Locked Shield 26 | Supporting NATO on a multinational exercise

SBT Content Engineers 01/05/2026
Locked Shields is as close as it gets to a real-world cyber war without it actually happening. This post breaks down what it’s like to support NATO’s largest live-fire exercise, the scenarios we built, and what training at that scale really looks like when pressure, complexity, and realism all come together.

Cybersecurity can be a thankless profession.

I don't mean that as a slight (honestly); I mean it in a practical sense.

You can spend months hardening infrastructure, writing playbooks, upskilling, maybe you’ve passed the BTL1 or BTL2 😉, and sometimes the measure of your success is... nothing happening.

If all goes well, your work can often be invisible. Even if you handle incidents super efficiently and avoid downtime, it often goes unnoticed.

And that’s by design.

Which is why an exercise like Locked Shields is the opposite of that.

So, What is Locked Shields Exactly?

First, I want to provide a bit of background information. CCDCOE do that a little better than me, so here is what they have to say:

"Locked Shields is the world's largest and most complex international live-fire cyber defence exercise, hosted annually by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) since 2010. The exercise aims to strengthen and enhance the cyber defence capabilities of participating nations, promote public, private, and multinational cooperation, and accelerate innovation across the cyber domain."

Live fire. International. Backed by NATO. 35 countries. It represents a realistic model of a massive-scale cyber war: not some average tabletop, but an actual working cyber environment where systems crash, attackers adapt, and teams need to make decisions while under extreme pressure. All of the legal aspects related to crisis communications and strategic coordination are included. The scenarios are based on real threats, using realistic models of both military and civilian infrastructure.

If you’ve ever wanted to understand what a truly coordinated and intense cyber war would look like in practice, then Locked Shields is as close as it gets, short of it actually happening.

A Personal Note on Why This Mattered

I (Seb, Director of Content at SBT) have participated in Locked Shields before, about seven years prior to this, so when we were invited to support the forensics track as a content partner, it wasn't my first time in that environment.

I had a clear idea of exactly the kind of content to deliver to properly challenge the teams. These are some of the sharpest operators in government and defence security across 35 nations. So knowing we were developing content for some of the highest-performing operators gave us both the licence and the expectation to push hard on what we created. These were teams who'd seen everything.

So we cooked.

We were invited as subject matter experts to support the largest multinational live-fire cyber exercise in the world, building bespoke content for operators from these 35 nations. It was one of those rare moments where you get to see the direct output and real-world value of your work materialise in front of you, which was pretty sweet.

So... what did we develop?

Compromise of a CI/CD Pipeline. Attacking the software delivery process itself, targeting the trust chain between development and production. A scenario highly relevant to modern DevSecOps environments and increasingly common in sophisticated intrusions.


Serverless Crypto Mining. Abusing cloud-native compute resources for covert financial gain. Lightweight, difficult to detect, and a scenario that reflected real threat actor behaviour against organisations with elastic cloud footprints.


Supply Chain Scenario with a Custom Mission Planning System. Built around aircraft support systems, this scenario placed participants in the middle of a targeted supply chain attack against critical military infrastructure. This is the category of threat that keeps national security teams awake at night, potentially targeting air-gapped systems.


Recreation of Smartloader. A reconstruction of a real-world malware loader, giving participants the opportunity to work against a realistic threat artefact rather than a sanitised simulation.

Bespoke Malware. Two Variants Worth Talking About:
The first used a 4G dongle as an exfiltration channel, bypassing traditional network monitoring entirely by routing data over mobile infrastructure. Clean, hard to detect at the perimeter, and representative of the kind of creative evasion that well-resourced threat actors actually employ.


The second was arguably the most ambitious piece we built: an AI-powered, multi-stage payload using undocumented Windows internals, custom cryptography, and dynamic code generation for exfiltration. Like most of what we create, it wasn’t theoretical. It functioned: this was a working piece of malware designed to challenge operators who already know what they're doing.

