Exam Details

BTL1 Exam Format

The BTL1 exam consists of a single practical component with no theory questions. Once started, students receive 24 hours of lab access to complete the exam and submit their answers.


What Will I Do?

Candidates receive access to a compromised network along with scenario text explaining the situation and the required tasks.


What Tools Will I Use?

The exam emphasizes proficiency with the following tools and areas, supported by prior lab completion:


What Do I Submit?

Students must complete 20 random task-based questions that require specific actions and evidence submission. Answers can be edited before final submission, but all responses must be submitted within the 24-hour timeframe to avoid failure.


What Happens After My Exam?

Candidates immediately receive a PASS/FAIL grade along with their score. Additional post-exam resources include:

  • Feedback on performance

  • Downloadable PDF certificate

  • Submission of shipping details for physical rewards

  • A digital badge from Credly for sharing on platforms such as LinkedIn


Using RDP

Remote Desktop Protocol (RDP) allows a user to connect from one Windows system to another with a graphical interface, similar in concept to SSH. It will be used during the exam to access remote systems, so familiarity with the process is important to avoid delays.


Requirements

To connect with RDP, you must have:

  • The remote system’s IP address

  • A valid username

  • A valid password


Connecting with RDP

RDP can be opened via shortcut or through the Windows search bar. After launching, the connection window appears.

To map a local drive for file transfer:

  1. Click Show Options at the bottom of the RDP window.

  2. Navigate to the Local Resources tab.

  3. Select More….

  4. Expand the Drives section and check C:.

Once connected, the local C: drive appears in the remote session under This PC, allowing files to be copied from the remote system to the local machine for later analysis.
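As an added example (not part of the course material), the same connection and C: drive mapping expressed as a saved .rdp connection file launched from PowerShell, for anyone who prefers to prepare the connection before the exam clock is running. The host address, username and file path are placeholders, and the drive-letter format `C:\;` is assumed to be the form mstsc itself writes when saving its settings.

```powershell
# Added example (not course material): writes an .rdp file equivalent to the
# "Show Options > Local Resources > More... > Drives > C:" steps above, then
# launches mstsc with it. Host, user and path are placeholders, not exam values.
$ExamHost = '192.0.2.10'    # placeholder: use the IP address from the exam brief
$ExamUser = 'analyst'       # placeholder: use the username from the exam brief
$RdpFile  = Join-Path $env:USERPROFILE 'Desktop\btl1-exam.rdp'

# .rdp settings are "name:type:value" lines; s = string, i = integer.
$Settings = @(
    "full address:s:$ExamHost"
    "username:s:$ExamUser"
    "prompt for credentials:i:1"   # mstsc asks for the password; nothing is stored in the file
    "drivestoredirect:s:C:\;"      # same effect as ticking C: under Drives (assumed format)
    "redirectclipboard:i:1"        # allow copy/paste between local and remote session
    "authentication level:i:2"     # warn, rather than silently connect, if the server certificate fails verification
)
Set-Content -Path $RdpFile -Value $Settings -Encoding Unicode

# Launch the connection; once logged in, the local C: drive appears under "This PC".
Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$RdpFile`""
```

Double-clicking the saved .rdp file in Explorer starts the same connection without the script.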


Session Management

  • Active sessions show the remote desktop as if working directly on the system, with an RDP toolbar at the top of the window.

  • To end the session, click the X on the toolbar.

  • To minimize, use the button as with any other application.


Exam Preparation Guide

Following these preparation tips increases the likelihood of scoring well and achieving certification.


Complete All Course Content

Ensure 100% completion of both lessons and labs. The training content is designed to provide the exact knowledge and skills needed to succeed in the exam.


Don’t Rush

Take time to carefully evaluate findings. Rushing can lead to overlooking key information that is essential to the exam scenario.


… But Don’t Go Slow Either

The exam lab is available for 24 hours, providing ample flexibility. Dedicate uninterrupted time, but also take breaks for food, rest, and recovery. Track the remaining time carefully to avoid running short.


Make Sure You Have Good Notes

Collect and organize notes from the course before starting. Document tool usage and key commands, and supplement with publicly available cheatsheets. Well-prepared notes save time during investigations.


Use the Course Bookmarks Feature

Flag lessons that may be useful during the exam. Bookmarked content is accessible with a single click, reducing time spent searching.


Read the Exam Brief

The exam brief, displayed in the lab sidebar, explains the scenario and outlines the information to collect. Careful reading ensures proper understanding of events and required actions.


Write a Timeline

During the exam, build a timeline of major events on your host machine. Record timestamps of key findings and connect related activity to form the larger incident narrative.


Blue Team Labs Online

While the BTL1 course provides all the training needed to pass the exam, additional practice on Blue Team Labs Online (BTLO) can help build confidence and work toward earning the gold challenge coin.

BTLO is a gamified defensive cybersecurity platform with security challenges and investigation labs. It includes customizable profiles, achievements, badges, titles, and global and country leaderboards.


BTLO Content Categories

  • Security Operations

  • Incident Response

  • Reverse Engineering

  • Digital Forensics

You can create a free account at Blue Team Labs Online.


FREE: BTLO Challenges

  • ATT&CK: Work as a Blue Team member tasked with performing threat intelligence. Apply the MITRE ATT&CK framework to solve scenario-based problems.

  • Network Analysis – Ransomware: Investigate a ransomware attack against ABC Industries that encrypted a critical tender document. Analyze the provided network traffic, ransom note, and encrypted file to recover the document.

  • Phishing Analysis: Examine a phishing email and its attachment, forwarded to the SOC, to extract and analyze useful artifacts.

  • Phishing Analysis 2: Conduct triage and artifact collection from a broader phishing campaign.


BTLO Investigations

To locate labs that align with BTL1 tools and activities, visit the Investigations page on BTLO and search for “BTL1” in the left-hand menu.


Exam and Certification Integrity

Maintaining the integrity of the BTL1 exam is essential to protect both the certification’s value and the achievements of legitimate holders.


Non-Disclosure Agreement

Starting the BTL1 exam constitutes agreement to the Exam NDA, which prohibits disclosure of exam content outside of SBT staff. Key restrictions include:

  • No sharing of exam details or answers with others, including friends, family, or colleagues.

  • No posting of details on platforms such as Discord, LinkedIn, or Twitter.

  • No collaboration with other candidates during exam attempts.

Violating the NDA results in certification revocation, bans from all platforms (eLearning, BTLO, CySec Careers), and potential legal action.


Sharing or Using Exam Answers

Recording, sharing, or using exam answers—whether freely or for payment—results in certification revocation and platform bans.

Certification proves genuine knowledge and skills. Cheating provides no real ability and will be evident to employers during interviews.

Suspicious approaches or materials should be reported as outlined below.


Our Security Controls

Exams are actively monitored with undisclosed tools and methods. Key account metadata is recorded to detect and investigate cheating at both small and large scales.


Reporting Suspicious Activity

Suspicious activity, such as being offered exam answers, should be reported through a support ticket on the official website. Include as much detail as possible, including screenshots, to support internal investigations.


By preventing cheating and enforcing accountability, the reputation and value of BTL1 remain strong for all legitimate holders, ensuring it continues to provide meaningful career benefits.


How to Start Your Exam

You may begin the BTL1 exam at any time, provided your exam access is still valid (12 months from purchase) and you have at least one exam attempt remaining. Each BTL1 purchase includes two attempts.


Starting the Exam

  1. Navigate to the Exams tab.

  2. Click Start Exam.

  3. Wait 5–10 minutes for the lab to load.

  4. Connect to the exam environment directly in your browser using the same button.

If the browser window is closed accidentally, reopen it through the same button in the Exams tab.


After Submission

Once all exam questions are answered and submitted, your completed exam attempt will appear at the bottom of the page.

