Tines Joins Defence Cyber Marvel 2026 in Singapore

Written by Aron Day and Brady Spiva

Published on March 16, 2026

Tines’ mission is to power the world's most important workflows, including the critical work of defending nations against cyber threats. That's why we were honored to return to Defence Cyber Marvel 2026 (DCM 2026) as an industry partner, deploying over 40 self-hosted instances onto the CR14 NATO Cyber Range to support teams from 29 countries in Singapore.

This week-long exercise brought together more than 2,500 personnel from 70 different organizations across 36 teams, demonstrating the scale and complexity of modern cyber defense.

DCM is the world's largest defense-led cyber exercise. It evolved from a British Army Cyber Association initiative into a tri-service operation now led by the UK's MOD Cyber and Specialist Operations Command (CSOC).

Following our participation in DCM4 in South Korea, 2026 marked the first time the exercise was hosted in Singapore, reflecting the strategic importance of the Indo-Pacific region and the UK's commitment to deepening cyber defense partnerships beyond NATO allies.

"DCM 2026 places cooperation and shared learning at its heart. With cyber-attacks from our adversaries now a daily threat to the UK, our allies and our partners, this exercise builds relationships and shared procedures essential for responding to cross-border threats."

Air Marshal Suraya Marshall, Deputy Commander of Cyber and Specialist Operations Command

The exercise included blue teams (defenders), red teams (attackers), green teams (the operational backbone), and yellow teams (exercise control) operating from a central command point. Scenarios mirror genuine cyber threats, from state-level attacks to critical infrastructure disruption, testing not just technical skills but decision-making under pressure.

Industry partners, such as Tines, were key members of the green team, providing best-in-class capabilities to participants. Colonel Ian Hargreaves, Chair of the Army Cyber Association, explained the significance of industry partner involvement for the event: 

“The UK Government's most recent Defence reviews emphasise persistent engagement, information advantage, and a digitally integrated force. We cannot deliver that in isolation. Capability in digitally interconnected cyberspace today sits across the Whole Force — Regulars, Reservists, civil servants, and critically, industry.

Bringing industry partners into DCM makes the exercise realistic. It mirrors how we would actually operate: leveraging commercial innovation inside military missions. That alignment shortens the gap between technological advancement and operational adoption.” 

Deployment at scale 

The Tines team deployed over 40 self-hosted instances directly onto the CR14 NATO Cyber Range, one of the most sophisticated cyber training environments in the world.

This wasn't a cloud deployment or a managed service. This was full self-hosted infrastructure running in an air-gapped, classified environment.

Why self-hosting matters for defense

When you're defending critical infrastructure or classified networks, you can't rely on external services. You need:

  • Complete data sovereignty: All workflow data, logs, and artifacts stay within your controlled environment

  • Zero external dependencies: No internet connectivity, operating fully air-gapped

  • Rapid deployment: Spin up new instances in minutes, not days or weeks

  • Total visibility: Full access to infrastructure, logs, and configurations

At DCM 2026, this meant blue teams, red teams, green teams, and yellow teams could all operate Tines instances independently, with no shared infrastructure or potential cross-contamination between exercise elements.

Universal adoption 

What made DCM 2026 stand out was seeing Tines adopted across all team types, demonstrating the platform’s versatility. As Colonel Hargreaves observed:

“During DCM 2026, what stood out to me was how automation platforms acted as electronic ‘connective tissue’ across blue, red, green, and yellow teams. Rather than each team operating in silos with manual handoffs, automation created shared workflows that moved information in real time.

For blue teams, automation reduced dwell time by immediately enriching alerts with context—pulling threat intelligence, validating indicators, and triggering predefined response actions. For red teams, automation enabled faster iteration and feedback. As the engines running the exercise, green and yellow teams benefited from structured workflows that translated technical findings into operational or leadership-relevant insights. Automation ensured that the right stakeholders were notified with the right level of detail at the right time, reducing friction and miscommunication.”

Blue teams (defenders)
Defending teams used Tines to automate threat triage, orchestrate incident response, and coordinate defensive actions across multiple security tools.

Red teams (attackers)
Offensive teams used Tines to automate workflows that integrated with the Tuoni threat emulation framework.

