Introduction
Two prominent certifications for established blue teamers are the Certified Defensive Security Analyst (CDSA) and Blue Team Level 2 (BTL2). While both are tailored toward defensive cybersecurity, they may differ slightly in course content and exam format. This article provides a detailed comparison to help you choose the best fit for your goals.
Overview of HackTheBox CDSA
HackTheBox CDSA is an intermediate-level certification designed for individuals looking to deepen their knowledge of defensive cybersecurity practices. It focuses on practical and theoretical skills needed to identify, analyze, and respond to cybersecurity threats and incidents.
The target audience typically includes entry-level security analysts, entry-level forensics analysts, and IT administrators.
HackTheBox CDSA covers SIEM operations, log analysis, malware analysis, and other domains such as network traffic analysis.
The official course content contains hands-on labs that simulate defensive cybersecurity challenges and is structured to build Security Operations Center (SOC) analyst skills.
Overview of Blue Team Level 2
Blue Team Level 2, offered by Security Blue Team, is a certification that evaluates your expertise in advanced defensive cybersecurity areas, including Threat Hunting, Incident Response, Digital Forensics, and Malware Analysis.
BTL2 is tailored for individuals with prior experience in incident response and a solid technical understanding of cyber threats. Candidates are also expected to possess intermediate-level knowledge of Windows and Linux system administration, as the certification does not cover the internal workings of operating systems or enterprise-level Active Directory in detail. Therefore, it is recommended that before pursuing this certification, you gain hands-on experience in defensive cybersecurity areas, such as those offered on the Blue Team Labs Online platform or through the BTL1 certification.
Exam Format
HTB CDSA Exam
The HackTheBox CDSA exam lasts 7 days, so be sure to take detailed notes throughout. Document every step carefully, as you will need to explain everything in your final report. You are required to create two reports. It is advisable not to work on both simultaneously; complete one before starting the other.
Make sure you thoroughly understand all the modules in the course material. Go through the final assessments for each module and attempt to solve them without referring to the solutions or explanations beforehand.
I strongly recommend exploring TryHackMe's Security Operations Center Level 1 path. It provides an opportunity to analyze security incidents involving a substantial volume of logs, helping you refine your methodology, an essential skill for the exam. If you encounter difficulties, you can also refer to the walkthrough videos linked in the video descriptions.
BTL2 Exam
The BTL2 exam spans 72 hours, encompassing both the in-depth investigation of the provided environment and the preparation of the final report for examiners. The exam is designed to test the application of knowledge gained in the labs.
During the first two days, it is recommended to document findings, including screenshots of artifacts and evidence related to the attacker's actions. It is critical to document everything, even seemingly minor anomalies, since these could later prove to be malicious. Good documentation tools, whether CherryTree, Obsidian, or even the report itself, can bridge information gaps that arise.
Note that if the exam lab environment is left idle for an extended period, it will require a restart, causing loss of progress such as malware analysis setups or configurations.
The BTL2 exam is a demanding yet rewarding experience that requires not only technical expertise but also the ability to construct a coherent story from fragmented evidence. While the labs provide a solid foundation, they could benefit from more emphasis on integrating skills into a cohesive investigative approach. Good documentation and resilience are key to success, but addressing the technical challenges in the exam environment would significantly improve the experience for future candidates.
Course Content
HTB CDSA Course Content
The CDSA curriculum is delivered through a series of modules, each focusing on specific defensive security domains. Key areas covered include:
- SOC Processes & Methodologies: Understanding the frameworks and procedures essential for effective SOC operations.
- SIEM Operations (ELK/Splunk): Utilizing Security Information and Event Management systems for monitoring and analyzing security events.
- Tactical Analytics: Applying analytical techniques to identify and respond to security threats.
- Log Analysis: Examining system logs to detect anomalies and potential security incidents.
- Threat Hunting: Proactively searching for threats within a network before they manifest into breaches.
- Active Directory Attack Analysis: Investigating and mitigating attacks targeting Active Directory environments.
- Network Traffic Analysis (including IDS/IPS): Monitoring and analyzing network traffic to identify malicious activities.
- Malware Analysis: Studying malware behavior to understand its impact and develop countermeasures.
- Digital Forensics and Incident Response (DFIR) Operations: Conducting forensic investigations and responding effectively to security incidents.
Each module comprises detailed explanations, practical examples, and assessments to reinforce learning. Hands-on labs simulate real-world defensive cybersecurity challenges, enabling learners to apply theoretical knowledge in practical scenarios.
