When Red and Blue Stopped Fighting Each Other and Started Fighting the Real Enemy
I'll never forget the tension in the conference room during what was supposed to be a routine debrief. The Chief Information Security Officer of TechVantage Financial had just spent $340,000 on a red team engagement—two weeks of sophisticated adversary simulation testing their defenses. The red team had compromised 87% of their critical systems, exfiltrated sensitive customer data, and maintained persistent access for 11 days before voluntarily revealing themselves.
The red team leader was proudly walking through their attack chain: "We used a simple phishing campaign targeting your finance department, harvested credentials, moved laterally through your unmonitored east-west traffic, escalated privileges using a known Kerberoasting attack, and established command-and-control through your allowed cloud storage services. Your detection capabilities are fundamentally inadequate."
The blue team leader—the Director of Security Operations—looked like he wanted to flip the table. "You're telling me we spent a third of a million dollars so you could play hacker and make us look incompetent? We never had a chance to actually defend! This was a penetration test with a victory lap, not a security improvement exercise."
The CISO sat between them, realizing he'd just witnessed $340,000 produce a 47-slide PowerPoint deck and two teams that now hated each other. Meanwhile, the actual security gaps that enabled the compromise remained unaddressed, his SOC team felt demoralized, and he had no actionable plan for improvement.
That's when I got the call. Over the past 15+ years, I've witnessed this same dysfunctional dynamic play out at dozens of organizations. Red teams and blue teams operating in isolation, often with conflicting incentives—red teams incentivized to maximize compromises, blue teams incentivized to minimize detections, and neither focused on the actual goal: improving organizational security posture.
Purple teaming changed everything. When I returned to TechVantage six months later to facilitate their first purple team exercise, the atmosphere was completely different. The same red team leader and blue team director sat side-by-side, collaborating in real-time. As the red team executed attacks, they immediately shared indicators of compromise. The blue team tuned detection rules, identified visibility gaps, and tested response procedures—all while the attack was happening. Instead of a surprise gotcha moment, it was a collaborative learning experience.
Over three intensive days, we executed 28 attack scenarios mapped to their specific threat model. The blue team detected 21 of them by the end (up from 3 at the start). More importantly, we documented 47 specific security improvements—detection rules, visibility enhancements, process refinements—that were implemented within 30 days. The cost? $125,000. The value? A measurable, sustained improvement in defensive capability rather than an expensive ego bruising.
In this comprehensive guide, I'm going to share everything I've learned about conducting effective purple team exercises. We'll cover the fundamental differences between red, blue, and purple team approaches, the methodologies that actually drive improvement, the practical logistics of running exercises that produce results rather than resentment, and the integration with major compliance frameworks that increasingly recognize purple teaming as best practice. Whether you're building your first purple team program or trying to salvage a dysfunctional red/blue relationship, this article will give you the roadmap to collaborative defensive excellence.
Understanding Purple Teaming: Beyond Red vs. Blue
Let me start by establishing clear definitions, because terminology confusion undermines many purple team initiatives. The cybersecurity industry loves military-inspired color schemes, but the distinctions matter.
Red Team, Blue Team, Purple Team: The Spectrum of Defensive Testing
Team Type | Primary Mission | Methodology | Success Criteria | Knowledge Sharing |
|---|---|---|---|---|
Red Team | Simulate adversary tactics to test defenses | Covert, adversarial, objective-focused | Achieve objectives without detection | Post-engagement only, often limited |
Blue Team | Defend systems, detect threats, respond to incidents | Monitoring, analysis, incident response | Prevent/detect/respond to attacks | Limited external input during defense |
Purple Team | Improve defensive capability through collaboration | Transparent, educational, iterative | Measurable improvement in detection/response | Continuous, real-time, comprehensive |
The key distinction isn't color—it's philosophy. Traditional red team engagements are zero-sum games where red team success equals blue team failure. Purple teaming reframes the entire dynamic: both teams succeed when organizational security posture improves.
The Evolution from Adversarial to Collaborative Testing
I've watched the industry evolve through three distinct phases over my career:
Phase 1: Penetration Testing (2000s-2010s)
Vulnerability-focused, compliance-driven
"Can we break in?" rather than "How do we defend?"
Checkbox exercise, minimal learning transfer
One-time assessment, no continuous improvement
Phase 2: Red Team Engagements (2010s-2020s)
Threat actor simulation, objective-based
More realistic but still adversarial
Blue team often unaware until debrief
Learning concentrated in final report
Phase 3: Purple Team Exercises (2020s-present)
Collaborative capability building
Real-time knowledge transfer
Iterative improvement across multiple scenarios
Continuous learning embedded in process
At TechVantage Financial, their security testing history exemplified this evolution:
2018: Annual penetration test ($45,000)
Found 23 vulnerabilities
Produced remediation report
12 vulnerabilities still open 12 months later
No improvement in detection capability
2020: First red team engagement ($340,000)
Compromised 87% of critical systems
Excellent attack documentation
Blue team demoralized
Unclear remediation path
2021: Purple team exercise ($125,000)
Executed 28 threat scenarios
47 specific improvements identified
44 implemented within 30 days
Detection rate improved from 11% to 75%
The difference wasn't the sophistication of testing—it was the collaborative approach that translated attacks into actionable defensive improvements.
Why Organizations Need Purple Teaming
The business case for purple teaming centers on three critical advantages over traditional approaches:
1. Accelerated Learning Cycles
Traditional red team engagements compress learning into a final debrief—often weeks after the exercise concludes. By that time, blue team members have forgotten specific alerts, logs have been overwritten, and the learning context is lost.
