Blue Team Level 2

Vulnerability Management
Malware Analysis
Threat Hunting
Advanced SIEM & Emulation


lessons, activities, and tests



5 Months


£1599 (reduced from £1999)

certification price


We have proven that our training can help change lives. Our students have broken into industry or secured promotions as a result of taking our certifications. We have developed the skills of entire security teams and forged stronger technical defenders. Don’t believe us? Believe them! Read our BTL1 success stories at the link below (BTL2 success stories coming after the exam is released!).

Read BTL1 Student Success Stories >

The training course and certification exam were created under the supervision of our Academic Advisory Board, comprised of Senior Security Analysts, SOC Managers, and other senior security roles; ensuring it is accurate, realistic, and applicable to modern security operations.

View Academic Advisory Board >


A hands-on defensive security training course and certification, showcasing advanced practical ability in defending networks and systems from sophisticated cyber threats. No more multiple choice exams, get genuine security operations experience with content developed by industry experts and a challenging practical assessment.


Individual Students:

  • 5 months access to our on-demand training course
  • 5 months access to our brand-new lab platform & 120 hours of lab time
  • Step-by-step guides to set up your own small-scale labs so you can keep learning even after the course
  • 2 exam attempts (initial and a free resit, with feedback after each exam)
  • Dedicated student forum supported by SBT staff
  • BTL2 Acclaim digital badge and badge on Blue Team Labs Online
  • High quality PDF certificate and physical card certificate
  • BTL2 silver challenge coin, or a gold coin if you score 90% or above on your first exam attempt

Corporate Clients:

  • All of the above
  • Team Leader management portal. Track course and lab progress for all your team members
  • Corporate discounts starting at 3 students (including voucher scheme to ‘buy now, use later’)
  • Corporate discounts for Blue Team Labs Online, BTL1, and BTL2 bundles

Benefits of BTL2

BTL2 is designed to strengthen technical defenders who already have experience and exposure to security operations. BTL2 will develop you in niche areas that make you stand out as an advanced defender. Below are some examples of the skills and experience you will gain.

  • Identify, analyze, prioritize, and remediate vulnerabilities to effectively reduce risk.
  • Conduct static and dynamic malware analysis to gather indicators of compromise and document details of the malware’s purpose and utilized techniques.
  • Write SIEM detection rules and tune them to be as efficient as possible by conducting adversary emulation activities.
  • Perform threat hunts to detect adversaries that have already breached the perimeter.

Who is the course for?

BTL2 is aimed at security professionals with 2-4 years' experience in a practical role, but can be suitable for individuals with less experience provided they can commit to the intense training. Roles that we believe would benefit from this course include:

  • Mid-Senior Security Analysts
  • Mid-Senior Incident Responders
  • Mid-Senior Security Consultants
  • DFIR Specialists
  • Threat Hunters
  • Malware Analysts


Below you can download our course syllabus to learn more about the content that is covered in the training course and tested in the practical assessment (we’ve also provided a high-level overview in the tabs below!). The certification is split into 4 domains.

Malware Analysis

Domain Sections:

  • Introduction to Malware Analysis
  • Build Your Own Analysis Lab
  • Static Analysis Tools and Techniques
  • Dynamic Analysis Tools and Techniques
  • Malware Analysis Practice

This domain features 10 hands-on cloud labs:

  • Hashing and Strings
  • YARA and YarGen
  • Monitoring Malicious Processes
  • Utilizing Sysinternals For Analysis
  • Portable Executable Analysis
  • PDF Analysis
  • Office Document Analysis
  • Blackbox Analysis – PE File
  • Blackbox Analysis – PDF File
  • Blackbox Analysis – Office File


Threat Hunting

Domain Sections:

  • Introduction to Threat Hunting
  • Build Your Own Hunting Lab
  • Endpoint Threat Hunting
  • Network Threat Hunting
  • Hunt Reflection and Report Writing

This domain features 9 hands-on cloud labs:

  • Winlogbeat to ELK
  • Replaying Attacks With ELK
  • Windows Program Execution
  • Windows System Hunt (w/ ELK)
  • Linux System Hunt
  • Beacon Detection with RITA and Wireshark
  • Hunting Empire C2
  • Hunting Meterpreter C2
  • Creating Deliverables, DeTTECT & Navigator

