Certified Blue Teamer - eXpert
(CBTeamerX)
The Certified Blue Teamer-eXpert (CBTeamerX) exam is an advanced blue teaming and incident response examination. It is designed to assess a candidate’s ability to investigate, correlate, and interpret a sophisticated multi-stage APT intrusion spanning both on-premises Windows Active Directory infrastructure and cloud environments. Candidates must demonstrate expertise in malware reverse engineering, memory forensics, disk forensics, log correlation, cloud security investigation, and attack chain reconstruction across a complex hybrid environment.
Note: The exam will be made available on/before 31st January, 2026.
- Practical
- 7 Hours
- Online
- On-demand
- Real world blue teaming scenarios
£400
Equivalent Industry Certifications*
*Note: We are not affiliated with any of the certifications mentioned here. These are respected industry certifications, and referenced here to show how our Certified Blue Teamer-eXpert (CBTeamerX) exam’s syllabus/difficulty overlaps with these exams.
If you already hold any of these, you’re likely well-prepared to test your knowledge with our exam. If you’re preparing for one, our exam is a great way to test your progress.
Who should take this exam?
The CBTeamerX exam is designed for DFIR analysts, blue teamers, SOC professionals, detection engineers, and anyone seeking to demonstrate competence in real-world intrusion investigation. It is also highly suitable for pentesters and red teamers who want to understand how defenders analyze and investigate multi-stage attacks by examining network captures, Windows event logs, Sysmon telemetry, Active Directory artifacts, and memory forensics.
What is the format of the exam?
CBTeamerX is an intense 7-hour-long practical exam. Candidates must investigate a realistic multi-stage intrusion scenario, reconstructing the complete attack chain from initial compromise through to final impact. The investigation spans both on-premises Windows Active Directory infrastructure and cloud environments, requiring candidates to correlate evidence across multiple data sources, analyze malware samples, perform disk and memory forensics, and identify adversary techniques across all phases of the intrusion lifecycle. The exam is delivered online, available on demand, and can be taken from anywhere. Candidates are given access to a dedicated analysis environment preloaded with a SIEM platform containing relevant log sources, forensic images, memory dumps, malware samples, network captures, and cloud platform logs. Candidates must connect to the exam environment via VPN to access all investigation resources and the analysis platform.
What is the pass criteria for the exam?
The pass criteria are as follows:
- Candidates scoring over 60% marks will be deemed to have successfully passed the exam.
- Candidates scoring over 75% marks will be deemed to have passed with merit.
What is the experience needed to take the exam?
This is an expert-level exam. Candidates should have extensive hands-on experience in Windows security monitoring, incident response, enterprise intrusion analysis, and advanced forensic investigation. They are expected to have a deep understanding of topics such as Active Directory telemetry, Kerberos authentication flows, network traffic interpretation, log correlation, host-based forensic investigation, malware analysis, memory forensics, and cloud security fundamentals. Candidates should be proficient in analyzing sophisticated multi-stage attacks, identifying lateral movement patterns, detecting credential abuse and privilege escalation techniques, performing malware reverse engineering, and reconstructing adversary actions using logs, disk images, memory artifacts, cloud platform logs, and SIEM data across hybrid environments.
Note: As this is an expert-level exam, a minimum of five years of professional blue teaming experience is recommended.
What will the candidates get?
On completing the exam, each candidate will receive:
- A certificate with their pass/fail and merit status.
- The certificate will contain a certificate number, which can be used for independent verification.
What is the exam retake policy?
Candidates who fail the exam are allowed one free retake, included in the exam fee.
What are the benefits of this exam?
This exam will allow candidates to demonstrate their capability in real-world intrusion investigations, including log analysis, correlation of multi-stage attacks, forensic triage, and reconstruction of adversary actions within an enterprise environment. It provides strong credibility for roles in DFIR, SOC operations, and incident response, as well as for red teamers who want to understand how defenders trace and attribute attacker activity. This exam helps professionals stand out in the cybersecurity field by validating their ability to analyze compromises using authentic evidence, interpret attacker tradecraft, and produce accurate investigative findings using industry-standard tools and processes.
How long is the certificate valid for?
The certificate does not have an expiration date. However, it will include the exam version and issue date. As the exam is periodically updated, candidates are encouraged to retake the latest versions to stay current with modern blue team methodologies.
Will you provide any training that can be taken before the exam?
As an independent certifying authority, we do not provide any training for the exam. Candidates should carefully go over each topic listed in the syllabus and ensure they have adequate understanding, the required experience, and practical knowledge of these topics. Further, the following independent resources can be utilised to prepare for the exam.
