
Cyber Defence: CDMCS Exercise Integration

CDMCS (Cyber Defence Monitoring Course System) is the exercise infrastructure platform developed by the CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence) in Tallinn, Estonia.

Module metadata

Source reference

content/modules/cyber-defence-cdmcs-exercises.md

Last updated

18 March 2026

Category

Core modules

Content checksum

fd176865f8491b0f

Tags

modules

Rendered documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

CDMCS (Cyber Defence Monitoring Course System) is the exercise infrastructure platform developed by the CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence) in Tallinn, Estonia. It provides the blue team monitoring and alerting framework used in NATO-affiliated cyber defence exercises including Crossed Swords and the technical track of Cyber Coalition. Argus integrates with CDMCS to pull live and post-exercise alert and event data into Argus workflows, bridging exercise environments and real-world operational platforms.

Key Features

Exercise and Alert Synchronisation

Sync CDMCS exercises and their associated alerts into Argus via syncCdmcsExercise and syncCdmcsAlerts. The fetch_cdmcs_exercise and fetch_cdmcs_alerts clients connect to a remote CDMCS REST API endpoint, retrieve exercise metadata and alert records, and persist them to PostgreSQL. Each sync is logged as an interop ingest audit entry.

Exercise Inventory Management

Query exercise records via cdmcsExercises with optional filtering by status (planned, active, completed). Exercise records include name, start/end timestamps, team assignments, and alert counts. This allows Argus to serve as a unified post-exercise analysis platform across multiple simultaneous exercises.
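The following is an added example, not Argus project code, that models the two features above end to end: the syncCdmcsExercise and syncCdmcsAlerts flow (fetch from the remote API, upsert into the store, write an interop ingest audit entry) and the organisation-scoped cdmcsExercises inventory query with its status filter. The CDMCS REST response shape, the endpoint paths, the table layouts and the sample records are all constructed for this example, and an in-memory SQLite database stands in for the PostgreSQL store.

```python
# Added example, not Argus project code: a minimal model of the
# syncCdmcsExercise / syncCdmcsAlerts flow and the status-filtered
# cdmcsExercises inventory query.
# Assumptions: the CDMCS REST response shape, endpoint paths and table
# layouts are constructed here; SQLite in memory stands in for PostgreSQL.
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample data standing in for responses from the remote CDMCS REST API.
SAMPLE_EXERCISE = {
    "id": "ex-42", "name": "Sample exercise", "status": "active",
    "start": "2026-03-01T08:00:00Z", "end": "2026-03-05T17:00:00Z",
    "teams": ["blue-1", "blue-2"],
}
SAMPLE_ALERTS = [
    {"id": "a-1", "exercise_id": "ex-42", "source": "suricata", "severity": "high",
     "event_type": "network", "raw": {"dest_ip": "203.0.113.7", "proto": "tcp"}},
    {"id": "a-2", "exercise_id": "ex-42", "source": "wazuh", "severity": "medium",
     "event_type": "host", "raw": {"sha256": "0" * 64}},
    {"id": "a-3", "exercise_id": "ex-42", "source": "zeek", "severity": "low",
     "event_type": "anomaly", "raw": {"note": "beaconing interval"}},
]


def offline_fetch(path):
    """Stand-in for the fetch_cdmcs_* HTTP clients; serves the constructed data above."""
    routes = {"/exercises/ex-42": SAMPLE_EXERCISE,
              "/exercises/ex-42/alerts": SAMPLE_ALERTS}
    if path not in routes:
        raise LookupError(f"CDMCS endpoint not found: {path}")
    return routes[path]


SCHEMA = """
CREATE TABLE cdmcs_exercises (id TEXT PRIMARY KEY, org TEXT, name TEXT, status TEXT,
                              start_ts TEXT, end_ts TEXT, teams TEXT);
CREATE TABLE cdmcs_alerts (id TEXT PRIMARY KEY, exercise_id TEXT, source TEXT,
                           severity TEXT, event_type TEXT, raw TEXT);
CREATE TABLE interop_ingest_audit (ts TEXT, org TEXT, source TEXT, action TEXT,
                                   record_count INTEGER);
"""


def open_store():
    """In-memory SQLite standing in for the PostgreSQL store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _audit(conn, org, action, count):
    # Every sync leaves an interop ingest audit row, scoped to the organisation.
    conn.execute("INSERT INTO interop_ingest_audit VALUES (?, ?, ?, ?, ?)",
                 (datetime.now(timezone.utc).isoformat(), org, "cdmcs", action, count))


def sync_cdmcs_exercise(conn, org, exercise_id, fetch=offline_fetch):
    """Pull one exercise's metadata and upsert it; re-running is idempotent."""
    ex = fetch(f"/exercises/{exercise_id}")
    conn.execute(
        "INSERT OR REPLACE INTO cdmcs_exercises VALUES (?, ?, ?, ?, ?, ?, ?)",
        (ex["id"], org, ex["name"], ex["status"], ex["start"], ex["end"],
         json.dumps(ex["teams"])))
    _audit(conn, org, "syncCdmcsExercise", 1)
    conn.commit()
    return ex["id"]


def sync_cdmcs_alerts(conn, org, exercise_id, fetch=offline_fetch):
    """Pull the exercise's alerts as structured rows; raw data is kept as JSON text."""
    alerts = fetch(f"/exercises/{exercise_id}/alerts")
    rows = [(a["id"], a["exercise_id"], a["source"], a["severity"],
             a["event_type"], json.dumps(a["raw"])) for a in alerts]
    conn.executemany("INSERT OR REPLACE INTO cdmcs_alerts VALUES (?, ?, ?, ?, ?, ?)", rows)
    _audit(conn, org, "syncCdmcsAlerts", len(rows))
    conn.commit()
    return len(rows)


VALID_STATUS = ("planned", "active", "completed")


def cdmcs_exercises(conn, org, status=None):
    """Organisation-scoped inventory query with the optional status filter."""
    if status is not None and status not in VALID_STATUS:
        raise ValueError(f"unknown status {status!r}")
    sql = ("SELECT e.id, e.name, e.status, e.start_ts, e.end_ts, e.teams, "
           "(SELECT COUNT(*) FROM cdmcs_alerts a WHERE a.exercise_id = e.id) "
           "FROM cdmcs_exercises e WHERE e.org = ?")
    params = [org]
    if status is not None:
        sql += " AND e.status = ?"
        params.append(status)
    return [{"id": r[0], "name": r[1], "status": r[2], "start": r[3], "end": r[4],
             "teams": json.loads(r[5]), "alert_count": r[6]}
            for r in conn.execute(sql, params)]


def audit_actions(conn, org):
    """Audit trail for one organisation, oldest first: (action, record_count) pairs."""
    return [(r[0], r[1]) for r in conn.execute(
        "SELECT action, record_count FROM interop_ingest_audit WHERE org = ? ORDER BY rowid",
        (org,))]
```

Two design points carry over to a real deployment: the upsert keyed on the CDMCS record id makes repeated syncs idempotent, so a re-run after a partial failure does not duplicate alerts, and the audit row is written in the same transaction as the data so the trail cannot drift from what was ingested. The status filter rejects values outside the three documented states instead of passing them through to the query.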

Alert Analysis and Cross-Referencing

CDMCS alerts (network events, host-based detections, anomaly triggers) are persisted as structured records with source, severity, event type, and raw data. These can be cross-referenced against MISP threat intelligence feeds and Sigma rules in the Argus environment, enabling exercise red team IOC comparison against blue team detection rates.
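As an added example (not Argus project code) of the cross-referencing this section describes, the block below takes synced alert records in the shape the text gives (source, severity, event type, raw data) and a red team IOC list in MISP-style type/value pairs, and computes which indicators the blue team detected, which were missed, and the resulting detection rate. The alerts, the IOC values and the mapping from IOC type to raw-data keys are constructed for the example; the hash and addresses are placeholders, not real indicators.

```python
# Added example, not Argus project code: detection-coverage analysis of
# CDMCS alerts against a red-team IOC list.
# Assumptions: alert records, IOC values and OBSERVABLE_KEYS are constructed
# for this example (RFC 5737 addresses, a placeholder hash, a reserved domain).
from collections import Counter

# Constructed alert records in the shape the text describes.
ALERTS = [
    {"id": "a-1", "source": "suricata", "severity": "high", "event_type": "network",
     "raw": {"dest_ip": "203.0.113.7", "proto": "tcp"}},
    {"id": "a-2", "source": "wazuh", "severity": "medium", "event_type": "host",
     "raw": {"file": {"sha256": "0123456789abcdef" * 4, "path": "/tmp/x"}}},
    {"id": "a-3", "source": "zeek", "severity": "low", "event_type": "anomaly",
     "raw": {"note": "beaconing interval", "dst_ip": "203.0.113.7"}},
    {"id": "a-4", "source": "suricata", "severity": "low", "event_type": "network",
     "raw": {"dest_ip": "192.0.2.55"}},
]

# Constructed red-team IOC list, MISP-style attribute type/value pairs.
RED_TEAM_IOCS = [
    {"type": "ip-dst", "value": "203.0.113.7"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4},   # upper case on purpose
    {"type": "domain", "value": "c2.example.invalid"},
    {"type": "ip-dst", "value": "198.51.100.9"},
]

# Which raw-data keys can carry a value of each IOC type (assumption for this example).
OBSERVABLE_KEYS = {
    "ip-dst": ("dest_ip", "dst_ip"),
    "sha256": ("sha256", "file_hash"),
    "domain": ("domain", "hostname", "query"),
}


def normalise(value):
    """Case and whitespace must not decide a match; trailing dots on domains neither."""
    return str(value).strip().lower().rstrip(".")


def observables(raw):
    """Flatten nested raw alert data into (key, normalised value) pairs."""
    found = set()
    stack = [raw]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            for key, val in node.items():
                if isinstance(val, (dict, list)):
                    stack.append(val)
                else:
                    found.add((key, normalise(val)))
        elif isinstance(node, list):
            stack.extend(node)
    return found


def detection_coverage(alerts, iocs):
    """Return detected IOCs (with matching alert ids), missed IOC values and the rate."""
    index = {}  # (key, value) -> alert ids that carried it
    for alert in alerts:
        for pair in observables(alert["raw"]):
            index.setdefault(pair, []).append(alert["id"])
    detected, missed = {}, []
    for ioc in iocs:
        value = normalise(ioc["value"])
        keys = OBSERVABLE_KEYS.get(ioc["type"], ())
        matched = sorted({aid for key in keys for aid in index.get((key, value), [])})
        if matched:
            detected[ioc["value"]] = matched
        else:
            missed.append(ioc["value"])
    # An empty IOC list is a valid (if uninformative) input, not a division error.
    rate = len(detected) / len(iocs) if iocs else 0.0
    return {"detected": detected, "missed": missed, "detection_rate": rate}


def alerts_by_type(alerts):
    """Alert volume per event type, the per-exercise figure used for benchmarking."""
    return dict(Counter(alert["event_type"] for alert in alerts))
```

Running detection_coverage once per exercise iteration and comparing the rate and the alerts_by_type breakdown across iterations is the cross-exercise benchmarking the use cases below describe. Keying matches on normalised values is what stops an upper-case hash in the IOC list or a trailing dot on a domain from showing up as a false "missed" indicator.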

Clearance-Filtered Data Access

Exercise data and alerts carry secrecy_level tags. NATO and partner exercises with classified scenario data can be tagged accordingly.
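An added example, not Argus project code, of enforcing secrecy_level tags at read time. The ordering of levels and the sample records are constructed for the example and are not a statement of NATO marking rules; the point is the fail-closed handling of records whose tag is missing or unrecognised, and the separation of organisation scoping from clearance filtering.

```python
# Added example, not Argus project code: read-time enforcement of
# secrecy_level tags. The level ordering below is constructed for the
# example, not a claim about any real marking scheme.
SECRECY_LEVELS = ("unclassified", "restricted", "confidential", "secret")
RANK = {level: i for i, level in enumerate(SECRECY_LEVELS)}


def is_visible(record, clearance):
    """Deny by default: a missing or unrecognised tag is never shown."""
    level = record.get("secrecy_level")
    if level not in RANK:
        return False
    return RANK[level] <= RANK[clearance]


def filter_by_clearance(records, org, clearance):
    """Return the caller's visible records and how many in-scope records were withheld.

    Organisation scoping is applied first, so the withheld count never leaks
    the existence of another organisation's records.
    """
    if clearance not in RANK:
        raise ValueError(f"unknown clearance {clearance!r}")
    in_scope = [r for r in records if r.get("org") == org]
    visible = [r for r in in_scope if is_visible(r, clearance)]
    return visible, len(in_scope) - len(visible)


# Constructed sample exercise records.
SAMPLE_RECORDS = [
    {"id": "ex-1", "org": "org-a", "secrecy_level": "unclassified"},
    {"id": "ex-2", "org": "org-a", "secrecy_level": "confidential"},
    {"id": "ex-3", "org": "org-a", "secrecy_level": "secret"},
    {"id": "ex-4", "org": "org-a"},                                   # untagged: withheld
    {"id": "ex-5", "org": "org-a", "secrecy_level": "top-banana"},    # bad tag: withheld
    {"id": "ex-6", "org": "org-b", "secrecy_level": "unclassified"},  # other organisation
]
```

Returning the withheld count alongside the visible records gives the audit log something to record without exposing the withheld content. In a GraphQL deployment this filter belongs in the resolvers for cdmcsExercises and cdmcsAlerts, after authentication and organisation scoping have already run.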

Use Cases

  • Exercise Debrief Analysis: After a Crossed Swords or similar exercise, import all CDMCS alert data into Argus to analyse detection coverage, missed indicators, and blue team performance against red team TTPs.
  • Training Environment Integration: Use CDMCS as the detection data source during training and Argus as the investigation and case management platform -- reinforcing production tooling in a training context.
  • Cross-Exercise Benchmarking: Compare detection alert volumes and types across multiple exercise iterations to measure improvement in blue team capability over time.

Integration

Available via GraphQL: cdmcsExercises, cdmcsAlerts, cdmcsStats (queries); syncCdmcsExercise, syncCdmcsAlerts (mutations). All operations require authentication and organisation scoping.

Compatible with CCDCOE CDMCS API. Designed for NATO and partner nation cyber defence exercise environments. Works alongside Sigma rules (detection coverage analysis) and MISP (exercise IOC management).

Last Reviewed: 2026-03-18