Green teams (operational infrastructure)
The green team is responsible for the full operational environment: the infrastructure, networks, SOC, industry partners, helpdesk, and senior leadership that keep the exercise running. They used Tines to:

  • Manage network operations and infrastructure workflows

  • Coordinate between SOC analysts and Infrastructure teams

  • Route helpdesk tickets based on threat indicators

Yellow teams (exercise control)
Exercise coordinators used Tines for scenario reporting and analysis between blue teams.

When everyone from attackers to defenders to infrastructure operators to senior leadership is using the same workflow platform, it demonstrates just how universal intelligent workflows have become in modern operations.

Tines + Elastic: alert enrichment across defense and operations 

One of the most powerful workflows at DCM 2026 was the combination of Tines and Elastic for alert enrichment, supporting blue team, red team, and green team operations.

The challenge 

During a cyber exercise (and in real-world operations), security teams and infrastructure teams are overwhelmed with alerts. Most require context before action: Who's the target? Is this IP malicious? What's the business impact? Is this a security threat or an infrastructure issue? Manually enriching each alert is very difficult at scale.

The solution: blue team defensive automation 

Blue teams had Tines workflows that automatically:

  1. Ingested alerts from Elastic Security (SIEM) in real-time

  2. Enriched with context by querying threat intelligence feeds, asset databases, and vulnerability scanners

  3. Prioritized threats based on severity, target criticality, and attack patterns

  4. Routed to responders with all necessary context already assembled

  5. Orchestrated response actions across EDR, firewall, and network isolation tools

The solution: green team operational excellence 

Green team operations include managing infrastructure, networks, SOC, industry coordination, helpdesk, and senior leadership communication. The green team used Tines to:

  1. Correlate security alerts with infrastructure events from Elastic to distinguish attacks from legitimate technical issues

  2. Automate triage routing: security incidents to SOC, infrastructure problems to IT, critical issues to senior leadership

  3. Coordinate cross-functional response between network teams, security analysts, and external industry partners

  4. Manage escalation workflows ensuring the right information reached senior leadership at the right time

  5. Track incident resolution across all operational teams with unified visibility

Why this matters for federal and military operations 

This isn't just an exercise optimization; it's how modern defense and government operations must work.

  • Speed is survival: Adversaries move in seconds; defenses must too

  • Context is critical: The right decision requires the right data, immediately

  • Cross-functional coordination: Security, IT, leadership, and external partners must work as one

  • Integration is essential: No single tool has all the answers; orchestration connects them

  • Repeatability scales: What works in exercises works in operations

“What mattered most was the compression of the OODA loop—observe, orient, decide, act. When adversaries are operating in seconds, human-only processes simply can’t keep up. Automation doesn’t replace human judgment, but it removes latency: it gathers context, enforces consistency, and accelerates coordination. In short, automation transformed coordination from sequential and reactive to parallel and proactive—and that shift is critical when defending against modern threats.”

Colonel Ian Hargreaves

From exercise to operations: building defense readiness 

What happens during DCM doesn't stay in the exercise environment. The 40+ Tines instances deployed on CR14 gave hundreds of users, from SOC analysts to network engineers to senior leaders, hands-on experience with intelligent workflows in high-pressure scenarios.

Participants left DCM 2026 with:

  • Practical skills building defensive and operational automation under time pressure

  • Proven workflows they can adapt for their own organizations

  • Understanding of integration patterns across security, infrastructure, and enterprise tools

  • Cross-functional collaboration techniques bridging SOC, IT, helpdesk, and leadership

  • Confidence to automate critical defensive and operational processes

  • International network of peers facing similar challenges

For military and government cyber professionals and IT operators, this capability directly enhances operational readiness. Real-world incidents and adversaries demand the muscle memory developed through this approach: specifically, thinking in workflows, automating responses, and orchestrating tools across complex organizational boundaries, which is essential for effective defense and operations teams.

Looking ahead 

We're incredibly grateful to the British Army Cyber Association, the UK Ministry of Defence, and our partners in Singapore for making DCM 2026 possible. 

Cyber threats continue to evolve in speed, sophistication, and scale. Exercises like DCM 2026 prove that intelligent workflows, in the hands of skilled defenders and operators, with strong international partnerships, can provide a decisive advantage.

The mission-critical work happening in defense and government deserves mission-critical tools.
