RL Joins NATO's Live-Fire Cyber Event

For two punishing days in late April, cyber defenders from 41 nations huddled in front of screens around the globe, repelling waves of simulated attacks against fictional national infrastructure. The occasion: Locked Shields 2026, NATO's annual live-fire cyber exercise — and the largest of its kind in the world. ReversingLabs (RL) was proud to be a part of it.

This year's exercise marked a milestone for the Republic of Croatia and the Republic of North Macedonia, which fielded a joint Blue Team for the first time under the leadership of Croatia's Ministry of Defense (MORH). It also marked a milestone for RL, which deployed four of its top experts and its Spectra Analyze malware analysis platform in support of the joint team— alongside industry partners ExtraHop Networks, Inc. and Forescout Technologies, Inc.

Here’s what you need to know about Locked Shields 2026 — and three key lessons to carry forward.

A Brief History of Locked Shields

Held annually since 2010 by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, Locked Shields has evolved rapidly in recent years. Just four nations and about 60 participants took part in the inaugural event. By 2026, Locked Shields had grown to bring together more than 4,000 participants from 41 NATO Allied and partner nations. They included cyber defenders, legal experts, strategists, and communicators charged with defending thousands of virtual systems against a relentless stream of attacks.

What sets Locked Shields apart from a typical capture-the-flag is its realism. Blue Teams don't just face technical exploits, they wrestle with strategic decision-making, forensic analysis, legal questions, public communications, and coordinated incident response — all at wartime tempo. Each year, the exercise incorporates new domains: cloud, operational technology, AI-enabled attacks, even quantum computing concepts in this year's Strategic Decision-Making track.

A Tough — and Telling — Debut

The first day was, by every measure, brutal. NATO's Red Team launched hundreds of attacks against the Croatia–North Macedonia Blue Team in just eight hours, with many reaching their targets. Like defenders in real world incidents, the Blue Team was challenged to quickly orient themselves and triage the victims of the red team attacks, while also battling new attacks and fighting to keep critical systems and infrastructure functioning. 

"It felt like ‘two steps forward, one step back’ at times, said Hrvoje Samardžić, a threat intelligence researcher at RL who took part in the exercise and served on the Reporting and CTI team. "As one case was solved, three new ones were being opened."

By day two of the exercise, however, things started to look different. Processes had been sharpened, communication tightened, and the Blue Team began to find its footing. By the end of the exercise, the joint Croatia-North Macedonia squad had posted competitive standings against far more experienced Blue Teams — and earned RLRL a Certificate of Appreciation from Croatia's Ministry of Defense for its contribution.

Spectra Analyze Under Fire

Throughout the exercise, the Croatian SOC team relied on RL's Spectra Analyze platform to triage malware samples encountered by the Blue Team — quickly, privately, and without reliance on public sandboxes that could leak sensitive operational data. In several cases, Spectra Analyze extracted full malware configurations, yielding actionable indicators of compromise (IOCs) that defenders pushed into MISP, where they were consumed by intrusion-detection systems for tracking and blocking.

Joining RL at Locked Shields were ExtraHop and Forescout, two partner organizations that were on the ground in Zagreb as well. Both firms held workshops for SOC and network team members and demonstrated their solutions' value against PCAPs collected from the cyber range.

"ReversingLabs is honored to have participated in the 2026 Locked Shields exercise,” said Mario Vuksan, the CEO and co-founder of RL.

“Close collaboration by defenders and their tech partners is critical in the real life cyber incidents that Locked Shields emulates. So is having a comprehensive defensive technology stack like the one RL and our partners at ExtraHop and Forescout are building."

Together, the three vendors gave the joint Blue Team a defensive stack covering network detection, asset visibility, and deep file analysis — critical capabilities that modern SOCs need to navigate today's threat landscape. 

"Cyber defense at this scale is a team sport. By pairing real-time network visibility with deep forensic analysis, we aren’t just giving defenders more data. We’re giving them the 'home field advantage' needed to outpace nation-state actors," says Sarah Cleveland, Senior Director of Federal Strategy at ExtraHop.

“Locked Shields put real people, real tools, and real pressure together in real‑world scenarios on hybrid networks,” said Barry Mainz, CEO, Forescout. “Forescout was honored to stand shoulder to shoulder with RL and ExtraHop to support the joint Croatia-North Macedonia team as they built resilience under fire. The exercise highlighted the importance of comprehensive device intelligence and policy‑driven control — areas where Forescout excels and which become even more powerful when combined with complementary partner capabilities.”

Lessons Worth Carrying Forward

Three clear takeaways from Locked Shields 2026 stand out.

1. Scale and Tooling Matter

Defenders are perpetually outnumbered. Tooling that automates triage — particularly malware analysis that returns IOCs and configurations in minutes rather than hours — is a necessity, not a luxury.

2. Integration is the Next Frontier 

One ambition for the initiative was to wire ExtraHop's and Forescout's network-detection capabilities directly into Spectra Analyze: detect a suspicious file on the wire, submit it for analysis, and receive a reputation verdict back to drive automated blocking. Cyber-range constraints kept that workflow from being fully realized this year — but it points clearly to where defensive operations are heading. Should similar technologies be deployed by potential targets of state sponsored attacks, those organizations would stand a much better chance of turning back attacks like those in the Locked Shields exercise, experts agreed.

3. Preparation is Everything

Blue Teams that come in cold get rolled. Teams that have rehearsed their processes, pre-tuned their tooling, and trained their operators stand a fighting chance — even against the world's best Red Team.

Locked Shields 2026 is over. Locked Shields 2027 is, in a sense, already underway. Congratulations to the Croatian Ministry of Defense, to the Armed Forces of North Macedonia, to our partners at ExtraHop and Forescout, and to every defender who took part. RL is honored to stand with you.