My Blue Team Certification Journey and Creating Your Own Blue Team Certification Roadmap

Alican Kiraz
8 min readApr 2


Creating by Alican Kiraz

Hi everyone, you know how much I am interested in certificate programs :) You often ask me questions about the certificates I have earned. I wanted to tell you about the experiences I learned by preparing a detailed article.

First of all, the value of a certificate is directly proportional to the education you receive and the experience you gain. While preparing for a certificate program, your goal should not be to get the certificate but to learn information that will be useful for you throughout your journey. I have taken at least half as many different certification exams as the certificates I have received, and I have failed. However, I did not need to retake the exam and get a certificate in some of them because the things I learned in training were sufficient. Of course, sometimes, these documents are required. Because there may be a need due to regulations in your workplace, or it may create new job opportunities in your career.
For this reason, it is necessary to divide the certificates into two. Some are compulsory certificates essential for your career and job, and others are respected and important in their field. Such certificates are taken to demonstrate expertise in the area or step on a journey to improve yourself.


You first see the initial essential certificates in the Blue Team certification roadmap I created for you above. The scopes in these certificates are almost always the same, and it is aimed to form the basis of cyber security knowledge for the student. (BTL1 course is a little different, I will be talking about it.) I started my journey with the CEHv10 certificate, the first of these certificates, and I want to tell you about my journey in order.

EC-Council CEH

Source : EC Council

CEH is a certification program that includes basic teachings called the 101 of cyber security. It is one of the most established certification programs in the Cyber Security industry. It is especially emphasized by HR professionals in job recruitment. The exam is carried out as a verbal test without practice. When I first heard about CEH in 2015, I wanted it for a long time for its price and reputation. In the following years, when my financial situation allowed, I bought it under the Self-Learning package and started working. The rootedness of CEH was evident from the content of its training. It was a very productive process with Lab + Videos and practical tests. But the overall tutorial was more like Offensive Security 101. For this reason, the emphasis was on, especially within, the scope of pentest activities and education. The topics were as follows;

Source :

If you are considering a career specific to the Blue Team, I think CEH should be your second choice, not your first choice at the beginning. Training that first examines basic Cyber Security principles and approaches would be more helpful.

Pros and Cons;
+ It can also be a good start to see the Offensive Security side.
+ Quite good to have Lab + Practice Test + Video in Education
- There are deficiencies in General Information Security and Blue Team
- Examination questions based on memorization of too much

CompTIA Security+

Source : CompTIA

CompTIA Security+ has training and content that is very useful in scope and will shape your overall view of cybersecurity. In CompTIA, some questions are a half-practice, half-multiple choice test. I recommend that experts who want to progress in Blue Team start with Security+.
Security+ topics are;

Source :

As you can see, domains and topics are all-inclusive for building an overall cybersecurity foundation.
Pros and Cons;
+ Addressing Cyber Security issues in 6 separate domains
+ The exam questions are scenario-based
- Purchase of training separately


On the other hand, BTL1 is a very successful training set based on practice and provides 101-level narration in 6 domains in the Blue Team field. The best part is that it is sold with the training + Voucher system.
+ Lots of practice and practice
- Training of domains at 101 level


SANS is an educational institution that makes a difference in the Cyber Security Certification sector with its education and quality. The certification arm of SANS is GIAC. It is a test-style exam that usually consists of verbal multiple-choice questions. However, some certificates have applied sections. Taking GSEC at the beginner level with training+vouncher has the budget to get you almost all the certifications except the sans in the example roadmap :) Therefore, if you have a reasonable budget, I recommend it with the training.
GSEC topics and domains;

Source :

Pros and Cons;
+ Extensive training
+ Many topics covered by Information Security
- Very high tuition and exam fees

STEP 1 Final : Choose your first Certificate

As a result, my recommendation from 4 different certificates at the first start will be to master the essential cyber security domains with Security+. Then, with BTL1, you can go deeper into the Blue Team area or see the Red Team side with CEH.

  • Security+ + BTL1 → Quickstart to Blue Team
  • Security+ + CEH → Getting started with Purple Team 101

Step 2 : My Blue Team Certification Journey

The certificates to be obtained after the beginning of the Roadmap are developed depending on the area to be specialized. Therefore, it would be more logical to proceed with a single certificate in Step 2. I chose CompTIA CySA+ among these certificates, and let’s look at CompTIA CySA+ together.


CompTIA CySA+ is a certificate focusing specifically on Blue Team in cyber security. Many domains that can be useful in the daily work of SOC Analysts are described.
These domains are;

You can get support from the following sources while preparing for the exam;


eCIR was one of the toughest exams I’ve ever taken. Especially, eLearnSecurity’s v1 exams were more challenging than the v2 ones. While there is more research-based analysis in v1s, task-based analysis questions are in v2s. There are generally two different environments in eCIR. First, there are AD environments where you analyze with Splunk and environments where you analyze with Kibana. You are asked to examine the logs and unravel the plot throughout the exam. The first compromise point is given to you in the exam enrollment booklet. Then you have to analyze according to Cyber Kill Chain and write your findings for each machine. The exam time is relatively short. During this time, you must make good analyses in two separate tools and not crash the system (especially for kibana).

Therefore, during the preparation for the exam;

  • Examining the structure of Winevent logs
  • Examining the structure of NIDS logs
  • Researching MITRE ATT&CK TTP’s
  • Working with AD structure
  • Investigation of Cyber Kill Chain steps

You need to work with such steps and practice a lot. As blue team experts, we have very little lab access. That’s why I recommend INE’s Premium Package, which is LAB+Educational content.


eTHPv2 seemed easy to me compared to eCIR. It was lovely that he expected you to solve specific tasks in the exam. While solving these tasks, you still need to analyze different environments. In the first environment, you are expected to perform a volatile forensic analysis in the second environment while performing analysis on Splunk in the third environment and again on Kibana in the third environment. While preparing for the exam;

  • Learning forensic analysis and forensic evidence collection
  • Learning Splunk and Kibana environments
  • Examining the structure of Winevent logs
  • Examining the structure of NIDS logs
  • Researching MITRE ATT&CK TTP’s
  • Understanding the Cyber Kill Chain
  • Knowing the structure of Splunk and Kibana Search Query


Digital Forensics has always been shaped as a particular expertise in my eyes. So much so that when I got into it and started learning it, I realized it is a profound subject. Digital forensics is about more than just taking images or collecting evidence. At the same time, you need to activate your threat-hunting abilities while trying to discover evidence of a possible malicious or breach situation. The eCDFP course on INE is incredibly detailed. I would recommend taking the course. The exam consists of 30 test questions; half are verbal multiple-choice test questions, and the other half are solved with the findings you will obtain in 3 lab environments. The exam was challenging, and I passed on my third try. It would be best if you practiced in a lab environment a lot.

  • Disk inspection and repair should be investigated
  • PCAP analysis should be studied
  • The registry forensics should be studied
  • File analysis should be studied

I wanted to share the information and tricks I have learned about the Blue Team certificates I have earned. Soon, I will publish the second part of this article when I win the remaining SANS certificates mentioned above. I hope the roadmap I prepared was helpful to you. I wish you all a beautiful and exciting certification journey. Thank you for reading. See you later.



Alican Kiraz

Blue Team Lead | CSIE | CSAE | CASP+ | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+ | Security+ | CEHv10 | ISO27001 IA