Elastic on Defence Cyber Marvel 2026: A Technical Overview from the Exercise Floor

Elastic recounts its role as the core defensive platform provider for Defence Cyber Marvel 2026 (DCM26), delivering a single, Kibana Spaces-based, multi-tenanted Elastic Cloud deployment for 40 Blue Teams, separate Red Team and NSOC deployments, large-scale automation with Terraform/Catapult, and a guarded on-range AI service backed by AWS Bedrock. The exercise validated the architecture at scale (ingesting up to 800,000 EPS) and supported custom AI agents (GrantPT, REDRock, RefPT), extensive partner integrations (Tuoni, Tines, Endace, AWS), and strict audit/guardrail controls.

Key Points

  • Elastic provided a single multi-tenanted Elastic Cloud deployment for 40 Blue Teams, isolating teams via Kibana Spaces and datastream namespaces while managing 120 Fleet policies and 400+ integration policies as code.
  • DCM26 ran at scale with 2,500+ personnel from 29 countries, over 5,000 virtual systems, five days of execution, and peak ingestion around 800,000 events per second across teams.
  • A dedicated testing rig validated multi-tenancy at scale (6,000 agents, 50 spaces), proving space isolation, fleet propagation times (~60s), and resilience across multi-AZ failures before live deployment.
  • Elastic delivered an on-range, UK-tenanted AWS Bedrock AI service with strict guardrails, RBAC-aware AI features (AI Assistant, Attack Discovery), and full audit logging (CloudWatch) for traceability.
  • Three custom Agent Builder agents (GrantPT for participants, REDRock for Red Teams, RefPT for White Team) enabled RBAC-scoped AI assistance and operational automation without bespoke authorization code.
  • Industry integrations (Tuoni C2 for Red Teams, Endace packet capture, Tines workflow automation) and automation tooling (Terraform, Catapult, Vault) were essential to provisioning, secret management, and operational workflows.
  • Operational support included pre-exercise training, an Elastic-specific helpdesk (125 support requests handled), proactive triage using Tines+GenAI, and telemetry-driven insights (RocketChat ingestion, NER, meme analysis).
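The first key point describes team isolation by Kibana Space plus datastream namespace (the bt_XX_hostnation scheme quoted under Indicators of Compromise). The following is an added example, not Elastic's or the exercise's own code: it builds the per-team Elasticsearch role descriptor that enforces that isolation and checks datastream names against it. The Space ID (bt_01), the tenant suffix and the Kibana application privilege name are assumptions.

```python
"""Per-team isolation: one Kibana Space, one datastream namespace.
Added example; role layout follows the Elasticsearch role descriptor
format, names follow the bt_XX_hostnation scheme quoted on this page."""
import fnmatch
import json
import re

# Data streams are <type>-<dataset>-<namespace>; no part may contain '-',
# so a well-formed name splits into exactly three pieces.
DS_NAME = re.compile(r"^(?P<type>[^-]+)-(?P<dataset>[^-]+)-(?P<namespace>[^-]+)$")


def team_namespace(team_id: str, tenant: str = "hostnation") -> str:
    """bt_01 -> bt_01_hostnation (tenant suffix assumed from the page's names)."""
    if not re.fullmatch(r"bt_\d{2}", team_id):
        raise ValueError(f"unexpected team id: {team_id!r}")
    return f"{team_id}_{tenant}"


def team_role(team_id: str, tenant: str = "hostnation") -> dict:
    """Role descriptor: read-only on the team's namespace, confined to its Space.
    'space_all' and the Space ID equal to the team id are assumptions."""
    ns = team_namespace(team_id, tenant)
    return {
        "cluster": [],
        "indices": [{
            # Only logs/metrics/traces streams whose namespace is this team's.
            "names": [f"logs-*-{ns}", f"metrics-*-{ns}", f"traces-*-{ns}"],
            "privileges": ["read", "view_index_metadata"],
        }],
        "applications": [{
            "application": "kibana-.kibana",
            "privileges": ["space_all"],
            "resources": [f"space:{team_id}"],
        }],
    }


def in_scope(role: dict, datastream: str) -> bool:
    """True only if the name is well-formed and matches a granted pattern.
    Malformed names (wrong part count, hidden indices) fail closed."""
    if not DS_NAME.match(datastream):
        return False
    patterns = [p for grant in role["indices"] for p in grant["names"]]
    return any(fnmatch.fnmatchcase(datastream, p) for p in patterns)


if __name__ == "__main__":
    print(json.dumps(team_role("bt_01"), indent=2))
```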

MITRE Techniques

  • [None] No MITRE ATT&CK techniques were explicitly named in the article – ‘The article does not name specific MITRE techniques, only references that Attack Discovery maps alerts to the MITRE ATT&CK matrix.’

Indicators of Compromise

  • [Domain] Range/proxy and service endpoints used in the exercise – http://elastic-proxy.dsoc.XX.dcm.ex:3128, https://tines.dsoc..dcm.ex/
  • [Index / data stream names] Team-scoped telemetry and indices used for isolation and detection – logs-system.auth-bt_01_hostnation, logs-endpoint.events.process-bt_01_hostnation (and many bt_XX namespaces)
  • [Vault paths / secrets] Secret storage paths referenced for enrolment tokens and service credentials – dcm/gt/elastic/prod/enrollment_tokens/BT-XX-Deployed, dcm/gt/elastic/tines-sa/tines-sa-btXX
  • [CloudWatch log group] AI audit logging context for Bedrock invocations – /aws/bedrock/grantpt-prod/invocations
  • [S3 bucket] Terraform state backend used for infrastructure as code – elastic-terraform-state-dcm5 (Terraform state key: prod/terraform.tfstate)

Read more: https://www.elastic.co/security-labs/elastic-defence-cyber-marvel