A hands-on defensive security training course and certification, showcasing practical ability in defending networks and systems from cyber threats.

BTL1 has been used around the world to train technical defenders in governments, law enforcement, military units, financial institutions, telecommunications giants, and many more.

Take a quick look...

Do you want to become a defensive security professional? Our course is comprised of almost 300 lessons, videos, tests, and practical activities before a 24-hour practical assessment.

Why Choose BTL1?

Simply put, we don’t use multiple choice exams. We teach and test student’s abilities by using practical methods, and that’s why we’re so popular – our students love getting hands-on with real-world tools, in real-world scenarios, giving them a genuine boost to their career.
Network defenders need to know how to defend, not how to tick boxes.

Different Teaching Styles

To appeal to all learning styles, we teach our content using a mixture of written material, video demonstrations, knowledge tests, and lots of practical challenges and activities.

Content Vetted by Industry Experts

Our own Academic Advisory Board is comprised of 11 industry experts, with over 100 years experience. They work hard to ensure all of our content is relevant and of high quality, ensuring the most beneficial experience for our students.

Relevant & Updated Content

All of our content is updated, relevant, and reflects industry best practice. Learn the skills you actually need to work in a defensive security position.

A Certification That Showcases Practical Skill

Blue Team Level 1 certificate holders have proven their knowledge and ability to perform hands-on security tasks. Students have the practical ability and experience to succeed in defensive security roles.

Course Details


BTL1 is perfect for security enthusiasts or security professionals that want to develop their practical defensive cyber skills. Roles that we believe would benefit from this course include:

  • Security Analysts
  • Incident Responders
  • Intrusion Analysts
  • Threat Intelligence Analysts
  • Threat Hunters
  • Forensics Analysts

Whilst our content is aimed primarily at entry-level or junior roles, read our course syllabus to see if BTL1 is the right choice for you or your team!


As BTL1 is the first certification in our pathway, there are
no requirements for students, as we teach everything from the ground up. However, having the following knowledge would be beneficial:

  • Understanding of both Linux and Windows operating systems
  • Confident in using Linux command-line interface
  • TCP/IP networking knowledge
  • Previous experience in any of the 5 technical domains
  • A genuine passion for cybersecurity

In order to prepare for BTL1, we suggest students take our £20 entry-level training courses, as they cover the above recommended knowledge and a lot more – Click Here.


Below you can download our course syllabus to view the content that is covered in both the training course and the practical assessment. The certification is split into 6 domains:

  • Security Fundamentals
  • Phishing Analysis
  • Threat Intelligence
  • Digital Forensics
  • Incident Response
  • SIEM


Below are just a few examples of the practical skills that you will have acquired upon successful completion of the BTL1 exam:

  • Analysing and responding to phishing attacks
  • Performing forensics investigations to collect digital evidence
  • Analysing logs using a SIEM platform
  • Log analysis including malware infections
  • Conducting threat actor research
  • Implementing network defences
  • and much more!

By completing this certification you are also showing employers or potential employers that you are motived, dedicated, and seeking to better yourself – all very desirable qualities.

Certification Pricing

£ 499

Academic Advisory Board

For security reasons, some surnames and personnel photos are missing from Academic Advisory Board member’s profiles. A complete list of all board member’s profiles can be found by the button at the bottom of this section.

Shawn Thomas


Shawn is a SOC Manager, incident responder, threat hunter, podcaster, and speaker. He builds and manages detection and analysis programs for large enterprises whilst mentoring analysts.

James Q


James is the Director of Security Operations and Incident Response for a global company, and built the SOC capability.

Michael Jenks


Michael has previously worked as a Training Program Leadan analyst, consultant, incident responder, and has helped build multiple Security Operations Centres.

Ismael Briones-Vilar


Ismael is a Senior Security Analyst, specialising in malware analysis and digital forensics, with 15 years experience in this field.

Gage Southard


Gage is an Active Duty Cyber Warfare Operations NCO, and is a SANS Mentor for SEC555.

James Weston


James is a former Police Officer, who is now a Senior Security Analyst, and the Co-Founder and Director of PhishTool.

Certification Process


Once students believe they are ready to take our challenging practical exam, they will be able to book in via our website. Students will have access to the exam lab via an in-browser virtual session for 12 hours, and must complete the report template that will be made available to them. Students will have an additional 12 hours once their lab access has expired. The report is designed to allow students to prove they understand what has happened in the exam scenario. Provided students are confident with the content of the course, and have attempted all of the practical activities, they will be ready to take and pass the exam, becoming Blue Team Level 1 certified.

Once the student has successfully submitted their PDF report, we will mark their submissions and inform the student if they have passed or failed, typically within 21 days.


We believe feedback is absolutely crucial to developing your skills, rather than just passing the certification.

We will provide feedback to all students regardless of whether they pass or fail our exam, so you can understand your weak areas, and become a stronger security professional.

Together we can do more than create an industry certification, we can provide genuinely useful training and assessments that develop student’s careers, improving the quality of blue team members around the world.


Once a student passes the practical exam and becomes BTL1 certified, they will receive a number of rewards for their hard work:

  • Become Blue Team Level 1 certified for life
  • BTL1 printed certificate
  • BTL1 silver challenge coin (gold if score 90%+)
  • BTL1 and SBT logo stickers
  • Unique PhishTool sticker


If students fail the exam, they will be permitted one free resit voucher. After using it, additional resit vouchers can be purchased for £100. Students are not permitted to resit their exam within 14 days of failing. If a student passes the exam, they are not allowed to resit after gaining certification.

Frequently Asked Questions

We provide students with access to our online, self-paced training course that features over 275 lessons, videos, tests, and practical activities. This course will teach them everything they need to know for the exam, and more! Domains include:

  • Security Fundamentals
  • Phishing Analysis
  • Threat Intelligence
  • Digital Forensics
  • SIEM
  • Incident Response

When a student comes to one of our many practical activities, from log and network analysis to implementing a SIEM or threat intelligence platform, they will be provided with safe download links, a guide on how to install any required tools or files on their locally-hosted virtual machine, and the actions they need to complete throughout the exercise.

Using locally-hosted VMs means we can reduce the overhead cost of virtual labs, but it also provides the student with more time and flexibility if they want to expand on the exercises in their own time, improving their understanding and ability.

We do run a student-only forum, where we can answer questions and assist with issues. We intended to build out our support function in the future to offer dedicated support to organizations.

Students will have access to a virtual lab environment via their browser for 12 hours. They will be provided an exam brief, and must complete a number of actions and investigations, drawing on their knowledge and ability from practical activities covered in the training course. After 12 hours they will lose access to the exam lab, and will have another 12 hours to write their incident report based on the activities they have conducted, completing a template we provide.

Within 24 hours, students must have submitted their report to us, which will be hand-marked, and useful feedback provided, typically within 14-30 days.

Security Blue Team is dedicated to providing affordable, practical, and high-quality defensive cybersecurity training, certifications, and community events.