
From Chaos to Coordination: SOC Case Management Insights from Locked Shields 2025

Published on June 3, 2025
Dr. Vaughan Shanks, Co-founder & CEO

Picture this: 213 critical cyber incidents. 48 hours of relentless attacks. A power grid, voting systems, and 5G infrastructure all under siege. Welcome to Locked Shields 2025, NATO's premier cyber defense exercise, where Blue Team 12 faced the ultimate test of enterprise security operations.

Coordinated from Tallinn, Estonia by NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE), Locked Shields 2025 brought together over 2,000 cybersecurity professionals across dozens of international blue teams. In May 2025, Cydarm Technologies provided our SOC Case Management platform to the local contingent of one of these teams, BT12, a diverse group of around 200 specialists from military, academic, and industry backgrounds who defended the fictional nation of Berylia against sophisticated adversaries.

CCDCOE Locked Shields 2025 Exercise Control, in Tallinn, Estonia

What unfolded was not just another tabletop exercise. It was a live-fire drill for cyber incident management under extreme pressure, revealing both the power and the limitations of modern security operations platforms when every second counts. For Cydarm, now in our second year of involvement with Locked Shields, the exercise is the ultimate real-world testing ground: a chance to prove that our SOC Case Management platform can handle the chaos and complexity that breaks traditional incident response systems.

The Challenge of Incident Response at Scale

Locked Shields 2025 showed what happens when cyber defense becomes a wartime operation, and why an ad-hoc approach to incident response crumbles under pressure. Blue Team 12 did not face just one problem. They battled simultaneous attacks across web applications, industrial systems, and network infrastructure. Website defacements hit public services while backdoors infected critical systems. Attackers targeted industrial control systems and compromised firewalls, opening the way for lateral movement across the network.

The coordination challenge was equally brutal. With specialists spread across network security, systems administration, and malware analysis, every incident needed instant routing to the right expert. A SQL injection requires different skills than a compromised firewall or defaced website.

During peak periods, new cases started every few minutes while the team simultaneously investigated ongoing incidents, implemented containment, and documented findings. Email chains and shared spreadsheets simply do not keep pace in this environment.

Cydarm Case Management activity charts showing periods of intense activity during the hours of the exercise

The exercise revealed a fundamental truth: in modern cyber defense, information management is not just infrastructure - it's the difference between coordinated response and complete chaos.

What Worked: SOC Case Management Success Stories

Despite overwhelming pressure, Blue Team 12's case management delivered measurable results. The platform transformed chaos into coordinated cyber defense through systematic incident routing and accountability.

Cross-Team Coordination Excellence

The numbers show that effective case management breaks down silos: 98.5% of incidents were assigned across organizational boundaries, so that the specialist expertise for each threat type handled it. The Cydarm SOC Case Management platform was configured with a hierarchy of almost 50 team organizations, grouped into 5 top-level units under the Blue Team 12 structure.

Network security teams owned firewall compromises and infrastructure attacks. Systems administrators managed server vulnerabilities and application security. Malware analysts tackled suspicious executables and backdoor investigations. This systematic routing meant the right skills addressed each cyber incident immediately.

Key success examples included routing attacks on the SWAT historian (an industrial control system component) to OT specialists, firewall containment requests to network teams, and website defacements to web security experts. Each incident reached the appropriate expertise without delays or confusion.

Using Cydarm Case Management to track response activities

Accountability and Visibility That Scaled

Managing 213 cyber incidents required reliable tracking. Cydarm's case assignment feature delivered 95% accountability: 202 of 213 incidents had a designated owner, so the details of a threat did not slip through the cracks.

Status workflow tracking provided critical leadership visibility during crisis operations. Commanders saw real-time progress across triage, analysis, and containment phases, enabling informed resource allocation decisions when seconds mattered.

The platform created shared situational awareness - teams understood their role in the broader coordinated defense rather than working in isolation. This visibility prevented duplicate efforts and ensured comprehensive threat coverage across all attack vectors.

Cydarm providing visibility across the case load

Optimization Opportunities for SOC Case Management at Scale

The Locked Shields 2025 exercise revealed key areas where even successful case management implementations can achieve greater impact through strategic improvements.

1. Centralized Knowledge Integration

Response procedures and decision protocols scattered across multiple platforms slowed incident resolution when speed was critical. Analysis shows this particularly affected website defacement and SQL injection responses, where analysts needed quick access to remediation procedures. Leading SOCs pre-populate Cydarm's case management platform with integrated playbooks for quick access.

2. Threat Intelligence Utilization

Despite a feature for recording structured threat information (STIX observables) on cases, only a few observables were captured during the exercise. With more proficiency and training, analysts can use Cydarm's observable recording features to create indicators during threat analysis, for rapid export and dissemination.
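To make concrete what "recording observables and exporting indicators" looks like, here is an added example (not Cydarm's code, and not the platform's data model) that converts observables recorded on a case into STIX 2.1 Indicator objects and wraps them in a Bundle ready for dissemination. The case identifier, the observable list and the field names are constructed for illustration; malformed values are reported rather than silently exported, since a bad indicator pushed to partners is worse than none.

```python
"""Convert observables recorded on a case into STIX 2.1 Indicators in a Bundle.

Added example, not Cydarm's code.  CASE_OBSERVABLES is a constructed sample of
what an analyst might record on a defacement case; the record layout is an
assumption for this example, not the platform's schema."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample observables (RFC 5737 documentation IP, reserved TLD).
CASE_OBSERVABLES = [
    {"type": "ipv4-addr", "value": "203.0.113.45", "note": "source of webshell upload"},
    {"type": "domain-name", "value": "cdn-update.example", "note": "C2 beacon"},
    {"type": "file-sha256", "value": "a" * 64, "note": "dropped webshell"},
    {"type": "url", "value": "http://cdn-update.example/up.php", "note": "staging URL"},
]

# STIX pattern templates for the observable types this example supports.
PATTERN_TEMPLATES = {
    "ipv4-addr": "[ipv4-addr:value = '{v}']",
    "domain-name": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "file-sha256": "[file:hashes.'SHA-256' = '{v}']",
}

# Sanity checks so a typo in a case field does not become a shared indicator.
VALIDATORS = {
    "ipv4-addr": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain-name": re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I),
    "url": re.compile(r"^https?://\S+$"),
    "file-sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}


def _stix_ts(dt):
    """STIX timestamps are UTC with millisecond precision and a trailing Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _escape(value):
    """STIX pattern string literals are single-quoted; escape backslash and quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def observable_to_indicator(obs, created, case_id):
    """Build one STIX 2.1 Indicator; raise ValueError for unsupported or malformed input."""
    otype = obs["type"]
    if otype not in PATTERN_TEMPLATES:
        raise ValueError(f"unsupported observable type {otype!r}")
    if not VALIDATORS[otype].match(obs["value"]):
        raise ValueError(f"malformed {otype}: {obs['value']!r}")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": _stix_ts(created),
        "modified": _stix_ts(created),
        "name": obs.get("note") or f"{otype} from case {case_id}",
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERN_TEMPLATES[otype].format(v=_escape(obs["value"])),
        "pattern_type": "stix",
        "valid_from": _stix_ts(created),
        "labels": [f"case:{case_id}"],
    }


def export_bundle(observables, case_id, created=None):
    """Return (bundle, rejected): a STIX Bundle of Indicators plus the
    observables that could not be converted, each with the reason."""
    created = created or datetime.now(timezone.utc)
    objects, rejected = [], []
    for obs in observables:
        try:
            objects.append(observable_to_indicator(obs, created, case_id))
        except ValueError as err:
            rejected.append((obs, str(err)))
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
    return bundle, rejected


if __name__ == "__main__":
    bundle, rejected = export_bundle(CASE_OBSERVABLES, "BT12-0042")
    print(json.dumps(bundle, indent=2))
    for obs, why in rejected:
        print("rejected:", obs, why)
```

The resulting JSON is what a TAXII server or a partner team consumes; the `labels` entry ties each indicator back to the case it came from, so later feedback about a false positive can be routed to the analyst who recorded it.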

3. Automated Workflow Enhancement

Manual processes dominated where automation could have freed analysts for strategic threat hunting. Automation capabilities that went unused were lost force multiplication during peak attack periods, exactly when every efficiency gain counted most.

Preparing for Large-Scale Cyber Defense Exercises

The Locked Shields 2025 experience provides a tactical roadmap for organizations planning similar large-scale cyber defense exercises or enterprise incident response drills.

Pre-Exercise Setup

  • Populate knowledge first: load SOPs, incident playbooks, and response guides directly into your case management platform before operations begin. Blue Team 12's delayed website defacement responses could have been accelerated with pre-loaded remediation procedures accessible within case workflows.
  • Assign platform administrators: designate dedicated case management roles focused on ticket hygiene, deduplication, and case linking. This keeps skilled analysts out of administrative tasks when their expertise is needed for threat analysis.
  • Configure intelligence integration: set up automated cyber threat intelligence context gathering and export beforehand. The underutilization of available threat intelligence shows what happens when integrations aren't prepared in advance.

Exercise Execution

  • Enforce systematic routing: Blue Team 12's 98.5% cross-organizational assignment rate showed that proper specialist routing multiplies effectiveness during high-tempo operations. Design team structures that automatically route incidents to the appropriate expertise.
  • Maintain case linking discipline: train teams to connect related incidents under pressure. Coordinated attacks like systematic website defacements should be immediately recognized as campaigns, not isolated incidents, and grouped together.
  • Monitor real-time metrics: track assignment rates, resolution times, and case linking during operations to identify process breakdowns before they impact response effectiveness.
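The three execution items above (routing by category, linking related cases into a campaign, and watching assignment metrics) fit in one small model. The following is an added example, not Cydarm's code or data model: the team hierarchy, the routing table, the incident categories and the sample case load are all constructed for illustration. It shows how an assignment rate and a cross-organizational assignment rate like the ones quoted in this post are computed, and how a wave of defacements against distinct hosts is grouped as one campaign rather than left as isolated cases.

```python
"""Case routing, campaign linking and live metrics for a large blue team.

Added example, not Cydarm's code.  Team names, categories and SAMPLE are
constructed; the routing table is a hypothetical one for this illustration."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical hierarchy: five top-level units, each owning some sub-teams.
TEAMS = {
    "network": {"NET-FW", "NET-IDS"},
    "systems": {"SYS-LINUX", "SYS-WIN"},
    "web": {"WEB-APPS"},
    "ot": {"OT-ICS"},
    "malware": {"MAL-RE"},
}
UNIT_OF = {team: unit for unit, members in TEAMS.items() for team in members}

# Routing rules: incident category -> owning sub-team.  A category with no
# rule is left unassigned for manual triage rather than guessed at.
ROUTES = {
    "firewall-compromise": "NET-FW",
    "lateral-movement": "NET-IDS",
    "sql-injection": "WEB-APPS",
    "website-defacement": "WEB-APPS",
    "backdoor": "MAL-RE",
    "ics-historian": "OT-ICS",
    "server-vuln": "SYS-LINUX",
}


@dataclass
class Case:
    case_id: str
    category: str
    reported_by: str            # sub-team that opened the case
    target: str                 # affected host or service
    owner: str | None = None
    campaign: str | None = None


def route(case: Case) -> Case:
    """Assign an owner from ROUTES; owner stays None when no rule matches."""
    case.owner = ROUTES.get(case.category)
    return case


def link_campaigns(cases: list[Case], min_targets: int = 2) -> dict[str, list[str]]:
    """Group cases of one category that hit >= min_targets distinct targets
    into a campaign, so a wave of defacements is handled as one incident."""
    by_category: dict[str, list[Case]] = defaultdict(list)
    for case in cases:
        by_category[case.category].append(case)
    campaigns: dict[str, list[str]] = {}
    for category, group in by_category.items():
        if len({c.target for c in group}) >= min_targets:
            name = f"campaign:{category}"
            for c in group:
                c.campaign = name
            campaigns[name] = [c.case_id for c in group]
    return campaigns


def metrics(cases: list[Case]) -> dict[str, float | int]:
    """The numbers a lead watches during the exercise: assignment rate,
    cross-organizational assignment rate, unrouted backlog, linked cases."""
    total = len(cases)
    assigned = [c for c in cases if c.owner]
    # Cross-organizational = owner sits in a different top-level unit than the reporter.
    cross_org = [c for c in assigned if UNIT_OF.get(c.owner) != UNIT_OF.get(c.reported_by)]
    return {
        "total": total,
        "assignment_rate": round(len(assigned) / total, 3) if total else 0.0,
        "cross_org_rate": round(len(cross_org) / len(assigned), 3) if assigned else 0.0,
        "unrouted": total - len(assigned),
        "linked": sum(1 for c in cases if c.campaign),
    }


# Constructed sample case load (not exercise data).
SAMPLE = [
    Case("C1", "website-defacement", "NET-IDS", "www1"),
    Case("C2", "website-defacement", "NET-IDS", "www2"),
    Case("C3", "website-defacement", "SYS-LINUX", "www3"),
    Case("C4", "firewall-compromise", "SYS-WIN", "fw-edge"),
    Case("C5", "ics-historian", "NET-IDS", "swat-hist"),
    Case("C6", "backdoor", "SYS-LINUX", "app7"),
    Case("C7", "sql-injection", "WEB-APPS", "portal"),
    Case("C8", "phishing", "SYS-WIN", "mail"),       # no routing rule -> triage queue
]


def run(cases: list[Case] = SAMPLE):
    """Route every case, link campaigns, and return (campaigns, metrics)."""
    for case in cases:
        route(case)
    return link_campaigns(cases), metrics(cases)


if __name__ == "__main__":
    print(run())
```

Two things the numbers expose that a spreadsheet hides: the `unrouted` count is the triage backlog that needs a dedicated administrator (the "phishing" case here has no rule), and the cross-org rate only counts assigned cases, so a high rate with a low assignment rate still means work is falling through.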

Organizational Design

  • Balance specialization with visibility: structure teams for deep expertise while maintaining leadership oversight. Specialized routing works, but commanders need real-time progress visibility across all incident types.
  • Create tactical-strategic feedback: pattern recognition from linked incidents should rapidly escalate to leadership for broader defensive adjustments, transforming case management into proactive force multiplication.

Prepare using Cydarm playbooks, for consistent, fast cyber incident response

The Bottom Line: Case Management as a Force Multiplier

Locked Shields 2025 showed that case management is not administrative overhead. It is the engine that turns individual expertise into coordinated defense capability.

Blue Team 12's specialists successfully defended critical infrastructure not because they had more people, but because they had better coordination. The platform's cross-organizational routing turned diverse skills into unified response capability, while systematic case assignment ensured no threat fell through operational cracks.

The ROI calculation is stark: without structured case management, the same team would have needed significantly more personnel to achieve equivalent coverage. Manual coordination methods (email chains, spreadsheets, verbal handoffs) cannot scale to enterprise-level attack volumes while maintaining response quality.

More importantly, the exercise demonstrated that case management platforms become force multipliers when properly leveraged. Every efficiency gain frees analysts from administrative tasks to focus on what they do best: threat hunting, analysis, and strategic response.

The organizations that will succeed in tomorrow's threat landscape are not just those with the most skilled people, but those that multiply that expertise through systematic coordination. In modern cyber defense, your case management platform is not just software. It is the operational backbone for turning chaos into coordinated success.

Cydarm Case Management as a force multiplier, coordinating cyber defense at Locked Shields 2025
