Back to blog
Study Tips9 min read

How to Pass the BTL1 Exam in 2026: A Study Plan for the 24-Hour Practical

Learn how to pass BTL1 in 2026 with a six-week study plan built for the 24-hour practical exam. Covers the five domains, Splunk and Autopsy prep, note-building and exam-day time management.

Owen Gallagher

Owen Gallagher · Study Skills & Careers Editor

18 July 2026

If you want to know how to pass BTL1, the honest answer is that reading will only get you halfway. The Blue Team Level 1 (BTL1) certification from Security Blue Team (now trading as Centri) is not a multiple-choice exam. It is a 24-hour, hands-on incident investigation where you sit in the analyst's chair, pull apart a compromised environment, and prove you can actually do the job. That is exactly why employers rate it, and exactly why candidates who cram theory tend to run out of time.

This guide gives you a realistic six-week study plan for the BTL1 practical, the tools you must be fluent in before exam day, and a set of time-management tactics for surviving the full 24 hours without burning out. Follow it and you will walk into the exam knowing what to do, not just what to recite.

What the BTL1 Exam Actually Is

BTL1 is an entry to junior level defensive security certification aimed at SOC analysts, incident responders, and anyone moving into a blue team role. The course and exam are built around real analyst workflows: triaging alerts, analysing phishing emails, pivoting through logs, and writing up findings.

The headline facts you need to plan around:

  • Format: browser-based, open-book, unproctored, fully hands-on. No multiple-choice.
  • Length: a single 24-hour window from the moment you start.
  • Questions: 20 task-based challenges tied to one connected incident scenario.
  • Pass mark: 70% to certify. Score 90% or higher on your first attempt and you earn the gold coin.
  • Attempts: each BTL1 purchase includes two exam attempts, so a first-time fail is not the end.
  • Validity: the certification does not expire, so there is no renewal treadmill.
  • Cost: around 490 US dollars for the full package including training, labs, and both exam attempts, with discounts for students, military, and first responders.

Exam Tip: The BTL1 exam is open-book, but the clock is the real enemy, not the content. Candidates fail because they cannot find their notes fast enough, not because they lack knowledge. Your note system is your single most important asset.

Because the exam simulates a compromised organisation and follows the MITRE ATT&CK lifecycle, you are not answering isolated trivia. You are reconstructing an attack from phishing through to impact, which means the skills stack on top of each other.

The Five Domains You Are Tested On

The BTL1 course is split into domains, and the exam pulls from all of them. Knowing the weighting of your effort matters more than knowing every page of the material.

DomainWhat it coversExam focus
Security FundamentalsNetworking, the CIA triad, common attacks, blue team rolesLow, foundational context
Phishing AnalysisEmail headers, malicious attachments, artefact extraction, defenceHigh, a common opening task
Threat IntelligenceThreat actors, IOCs, the intelligence lifecycle, MITRE ATT&CKMedium
Digital ForensicsEvidence acquisition, Autopsy, memory and disk analysis, Windows artefactsHigh
Security Information and Event Management (SIEM)Splunk, log analysis, writing queries, building detectionsVery high, Splunk is central
Incident ResponseThe IR lifecycle, containment, MITRE mapping, reportingHigh

The pattern is clear. Phishing analysis, digital forensics, SIEM, and incident response carry the exam. Splunk in particular sits at the centre of the practical, so if you are shaky on search syntax you will lose hours you cannot spare.

Where Candidates Lose Marks

  • Splunk unfamiliarity. The course does not drill Splunk as hard as the exam demands. Reps matter.
  • Thin forensics practice. Autopsy and Windows artefact analysis need hands-on repetition, not reading.
  • Weak note structure. Open-book only helps if you can retrieve the right command in seconds.
  • Poor evidence tracking. Losing track of which artefact answers which question wastes your final review pass.

A Six-Week BTL1 Study Plan

This plan assumes roughly two to three hours a day on weekdays with longer weekend sessions. If you can commit three to four hours daily you can compress it to around four weeks. The course itself is about 40 to 50 hours of material, so the schedule below front-loads content and back-loads hands-on repetition.

Week 1: Foundations and Phishing

Work through Security Fundamentals and the full Phishing Analysis domain. Do not rush this. Phishing is often the entry point of the exam scenario, so being fast at reading email headers and extracting artefacts pays off immediately.

  • Complete all Security Fundamentals and Phishing labs.
  • Start your master notes document with a dedicated phishing section: header fields to check, tools to use, and a repeatable analysis workflow.

Week 2: Threat Intelligence and MITRE ATT&CK

Cover Threat Intelligence and get genuinely comfortable with the MITRE ATT&CK framework. The exam maps attacker behaviour to ATT&CK techniques, so you need to think in tactics and techniques, not just tool output.

  • Practise mapping observed activity to ATT&CK techniques.
  • Add an ATT&CK quick-reference to your notes, focused on the tactics an intrusion actually moves through.

Week 3: Digital Forensics

This is a heavy week. Work through Digital Forensics and spend most of your time inside Autopsy and Windows artefact analysis rather than reading about it.

  • Redo every forensics lab at least once. You can reset labs up to three times, so use them.
  • Note the exact steps for acquiring evidence and locating key Windows artefacts.

Week 4: SIEM and Splunk (the big one)

Splunk is the tool most likely to make or break your exam. Spend the whole week here.

