Building Security Blue Team From the Inside of a SOC
When I joined my first SOC during my university placement year, I wasn’t thinking about starting a company. I was focused on whether I was good enough. I soon realised that businesses face the same challenge: bringing SOC teams up to speed quickly and effectively.
What struck me quickly was the gap between academic preparation and operational reality. I remember asking whether there was training I could do to get up to speed faster. At the time, the options were mostly theory-heavy certifications or very expensive courses that weren’t realistic for someone in my position. Neither reflected what I was actually doing day to day.
So, I learned the way most analysts do: by doing the job, making mistakes, asking questions, and relying heavily on more experienced colleagues. I was fortunate to be in a team where senior analysts involved me in discussions beyond my level and accelerated my development. But it was clear to me that progress depended heavily on the environment you happened to land in. There wasn’t a course I could take that would help me prepare for what I would need to do inside a SOC and not just the theory.
And that was the first time I thought seriously about bridging that gap not just for myself, but in a way that could help businesses develop their teams faster and more effectively.
Building What I Couldn’t Find
When I returned to university for my final year, I decided to build practical, hands-on blue team training as my dissertation project. It wasn’t driven by commercial ambition. It was driven by frustration as I wanted a certification that would support me and others like me. I graduated and went back to work in a SOC, but I continued to develop the course in the evenings and that was the early version of Blue Team Level 1 (BTL1).
I shared early versions for free to see if anyone else felt the same gap, and they did, so I continued discussing and developing until I had a final version of what is now BTL1.
Then for several years, I built Security Blue Team alongside industry roles. I would finish a day in the SOC and then spend evenings writing labs and building content. It didn’t feel like running two careers. It felt like solving a problem that was still in front of me every day.
Growing Beyond the Garage
The shift from community project to company wasn’t dramatic. It was gradual and, at times, uncomfortable.
About six months in, it became clear that I couldn’t do everything alone. I couldn’t answer every email, maintain the platform, write content, and support learners while working full time. The first hires came organically from the community itself. People who believed in what I was building stepped in to help.
We moved away from third-party exam platforms and built our own labs. We replaced improvised systems with purpose-built infrastructure. We matured operationally with accounting, finance, internal structure, all those things that no one teaches you when you start building something in a garage.
What surprised me most was how quickly the demand scaled, not just from individuals, but from businesses who wanted to buy multiple licenses for their SOC teams to support analyst growth and operational resilience. Today, we work with hundreds of organisations, including some of the largest companies in the world. We offer numerous certifications, taking analysts from their early career with BTL1 and Certified Junior Detection Engineer right through to career growth and leadership with BTL2 and our Certified Security Operations Manager (CSOM) certifications.
Then in January this year, we were recognised as a G2 Leader in our category while retaining our High Performer badges. For me, that milestone matters because it reflects feedback from real users, analysts and teams applying the training in live environments.
The garage is a long way behind us.
But the original problem isn’t.
Why It Resonates With SOC Teams
Security Blue Team wasn’t designed in isolation from security operations. It was built from within it.
The conversations we now have with SOC leaders aren’t abstract. They’re about reducing time to operational competence. They’re about building judgement, not just knowledge. They’re about creating progression that strengthens teams rather than simply adding certifications.
I’ve sat in the position of the junior analyst trying to prove I could handle more responsibility. I’ve also worked under leaders who understood that development isn’t a luxury, it’s part of building a resilient team.
When training strengthens fundamentals, analysts adapt faster. They rely less on rigid workflows. They escalate with clearer reasoning. They contribute earlier. Over time, that compounds.
That’s the lens I still bring to the company today. Even as CEO, I stay close to product and content. If we ever drift too far from operational reality, the training loses its purpose.
Join the Learning Journey
If you want to see how your SOC team can benefit from the same learning journey that shaped my career, explore our certifications to accelerate onboarding, strengthen judgement, and build resilient security teams.
Got 10 minutes for a quick chat? Book a meeting with our team to discuss a solution tailored to your organisation.

