An analysis by political analyst Tarık Özcan published this week in Meer captures something those of us working in European cyber defense have been living with for years: "NATO today is facing threats of a scale and complexity it has not dealt with before."
The piece, entitled "NATO at the digital frontline," details how cyberattacks, disinformation campaigns, and hybrid warfare tactics are testing the Alliance's collective defense mechanisms in ways that traditional military doctrine never anticipated. It's a comprehensive look at threats ranging from Russian-backed sabotage operations in Poland to AI-driven deepfakes targeting Ukraine, from the systematic "Ghostwriter" campaign in the Baltics to coordinated attacks on critical infrastructure across NATO member states.
Reading through the analysis, I kept recognizing scenarios I've seen our team work through firsthand - not in theoretical conference rooms, but on the digital training grounds of NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia. Since 2016, Stamus Networks has participated in both Locked Shields and Crossed Swords, the two exercises prominently featured in the Meer article as NATO's primary mechanisms for building cyber resilience.
2026 marks our 10th consecutive year of participation. A decade of deploying Clear NDR in live-fire scenarios. A decade of training NATO member state teams on threat hunting and network forensics. A decade of watching these threats evolve from close range and adapting our detection capabilities in response.
The timing of this analysis feels particularly relevant as we plan to celebrate this milestone along with CCDCOE leadership. More importantly, it validates why this work matters – not just for us as a company, but for the government, defense, and critical infrastructure organizations across Europe that depend on proven security solutions in an increasingly hostile digital environment.
The Threats Described Are the Scenarios We Train Against
The Meer article doesn't pull punches in describing what modern hybrid warfare looks like in practice. It details the May 2024 arson attack on a Warsaw shopping mall that destroyed 1,400 businesses – an attack Polish authorities have linked to Russian intelligence. It describes how the HermeticWiper malware was unleashed on Ukrainian organizations in the hours before Russia's 2022 invasion, crippling government systems just as tanks crossed the border. It explains how the disruption of the Viasat satellite network affected not just Ukraine but parts of Europe, demonstrating how cyber operations cascade across borders.
These aren't distant, theoretical threats. They're documented attacks against the same types of infrastructure that NATO exercises are designed to defend.
The analysis notes: "Each year, [CCDCOE] organizes large-scale cyber exercises such as Locked Shields, which test the skills of Allied teams. In the 2023 edition, teams from 38 countries worked together in real time to defend more than 5,500 information systems in a simulated cyberattack."
What that description doesn't convey is the intensity of those scenarios. Locked Shields simulates coordinated attacks on power grids, financial systems, telecommunications networks, and government infrastructure - simultaneously. Teams face DDoS attacks while investigating network intrusions while responding to data exfiltration while dealing with system compromises. All in real time. All while attackers (the Red Team) adapt their tactics based on what defenses are working.
My Stamus Networks colleagues and I have been part of that testing ground since 2016 (and some colleagues began the relationship even earlier). Clear NDR has been deployed in the exercise infrastructure, used by Blue Teams defending simulated national networks and by Yellow Teams monitoring the exercise, and stress-tested under conditions designed to mirror exactly the kinds of attacks the Meer article describes.
When the article mentions "strikes against critical infrastructure are deepened by parallel information operations," it's describing a core design principle of these exercises: cyber operations don't happen in isolation. They're coordinated with other destabilizing and/or kinetic activities. A power grid attack might be accompanied by false reports of broader failures to amplify panic. A financial system intrusion might be paired with disinformation about economic collapse.
This is why network visibility matters so much in these scenarios. When systems are under attack from multiple vectors simultaneously, security teams need to cut through the noise and understand what's actually happening on their networks. They need high-precision detection that doesn't bury them in false positives. They need evidence they can act on immediately. And they need a rich pool of data for real-time threat hunting.
That's what gets tested. That's what improves year after year based on exercise learnings.
Public-Private Partnership Isn't Theoretical - It's Our Reality
One of the strongest themes in the Meer analysis is NATO's need for deeper industry collaboration. The article argues that "hybrid threats are a collective problem, and only a united response can effectively meet them." It calls for NATO to work more closely with technology companies, to leverage private sector expertise, and to build partnerships that strengthen collective defense.
From where we sit, this isn't a future aspiration – it's what we've been doing for a decade.
The article specifically highlights CCDCOE as "NATO's main think tank and training hub in the cyber field" and notes that it "works with contributions from over 30 Allied and partner nations." What it doesn't elaborate on is how industry partners contribute to this ecosystem.
Here's what that partnership looks like in practice:
Technology Deployment: We provide Clear NDR systems to support exercise infrastructure. This isn't a demo environment or a sanitized test bed - it's full production deployment under the most demanding conditions imaginable. When something doesn't work as expected, we find out immediately. When a detection engine misses something or generates noise, Blue, Red, or Yellow Team analysts let us know. This feedback loop has directly shaped our product development for years.
Training Delivery: Our team members deliver training to NATO member state personnel on Suricata-based threat hunting, network forensics methodologies, and NDR deployment best practices. We've trained Red teamers and Blue teamers from militaries, governments, law enforcement, and critical infrastructure operators in countries across Europe on how to extract actionable intelligence from network traffic, how to investigate lateral movement, and how to build detection logic for emerging threats.
Direct Participation: Stamus personnel have participated as members of Yellow Teams (exercise monitoring and control), Blue Teams (defenders), and White Teams (scenario designers) over the years. This gives us insight into how exercises are structured, what challenges defenders face, and how attack scenarios evolve.
Continuous Improvement: After each exercise, we conduct internal debriefs to identify what Clear NDR did well and where it fell short, and we share these learnings in training workshops with our customers. Detection algorithms get updated. User interfaces get refined. Workflow and integration improvements get prioritized. The product that exists today has been shaped by hundreds of hours of real-world stress testing in environments that most vendors never experience.
The article argues that "combating AI-driven disinformation will require not just technical solutions but also educated citizens and close cooperation between governments and the private sector." This is exactly the model these exercises demonstrate: government cyber teams working alongside industry experts, sharing knowledge, testing capabilities, and building collective resilience.
It's worth noting what this partnership isn't: We're not selling to NATO. We're not lobbying for procurement contracts. We're contributing expertise and technology to strengthen the Alliance's collective defense capabilities - which ultimately benefits the security posture of member states and, by extension, the organizations within those states that depend on robust cyber defense.
That's the kind of public-private collaboration the article calls for. And it's been our reality since 2016.
The Eastern Flank Needs More Than Awareness - It Needs Proven Solutions
The Meer analysis dedicates significant attention to the Baltic states and Poland, noting that "Russia's hybrid methods are tested most intensively in the eastern flank countries." It describes the systematic "Ghostwriter" campaign that infiltrated Lithuanian and Polish media outlets to publish fabricated stories designed to undermine trust in NATO. It details how Russian-speaking minorities in Latvia, Lithuania, and Estonia are targeted with pro-Kremlin propaganda. It explains how geography and history make these countries primary targets.
What resonates deeply is that these exercises - Locked Shields and Crossed Swords - take place in Tallinn, Estonia. Right in the heart of the region facing the most intense hybrid warfare pressure. And we have a development office in Tallinn.
This isn't coincidental. CCDCOE opened in Tallinn in 2008, the year after Estonia experienced one of the first large-scale, politically motivated cyber campaigns in history - weeks of DDoS attacks that knocked government, banking, and media websites offline. The lesson Estonia learned, and subsequently shared with NATO, was that cyber defense requires constant preparation, not reactive responses after attacks have already succeeded.
The article notes that Baltic states are "trying to build their own resilience against information warfare" through digital literacy programs, volunteer fact-checking groups, and multilingual media initiatives. What it doesn't mention is that organizations in some of these same countries are also deploying battle-tested security technologies validated through the exercises happening in their backyard.
There's something powerful about battle-testing network security solutions in the same region that faces daily hybrid warfare attempts. It's not an abstract exercise conducted in a neutral location. It’s capability development happening where capabilities matter most.
For government and defense organizations in Poland, the Baltics, Romania, and other NATO frontline states, this matters. When evaluating network security vendors, they're not just comparing feature lists - they're assessing whether solutions have been proven under conditions that mirror their threat environment.
Can your NDR system perform when under sustained attack from sophisticated adversaries? Has it been tested in scenarios designed to replicate nation-state level threats? Do the people deploying and operating it have experience hunting threats in high-pressure environments?
These are legitimate questions for organizations operating on the digital frontline. And they're questions that a decade of NATO exercise participation helps answer.
The article describes how Lithuania created volunteer "elf" groups to fight disinformation online, how Estonia added digital literacy to school curricula, and how Latvia uses multilingual media to reach Russian-speaking citizens. These are crucial resilience measures. But resilience also requires the technical capability to detect when your networks are being infiltrated, to investigate suspected intrusions with confidence, and to respond before small compromises become major breaches.
That's where proven network security capabilities become part of the resilience equation.
What 'Full-Spectrum Defense' Actually Requires
Perhaps the most important section of the Meer analysis is its conclusion, which argues that "NATO must build a full-spectrum defense and deterrence strategy for the digital frontline." The article calls for clear red lines, coordinated responses, permanent hybrid threat task forces, and significantly more investment in social resilience.
From our technical perspective, full-spectrum cyber defense requires several foundational capabilities:
1. Comprehensive Network Visibility
You can't defend what you can't see. The article describes attacks that combine malware deployment, DDoS operations, data exfiltration, and system sabotage - often simultaneously across multiple network segments. Defenders need visibility into East-West traffic (lateral movement between systems), North-South traffic (external communications), the metadata of encrypted sessions (TLS server names, certificates, and fingerprints, even when the payload can't be inspected), and cloud workloads. They also need visibility into the activity of network devices, operational technology, and industrial control systems - assets that rarely run an agent and are therefore invisible to endpoint-centric controls like EDR.
This is where Clear NDR's architecture matters. Built on Suricata - the open-source network security engine that powers defenses for governments and critical infrastructure globally - Clear NDR provides the depth of network visibility that exercises consistently prove is necessary. Not just alerts. Not just logs. But actual network evidence (protocol transaction records and packet captures) that analysts can investigate, correlate, and act upon.
The article mentions that "Ukraine became a model of digital resilience" by rapidly repairing infrastructure and maintaining communications even under sustained attack. That resilience depends partly on having visibility into what's being attacked, how attacks are evolving, and whether defensive measures are working.
2. Precision Threat Detection
One of the harsh lessons from NATO exercises is that alert fatigue is as dangerous as missing threats entirely. When Blue Teams are buried in false positives, they miss the real intrusions hidden in the noise. The article touches on this when discussing how "AI can expand disinformation both in scale and sophistication." The same principle applies to cyberattacks. Attackers are getting better at blending malicious activity into normal traffic patterns.
Clear NDR's approach to this problem is what we call "Declarations of Compromise" - high-confidence alerts that identify serious threats with the evidence to back them up. Not thousands of low-confidence indicators. Not generic vulnerability notices. But specific, actionable findings that say "this behavior is malicious, here's why, and here's what you need to investigate."
This matters enormously in the kinds of scenarios NATO exercises present. When you're defending against coordinated attacks from skilled adversaries, you need detection you can trust.
3. Network Forensics Capability
The Meer article describes how investigations into incidents like the Warsaw arson or the Ghostwriter campaign require detailed forensic analysis to attribute attacks and understand their scope. The same applies to cyber incidents. When a compromise is detected, defenders need to answer critical questions: How did attackers get in? How long have they been here? What systems did they access? What data was exfiltrated? Are there other footholds we haven't found yet?
This requires rich network forensics - the ability to reconstruct attacker behavior from network evidence, to pivot from one indicator to related activity, and to build a complete picture of the incident timeline.
In Locked Shields scenarios, Blue Teams face exactly these challenges. An initial detection might reveal one compromised system, but the real question is whether it's part of a broader campaign. Forensics capability determines whether teams can answer that question quickly or spend critical hours in the dark.
Clear NDR's emphasis on evidence - captured packets, full transaction logs, enriched host metadata (e.g. Host Insights) - supports this kind of investigation. It's why our training sessions at NATO exercises focus heavily on forensics methodologies, not just alert response.
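As an added illustration of the two habits described in points 2 and 3 above, the script below works through a handful of constructed Suricata EVE JSON records (the log format Clear NDR's Suricata engine emits): it pivots from a single indicator (a domain name) to every flow that touched it, pivots from an alert's flow_id to the DNS, TLS and flow records of the same connection, builds a per-host timeline, and applies a simple escalation rule so that repeated low-priority noise on one host never drowns out a host with several distinct high-severity signatures. This is example code written for this post, not code from the original page or from Stamus Networks' product; the sample records, IP addresses, signature names and thresholds are constructed assumptions, and the escalation rule is an illustration of the principle, not a description of how Declarations of Compromise are actually produced.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed Suricata EVE JSON records (not real exercise data). The field names
# follow Suricata's EVE schema: event_type, flow_id, timestamp, src_ip, dest_ip,
# alert.signature / alert.severity (1 = most severe), dns.rrname, tls.sni,
# http.hostname, flow.bytes_toserver / flow.bytes_toclient.
EVE_SAMPLE = r"""
{"timestamp":"2026-04-01T10:00:01.000000+0000","flow_id":101,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"update-cdn.example.net"}}
{"timestamp":"2026-04-01T10:00:02.000000+0000","flow_id":102,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","tls":{"sni":"update-cdn.example.net","ja3":{"hash":"deadbeef"}}}
{"timestamp":"2026-04-01T10:00:02.500000+0000","flow_id":102,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature":"ET MALWARE Suspicious TLS Fingerprint","severity":1,"signature_id":2000001}}
{"timestamp":"2026-04-01T10:00:03.000000+0000","flow_id":103,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"ET POLICY SMB Admin Share Access","severity":2,"signature_id":2000002}}
{"timestamp":"2026-04-01T10:00:04.000000+0000","flow_id":104,"event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.53","alert":{"signature":"ET INFO DNS Query to .cloud TLD","severity":3,"signature_id":2000003}}
{"timestamp":"2026-04-01T10:00:05.000000+0000","flow_id":105,"event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.53","alert":{"signature":"ET INFO DNS Query to .cloud TLD","severity":3,"signature_id":2000003}}
{"timestamp":"2026-04-01T10:00:06.000000+0000","flow_id":102,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","flow":{"bytes_toserver":4096,"bytes_toclient":512}}
"""


def parse_ts(ts):
    """Suricata timestamps look like 2026-04-01T10:00:01.000000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def load_events(text):
    """Parse newline-delimited EVE JSON and return records in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: parse_ts(e["timestamp"]))


def summarize(e):
    """One-line description of a record, used for timelines and indicator pivots."""
    t = e["event_type"]
    if t == "alert":
        return e["alert"]["signature"]
    if t == "dns":
        return e["dns"].get("rrname", "")
    if t == "tls":
        return e["tls"].get("sni", "")
    if t == "http":
        return e["http"].get("hostname", "")
    if t == "flow":
        f = e["flow"]
        return f"{f.get('bytes_toserver', 0)}B out / {f.get('bytes_toclient', 0)}B in"
    return ""


def pivot_on_indicator(events, value):
    """Every DNS/TLS/HTTP record naming the indicator: one IOC -> related flows."""
    return [e for e in events
            if e["event_type"] in ("dns", "tls", "http") and summarize(e) == value]


def pivot_on_flow(events, flow_id):
    """Every record (protocol metadata, alerts, flow summary) sharing one flow_id,
    which is how an alert is tied back to the connection that raised it."""
    return [e for e in events if e.get("flow_id") == flow_id]


def host_timeline(events, host_ip):
    """Chronological (timestamp, event_type, summary) rows involving a host."""
    return [(e["timestamp"], e["event_type"], summarize(e))
            for e in events if host_ip in (e.get("src_ip"), e.get("dest_ip"))]


def escalate(events, max_severity=2, min_distinct=2):
    """Illustrative escalation rule (an assumption for this example, not Stamus's
    logic): a host is escalated only when at least min_distinct *different*
    signatures at severity <= max_severity fired with it as source. Repeated
    copies of one low-priority signature never escalate on their own."""
    sigs = defaultdict(set)
    for e in events:
        if e["event_type"] != "alert":
            continue
        if e["alert"]["severity"] <= max_severity:
            sigs[e["src_ip"]].add(e["alert"]["signature"])
    return {host: sorted(s) for host, s in sigs.items() if len(s) >= min_distinct}


if __name__ == "__main__":
    evts = load_events(EVE_SAMPLE)
    print("Escalated hosts:", escalate(evts))
    for host in escalate(evts):
        print(f"\nTimeline for {host}:")
        for ts, kind, what in host_timeline(evts, host):
            print(f"  {ts}  {kind:<6} {what}")
        print("Flows touching update-cdn.example.net:",
              sorted({e["flow_id"] for e in pivot_on_indicator(evts, "update-cdn.example.net")}))
```

On the sample data only 10.0.0.5 is escalated: it has two distinct signatures at severity 1 and 2, while 10.0.0.8's two alerts are copies of one severity-3 signature and stay in the noise. Pivoting on the domain returns flows 101 and 102, and pivoting on flow 102 lines up the TLS handshake, the alert it triggered and the flow summary (4 KB out, 512 B in) in one view, which is the kind of evidence-backed picture an analyst needs before deciding whether the SMB admin-share access on 10.0.0.9 is lateral movement from the same intrusion.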
4. Transparency Over Black Boxes
The article doesn't address this directly, but it's implicit in the discussion of democratic values and resilience. Organizations defending critical infrastructure for democratic societies need security tools they can understand, customize, and control. They can't afford vendor lock-in to proprietary systems where detection logic is hidden, customization is limited, and migration is expensive.
This is especially true for government and defense organizations that face regulatory requirements, sovereignty concerns, and long-term operational independence needs.
Clear NDR's foundation in open-source Suricata reflects a deliberate architectural choice: transparency, customization, and user control over proprietary black boxes. Detection logic - the Suricata rules and the engine that evaluates them - is visible and editable, so analysts can read exactly why an alert fired and tune or extend the rule set themselves. Data pipelines are documented. Integrations are standards-based. Organizations maintain control over their security infrastructure.
In NATO exercise contexts, this architectural approach matters because different member states have different requirements, different existing tool sets, and different operational preferences. A transparent, flexible NDR platform can adapt to those environments. A rigid, proprietary system can't.
From Validation to Real-World Defense
The Meer analysis concludes with a powerful reminder: "Wars in the 21st century often begin long before tanks or missiles appear—they start at keyboards and behind cameras. The Alliance must stay alert and adapt quickly to the enemy's tactic of 'capturing minds first.'"
For those of us who've spent a decade participating in NATO's efforts to build cyber resilience, this resonates deeply. The threats are real. The adversaries are capable. The stakes are high.
What the article calls for - proven solutions, genuine public-private partnerships, battle-tested capabilities - is exactly what the NATO CCDCOE exercise program has been developing for years.
Our 10-year participation milestone isn't just about longevity. It's about accumulated learning. It's about relationships built with cyber defense professionals from across NATO member states. It's about technology that's been refined through hundreds of hours of operational testing. It's about contributing to the collective defense mission in a tangible, meaningful way.
For government, defense, and critical infrastructure organizations across all European NATO countries - particularly those on the eastern flank described so vividly in the Meer analysis - the question isn't whether cyber threats will intensify. The article makes clear they will. The question is whether your network security capabilities are proven under the kinds of pressure you're likely to face.
Certifications matter. Compliance frameworks matter. Vendor claims matter.
But nothing validates capability quite like a decade of battle-testing at the world's most demanding cyber defense exercises, in partnership with NATO's accredited cyber defence centre of excellence, in the region facing the most intense hybrid warfare pressure.
That's not a marketing claim. That's our reality. And in 2026, as we mark this 10-year milestone, we're honored to continue supporting NATO's mission to defend the digital frontline.
About Stamus Networks' NATO CCDCOE Participation
Since 2016, Stamus Networks has partnered with NATO's Cooperative Cyber Defence Centre of Excellence to support Locked Shields and Crossed Swords exercises. Our contributions include:
- Technology deployment: Clear NDR systems supporting exercise infrastructure
- Training delivery: Threat hunting and network forensics training for NATO member states
- Direct participation: Team members serving on Yellow, Blue, and White teams
- Continuous improvement: Exercise learnings directly informing product development
Learn more about our NATO participation at https://www.stamus-networks.com/nato-ccdcoe-participation
Resources for Government & Defense Organizations
Interested in discussing how battle-tested NDR capabilities apply to your network defense requirements?
- Request a consultation: Connect with our team to discuss NATO-validated capabilities for your environment - Contact us
- Schedule a demonstration: See how Clear NDR provides the visibility, detection, and forensics capabilities proven in NATO exercises - Request demo
- Download our NATO exercise report: Get detailed insights into lessons learned from a decade of participation (available soon)
- Explore our government solutions: Learn how Clear NDR addresses compliance, sovereignty, and operational requirements for government and critical infrastructure - Solutions page
Related Reading:
- NATO at the digital frontline - Meer Magazine analysis
- Clear NDR: The Network Intelligence Foundation for AI-Powered Security Operations
- Replace Your Legacy Intrusion Detection System
- Achieve Regulatory Compliance with NDR