  • Rebuild every SIEM lab from scratch without looking at the walkthrough.
  • Write your own Splunk cheat sheet: base searches, field extraction, stats and table commands, and time-range filtering.
  • If the course labs feel thin, get extra reps on free platforms such as TryHackMe or a local Splunk install before you sit the exam.

Week 5: Incident Response and Reporting

Tie everything together with the Incident Response domain. The exam is one connected incident, so practise moving from detection to containment to reporting as a single narrative.

  • Practise writing clear, concise findings. Reporting quality is part of the skill being tested.
  • Finalise your notes so every domain has a fast-access section.

Week 6: Full Practice and Note Consolidation

Do not learn new material this week. Consolidate.

  • Run timed mini-investigations that force you to use Splunk, Autopsy, and phishing tools in one flow.
  • Trim your notes so retrieval takes seconds, not minutes.
  • Book the exam for a weekend or a day off so you have recovery time built in.

Exam Tip: Reset and redo labs deliberately. Passive re-reading feels productive but does not build the muscle memory you need when a 24-hour clock is running. Repetition on Splunk and Autopsy is the highest-return activity in the whole plan.

How to Survive the 24-Hour Practical

The 24-hour format sounds generous, and it is, but only if you treat it as a shift rather than a sprint. Here is how experienced passers approach exam day.

  1. Read all 20 questions first. Before you touch a single tool, read every challenge. This gives you a shopping list of exactly what artefacts and answers to hunt for, and it stops you investigating things that do not earn marks.
  2. Build a findings table as you go. Track each question with columns for the question, the evidence you found, the tool or command used, your conclusion, and your confidence level. This makes your final review pass fast and accurate.
  3. Move on when you are stuck. The exam is designed to feel overwhelming in places. If a question stalls you, park it, work another, and return with fresh eyes. Momentum matters more than order.
  4. Use the whole window. Full-time workers often start in the evening, clear most questions by night, sleep, and finish clear-headed in the morning. Rest is a strategy, not a weakness. Do not rush to finish early.
  5. Document like a real investigation. Take detailed notes and screenshots as you would in a genuine incident response. Good documentation protects your marks and mirrors the job.

A Sensible 24-Hour Rhythm

PhaseRoughlyWhat you are doing
SetupFirst 30 minutesRead all questions, note your shopping list, set up your findings table
First pushHours 1 to 6Tackle the questions you can answer quickly to build confidence and score early
Deep workHours 6 to 12Work the harder forensics and SIEM challenges while you are fresh
RestA proper breakSleep or step away. Do not skip this
Second pushNext morningClear parked questions, chase remaining evidence
ReviewFinal hourVerify every answer against your findings table before you submit

Is BTL1 Worth It for a SOC Analyst Role?

For entry and junior blue team roles, BTL1 earns its place. It appears consistently in SOC analyst and security operations job adverts, and holders typically sit in the 65,000 to 95,000 US dollar range for roles such as SOC Analyst Tier 1, Blue Team Analyst, and Incident Handler. The practical format is the selling point: it proves you can investigate, not just recall.

One honest caveat. BTL1 validates skills you have, it does not manufacture skills you lack. A certificate without real competence will not survive a technical interview, so treat the study plan as genuine skill-building, not box-ticking.

If you are weighing BTL1 against other early defensive certifications, it pairs naturally with the knowledge base from CompTIA CySA+ and CompTIA Security+. Many analysts use Security+ or CySA+ to build theory, then use BTL1 to prove hands-on ability. You can explore structured practice for the whole defensive track through the CertCrush courses.

Common BTL1 Mistakes to Avoid

  • Treating it like a memorisation exam. It is a doing exam. Labs over reading, every time.
  • Neglecting Splunk until the end. Start search practice in week one and never stop.
  • Building notes you cannot search. Structure by domain and task, with commands ready to copy.
  • Skipping the rest window. Fatigue causes more failed answers than knowledge gaps.
  • Not reading all questions first. You will waste hours investigating things that earn nothing.

Ready to Start Practising?

Passing BTL1 comes down to hands-on repetition, a searchable note system, and disciplined time management across the 24-hour window. Build the skills properly and the exam becomes a demonstration rather than a gamble.

CertCrush helps you build the underlying knowledge that makes hands-on exams like BTL1 far less intimidating, from phishing analysis and SIEM fundamentals to the incident response lifecycle. Create your free CertCrush account to start practising, browse the full defensive security track in our courses, and turn your study plan into exam-day confidence.

Put in the reps, trust the plan, and go earn that coin.

BTL1Blue Team Level 1SOC analystblue teamstudy planSecurity Blue Teamdefensive securityincident response
Owen Gallagher

Written by

Owen Gallagher · Study Skills & Careers Editor

Owen spent years as an IT trainer watching smart people fail exams they should have passed — usually because of how they studied, not what they knew. He writes about study technique, exam psychology, career strategy and the service-management certifications (ITIL, PRINCE2, APM). His articles are the ones to read before you open a single practice question.

All articles by Owen

Want a BTL1 practice course?

We don’t cover this exam yet — we build the most-requested courses first. One click tells us you want it.

Ready to crush this exam?

Set your exam date, follow a daily plan, and watch your readiness score climb — realistic practice with an explanation for every answer.