Operation Grounded Eagle
Milima Cyber Academy in Kampala, Uganda
A 3-day aviation cybersecurity training exercise combining tabletop exercises with a live Security Operations Center lab environment — transitioning airport sysadmins into SOC-capable analysts.
Operation Grounded Eagle was designed and delivered in March 2026 through a collaboration between ObsidianCorps and Milima Cyber Academy for an African civil aviation authority. The programme addressed a critical gap: airport IT staff with strong systems administration backgrounds but limited formal cybersecurity training were being asked to defend aviation-critical infrastructure against increasingly sophisticated threats.
About the Client
The Uganda Civil Aviation Authority oversees aviation safety, security, and regulation across the country. Their airport IT teams manage a blend of traditional IT systems, specialised aviation systems, and operational technology — all requiring robust cybersecurity defence capabilities.
The Challenge
Complex attack surface
Airports operate traditional IT (email, finance, HR), specialised aviation systems (flight information, baggage handling, crew scheduling), and operational technology (ACARS, ADS-B, air traffic management) — each with different risk profiles and regulatory requirements.
Skills gap under pressure
IT staff with strong sysadmin backgrounds needed functional SOC capabilities — but the training had to be practical, aviation-specific, and produce measurable competency outcomes within a 3-day window.
Realistic training environment
Generic cybersecurity exercises wouldn't suffice. The training needed aviation-specific scenarios with realistic attack data, a live SIEM environment, and a signal-to-noise ratio that mirrors real operations.
Our Solution
Kill Chain & Aircraft Security
Foundational cybersecurity concepts introduced through an aviation lens — making threats immediate and tangible through hands-on reconnaissance against real-world public footprints.
Incident Response & Emerging Technologies
Active incident handling under time pressure — teams responded to a simulated LockBit 3.0 ransomware attack against airport crew scheduling systems.
SOC Capstone Assessment
A full-day hands-on exercise on a live Wazuh SIEM environment with over 22,000 pre-loaded security events. Participants hunted for attacker persistence, wrote detection rules, and delivered technical leadership briefings.
Technical Infrastructure
A 13-container Docker Compose stack with each team isolated on its own network subnet, deployed via a single automated script.
Wazuh SIEM stack per team, with separate manager, indexer and dashboard containers
Full network packet capture and analysis per team environment
Deliberately vulnerable web application for hands-on security testing
Proprietary exercise platform for inject delivery, scoring, and analytics
11 SOC Competencies Assessed
SIEM Query Proficiency
Dashboard queries (the KQL-style DQL syntax of the OpenSearch-based Wazuh dashboard) against live Wazuh data
Threat Hunting
Persistence mechanism identification & IOC reporting
Detection Rule Writing
Sigma rules in valid YAML with MITRE ATT&CK technique mappings
SIEM Tuning
Noise analysis and threshold adjustment recommendations
Network Security
Firewall gap analysis and hardened rule creation
Log Architecture Design
Per-server log source mapping & storage calculations
Alert Triage
Signal vs. noise separation under time pressure
Incident Investigation
Attack timeline reconstruction with TTP mapping
Containment Execution
Specific technical commands and firewall rules
Playbook Development
SOC runbooks with SOAR automation opportunities
Technical Communication
Evidence-based leadership briefings using live dashboards
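As an added example of two of the competencies above, detection rule writing and SIEM tuning (it is not code from the page, the exercise platform or Wazuh), the script below evaluates a Sigma-style rule for cron-based persistence against constructed alert records loosely modelled on the JSON layout of Wazuh's alerts.json, then applies a frequency/timeframe threshold to sshd authentication failures to show how a noisy rule is tuned before it pages anyone. The hostnames, IP addresses, file paths and rule IDs are constructed for illustration (554/550/5760 resemble Wazuh's FIM and sshd rule numbers but nothing here depends on them), and the evaluator implements only a subset of Sigma: `and`/`or`/`not` over named searches plus the `startswith`, `endswith` and `contains` value modifiers.

```python
"""Sigma-style persistence hunt and threshold tuning over Wazuh-like alerts.

Added example, not the exercise platform's code. Records are constructed and
loosely modelled on Wazuh's alerts.json; rule IDs are illustrative.
"""
from collections import defaultdict
from datetime import datetime


def _fim(ts, event, path, uname):
    # Constructed file-integrity (syscheck) alert, hypothetical agent name.
    return {"timestamp": ts, "agent": {"name": "fids-web-01"},
            "rule": {"id": "554" if event == "added" else "550", "level": 5,
                     "description": "File added to the system."},
            "syscheck": {"path": path, "event": event, "uname_after": uname}}


def _ssh_fail(ts, srcip):
    # Constructed sshd authentication-failure alert, hypothetical agent name.
    return {"timestamp": ts, "agent": {"name": "crew-sched-01"},
            "rule": {"id": "5760", "level": 5, "description": "sshd: authentication failed."},
            "data": {"srcip": srcip, "srcuser": "ops"}}


SAMPLE_ALERTS = [
    _fim("2026-03-10T09:02:11+00:00", "added", "/etc/cron.d/sysstat.dpkg-new", "root"),   # package-manager noise
    _fim("2026-03-10T09:03:40+00:00", "added", "/etc/cron.d/.update-cache", "www-data"),  # hidden cron job from web user
    _fim("2026-03-10T09:05:02+00:00", "modified", "/var/www/html/index.html", "www-data"),
] + [_ssh_fail(f"2026-03-10T09:14:{s:02d}+00:00", "203.0.113.7") for s in (0, 9, 21, 33, 47, 58)] + [
    _ssh_fail("2026-03-10T09:15:00+00:00", "198.51.100.4"),
    _ssh_fail("2026-03-10T09:25:10+00:00", "203.0.113.7"),   # outside the 120 s window below
    _ssh_fail("2026-03-10T09:30:00+00:00", "198.51.100.4"),
]

# A Sigma rule as a dict using Sigma's own keys; in the exercise this is written
# as YAML, and the structure is identical.
CRON_PERSISTENCE_RULE = {
    "title": "Cron job dropped in /etc/cron.d",
    "logsource": {"product": "linux", "category": "file_event"},
    "detection": {
        "selection": {"syscheck.path|startswith": "/etc/cron.d/",
                      "syscheck.event": ["added", "modified"]},
        "filter": {"syscheck.path|endswith": [".dpkg-new", ".dpkg-tmp"]},  # dpkg temp files
        "condition": "selection and not filter",
    },
    "level": "high",
    "tags": ["attack.persistence", "attack.t1053.003"],  # Scheduled Task/Job: Cron
}


def flatten(obj, prefix=""):
    """Turn nested alert JSON into dot-separated keys, e.g. syscheck.path."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out


def _field_matches(event, key, expected):
    # Sigma modifiers field|startswith, field|endswith, field|contains; list values are OR-ed.
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual)
    for want in (expected if isinstance(expected, list) else [expected]):
        want = str(want)
        if ((modifier == "startswith" and actual.startswith(want))
                or (modifier == "endswith" and actual.endswith(want))
                or (modifier == "contains" and want in actual)
                or (modifier == "" and actual == want)):
            return True
    return False


def evaluate(rule, alert):
    """Evaluate a rule whose condition uses only and/or/not over named searches (left to right)."""
    event = flatten(alert)
    detection = rule["detection"]
    searches = {name: all(_field_matches(event, k, v) for k, v in spec.items())
                for name, spec in detection.items() if name != "condition"}
    result, op, negate = None, "and", False
    for token in detection["condition"].split():
        if token in ("and", "or"):
            op = token
        elif token == "not":
            negate = True
        else:
            term = searches[token] != negate  # apply a pending 'not'
            negate = False
            result = term if result is None else (result and term if op == "and" else result or term)
    return bool(result)


def hunt(alerts, rule):
    """Return (timestamp, agent, path, MITRE technique IDs) for every alert the rule matches."""
    techniques = [t[7:].upper() for t in rule["tags"] if t.startswith("attack.t") and t[8:9].isdigit()]
    return [(a["timestamp"], a["agent"]["name"], flatten(a).get("syscheck.path"), techniques)
            for a in alerts if evaluate(rule, a)]


def threshold_hits(alerts, rule_id, group_field, count, timeframe_s):
    """SIEM tuning check: largest number of rule_id alerts per group_field value inside any
    sliding window of timeframe_s seconds, reported only where it reaches count (the
    frequency/timeframe pair a composite rule would carry)."""
    stamps_by_key = defaultdict(list)
    for a in alerts:
        if a["rule"]["id"] == rule_id:
            stamps_by_key[flatten(a).get(group_field)].append(datetime.fromisoformat(a["timestamp"]))
    hits = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start, best = 0, 0
        for end, stamp in enumerate(stamps):
            while (stamp - stamps[start]).total_seconds() > timeframe_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= count:
            hits[key] = best
    return hits


if __name__ == "__main__":
    print("persistence hits:", hunt(SAMPLE_ALERTS, CRON_PERSISTENCE_RULE))
    print("sshd sources over threshold:", threshold_hits(SAMPLE_ALERTS, "5760", "data.srcip", 5, 120))
```

Run stand-alone, the hunt reports only the hidden `/etc/cron.d/.update-cache` file written by `www-data` (the `.dpkg-new` file is suppressed by the rule's filter, which is where most tuning effort goes in practice), and the threshold check flags only 203.0.113.7, which produced six failures inside one 120-second window, while the two spread-out failures from 198.51.100.4 stay below the bar. Raising `count` to 8 silences the alert entirely, which is exactly the trade-off a threshold-adjustment recommendation has to justify.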
Impact & Results
Airport IT professionals acquired functional SOC capabilities in a structured 3-day programme.
Participants worked with realistic signal-to-noise ratios in a live SIEM environment.
Participants consistently referenced ICAO frameworks and sector-specific regulations in their work.
A post-exercise report delivered per-exercise scoring, skill progression analysis and prioritised capability-building recommendations to UCAA leadership.
Key Results
3 training days: from sysadmin to SOC-capable analyst
11 SOC competencies assessed and measured
22,000+ security events in the live SIEM environment
Exercise injects across all training days
Our Methodology
The programme followed a deliberate progression: each day built on the previous one, and the Day 3 capstone assessment validated everything taught across all three days. All exercises were delivered through Scenarium, the exercise platform used for inject delivery, scoring and analytics, with simultaneous live SIEM lab access.
Expert Insight
"Operation Grounded Eagle validated that realistic, infrastructure-specific training scenarios produce better outcomes than generic cybersecurity exercises. When airport IT professionals see threats mapped to their own systems — ACARS, crew scheduling, flight displays — the material becomes immediately actionable, not just theoretically relevant."
Operation Grounded Eagle was designed and delivered through a collaboration between ObsidianCorps and Milima Cyber Academy, specialising in cybersecurity training and capability building for critical infrastructure organisations.
Bridging the gap between IT operations and cybersecurity — one organisation at a time.
Lessons Learned
Sector-Specific Scenarios Produce Significantly Better Retention
Generic cybersecurity exercises ("a company was attacked") produce lower engagement in critical infrastructure contexts than scenarios grounded in aviation-specific operations. When the Operation Grounded Eagle injects referenced airport SCADA systems, ATC communication disruption and passenger check-in data compromise, participants applied their analysis skills more quickly and accurately because the context matched their professional mental models. Every inject was written against the UCAA's actual operational environment, and participants consistently rated scenario realism as the single most valuable aspect of the exercise.
Live SIEM Environments Reveal Actual Skill Levels That Classroom Assessment Cannot
Pre-exercise interviews suggested participants had moderate familiarity with log analysis. The live Wazuh environment told a different story: several analysts had never performed threat hunting against a real event stream under time pressure, and initial alert triage was slow and inconsistent. The gap between conceptual knowledge and hands-on execution was only visible because the lab environment generated authentic noise — 22,000+ security events — rather than pre-filtered, textbook-clean data. This diagnostic insight directly informed the post-exercise skills roadmap provided to UCAA leadership.
Cross-Cultural Training Delivery Requires Structural Adaptation, Not Just Translation
Delivering a 3-day technical exercise across cultural and organisational contexts requires more than adjusting vocabulary. Group dynamics, comfort with publicly acknowledging errors, and attitudes toward hierarchical decision-making all influence how participants engage with incident response exercises. In Kampala, creating psychological safety — framing mistakes as expected and valuable data — required explicit facilitation design: anonymous team scoring during Day 1, anonymous individual scoring only from Day 2 onward, and debrief sessions that led with what teams did well before discussing gaps. Local partnership with Milima Cyber Academy was essential for understanding these dynamics in advance.