Overview#
Argus connects to the NATO CCDCOE Providentia cyber exercise environment manager so that exercise infrastructure and exercise detection data live in one operational picture.
When an organisation runs a NATO or partner-nation cyber exercise such as Crossed Swords or Cyber Coalition, the range itself is described in Providentia: scenario topologies, the virtual machines that make up each environment, their network segments, and the role each machine plays. Argus pulls that environment and machine inventory across and persists it locally with organisation scoping and secrecy-level tagging, so exercise planners and blue-team leads can see active topology, machine role assignments, and network counts without leaving the investigation and case-management platform.
The result is a single operational picture across both the exercise infrastructure and the exercise detection data. Teams no longer context-switch between the range management console and the platform where alert analysis, case records, and performance debriefs already happen. Classified scenarios stay protected because every record carries a secrecy level, and reads are filtered against each user's clearance.
Key Features#
- Environment Inventory Sync: Pulls exercise environments from a remote Providentia instance, capturing scenario name, machine count, network count, and status, then upserts them into the organisation's own store as the local source of truth.
- Virtual Machine Records: Imports the individual machines that make up each environment, including IP address, operating-system type, and assigned role, giving planners a full topology view of every scenario.
- Environment and Machine Queries: Exposes environment lists with optional status filtering, per-environment machine inventories, and aggregate statistics covering total and active environments, total machines, and total networks.
- Clearance-Filtered Access: Every read is filtered against the requesting user's clearance, so classified exercise scenarios are visible only to appropriately cleared personnel within the deployment.
- Secrecy-Level Tagging: Each environment and machine record carries a secrecy level, preserving the classification of the originating exercise scenario through ingest, storage, and retrieval.
- Interop Audit Trail: Each import writes an interop audit entry recording the originating standard, record identifier, secrecy level, machine count, and source location, supporting accountability and post-exercise review.
- Data Fusion Publishing: Each synced environment is published as an operational infrastructure entity into the MDOC data fusion layer, where it can be correlated with detection data, cases, and other operational records.
- Organisation Scoping: All data access is scoped to the requesting organisation, keeping each tenant's exercise inventory isolated from every other.
Use Cases#
Cyber Defence Operators#
Blue-team operators running a NATO-affiliated exercise see the live range topology alongside their own detection and case data. When an alert fires during the event, the operator can immediately tie it to the machine, role, and network segment it originated from, rather than reconciling two separate consoles by hand.
Exercise Planners and Managers#
Planners track active environment topology, machine role assignments, and network counts from a single screen. Aggregate statistics give an at-a-glance view of how many environments are active and how large each scenario has grown, supporting capacity and readiness decisions in the run-up to an event.
Post-Exercise Analysis Teams#
After an exercise such as Crossed Swords or Cyber Coalition, analysts join the infrastructure context held in Argus to the exercise detection data and case records already in the platform. That combined picture drives detection-coverage analysis, missed-indicator review, and performance debriefs without re-importing the range layout from elsewhere.
Multinational and Classified Exercises#
For coalition events with classified scenario data, secrecy-level tagging and clearance filtering ensure that sensitive environments and machines are only ever returned to cleared users, allowing mixed-classification exercises to be managed on one platform.
Integration#
Customers plug in by pointing Argus at the base location of their Providentia instance and supplying an access token. The import path then calls the Providentia REST API under /api/v1/environments/ to retrieve environment detail and the machine list for that environment, normalises both into the platform's data model, and stores them locally. Reads and imports are offered through the platform's GraphQL interface, so a console can fetch environment lists, per-environment machine inventories, and aggregate counts in a single typed request, then start an import in the same session.
Every operation requires authentication and is scoped to the calling organisation. Each import records an interop audit entry and publishes the environment as an operational infrastructure entity into the MDOC fusion layer, so the imported topology is immediately correlatable with the platform's normalised operational models, detection data, and case records. The benefit to the customer is a single, governed connection point: one token and one interface bring the entire exercise range into the same place where analysis already happens.
Open Standards#
- REST over HTTP/1.1 (RFC 9110 / RFC 9112): Environment and machine data is retrieved from the Providentia instance through versioned REST resource paths under
/api/v1/environments/, the same resource-oriented model Providentia publishes, ensuring the connector speaks the range manager's own interface. - JSON (RFC 8259): Provider responses are exchanged as JSON and normalised into the platform's internal record model, giving a stable, language-neutral payload format across the import path.
- OAuth 2.0 Bearer Token (RFC 6750): Calls to the Providentia API authenticate with a bearer access token presented in the HTTP Authorization header, the standard mechanism for delegated API access.
- GraphQL (June 2018 specification): Environment lists, per-environment machine inventories, aggregate counts, and the import operation are all exposed through a typed GraphQL interface, letting a console retrieve exactly the fields it needs in one round trip.
- STANAG 4774 / ADatP-4774 (Confidentiality Metadata Label): Secrecy-level tags carried on every environment and machine align with the NATO confidentiality label model, so classification travels with the record from ingest through storage and retrieval.
- STANAG 4778 (Metadata Binding): The platform binds confidentiality labels to data so that classification stays attached to each exercise record, supporting consistent handling of mixed-classification scenarios.
- ISO 3166-1 alpha-3: Releasability and nation markings used in the classification model are validated against the ISO three-letter country codes, keeping coalition releasability statements consistent across partner nations.
Security & Compliance#
All reads and imports require an authenticated session, and every operation is scoped to the requesting organisation so that one tenant can never see another's exercise inventory. Each record carries a secrecy level, and results are filtered against the requesting user's clearance, so classified exercise scenarios are returned only to appropriately cleared personnel.
The local store is treated as the authoritative copy, and each import writes an immutable interop audit entry recording who imported what, from where, and at which classification. That audit trail, combined with the clearance filtering and the NATO-aligned confidentiality labelling, gives exercise managers a defensible record of how classified range data was handled throughout the event.
Last Reviewed: 2026-05-26 Last Updated: 2026-05-26