Introduction
Hello everyone! It's me, Chicken0248, again, and in this blog I will give my review of the Certified Junior Detection Engineer (CJDE) certification, the first ever detection engineer certificate from Security Blue Team, the well-known vendor behind BTL1 and BTL2. You might already know what BTL1 is; if so, think of CJDE as BTL1 but for the "detection engineer".
Detection engineer is a more advanced role in the SOC, but some L1 analysts are already doing it daily in their job: technically, it is tuning existing alerts/rules or creating new alerts/rules to detect threats effectively and to reduce the overwhelming false positive alerts that eventually lead to "alert fatigue". As SOCs become a global trend, detection engineers are becoming more in demand. Some companies may not use the words "detection engineer", but tuning alerts and creating rules are still in the job description; at some it is not even in the job description, but those who join the company will find themselves tuning alerts to reduce false positives. To equip you with the right mindset and skills for this task, Security Blue Team developed this "Certified Junior Detection Engineer" course.

The course expects you to have some experience in the field (1–3 years) and costs 399 GBP, the same price as BTL1. SBT recommends this certificate as the second certification to take after passing BTL1, and the reason is that you have to know the baseline of what is normal and what is not in order to create effective detection rules!
Once you have purchased the course, you can start it anytime you like, but once you start it, a 4-month countdown timer begins to tick: you have a total of 4 months to access the course content and play with the labs. As for the exam voucher, you have 12 months after starting your course to take the exam. You have 2 attempts at the exam, and if you fail the first one, you have to wait 10 days before taking a new one.
Now let's talk about the course in the next section!
Course Experience

The CJDE course consists of 18 modules, all of them text-based, so there is a lot of reading waiting for you in the course. The reason this certification is called "Junior" is that there are a lot of "essentials" modules, as you can see in the image above: even though students are recommended to have 1–3 years of experience, the course still teaches the most basic things like "History of network", "Cabling", "OSI Model" and so on. I found myself just skimming them and losing interest, as all of the essentials modules had already been taught in my college.
That said, I didn't engage with the course as much as I expected I would, but to keep the momentum I selected a few interesting modules that would really benefit me:
- Introduction to SIEM → This module teaches ELK, Splunk and Graylog; I hadn't used Graylog much, so I took it
- Introduction to Threat Intelligence → Learning about the different types of IOC and TIP will surely benefit rule making and alert tuning
- YARA & Sigma Essentials → It is always nice to see how others write their rules and to apply their methodology when we actually need it
- Zeek Essentials → I hate using it but still had to learn about it; this is where the AI agent I purchased a subscription for really shines XD
- Malware Analysis for Detection Engineering → Not exactly using tools like Ghidra or IDA, but focused on static analysis with strings and pestudio and on dynamic analysis, eventually writing YARA rules to detect the samples in the labs
- Detection Rule Creation and Tuning → Self-explanatory, but I didn't expect them to cover "Detection Logic in AWS" here, so make sure to check this out
- Threat Intelligence Integration for Detection → This module is a gem: you will do adversary simulation and write detection rules to detect it
- Behavioral Analytics for Threat Detection → Learn how baselining and ML can be used to detect suspicious behavior. Quite theoretical, with no lab, but still pretty good to know that we can use ML to help us
- AI for Defenders → This is where you apply what you learned in "Behavioral Analytics for Threat Detection" in labs; you will learn how to use Python + pandas for anomaly detection and for automating alert prioritization
Looking back at it, as soon as you finish the boring part (the essentials modules), you finally get to cook as a proper "detection engineer".
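To make the "baselining + anomaly detection + alert prioritization" idea from the two modules above concrete, here is an added example of my own; it is not course material and the course itself uses pandas. This version uses only the Python standard library so it runs anywhere: per user it builds a daily logon-count baseline, scores the target day with a z-score, adds a "never-seen source host" feature, and ranks the resulting alerts. All users, hosts and counts are constructed, and the 3.0 threshold, the stdev floor and the +5 priority bonus are arbitrary choices for the example.

```python
"""Baseline-and-deviation anomaly detection with alert prioritization (stdlib only)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def build_events():
    """Constructed (day, user, src_host) logon records: seven baseline days plus day 8.
    Not real telemetry."""
    daily = {                             # logons per day on days 1..7
        "alice": [5, 2, 9, 5, 8, 3, 4],   # noisy but ordinary user
        "bob": [3, 2, 4, 3, 3, 2, 4],     # quiet user
        "svc_backup": [20] * 7,           # perfectly flat baseline (stdev 0)
    }
    hosts = {"alice": "wks-alice", "bob": "wks-bob", "svc_backup": "srv-backup01"}
    events = []
    for user, counts in daily.items():
        for day, n in enumerate(counts, start=1):
            events += [(day, user, hosts[user])] * n
    # Day 8: alice is normal, bob spikes from a host never seen before,
    # svc_backup does one logon more than usual.
    events += [(8, "alice", "wks-alice")] * 6
    events += [(8, "bob", "vpn-gw03")] * 40
    events += [(8, "svc_backup", "srv-backup01")] * 21
    return events


def detect(events, baseline_days, target_day, threshold=3.0, min_stdev=1.0):
    """Per user: z-score of the target day's logon count against the baseline window,
    plus a 'new source host' feature. Returns alerts sorted by priority (highest first).

    min_stdev floors the standard deviation so a flat baseline (svc_backup above)
    does not divide by zero and turn a single extra logon into an infinite z-score."""
    counts = Counter((d, u) for d, u, _ in events)
    baseline_hosts = defaultdict(set)
    for d, u, h in events:
        if d in baseline_days:
            baseline_hosts[u].add(h)
    alerts = []
    for user in sorted({u for _, u, _ in events}):
        history = [counts.get((d, user), 0) for d in baseline_days]
        mu = mean(history)
        sigma = max(pstdev(history), min_stdev)
        today = counts.get((target_day, user), 0)
        z = (today - mu) / sigma
        today_hosts = {h for d, u, h in events if d == target_day and u == user}
        new_hosts = sorted(today_hosts - baseline_hosts[user])
        if z < threshold and not new_hosts:
            continue
        alerts.append({
            "user": user, "day": target_day, "count": today,
            "baseline_mean": round(mu, 2), "z": round(z, 2), "new_hosts": new_hosts,
            # Prioritization: a never-seen source host earns a fixed bonus on top of
            # the volume deviation (the weight is an arbitrary choice for the example).
            "priority": round(z + (5.0 if new_hosts else 0.0), 2),
        })
    alerts.sort(key=lambda a: a["priority"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in detect(build_events(), baseline_days=list(range(1, 8)), target_day=8):
        print(a)
```

Running it flags only bob on day 8 (40 logons against a baseline mean of 3, from vpn-gw03 which never appeared in the baseline), while alice's 6 logons sit well inside her noisy baseline and svc_backup's extra logon stays under the threshold thanks to the stdev floor. Swap the constructed tuples for your SIEM export and the same two features carry over.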

You have 4 months to learn all of this, and since you can start the course anytime you want, you have to plan your learning properly, with a backup in case shit gets real in your day job and life and you end up wasting your access time to the course.

Let's talk about labs. You have a total of 120 hours to play and practice with all the labs in the course, and this is plenty; I wasted plenty of them without doing anything, as I clicked "Start" and then got caught up with work and completely forgot about it. Luckily for me, after 6 hours the lab automatically "Stops". All access to labs also expires at the same time as your access to the course content.
Each lab has its own solution in its respective course, so in case you get stuck you can go back, read the solution and take notes, then apply them in your exam!
Exam Preparation and Experience

I hesitated to take the exam, as detection engineering is not totally my thing, but then I discovered a special lab that simulates the exam environment, called "CJDE Playground", which they finally released in Jan 2026. The reason I took the exam so late (I purchased it back at their early launch, with a discount) is that I was waiting for this so I would know what to expect in the exam, and I'm glad I did.

CJDE Playground has everything I needed to know about the exam environment, and with that, even though deep down I still thought I wasn't ready for the exam, the show must go on.
I planned to take the exam on Thursday, 29th Jan 2026, taking the day off (I attended an LLM Research Bootcamp on 23–25 Jan, so I needed another day to rest), but as I took one last look at the CJDE Playground on Tuesday, 27th Jan 2026, after dinner and enough rest, I suddenly thought "alright, fail is fail, pass is pass, nothing matters, let's take the exam now and see if I can finish it in 4 hours!" (SPOILER ALERT: I DID). With that thought consuming my mind, I clicked the "Start Exam" button like a devil possessed me.
Once the exam environment finally initialized and the 24-hour timer was ticking, I got to read the long-ass instructions, and even though I had seen some of it in the playground, it is a completely different story in the actual exam environment. I wanted to make sure I didn't miss a single thing, as I paid for this exam out of my own pocket.

In this exam, you cannot cheese it by manually analyzing artifacts and threat hunting for them in the SIEM, nuh uh. You must write your own Sigma and YARA rules (in some cases even Zeek) and push them to a CI/CD pipeline, since we don't have artifacts presented to us to analyze. But no worries, they've got you covered with instructions on how to set up the environment on your side, and you will learn how it works in a couple of minutes (or an hour).

You will also have TI reports to read, and MAKE SURE TO READ them all, as they will help you so much in the exam; in fact, the majority of the score depends on how you interpret them and create detection rules according to them.

This escalated into a threat hunting lab real fast, and it does not feel different at all from the situation where I have to write a Splunk query in any threat hunting lab, just changing from SPL to Sigma and YARA.

I forgot to mention that I used https://detectionstream.com/ to practice and understand how to write YARA and Sigma rules. I even copied some of them to practice rule writing and modified them to fit my hunting (and yes, I used some of them in the exam as well).

After 3 hours and 40 minutes (it was already past midnight too), I cooked my last detection rule and finally submitted my exam, and the result showed that I FAILED! To pass the exam, you need at least 70%, and to earn the gold coin you need 90%. Even though I was prepared to fail, it was still disappointing when it came to it, but as life must go on, I went to sleep, ready for the next day (a working day).

After waking up, I checked my email and DMs as part of my morning routine: 1 email and 1 person I know from SBT had messaged me the previous night, after I went to sleep, to congratulate me and ask for feedback. It turns out that I passed the exam with only 1 question wrong; the format was off, resulting in the result I showed before, and now, with a proper evaluation (manual review by the SBT team), I can see that my rule writing is not as bad as I thought. Hats off to them for monitoring every student's exam without me messaging / asking them to check.

And with that, I can confidently say that I'm a certified junior detection engineer!
Before we conclude, I want to answer a question some of you might have in mind: are there any labs you can practice with for the exam? In BTLO, no, but you can use https://detectionstream.com/ to practice your rule writing instead.
Exam Tips & Key Takeaways
- Plan your exam day wisely, you have a 24-hour timeframe
- Read all instructions (IMPORTANT)
- Take time to understand your exam environment; it is complex at first glance, but you will get the gist of it soon after writing some test rules to test it
- Read every TI report (IMPORTANT)
- Read the question carefully (IMPORTANT)
- Write rules in your text editor of choice (such as Sublime Text or nano) in the exam and push them using git; it is faster.
- Make a copy of each rule. I know you have version control, but it is harder to revert a rule than to rename the file
- When pushing a rule, instead of using 3 consecutive git commands, use this simple one → git commit -a -m "test" && git push. It's simple and fast (note that -a only stages changes to files git already tracks, so a brand-new rule file still needs a git add first), but do not use this in an actual environment 🤷
- Use https://detectionstream.com/ to practice your YARA and Sigma rule writing
- This is junior detection engineering; your rules do not need to be complex
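Since the tips above come down to "write a simple rule, test it, tune it, push it", here is an added example of my own (not from the exam or the course) of what that looks like before anything touches the pipeline: a Sigma-shaped detection block with a selection and a tuning filter, a tiny evaluator that applies Sigma's field-modifier and case-insensitive matching, and four constructed process-creation events to test it against. The rule, the events, the "CORP\svc_inventory" whitelist and the evaluator itself are all assumptions made for the example; the evaluator handles only identifiers, and, or and not, evaluated left to right, which is a simplification of the real Sigma condition grammar.

```python
"""Sigma-style rule evaluation with a tuning filter, over constructed events."""
from fnmatch import fnmatchcase

# Constructed rule in the shape of a Sigma 'detection' block. Field names follow
# Sysmon / Sigma process_creation conventions (Image, CommandLine, ParentImage,
# User). The whitelisted service account is an assumption made for the tuning
# example; it is not taken from the course or the exam.
RULE = {
    "title": "Encoded PowerShell Spawned by an Office Application",
    "level": "high",
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-encodedcommand"],
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
        },
        # Tuning: an inventory job that legitimately launches encoded PowerShell
        # from Excel under a dedicated service account (assumed benign here).
        "filter_inventory_job": {"User": "CORP\\svc_inventory"},
        "condition": "selection and not filter_inventory_job",
    },
}

# Constructed process-creation events (Sysmon event ID 1 style), not real telemetry.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
EVENTS = [
    {"id": 1, "Image": PS, "ParentImage": OFFICE + "WINWORD.EXE", "User": "CORP\\jdoe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 2, "Image": PS, "ParentImage": OFFICE + "EXCEL.EXE", "User": "CORP\\svc_inventory",
     "CommandLine": "powershell.exe -EncodedCommand SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQA="},
    {"id": 3, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\deploy\\deploy.ps1"},
    {"id": 4, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": OFFICE + "EXCEL.EXE",
     "User": "CORP\\jdoe", "CommandLine": "cmd.exe /c whoami"},
]


def _match_value(actual, modifier, expected):
    """One field against one value. Sigma matching is case-insensitive; a plain
    value (no modifier) may use * and ? wildcards."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier is None:
        return fnmatchcase(a, e)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(selection, event):
    """Every field in a selection must match (AND); a list of values is an OR.
    A field missing from the event never matches."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], modifier or None, v) for v in values):
            return False
    return True


def evaluate(rule, event, condition=None):
    """Evaluate the condition left to right. Supports identifiers, 'and', 'or'
    and 'not'; no parentheses or operator precedence (a simplification of the
    real Sigma grammar that is enough for 'selection and not filter')."""
    det = rule["detection"]
    results = {n: match_selection(s, event) for n, s in det.items() if n != "condition"}
    acc, op, negate = None, "and", False
    for tok in (condition or det["condition"]).split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            val = results[tok] != negate  # XOR applies a pending 'not'
            negate = False
            acc = val if acc is None else (acc and val if op == "and" else acc or val)
    return bool(acc)


def alerts(rule, events, condition=None):
    """IDs of the events the rule fires on; `condition` can override the rule's
    own condition to show what a tuning filter suppresses."""
    return [e["id"] for e in events if evaluate(rule, e, condition)]


if __name__ == "__main__":
    print("tuned rule fires on:", alerts(RULE, EVENTS))                 # [1]
    print("without the filter:", alerts(RULE, EVENTS, "selection"))  # [1, 2]
```

The tuned rule fires only on event 1 (Word spawning hidden encoded PowerShell as a normal user); event 2 matches the selection too but is suppressed by the filter, which is exactly the "reduce false positives without losing the true positive" trade you are graded on. Events 3 and 4 show the two ways a near miss fails: the right child process from the wrong parent, and the right parent spawning the wrong child. Running a rule against a handful of known-good and known-bad events like this before you commit and push saves a pipeline round trip.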
That's it for this blog
Peace ✌️