
Elastic on Defence Cyber Marvel 2026: A Technical Overview from the Exercise Floor

Elastic provided the core defensive security platform and AI capabilities for the UK Ministry of Defence's Defence Cyber Marvel 2026 (DCM26) cyber exercise. The deployment featured a highly scalable, multi-tenanted Elastic Cloud architecture managed via Terraform, integrating advanced AI assistants and automated workflows to support 40 defending Blue Teams.

Confidence: low | Analyzed: 2026-04-09 | Category: reports

Source:Elastic Security Labs

Key Takeaways

  • Elastic deployed a multi-tenanted Elastic Cloud architecture to support 40 Blue Teams during the UK MoD's Defence Cyber Marvel 2026 (DCM26) exercise.
  • The infrastructure was managed entirely as code using Terraform, handling up to 800,000 events per second across 5,000 virtual systems.
  • Advanced AI capabilities were integrated using AWS Bedrock, including Elastic AI Assistant, Attack Discovery, and custom role-based AI agents (GrantPT, REDRock, RefPT).
  • Real-time monitoring of exercise communications was achieved using sentiment analysis and named entity recognition (NER) on RocketChat data.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No detection rules are provided as this article is a technical overview of a cyber exercise infrastructure.

Detection Engineering Assessment

  • EDR Visibility: High — Elastic Defend was deployed across the exercise range to provide Endpoint Detection and Response capabilities, logging process events and system telemetry.
  • Network Visibility: High — Network visibility was achieved through Elastic integrations and full packet capture provided by Endace.
  • Detection Difficulty: N/A — This article describes a cyber exercise platform, not a specific threat to be detected.

Required Log Sources

  • logs-system.auth
  • logs-system.syslog
  • logs-endpoint.events.process
  • logs-windows.forwarded
  • logs-auditd.log

Hunting Hypotheses

  • Hypothesis: Adversaries may utilize command and control frameworks to establish persistent communication channels and beacon out to external infrastructure (T1071.001).
  • Telemetry: Network traffic, endpoint network connections
  • ATT&CK Stage: Command and Control
  • FP Risk: Medium

Recommendations

Immediate Mitigation

  • N/A

Infrastructure Hardening

  • Utilize Infrastructure as Code (IaC) tools like Terraform to manage and scale security deployments efficiently.
  • Implement strict Role-Based Access Control (RBAC) and data isolation in multi-tenant security environments.

User Protection

  • N/A

Security Awareness

  • Participate in realistic, force-on-force cyber exercises to enhance readiness, interoperability, and resilience.
  • Provide hands-on training for security analysts on enterprise-grade tooling prior to live operations.