// Exam Overview
BTL1 is a practical, hands-on certification from Security Blue Team. Unlike CompTIA exams, there are no multiple-choice questions � you're given a real incident scenario and must investigate, answer questions, and write a report within 24 hours.
| Detail | Value |
|---|---|
| Exam format | 24-hour practical lab environment + report submission |
| Pass mark | 70% (Silver: 80%, Gold: 90%) |
| Exam domains | Phishing Analysis, Threat Intelligence, DFIR, SIEM, Incident Response |
| Primary SIEM tool | Splunk |
| Primary forensics tool | Autopsy |
| Report required | Yes � write up findings as an incident report |
| Open book | Yes � you can use notes, Google, and reference materials during the exam |
The exam is open book. This means the challenge is not memorising facts � it's knowing how to use tools effectively, how to interpret what you find, and how to write clear, professional findings. Speed and methodology matter more than rote knowledge.
// Phishing Analysis
One of the core BTL1 domains. You'll analyse suspicious emails, extract artefacts, check them against threat intel, and write up your findings.
Phishing analysis process
| Step | Action |
|---|---|
| 1. Safe handling | Open the email in a sandbox environment � never click links or open attachments on a live machine |
| 2. Examine headers | Check SPF / DKIM / DMARC results, trace Received chain, note sending IP and domain |
| 3. Check From vs Reply-To | Mismatch is a strong spoofing indicator |
| 4. Extract URLs | Defang and check against VirusTotal, URLscan.io, PhishTank |
| 5. Extract attachments | Hash the file (MD5 + SHA256), check VirusTotal, submit to Any.run sandbox |
| 6. Check domains | WHOIS registration date, MXToolbox, VirusTotal passive DNS |
| 7. Document IOCs | List all IPs, domains, URLs, hashes in defanged format |
| 8. Determine verdict | Phishing / Spear phishing / Benign � with justification |
Email artefact types
| Artefact | Where to find it |
|---|---|
| Sending IP | First external Received header (bottom of chain you trust) |
| Sending domain | From header, Return-Path, MAIL FROM in headers |
| URLs | Email body � hover without clicking, or view source |
| Attachment hash | Save file, run Get-FileHash -Algorithm SHA256 (Windows) or sha256sum (Linux) |
| X-Originating-IP | Some providers include the sender's actual IP here |
| X-Mailer | Tool used to send � phishing toolkits leave identifiable strings |
// Threat Intelligence
BTL1 tests your ability to use threat intelligence platforms to enrich IOCs and understand the threat context behind them.
Key platforms to know
| Platform | What to use it for |
|---|---|
| VirusTotal | Hash, URL, IP, domain lookups � see detections from 70+ AV engines and OSINT context |
| AbuseIPDB | IP reputation � check reports of malicious activity for a given IP |
| URLscan.io | Submit URLs for sandboxed rendering � see what a page looks like, redirects, and scripts |
| Shodan | Internet scan data � see open ports and services on a given IP, identify the host type |
| MITRE ATT&CK | Map attacker behaviour to techniques and tactics � use for threat actor profiling |
| MXToolbox | Email header analysis, DNS record lookups, SPF/DKIM/DMARC checking, blacklist lookup |
| Any.run | Interactive malware sandbox � run suspicious files and see behaviour in real time |
| Talos Intelligence | Cisco's threat intelligence � email sender reputation, IP/domain reputation, threat advisories |
| WHOIS | Domain registration info � check creation date, registrar, contact details |
IOC defanging reference
URL: hxxp://evil[.]com/payload.exe
IP: 185[.]220[.]101[.]42
Email: attacker[@]evil[.]com
Domain: malware[.]ru// Digital Forensics & Incident Response
BTL1 DFIR tasks typically involve Autopsy for disk forensics and Volatility for memory forensics. You'll be given an image or memory dump and asked specific investigative questions.
Autopsy � key actions
| Task | How to do it in Autopsy |
|---|---|
| Create a case | File ? New Case ? add data source (disk image, local disk, logical files) |
| Find deleted files | Data Sources ? right-click image ? Extract Unallocated Space, or browse file tree with "Del" indicator |
| Browse file system | File tree in left panel � navigate to directories of interest (/Users, /Windows/Temp, etc.) |
| Timeline analysis | Tools ? Timeline � view file system activity over time, filter by date range |
| Extract browser history | Results ? Extracted Content ? Web History / Web Downloads / Web Cookies |
| Search for keywords | Keyword Search module � search across all indexed content |
| View registry hives | Windows registry files auto-parsed � check Results ? OS Accounts, Recent Documents, USB Devices |
Volatility � common commands
# Identify the OS from the memory dump
python3 vol.py -f memory.vmem windows.info
# List running processes
python3 vol.py -f memory.vmem windows.pslist
python3 vol.py -f memory.vmem windows.pstree
# List network connections
python3 vol.py -f memory.vmem windows.netstat
# Scan for injected code / hidden processes
python3 vol.py -f memory.vmem windows.malfind
# Dump a process for further analysis
python3 vol.py -f memory.vmem windows.procdump --pid 1234 --dump-dir ./output/
# Check loaded DLLs for a process
python3 vol.py -f memory.vmem windows.dlllist --pid 1234
# Extract command-line arguments for processes
python3 vol.py -f memory.vmem windows.cmdline
# Check registry hives loaded
python3 vol.py -f memory.vmem windows.registry.hivelist
# Extract hashed credentials
python3 vol.py -f memory.vmem windows.hashdump// SIEM � Splunk
BTL1 uses Splunk for SIEM tasks. You'll need to search across log data to answer investigative questions � know your SPL fundamentals.
