Segura on Locked Shields 2026: Lessons in Cyber Defence

Inside the world's largest live-fire cyber defence exercise and what it teaches security leaders about identity, resilience and crisis response.

Modern adversaries rarely act in isolation. They combine ransomware, supply chain compromise, disinformation and identity abuse into coordinated campaigns that overwhelm defenders. Locked Shields 2026, organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), is the global benchmark where blue teams test their ability to defend critical systems under sustained, realistic attack. Segura participated as a partner and brings back lessons that directly impact CISO priorities for the year ahead.

What was announced

Segura published a detailed debrief from Locked Shields 2026, the largest live-fire cyber defence exercise in the world. The event brought together thousands of participants from more than 30 nations, organized into international blue teams defending a fictional country against a full-spectrum cyber assault.

Across roughly 72 hours, teams managed thousands of simulated systems, defended OT environments, responded to legal and media pressure, and coordinated with strategic decision-makers. Segura's experts contributed to identity and privileged access workstreams, sharing observations on what separates high-performing teams from the rest.

Why this matters

For CIOs, CISOs and procurement leaders, Locked Shields is more than a tabletop. It is a stress test of the exact playbooks enterprises rely on during a real crisis. The 2026 edition confirmed three trends already shaping enterprise budgets:

• Identity is the first battlefield: attackers prioritize privileged accounts, service identities and remote vendor access over traditional perimeter breaches.
• Speed of containment beats prevention: the winning blue teams were not those with the most tools, but those with the fastest detection-to-response loop.
• Crisis communication is part of cyber defence: legal, PR and executive coordination directly affected the technical scoring of teams.

Locked Shields shows that resilience is built long before the attack starts. Identity controls, rehearsed playbooks and clear decision rights are what separate recovery from chaos

Technical details

• Scale: over 4,000 virtualized systems, thousands of attack vectors, more than 30 participating nations.
• Duration: approximately 72 hours of continuous live-fire defence.
• Scope: IT, OT, 5G, satellite, financial systems and critical infrastructure simulations.
• Identity focus: privileged account compromise, lateral movement via service accounts, vendor and third-party access abuse.
• PAM relevance: session monitoring, just-in-time privilege, credential rotation and audit trails proved decisive for rapid containment.
• Cross-functional play: blue teams included legal, strategic communications and crisis management roles alongside SOC analysts.

Softprom and Segura

Softprom is the official distributor of Segura. Enterprises and public sector organizations can engage Softprom for licensing, deployment, training and architecture support around Segura's identity-first Privileged Access Management platform.

This content was prepared as part of the Softprom DistriFlow project — an automated system for monitoring and adapting vendor news. Original source: original article.