
100+ Free BTL2 Practice Questions

Blue Team Level 2 (BTL2) practice questions are available now; exam metadata is being verified.


In the context of IOC reporting, what is the purpose of the Traffic Light Protocol (TLP) marking applied to threat intelligence reports?


Key Facts: BTL2 Exam (2026 statistics, source: Security Blue Team)

Practical Exam Window: 72 hours
Minimum Passing Score: 70%
Course + Exam Fee: £1,999
Lab Access Time: 120 hours
Course Access Period: 5 months
Report Grading SLA: 30 days

BTL2 (Blue Team Level 2) is Security Blue Team's advanced practical certification for defenders with 2+ years of SOC/DFIR experience. The 72-hour practical exam simulates a corporate network intrusion requiring hands-on investigation and a professional written report (70% to pass, 90%+ earns a gold coin). The £1,999 course includes 231 lessons, 28 browser labs (120 hours), and one exam attempt. Core domains: vulnerability management (OpenVAS, CVSS), malware analysis (PEStudio, ProcDOT, YARA), threat hunting (Velociraptor, RITA, Chainsaw), advanced SIEM/detection engineering (Sigma, Splunk, Elastic EQL), and adversary emulation (Atomic Red Team, ATT&CK Navigator).

Sample BTL2 Practice Questions

Try these sample questions to test your BTL2 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which CVSS v3.1 metric specifically captures whether an attacker needs user interaction to exploit a vulnerability?
A. User Interaction
B. Attack Complexity
C. Privileges Required
D. Scope
Explanation: The User Interaction (UI) metric in CVSS v3.1 indicates whether the vulnerability requires a user other than the attacker to perform an action before the vulnerability can be exploited. It takes values of None or Required. This is distinct from Attack Complexity, which relates to conditions the attacker cannot control.

2. An OpenVAS scan returns a vulnerability with a CVSS base score of 9.8. Before scheduling remediation, which additional contextual factor should a vulnerability manager consider to adjust effective priority?
A. Whether a public exploit exists and whether the asset is internet-facing
B. The hostname length of the affected system
C. The operating system vendor's release date
D. The number of open ports on the scanner host
Explanation: A CVSS base score provides theoretical severity but does not account for environmental context. Exploit availability (whether a working public exploit exists) and asset exposure (internet-facing vs. internal) are the two most critical contextual factors for adjusting priority. CVSS Environmental and Temporal metrics codify exactly this adjustment.

3. When running Nmap with the flag combination `-sV --script vuln`, what type of output should you primarily expect?
A. Service version banners and vulnerability checks via NSE scripts
B. A list of open ports only
C. A full packet capture of the scan traffic
D. Only CVE identifiers without any port information
Explanation: The `-sV` flag enables service/version detection, while `--script vuln` runs the Nmap Scripting Engine (NSE) category of vulnerability-checking scripts. Together they produce version banners on each open port plus automated checks for known vulnerabilities associated with those services, including CVE references where available.

4. A Nikto scan of a web application returns the finding: `X-Frame-Options header is not present`. What vulnerability class does this most directly indicate?
A. Clickjacking
B. SQL Injection
C. Cross-Site Scripting (XSS)
D. Server-Side Request Forgery (SSRF)
Explanation: The X-Frame-Options HTTP response header prevents a browser from rendering a page inside a frame or iframe. Its absence means the application is susceptible to clickjacking attacks, where an attacker overlays a transparent iframe on top of a legitimate page to trick users into clicking unintended elements.

5. In the vulnerability management lifecycle, which phase directly follows identification and involves determining which vulnerabilities pose the greatest business risk?
A. Prioritization
B. Remediation
C. Verification
D. Reporting
Explanation: After vulnerabilities are identified through scanning, the next step is prioritization: ranking them by business impact, exploitability, asset criticality, and CVSS score. This ensures limited remediation resources are directed at the highest-risk issues first rather than treating all findings equally.

6. A static malware analyst opens a suspicious Windows PE file in PEStudio. Which field most directly reveals whether the sample likely performs network communication?
A. Imported functions such as WSAStartup, connect, and send from Ws2_32.dll
B. The PE file's section entropy values
C. The file's compile timestamp
D. The presence of the .rsrc section
Explanation: Imported functions are a primary static analysis indicator of capability. WSAStartup initializes Winsock, and functions like connect/send from Ws2_32.dll indicate socket-based network communication. PEStudio's imports view highlights suspicious libraries and functions, making network I/O capability immediately visible without executing the sample.

7. During dynamic analysis of a malware sample, you observe a Regshot snapshot comparison showing new registry keys under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. What does this most likely indicate?
A. The malware is establishing persistence via autorun registry keys
B. The malware is performing a DNS lookup
C. The malware is spawning a new network socket
D. The malware is elevating privileges to SYSTEM
Explanation: The `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` registry key is a well-known Windows autorun location. Any value added under it causes the specified program to launch automatically when that user logs in. Observing new entries there during a Regshot comparison is a classic persistence indicator.

8. When using YARA to write a detection rule for a known malware family, which combination of conditions provides the highest specificity with the lowest false-positive rate?
A. A combination of unique byte sequences, import hashes, and behavioral strings specific to the family
B. A single generic string such as 'cmd.exe'
C. A file size condition alone (filesize < 1MB)
D. Matching any PE file with entropy greater than 7.0
Explanation: YARA rules achieve high specificity by combining multiple conditions that together uniquely characterize a malware family: unique byte sequences from the code, import hashes that reflect the same compilation artifacts, and family-specific strings such as mutex names or C2 paths. Single generic conditions produce too many false positives.

9. An analyst uses ProcDOT to visualize dynamic analysis results. ProcDOT is specifically designed to correlate which two data sources?
A. Process Monitor (Procmon) logs and Wireshark PCAP files
B. Regshot output and VirusTotal reports
C. Windows Event Logs and Sysmon events
D. Memory dumps and PE import tables
Explanation: ProcDOT takes Process Monitor (Procmon) CSV logs and Wireshark PCAP captures as input and correlates them into an interactive graph showing process behaviors, network connections, file/registry activity, and the relationships between processes, providing a visual timeline of the malware's execution.

10. A static analysis of a PDF attachment reveals obfuscated JavaScript within the file. Which tool is most appropriate for decoding and extracting the obfuscated content without executing the file?
A. PDFid combined with pdf-parser and CyberChef
B. Resource Hacker
C. Regshot
D. ProcDOT
Explanation: PDFid provides a quick triage of a PDF's dangerous elements (JavaScript, embedded files, AcroForms), and pdf-parser extracts the raw content of specific objects. CyberChef can then decode Base64, hex, or other obfuscation. Together these tools enable full static extraction and decoding of malicious JavaScript without risk of execution.

About the BTL2 Practice Questions

Verified exam format metadata for Blue Team Level 2 (BTL2) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.