Inside Hack The Box’s contribution to Locked Shields 2026

Hack The Box (HTB) contributed Digital Forensics and Incident Response (DFIR) content to Locked Shields 2026, the world’s largest and most complex international live-fire cyber defence exercise, hosted annually by the NATO Cooperative Cyber Defence Centre of Excellence. The 2026 edition concluded on 24 April and brought together more than 4,000 participants from 41 nations. Across 16 multinational teams, defenders were tasked with protecting critical infrastructure and military systems while responding to 8,000 real-time cyberattacks.

For HTB, this was its first contribution of this kind in recent years and a meaningful step in applying its exercise and training approach in a complex, mission-driven environment. Working within the broader exercise storyline, HTB designed several DFIR challenges for the execution phase and supported the exercise on-site.

“What made the exercise highly realistic was the intensity of the challenges”, said Andi Morris, Director of Defensive Content Engineering at Hack The Box, who provided on-site support during execution. “Cybersecurity teams had to analyse forensic artefacts, answer challenge questions, defend against live attackers, provide situational reports, and keep critical infrastructure online, all at the same time.”

Locked Shields is not a typical technical exercise. It is designed to strengthen cyber defence capabilities, promote public, private, and multinational cooperation, and test how teams perform when technical response intersects with operational pressure, legal considerations, strategic communications, and higher-level decision-making. That is what makes the exercise so valuable. Real cyber incidents do not stay within one team or one workflow. They escalate quickly, force trade-offs, and demand coordination across technical, operational, and leadership layers at once.

The 2026 exercise reflected that reality clearly. Teams were challenged not only by live attacks, but also by the wider demands that come with defending critical systems in a high-pressure environment. In that kind of setting, effective response depends on more than technical skill. It depends on context, coordination, and the ability to make sound decisions while the situation is still unfolding.

HTB’s contribution to Locked Shields 2026 was developed as part of the wider exercise narrative, not as a set of standalone technical tasks. That distinction matters. The exercise is built around the protection of vital services and critical infrastructure that modern societies and military operations depend on, with systems and scenarios designed to reflect authentic risks and real-world conditions. In an environment like that, defenders rarely solve isolated problems. They work with incomplete information, shifting priorities, and decisions that affect the wider response. Training is most effective when it reflects that reality.

For HTB, that meant designing DFIR challenges not just to test whether teams could complete a task, but whether the content felt relevant inside a live, high-pressure environment. The aim was to help defensive teams sharpen incident response, better understand how adversaries operate, identify gaps faster, and work more effectively across functions.

Locked Shields 2026 offers a clear view of where cyber preparedness is heading. As incidents become more complex and defenders operate across technical, operational, legal, and communications layers at once, training needs to reflect that same complexity. HTB’s contribution points to a broader shift in cyber training: the closer training gets to the conditions teams face in real operations, the more valuable it becomes. That means moving beyond isolated tasks and toward scenario-led environments that test how people investigate, adapt, prioritise, and work together under pressure.

“It was a real honour to contribute to the exercise, from building challenges around the wider fictional geopolitical scenario to seeing teams complete them and hearing positive feedback”, Morris added. “With recent defensive team-based launches such as Crisis Control and Threat Range, HTB keeps pushing the limits of cyber defence training and exercises.” 

For HTB, the exercise was not just a contribution to a major event, but a meaningful step in shaping exercises and training for the realities that defenders already face.