Exeon at Locked Shields 2026: Testing NDR where it matters most
Cybersecurity exercises come in many forms. Most simulate controlled scenarios in isolated environments. Locked Shields is different.
Organized annually by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), Locked Shields is the world’s largest live-fire cyber defense exercise. 41 nations, thousands of participants, and coordinated cyberattacks executed in real time against teams defending critical national infrastructure. There is no safety net. The attacks are real. The pressure is real.
This year, Exeon was proud to support Blue Team 1, the joint team of Switzerland, Germany, Austria, and Luxembourg, throughout the five-day exercise. The team secured 2nd place overall.
Deploying Exeon.NDR in a live-fire environment
Exeon deployed Exeon.NDR across all four nations of Blue Team 1, trained analysts on its use, and provided support throughout the exercise. Under those conditions, the platform detected multiple command-and-control (C2) channels, lateral movement, and confirmed instances of custom malware developed specifically for the scenario by the exercise’s Red Team.
This is what Locked Shields uniquely provides: not synthetic test data, but real attack telemetry generated by skilled adversaries operating under exercise conditions designed to replicate nation-state-grade threats.
As Simon Sommerhalder, Pre-Sales Engineer and AI Innovation Manager at Exeon, reflected after the exercise:
Locked Shields is as close to real nation-state-grade attack conditions as our technology can be tested. The result is a strong validation of Exeon.NDR – and of the analysts who used it under pressure.
Piloting AI-Assisted Network Analysis with โExeonย Wรคchterโย
Beyond the core deployment, Locked Shields 2026 gave Exeon the opportunity to pilot something we have been developing internally: Exeon Wรคchter, a prototype integration of Exeon.NDR with an LLM-powered workflow that allows analysts to query live network telemetry using natural language prompts.
The operational logic behind Exeon Wรคchter is straightforward. During a high-tempo defensive operation, the bottleneck is rarely data – it is the time and cognitive load required to extract meaning from it. Natural language querying removes a layer of friction between detection data and decision-making, allowing analysts to ask questions of their network in real time rather than navigating dashboards under pressure.
Approximately 85 analysts logged in to Exeon Wรคchter during the exercise. Roughly half adopted it actively in their workflow.ย
Key Outcomes
- 2nd place overallย for joint Blue Team 1 (Switzerland, Germany, Austria, Luxembourg).ย
- Detection of multiple C2 channels, lateral movement, and confirmed custom malwareย developed by the Red Team for the exercise.ย
- Successful field pilot ofย Exeonย Wรคchter,ย Exeonโsย LLM-assisted analyst interface, with ~85 users onboarded.ย
- Cross-border deployment and analyst trainingย across all four participating nations of Blue Team 1.
About Locked Shieldsย
Locked Shields is an annual live-fire cyber defense exercise organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia. It is widely regarded as the most complex and realistic exercise of its kind, challenging Blue Teams from participating nations to defend critical national infrastructure against sustained, advanced attacks under realistic conditions. The 2026 edition included 41 nations.
๐๐ฉ๐ฐ๐ต๐ฐ ๐ค๐ฐ๐ถ๐ณ๐ต๐ฆ๐ด๐บ ๐ฐ๐ง Kommando Cyber
