CyberDefenders' participation in Locked Shields 2026


CyberDefenders Joins NATO CyberDefense Center for Locked Shields 2026 to Sharpen the Next Generation of Defenders

Bridging the gap between modern cloud security training and real-world cyber defense operations through adversary-driven simulation.

Cyber threats targeting critical infrastructure, national systems, and enterprise environments are no longer edge cases; they are the baseline. Yet most defenders train in environments that lag years behind the adversaries they face. CyberDefenders is proud to be a partner in NATO CCDCOE Locked Shields 2026, the world's largest and most complex live-fire cyber defense exercise, bringing our expertise in hands-on, scenario-driven training to one of the most consequential stages in global cybersecurity.

What is Locked Shields?

Locked Shields is run annually by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) and brings together international blue teams tasked with defending a simulated nation's critical infrastructure against a sustained, coordinated attack. It is not a theoretical exercise. Every decision made on the defense side carries real operational weight. Systems degrade, services fail, and the consequences ripple across interconnected environments in real time.

This year, participating teams faced an especially complex threat landscape: hybrid IT and OT environments, AI-integrated tooling, and attack chains that exploit the trust relationships modern organizations take for granted.

Our Contribution to Locked Shields

At CyberDefenders, we design training that reflects how modern organizations actually operate. Our contribution to Locked Shields 2026 is grounded in that same philosophy: build scenarios that match the complexity of the environments defenders are protecting, not simplified abstractions of them.

The simulation we developed spans a fully configured Azure tenant with hybrid identity and Conditional Access enforcement, an AWS account with production workloads and cross-service role trust, an Active Directory domain with tiered administration, and an AI assistant platform integrated into the developer workflow. The attack chain does not begin with an obvious exploit. It begins with a poisoned skill on an AI assistant marketplace, a realistic foothold that expands by abusing permissions, trust relationships, and architectural decisions organizations make as a matter of normal operations.

From that single entry point, the red team demonstrated a full-chain compromise: MFA bypass across the Azure tenant by abusing hybrid identity trust, lateral movement via cross-account AWS AssumeRole calls using credentials provisioned for legitimate automation, data exfiltration from both AWS S3 and Azure Blob Storage, and finally deployment of a custom APT-style wiper targeting endpoints and cloud storage simultaneously. Nothing in the scenario required a vulnerability that an attacker would not find in the first hours of a real engagement.

The Gap We Chose to Close

We built it this way deliberately. Security teams train against yesterday's threats: malware on endpoints, phishing in inboxes, brute-force attempts at login pages. The threat landscape has moved. Attackers now:

  • Abuse hybrid identity trust to bypass MFA without triggering an authentication challenge.
  • Assume cross-account roles in AWS using credentials that were provisioned for legitimate automation pipelines.
  • Poison AI supply chains, importing a malicious skill through a trusted marketplace to land inside the network without sending a single phishing email.
  • Deploy wipers that reach into cloud storage, not just local disks, blurring the line between ransomware and state-sponsored destructive attacks.

These are not theoretical risks. They are the patterns behind the most significant breaches of the past several years, and the exact attack surfaces that most training programs have not yet caught up to.

Operational Readiness, Not Theory

Participating in Locked Shields is not a capture-the-flag exercise. It is an operational readiness test under pressure, at scale, with real stakes for the teams involved. What defenders gain from working through a CyberDefenders-designed scenario is not a list of techniques or tool names. It is the instinct to recognize when activity that looks normal is not, across an Azure tenant, an AWS account, and a domain-joined enterprise simultaneously.

Concretely, that means learning to identify a legitimate-looking sign-in to an Azure tenant that actually represents an MFA bypass via hybrid identity abuse. It means recognizing a normal-looking AssumeRole call in CloudTrail as the moment an attacker pivoted from cloud to cloud. And it means catching a routine skill import on an AI platform before it becomes a full organizational compromise.

Skills That Transfer to Production

Teams that go through this simulation walk away with something that cannot come from a report or walkthrough: operational clarity about where their visibility actually ends, not where they assume it ends. Specifically, defenders learn to:

  • Correlate Azure sign-in anomalies with AWS CloudTrail API activity and on-premises Active Directory authentication events simultaneously, across platforms and clouds.
  • Identify where Conditional Access policies, IAM role boundaries, and AI tooling trust models hold under adversarial pressure, and where an attacker can walk straight through them.
  • Recognize AI supply chain compromise at the point of ingestion, before a poisoned skill propagates into the broader developer environment.
  • Detect cross-cloud data exfiltration spanning AWS S3 and Azure Blob Storage in a coordinated, multi-stage operation.
  • Respond to wiper deployment that targets both endpoints and cloud storage, requiring a response posture that extends beyond traditional endpoint containment.

Those lessons do not come from reading a report or watching a walkthrough. They come from being in the environment, making decisions under pressure, and seeing the consequences, including which assumptions an attacker can invalidate in minutes.

Our Commitment to the Defender Community

CyberDefenders exists to close the gap between training and operational readiness. The attack surface now includes AI supply chains, hybrid identity infrastructure, multi-cloud storage, and custom adversary tooling that blurs the line between ransomware and state-sponsored destruction. Our community of defenders, analysts, engineers, incident responders, and security leaders deserves scenarios that take the threat as seriously as they do.

Locked Shields is one of the most demanding environments in the world to build for, and that is precisely why we are proud to contribute to it. Partnering with NATO CCDCOE reflects what we have always believed: that meaningful progress in cyber defence comes from realistic, high-fidelity practice, the kind that exposes assumptions, builds instincts, and prepares defenders for the environments they will actually face. Not checkboxes. Not compliance reviews. The first time a security team encounters this kind of attack chain should be in our lab, not in their environment.

We are grateful to NATO CCDCOE for the opportunity to contribute at this level, and to every defender who stepped into the exercise this year. The work you do matters.

About CyberDefenders

CyberDefenders is a hands-on training platform for blue team practitioners, providing realistic, scenario-based labs and exercises designed to build the detection, analysis, and response skills defenders need in modern threat environments.

About NATO CCDCOE

The NATO Cooperative Cyber Defence Centre of Excellence is the leading hub for NATO allies and partner nations to strengthen cyber defence capabilities. Based in Tallinn, Estonia, the Center brings together 39 nations for research, training, and exercises, including Locked Shields.
