How to prepare for the BTL-1 exam

I’ve recently passed the BTL-1 exam with 100% of the score. This article is intended for those who are currently studying or considering taking the exam.

Blue Team Labs Online 🔵

The best way to pass this exam is through practice. BTLO is a platform developed by Security Blue Team, who are also the creators of this certification.

Free Version

• All 41 challenges
• 6 investigations (2 Incident Response, 2 Digital Forensics, 1 Reverse Engineering)

Pro Version

• All 41 challenges
• 145 investigations

I highly recommend purchasing the PRO version to conduct more investigations using the same tools in the exam. This platform is also very useful once certification has been achieved.

Phishing Analysis 🎣

In this domain, you will learn how to identify a malicious email and how to extract artefacts.

Tools for Artifact Analysis

• VirusTotal
• URLHaus
• Talos File Reputation
• Hybrid Analysis

BTLO Practice

• Phishing Analysis
• Phishing Analysis 2

External Resources

• Phishing Quiz #1
• Phishing Quiz #2

Threat Intelligence 🧠

This domain is focused more on theoretical concepts and lacks practical application. The vital focus here lies in studying the MITRE ATT&CK framework and the prevalent attack techniques.

BTLO Practice

• ATT&CK
• Foxy
• Cipher

External Resources

• MITRE ATT&CK
• Awesome Threat Intelligence

Digital Forensics 🕵️

This domain teaches gathering digital evidence and conducting investigations on Windows and Linux.

BTLO Practice

• Sukana
• Countdown
• Sticky Situation
• Memory Analysis - Ransomware

External Resources

• Awesome Forensics

SIEM 🔎

Splunk is every student’s worst nightmare. This is where many students fail, mainly because they do not get enough practice.

BTLO Practice

• Drilldown

External Resources

• Splunk Documentation
• Splunk 101
• Splunk: Exploring SPL
• Investigating with Splunk

Incident Response 🚧

This domain teaches you how to respond to an incident. It is the most important because this is what you will do in the exam.

BTLO Practice

• Sukana
• Deep Blue
• Browser Forensics - Cryptominer
• Attacks
• SAM

External Resources

• Awesome Incident Response

General Tips 💬

• Don’t rush the exam. Nobody will give you a prize for speed.
• Read the scenario carefully, even more than once if necessary.
• In case of failure in the first attempt, don’t worry.
• Google is your best friend.
• Before submission, ensure that the answers adhere to the required format.
• Take notes during the course, especially on important tools.

I also suggest to watch this YouTube video by Malik Girondin:

Support 🤝

If you have any questions about the exam, please consult this page.