2025 · 5 min read

How I Scored 95% in the Blue Team Level 1 (BTL1) Exam on My Second Attempt

Hey everyone,

I recently completed my Blue Team Level 1 (BTL1) certification, and I want to share my experience — how I failed my first attempt, what went wrong, and how I came back stronger to score 95% on my second try.

If you’re preparing for BTL1, or you’ve failed once and feel discouraged, this might help.

Blue Team Level 1 logo

Before We Begin — A Few Shoutouts to My Friends

Before diving in, I want to give a huge shoutout to my brother Shanuka (AKA Shan) for his incredible review of the BTL1 materials and exam. His insights were instrumental in shaping my preparation and expectations. The right perspective can save you hours of guesswork and wasted energy.

I also want to thank my good friend Justin K. T., who’s always been that grounded voice throughout my cybersecurity journey. His advice came at a time when I needed clarity the most, and it ultimately guided me toward pursuing BTL1.

Below are some references that really guided my journey:

Why I Chose BTL1

Before BTL1, I had earned the eJPT (eLearnSecurity Junior Penetration Tester) certification. That gave me an attacker’s mindset, but I wanted to understand the other side — how defenders detect and stop those attacks.

  • Security+ is great for foundational knowledge, but it is mostly theory and multiple-choice questions.
  • BTL1 is hands-on, practical, and scenario-driven.

I wanted real-world experience, not just memorization. Even though BTL1 costs slightly more, it felt worth it for the practical exposure.

What the BTL1 Exam Really Is Like

The BTL1 exam isn't a quiz. It's a 24-hour, hands-on incident response simulation. The moment you click “Start”, you accept an NDA and your lab environment spins up. From that point, you've got one job: solve the scenario using real tools and real thinking.

You're given an incident scenario and step into the role of a junior SOC analyst. Your job is to solve 20 practical questions using the defensive tools and techniques you learned throughout the course. The exam is open-book, but AI tools aren't allowed. It isn't about memorization—it's about investigating, connecting clues, and thinking like a defender as you would in a real SOC environment.

My First Attempt — What Went Wrong

Before my first attempt, I completed the entire BTL1 course and all the labs. I even did some research online, and most people said that if you've studied properly, the official course alone is enough to pass. That turned out not to be true in my case.

During the exam, I realized how challenging Splunk and Autopsy actually were. The tasks went deeper than what was covered in the course, and that's where I struggled the most.

When I submitted my exam and saw 65% (passing is 70%), it was disappointing — especially because I was aiming for the Gold Coin (awarded for 90%+ on the first try). But looking back, it was clear: I didn't pace myself or prepare deeply enough.

My Second Attempt — What Changed

When I started my second attempt, I already knew what went wrong before. This time, I made sure to use the full 24 hours and not rush through the exam.

Since I work full-time, I started the exam in the evening after work. I worked through most of the questions into the night, then took a break and continued early in the morning. That short rest helped a lot. I was able to think clearly, and finding answers felt much easier than before.

I also made sure to review all my answers before submitting. Taking that extra time really made a difference.

Although the Gold Coin is only awarded to those who score 90% or higher on their first attempt, reaching that score on my second try felt just as rewarding. It was proof that persistence and better preparation truly pay off.

BTL1 results dashboard showing a 95% score

How I Prepared Differently for My Second Attempt

After failing my first attempt, I quickly identified my weak points — Splunk and Autopsy. The BTL1 course covered them, but not in enough depth for the exam. So this time, I decided to practice more hands-on using TryHackMe and BTLO Labs.

Here are the rooms and labs I focused on:

Working on these rooms helped me understand Splunk searches, log analysis, and forensic workflows more deeply. That extra hands-on practice made all the difference in my second attempt.

Key Tips If You’re Preparing for the BTL1 Exam

  • Read the Exam Instructions Carefully: The instructions explain how to access the tools and how to understand the case scenario. Missing even a small detail can cause problems during the exam.
  • Use the Full 24 Hours: Even if you finish early, double-check your answers. Don’t rush.
  • Move On If You’re Stuck: If you can’t find a flag, skip it and return later. Solving others often reveals what you missed.
  • Focus on Splunk, Autopsy, and Wireshark: Splunk and Autopsy are the toughest parts — practice them properly. These make or break your score.
  • Review Before Submitting: After long hours, small typos happen. A final pass can turn a near-miss into a full score.

Security Blue Team — Blue Team Level 1 certificate

Closing Thoughts — Is It Worth It?

Absolutely.

Failing my first BTL1 attempt was humbling, but it turned into the best feedback I could’ve asked for. It forced me to slow down, prepare smarter, and really learn the tools instead of skimming.

If you’re aiming for a SOC or blue-team role, BTL1 is worth it. It’s challenging but fair if you prepare with intention. And if you fail the first time? That’s okay — use it as a road map for your next attempt.