Navigating Your Next Move After BTL1: The Blue Team Certification Guide

You have accomplished something genuinely challenging: you passed the BTL1, used it to land a SOC Level 1 role, and now find yourself in the enviable position of having a company training budget handed to you.

This is an incredible gift, but it also presents a genuine challenge, because the certification market is incredibly noisy and it is surprisingly easy to spend that money on the wrong thing. This guide is written specifically for you: the dedicated blue team analyst who already has the BTL1, has real hands-on SOC experience, and needs to move beyond entry-level credentials to advance your career.

We are going to cut through all the industry noise, break down the jargon in plain English, and figure out exactly how to make this important decision properly so you can maximize both your budget and your future earning potential.

Why This Decision Matters More Than Your First One

Your first certification did its job perfectly by getting your foot in the door, proving to hiring managers that you possessed the foundational blue team knowledge and hands-on capability needed to be employable in a SOC environment.

However, your next certification serves a completely different and much more strategic purpose, as it essentially defines the trajectory of your entire technical specialization. The choice you make right now signals to both your current employer and future hiring managers whether you are steering your career toward deep incident response, threat intelligence, malware analysis, red team crossover, or cloud security.

More importantly, it dictates the actual, practical skills you will build over the next few months, and in an industry where your hands-on capabilities matter far more than the acronyms you can list on a resume, that skill development is the most critical outcome.

Therefore, before you jump to choosing a specific certification name, you need to take a step back and ask yourself what kind of SOC analyst you actually want to be in three years, and let that answer drive your selection rather than simply following a random ranking list you found on the internet.

The Certifications Worth Your Training Budget

Let's look at a quick, high-level comparison before diving deeply into what makes each of these options unique.

Certification | Best For                                  | Price Estimate | Exam Format
BTL2          | Deep DFIR & advanced analyst work         | ~$2,600        | 72-hour practical + written report
HTB CDSA      | Fast recognition & maximum budget value   | ~$210          | 7-day practical + written report
THM SAL 2     | TryHackMe fans wanting a stepping stone   | ~$510          | 72-hour practical + written report
SANS GIAC     | Enterprise/Gov roles with huge budgets    | $5,000+        | Proctored multiple-choice
CySA+ / CEH   | Compliance & specific HR resume filters   | Varies         | Proctored multiple-choice

The Direct Continuation: BTL2

If you are looking for the most direct continuation of your current path, the BTL2 is the natural next step, explicitly built by Security Blue Team for analysts who need to operate at the advanced level demanded by real-world SOC environments.

This credential holds a unique level of trust among military and law enforcement agencies: a tier of professional recognition that most commercial certifications simply never achieve. The exam itself is a grueling 72-hour practical investigation where the written reporting component is not just a mere formality, but rather a core requirement that forces you to think, analyze, and communicate exactly like a senior analyst.

However, you must keep in mind that BTL2 strongly recommends having two to four years of hands-on SOC experience before attempting it, because the material heavily assumes you have navigated real, messy incidents rather than just clean lab scenarios.

The Best Value Option: HTB CDSA

On the other hand, the HackTheBox Certified Defensive Security Analyst (CDSA) is arguably the absolute best mid-tier option on the market when it comes to pure value for your training dollar.

While it is officially marketed as an entry-level certification, the community consensus is that its difficulty firmly overlaps with mid-tier credentials, comprehensively covering complex topics like tactical analytics, threat hunting, and Active Directory analysis.

The exam gives you a full seven days to conduct two real incident investigations with mandatory reporting, and a human instructor actually reviews your work, which completely separates it from standard automated exams.

Coming in at around $210 with an HTB Academy subscription, the CDSA delivers incredible industry recognition and proves you have actual, practical capabilities, especially if you supplement your preparation by tackling their forensics-focused Sherlocks challenges.

The Newer Contender: TryHackMe SAL 2

If you are already deeply comfortable in the TryHackMe ecosystem, their newer SAL 2 certification is a legitimate contender designed specifically for mid-tier analysts transitioning from their foundational content. The format provides a 72-hour exam window featuring twelve multi-stage blue team scenarios covering digital forensics, incident response, log analysis, and Active Directory analysis, firmly placing it right between the CDSA and BTL2 in terms of both price and difficulty.

Because it is still relatively new to the market, its brand recognition in job postings is still growing and currently lags behind the BTL2, meaning you should choose it primarily for the excellent, structured skill development it offers rather than immediate resume prestige.

The Premium Track: SANS GIAC

We also cannot discuss blue team certifications without mentioning the premium track: SANS GIAC certifications like the GSEC, GCIH, and GCED, which carry an immense amount of institutional weight in large enterprises and the defense sector.

If your company is willing to completely foot the bill for a course that routinely costs between five and eight thousand dollars, these credentials will absolutely open major corporate and government doors for you.

However, if your training budget has realistic limits, you can achieve highly comparable hands-on skill development through the BTL2 or CDSA for a fraction of the cost, and arguably walk away with better practical capabilities since SANS relies on proctored written exams rather than live, simulated operational environments.

Handle With Care: CySA+ and CEH

Finally, regarding credentials like CompTIA's CySA+ and EC-Council's CEH, it is important to treat them with realistic expectations rather than outright dismissing them.

CySA+ is a perfectly valid mid-level certification if your target employers heavily utilize the CompTIA framework for their career progression paths, making it a very safe compliance checkbox for certain organizations. The CEH, while massively recognized by human resources departments, is widely known by actual technical practitioners as a purely knowledge-based exam that will not meaningfully improve your analytical skills, meaning you have likely already surpassed its practical value simply by earning your BTL1 and working day-to-day in a real SOC.

The Two Technical Areas You Absolutely Need

Regardless of which specific certification you ultimately decide to pursue, there are two critical technical areas you must prioritize as active, hands-on skills rather than just theoretical concepts you read about.

First and foremost, you need to develop deep proficiency in both Splunk and Elastic, as these are the dominant SIEM platforms utilized in real-world SOC environments and they feature heavily in every mid-tier certification assessment you will face.

An analyst who can actively build custom detection rules, thoroughly investigate complex alerts, and construct meaningful operational dashboards in these platforms is infinitely more valuable to an employer than someone who just understands the underlying concepts.
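To make "build custom detection rules" concrete, here is an added example (not code from the original article or from any SIEM vendor) of the logic behind a classic failed-logon correlation rule, the kind you would express in SPL or KQL inside Splunk or Elastic: a sliding window that alerts when one source IP produces five or more failed logons within sixty seconds. The log lines, the line format, the threshold and window values, and the SPL sketch in the docstring are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not real data). Assumed format:
#   <ISO timestamp> <host> sshd: (Failed|Accepted) password for <user> from <ip>
SAMPLE_LOGS = """\
2024-03-01T10:00:01 host1 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:05 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:09 host1 sshd: Failed password for test from 203.0.113.7
2024-03-01T10:00:12 host1 sshd: Accepted password for alice from 198.51.100.2
2024-03-01T10:00:15 host1 sshd: Failed password for oracle from 203.0.113.7
2024-03-01T10:00:20 host1 sshd: Failed password for postgres from 203.0.113.7
2024-03-01T10:00:40 host1 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:05:00 host1 sshd: Failed password for bob from 198.51.100.9
2024-03-01T10:20:00 host1 sshd: Failed password for bob from 198.51.100.9
this line is not an auth event and must be ignored
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_event(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_failed_logon_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on any source IP with >= threshold failed logons inside a sliding window.

    Mirrors the shape of a SIEM correlation search such as (Splunk SPL, with
    illustrative field names assumed for the example):
      ... outcome=Failed | bin _time span=1m
          | stats count dc(user) AS users by src_ip | where count >= 5
    """
    failures = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["outcome"] == "Failed":
            failures[ev["ip"]].append(ev)

    alerts = []
    for ip, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        best = None  # densest window seen for this source
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best["count"]:
                best = {
                    "src_ip": ip,
                    "count": count,
                    "first_seen": events[start]["ts"].isoformat(),
                    "last_seen": events[end]["ts"].isoformat(),
                    # Many distinct usernames from one source points to spraying
                    # rather than a single user mistyping a password.
                    "distinct_users": sorted({e["user"] for e in events[start:end + 1]}),
                }
        if best and best["count"] >= threshold:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logon_bursts(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample this fires once, for 203.0.113.7, with six failures across five different usernames inside 39 seconds; the second source only fails twice, fifteen minutes apart, and stays below threshold. The same rule tuned to a two-failure threshold over twenty minutes would also catch that second source, which is exactly the threshold-versus-noise trade-off you tune when you deploy a rule in a real SIEM.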

Secondly, you must heavily lock down your malware analysis fundamentals, as mid-tier certs will test your ability to extract indicators of compromise and identify suspicious strings, while advanced certs like BTL2 will demand a firm grasp of static and dynamic analysis, PE headers, and advanced memory forensics using tools like Volatility.
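The static-analysis fundamentals named above (pulling strings, extracting indicators of compromise, and reading PE headers) can be shown in a few dozen lines. The following is an added example, not code from the article or from any tool it mentions: it builds a constructed, non-functional byte blob that has a valid MZ/PE/COFF header layout and a handful of embedded strings, then walks the header, runs a `strings`-style extraction, and flags network IOCs and a small API watchlist. The sample bytes, the watchlist contents, and the helper names are all assumptions made for the example.

```python
import re
import struct
from datetime import datetime, timezone

# Assumed watchlist: Windows API names that commonly show up in injection and
# downloader tooling. Presence is a triage signal to investigate, not proof of malice.
SUSPICIOUS_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                   "WinExec", "URLDownloadToFileA"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}
CHARACTERISTIC_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}


def build_constructed_sample():
    """Constructed byte blob with a real header layout but no code; it cannot run."""
    dos = bytearray(b"MZ" + b"\x00" * 62)          # minimal DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)        # e_lfanew -> PE signature at 0x80
    dos += b"\x00" * (0x80 - len(dos))
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 1700000000, 0, 0, 0xE0, 0x0102)
    body = b"\x00".join([
        b"This program cannot be run in DOS mode.",
        b"Hello, world",
        b"VirtualAllocEx",
        b"WriteProcessMemory",
        b"http://malware.example/payload.bin",   # .example TLD is reserved
        b"203.0.113.55",                         # TEST-NET-3 documentation range
        b"cmd.exe /c whoami",
    ])
    return bytes(dos) + b"PE\x00\x00" + coff + body


def parse_pe_header(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF file header.

    Raises ValueError when the layout is not a PE, which is itself a triage fact.
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, ts, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": ts,
        # Compile timestamps are trivially forgeable, but an absurd value is still a clue.
        "compile_time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "characteristics": [n for bit, n in CHARACTERISTIC_FLAGS.items() if chars & bit],
    }


def extract_strings(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like the `strings` utility."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    """Header facts plus network IOCs and suspicious strings from the string table."""
    strings = extract_strings(data)
    ips = sorted({ip for s in strings for ip in IPV4_RE.findall(s)})
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    flagged = sorted(s for s in strings
                     if s in SUSPICIOUS_APIS or s.lower().startswith("cmd.exe"))
    return {"header": parse_pe_header(data), "iocs": {"ipv4": ips, "urls": urls},
            "suspicious_strings": flagged}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_constructed_sample()), indent=2))
```

Run it and the header comes back as a 32-bit x86 executable image with three sections and a compile timestamp of 2023-11-14T22:13:20 UTC, the IOC pass yields one IPv4 address and one URL, and the watchlist flags the two injection APIs plus the `cmd.exe` command line while ignoring the benign strings. Offline triage like this is what the mid-tier exams expect before you ever reach dynamic analysis or memory forensics.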

Making Your Final Decision

To make your final decision as straightforward as possible, use this simple framework to guide your choice based on your specific circumstances and career goals.

Choose the BTL2 if you already have solid hands-on incident response experience, want the most respected mid-tier practical credential, and have the company funding to comfortably cover it.

Go with the CDSA if you want to maximize your training budget's value while still proving your skills through a rigorous, seven-day practical investigation that earns fast industry recognition.

Opt for the SAL 2 if your primary goal is structured skill development within the familiar TryHackMe platform and you view it as a stepping stone toward more advanced work.

Finally, select a SANS GIAC certification only if your budget is practically unlimited and you are specifically targeting government or massive enterprise roles that strictly demand that specific brand name.

Important Note: A training budget should never be treated exclusively as a certification purchasing fund; it is an overall capability fund.

If you have any money left over after buying your exam voucher, you should absolutely invest those remaining funds into resources that will continuously build your actual day-to-day capabilities. Consider spending that extra money on:

  • Dedicated lab time on platforms like HTB Sherlocks or TryHackMe's advanced blue team rooms.

  • Premium sandbox access, such as ANY.RUN, to practice live malware analysis safely.

  • High-quality practitioner reference books, like The Practice of Network Security Monitoring or The Threat Intelligence Handbook.

Your chosen certification is simply the signal to employers that you possess a specific capability, but it is this supplementary, continuous practice that actually builds and maintains that capability over time.

You have already made incredibly smart choices by earning your BTL1, landing the job, and taking the time to research your next move before burning your budget on the wrong thing. Apply that exact same discipline to this decision, execute your study plan, and you will undoubtedly come out significantly ahead of your peers.

The author

Motasem Hamdan