Overview
A cyber defence team at a national CERT wants to know whether their analysts are improving. They run the same attack scenario three months apart and compare detection times, missed indicators, and response quality. Without an automated exercise platform that tracks outcomes consistently across every run, comparing results is largely subjective. Roboblue provides the automation layer: scripted red-team actions, automated blue-team response evaluation, and repeatable scoring so that training outcomes can be measured and compared over time.
The Roboblue Red and Blue Exercises module provides an automated exercise environment for evaluating offensive actions, defensive responses, and overall scenario performance in cyber training and experimentation. Trainers and analysts get a clear view of scenario volume, completed runs, total actions, and average performance scores so they can supervise exercise output and make data-driven decisions about defensive readiness.
Open Standards
- MITRE ATT&CK: Every red and blue team action is tagged with a MITRE ATT&CK technique identifier (`mitre_attack_id`), enabling scenario coverage to be mapped directly to the ATT&CK framework's taxonomy of adversary tactics, techniques, and procedures.
- CCDCOE Roboblue Exercise Framework: The module integrates with the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) Roboblue platform, the authoritative automated red/blue exercise environment used across NATO cyber defence training programmes.
- GraphQL (June 2018 specification): All scenario queries, action retrieval, statistics, and scenario launch operations are exposed as a typed GraphQL API, enabling clients to request precisely the exercise data they need.
- OAuth 2.0 Bearer Token (RFC 6750): The adapter authenticates to the remote Roboblue instance using Bearer token credentials carried in the `Authorization` HTTP header, conforming to the RFC 6750 bearer token usage scheme.
- JSON (RFC 8259): All exercise scenario and action data is serialised as JSON for both the Roboblue HTTP integration and the GraphQL response layer.
- OpenID Connect / JSON Web Token (RFC 7519): Platform-level access control enforces authenticated sessions via JWT-backed bearer tokens, ensuring only authorised analysts and trainers can query or launch exercise scenarios.
- HTTP/1.1 (RFC 9110): The async HTTP client communicates with the Roboblue REST API over standard HTTP, using conventional resource-path conventions (`/api/v1/scenarios`) and status-code semantics.
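An added example (not Roboblue's own code) of the run-to-run comparison described in the Overview, keyed on the `mitre_attack_id` tag. It reports ATT&CK technique coverage per run and measures detection speed-up only on techniques detected in both runs, so newly detected techniques do not distort the timing figure. Every field other than `mitre_attack_id`, and all sample records, are assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample actions for two runs of one scenario. Only mitre_attack_id is a
# field named on the page; team, detected and detect_seconds are assumed field names.
def _act(tid, secs):
    return {"team": "red", "mitre_attack_id": tid,
            "detected": secs is not None, "detect_seconds": secs}

RUN_BEFORE = [_act("T1566", 840), _act("T1059", None), _act("T1021", 1500), _act("T1041", None)]
RUN_AFTER = [_act("T1566", 300), _act("T1059", 600), _act("T1021", 900), _act("T1041", None)]

def fastest_detection(actions):
    """Map each red-team technique id to its fastest detection time (None = never detected)."""
    best = {}
    for a in actions:
        if a["team"] != "red":
            continue
        tid = a["mitre_attack_id"]
        best.setdefault(tid, None)
        secs = a["detect_seconds"]
        if a["detected"] and secs is not None and (best[tid] is None or secs < best[tid]):
            best[tid] = secs
    return best

def coverage(best):
    """Fraction of exercised techniques that the blue team detected at least once."""
    return sum(v is not None for v in best.values()) / len(best) if best else 0.0

def compare_runs(before, after):
    """Compare two runs of the same scenario technique by technique."""
    b, a = fastest_detection(before), fastest_detection(after)
    common = sorted(set(b) & set(a))  # techniques exercised in both runs
    both = [t for t in common if b[t] is not None and a[t] is not None]
    return {
        "coverage_before": coverage(b),
        "coverage_after": coverage(a),
        "newly_detected": [t for t in common if b[t] is None and a[t] is not None],
        "still_missed": [t for t in common if b[t] is None and a[t] is None],
        "regressed": [t for t in common if b[t] is not None and a[t] is None],
        # Positive value = faster detection in the later run.
        "median_speedup_seconds": median(b[t] - a[t] for t in both) if both else None,
    }

if __name__ == "__main__":
    for key, value in compare_runs(RUN_BEFORE, RUN_AFTER).items():
        print(f"{key}: {value}")
```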
Last Reviewed: 2026-03-25 Last Updated: 2026-04-14
Key Features
- Scenario Portfolio Management: Tracks the total number of exercise scenarios available to the organisation, giving training leads a clear picture of the breadth of coverage.
- Completion Monitoring: Shows how many scenarios have been completed so teams can measure exercise throughput and identify gaps in training coverage.
- Action Volume Tracking: Summarises total red and blue actions across the scenario portfolio, giving a baseline for comparing training intensity across cohorts or time periods.
- Performance Scoring: Provides an average score view to support comparison across training runs and exercise designs, enabling data-driven assessment of defensive improvement.
- Exercise-Oriented Operations View: Gives trainers and analysts a concise control point for cyber exercise supervision without requiring access to the underlying simulation infrastructure.
Use Cases
- Automated Cyber Training: Training teams run red and blue exercises repeatedly to assess defensive readiness against standardised scenarios, removing dependence on manual exercise facilitation.
- Response Benchmarking: Security leaders compare outcomes across scenarios to identify where blue-team response quality is improving or degrading over time.
- Exercise Supervision: Operators monitor scenario progress and action counts during training events or experimentation campaigns.
- Capability Evaluation: Teams use scored scenarios to measure the effectiveness of playbooks, tools, or analyst behaviours under pressure.
Integration
- Automated cyber exercise and scoring services
- Cyber-defence training programmes
- Response analytics and exercise reporting
- Cyber operations and assurance workbenches