Depth Matters

Having members of our content engineering team who've participated in Locked Shields in previous years, alongside their experience across military environments, means we weren’t guessing at what "realistic" looked like. We knew the operational context. We understood the pressure these teams are under, and we understood what a scenario needs to feel like to be genuinely valuable rather than just technically interesting.

Building content for operators at this level forced us to ask harder questions at every stage of development: Is this scenario too obvious? Would a real threat actor actually do this? Is the forensic trail realistic, or have we inadvertently handed them a clean path through what should be a messy environment? Don’t get me wrong, we go through this process almost every time, but the lead-up to this, and the impact on the NATO teams who learn off the back of it, is immense.

We have to remember, government and national cyber defence is, in many ways, everyone’s problem. It's really easy to view exercises like this as something distant: a government concern, hidden away in classified briefing rooms with little relevance to the day-to-day reality of most individuals.

That couldn’t be further from the truth. Here’s why.

Modern societies don’t run on good intentions alone.

Everything that keeps us moving day to day (infrastructure, power grids, hospitals, water treatment systems, emergency services) is underpinned by digital systems. And all of them are a target. If these systems fail, it’s not just financial; the impact can often be measured in human life.

The HSE ransomware attack in 2021 (something I've spoken about in detail elsewhere) made that reality clear. Ambulance services. Cancer screening. ICU patient records. When Conti hit the Irish health service, the question wasn't "what's our SLA for recovery?" It was "which patients are at immediate risk because we've lost visibility of their care?" Those are the stakes governments are operating at, and they're the stakes that Locked Shields is designed to simulate.

Beyond direct harm, there's a second-order effect that doesn't get discussed enough: trust.

Democratic governments rely on public confidence. When critical services fail, when hospitals go dark, when fuel pipelines shut down, when financial systems freeze, that confidence erodes.

Threat actors targeting government infrastructure aren't always after data. Often the objective is simply disruption itself. Demonstrating that a government cannot protect its own systems is a geopolitical win for an adversary, regardless of what data was or wasn't exfiltrated.

There's also the interdependency problem. Critical national infrastructure doesn't sit inside clean government boundaries. It's operated by a complex web of private contractors, third-party suppliers, and multinational vendors.

The supply chain scenario we built for Locked Shields, targeting aircraft mission planning systems, wasn't a random edge case. It reflected how modern infrastructure actually works and how adversaries actually attack it. A vulnerability in a contractor's environment can be the entry point for an attack on sovereign military capability.

This is also why the multinational dimension of Locked Shields matters so much. Cyber threats don't respect national borders. An intrusion that originates in one jurisdiction, transits infrastructure in three others, and lands in a fifth isn't a problem any single nation can respond to in isolation.

The relationships built in exercises like this, the shared understanding of how different teams operate, the trust between analysts who've worked alongside each other under pressure, all matter.

It’s far better for those things to exist before an active incident, not during one.

My Takeaways

I had more takeaways from Locked Shields than I can fit into a single post, so I’ll leave you with my headline observations.

Scale matters. Not just at the nation-state level, not just for government teams with commercial tooling and military backing, but at every level. The principle is the same whether you're running a two-person SOC or coordinating a multinational response across 35 countries: you have to train the way you fight. As close to reality as you can possibly get!

Controlled environments with sanitised scenarios and no real consequences produce teams that perform well in controlled environments with non-realistic scenarios and no real consequences. That isn’t really how incidents play out. That's where this exercise comes in. It closes the gap and brings real pressure and systems, and the decisions you make have a whole lot of weight.

So not really a surprising lesson, but if I were to put it into one statement it would be “Train hard, exercise at scale”.

And on a personal note - this exercise has grown every single year since I first attended, back when my knees were less achy and my hips were considerably more mobile. The fact that it keeps growing tells you everything about how seriously the people who matter are taking this problem.

About SBT Content Engineers

The Content Engineers at SBT stay on top of the latest industry news and cybersecurity trends, to bring fresh labs, blog content, and free resources for the benefit of our learning community.