Learning Resources
Exam Syllabus
Advanced Security Operations
SOC Architecture & Maturity
- Designing and scaling SOC operations for enterprise environments
- SOC maturity models and capability assessments
- Tool integration and security stack optimization
- Metrics, KPIs, and operational effectiveness measurement
- Automation strategies and workflow optimization
Advanced SIEM Engineering
- Complex query development and optimization (SPL, KQL, etc.)
- Log source onboarding and data normalization at scale
- Correlation rule development for multi-stage attack detection
- Performance tuning and search optimization
- Custom parser and field extraction development
- Data pipeline architecture and log management
SOAR & Automation
- Playbook design for complex incident scenarios
- API integration and custom connector development
- Decision logic and conditional workflow design
- Automation effectiveness measurement
- Human-in-the-loop vs fully automated response decisions
Security Data Analytics
- Statistical analysis for anomaly detection
- Baseline development and deviation analysis
- Machine learning concepts for security operations
- Large-scale data analysis and pattern recognition
Advanced Detection Engineering
Detection Development Lifecycle
- Threat-informed detection strategy
- Detection-as-code principles and version control
- Testing and validation methodologies
- False positive analysis and tuning strategies
- Detection coverage mapping and gap analysis
Rule Development
- Sigma rule creation and cross-platform conversion
- YARA rule development for malware detection
- Snort/Suricata rule creation for network detection
- Behavioral detection vs signature-based approaches
Detection Frameworks
- MITRE ATT&CK mapping and coverage analysis
- Detection maturity frameworks
Threat Simulation for Detection
- Purple team exercises for detection validation
- Atomic Red Team and attack simulation frameworks
- Adversary emulation for detection gaps
Advanced Threat Hunting
Hunt Program Development
- Building and maturing threat hunting programs
- Hunt team structure and skill requirements
- Defining hunt scope and objectives
- Measuring hunt program effectiveness
Hunt Methodologies
- Hypothesis-driven hunting techniques
- Intelligence-driven hunt operations
- Behavioral and anomaly-based hunting
- Data-driven and statistical hunting approaches
Advanced Hunt Techniques
- Living-off-the-land technique detection
- Fileless malware and memory-only threat hunting
- Lateral movement pattern identification
- Persistence mechanism discovery
- Data exfiltration behavior detection
- Long-dwell-time threat identification
Hunt Across Environments
- Endpoint-focused hunting strategies
- Network traffic analysis for hunting
- Cloud environment hunting techniques
- Identity-based threat hunting
Threat Intelligence Operations
Intelligence Program Management
- Building threat intelligence capabilities
- Collection management and source evaluation
Tactical Intelligence
- Indicator of Compromise (IOC) management
- Indicator lifecycle and decay considerations
- Enrichment and contextualization
Operational & Strategic Intelligence
- Threat actor profiling and tracking
- Campaign analysis and attribution
- Industry and sector-specific threat landscape
- Emerging threat identification and trending
Intelligence Analysis
- Structured analytic techniques
- Competing hypothesis analysis
- Intelligence product development
Advanced Incident Response
IR Program Leadership
- IR program development and maturity
- IR plan development and maintenance
- Tabletop exercises and simulation design
Complex Incident Management
- Managing multi-vector, multi-system incidents
- Parallel workstream coordination
- Incident command and team leadership
Advanced Containment Strategies
- Network segmentation and isolation techniques
- Credential reset and access revocation at scale
- Coordinated containment across hybrid environments
- Balancing containment with evidence preservation
Eradication & Recovery
- Complete threat removal verification
- System rebuild vs restore decisions
- Coordinated recovery planning
- Post-recovery monitoring and validation
Digital Forensics
Advanced Windows Forensics
- File system deep analysis (NTFS internals, MFT, USN Journal)
- Registry forensics and artifact analysis
- Execution artifact analysis (Prefetch, AmCache, ShimCache)
- Event log analysis and correlation
- Anti-forensics detection and handling
Advanced Memory Forensics
- Memory acquisition and analysis techniques
- Process and thread analysis
- Code injection and rootkit detection
- Credential extraction from memory
- Memory-only malware analysis
Linux & macOS Forensics
- Linux file system and log analysis
- Authentication and access artifact analysis
- macOS-specific artifact analysis
- Container and virtualization forensics
Network Forensics
- Packet capture analysis and reconstruction
- Protocol analysis and anomaly detection
- Encrypted traffic analysis techniques
- Network artifact correlation with endpoint evidence
Timeline Analysis
- Multi-source timeline construction
- Timestamp analysis and correlation
- Attack chain reconstruction
