Why BTL1 Should be on Your Job Descriptions

Securing Technical Candidates

By Security Blue Team

This post explains how adding the Blue Team Level 1 certification to your cybersecurity job descriptions, whether you’re a hiring manager or a recruiter, can have great benefits when identifying capable candidates. Certification holders have been thoroughly tested using practical, real-world scenarios across a range of blue team domains, including incident response, digital forensics, SIEM, threat intelligence, and phishing. Let’s get into why this entry-level certification is so valuable!

  • What is Blue Team Level 1?
  • Tools Covered
  • Created by Industry Experts
  • Practical Training and Assessment
  • Conclusion

What is Blue Team Level 1?

BTL1 is a hands-on defensive security training course and certification that showcases practical ability in defending networks and systems from cyber threats. BTL1 is trusted around the world by public and private sector clients, including governments, military, law enforcement, telecommunications, financial institutions and more. The course and its associated exam cover six domains:

  • Security Fundamentals: Covering the building blocks for the rest of the course, this domain focuses on security controls, networking principles, soft skills, and security management.
  • Phishing Analysis: Students will learn to identify phishing emails, analyse them thoroughly using a range of tools, report on the tactics utilised, and take defensive actions to protect the organisation.
  • Threat Intelligence: From threat actors to tools, techniques and procedures, students will gain an understanding of tactical, operational, and strategic threat intelligence practices.
  • Digital Forensics: Covering endpoint and memory investigations on Linux and Windows systems, students will also learn core forensic principles and concepts such as the Order of Volatility and Chain of Custody, to ensure sound forensic examinations.
  • SIEM: Students will learn about the entire SIEM lifecycle, from deployment to logging, aggregation to correlation, and finally creating and investigating alerts and suspicious activity through log and network analysis.
  • Incident Response: Mapped to the NIST incident response lifecycle, students will learn everything from preparation to lessons learned, understanding how to defend against, detect, and respond to cyber events and incidents.

The course is composed of written lessons, videos, quizzes and practical activities, addressing all learning styles to provide the best learning experience for our students. Our revamped course syllabus is available as a PDF download.

Tools Covered

BTL1 covers tools that security professionals actually use day-to-day, meaning the candidate is ready to ‘hit the ground running’ in a new role. Students get hands-on with all of the following tools and tasks: reviewing and writing Sigma rules, setting up Splunk and analysing malicious activity, performing forensic investigations with Autopsy and Volatility, and pulling apart phishing emails with text editors and PhishTool.

Created by Industry Experts

The training course and certification exam were created under the supervision of our Academic Advisory Board, which has over 100 years of industry experience. The board is made up of Senior Security Analysts, SOC Managers, Security Trainers, and other senior security roles, which ensures the content is accurate, realistic, and applicable to modern security operations.

Practical Training and Assessment

We don’t use a multiple-choice exam to determine whether students meet the high standard of knowledge; instead, they have to get their hands dirty in a realistic intrusion scenario. To become certified, students must complete a practical 24-hour incident response assessment. They will have access to a cloud lab via an in-browser session for up to 12 hours and will complete activities against multiple hosts, such as network analysis, endpoint forensics, SIEM investigations, and more. Throughout the exam, candidates complete a provided report template which features sections for timelines, indicators of compromise, and detailed walkthroughs of their investigations per host. Students have an additional 12 hours once their lab access has expired if they need more time to finish their report.

We believe feedback is absolutely crucial to developing skills, rather than just passing a certification. We provide detailed, human-written feedback to all students regardless of whether they pass or fail our exam, so they can truly understand their weak areas and work to become stronger security professionals.

We hope this post has given you an insight into why BTL1 is an extremely strong entry-level certification, and that candidates holding it have been tested using the tools and processes we use daily as defensive security professionals. If you’re looking to hire technically competent defenders, we hope you’ll consider adding BTL1 to your job descriptions today!

If you have any questions, please reach out to us at contact@securityblue.team!