NATO’s flagship cyber exercise, Cyber Coalition 2025, challenged more than 1,300 cyber defenders from 36 NATO and partner nations to guard against major attacks on critical infrastructure, including power plants, fuel depots, commercial satellites and military networks. During the exercise, from November 28 to December 4, 2025, NATO’s Allied Command Transformation oversaw seven realistic scenarios that required participants to manage a range of advanced cyber incidents.
Cyber Coalition is set up as a collaborative drill, not a contest, said U.S. Navy Cmdr. Brian Caplan, the exercise director. “Other cyber exercises are often about who wins a trophy. Ours is different, it’s about synergy — nations helping nations, and the stronger helping the weaker, so everyone is better prepared,” he said, according to The Record, a cybersecurity news publication.
This year’s cyber exercise was NATO’s largest. It was executed through the Estonian Cyber Security Exercises and Training Centre, or CR14, in Tallinn, Estonia’s capital.
Trainers participated from their respective nations and entities through virtual networks, while an exercise control group assembled in Estonia to execute the event. Only about 200 of the more than 1,300 participants were on site in Estonia.
The exercise comes as NATO has increasingly warned about hybrid threats from Russia as it continues its war on Ukraine. “There is no boundary in cyber — it’s worldwide,” Caplan said in a NATO new release. “The better you can share and collaborate, the stronger and more resilient our collective defences become.”
The seven scenarios that tested participants were challenging and realistic, preparing cyber defenders for real-world events. They included attacks on critical national infrastructure, space-related cyber incidents, and “Ghost in the Backup’’ — involving malicious activity within backup systems. Throughout the scenarios, threat actors led sophisticated cyber operations targeting a NATO mission. These operations triggered coordination and collaboration among NATO and partner cyber defense teams.
“The storylines are designed so no nation can ‘win the war’ unless they communicate with others,” Caplan said, according to The Record. “Only by sharing information and working together can they understand the attack and respond effectively.”
For the seventh year in a row, 16th Air Force (Air Forces Cyber) participated as the U.S. representative at Cyber Coalition. “What our cyber warriors do here during Cyber Coalition further underscores our network of Allies and partners is an asymmetric advantage that our adversaries can never hope to match,” Air Force Lt. Gen. Thomas Hensley, 16th Air Force commander, said in a news release.
“Cyber Coalition is a unique opportunity for our Airmen to gain firsthand exposure to how NATO conducts cyber operations,” Candace Sanchez, 16th Air Force lead exercise planner, said in a U.S. European Command news release. “It is one of the few — if not the only — events where we train simultaneously at the tactical, operational, and strategic levels. It allows us to share tactics, techniques, and procedures; strengthen and mature key partnerships; build and maintain trust; and ensure we are fully prepared to operationalize together.”
In testimony before the Senate Armed Services Committee on February 13, 2025, Gen. Gregory M. Guillot, commander of United States Northern Command and North American Aerospace Defense, said: “Our principal adversaries are concentrating their increasingly sophisticated offensive cyberoperations on U.S. defense and civilian infrastructure. Over the last year, Russian-affiliated cyber actors have conducted attacks on water supply, wastewater, hydroelectric, and energy facilities in the United States, while [People’s Republic of China]-sponsored cyber actors have positioned themselves on IT networks in multiple U.S. sectors, potentially enabling them to rapidly transition to disruptive attacks in the event of a crisis or conflict.”