- Pivot point and patient zero identification
Malware Analysis
Static Analysis
- File format analysis and anomaly detection
- Disassembly and code analysis
- Packer and obfuscation identification
- String and resource extraction
- Import/export analysis
Dynamic Analysis
- Sandbox analysis and behavioral observation
- API monitoring and call tracing
- Network traffic analysis during execution
- Anti-analysis technique bypass
Advanced Reverse Engineering
- Assembly language analysis (x86/x64)
- Code flow analysis and function identification
- Cryptographic implementation analysis
Script-Based Malware
- PowerShell obfuscation analysis and deobfuscation
- JavaScript and VBScript analysis
- Macro malware analysis
Malware Classification
- Malware family identification
- Variant analysis and tracking
- IOC extraction and documentation
- Threat intelligence integration
Active Directory Integration
AD Attack Detection
- Credential-based attack detection (Kerberoasting, AS-REP Roasting)
- Ticket attacks (Golden Ticket, Silver Ticket, Pass-the-Ticket)
- Replication attacks (DCSync, DCShadow)
- Privilege escalation path detection
AD Threat Hunting
- Privileged account monitoring
- Group membership change detection
- GPO modification tracking
- Trust relationship abuse detection
AD Forensics
- Domain controller forensic analysis
- Replication and SYSVOL forensics
- Deleted object recovery and analysis
- AD database (NTDS.dit) analysis
AD Security Hardening
- Tiered administration model
- Privileged access workstation concepts
- Credential hygiene and protection
- Monitoring and alerting strategies
Cloud Security Operations
Cloud Security Monitoring
- Cloud-native logging and monitoring (CloudTrail, Azure Monitor, GCP Logging)
- Cloud SIEM integration and analysis
- Identity and access monitoring
- Resource configuration monitoring
Cloud Threat Detection
- IAM abuse and privilege escalation detection
- Data exfiltration pattern detection
- Cryptomining and resource abuse detection
- Serverless and container threat detection
Cloud Incident Response
- Cloud-specific IR procedures
- Evidence collection in cloud environments
- Containment strategies for cloud resources
- Cross-account and cross-cloud investigation
Cloud Forensics
- Cloud log analysis and correlation
- Virtual machine and container forensics
- Storage and database forensics
- Serverless function analysis
Network Security Monitoring
Advanced Traffic Analysis
- Deep packet inspection techniques
- Protocol analysis and abuse detection
- Encrypted traffic analysis
- Baseline deviation and anomaly detection
Network Threat Detection
- Command and control communication detection
- Lateral movement traffic patterns
- Data exfiltration indicators
- Tunneling and covert channel detection
Network Security Tools
- IDS/IPS tuning and optimization
- Network detection and response (NDR)
- Full packet capture and analysis
- Flow analysis and visualization
Endpoint Security
EDR Operations
- EDR deployment and configuration
- Alert triage and investigation workflows
- Threat hunting with EDR data
- EDR evasion technique awareness
Endpoint Detection
- Process and execution monitoring
- File system and registry monitoring
- Memory protection and analysis
- Behavioral detection strategies
Endpoint Response
- Remote investigation techniques
- Isolation and containment
- Evidence collection from endpoints
- Remediation and recovery
Security Architecture and Defense
Defense-in-Depth
- Layered security architecture
- Control placement and effectiveness
- Redundancy and resilience
- Security stack integration
Zero Trust Concepts
- Zero trust architecture principles
- Identity-centric security
- Micro-segmentation strategies
- Continuous verification approaches
Leadership & Communication
Team Leadership
- Building and developing security teams
- Skills assessment and development planning
- Knowledge transfer and documentation
- Mentorship and coaching
Stakeholder Communication
- Executive reporting and briefings
- Translating technical findings for business audiences
- Risk communication and quantification
- Incident communication strategies
Cross-Functional Collaboration
- Working with IT operations teams
- Development and DevOps integration
- Legal and compliance coordination
- External party coordination (vendors, law enforcement)
Crisis Management
- Crisis communication principles
- Managing high-pressure situations
- Decision-making under uncertainty
- Post-incident review facilitation
Governance, Risk & Compliance
Security Governance
- Policy development and maintenance
- Standards and procedures
- Security awareness program management
- Governance framework alignment
Risk Management
- Risk assessment methodologies
- Risk quantification and prioritization
- Risk treatment and acceptance
- Risk communication and reporting
Compliance & Regulatory
- Regulatory requirement interpretation
- Compliance monitoring and evidence
- Audit preparation and support
- Breach notification requirements
Legal Considerations
- Evidence handling and chain of custody
- Privacy and data protection
- Law enforcement coordination
- Litigation support and e-discovery