
Red Team and Blue Team Exercises in Ukraine's Cyber Defense

Adversarial testing through red team (offensive) versus blue team (defensive) exercises provides a ground-truth assessment of defensive capability that no audit or document review can replicate. Red teamers emulate real attacker behavior, using the same tactics, techniques, and procedures (TTPs) that actual threat actors employ, against defended networks. Blue teams detect, contain, and respond using their normal operational tooling and staff. The gap between what defenders believe they can detect and what red teamers actually achieve undetected reveals the most consequential security weaknesses.

Ukraine Government Red Team Capability

Ukraine has developed internal government red team capability through a combination of existing Ukrainian cyber talent and structured capacity building with international partners. The NSA plays a role in supporting Ukrainian offensive and defensive cyber capability development—a partnership in which NSA cyber professionals work alongside Ukrainian counterparts to conduct assessments of Ukrainian government networks and share advanced tradecraft. The specifics of NSA-Ukraine cooperation remain classified, but Ukrainian officials have publicly acknowledged the partnership and its significance for building red team capability that can reflect current threat actor techniques rather than only historical ones.

The government red team has conducted authorized penetration tests against Ukrainian ministries, critical infrastructure operators, and military-adjacent systems, with findings classified and used to drive remediation. A consistent pattern in these assessments—acknowledged in general terms by SSSCIP—has been that initial access through phishing and exploitation of internet-facing systems remains achievable even in relatively mature organizations, with the key differentiator being detection and response speed after initial compromise.

Locked Shields Blue Team Participation

NATO CCDCOE's Locked Shields exercise provides one of the few open-source reference points for assessing Ukrainian blue team capability against peer competitors. Ukrainian blue teams compete against teams from other NATO and partner nations defending identical infrastructure against a common red team. The exercise scoring includes not just technical defensive performance but also strategic decision-making components that test leadership responses to simulated political, legal, and communications crises accompanying the cyber incident—reflecting the real-world multi-domain nature of cyber incidents.

Red vs. Blue Exercise Structure for Ukrainian Critical Infrastructure

Exercise Component         | Red Team Focus                   | Blue Team Focus             | Duration  | Classification Level
Initial access simulation  | Phishing + VPN exploitation      | Detection, isolation        | 2-5 days  | Sensitive/Confidential
Lateral movement test      | Credential harvesting, pivoting  | Network traffic analysis    | 1-3 days  | Confidential
OT/ICS penetration         | Purdue model traversal           | IT/OT boundary monitoring   | 2-4 days  | Classified
Incident response drill    | Stealth persistence maintenance  | Full IR playbook execution  | 1-2 days  | Sensitive
Locked Shields (NATO)      | CCDCOE red team                  | Ukrainian national team     | 2 days    | Exercise unclassified
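The "Lateral movement test" and "OT/ICS penetration" rows above describe what the blue team is expected to catch: a compromised host fanning out to many internal hosts over administrative protocols, and traffic that crosses from the enterprise zone into the control zone without passing through the OT DMZ. The following is an added illustration of that detection logic, not code from the page or from any Ukrainian exercise program. The Purdue zone addressing, the allowed zone paths, the fan-out threshold and the flow records are all constructed for the example.

```python
"""Detection logic for two rows of the exercise table: lateral-movement
fan-out (one source touching many internal hosts on admin ports in a short
window) and IT/OT boundary violations (enterprise-zone hosts reaching the
control zone directly instead of through the OT DMZ). Zone addressing and
flow records are constructed sample data, not any real network."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed Purdue-style zone map for a lab replica.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),  # Levels 4-5
    "ot_dmz": ip_network("10.20.0.0/24"),      # Level 3.5
    "control": ip_network("10.30.0.0/16"),     # Levels 0-3
}
# Zone pairs allowed to talk; any other path into "control" is a finding.
ALLOWED_PATHS = {("enterprise", "ot_dmz"), ("ot_dmz", "control"), ("control", "ot_dmz")}
# Ports typical of credential-reuse lateral movement: SMB, RDP, WinRM, RPC.
LATERAL_PORTS = {445, 3389, 5985, 5986, 135}

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int

def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def parse_flows(lines):
    """Parse 'ISO-timestamp src dst dport' lines; malformed lines are skipped."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows

def boundary_violations(flows):
    """Flows that enter the control zone over a path the Purdue model does not allow."""
    return [
        f for f in flows
        if zone_of(f.dst) == "control"
        and zone_of(f.src) != "control"
        and (zone_of(f.src), zone_of(f.dst)) not in ALLOWED_PATHS
    ]

def lateral_fanout(flows, window=timedelta(minutes=10), threshold=5):
    """Map source -> sorted destinations for sources that reach >= threshold
    distinct hosts on LATERAL_PORTS within any sliding `window`."""
    per_src = defaultdict(list)
    for f in flows:
        if f.dport in LATERAL_PORTS:
            per_src[f.src].append(f)
    alerts = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        for i, first in enumerate(fl):
            dsts = {g.dst for g in fl[i:] if g.ts - first.ts <= window}
            if len(dsts) >= threshold:
                alerts[src] = sorted(dsts)
                break
    return alerts

# Constructed flow log: one workstation sweeps five servers over SMB/RDP/WinRM,
# then bypasses the OT DMZ to reach a Modbus device; one malformed line included.
SAMPLE_FLOWS = """\
2025-03-01T09:00:00 10.10.5.21 10.10.5.30 445
2025-03-01T09:01:00 10.10.5.21 10.10.5.31 445
2025-03-01T09:02:00 10.10.5.21 10.10.5.32 3389
2025-03-01T09:03:00 10.10.5.21 10.10.5.33 5985
2025-03-01T09:04:00 10.10.5.21 10.10.5.34 445
2025-03-01T09:30:00 10.10.5.21 10.20.0.5 443
2025-03-01T09:31:00 10.20.0.5 10.30.1.10 502
2025-03-01T09:45:00 10.10.5.21 10.30.1.10 502
2025-03-01T10:00:00 10.10.7.8 10.10.7.9 445
not a flow record
"""

def run_sample():
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    return boundary_violations(flows), lateral_fanout(flows)

if __name__ == "__main__":
    violations, fanout = run_sample()
    for f in violations:
        print(f"IT/OT boundary violation: {f.src} ({zone_of(f.src)}) -> {f.dst} ({zone_of(f.dst)}) port {f.dport}")
    for src, dsts in fanout.items():
        print(f"Lateral fan-out from {src}: {len(dsts)} hosts {dsts}")
```

Note that the legitimate 09:31 flow from the DMZ jump host into the control zone is not flagged, while the 09:45 flow from the same workstation straight to the Modbus device is: the detector keys on the zone path, not on the port. In a real exercise the thresholds and the zone map come from the operator's network documentation, and the boundary rule is only as good as the flow visibility at the IT/OT edge, which is exactly the log-source gap that purple team work tends to surface.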

Purple Team Methodology

Purple teaming—in which red and blue team members collaborate in real time rather than conducting separate assessments—has been introduced into Ukraine's exercise program with international facilitation. In purple team exercises, red team operators conduct attacks transparently while blue team analysts observe and attempt to detect them, immediately discussing detection logic, tool configurations, and gaps in visibility. This collaborative model generates faster capability improvement than traditional red/blue separation, at the cost of some realism in testing actual operational responses under adversarial conditions.

Purple team exercises have been particularly valuable for improving SIEM detection rule coverage, identifying specific log sources whose absence creates detection blind spots, and tuning threat hunting workflows to focus on the highest-value indicators of techniques that are actually used by the threat actors targeting Ukrainian systems.
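A concrete way to run the log-source gap analysis described above, and the "insufficient detection visibility" finding discussed in the FAQ, is to treat each detection rule as a dependency on specific log sources and check those dependencies against what is actually onboarded in the segment where the red team operated. The block below is an added example, not code from the page or from any SSSCIP or NATO tooling; the rule names, technique IDs, segments and the exercise run are constructed, and the SIEM is assumed rather than any particular product.

```python
"""Purple-team coverage analysis: for each technique the red team executed,
decide whether a SIEM rule could have fired given the log sources actually
onboarded in that network segment, separate 'rule exists but analyst missed
it' from 'rule cannot fire because the logs are not there', and rank missing
log sources by how many executed techniques they would unblock.
All rules, segments and executions are constructed sample data."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # ATT&CK technique ID the rule is written for
    requires: frozenset # log sources the rule's query reads

@dataclass(frozen=True)
class Execution:
    technique: str
    segment: str        # where the red team ran the technique
    observed: bool      # did the blue team actually raise it during the run?

# Constructed rule set; names are hypothetical.
RULES = [
    Rule("psexec_service_install", "T1021.002", frozenset({"win_security_4624", "win_system_7045"})),
    Rule("lsass_access", "T1003.001", frozenset({"sysmon_10"})),
    Rule("rdp_fanout", "T1021.001", frozenset({"netflow"})),
    Rule("office_spawns_shell", "T1566.001", frozenset({"sysmon_1"})),
]
# Constructed log-source inventory per segment (what the SIEM actually ingests).
ONBOARDED = {
    "corp_workstations": {"win_security_4624", "sysmon_1", "sysmon_10", "netflow"},
    "corp_servers": {"win_security_4624", "netflow"},
    "ot_dmz": {"netflow"},
}

def assess(execution, rules=RULES, onboarded=ONBOARDED):
    """Return (status, detail) with status in {'detected','missed','blind','no_rule'}.
    'blind' carries the missing log sources; the others carry viable rule names."""
    candidates = [r for r in rules if r.technique == execution.technique]
    if not candidates:
        return "no_rule", ()
    have = onboarded.get(execution.segment, set())
    viable = [r for r in candidates if r.requires <= have]
    if viable:
        return ("detected" if execution.observed else "missed"), tuple(r.name for r in viable)
    missing = set()
    for r in candidates:
        missing |= r.requires - have
    return "blind", tuple(sorted(missing))

def coverage_report(executions, rules=RULES, onboarded=ONBOARDED):
    """Per-(technique, segment) status plus missing sources ranked by techniques unblocked."""
    statuses = {}
    unblocks = Counter()
    for e in executions:
        status, detail = assess(e, rules, onboarded)
        statuses[(e.technique, e.segment)] = (status, detail)
        if status == "blind":
            for src in detail:
                unblocks[src] += 1
    return statuses, unblocks.most_common()

# Constructed record of one purple-team run.
SAMPLE_RUN = [
    Execution("T1566.001", "corp_workstations", True),
    Execution("T1003.001", "corp_workstations", False),
    Execution("T1021.002", "corp_servers", False),
    Execution("T1003.001", "corp_servers", False),
    Execution("T1021.001", "ot_dmz", False),
    Execution("T1021.002", "ot_dmz", False),
]

if __name__ == "__main__":
    statuses, ranked = coverage_report(SAMPLE_RUN)
    for (technique, segment), (status, detail) in statuses.items():
        print(f"{technique:10} {segment:18} {status:9} {detail}")
    print("onboard next:", ranked)
```

The distinction the report draws matters for where the remediation effort goes: a "missed" result (rule and logs both present, nobody noticed) is a tuning or triage problem, while a "blind" result cannot be fixed by any amount of rule writing until the missing source is onboarded in that segment. Ranking missing sources by the number of techniques they unblock gives the blue team an ordered onboarding backlog rather than a flat list of gaps.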

Findings Classification and Remediation Tracking

Red team findings against Ukrainian government networks are classified according to the sensitivity of the specific vulnerabilities and the operational context in which they were identified. Top-level findings from NSA-supported assessments are shared only with senior Ukrainian officials with direct responsibility for remediation, and are released to partner nations, if at all, only at the classification level appropriate to the specific vulnerability. SSSCIP maintains a national vulnerability and findings registry that tracks the remediation status of red team and audit findings, with oversight from the National Security and Defense Council for critical infrastructure findings.

Capability Development Through Adversarial Testing

The operational model adopted by Ukraine—treating red team exercises as a systematic capability development tool rather than a compliance checking mechanism—has been endorsed by international partners as a model for mature cyber defense programs. When red team findings drive immediate remediation, detection rule updates, and network architecture changes rather than being filed in compliance reports, the exercise program generates compounding improvements in real defensive capability over time.

FAQ

What ethical and legal framework governs red team testing of Ukrainian critical infrastructure?
Red team assessments of Ukrainian critical infrastructure are conducted under written authorization agreements specifying scope, timing, notification procedures, and emergency stop conditions. Testing critical systems such as power grid control software requires heightened caution given the potential for real operational impact; exercises are typically conducted against system replicas or at carefully controlled times when disruption risk is minimized.
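The scope, time window and emergency stop conditions in a written authorization are only useful if the red team's tooling actually enforces them. The guard below is an added example of that enforcement, not code from the page or from any exercise program; the replica address ranges, the excluded safety-system subnet and the test window are constructed, and the `action` callable stands in for whatever tool the operator would otherwise invoke directly.

```python
"""Rules-of-engagement guard for red team tooling: a target is touched only if
it is inside the authorized scope, not on the exclusion list, inside the
agreed time window, and no emergency stop has been declared. Exclusions are
checked before scope so that a carve-out inside an authorized range wins.
Scope, exclusions and window are constructed stand-ins for a real authorization."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass
class Engagement:
    scope: list                   # authorized networks (ip_network objects)
    exclusions: list              # never-touch networks, e.g. live safety systems
    window_start: datetime
    window_end: datetime
    stopped: bool = False         # flipped when the emergency-stop condition is invoked
    log: list = field(default_factory=list)  # audit trail of every decision

    def authorize(self, target, now):
        """Return (allowed, reason); every decision is appended to the audit log."""
        if self.stopped:
            decision = (False, "emergency stop in effect")
        else:
            try:
                addr = ip_address(target)
            except ValueError:
                addr = None
            if addr is None:
                decision = (False, f"unparseable target {target!r}")
            elif any(addr in net for net in self.exclusions):
                decision = (False, f"{target} is explicitly excluded")
            elif not any(addr in net for net in self.scope):
                decision = (False, f"{target} outside authorized scope")
            elif not (self.window_start <= now <= self.window_end):
                decision = (False, "outside authorized test window")
            else:
                decision = (True, "authorized")
        self.log.append((now.isoformat(), target, decision[1]))
        return decision

    def run(self, target, action, now):
        """Invoke `action(target)` only when authorized; return (ran, reason)."""
        allowed, reason = self.authorize(target, now)
        if allowed:
            action(target)
        return allowed, reason

def make_sample_engagement():
    """Constructed authorization: a replica network, a carved-out PLC subnet,
    and a night-time window when disruption risk is lowest."""
    return Engagement(
        scope=[ip_network("10.50.0.0/16")],
        exclusions=[ip_network("10.50.9.0/24")],
        window_start=datetime(2025, 3, 1, 1, 0, tzinfo=timezone.utc),
        window_end=datetime(2025, 3, 1, 5, 0, tzinfo=timezone.utc),
    )

if __name__ == "__main__":
    eng = make_sample_engagement()
    now = datetime(2025, 3, 1, 2, 0, tzinfo=timezone.utc)
    for host in ("10.50.1.10", "10.50.9.4", "10.60.1.1", "bad-host"):
        print(host, eng.run(host, lambda h: print("  scanning", h), now))
    eng.stopped = True
    print("after stop:", eng.run("10.50.1.10", lambda h: None, now))
```

Two design points carry over to real tooling: the exclusion check runs before the scope check so a listed safety subnet inside an authorized /16 is still refused, and the emergency stop is a single flag checked on every call, so invoking it halts further actions immediately rather than waiting for an operator to read a message.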
How does a purple team differ from traditional red vs. blue exercises?
Traditional red vs. blue exercises test operational defensive performance with the realism of defenders not knowing attack timing, target, or technique. Purple teaming has the red and blue teams collaborate, with attacks conducted transparently while defenders observe and tune detection. Purple increases learning speed but reduces operational realism—both approaches are valuable for different developmental purposes.
Does Ukraine share red team findings with NATO partners?
Aggregate findings—general categories of vulnerability types discovered (e.g., "phishing remains a primary initial access vector")—are shared with NATO partners through appropriate channels to inform alliance-wide defensive improvement. Specific technical findings about vulnerability details in specific Ukrainian systems are generally not shared to prevent intelligence about Ukrainian network weaknesses from being exposed.
What is the most commonly discovered weakness in Ukrainian government red team assessments?
According to publicly acknowledged summary findings from Ukrainian officials, the most consistent finding is insufficient detection visibility—blue teams often do not have logging coverage across all relevant systems and therefore cannot detect lateral movement that occurs in network segments not covered by security monitoring tools. Initial access through phishing also remains consistently achievable.
How does Ukraine's red team compare to Russian cyber threat actors?
Government red teams emulate adversary behavior using documented TTPs, but they are not the actual threat actor groups. A Ukrainian government red team operates with authorization and inside knowledge of the networks it tests, whereas Russian groups attack from the outside; the emulation is valuable but cannot perfectly replicate sophisticated state-sponsored groups with their own custom tooling, zero-day vulnerabilities, and any footholds they already hold in the target networks.


Cyber Operations Analysis: Red Team and Blue Team Exercises in Ukraine's Cyber Defense

The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, and red team and blue team exercises are one of the ways Ukraine's defenders have adapted to that environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the full-scale invasion of February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of the operations these exercises are designed to emulate provides essential context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.

Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), Cozy Bear/APT29 (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Exercise design draws directly on this threat actor ecosystem: the malware families deployed, the sectors targeted, and the novel techniques observed all feed the scenarios red teams emulate, and each new campaign reveals evolving adversary capabilities and intentions that the scenarios must keep pace with.

Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). Adversarial exercises inform this evolving defensive picture, highlighting where Ukrainian defenses have proven effective and where vulnerabilities remain.

The strategic calculation surrounding Russian cyber operations against Ukraine involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response, including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations, shapes the cost-benefit calculations of Russian cyber strategists.

Lessons for Global Cybersecurity Policy

The cyber dimensions of the Russia-Ukraine conflict, including the adversarial exercise program described above, have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.

Frequently Asked Questions

What are the main Russian cyber attacks on Ukraine?

Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.

How has Ukraine defended against Russian cyber attacks?

Ukraine's cyber defense has benefited from pre-invasion preparation, assistance from Microsoft and other Western technology companies, CERT-UA operations, and the support of allied intelligence services. Ukraine also gained significant resilience by migrating government data to cloud infrastructure outside the country as the full-scale invasion began, removing a single point of failure that physical strikes or wipers could have exploited.

What is the role of cyber warfare in the Ukraine conflict?

Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.

Who are the main cyber actors targeting Ukraine?

Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.

What can other countries learn from Ukraine's cyber defense?

Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.