Operation Grounded Eagle
Milima Cyber Academy in Kampala, Uganda
A 3-day aviation cybersecurity training exercise combining tabletop exercises with a live Security Operations Center lab environment — transitioning airport sysadmins into SOC-capable analysts.
Operation Grounded Eagle was designed and delivered in March 2026 through a collaboration between ObsidianCorps and Milima Cyber Academy for an African civil aviation authority. The programme addressed a critical gap: airport IT staff with strong systems administration backgrounds but limited formal cybersecurity training were being asked to defend aviation-critical infrastructure against increasingly sophisticated threats.
Training Days
Exercise Injects
SOC Competencies
Security Events
Docker Containers
About the Client
The Uganda Civil Aviation Authority oversees aviation safety, security, and regulation across the country. Their airport IT teams manage a blend of traditional IT systems, specialised aviation systems, and operational technology — all requiring robust cybersecurity defence capabilities.
The Challenge
Complex attack surface
Airports operate traditional IT (email, finance, HR), specialised aviation systems (flight information, baggage handling, crew scheduling), and operational technology (ACARS, ADS-B, air traffic management) — each with different risk profiles and regulatory requirements.
Skills gap under pressure
IT staff with strong sysadmin backgrounds needed functional SOC capabilities — but the training had to be practical, aviation-specific, and produce measurable competency outcomes within a 3-day window.
Realistic training environment
Generic cybersecurity exercises wouldn't suffice. The training needed aviation-specific scenarios with realistic attack data, a live SIEM environment, and a signal-to-noise ratio that mirrors real operations.
Our Solution
Kill Chain & Aircraft Security
Foundational cybersecurity concepts introduced through an aviation lens — making threats immediate and tangible through hands-on reconnaissance against real-world public footprints.
Incident Response & Emerging Technologies
Active incident handling under time pressure — teams responded to a simulated LockBit 3.0 ransomware attack against airport crew scheduling systems.
SOC Capstone Assessment
A full-day hands-on exercise on a live Wazuh SIEM environment with over 22,000 pre-loaded security events. Participants hunted for attacker persistence, wrote detection rules, and delivered technical leadership briefings.
Technical Infrastructure
A 13-container Docker Compose stack providing complete team isolation across separate network subnets, deployed via a single automated script.
Multi-container SIEM stack per team — manager, indexer, and dashboard
Full network packet capture and analysis per team environment
Deliberately vulnerable web application for hands-on security testing
Proprietary exercise platform for inject delivery, scoring, and analytics
11 SOC Competencies Assessed
SIEM Query Proficiency
KQL queries against live Wazuh data
Threat Hunting
Persistence mechanism identification & IOC reporting
Detection Rule Writing
Sigma rules in valid YAML with MITRE mappings
SIEM Tuning
Noise analysis and threshold adjustment recommendations
Network Security
Firewall gap analysis and hardened rule creation
Log Architecture Design
Per-server log source mapping & storage calculations
Alert Triage
Signal vs. noise separation under time pressure
Incident Investigation
Attack timeline reconstruction with TTP mapping
Containment Execution
Specific technical commands and firewall rules
Playbook Development
SOC runbooks with SOAR automation opportunities
Technical Communication
Evidence-based leadership briefings using live dashboards
Impact & Results
Airport IT professionals acquired functional SOC capabilities in a structured 3-day programme.
Participants worked with realistic signal-to-noise ratios in a live SIEM environment.
Participants consistently referenced ICAO frameworks and sector-specific regulations in their work.
Per-exercise scoring, skill progression analysis, and prioritised capability building recommendations.
Key Results
From sysadmin to SOC-capable analyst
SOC competencies assessed and measured
Security events in live SIEM environment
Exercise injects across all training days
Our Methodology
The programme followed a deliberate progression — each day built on the previous one, with Day 3's capstone assessment validating everything taught across all three days. All exercises were delivered through Scenarium with simultaneous live SIEM lab access.
Expert Insight
"Operation Grounded Eagle validated that realistic, infrastructure-specific training scenarios produce better outcomes than generic cybersecurity exercises. When airport IT professionals see threats mapped to their own systems — ACARS, crew scheduling, flight displays — the material becomes immediately actionable, not just theoretically relevant."
Operation Grounded Eagle was designed and delivered through a collaboration between ObsidianCorps and Milima Cyber Academy, specialising in cybersecurity training and capability building for critical infrastructure organisations.
Bridging the gap between IT operations and cybersecurity — one organisation at a time.