Locked Shields 2026
Some thoughts on Locked Shields 2026 large-scale live-fire cyber defence exercise
Each year, the NATO Cooperative Cyber Defence Centre of Excellence organizes the Locked Shields live-fire cyber defence exercise. As they nicely describe on their website:
At Locked Shields, the teams must put their skills to the test, protecting the IT systems that keep our everyday life running—including critical infrastructure, air defence and e-voting. The teams demonstrated strong capabilities in detecting and responding to malicious cyber activities.
The key now is to take the lessons identified from the exercise and translate them into real-world readiness, particularly as AI capabilities continue to transform both the defence and attack sides of the cyber domain.
TLPBLACK was part of Romania's team in Blue Team 11, together with Ukraine and the Republic of Moldova. There were a total of 16 Blue Teams, each consisting of 2 or 3 countries. TLPBLACK members were part of System Administration (SA) for Linux systems, and this is our debrief.
TLPBLACK at Locked Shields 2026
During this 2-day live-fire exercise, we had to patch and manage systems that were misconfigured, vulnerable in different and unique ways, or running vulnerable applications. Blue Teams had multiple hours to prepare and harden the VMs in the week prior to the main event. Then, on the first day of the main event, Blue Teams had an initial 30-minute window to patch and harden their systems as much as possible. The Red Team then began probing the environment - identifying vulnerable systems and establishing footholds - in preparation for the second day's full offensive.
An interesting challenge introduced in this year's Locked Shields event was the voting platform, which allowed citizens to vote for their next representatives. TLPBLACK members were in charge of all voting systems, both frontend and backend. On the first day we managed to protect against an attempt from the Red Team to disrupt the voting system. On the second day they managed to gain root access on one of the frontend machines and wiped the bootloader. Interestingly, together with our friends from Threat Hunting Linux, we managed to restore the VM and voting was able to continue.
Overall, we were happy to meet so many familiar and old faces, as well as new ones. We quickly realized that the true aim is not finishing in first place; the real win is all the connections, cooperation and emotions (laughs, tears of joy, anger) we develop during those two days. We met wonderful people from Ukraine, from the Republic of Moldova and from Romania, and we're looking forward to meeting them again soon at another exercise!
The Locked Shields exercise proved (again and again) that the real challenge is not only technical, but also people management. Coordinating a team of more than 300 professionals is not an easy task. However, we believe this is the beauty of this exercise: it creates a safe space to fail, learn, and grow - so that real-world readiness is earned, not assumed. Secondly, the live-fire arena, where seconds matter and mission-critical systems (such as SCADA systems controlling water, electricity, or even voting systems!) have to stay online with as few disruptions as possible, is an environment that few events or exercises manage to simulate at this large scale.
We would like to thank all the people who worked with us late at night, patching, testing, reverting VM snapshots, reversing malware and writing YARA rules. You know who you are :)
Lastly, we would like to thank all the organizers, both from Romania and from the NATO Cooperative Cyber Defence Centre of Excellence, for organizing this event, and we are looking forward to participating in next year's Locked Shields!
Our Home for two weeks. The sky is the limit!