Sekoia.io Strengthens Collective Cyber Defense at NATO CCDCOE’s Crossed Swords 2025 Exercise
Summary: Sekoia.io took part in NATO CCDCOE's Crossed Swords 2025 exercise, contributing technology and expertise to validate its defensive capabilities. The exercise simulates a complex cyber-attack environment focused on protecting critical infrastructure and digital sovereignty. Sekoia's SOC platform processed 50 million events and more than 500 alerts, demonstrating its threat detection capability, and improved defensive effectiveness through integration with external tools. 2025-12-18 09:16:50 Author: blog.sekoia.io

Sekoia.io delivered its technology and expertise to the NATO CCDCOE’s Crossed Swords 2025 (XS25) exercise to gather critical insights and validate our defensive capabilities in a military-grade environment. Hosted by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, this Command Post Exercise (CPX) is designed to train military command elements and cyber specialists to successfully plan and conduct both offensive (OCO) and defensive cyber operations (DCO) within a simulated crisis environment. The execution phase of XS25 took place from November 3–7, 2025.

Operating in a Complex Geopolitical Scenario

XS25 leveraged the fictional CCDCOE Berylia scenario, which was enhanced this year with the addition of a new nation, Netoria. The exercise was conducted in two parallel scenarios:

  1. Berylia (BER): An open conflict environment in which the Berylian Defence Forces plan and execute OCO and DCO to disrupt the military and informational capabilities of Crimsonia (CRI).
  2. Netoria (NET): A crisis escalating toward open conflict, in which the Netorian Defence Forces (Netoria being a NATO and EU member) similarly conduct OCO/DCO to impair Crimsonian capabilities and reinforce national sovereignty.

The scenario focused on protecting digital sovereignty from hostile state actors during times of crisis and conflict. Adversarial actions were attributed to Crimsonia-linked groups: GrizzlyStrike, known for espionage targeting military networks and Critical National Infrastructure (CNI); CrimsonGold, which conducts financially motivated attacks linked to the funding of separatist activities; and DarkVortex, which targets CNI sectors such as the power grid, transportation, and water utilities. Protecting CNI is therefore a key operational objective for a country like Netoria.

Sekoia’s contribution to detection and defense

Sekoia.io’s participation focused on providing tooling and expertise for detection, continuing the support we provided in the 2023 edition. As a private-sector participant, we worked within the Threat Hunting track and contributed to the wider DCO response planning process alongside public-sector and military participants.

Our primary role was to support the Threat Hunting (TH) team, composed of cybersecurity professionals from both nations and the private sector. The track aims to enhance participants’ skills at the operational and tactical levels through realistic scenarios and hands-on exposure.

Validating platform performance and next-generation features

The Sekoia SOC Platform was deployed to provide visibility, threat hunting, and detection capabilities for the teams. In this large-scale offensive environment, our platform handled substantial volumes of data:

  • Over 50 million events were collected and ingested from various sources, including the Sekoia Agent, CrowdStrike Falcon EDR and Stamus Suricata.
  • During the attack phase, over 500 alerts were raised in real time, resulting in dozens of investigation cases across a large monitored perimeter.

This performance demonstrates the platform’s robustness in supporting threat hunting operations. As emphasized by CCDCOE in prior years, industry partners introduce the training audience to cutting-edge technologies, and XS25 provided a unique environment to test and validate new platform capabilities. These included:

  • AI Cases (Automated Case Management): Used to streamline analyst workflows.
  • Query Builder: Utilized to facilitate key analysis extraction and refine detections.
  • Retrohunt: Employed on IoC collections to quickly identify past compromises.
  • Sekoia Agent: Provided extended visibility by collecting and normalizing events across workstations.
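The retrohunt bullet above describes matching an IoC collection against events that were already collected. As an added illustration of what that involves (this is not Sekoia's code and does not use the Sekoia platform API), the following Python sketch assumes a simplified ECS-style event shape with dotted field names, and uses a constructed IoC collection and constructed events from the three source types the post mentions. It shows two details a practitioner cares about: shared IoC lists are usually defanged and mixed-case, so both sides must be normalised before comparison, and a domain indicator should also catch subdomains.

```python
"""Retrohunt sketch: match a normalised IoC collection against already-ingested events.
Added example; IoC values, hostnames and event fields are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass


def refang(value: str) -> str:
    """Undo common defanging so 'evil[.]example' compares equal to 'evil.example'."""
    value = value.strip()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


@dataclass
class IocIndex:
    """IoCs bucketed by type and pre-normalised (lowercase, refanged, networks parsed)."""
    domains: set
    hashes: set
    networks: list  # ipaddress networks; a bare IPv4 address becomes a /32


def build_index(iocs):
    idx = IocIndex(set(), set(), [])
    for ioc in iocs:
        value, kind = refang(ioc["value"]), ioc["type"]
        if kind == "domain":
            idx.domains.add(value.lower().rstrip("."))
        elif kind in ("md5", "sha1", "sha256"):
            idx.hashes.add(value.lower())
        elif kind == "ipv4":
            idx.networks.append(ipaddress.ip_network(value, strict=False))
        else:
            raise ValueError(f"unsupported IoC type: {kind}")
    return idx


# Assumed (hypothetical) event field names, ECS-style.
DOMAIN_FIELDS = ("dns.question.name", "url.domain", "destination.domain")
IP_FIELDS = ("destination.ip", "source.ip")
HASH_FIELDS = ("file.hash.sha256", "file.hash.sha1", "file.hash.md5")


@dataclass
class Match:
    ioc: str      # the normalised indicator that fired
    field: str    # the event field it matched on
    event: dict


def retrohunt(idx: IocIndex, events):
    """Scan historical events once and return every IoC hit."""
    hits = []
    for ev in events:
        for f in DOMAIN_FIELDS:
            name = (ev.get(f) or "").lower().rstrip(".")
            labels = name.split(".") if name else []
            # Walk parent suffixes so 'a.b.evil.example' matches IoC 'evil.example'.
            for i in range(len(labels)):
                cand = ".".join(labels[i:])
                if cand in idx.domains:
                    hits.append(Match(cand, f, ev))
                    break
        for f in IP_FIELDS:
            raw = ev.get(f)
            if not raw:
                continue
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue  # malformed or non-IP value, skip rather than crash the hunt
            for net in idx.networks:
                if addr in net:
                    hits.append(Match(str(net), f, ev))
                    break
        for f in HASH_FIELDS:
            h = (ev.get(f) or "").lower()
            if h and h in idx.hashes:
                hits.append(Match(h, f, ev))
    return hits


def hosts_by_ioc(hits):
    """Group hits per indicator so an analyst sees which hosts touched what."""
    out = {}
    for m in hits:
        out.setdefault(m.ioc, set()).add(m.event["host.name"])
    return out


# Constructed IoC collection (defanged, mixed-case; RFC 5737 / RFC 2606 reserved values).
IOC_COLLECTION = [
    {"type": "domain", "value": "update.grizzly-cdn[.]example"},
    {"type": "ipv4", "value": "203.0.113.0/24"},
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
]

# Constructed historical events from the three source types named in the post.
EVENTS = [
    {"event.provider": "suricata", "host.name": "ws-07", "dns.question.name": "telemetry.UPDATE.grizzly-cdn.example."},
    {"event.provider": "crowdstrike", "host.name": "ws-12", "file.hash.sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"event.provider": "suricata", "host.name": "srv-02", "destination.ip": "203.0.113.45"},
    {"event.provider": "sekoia-agent", "host.name": "ws-03", "destination.ip": "198.51.100.7"},  # benign, no hit
]

if __name__ == "__main__":
    for ioc, hosts in hosts_by_ioc(retrohunt(build_index(IOC_COLLECTION), EVENTS)).items():
        print(f"{ioc}: {sorted(hosts)}")
```

Running the script prints one line per indicator with the hosts that touched it; ws-03 never appears because its destination lies outside the indicator network. In a real retrohunt the scan runs over the full retention window of the event store rather than an in-memory list, but the normalisation and suffix-matching logic is the part that decides whether a past compromise is found or silently missed.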

Furthermore, the exercise reinforced the value of seamless integration with external tools, such as Network Detection and Response (NDR) systems, which was essential for effective detection.

Enhancing collective cyber resilience

Crossed Swords 2025 reaffirmed the crucial importance of collaborative exercises in reinforcing collective cyber defense capabilities. The central theme of XS25 was the promotion of a secure and resilient cyber ecosystem achieved through collaboration across civilian, military, and private sector stakeholders.

We, alongside other industry partners, contribute to this ecosystem by providing expertise, evaluating our own technology in high-fidelity offensive environments, and identifying gaps to strengthen detection logic and refine workflows. Exercises like these ensure that defenders constantly learn from evolving tactics and improve their resilience through shared experience.

“Threat hunting is a core component of the Crossed Swords exercise, strengthening defenders’ ability to identify and counter adversaries operating within complex digital environments. The exercise is significantly enhanced through close cooperation with industry partners such as Sekoia, whose capabilities contribute directly to operational realism and effectiveness.” – Major John William Dall, Crossed Swords 2025 Exercise Director

Continued participation in exercises like Crossed Swords, where military and private-sector experts stress-test defensive capabilities against sophisticated threats, mirrors an advanced military supply chain. Just as the battlefield requires the newest equipment to prove reliable, the cyber domain requires the latest detection tools to prove their efficacy under extreme pressure. This is how continuous improvement translates directly into stronger national and collective security.

Read also: https://blog.sekoia.io/detecting-berylian-attacks-sekoia-soc-platform-used-in-nato-ccdoe-crossed-swords-2023/

Article source: https://blog.sekoia.io/sekoia-io-strengthens-collective-cyber-defense-at-nato-ccdcoes-crossed-swords-2025-exercise/