Hopefully, this review will be slightly different than others I’ve seen. I won’t go as in-depth on some of the labs, material, or exams because I feel there seem to be several reviews about that already, and I expect many more as this cert becomes more popular. I also warn you I might be making some comparisons to Blue Team Level 2 (my review of BTL2) as I believe the two certifications are very similar. As you read along, you’ll probably feel which one I think is better.
Why I took this certification
I took the Certified CyberDefender (CCD) certification not to move up the security ranks or get a new career. It was for me to recommend this certification to other analysts who want to take that next step. I wanted to test the water, gain some new skills, and, ideally, recommend this as the gold standard for a blue teamer.
Prelude to Material and Labs
Before I signed up, I thought this course would be comparable to BTL1, thinking it was a beginner course. As I progressed through the material and labs, it became evident that this course is comparable to BTL2. I see this question asked often: “Should I do BTL1 or CCD?” It’s genuinely comparing a beginner course to an intermediate one. I want to emphasize that CCD is an intermediate course, as their website states. Can you jump into the CCD material and pass the exam as a beginner? Yes, but just be ready to buckle down with the platform for the next four months.
I also had a chance to jump onto the beta and, in doing so, saw the platform evolve into what it is today. If you compare the beta material, lab, and layout to today’s, it’s almost two different platforms. I believe this is the case because CyberDefenders listens to their customers. I can’t emphasize this point enough. The company is willing to change the platform if its customers have ideas to make it a better user experience. I had seen it in their Discord where a user would make a suggestion, and that change would take effect within a day or two. That one point tells you what kind of experience you’ll get from this certification process.
Material and Labs
The material is mostly text, but as time passed, they included small videos to accompany the material, which I enjoyed. They don’t have sound, but sometimes just seeing somebody navigate a tool can give you pointers on how to take specific steps. I found them extremely helpful. The material that was in text was well written and laid out in small chunks so it could be easily digestible (which was a suggestion from a user, I believe). I found this helpful when I wanted to know about a specific topic or didn’t have much time. I could do a few sections and come back to the rest later. For a while there, they were adding so much material it was hard to keep up. They have slowed down since it’s a finished product now, but I wouldn’t be surprised if, as time goes on, little sections are added here and there; it’s just how this platform is. (They just announced a malware section added to the course, for example.)
The labs, oh man, the labs. The labs were something else. As I mentioned earlier, I thought the labs would be easier, but I have to say, these labs are beasts. Some labs took 10+ hours, and a couple took 5 – 7 hours to complete. So don’t be aggravated if it takes you a couple of hours to answer one question. Sometimes it does feel like you’re “wasting” your lab time trying to figure out one question, but these times of struggling are when you learn. I also worried about only having 120 hours of lab time, but it ended up being way more than needed; I used about 60.
Support
It’s weird to put this down in a review, but I want to mention it because of how well they do it. As mentioned before, they listen to their users. If somebody has an idea for the platform, they don’t seem to blink an eye to change it up. Like the suggestion to make smaller chunks for the material; that was a huge undertaking, and I think most companies would have put it in their backlog and moved on. They heard this suggestion and worked for several days on doing just that for their users.
Now, there were three times when I had to interact with support. Each time I got feedback very quickly; maybe not a fix, but somebody acknowledged my issue and worked to fix it. The first one was when the platform went to dark mode, and as I’m a person whose eyes are affected by dark mode, I have trouble seeing after a while. I asked if there could be a toggle between dark and light modes. I quickly got an answer of, “I don’t believe so, but I’ll work with the development team about it.” They were unable to create a switch, but they provided me with steps I could take with my browser to put it in light mode. They also provided me with a custom video on how to do this step by step. They could have just said “nope” and moved on, or “Nope, here’s an article; good luck”, but they took the extra effort to make a video specifically for me to ensure I had no issues. The second time was when I got an extension to my course time: I did it via their website, and it was updated on the site. Still, the previous expiration day hit, and I was kicked out of the platform. Once again I reached out to support on Discord, and very shortly (within an hour or two), I was back in and working. The last interaction was during the exam. I believed that maybe a particular tool was missing. I was hesitant to ask for support, but I was convinced a tool was supposed to be there and wasn’t. I asked, and within a minute, I got a reply! Now this might not seem like a big deal or just what you’d expect, but I can honestly say I’ve never had this kind of support on other platforms; I just haven’t. I’ve brought up an issue on another platform, was asked to put in a ticket, and to this day, never got a response (literally over a year ago). The interactions with CyberDefenders staff have been excellent, and I think bringing them up as part of my review is essential.
