Cyber Defence: CDMCS Exercise Integration

CDMCS (Cyber Defence Monitoring Course System) is the exercise infrastructure platform developed by the CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence) in Tallinn, Estonia.

Module metadata

Source reference: content/modules/cyber-defence-cdmcs-exercises.md

Last updated: 18 Mar 2026

Category: Core modules

Content checksum: fd176865f8491b0f

Tags: modules

Rendered documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

CDMCS (Cyber Defence Monitoring Course System) is the exercise infrastructure platform developed by the CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence) in Tallinn, Estonia. It provides the blue team monitoring and alerting framework used in NATO-affiliated cyber defence exercises including Crossed Swords and the technical track of Cyber Coalition. Argus integrates with CDMCS to pull live and post-exercise alert and event data into Argus workflows, bridging exercise environments and real-world operational platforms.

Key Features

Exercise and Alert Synchronisation

Sync CDMCS exercises and their associated alerts into Argus via syncCdmcsExercise and syncCdmcsAlerts. The fetch_cdmcs_exercise and fetch_cdmcs_alerts clients connect to a remote CDMCS REST API endpoint, retrieve exercise metadata and alert records, and persist them to PostgreSQL. Each sync is logged as an interop ingest audit entry.

Exercise Inventory Management

Query exercise records via cdmcsExercises with optional filtering by status (planned, active, completed). Exercise records include name, start/end timestamps, team assignments, and alert counts. This allows Argus to serve as a unified post-exercise analysis platform across multiple simultaneous exercises.

Alert Analysis and Cross-Referencing

CDMCS alerts (network events, host-based detections, anomaly triggers) are persisted as structured records with source, severity, event type, and raw data. These can be cross-referenced against MISP threat intelligence feeds and Sigma rules in the Argus environment, enabling exercise red team IOC comparison against blue team detection rates.
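The IOC-versus-detection comparison described above, as an added example (not Argus or CDMCS code): it matches a constructed red team indicator list against constructed alert records and reports which indicators no alert saw. The record fields follow the description above; their exact schema, the indicator tuples and the function names are assumptions.

```python
import json
import re

# Constructed sample alerts. Field names follow the record description above
# (source, severity, event_type, raw_data); the exact schema is an assumption.
ALERTS = [
    {"source": "suricata", "severity": "high", "event_type": "network",
     "raw_data": '{"src_ip": "10.0.5.20", "dest_ip": "198.51.100.7"}'},
    {"source": "suricata", "severity": "medium", "event_type": "network",
     "raw_data": '{"dns": {"rrname": "Beacon.C2.Example.Test."}}'},
    {"source": "hostagent", "severity": "low", "event_type": "host",
     "raw_data": "fw drop dst=192.0.2.44 proto=tcp (unparsed line)"},
]
# Constructed red team indicator list, e.g. exported from a MISP event.
RED_TEAM_IOCS = [("ip", "198.51.100.7"), ("domain", "c2.example.test"),
                 ("ip", "203.0.113.9")]

def observables(raw_data):
    """Return the normalised string values found in an alert's raw_data."""
    try:
        stack, found = [json.loads(raw_data)], set()
    except (TypeError, ValueError):
        # Not JSON (or missing): fall back to whitespace tokens of the raw text.
        return {t.lower().rstrip(".") for t in re.split(r"\s+", str(raw_data or "")) if t}
    while stack:
        item = stack.pop()
        if isinstance(item, dict):
            stack.extend(item.values())
        elif isinstance(item, list):
            stack.extend(item)
        elif isinstance(item, str):
            found.add(item.lower().rstrip("."))
    return found

def matches(ioc_type, value, obs):
    """Exact match, plus subdomain match for domain indicators."""
    value = value.lower().rstrip(".")
    return value in obs or (ioc_type == "domain"
                            and any(o.endswith("." + value) for o in obs))

def detection_coverage(iocs, alerts):
    """Map each IOC to the alert sources that saw it; return hits, misses, rate."""
    seen = [(a["source"], observables(a.get("raw_data"))) for a in alerts]
    hits = {ioc: sorted({src for src, obs in seen if matches(*ioc, obs)})
            for ioc in iocs}
    missed = [ioc for ioc, srcs in hits.items() if not srcs]
    rate = (len(iocs) - len(missed)) / len(iocs) if iocs else 0.0
    return hits, missed, rate
```

The missed list is the debrief input: each entry is a red team indicator that produced no blue team alert, which points at a sensor or rule gap to review.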

Clearance-Filtered Data Access

Exercise data and alerts carry secrecy_level tags. NATO and partner exercises with classified scenario data can be tagged accordingly.

Use Cases

  • Exercise Debrief Analysis: After a Crossed Swords or similar exercise, import all CDMCS alert data into Argus to analyse detection coverage, missed indicators, and blue team performance against red team TTPs.
  • Training Environment Integration: Use CDMCS as the detection data source during training and Argus as the investigation and case management platform -- reinforcing production tooling in a training context.
  • Cross-Exercise Benchmarking: Compare detection alert volumes and types across multiple exercise iterations to measure improvement in blue team capability over time.

Integration

Available via GraphQL: cdmcsExercises, cdmcsAlerts, cdmcsStats (queries); syncCdmcsExercise, syncCdmcsAlerts (mutations). All operations require authentication and organisation scoping.

Compatible with CCDCOE CDMCS API. Designed for NATO and partner nation cyber defence exercise environments. Works alongside Sigma rules (detection coverage analysis) and MISP (exercise IOC management).

Last Reviewed: 2026-03-18