
100+ Free BTL1 Practice Questions

Blue Team Level 1 (BTL1) practice questions are available now; exam metadata is being verified.



Key Facts: BTL1 Exam (2026 statistics, source: Security Blue Team)

Exam Window: 24 hours
Exam Challenges: 20 tasks
Passing Score: 70%
Gold Coin Threshold: 90%+
Course + Exam Fee: $490
Content Areas: 6 domains

BTL1 Syllabus

The BTL1 is a 24-hour, browser-based, open-book practical exam comprising 20 task-based challenges mapped to the MITRE ATT&CK framework. Candidates investigate a simulated corporate breach using Splunk (SIEM), Wireshark (network analysis), and Autopsy (digital forensics). A 70% score (14/20 tasks) earns certification; 90%+ on the first attempt earns a rare physical gold challenge coin. The $490 package includes 330+ lessons, 23 browser labs, one exam, and one free resit. This practice bank covers all six domains to prepare candidates for the knowledge required during the practical investigation.

Sample BTL1 Practice Questions

Try these sample questions to test your BTL1 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which component of the CIA triad ensures that data is accessible to authorized users when needed?
A. Availability
B. Confidentiality
C. Integrity
D. Authentication
Explanation: Availability means systems, services, and data are accessible to authorized users whenever needed. Controls such as redundancy, failover clustering, and DDoS mitigation protect availability. Confidentiality restricts unauthorized access, and integrity ensures data is unaltered, but neither addresses continuous access.
2. At which OSI layer does IP addressing and routing occur?
A. Layer 2 — Data Link
B. Layer 3 — Network
C. Layer 4 — Transport
D. Layer 5 — Session
Explanation: Layer 3, the Network layer, is responsible for logical addressing (IPv4/IPv6) and routing packets between networks. Routers operate at Layer 3. Layer 2 handles MAC addressing and switching within a single network segment. Layer 4 manages end-to-end connections and port numbers.
3. Which type of malware disguises itself as legitimate software while secretly performing malicious actions in the background?
A. Worm
B. Rootkit
C. Trojan horse
D. Adware
Explanation: A Trojan horse masquerades as a benign or desirable program while hiding malicious functionality. Unlike worms, Trojans do not self-replicate. Rootkits hide malicious code from the OS rather than disguising themselves as legitimate user applications. Adware displays unwanted advertisements.
4. A security analyst needs to verify whether a suspicious file has been modified since it was last reviewed. Which approach is most reliable?
A. Compare the file's size in bytes to the original
B. Check the file's last-modified timestamp in Windows Explorer
C. Open the file and visually inspect its contents
D. Compare the SHA-256 hash of the current file to the original hash
Explanation: Cryptographic hashes like SHA-256 produce a fixed-length fingerprint of a file's contents. Even a single-bit change results in a completely different hash. Timestamps can be trivially altered by attackers (timestomping), file sizes can stay identical with content swaps, and visual inspection is impractical for binary files.
5. Which port is used by SMTP (Simple Mail Transfer Protocol) for server-to-server email transmission by default?
A. Port 25
B. Port 110
C. Port 143
D. Port 587
Explanation: Port 25 is the standard SMTP port for mail transfer between servers (MTA-to-MTA). Port 587 is the submission port used by email clients to send mail to their outbound server and requires authentication. Port 110 is POP3 and port 143 is IMAP; both are used for mail retrieval.
6. During phishing email analysis, an analyst checks the Authentication-Results header and finds 'spf=pass; dmarc=fail'. What is the most likely explanation?
A. Both SPF and DMARC passed, so the email is legitimate
B. The sending IP is authorized by the SPF record, but the From: domain does not align with the SPF-authenticated envelope domain
C. The SPF record is missing from DNS, causing DMARC to fail automatically
D. DMARC failed because the DKIM signature was invalid
Explanation: DMARC requires domain alignment: the RFC 5322 From: header domain must match the domain verified by SPF (the envelope sender, MAIL FROM) or by DKIM. When SPF passes for the envelope domain but the From: header shows a different domain (cousin-domain spoofing), the SPF pass provides no alignment, and with no aligned DKIM signature either, DMARC fails. This is a common phishing technique: the attacker sends from infrastructure that is authorized for their own domain while displaying the victim organisation's domain in the From: header.
7. An analyst is examining a suspicious email and wants to identify the originating IP address. Which header should they examine first?
A. From:
B. Reply-To:
C. Received:
D. X-Mailer:
Explanation: A Received: header is prepended by each mail server that handles the message, so the chain reads newest at the top and oldest at the bottom. Reading from the bottom upward, the oldest Received: entry contains the originating IP address. Only the entries added by trusted servers in the chain can be relied on, since the sender can forge any Received: lines below their own hop. The From: and Reply-To: headers are attacker-controlled and easily spoofed. X-Mailer identifies the mail client software.
8. A phishing email contains an attachment with a .exe extension renamed to 'invoice.pdf.exe'. Without executing the file, which technique should an analyst use to safely determine what the file actually is?
A. Open the file in a text editor to inspect its contents
B. Rename the file extension to .pdf and double-click it
C. Email the file to a colleague for a second opinion
D. Submit the file hash to VirusTotal or a threat intelligence platform
Explanation: Submitting the file's cryptographic hash (MD5, SHA-1, or SHA-256) to VirusTotal or similar platforms checks it against thousands of antivirus engines and threat intelligence databases without executing the file. This provides safe, rapid identification of known malware. Never execute or rename suspicious executables on a production system.
9. Which email authentication protocol adds a cryptographic digital signature to the email header to verify the message has not been tampered with in transit?
A. DKIM (DomainKeys Identified Mail)
B. SPF (Sender Policy Framework)
C. DMARC (Domain-based Message Authentication, Reporting and Conformance)
D. S/MIME (Secure/Multipurpose Internet Mail Extensions)
Explanation: DKIM uses a public/private key pair to add a digital signature in the DKIM-Signature header. Receiving servers retrieve the public key from DNS to verify the signature, confirming the message body and selected headers were not modified in transit. SPF verifies the sending IP; DMARC is a policy layer on top of SPF/DKIM; S/MIME encrypts message bodies end-to-end.
10. An analyst uses a sandbox to analyze a URL found in a phishing email. The sandbox report shows the page redirects through three different domains before reaching a credential harvesting page. What is this technique called?
A. DNS amplification
B. URL redirection chaining
C. Domain fronting
D. Click-jacking
Explanation: URL redirection chaining uses multiple intermediate redirects through legitimate or compromised sites to obscure the final malicious destination from email gateways and analysts. Each redirect passes reputation checks independently, making detection harder. Sandboxes follow the entire redirect chain to expose the true payload URL.

About the BTL1 Practice Questions

Verified exam format metadata for Blue Team Level 1 (BTL1) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.