For the fourth consecutive year, Splunk participated in the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) cyber exercise “Crossed Swords” by providing tooling and personnel. The exercise trains participants in conducting offensive cyber operations as well as the defensive activities that accompany them.
As part of the yellow team, Splunk provided the detection framework and data collection, along with guidance to the offensive teams on how to improve their OPSEC and evade detection.
Our role was threefold. First, we deployed the Splunk platform, including Splunk Enterprise Security, and ingested endpoint telemetry from Sysmon on Windows and auditd on Linux, as well as network telemetry in the form of Suricata logs. Second, we enabled the related out-of-the-box content and installed the latest version of Splunk ESCU. Third, we supplemented the rest of the yellow team with custom hunting searches.
As one might expect, Splunk was a key component in this exercise, as the flexibility of SPL and the power of Splunk Enterprise Security allowed the yellow team to catch a wide range of activities performed by the red teamers.
Many of our built-in ESCU detections triggered as expected, successfully catching a plethora of techniques. Below is a pie chart covering the TOP 15 detections that were triggered over the course of the exercise.

Figure 1: TOP 15 Triggered ESCU Detections

Figure 2: Enterprise Security Mission Control View During Red Team Activity
This year, feedback was delivered to the red teamers in near real time through a new platform, the “Wall of OPSEC Failures”, which interfaces with MISP.

Figure 3: Wall Of OPSEC Failures Example
Each afternoon we participated in a briefing where we summarized the findings along with direct advice to the teams, with special focus on how to operate stealthily.
While we caught many of the attacks, some slipped through. As you would expect from a detection engineering feedback loop, we treated these gaps as improvement items that will ship in future versions of ESCU.
These improvements include reclassifying some detections that currently produce “findings” so that they produce “intermediate findings” instead, which better reflects how defenders expect to triage them and the volume of activity that attackers generate.
Additional analytics will also be created to enhance the coverage of certain attack vectors.
In terms of the Splunk Enterprise Security User Experience, triage and analyst workflows showed some friction; this feedback was reported to appropriate internal teams and will be considered for inclusion in future Splunk Enterprise Security versions.
ESCU detections leverage the Common Information Model (CIM) to provide a common field taxonomy across different telemetry sources. During the exercise we identified new fields that could be added to improve detection authoring, triage, and the analyst experience, and we will assess whether they can be introduced in future CIM versions. One example is adding Sysmon's “Image” field (process_name in CIM terms) to both the Endpoint.Filesystem and Network_Traffic data models: today those models carry process_id and process_guid but not the process name, so tuning out a known-good process requires a second lookup rather than a simple filter.
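To make the tuning cost concrete, here is an added example (not from the original post or from ESCU itself) of a file-write hunt over the Endpoint.Filesystem data model that excludes two known-good processes. Field names follow the CIM Endpoint data model as documented (Filesystem.process_guid, Processes.process_name); the file path, the excluded process names, and the Filesystem.process_name field used in the second search are constructed for illustration. The first search is what is needed today: Endpoint.Filesystem has no process name, so the exclusion has to be applied after joining back to Endpoint.Processes on process_guid. The second search is the hypothetical form the same hunt would take if the proposed field existed, with the exclusion pushed into the tstats where clause.

```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_path="C:\\Windows\\Temp\\*" Filesystem.file_name="*.exe"
    by Filesystem.dest Filesystem.process_guid Filesystem.file_path Filesystem.file_name
| rename Filesystem.* as *
| join type=left dest process_guid
    [| tstats summariesonly=true count
        from datamodel=Endpoint.Processes
        by Processes.dest Processes.process_guid Processes.process_name
     | rename Processes.* as * ]
| where isnull(process_name) OR NOT process_name IN ("msiexec.exe", "TrustedInstaller.exe")
| table firstTime lastTime dest process_guid process_name file_path file_name count

| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_path="C:\\Windows\\Temp\\*" Filesystem.file_name="*.exe"
      NOT Filesystem.process_name IN ("msiexec.exe", "TrustedInstaller.exe")
    by Filesystem.dest Filesystem.process_name Filesystem.file_path Filesystem.file_name
| rename Filesystem.* as *
| table firstTime lastTime dest process_name file_path file_name count
```

The first search keeps rows whose process_guid has no match in Endpoint.Processes (isnull(process_name)) so that a missing process-creation event does not silently drop a file write; the join is left for the same reason. Besides being longer, the join runs a second accelerated search and pulls every process on the host into the subsearch, which is the kind of overhead the proposed field would remove.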
Crossed Swords 2025 demonstrated the value of collaborative cyber exercises in strengthening collective defense capabilities. Bringing together public and private participants and best-in-class vendors creates a unique environment for testing tools, refining detection strategies, and sharing operational insights across the cybersecurity community. These scenarios not only reveal technical gaps but also highlight opportunities to improve workflows and adapt to evolving tactics in the cyber domain. Ultimately, exercises like Crossed Swords ensure that defenders, whether in the military, government, or industry, continue to learn from each other, evolving their capabilities through shared experience and a commitment to resilience.
We would like to thank Nasreddine Bencherchali, Mikael Bjerkeland, and Kendrick Tugwell for authoring this post and for their valuable contribution during this year's Crossed Swords exercise.
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.