A firsthand look at how Locked Shields 2026 tests cyber resilience, critical infrastructure defense, identity-based attacks, and decision-making under real crisis pressure.
What to Expect in this blog:
What Is Locked Shields 2026?
Every year, thousands of cybersecurity professionals from around the world come together for one of the most intense and realistic cyber defence exercises ever created. This is not a tabletop discussion or a scripted demonstration. This is Locked Shields, a live-fire cyber defence simulation where defenders must protect critical services while a determined adversary actively tries to disrupt, compromise, and create chaos.
Locked Shields is an annual international cyber defense exercise where multinational Blue Teams defend simulated national systems against active Red Team attacks across critical infrastructure, military systems, communications, digital services, and operational technology.
Organised by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, Locked Shields has become the largest and most complex international cyber defence exercise in the world. Since its launch in 2010, the exercise has evolved alongside the threat landscape, moving far beyond traditional network defence into the realities nations face today: protecting critical infrastructure, responding to hybrid threats, defending digital identities, maintaining public trust, and making difficult decisions under extreme pressure.
In April 2026, I had the opportunity to take part in Locked Shields from a different perspective, not as a Blue Team defender fighting through the chaos like in previous years, but as an observer focused on understanding how the exercise operates: where teams succeed, where friction slows response, and how future simulations can move even closer to real-world cyber conflict.
After years of defending environments under pressure, this gave me a chance to step back and look at the bigger picture. How do teams collaborate? Where do defenders lose valuable time? What information do decision-makers actually need? And how do we make exercises like this prepare us for the threats we'll face tomorrow?
Because the purpose of Locked Shields is not simply to win. The purpose is to learn.
A Live-Fire Cyber Battlefield Designed to Feel Real
Modern cyber incidents are no longer isolated technical problems. A ransomware attack doesn't stop at encrypted servers. A supply chain compromise doesn't stop at a vulnerable application. A stolen identity doesn't stop at a compromised account. The consequences spread quickly into business operations, public communications, legal decisions, government response, and national resilience. Locked Shields recreates that reality.
During the exercise, multinational Blue Teams are placed into a fictional crisis scenario where they must defend the systems of a nation under attack. They inherit unfamiliar environments, limited time, competing priorities, and an adversary that doesn't wait patiently while they prepare.
The 2026 cyber exercise brought together more than 4,000 participants from 41 nations, forming multinational teams defending critical infrastructure and military systems against thousands of simulated cyberattacks.
The scenario placed defenders in support of a fictional nation, requiring them to protect services across a wide range of sectors:
• Government systems
• Energy infrastructure
• Communications networks
• Military capabilities
• Digital services
• Operational technology environments
• Election and voting systems - new for 2026
But the real challenge isn't simply stopping malware or blocking attacks. The challenge is maintaining trust and keeping a nation running. It is as much about keeping services available as it is about hardening and protecting systems.
How Locked Shields Works: Blue Teams vs. Red Teams
At the centre of Locked Shields is the classic defender-versus-attacker model.
The Red Team represents the adversary. Their objective is to behave like real attackers: finding weaknesses, exploiting vulnerabilities, escalating privileges, disrupting operations, and forcing defenders into difficult decisions.
The Blue Teams represent national cyber defence teams. Their mission is simple to describe but incredibly difficult to achieve: keep systems operational, find the attackers, remove their access, protect critical services, report what is happening, coordinate with leadership, and make the right decisions with incomplete information - just like a real cyber crisis.
The defenders must constantly balance competing tasks. Do they patch a vulnerability, investigate suspicious activity, restore a service, collect forensic evidence, or communicate with leadership? There is never enough time, and that is exactly the point. Real incidents don't happen when your team is fully staffed, fully prepared, and waiting. They happen when everything else is already happening.
Why Locked Shields Goes Beyond Technical Cyber Defense
One of the biggest lessons from Locked Shields is that cyber defence is no longer just about technical skills. Technical excellence still matters. You need people who understand networks, operating systems, cloud environments, identity infrastructure, malware analysis, detection engineering, and digital forensics.
But technology alone doesn't win. The best technical response can fail if communication breaks down. The fastest detection can fail if leadership doesn't understand the impact. The strongest security team can fail if priorities are unclear.
This is where Locked Shields stands apart: teams are tested across many different domains at once. Legal teams must evaluate decisions. Communication teams must handle public messaging. Leadership teams must prioritise actions. Technical teams must defend and recover systems. And everyone has to work together because that's how real incidents unfold. Cybersecurity is a team sport.