Upon completion of the course modules, candidates are eligible to undertake a rigorous 7-day examination. This assessment involves performing actual security analysis, SOC operations, and incident handling activities against real-world, heterogeneous networks. Candidates are also required to compose a commercial-grade security incident report, demonstrating their ability to communicate findings effectively.
BTL2 Course Content
In BTL2, the domains covered include:
Domain 1 — Malware Analysis
- Introduction to Malware Analysis
- Build Your Own Analysis Lab
- Static Analysis Tools and Techniques
- Dynamic Analysis Tools and Techniques
- Malware Analysis Practice
Domain 2 — Threat Hunting
- Introduction to Threat Hunting
- Build Your Own Hunting Lab
- Endpoint Threat Hunting
- Network Threat Hunting
- Hunting at Scale
- Hunt Reflection and Report Writing
Domain 3 — Advanced SIEM
- Introduction to Advanced SIEM
- SIEM Architecture
- Proactive SIEM (Hunting)
- Adversary Emulation, Detection, and Analysis
Domain 4 — Vulnerability Management
- Introduction to Vulnerability Management
- Host Discovery
- Vulnerability Discovery
- Analysis, Prioritization, and Threat Intelligence
- Reporting and Remediation
The course material is structured into two primary sections: theoretical content and practical labs. These sections cover topics such as Malware Analysis, Threat Hunting, Advanced SIEM, Vulnerability Management, and a final preparation segment for the certification test.
The theoretical material is comprehensive, featuring well-chosen examples that are highly relevant for completing the practical labs. For those transitioning to an intermediate level, it is advisable to thoroughly read and take notes on the theory sections, as they provide detailed insights. However, this section can feel extensive due to the lack of video content.
For individuals with experience in the offensive side of cybersecurity, their background provides a significant advantage for this certification. Thinking like a threat actor can be invaluable during the labs, as it enables you to anticipate the steps typically taken during an intrusion. This perspective is especially helpful in the Threat Hunting section, where tracing a threat actor’s movements through artifacts becomes much easier when adopting their mindset.
Additionally, the Vulnerability Assessment section is straightforward for those familiar with tools like OpenVAS, Nikto, or Nmap. This prior knowledge can significantly simplify the tasks in this part of the course.
Cost
HTB CDSA Cost
To be eligible for the certification exam, candidates must complete the SOC Analyst job-role path on HTB Academy, which comprises 15 modules.
Access to these modules requires a subscription to HTB Academy. The Silver Annual plan, priced at $490 per year, provides access to all modules up to Tier II, including those in the SOC Analyst path.
Therefore, the total cost to obtain the HTB CDSA certification is approximately $700, excluding VAT. This includes the $490 annual subscription for the necessary training modules and the $210 exam voucher.
BTL2 Cost
At the time of writing this article, the Blue Team Level 2 (BTL2) certification, offered by Security Blue Team, is priced at £1,999.
Career Impact and Industry Recognition
HackTheBox CDSA is becoming widely recognized as an intermediate-level certification and is highly regarded for its focus on real-world defensive scenarios. It positions candidates for higher-level roles, including security operations center analyst and threat hunter, and provides the tools necessary to work in complex cybersecurity environments.
The BTL2 certification is also highly regarded in the cybersecurity industry. Professionals with this credential demonstrate their capability to manage complex threats, making them attractive candidates for roles like Security Analyst, Incident Responder, and Threat Hunter.
Both BTL2 and CDSA are recognised and respected certifications to pursue, bearing in mind that which one is more difficult depends on your knowledge and expertise. For me, the experience was similar, and both certifications may be similar in difficulty level.
Which Certification to Pursue?
Choose CDSA if:
- You have prior experience or foundational knowledge in cybersecurity.
- You’re aiming for mid-level or specialized defensive roles like incident responder or threat hunter.
- You want to tackle more advanced and realistic challenges that reflect complex cybersecurity environments.
- You want a more affordable certificate. As of today, the HTB CDSA exam costs $210, which is far cheaper than BTL2.
Choose BTL2 if:
- You have completed BTL1 and are ready for a more challenging certificate.
- You want to build more practical skills in malware analysis and vulnerability management.
Conclusion
Both the Certified Defensive Security Analyst (CDSA) and Blue Team Level 2 (BTL2) offer a great way to demonstrate intermediate and advanced SOC and incident response skills.
Your choice ultimately depends on your current knowledge, career aspirations, and the level of expertise you wish to achieve. Either way, these certifications provide a strong foundation for thriving in the dynamic world of cybersecurity.