# Passing the Blue Team Level 1

[**Blue Team Level 1 (BTL1)**](https://securityblue.team/why-btl1/)

<figure><img src="/files/mLI3KdSr3XQZFU2DLZM0" alt=""><figcaption></figcaption></figure>

## **Why BTL1?**

I needed a more practical and in-depth course to fill the gaps in my technical knowledge of blue team work, specifically the SOC analyst role. [Passing the CySA+](/longs-cybersecurity/certifications/passing-the-cysa+.md) only covered the theoretical side of blue teaming; the knowledge I gained from it was a mile wide and an inch deep. Luckily, I stumbled upon one of [Day Cyberwox](https://www.youtube.com/c/DayCyberwox)'s streams, where he was talking about the BTL1 and how it is basically the "OSCP for blue team": a certification with a practical 24-hour incident response exam. I was convinced.

## 24-Hour Incident Response Exam

I sat the exam for 8.5 hours and passed with an 80%. I won't be able to cover much detail about the exam because of the NDA, but it was a fun one. I'd say it was the best certification exam I have ever taken.

<figure><img src="/files/Gd5DpQK2P74tiSp8CGxd" alt=""><figcaption><p>Tracked my exam duration using Toggl</p></figcaption></figure>

## Preparation

I used up 40 out of the 100 hours of lab time provided by the course. Redoing the labs, taking notes, and trying to understand why and how the techniques and tools are used helped me pass the exam. Approaching the course with the mindset of "I'm here to learn" instead of just trying to get the cert as fast as possible also helped me relax.

I also used external materials (see below) to better understand the topics that I wasn't strong at.

## Supplemental Resources

These were the additional resources I used to get more practice in areas that I was weak at:

### Autopsy

[**TryHackMe | Autopsy**](https://tryhackme.com/room/btautopsye0)

[**TryHackMe | Disk Analysis & Autopsy**](https://tryhackme.com/room/autopsy2ze0)

### Splunk

[**Free access to Splunk with BOTSv1 data**](https://samsclass.info/50/proj/botsv1.htm)

### MITRE ATT&CK Framework

[**Free video course covering the basics of the MITRE ATT&CK Framework**](https://www.academy.attackiq.com/courses/foundations-of-operationalizing-mitre-attck)

## Conclusion

I found this certification exam and training course to be the best of its kind. The course content was comprehensive and in-depth, and the practical labs were engaging and informative. I believe that the value of this certification will only increase over time, as it is well-suited for those who are interested in the technical aspects of blue teaming, such as network defense, digital forensics, and incident response. I would highly recommend this certification exam and training course to anyone who is looking to advance their career in cybersecurity.
