Sandfly Blog
One of Sandfly's clients took part in the NATO Locked Shields 2026 exercise, which tests cyber defense under live fire. Working on the Linux defense team, they put Sandfly to the test against aggressive red teams known for finding inventive ways to hide and persist on Linux systems.
The participant stated that Sandfly deployed quickly and worked immediately, running across a varied set of Linux hosts without impacting them.
Sandfly scales with nodes, not agents:
"Decoupling scanning nodes from the server allowed us to quickly spin up scanning nodes on our laptops. This kept the server prepared in the cloud in advance and enabled scanning from multiple hosts."
Sandfly's REST API let defenders automate their workflow and move at the speed of a modern attacker:
"Robust API, covering all the functions, with documented examples. I've used the API extensively, I think more than the web UI. This one was a game changer for an exercise where speed and automation matter most."
Sandfly uncovered advanced fileless malware and other attacks operating on Linux:
"Sandfly managed to find some true-positive vulnerabilities and real implants during the exercise, even after we applied our hardening scripts. The most interesting finding was a fileless implant still running as root on the host we were sure was already handled and properly hardened. Without this we would most probably completely lose that machine … Sandfly correctly flagged many things, and a few of those flags saved the day. A few of our teammates were also using it, and they were quite satisfied. Keep it going like that - great product."
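The root fileless implant in the quote above is the kind of process that an on-disk scanner cannot see because there is no file left to inspect. The following is an added example written for this post, not Sandfly's code and not a description of how Sandfly detected that implant: it applies the generic /proc checks a Linux responder would run by hand. A process whose /proc/PID/exe link ends in " (deleted)", points at a "/memfd:" object created with memfd_create, or lives in tmpfs has no honest file backing; executable mappings backed by memfd or deleted files, and anonymous writable-plus-executable regions, are secondary signals. The PIDs, process names, addresses and maps lines in SAMPLE are constructed for the example and are not from the exercise.

```python
"""Hunt for fileless Linux processes by reading /proc (added example)."""
import os
import re

# Constructed snapshot shaped like /proc/<pid>/{exe,status,maps}.
# All PIDs, names and addresses are made up for this illustration.
SAMPLE = {
    4242: {  # memfd-backed implant running as root
        "exe": "/memfd:kworker (deleted)",
        "status": "Name:\tkworker\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
        "maps": [
            "7f3a10000000-7f3a10021000 r-xp 00000000 00:01 1234 /memfd:kworker (deleted)",
            "7f3a10221000-7f3a10223000 rw-p 00021000 00:01 1234 /memfd:kworker (deleted)",
            "7f3a10400000-7f3a10500000 rwxp 00000000 00:00 0",
        ],
    },
    4243: {  # ordinary daemon with a real on-disk executable
        "exe": "/usr/sbin/sshd",
        "status": "Name:\tsshd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
        "maps": [
            "5589e0000000-5589e00c0000 r-xp 00000000 08:01 5678 /usr/sbin/sshd",
            "7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]",
        ],
    },
}

# address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_uid(status_text):
    """Return the real UID from /proc/<pid>/status, or None if absent."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    return None


def classify(exe_target, uid, maps_lines):
    """Collect reasons a process looks fileless; empty list means nothing odd."""
    reasons = []
    if exe_target.startswith("/memfd:"):
        reasons.append("exe is a memfd (created in memory, never on disk)")
    elif exe_target.endswith(" (deleted)"):
        reasons.append("exe was unlinked after launch")
    elif exe_target.startswith(("/dev/shm/", "/run/shm/")):
        reasons.append("exe lives in tmpfs")
    for line in maps_lines:
        m = MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.group(1), m.group(2)
        if "x" not in perms:
            continue
        if path.startswith("/memfd:") or path.endswith(" (deleted)"):
            reasons.append("executable mapping with no file backing: " + path)
        elif "w" in perms and path == "":
            # Anonymous W+X regions also come from JITs, so treat as a hint only.
            reasons.append("anonymous writable+executable mapping")
    return {"suspicious": bool(reasons), "root": uid == 0, "reasons": reasons}


def scan_proc(proc_root="/proc"):
    """Walk a live /proc; reading other users' exe links needs root."""
    findings = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pdir = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(pdir, "exe"))
            with open(os.path.join(pdir, "status")) as f:
                uid = parse_uid(f.read())
            with open(os.path.join(pdir, "maps")) as f:
                maps = f.read().splitlines()
        except OSError:
            continue  # process exited or is unreadable; skip rather than crash
        result = classify(exe, uid, maps)
        if result["suspicious"]:
            findings[int(name)] = result
    return findings


def scan_sample(sample=SAMPLE):
    """Run the same classifier over the constructed snapshot."""
    return {pid: classify(p["exe"], parse_uid(p["status"]), p["maps"])
            for pid, p in sample.items()}


if __name__ == "__main__":
    for pid, r in scan_sample().items():
        tag = "SUSPECT" if r["suspicious"] else "ok"
        who = "root" if r["root"] else "user"
        print(pid, tag, who, "; ".join(r["reasons"]))
```

Run `scan_proc()` as root on a live host to apply the same checks to every process; the sample run flags PID 4242 on three grounds and leaves sshd alone. Kernel threads and JIT-heavy programs (browsers, JVMs) will trip the anonymous W+X hint, so use the exe-level reasons as the primary signal and the mapping reasons as corroboration.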
NATO Locked Shields simulates large-scale cyber conflict to test the participants' capabilities and decision-making under pressure. In that setting, agent-based tools add deployment risk, compatibility gaps, and performance impact on systems that cannot tolerate disruption during a crisis.
Sandfly is Linux-first and agentless. No agents to push, nothing to break when a host is upgraded, and no outbound telemetry required, so it runs in isolated and air-gapped environments. A responder can point Sandfly at a host and start hunting in minutes, even mid-incident.
Sandfly gives instant Linux protection without endpoint agents or drama.
Locked Shields is the annual cyber defense exercise run by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). It is one of the largest and most complex real-time network defense exercises in the world, focused on protecting national IT systems and critical infrastructure under intense cyberattack. It is built to sharpen national cyber defenses, deepen cooperation among governments, industry, and allied nations, and advance new approaches to cyber defense.