting or responding to phishing incidents. So yes, lots of resources on this domain and nicely structured learning materials.

Student Support / Integrity of the learning material

What’s also really nice to have on your journey through the training course are the “Discussions” and “Support” tabs when you gain access to the training platform. There you can find immediate help on any problem you may encounter (I didn’t encounter any problem) and chat with the student support if needed.

I personally covered all the training material so I can safely say it’s definitely a mature, well-thought-out, refined and reliable course, both at a data integrity level as well as lab environment.

Study Tips, Study Procedures and how long to prepare for the BTL1 exam

Remember that this is a full hands-on practical exam, so the No. 1 tip I can give to students is to really practice and be familiar with the tools that they will be using in the exam environment, e.g. Wireshark is one of the tools you will probably be using in the exam environment. You can play around with it until you feel really confident in using it to analyze network traffic and extract relevant information and artifacts.

Though I don’t think it’s essential to do the same as me, I also utilized other resources like LinkedIn Learning and YouTube videos to get more in-depth with Wireshark. Keep in mind that everything included in the training course is more than enough to help you pass the exam.

Following the same logic, take as much time as you need to become familiar with each one of the tools that will be included in the exam. Personally, by studying for 3–4 hours each day I needed approximately 45 days to complete my exam preparation. During that period I also had 15 days to rest so I used a total of 2 months to complete my training for the BTL1 exam.

Exam Preparation Process:

- Choose a note-keeping app/platform that you find easy to use. Remember that BTL1 is an open-book, open-internet exam. I am using Microsoft’s OneNote as I find it very effective in structuring my notes and it is also very capable in searching through the notes I’ve made. If you don’t know how to design and structure your notes you can copy the layout of the BTL1 training course, create the same folders and sub-folders similar to the hierarchy of the BTL1 learning modules.

- Make sure you devote all the necessary time to take notes of everything included in the training course. As soon as you have everything in your notes you can take more time to study and prepare independently of the 4-month training course access limitation of SBT. Be very careful not to share any of these notes as you could potentially breach your NDA with the Security Blue Team organization.

- Create your own playbooks for common procedures that you are going to follow on the exam day, e.g. it is very likely that you will have to conduct mail analysis during the exam so you could create your own step-by-step mail analysis playbook in your notes, combining all the information given on the learning material. Another example could be to create a folder in your notes with common CLI commands you will be using during the exam so you can quickly copy-paste them into your environment.

- Connect an extra monitor to your machine. If you have the ability to get your hands on an extra screen for the exam day it would help you to tremendously boost your productivity as you could set up the exam environment fixed to the secondary monitor. If you can’t afford one you could always ask to borrow one from a friend or colleague just for the exam day!

- Don’t rush it. Learning takes time, you just can’t rush it and there is no point in rushing a training course just to get a certification. In the end, the certification will only set your foot at the door for an interview and won’t actually give you the job if you haven’t genuinely digested the knowledge. If you study just to pass any exam and this is your only motive, sooner or later it will become obvious.

- Blue Team Labs Online. Spending time on Blue Team Labs Online helped me build my confidence heading to the exam day. There are several labs in Blue Team Labs Online — Cyber Range that can complement your training during the BTL1. I spent a full 2 weeks practicing on the platform.

- Don’t forget to have fun, with practical exams like BTL1 it’s possible!

Before Exam Day

As you can imagine, any exam can be stressful for some people and this is also true for me.

This is a 24-hour practical incident response exam and this timeframe is quite generous to pass the exam. However, this is not the classic single or multiple-choice question based exam and it is nowhere near the PBQs (Performance-Based Questions) of CompTIA. That means you’ll have to be ready to spend a lot of your mental energy and be focused for a long period of time.

In order to achieve that, aim to have a really good break before exam day, I would recommend at least 4–5 days of relaxing from any stressful activity or studying. Don’t worry, you won’t “forget” anything, you already have your notes ready, remember? Schedule the exam on a weekend or take a day or two off as I did, so you can have another day to recover from the exam before you come back to work (if you are currently employed).

On Exam Day

It would be a good idea to have a friend / family member help you on the exam day, maybe prepare food, get you a drink or anything. I was lucky enough to have my partner prepare my meals and help me with whatever I needed during the exam.

I used 11 hours without breaks to complete my exam with a 90% passing score and after that I had a good night’s sleep of 9 hours, totaling 20 hours of the 24-hour timeframe.

Why am I saying this?

You can structure your exam time however you want. I could sleep and wake up in the morning to continue reviewing my answers for the 4 remaining hours. In the same way, you can have as many breaks as you need, you can sleep in-between, you can have a walk outside to empty your mind, you name it.

During my 11-hour attempt I was tasked with a specific real-world incident response case scenario in which an employee’s machine had been compromised. From there I could conduct a forensic investigation, RDP to other infected machines, collect and analyze artifacts through various sources and proceed with answering the exam’s questions following a given format.

During my attempt, I can assure you there were many times that I changed some of my answers as I was digging deeper into the investigation, correlating new artifacts.

More Exam Tips:

- I definitely recommend you to craft a timeline of all your steps and findings during the investigation and maintain a list of malicious IOCs you find along the way.

- Read the given scenario very carefully and make notes on key information provided. It will point you in the right direction.

- Examine all information provided on the virtual machine.

- Use the internet to your advantage. You can use Google to search for efficient Wireshark/Splunk queries, or other resources just like you would probably do if you were actually working in IR.

- Remember that if you rush the exam and try to answer a question based on the first evidence that seems reasonable to you, you will probably fail. You need to be confident about justifying your answers.

- Try to keep calm so you can have a clear mind. Remember, BTL1 is not a sprint, it’s more like a mini-marathon.

BTL1 exam time-lapse

I’ve also created a time-lapse video of my BTL1 exam attempt which is currently uploaded on YT.

FAQ (Currently in development)

Feel free to contact me on LinkedIn and let me know about any of your questions. I will try to respond by updating this article.

Q: What happens if you need to extend training course access, or lab hours beyond 100?

A: Are the 4 months of access enough for you to prepare and study? Maybe yes for the majority of students but that’s debatable. Whatever the reason, you have the ability to extend your course access or buy more lab hours by paying a designated fee on the SBT store tab enabled after you gain access to the eLearning platform.