Core SPL commands
# Basic search � all events from a source
index=windows sourcetype=WinEventLog
# Search with field filters
index=windows EventCode=4625 user=admin
# Count events by field
index=windows EventCode=4625 | stats count by src_ip
# Find top values
index=windows | top limit=10 user
# Time-based search
index=windows earliest=-24h@h latest=now EventCode=4688
# Search for a string across all indexes
index=* "192.168.1.100"
# Rename fields and format output
index=windows EventCode=4625 | stats count as FailedLogins by src_ip, user | sort -FailedLogins
# Rex � extract fields with regex
index=web_logs | rex field=_raw "(?P\d+\.\d+\.\d+\.\d+)"
# Transaction � group related events
index=windows EventCode=4625 OR EventCode=4624 | transaction user maxspan=5m
# Timechart � events over time
index=windows EventCode=4625 | timechart count span=1h Common log sourcetypes in BTL1
| Sourcetype | Contains |
|---|---|
| WinEventLog | Windows Event Log � Security, System, Application logs |
| syslog | Linux system logs |
| access_combined | Apache/web server access logs |
| suricata | Suricata IDS alerts from network traffic |
// Incident Response
BTL1 IR tasks ask you to apply the incident response lifecycle to a given scenario � determining what happened, when, and how to respond.
IR phases (PICERL)
| Phase | Key actions for BTL1 |
|---|---|
| Preparation | Know your tools, playbooks, and escalation paths � this happens before the exam |
| Identification | Analyse alerts, logs, artefacts � determine if an incident has occurred and what type |
| Containment | Isolate affected systems, block malicious IPs/domains at the firewall, disable compromised accounts |
| Eradication | Remove malware, revoke attacker access, patch the exploited vulnerability |
| Recovery | Restore from clean backup, verify system integrity, return to production |
| Lessons Learned | Document timeline, root cause, what worked, what didn't � update playbooks |
Incident report structure
BTL1 requires a written report. A strong report includes:
| Section | What to include |
|---|---|
| Executive Summary | One paragraph � what happened, impact, current status. Non-technical. |
| Incident Timeline | Chronological list of events with timestamps � when was it detected, what happened, what was done |
| Technical Analysis | Detail of your investigation � what logs showed, tools used, what you found |
| IOCs | All extracted indicators in defanged format � IPs, domains, hashes, URLs |
| Containment actions | What was blocked/isolated and when |
| Recommendations | Specific, actionable � patch X, block Y, implement Z control |
// Key Tools Summary
| Tool | Domain | Purpose |
|---|---|---|
| Autopsy | DFIR | Disk image forensics � file recovery, browser history, registry, timeline |
| Volatility 3 | DFIR | Memory forensics � processes, network, injected code, credentials |
| Splunk | SIEM | Log searching and analysis using SPL queries |
| Wireshark | DFIR / Network | PCAP analysis � packet inspection, stream following, protocol dissection |
| VirusTotal | Threat Intel | File hash, IP, domain, URL reputation |
| AbuseIPDB | Threat Intel | IP reputation and abuse reports |
| URLscan.io | Phishing | Safe URL inspection and rendering |
| MXToolbox | Phishing | Email headers, SPF/DKIM/DMARC, DNS lookup |
| Any.run | Phishing / DFIR | Interactive malware sandbox |
| MITRE ATT&CK Navigator | Threat Intel | Map findings to TTPs, identify coverage gaps |
// Exam Tips
Read all the questions before starting. With 24 hours you have time � scan through all the questions first. Some answers you'll find incidentally while investigating something else. Knowing what you're looking for shapes your investigation.
Write your report as you go. Don't leave the report to the end. Document each finding as you discover it � timeline entries, tool outputs, IOCs. You'll thank yourself at hour 20 when you're tired.
Note timestamps carefully. BTL1 questions often ask when something happened. Always record the full timestamp (including timezone) for every event you find. UTC vs local time errors are a common mistake.
The Silver coin matters. A pass (70%) earns your certification, but Silver (80%) unlocks the BTL1 coin � a physical coin sent to your door. Worth pushing for. Gold (90%) is a stretch goal for the most prepared candidates.
Practice with the SBT labs before exam day. Security Blue Team provides training labs for each domain as part of the BTL1 course. Don't skip them � the exam scenarios are built around the same toolset and methodology. If you can complete the labs confidently, you're ready.