Cyber Trainer Facility.

Inside the IDF's cyber war simulator

How Israeli soldiers prepare for thousands of cyberattacks in a battlefield with no tanks or missiles. 

"An external attacker has managed to breach an isolated network. The attacker now has full control of the entire network. Starting with nothing more than communication access to another network, he exploited vulnerabilities, escalated privileges, and moved laterally until gaining complete control."
That was the scenario greeting Calcalist at the IDF's Cyber Trainer Facility, where cyber warriors train against simulated real-world attacks. The attacker in this case was Sgt. Y., one of the facility's instructors.
"The defenders are on top of the situation and have already contained the incident," she explained. "One of the things they do particularly well is operational containment: stopping the attack, stabilizing the environment, and restoring the network to normal operation."
Cyber Trainer Facility.
(Photo: Orel Cohen)
The modest facility, consisting of a handful of offices, an auditorium, and a cyber exercise room, serves the same purpose for cyber defenders that large training grounds serve for combat soldiers. It simulates real-world cyberattacks as closely as possible, replacing armed terrorists, tanks, and missiles with hackers and sophisticated attack groups.
"We conduct regular training exercises for cyber defenders across the IDF to ensure they remain prepared for cyber incidents," said the facility's commander, Capt. N.
"Just as combat units train for battlefield scenarios, cyber defenders must train for digital ones. The principle is the same: hard in training, easier in combat. Our goal is to increase exposure to realistic situations so that when a real incident occurs, they are as prepared as possible."
The exercises are designed by soldiers serving at the Cyber Trainer Facility, who also act as the attackers during the simulations.
"We run a variety of exercises, ranging from single-day simulations to multi-day operations," said Capt. N. "Some focus exclusively on the cyber defender's technical skills, while others examine command-and-control processes.
"A cyber incident doesn't involve only the defender sitting at a keyboard. Commanders, operations officers, and other personnel are involved as well. In some exercises, we deliberately bring commanders into the scenario to evaluate their decision-making under pressure.
"After every exercise, we conduct detailed debriefings. The objective is not only to provide experience, but also to identify lessons learned and areas for improvement."
What does training look like? Are participants told what the scenario is and simply told to run with it?
"The instructor stays with the team throughout the day. Let's say three teams arrive for training. We assign each team a room, and the instructor sits with them and observes everything they do in real time. We can also see their activity through our systems.
"First, they gather in the auditorium for a general briefing. Then they move to their assigned rooms, the scenario is activated, and the exercise begins."
Do they know what the scenario is, or is it kept confidential?
"It depends on the exercise. Sometimes we want them to identify the attack entirely on their own. In other cases, we provide partial information.
"For example, the instructor might say: 'Guys, I can see from the logs that someone copied files from the system.' Then the response team has to jump into action. One of their key tasks is identifying exactly what the attacker did, where they are operating, and how they got there.
"In other scenarios, we may tell them directly: 'This system was attacked. It is a system of type XYZ, and this specific component was compromised.'"
When military units conduct field exercises, they often use lasers and other systems to simulate combat. How similar is cyber training to the real thing?
"The similarity is extremely high because, unlike military exercises that rely on simulation tools, cyber warfare itself is conducted through code and networks.
"What they experience here closely resembles what they may encounter in operational service. The attacks look real because they are real. A cyber defender could see something very similar two weeks later while sitting at a workstation on base. The main difference is the pressure. We try to simulate that as well."
Have cyber defenders returned to their units after training here and successfully stopped real cyberattacks?
"That's a difficult question to answer directly. Let's put it this way: since October 7, the IDF has experienced roughly seven times more cyberattack attempts than before. At the same time, there has been zero successful penetration of operational IDF systems.
"I wouldn't claim all the credit for that, but the training conducted here certainly contributes.
"Many attacks follow patterns we already know. We incorporate those techniques into our exercises. But we don't stop there. We also try to anticipate future attack methods and train for scenarios that have not yet occurred. Some of the exercises we run are extremely sophisticated."
The soldiers who arrive at the Cyber Trainer Facility are selected from among graduates of the cyber defender course at the School of Computing Professions.
According to Capt. N., recruits do not need prior experience in programming or cybersecurity.
"What we're looking for is curiosity," he said. "Curiosity leads to creativity, and creativity is essential in cyber defense.
"We also look for people who can teach, communicate effectively, and maintain a very high professional standard. Our instructors must be experts because they are responsible for training the people who defend IDF networks.
"In addition, they need strong interpersonal skills. Cyber defense is often viewed as a solitary profession, but communication is a critical part of the job. People who are unable to work with others won't succeed here."
What opportunities are available in the civilian market after serving as an instructor?
"Someone who spends five years on the team can enter the civilian market at a very senior level," Capt. N. said.
"Those who served as commanders often move directly into management positions. The experience translates extremely well into cybersecurity, defense industries, and high-tech companies. It is uncommon for our graduates to start in junior roles."
One of the facility's points of pride is its gender balance, something still relatively rare in the cybersecurity industry.
"Our most recent course was roughly 50% women and 50% men," said Capt. N. "Today our team consists of eight women and six men.
"We hope the IDF can help influence the broader market. Companies that have actively recruited women into cybersecurity have gained access to a much larger talent pool."
Sgt. Y. is a typical example of the type of soldier recruited into the Cyber Trainer Facility.
"I had absolutely no computer background before joining the army," she said. "In high school I studied biology and medicine. I never touched programming or cybersecurity."
She originally planned to pursue medicine through one of the IDF's academic tracks.
"Eventually I decided I wanted to study medicine after my military service instead. That's when the IDF suggested the cyber track."
Training is not conducted in isolation. Just as combat units hold joint exercises with foreign militaries, the Cyber Trainer Facility regularly hosts international partners.
"Joint exercises are a major part of what we do," said Maj. B., head of the International Relations Section in the IDF's C4I Directorate.
"Many partner countries come here to train. The facility is unique not only because of its technological platform and capabilities, but also because of the quality of its instructors and the operational experience behind the training.
"That makes the Cyber Trainer Facility a major attraction for partners from around the world. We also travel abroad for exercises. We have conducted training with the United States and with many other countries across the globe."