Vulnerability Management

Domain Sections:

  • Introduction to Vulnerability Management
  • Host Discovery
  • Vulnerability Discovery
  • Analysis, Prioritization, and Threat Intelligence
  • Reporting and Remediation

This domain features 8 hands-on cloud labs:

  • Active Discovery With Nmap
  • Active Scanning With OpenVAS
  • OpenVAS Scanning
  • Nikto Scanning
  • NSE Scanning
  • WPScan Scanning
  • Scan Analysis
  • Vulnerability Remediation
  • Blackbox Vulnerability Assessment

Advanced SIEM & Emulation

Domain Sections:

  • Introduction to Advanced SIEM
  • SIEM Architecture
  • Build Your Own SIEM Lab
  • Proactive SIEM (Hunting)
  • Adversary Emulation, Detection, and Analysis

This domain features 7 hands-on cloud labs:

  • Threathunting App Deployment
  • Analysis and Hunting
  • YARA IOC Scanner
  • Adversary Emulation With CALDERA
  • Creating Rules and Dashboards
  • Command-and-Control Detection
  • File Integrity Monitoring


We have not yet announced all of the details regarding the certification process for BTL2. We will provide more information in early December.

The BTL2 exam is designed to practically assess students on the four domains covered in the training course by utilising a range of tools and techniques to investigate a realistic intrusion scenario. The exam is comprised of two components:

  • A number of questions that must be answered during the investigation
  • A written report based on a provided template

Students must score 70% or higher to pass and earn the silver BTL2 challenge coin, and 90% or above on their first attempt to earn the gold challenge coin.


We believe feedback is absolutely crucial to developing your skills, rather than just passing the certification. We will provide feedback to all students regardless of whether they pass or fail our exam, so you can understand your weak areas, and become a stronger security professional.



You will have access to the on-demand course and lab platform (with 120 lab hours) for 5 months (155 days) from the date of purchase. Your certification exam vouchers are valid for 12 months from purchase. We have guides to create your own labs for the Advanced SIEM, Threat Hunting, and Malware Analysis domains, so you can continue to practice even after your access expires.

Do you offer discounts for individuals?

Please do not email us asking for discounts or free vouchers – if we decide to run a discount or giveaway, we will post it on our social media accounts and website.

Why is this course so expensive?

While it may seem like a lot, BTL2 is an extremely large course and is very competitively priced compared to other companies on the market. This price is based on the scope and quality of the content, training labs, and importantly, our practical exam. It is not cheap to build and maintain a course and certification of this scale, including technology, employees, and certified rewards.


After feedback from our community, we decided that BTL1 is not required to take BTL2. While BTL2 is aimed at security professionals with a recommended minimum experience of 2 years in a technical role, it is definitely possible for an individual with less experience to take and pass BTL2, but it will require discipline and dedication.


Of course! We offer discounts on BTL2 vouchers in progressive tiers, starting at 3 students in one order. We also offer discounts for BTLO, BTL1, and BTL2 bundles. Another benefit includes a Team Leader console to track the progress of your team members across our training courses. You can request a quote via the button at the top of this page where you’ll be passed to one of our Account Managers.

What happens if my training access expires? Can I still access the labs and exam?

Yes. BTL2 separates the certification into three elements: the training, the labs, and the exam. This means that even if your training access expires you can still practice and take the exam, giving you up to 5 full months of studying (if your training access has ended when you start the exam, we’ll even give you access to the course for the exam duration so you can reference the material during your attempt!).


Yes, we provide one-time paid extensions for either 31 days or 62 days. These can be purchased from the store on our new lab platform and will automatically add the number of days to your existing total. This will extend your access to the course, labs, and forum.

My friend wants to take the training and labs but he cannot afford it - can I just share my account with them?

Account sharing or leaking course materials to non-paying individuals is a breach of the BTL2 Terms and Conditions and will lead us to automatically remove BTL2 from your account with no refund. We also reserve the right to claim for legal damages based on the extent of the T&C breach.

Security Blue Team is dedicated to providing affordable, practical, and high-quality defensive cybersecurity training, certifications, and community events.