Skip to content

Blue Team Level One (BTL1)

[Date taken : March - April 2026] [Overall Rating : 4/5]

I took this course to learn something about how blue teams work, as it can be helpful in both red teaming and if I want to switch roles in the future. BTL1 is an entry level certification, so for this review I am going to take that into account in my ratings.

I think as an entry level certification it does a good job, but if you want to take away deep technical skills you should look somewhere else.

Course & Lab

[Overall Rating : 4/5] [Homepage : securityblue.team]

The course contents are pretty high level on most subjects, with only the email analysis section going into more details. But as it tries to cover many different subjects (security fundamentals, phishing analysis, threat intelligence, digital forensics, SIEM, and incident response) while being a entry level course, this is understandable. If you are short on cash and do not need the cert, you can probably find most information from searching the Internet, watching YouTube, asking a LLM or installing the tools and playing around with them. I appreciated that the different topics were pretty self-contained, so you can take them in the order you like. A small caveat to the course is that it is not lifetime access, so you can not use it to look stuff up afterwards if you did not take extensive notes (or scrape the course contents).

Where it really shined for me were the labs. Again they are nothing sophisticated, but it was nice to play around with the different tools without having to figure out where to get them, installing and configuring them, searching test data, etc. The lab infrastructure worked surprisingly well, except the clipboard having a limited transfer size and one VM refusing to start. But at least copy / paste worked at all, which is more than I can say about most labs from other providers. One slight annoyance for me mostly using my 14" laptop is that the panel where you see the questions and need to submit the answers in opens over the VM's screen. So I had to constantly open it, scroll down, paste in the answer and close it again instead of being able to have it open all the time.

I worked through all the sections and exercises and it took me probably slightly more than the around 30 hours they advertised, with around 10 hours of that being lab time.

Exam

[Overall Rating : 3/5]

As they state in the exam preparation section (sadly not publicly accessible), the exam is built around only a small number of tools. This also means that it covers only around three if the five main topics. As such it is not really testing everything you learned, which I think is one of the core purposes of an final exam.

Because there is no proctoring, you can take the exam at any time without scheduling it ahead of time. It took me a couple hours to solve it (you have 24) and somehow I got some answers wrong, leading only to a 90% score. For someone from a pentesting background the exam should be easy, even without looking at the course. This matches with their statements on their website, where they say:

On average 70% of students pass on their first attempt. Over 99% of students that use their free retake pass the exam.

Given this, it seems to be intended to be solvable by almost anyone if you paid some attention and put in a bit of effort. Which I guess is pretty nice for an entry level cert, as you are almost guaranteed to get the cert for the money you paid (£399.00 GBP), unlike say with an OSCP, where you may have to shell out extra money for retakes.

Outlook

As I mostly enjoyed this course I looked at the followup Blue Team Level 2 course. But for some reason it is five times as expensive (£1,999.00 GBP instead of £399.00 GBP), so I decided against it. If it were the same or a slightly higher price than the BTL1, I could understand and might have taken it. But this price difference looks as if they want to cash in on people taking getting it sponsored by their job.

But I found it funny that they have some free (though short) modules on threat hunting and vulnerability management, two of the four topics of the BTL2.