Skip to main content

Your Techs Have Never Practiced a Breach. Blue Team Labs Fixes That, Free.

Nick Ross2 min read

TL;DR

  • Blue Team Labs is a free Microsoft 365 security training platform built by CloudCapsule, Empath, and Cyberdrain for MSP technicians.
  • Every challenge is a hands-on investigation of simulated evidence modeled on real incidents: sign-in logs, audit logs, email headers, Conditional Access configs, Intune data, and Graph API outputs.
  • Challenges scale from beginner log reading to full tenant compromises across identity, email, data, and devices.
  • Points, badges, and First Bloods give MSP owners a measurable benchmark of which techs have put in the incident-response reps.
  • Season 1 launched March 15, 2026, and the winner takes home a Switch 2.

The first time most MSP technicians trace a phishing attack through audit logs, it is not a drill. It is a real client, a real breach, and a Google search open in the next tab.

That is the industry's default training model: hand a tech the keys to dozens or hundreds of Microsoft 365 tenants, then let production incidents teach them the job. No structured curriculum. No safe place to practice. If you run an MSP, ask yourself what happened the last time one of your techs had to investigate a compromised mailbox or figure out why a Conditional Access policy was not behaving. Did they know exactly what to do, or were they learning live during a breach?

We built Blue Team Labs to close that gap, and it is free.

What is Blue Team Labs?

Blue Team Labs platform home screen

Blue Team Labs (opens in new tab) is a free cybersecurity training platform built specifically for Microsoft 365. Sign up with your Microsoft 365 account or email, create a profile, and start completing challenges immediately.

It is a collaboration between CloudCapsule, Empath, and Cyberdrain, and the whole platform costs nothing to use.

Blue Team Labs is a collaboration between CloudCapsule, Empath, and Cyberdrain

How do the challenges work?

Every challenge opens with a mission briefing that sets the scene: a realistic scenario based on actual attacks seen in the field. From there you get evidence that mimics the real Microsoft 365 admin portals. Sign-in logs. Audit logs. Email headers. Conditional Access configs. Intune data. Graph API outputs. The data looks and feels like a real incident because it is modeled on real incidents.

Then you investigate. The questions test whether you can identify what happened, how the attacker got in, what was affected, and how to fix it. No multiple-choice slides. No passive videos. You do the work.

A Blue Team Labs challenge with mission briefing and investigation evidence

Difficulty scales from beginner, reading sign-in logs for the first time, up to advanced scenarios involving full tenant compromises that span identity, email, data, and devices. A Level 1 tech and a senior security engineer will both find something that pushes them.

A skills benchmark you can actually read

Every completed challenge earns points that accumulate on your profile and the community leaderboard. Badges mark milestones: finishing challenge categories, hitting point thresholds, keeping streaks alive. And if you are the first person anywhere to complete a newly released challenge, you earn a First Blood, a permanent marker that says you got there before anyone else.

Blue Team Labs leaderboard with points, badges, and First Bloods

For MSP owners and managers, this doubles as something the industry has never really had: a measurable benchmark of incident-response skill across your bench. Instead of hoping your techs know what to do when a tenant gets popped, you can see exactly who has put in the reps and who has not.

Season 1 is live

Season 1 launched March 15, 2026, and the winner takes home a Switch 2. Registration is open now.

Sign up at blueteamlabs.ai (opens in new tab) with your Microsoft 365 account or email, build your profile, and run your first investigation today. The points, badges, and First Bloods are waiting.

Frequently asked questions

What does Blue Team Labs cost?

Nothing. The platform is completely free, built as a collaboration between CloudCapsule, Empath, and Cyberdrain. Sign up with a Microsoft 365 account or any email address and start a challenge immediately.

Is Blue Team Labs only for senior security engineers?

No. Challenges range from beginner exercises, like reading sign-in logs for the first time, to advanced scenarios involving full tenant compromises across identity, email, data, and devices. Level 1 techs and senior engineers both have a ladder to climb.

Does it use a real Microsoft 365 tenant?

No tenant required. Each challenge supplies simulated evidence that mimics the real admin portals, so techs can practice investigations without touching production.

Train the techs. Audit the tenants.

Blue Team Labs sharpens your team's incident response. CloudCapsule handles the other half: a 60-second assessment of 250+ controls across every tenant you manage, so fewer of those incidents happen in the first place.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading