In March 2026, Mauno Pihelgas @mpihelgas and Raido Karro took part in the Locked Shields Partners' Run organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The Partners' Run serves as the final rehearsal for the main event of Locked Shields, helping validate the environment and scenarios while still giving participants the full pressure of a live-fire cyber defense event.
It was not our first time taking part in this exercise. Over the years, Raido has participated with the TalTech Cyberdefenders team, while Mauno has joined the joint AI Research Team together with armasuisse, NATO CCDCOE, and the Netherlands Defence Academy. In 2026, according to CCDCOE, the Partners' Run was the largest to date. It brought together 16 Blue Teams from academia, industry, and defense organizations, tasked with defending a simulated national infrastructure against approximately 6,000 cyberattacks.
Those numbers are impressive, but what stays with us is not only the scale. It is also the pace. Any system might be compromised at any moment, and you have to decide quickly what matters most, what can wait, and how to keep services running while the red team keeps pushing.
For us, the value of participating has been consistent over the years. Locked Shields compresses a remarkable amount of learning into a short time. It is not just a technical exercise either. Teams also handle situation reports, cyber threat intelligence, media communication, strategic decision-making, and forensic challenges. The exercise demands the full range of defensive skills, not just endpoint hardening.
Why exercises like this matter
Cyber exercises are valuable because they show how people, processes, and technology behave together under pressure. In a controlled lab, it is easy to assume that playbooks are clear, alerts are actionable, and teams will naturally coordinate. In a realistic exercise, those assumptions are tested immediately.
Locked Shields is especially demanding because it goes well beyond technical incident response. Teams also deal with situation reports, threat intelligence, strategic decision-making, media communication, and forensic analysis. That mix makes the exercise useful not only for analysts and engineers, but for anyone interested in operational readiness.
Recurring participation adds another layer of value. Returning to an exercise like this year after year helps build judgment: when to contain, when to observe, how to avoid self-inflicted service outages, and how to keep the wider team aligned while the pressure keeps rising.

What remains valuable after the scoreboard stops
One aspect that is easy to overlook is the long-term value of the exercise data, which reflects realistic defender decisions, attacker behavior, and the ambiguity that makes cyber defense difficult in practice. Unlike many synthetic datasets, exercise data captures the messy, fast-moving conditions that defenders actually face. Used appropriately, it can support:
- Training and onboarding with realistic material
- Security research based on rich attacker-defender interactions
- Detection engineering and product improvement grounded in evidence from the exercise
In other words, the learning does not end when the exercise ends. A two-day event can continue producing value for months if teams make deliberate use of the data.
Where AI can help in live defense
Another clear takeaway from this year's exercise is that AI is becoming more relevant in operational defense, but only when it is tied to real workflows.

Traditional defensive actions such as blocking attacker IP addresses are often less effective than they used to be. Many attacks, including in the exercise, now originate from distributed cloud infrastructure, where addresses rotate quickly and infrastructure can be recreated in minutes. Defenders still need those controls, but they also need faster ways to analyze signals, enrich findings, and decide what matters now.
This is where realistic exercises become particularly useful for evaluating AI. They create a fast-moving environment with noisy signals, limited time, and real operational tradeoffs, while remaining separate from production. That makes them a strong proving ground for AI-assisted detection and response.
For Mauno, this has been especially relevant through the joint AI Research Team. That team has been experimenting with ML and AI models for years, and participation in Locked Shields has been an excellent way to explore what AI-driven cyber defense agents can actually do in a realistic exercise environment, such as:
- Triaging large volumes of alerts
- Enriching findings with system and threat context
- Prioritizing incidents that are most likely to affect service availability
- Reducing repetitive investigation steps so defenders can focus on decisions
The next step in AI-driven defense is therefore unlikely to be a single general-purpose assistant, but rather several specialized agents working together. One agent might focus on detection, another on enrichment, another on log or packet analysis, and another on remediation guidance. That model becomes even more powerful when agents can share intelligence across systems. In one experiment, several hosts were affected by the same vulnerability. Each agent identified it independently at a slightly different stage, but shared context could have significantly accelerated detection across the environment.
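The shared-context idea from the experiment above, as an added sketch that is not code from the AI Research Team or the exercise: per-host agents publish findings to a common blackboard, and once one agent confirms a weakness, the others learn which hosts to escalate or check. The class, stage names, host inventory and signature label are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

STAGES = ["anomaly", "suspected", "confirmed"]  # assumed investigation stages

@dataclass(frozen=True)
class Finding:
    host: str
    service: str    # service the agent tied the finding to
    signature: str  # agent's label for the weakness (hypothetical)
    stage: str

class SharedContext:
    """Blackboard that per-host agents publish to and read advice from."""

    def __init__(self, inventory):
        self.inventory = inventory             # host -> set of services
        self.by_signature = defaultdict(dict)  # signature -> host -> Finding

    def publish(self, f):
        seen = self.by_signature[f.signature]
        prev = seen.get(f.host)
        # Keep only the most advanced stage reported for each host.
        if prev is None or STAGES.index(f.stage) > STAGES.index(prev.stage):
            seen[f.host] = f
        return self.advice(f.signature)

    def advice(self, signature):
        seen = self.by_signature[signature]
        services = {f.service for f in seen.values() if f.stage == "confirmed"}
        # Hosts with an unconfirmed finding on a service confirmed elsewhere.
        escalate = sorted(h for h, f in seen.items()
                          if f.stage != "confirmed" and f.service in services)
        # Hosts running that service whose agent has reported nothing yet.
        check = sorted(h for h, svcs in self.inventory.items()
                       if h not in seen and svcs & services)
        return {"escalate": escalate, "check": check}

def run_demo():
    # Constructed inventory and findings, not exercise data.
    inventory = {"web1": {"webmail"}, "web2": {"webmail"},
                 "web3": {"webmail"}, "db1": {"database"}}
    ctx = SharedContext(inventory)
    sig = "SIG-EXAMPLE-1"
    steps = [Finding("web2", "webmail", sig, "anomaly"),
             Finding("web1", "webmail", sig, "suspected"),
             Finding("web1", "webmail", sig, "confirmed")]
    return [ctx.publish(f) for f in steps]

if __name__ == "__main__":
    for advice in run_demo():
        print(advice)
```

In the constructed run, the confirmation on web1 promotes web2's early anomaly and flags web3 for a check before its own agent has reported anything, while db1 is left alone.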
Looking ahead
Locked Shields 2026 reinforced a simple lesson for us: if you want to understand how defense really works, you need realistic conditions, time pressure, and consequences for bad decisions. Exercises like this sharpen technical skills, but they also build the judgment and coordination that teams rely on during real incidents.
This is one of the reasons we keep coming back.
That combination of realistic operational pressure and thoughtful experimentation is what makes exercises like Locked Shields so valuable.