I recommend reading Blue Team Level 2 (BTL2) – Review Part 1 to get some additional background on my journey with this certification.
Why I took this certification.
I took this certification not to move up the security ranks or get a new career. It was for me to level up and to be able to recommend this certification to other analysts that want to take that next step. I wanted to test the water, gain some new skills, and, ideally, recommend this as the gold standard for a blue teamer.
Material and Labs
If you read my previous review, I mentioned some things being unpolished. So, I waited until the last minute to do this exam. Doing so, I knew taking a 2nd attempt would be outside my approved exam time frame. But I waited until the last minute to have the most finished product with BTL2. I have to say there have been some big improvements from the start of the year until now, but in the end, it still feels slightly unpolished. I’ll use one example: Previously they didn’t provide solutions to the labs, but after a question on their forum, they decided to do so, which is great and expected from a learning platform.
I started working through the course material and labs once again in October. I found the solution section helpful because it might give me insight on how to do a process more efficiently or just differently altogether. The beginning labs were thorough, but as I got further into the material, I found that the solution sections were not filled out yet. There was one particular lab where I was interested in alternative ways to get the answer, and the solutions were not there. I went onto the forums and found another student had asked for this in July 2022. I saw that from July to my current time (October), four other students had the same question… no response. I commented to bump up the thread, and suddenly, there was a filled-out solution page, and they closed the thread. So from July to October, they had the page for solutions, but not filled out. It’s things like this that I was still experiencing after all this time, and they are what I mean by “still not polished”. Things like this worry me about taking any future material, such as BTL3 or CSOM.
As a side note, I want to say while I was going through the material, I used outside resources heavily, both BTLO and TryHackMe. I did this because some of the TryHackMe labs gave me a better experience with the tools I was learning than what I found in BTL2 labs. I used BTLO as well because there are no time restrictions on it. I could work for 30 – 45 minutes, take a 30-minute break and pick up right where I left off. Having 120 hrs of lab time is a lot, but I also had that nagging feeling that I was wasting it.
For the exam, I took off from work Friday and Monday. The reason was to start the exam Friday at 10 am and, if necessary, have until Monday at 10 am to complete the exam. I felt this was a good strategy, and afterward, it worked out.
The exam itself is easy to start, just hit the button, wait a few minutes, and you’re brought to your lab environment, which looks like the labs in the course. So nothing new or shocking there. Also, at the top of the lab is a timer to track how much time you have left for the exam and a spot to reset the lab if necessary. There is a limit on the number of times you can reset the lab, but the number is pretty high.
Once you get into the exam, you’ll get a report template which you will use to fill out your findings. I recommend reading through the whole template, as I did not and found myself filling out a section I wasn’t aware of and adding several more hours to the documentation process. Also, you’ll be given a scenario. Make sure to read through that. Once the lab starts up, you’ll be eager to jump in, but I’d just say hold back, read everything and get yourself situated first.
Once comfortable, it’ll take some time to get your tools situated. There’s a lot of information in the instructions. It took me 30 – 45 minutes to set up and ensure everything was working correctly. If you reset the lab, you’ll have to do all this again. I wouldn’t say it’s a deterrent to reset the lab, but the first time setting up just takes a little time to understand what does what and how to get yourself situated. For the exam itself, you have 3 days to do your analysis and write your report, but if I had kids or needed to run errands, I would have been more pressed for time. I dedicated 72 hours to it and submitted the report with only 10 hours left. So I feel it’s important to set time aside for this and let others know that you’ll be doing it.
Regarding the exam, the boxes are beefy in the sense of resources given to them, but I found some issues with one of the boxes being pretty sluggish when using any tools. I had experienced this in the BTL2 labs previously. I believe it has to do with some configuration done on the operating system itself and not because of the resources dedicated to the box. I can’t say I’ve seen it in other places like TryHackMe with boxes that had fewer resources, so it has to be a configuration issue. I know I’m being a little vague, and that’s on purpose, but I also want to mention it because it feels like a known issue, and I don’t want future students to be frustrated; just give things time to work. Go make some coffee, drink a cup, fill up, drink another cup, then it should be ready to go.
The third day for me was left for report writing. I felt like there was some more analysis I wanted to do just because I had some issues with the tools I was using, but unfortunately, based on how much was needed for the report, I felt like I just had to let it go. The report felt very redundant; I don’t know if that’s for them to help with grading, but I felt like with some pieces of information I was providing the same pieces of evidence 2 or 3 times. I also thought it would be quicker than it truly was. I stayed up until close to midnight, trying to finish it up since I didn’t want to wake up early just to finish it. I would like to see the exam be 96 hrs instead of 72 hours, but I understand their decision.
The overall impression
The majority of comments from LinkedIn and Discord have been positive. Two major comments seem to be a recurring theme, one being how challenging the exam is, and the other being that it’s 72 hours. I see people mentioning the exam categories, and that’s about it. In this conclusion, I would like to give a little more than that.
I can’t say that this course/exam specifically leveled me up. I’m not sure if it would be helpful for someone with less experience; it’s just hard to say. It’s also hard to say because I’m a visual learner, and most of the material is text. While pursuing this certification, I did level up, but that was because of watching and reading learning material from other content creators like John Hammond, HuskyHacks, Didier Stevens, Josh Stroschein, and Matt Weiner in preparation for the exam. I believe certifications do this in general and it’s not specific to this exam.
The exam was just weird to me in some aspects. I constantly felt like I was looking at a 10-piece puzzle and always missing a piece or two. I didn’t feel like it was overly complicated, but the whole time I was just not seeing a piece of evidence to tie it all together. I don’t have the exam results when writing this, but if I fail, maybe it’s because of this, or if I pass, maybe there wasn’t anything there for me to find. I don’t know.
For me, my feelings are torn by the course and exam. When it comes to the course material and labs, that unpolished feeling left a bad taste in my mouth. Can you succeed in spite of this? Clearly, as I saw others pass. But for me, I paid roughly $2k out of my own pocket for this, and I was hoping for something more polished by this time. I will continue to subscribe to BTLO, but am apprehensive about pursuing any more of their certification programs. If I do, it’ll be years after the release date; even then, I would have my apprehensions about it.
2/5/2023 – Update
I was notified that I have passed the exam. I know they said they provide feedback for either a pass or a fail, but I didn’t realize how detailed they would be with a pass. This feedback is way better than other practical exams I’ve taken. The feedback was truly appreciated.