TALLINN, Estonia – More than 40 Maryland National Guard members participated in Immediate Response 2026, a comprehensive cyber exercise, with their Estonian counterparts at Foundation Cyber Range 14, or CR14, May 16-23.
The exercise is part of Sword 26, U.S. Army Europe and Africa's, or USAREUR-AF, premier annual exercise series that occurs from late April through May across eight countries in the High North and Baltic regions. Along with the Estonian Defense Forces, Immediate Response 2026 hosted participants from the Maryland Army National Guard’s Cyber Protection Team 169, the Maryland Air National Guard’s 175th Cyberspace Operations Group and members of the U.S. Army's Information Dominance Company, Multi-Domain Command-Europe.
The intent of the exercise was to strengthen bilateral training between U.S. and Estonian cyber forces, share tactics, techniques and procedures and give participants the chance to plan, analyze and carry out operations in a realistic, simulated environment. The Maryland National Guard has been a partner with Estonia since 1993 through the Department of War National Guard Bureau State Partnership Program.
Opposing teams faced off in a highly dynamic environment with controlled objectives and outcomes. The exercise pitted an Adversary Emulation Force against a Network Defense Force. In the cyber world, these units are traditionally known as the "red team," the aggressors actively attempting to breach and degrade the network, and the "blue team," the sentinels continuously hunting threats and protecting the system.
Adding to the authenticity, the exercise's physical layout mirrored actual operations. While the Network Defense Force operated out of a centralized primary location, the Adversary Emulation Force was intentionally dispersed across multiple off-site locations.
"In the real world, you're not just sitting at your desk next to the adversaries while they tell you what their plan is," said Maryland Air National Guard Maj. Wesley Smith, a cyber operations officer with the 175th Cyberspace Operations Group. "You don't know where they are or when they'll carry out an effort to compromise critical infrastructures that need to remain protected, and we wanted that to be a key understanding in this exercise."
Because of this physical separation and the dynamic environment, defenders had to try to protect the digital house without revealing how or where they were defending it.
“Both the red team and the blue team, we don’t want the others to see what we’re doing,” said Maryland Army National Guard Master Sgt. Luke Thompson, non-commissioned officer in charge of the Cyber Protection Team 169.
The exercise was not focused purely on computers in isolation. CR14 hosted a simulated environment that included power grids, transportation networks, railroad control systems and the operational networks that support military and civilian movement.
In a real conflict, compromising these dual-use systems goes beyond degrading a military force's ability to mobilize. Because modern military logistics and national defense rely heavily on public utilities, any successful cyberattack directly impacts the civilian population. A blackout or a disabled transit grid doesn't just stop troop transport; it shuts down local hospitals, halts civilian commerce and paralyzes critical municipal services.
"Technology integrates into warfighting at a fundamental level," added Maryland Air National Guard Col. David Sturgeon, a cyber warfare operator with the 276th Cyber Operations Squadron. "There are computers that run the power grid, and if you control those computers, you can control the power grid."
To defend against these threats, the Network Defense Force must adopt a methodical, investigative approach. Thompson compared defensive cyber operations to hiring an exterminator to mitigate a pest problem in a house.
In the cyber realm, this translates to threat hunting, clearing out malicious activity and enabling system hardening. Sometimes, that hardening is as simple as identifying obvious vulnerabilities. Finding the threat, however, requires careful analysis. Operators look for indicators of compromise, trace timelines and reconstruct how an intrusion occurred so they can stop it.
“It’s kind of like being a detective,” Thompson added. “You’re trying to solve the case and paint the story.”
While the exercise focused heavily on network defense, it also implemented a broader military priority of foundational readiness. Service members must be prepared to operate in austere environments, proving they are Soldiers and Airmen first, and cyber specialists second.
Operators deploying for missions such as Immediate Response 2026 must consider their physical and logistical needs and ensure they possess basic survival and Soldier skills. This means knowing how to pack the right gear to sustain themselves for a multi-day mission with limited food and resources, and possessing the flexibility to accomplish tasks outside their primary occupational specialty.
Just as an aviation mechanic might need to know how to refuel an aircraft in addition to fixing it, cyber operators must maintain the fundamental readiness required to deploy, survive and adapt when external support is limited.
Successfully conducting an exercise of this scale requires seamless integration, which is made possible by the universal nature of the cyber domain. Because operators across different branches and allied nations use the same digital environments and tools, combining forces becomes a matter of unified strategy.
Technical interoperability is crucial, but the foundation of Immediate Response 2026 is built on a strategic partnership. Estonia maintains one of the most cyber-experienced defense forces in NATO, making Foundation CR14 the ideal environment to simulate a shared threat landscape.
"When you are operating in a physical environment and have to deal with various obstacles that may hinder the completion of the mission, then it is important to find a balance between your sustainable operations and the successful completion of the mission," Estonian Cyber Force Command Chief Col. René Innos said.
Ultimately, the value of Immediate Response 2026 and the broader Sword 26 exercise series lies in the collective readiness it builds. By stress-testing these critical networks now, the U.S. and its NATO allies are actively hardening the real-world infrastructure on which military forces and civilian populations rely every day.