The Discord server has a section for help on the labs. It’s often used for people to ask questions about a particular part of a lab. The team doesn’t ignore these users but encourages them to “take a break and come back.” Now this feels a little like a “try harder” mantra and can be truly frustrating, but I don’t know how many times I’ve seen somebody ask a question and get this response only for the original poster to say, “I got it!” maybe a couple of hours or a day later. I think it’s an interesting concept, and I wonder how often in a SOC or IR person’s day-to-day life we hit a roadblock, and how often we take a break or return to it after doing something else. I would say seldom. It’s a skill that should be in any blue team’s arsenal and is not something I believe to be practiced often.
Exam
The exam can be started anytime in the training portal. Hit the button, wait about 10 minutes, and you’re ready to go. The interface was friendly, but I enjoyed not needing to set anything up. You can start using the tools right away, which gave me the confidence that if I needed to reset the labs, it wouldn’t be an issue. So I feel like CCD got that right. I also appreciated not having to write a report, but it made it harder to “show your work” because I couldn’t just take a screenshot of the command and result and slap it in there. Just a reminder to analysts to write good notes! The other thing I appreciated was that when you put in your answers, they are automatically saved periodically. I didn’t realize this at first and was worried that if my page refreshed or something, I would lose all my work. I started saving my answers to Google Docs at first, only to realize, nope, I don’t need to do that anymore; just put what I had in the text field, and I’m good. I guess that’s one thing: I would want a little more intro to the platform. I felt a little dropped in with, here are the machines and questions; good luck. But I feel like I’m nitpicking a little here. The machines were beefy, and at no time did I feel like something was wrong with them or that they were laggy.
For the exam, I followed my method of 45 minutes of working and 15-minute breaks with more extended lunch and dinner breaks. The first day went from 10 am to 10 pm, and the second day I went from 9 am to 10 pm again. I didn’t feel like the exam was harder or easier than BTL2. I felt it was about the same. In both exams, I felt like I was just missing an aspect of something to get certain answers. I documented everything I did, even though I might not have the answer to the questions. This is what I do when I’m working on an alert in real life; I might not have a 100% conclusion on an alert, but I document what I have done and why I feel that it’s malicious or not.
The overall impression
My goal in taking this certification is to be able to recommend this course to others. I know I can with this course. The material is excellent, the labs are smooth and challenging, and the exam is tough. With all that said, the other reason I’m willing to recommend this course to others is CyberDefenders’ commitment to making the product and platform better. If issues arise or new ideas are put out, CyberDefenders will adjust as needed. I wouldn’t be surprised if in a year or two the course had even more material or labs. As time goes on, I believe CyberDefenders will try to keep their course relevant. I feel like when you sign up for the course, you’re a part of their team. They want to see you excel at the course, and more importantly, outside of the course. I wouldn’t hesitate to jump on the beta again if they came out with any more courses.
CCD and BTL2 are very comparable because they cover vast information in the SOC/DFIR realm and there is some overlap. But for me, CCD wins, hands down. Even if the price is the same, I would always point a security professional toward CCD. CyberDefenders will always strive to improve their product and, more importantly, be there for the users taking the course.
Results
I received my notification that I passed. Funny enough, with the same score that I did with BTL2.