Overview#
After a Crossed Swords exercise at the NATO CCDCOE in Tallinn, the blue team lead needs to know which attack TTPs went undetected, where detection coverage held up, and how the team's performance compares to the previous year's event. That analysis requires the exercise alert data alongside the team's own investigation and case management records. CDMCS (Cyber Defence Monitoring Course System) is the exercise infrastructure platform that generated those alerts; Argus is where the post-exercise analysis happens.
CDMCS is developed by the CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence) and provides the blue team monitoring and alerting framework used in NATO-affiliated cyber defence exercises including Crossed Swords and the technical track of Cyber Coalition. Argus integrates with CDMCS to pull live and post-exercise alert and event data into Argus workflows, bridging the exercise environment and real-world operational platforms.
Open Standards#
- MITRE ATT&CK: Exercise alert records are cross-referenced against ATT&CK technique IDs (extracted from Sigma rule tags) to identify which adversary TTPs went undetected during an exercise.
- Sigma (SigmaHQ Detection Rule Format): Blue team detection coverage is measured by comparing CDMCS alerts against Sigma rule definitions; the platform parses Sigma YAML and can translate rules to SIEM query languages for gap analysis.
- MISP (Malware Information Sharing Platform) Threat Intelligence Standard: CDMCS alerts are cross-referenced against MISP IOC feeds within Argus to compare red team indicators against blue team detection rates during post-exercise debrief.
- STANAG 4774 (NATO Confidentiality Metadata Label Syntax): All exercise and alert records carry a secrecy_level field aligned to the STANAG 4774 classification hierarchy, enforcing clearance-based access filtering for NATO and partner-nation exercises with classified scenario data.
- OAuth 2.0 Bearer Token (RFC 6750): The CDMCS API client authenticates to remote CDMCS instances using an HTTP Authorization: Bearer token header, as defined in RFC 6750. As RFC 6750 requires, the token is only ever sent over TLS, since anyone who captures it can replay it.
- GraphQL: All Argus-side access to exercise and alert data (queries cdmcsExercises, cdmcsAlerts, cdmcsStats; mutation syncCdmcsExercise) is exposed via a strongly-typed GraphQL API.
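The gap analysis the ATT&CK and Sigma items describe (technique IDs pulled from Sigma rule tags, then compared with the alerts that actually fired and the TTPs the red team ran) can be illustrated end to end. The following is an added example, not Argus or CDMCS code: the Sigma rules, alert records, red team TTP list and the sigma_rule field that links an alert to its rule are all constructed for this illustration, and the tag extractor handles only the standard block-list `tags:` form (a real pipeline would use yaml.safe_load).

```python
"""Detection-coverage gap analysis: Sigma tags -> ATT&CK IDs -> exercise alerts."""
from __future__ import annotations
import re

# Sigma tag convention for techniques and sub-techniques, e.g. attack.t1059.001.
# Tactic tags (attack.execution), group tags (attack.g0016) and software tags
# (attack.s0002) are deliberately not matched.
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

# Constructed Sigma rules standing in for the blue team's rule set.
SIGMA_RULES = {
    "proc_creation_win_susp_powershell_enc": """\
title: Encoded PowerShell Command Line
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains: ' -enc '
  condition: selection
tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense_evasion
  - attack.t1027
""",
    "proc_creation_win_script_host": """\
title: Windows Script Host Execution
tags:
  - attack.execution
  - attack.t1059
""",
    "win_security_new_user_account": """\
title: New Local User Account Created
tags:
  - attack.persistence
  - attack.t1136.001
""",
    "net_suricata_smb_admin_share": """\
title: Admin Share Access Over SMB
tags:
  - attack.lateral_movement
  - attack.t1021.002
""",
    "win_credential_dumping_lsass": """\
title: LSASS Memory Access
tags:
  - attack.credential_access
  - attack.t1003.001
  - attack.s0002
level: high
""",
}

# Constructed CDMCS-style alert records; sigma_rule is an assumed linking field.
ALERTS = [
    {"source": "sysmon", "severity": "high", "event_type": "host",
     "sigma_rule": "proc_creation_win_susp_powershell_enc", "raw": "powershell -enc SQBFAFgA..."},
    {"source": "sysmon", "severity": "high", "event_type": "host",
     "sigma_rule": "proc_creation_win_susp_powershell_enc", "raw": "powershell -enc aQBlAHgA..."},
    {"source": "sysmon", "severity": "medium", "event_type": "host",
     "sigma_rule": "proc_creation_win_script_host", "raw": "wscript.exe invoice.vbs"},
    {"source": "sysmon", "severity": "critical", "event_type": "host",
     "sigma_rule": "win_credential_dumping_lsass", "raw": "GrantedAccess 0x1010 on lsass.exe"},
    # Anomaly trigger with no rule behind it: contributes nothing to technique coverage.
    {"source": "zeek", "severity": "low", "event_type": "anomaly", "sigma_rule": None, "raw": "beaconing"},
]

# Constructed red team TTP list from the exercise attack plan.
RED_TEAM_TTPS = ["T1566.001", "T1059.001", "T1059.005", "T1003.001", "T1021.002", "T1136.001"]


def sigma_tags(rule_yaml: str) -> list[str]:
    """Return the entries of a Sigma rule's top-level tags list (block-list form only)."""
    tags, in_tags = [], False
    for line in rule_yaml.splitlines():
        if not in_tags:
            in_tags = line.rstrip() == "tags:"
            continue
        item = line.strip()
        if item.startswith("- "):
            tags.append(item[2:].strip())
        elif item and not line.startswith((" ", "\t")):
            break  # next top-level key ends the list
    return tags


def technique_ids(tags) -> set[str]:
    """Normalised ATT&CK technique/sub-technique IDs found in a tag list."""
    return {m.group(1).upper() for t in tags if (m := TECHNIQUE_TAG.match(t.strip()))}


def _matches(executed: str, tagged: str) -> bool:
    """A rule tagged with a parent technique (T1059) is taken to cover its sub-techniques."""
    return executed == tagged or executed.split(".")[0] == tagged


def _covered(tid: str, tagged: set[str]) -> bool:
    return any(_matches(tid, t) for t in tagged)


def coverage_report(rules, alerts, executed) -> dict:
    """Classify each executed TTP as detected, rule-present-but-silent, or un-ruled."""
    rule_techniques = {name: technique_ids(sigma_tags(y)) for name, y in rules.items()}
    rule_backed = set().union(*rule_techniques.values())
    fired = set().union(*(rule_techniques.get(a.get("sigma_rule"), set()) for a in alerts))
    executed = {t.upper() for t in executed}
    detected = sorted(t for t in executed if _covered(t, fired))
    return {
        "detected": detected,
        "silent_rules": sorted(t for t in executed if not _covered(t, fired) and _covered(t, rule_backed)),
        "no_rule": sorted(t for t in executed if not _covered(t, rule_backed)),
        "noise": sorted(t for t in fired if not any(_matches(e, t) for e in executed)),
        "coverage": round(len(detected) / len(executed), 2) if executed else 0.0,
    }


if __name__ == "__main__":
    for key, value in coverage_report(SIGMA_RULES, ALERTS, RED_TEAM_TTPS).items():
        print(f"{key:13} {value}")
```

The three non-detected buckets are what a debrief needs to act on: silent_rules point at rules that exist but did not fire (tuning or log-source problem), no_rule points at techniques with no detection content at all, and noise lists technique tags that fired without the red team running them (false positives or an undocumented red team action).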
Last Reviewed: 2026-03-18 Last Updated: 2026-04-14
Key Features#
Exercise and Alert Synchronisation#
Sync CDMCS exercises into Argus via syncCdmcsExercise. The exercise sync persists exercise metadata and makes associated alerts available through cdmcsAlerts, with all ingest activity logged as an interop audit entry.
Exercise Inventory Management#
Query exercise records via cdmcsExercises with optional filtering by status (planned, active, completed). Exercise records include name, start/end timestamps, team assignments, and alert counts. This allows Argus to serve as a unified post-exercise analysis platform across multiple simultaneous exercises.
Alert Analysis and Cross-Referencing#
CDMCS alerts covering network events, host-based detections, and anomaly triggers are persisted as structured records with source, severity, event type, and raw data. These records can be cross-referenced against MISP threat intelligence feeds and Sigma rules in the Argus environment, so the red team's IOCs can be compared against the blue team's detection rates.
Clearance-Filtered Data Access#
Exercise data and alerts carry secrecy_level tags. NATO and partner exercises with classified scenario data can be tagged accordingly, restricting access to cleared personnel within the Argus deployment.
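What "restricting access to cleared personnel" has to mean in practice is a dominance check on every read path, combined with the organisation scoping the Integration section requires. The following is an added example and not Argus code: the secrecy_level vocabulary (the NATO classification ladder carried by STANAG 4774 labels), the org_id field and the resolver-style function names are assumptions for this illustration, and STANAG 4774 categories and releasability caveats are not modelled, only the classification level. Records with a missing or unrecognised label are denied rather than shown, and aggregate statistics are computed only over the records the viewer may see.

```python
"""Clearance- and organisation-scoped filtering of CDMCS alert records (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed secrecy_level vocabulary, least to most restrictive. A label outside this
# set is treated as unreadable rather than as "unclassified".
CLASSIFICATION_RANK = {
    "NATO UNCLASSIFIED": 0,
    "NATO RESTRICTED": 1,
    "NATO CONFIDENTIAL": 2,
    "NATO SECRET": 3,
    "COSMIC TOP SECRET": 4,
}


@dataclass(frozen=True)
class Viewer:
    user: str
    org_id: str
    clearance: str            # highest classification the user is cleared for
    authenticated: bool = True


def can_read(viewer: Viewer, record: dict) -> bool:
    """Fail-closed dominance check: authenticated, same organisation, clearance >= label."""
    if not viewer.authenticated or record.get("org_id") != viewer.org_id:
        return False
    label = record.get("secrecy_level")
    if label not in CLASSIFICATION_RANK or viewer.clearance not in CLASSIFICATION_RANK:
        return False  # unlabelled or unknown label: deny, never default to open
    return CLASSIFICATION_RANK[viewer.clearance] >= CLASSIFICATION_RANK[label]


def cdmcs_alerts(viewer: Viewer, alerts: list[dict], exercise_id: str | None = None) -> list[dict]:
    """Resolver-style filter mirroring the cdmcsAlerts query: org scope, clearance, exercise."""
    return [a for a in alerts
            if (exercise_id is None or a["exercise_id"] == exercise_id) and can_read(viewer, a)]


def cdmcs_stats(viewer: Viewer, alerts: list[dict]) -> dict:
    """Severity counts over visible alerts only, so totals cannot leak classified records."""
    visible = cdmcs_alerts(viewer, alerts)
    by_severity: dict[str, int] = {}
    for a in visible:
        by_severity[a["severity"]] = by_severity.get(a["severity"], 0) + 1
    return {"total": len(visible), "by_severity": by_severity}


# Constructed alert records for two organisations and two exercise iterations.
ALERTS = [
    {"id": "a1", "exercise_id": "xs-2026", "org_id": "org-blue-1", "secrecy_level": "NATO UNCLASSIFIED", "severity": "low"},
    {"id": "a2", "exercise_id": "xs-2026", "org_id": "org-blue-1", "secrecy_level": "NATO RESTRICTED", "severity": "medium"},
    {"id": "a3", "exercise_id": "xs-2026", "org_id": "org-blue-1", "secrecy_level": "NATO SECRET", "severity": "high"},
    {"id": "a4", "exercise_id": "xs-2026", "org_id": "org-blue-2", "secrecy_level": "NATO UNCLASSIFIED", "severity": "low"},
    {"id": "a5", "exercise_id": "xs-2025", "org_id": "org-blue-1", "secrecy_level": "NATO RESTRICTED", "severity": "medium"},
    {"id": "a6", "exercise_id": "xs-2026", "org_id": "org-blue-1", "secrecy_level": None, "severity": "high"},
]

ANALYST = Viewer("analyst", "org-blue-1", "NATO RESTRICTED")
LEAD = Viewer("blue-lead", "org-blue-1", "NATO SECRET")
PARTNER = Viewer("partner", "org-blue-2", "COSMIC TOP SECRET")   # high clearance, other org
ANON = Viewer("anon", "org-blue-1", "NATO SECRET", authenticated=False)


def visible_ids(viewer: Viewer, exercise_id: str | None = None) -> list[str]:
    return [a["id"] for a in cdmcs_alerts(viewer, ALERTS, exercise_id)]


if __name__ == "__main__":
    for v in (ANALYST, LEAD, PARTNER, ANON):
        print(f"{v.user:10} {visible_ids(v)}  stats={cdmcs_stats(v, ALERTS)}")
```

Note that the partner viewer holds the highest clearance yet sees only its own organisation's record: clearance and organisation scoping are independent gates, and a6 stays hidden from everyone because it carries no label.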
Use Cases#
- Exercise Debrief Analysis: After a Crossed Swords or similar exercise, import all CDMCS alert data into Argus to analyse detection coverage, missed indicators, and blue team performance against red team TTPs.
- Training Environment Integration: Use CDMCS as the detection data source during training and Argus as the investigation and case management platform, reinforcing production tooling in a training context.
- Cross-Exercise Benchmarking: Compare detection alert volumes and types across multiple exercise iterations to measure improvement in blue team capability over time.
Integration#
Available via GraphQL: cdmcsExercises, cdmcsAlerts, cdmcsStats (queries); syncCdmcsExercise (mutation). All operations require authentication and organisation scoping.
Compatible with CCDCOE CDMCS API. Designed for NATO and partner nation cyber defence exercise environments. Works alongside Sigma rules (detection coverage analysis) and MISP (exercise IOC management).