From Blue Team Defender to Locked Shields Observer
In previous Locked Shields exercises, I experienced the intensity directly as a Blue Team defender, watching alerts appear, attackers moving through systems, services failing, and everyone trying to understand what was happening while the clock kept moving.
This year was different. My role was to observe, and sometimes observing teaches you even more than participating. Instead of focusing on one system or one problem, I was able to watch how teams operated as a whole: how information flowed between them, how decisions were made, how defenders prioritised actions, where good process helped, where complexity slowed response down, and how tooling supported or overwhelmed defenders.
When you step back, patterns become clearer. Cyber defence is rarely lost because teams don't have enough tools. It is often lost because they don't have enough clarity.
Identity-Based Attacks Are Changing the Cyber Battlefield
One of my biggest observations from this and other real-world incidents is that attackers increasingly don't break in - they log in. The perimeter has changed, and the new battlefield is identity.
Attackers target credentials, privileged accounts, service accounts, API keys, secrets, machine identities, and cloud permissions. Once they gain access, the questions that matter most become: who are they, what access do they have, what can they reach, and how quickly can we contain them?
Traditional security focused heavily on endpoints and networks. Those remain important, but identity has become the control plane that attackers abuse to move through modern environments. During high-pressure exercises like Locked Shields, visibility becomes critical - you cannot protect what you cannot see, and you cannot remove an attacker if you don't know where trust has been abused.
Cyber Resilience Depends on Preparation Before the Crisis
A major lesson from Locked Shields is that response speed is built before the incident happens. During a crisis, you don't rise to the level of your documentation - you fall to the level of your preparation.
The teams that perform well are usually the ones that have already practised the basics: how they communicate, who makes decisions, who has authority, where critical information is stored, how they recover, and how they validate trust again afterward. The middle of an attack is the worst possible time to discover your processes don't work, and Locked Shields creates the pressure needed to expose those gaps safely.
How Future Cyber Defense Exercises Need to Evolve
As an observer, one of my focuses was looking at how exercises like Locked Shields need to keep evolving as the threat landscape changes. A few areas stand out for future scenarios:
- AI-driven threatsAttackers will increasingly use automation, AI-generated phishing, faster vulnerability discovery, and autonomous attack techniques.
- Identity-first attacksFuture scenarios must keep expanding beyond system compromise into trust compromise. The question is no longer just which machine was hacked, it's which identity was abused.
- Machine identities and automationModern environments contain more non-human identities than human users. Service accounts, workloads, APIs, and automation pipelines are becoming major targets.
- Decision-making under uncertaintyFuture defenders must become comfortable making decisions without perfect information, because attackers will never give us perfect conditions.
The Real Victory of Locked Shields: Collaboration
Although Locked Shields includes scoring and rankings, the real value isn't the scoreboard - it's the collaboration. Government, military, industry, and academic teams, spanning dozens of countries and just as many different cultures and approaches, all working toward the same goal: building stronger collective cyber resilience.
Locked Shields 2026 demonstrated that cyber defence is not something any single organisation or nation can solve alone. The exercise brought together thousands of experts across national, public, private, and academic communities to improve collective readiness.
Cyber threats cross borders. Cyber defence has to do the same.
Final Thoughts: Train Like Reality Before Reality Tests You
Locked Shields is one of the closest experiences defenders can get to the pressure of a major cyber crisis without living through an actual incident. Systems fail. Attackers adapt. Information is incomplete. Pressure builds, people get tired, and mistakes happen. That is exactly why it works. Resilience isn't built during calm moments. It's built through practice.
My biggest takeaway from observing Locked Shields 2026 is that the future of cyber defence depends on combining technology, people, communication, and trust. The defenders of tomorrow won't simply be those with the best tools. They will be the teams who understand their environment, protect their identities, collaborate effectively, and make better decisions faster than the adversary.
That is the true mission of Locked Shields: preparing defenders today for the battles of tomorrow.
Prepare for the Next Identity-Driven Cyber Crisis
Locked Shields 2026 showed what happens when cyber defenders are tested under real pressure: systems fail, attackers adapt, decisions get harder, and identity becomes one of the most important control points in the fight.
The lesson for security leaders is clear. Resilience starts before the incident.
In Identity Security Intelligence, Joseph Carson shares practical guidance on how organizations can strengthen identity security, reduce privileged access risk, and prepare for the threats already reshaping modern cyber defense.
Get the Identity Security Intelligence ebook and learn how to build stronger identity security before the next crisis tests your team.
