NATO Locked Shields 2026: ExtraHop NDR Powers Joint Cyber Defense Stack
May 27, 2026
In the world’s largest cybersecurity exercise, ExtraHop’s network detection and response (NDR) platform provided critical network visibility — including the decryption of malicious traffic and packet-level forensics.
In April, cyber defenders from 41 nations gathered to repel waves of simulated attacks against fictional national infrastructure. The occasion: Locked Shields 2026, NATO's annual live-fire cyber exercise — and the largest of its kind globally.
In 2026, the exercise convened 4,000+ experts from 41 NATO allied and partner nations, uniting cyber defenders, legal strategists, and communication specialists to protect thousands of virtual systems against sophisticated, persistent offensive operations.
This year's exercise marked a milestone for the Republic of Croatia and the Republic of North Macedonia, which fielded a joint Blue Team for the first time under the leadership of Croatia's Ministry of Defense (MORH).
It also marked a milestone for ExtraHop, which deployed a top expert and the ExtraHop RevealX NDR platform in support of the joint team, alongside industry partners ReversingLabs and Forescout.
Here’s what you need to know about Locked Shields 2026, and three key lessons to carry forward.
A Brief History of Locked Shields
Since 2010, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) has hosted Locked Shields in Tallinn, Estonia. What began as a modest four-nation exercise with 60 participants has scaled into the world’s premier cyber defense event.
What distinguishes Locked Shields from a standard technical exercise is its focus on integrated crisis response. It isn't just a race to patch vulnerabilities; it is a test of how a nation maintains mission continuity under fire.
Blue Teams must defend thousands of virtual systems at a wartime tempo, forcing a synchronized response between technical defenders and the leadership responsible for legal, strategic, and public communication decisions.
To mirror the current threat landscape, the 2026 exercise expanded into high-stakes domains including cloud infrastructure, operational technology (OT), and AI-driven exploits.
Maintaining Mission Continuity Under Fire
Within the initial eight hours, NATO’s Red Team launched hundreds of coordinated attacks against the Croatia–North Macedonia Blue Team, penetrating several defensive layers.
This forced the team into an immediate "fight-through" posture: defenders had to triage compromised systems in real time while simultaneously repelling new waves of attacks to keep critical national infrastructure functional.
By day two or three, the operational tempo shifted. As communication protocols tightened and response processes were refined, the Blue Team regained the initiative. Despite being a debut squad, the joint Croatia-North Macedonia team achieved competitive standings against much more established Blue Teams.
This performance was officially recognized by the Croatian Ministry of Defense, which awarded a Certificate of Appreciation for the critical technical contributions that secured the range.
Real-Time Visibility in the Conflict Zone
Throughout the exercise, the SOC utilized the ExtraHop RevealX NDR platform to maintain a comprehensive view of the attack surface. By providing unified decryption and packet-level forensics, ExtraHop enabled defenders to identify lateral movement and exfiltration attempts that bypassed traditional perimeter defenses.
The real-time network intelligence provided the "ground truth" for the Blue Team’s triage efforts, allowing them to correlate network telemetry with file-based threats and push actionable indicators of compromise (IOCs) into the MISP threat-sharing platform.
Working alongside partners ReversingLabs and Forescout, ExtraHop’s deployment provided the joint team with a specialized defensive stack. While ReversingLabs focused on deep file analysis, ExtraHop provided the full-spectrum visibility required to detect threats in motion.
Through live-fire PCAP analysis, ExtraHop demonstrated how NDR radically compresses the timeline from compromise to remediation.
"Cyber defense at this scale is a team sport," said Sarah Cleveland, Senior Director of Federal Strategy at ExtraHop. "By pairing real-time network visibility with deep forensic analysis, we aren’t just giving defenders more data. We’re giving them the 'home field advantage' needed to outpace nation-state actors."
“Close collaboration by defenders and their tech partners is critical in the real life cyber incidents that Locked Shields emulates,” says ReversingLabs CEO and co-founder Mario Vuksan.
“Locked Shields put real people, real tools, and real pressure together in real‑world scenarios on hybrid networks,” said Barry Mainz, CEO, Forescout. “Forescout was honored to stand shoulder to shoulder with ReversingLabs and ExtraHop to support the joint Croatia–North Macedonia team as they built resilience under fire. The exercise highlighted the importance of comprehensive device intelligence and policy‑driven control — areas where Forescout excels and which become even more powerful when combined with complementary partner capabilities.”
Together, the integration of network detection, asset visibility, and malware analysis provided the joint Blue Team with a modern defensive framework. This collaborative approach proved that when technologies are layered and used complementarily, defenders can maintain a decisive advantage even under the pressure of a coordinated nation-state assault.
Pillars of Defensive Success
The shift in momentum on day two was the result of three specific operational advantages.
1. Compressing the Detection Gap
High-tempo operations are defined by the ability to maintain clear, high-fidelity visibility across the network. It’s the baseline for any effective response.
By surfacing network traffic in real time, defenders could cut through the noise, identify the scope of an intrusion, and prioritize their efforts where they would have the most significant impact on mission continuity.
2. The Strength of an Integrated Defensive Ecosystem
Locked Shields demonstrated that isolated tools are insufficient against sophisticated adversaries. A complete defensive posture requires an ecosystem where network detection and deep forensic analysis work in concert.
This integrated approach creates a unified feedback loop, ensuring that technical intelligence is shared across the stack to identify, analyze, and neutralize threats before they can achieve their objectives.
3. The Power of Preparation
Blue Teams that come in cold get rolled. Success in Locked Shields favored teams that had rehearsed their response processes, pre-tuned their visibility platforms, and trained their operators to communicate under pressure. Those who were ready stood a fighting chance, even against the world’s best Red Team.
Locked Shields 2026 is over, but Locked Shields 2027 is, in a sense, already underway. Congratulations to the Croatian Ministry of Defense, the Armed Forces of North Macedonia, our partners at ReversingLabs and Forescout, and every defender who took part. ExtraHop is honored to have stood with you.

Senior Strategic Advisor - Public Sector
Sarah Cleveland comes to ExtraHop with over 26 years in the Air Force as a career Cyber Officer. Retiring as a Colonel, Sarah has led at the Squadron, Group Commands, and Joint Directorate levels (J6, G6, & A6). She has been responsible for providing cyber operations in garrison as well as deployed (disadvantaged/disconnected environments). Her operational experience includes combat operations in Iraq, Afghanistan, other areas in the Middle East as well as training Colombian and Polish Special Operations Forces in communications tactics, techniques, and procedures. As her final position in the Air Force, Sarah was responsible for the global NC3 (nuclear) sensor network (operations, maintenance, and sustainment) in support of global nuclear monitoring and other organizations. She oversaw emergency action plans for NC3 Continuity of Operations (COOP) as well as facility management and personnel actions for all Air Force Technical Applications Center sites globally.
Sarah joined ExtraHop as the Department of Defense Account Manager. Her Territory is DoD (Services, COCOMs and Agencies). Sarah currently resides in the Tampa/St. Petersburg area.
Key Takeaways
- By combining unified decryption and live-fire PCAP analysis, defenders cut through the noise to establish the ground truth and outpace nation-state actors.
- Sophisticated adversaries cannot be stopped by isolated tools; success requires a layered framework where network detection, asset visibility, and malware analysis work in concert.
- This integrated ecosystem only functions if defenders have real-time network intelligence to capture threats in motion, providing the baseline "ground truth" required to trigger the rest of the security stack.