Purple teaming provides real-time feedback loops. When a red team executes a credential dumping attack, the blue team immediately sees (or doesn't see) the resulting alerts, investigates the detection gap, and tunes their rules—all within minutes. This compressed learning cycle accelerates capability development by 5-10x in my experience.
2. Optimized Resource Utilization
Approach | Cost Range | Duration | Scenarios Tested | Improvements Implemented | Cost per Improvement |
|---|---|---|---|---|---|
Penetration Test | $35K - $90K | 1-2 weeks | 1 objective | 8-15 (patches) | $3,500 - $7,500 |
Red Team Engagement | $180K - $450K | 2-4 weeks | 1-3 objectives | 12-25 (varies widely) | $8,000 - $25,000 |
Purple Team Exercise | $85K - $200K | 3-5 days | 15-30 scenarios | 30-60 (specific) | $1,500 - $4,500 |
Purple teaming achieves better return on investment by focusing explicitly on improvement rather than demonstration. Every hour of purple team time produces actionable defensive enhancements, not just documentation of compromise.
3. Sustainable Capability Building
Red team findings often overwhelm blue teams. A report with 50 recommendations becomes shelf-ware because defenders don't know where to start, which improvements have highest impact, or how to validate fixes.
Purple teaming creates prioritized, validated improvement roadmaps. During TechVantage's exercise, we didn't just identify 47 improvements—we ranked them by impact, estimated implementation effort, and validated fixes in real-time by re-executing attacks after defensive enhancements.
"The purple team approach transformed security testing from an annual judgment day to a continuous capability-building program. We finally understand not just what we missed, but how to catch it next time." — TechVantage Financial CISO
Common Misconceptions About Purple Teaming
Through hundreds of engagements, I've encountered recurring misconceptions that undermine purple team initiatives:
Misconception 1: "Purple teaming is just red and blue teams working together"
Reality: True purple teaming requires fundamental methodology changes, not just better communication. It's collaborative by design, with shared objectives, transparent tactics, and real-time knowledge transfer built into every scenario.
Misconception 2: "We can't do purple teaming because we don't have a dedicated red team"
Reality: Purple teaming can be facilitated by external consultants, internal security staff with offensive skills, or even automated attack simulation platforms. The team composition matters less than the collaborative methodology.
Misconception 3: "Purple teaming means the red team goes easy on defenders"
Reality: Purple team exercises use the same sophisticated techniques as red team engagements. The difference is timing of knowledge sharing (real-time vs. post-engagement) and focus on improvement rather than just compromise.
Misconception 4: "Purple teaming is only for mature security programs"
Reality: Purple teaming benefits organizations at any maturity level. Less mature programs actually gain more value because they have larger improvement opportunity. We've successfully run purple team exercises for organizations with single-person security teams through global financial institutions with 200+ security staff.
Misconception 5: "Purple teaming replaces red team engagements"
Reality: Both approaches serve different purposes. Red teams validate overall security posture against sophisticated adversaries. Purple teams build defensive capability through collaborative learning. Most organizations benefit from both—typically an annual red team engagement plus quarterly purple team exercises.
At TechVantage, we established a balanced testing program:
Quarterly Purple Team Exercises: Focused capability building, specific technique testing
Annual Red Team Engagement: Comprehensive adversary simulation, objective-based
Continuous Automated Testing: Daily attack simulation using commercial platforms
This combination provided continuous improvement (purple), periodic validation (red), and baseline monitoring (automated).
Phase 1: Purple Team Exercise Planning
Effective purple team exercises don't happen spontaneously—they require careful planning aligned with organizational threat landscape, security maturity, and strategic objectives.
Defining Exercise Objectives
The first step in any purple team exercise is establishing clear, measurable objectives. Vague goals like "improve security" or "test defenses" lead to unfocused exercises that satisfy no one.
I use this objective-setting framework:
Primary Objective Categories:
Objective Type | Focus Area | Example Objectives | Success Metrics |
|---|---|---|---|
Detection Capability | Visibility gaps, rule tuning, alert quality | Improve detection of credential dumping attacks<br>Validate EDR visibility into PowerShell execution | Detection rate increase, false positive reduction, mean time to detect |
Response Capability | Procedures, escalation, containment | Test incident response playbook for ransomware<br>Validate containment procedures for lateral movement | Response time reduction, procedure success rate, containment effectiveness |
Tool Validation | Security product effectiveness | Evaluate SIEM correlation rules<br>Test EDR prevention capabilities | Tool performance metrics, coverage gaps identified |
Process Improvement | SOC workflows, communication, documentation | Optimize alert triage process<br>Improve SOC-to-IT communication | Process efficiency gains, handoff time reduction |
Threat-Specific | Particular adversary TTPs | Defend against APT29 techniques<br>Detect ransomware attack chains | Scenario-specific detection rates |
Compliance | Framework requirements | Validate NIST CSF detection controls<br>Test SOC 2 incident response | Compliance evidence generation, control validation |
For TechVantage Financial, we established these specific objectives for their first purple team exercise:
Primary Objectives:
Improve detection rate for credential-based attacks from current baseline (11%)
Validate incident response procedures for ransomware scenarios
Identify visibility gaps in east-west network traffic monitoring
Test SIEM correlation rules against MITRE ATT&CK techniques
Secondary Objectives:
Generate evidence for SOC 2 control testing
Build SOC analyst skill in investigating sophisticated attacks
Document defensive gaps for budget justification
Success Criteria:
Detection rate >50% by exercise conclusion
All incident response procedures tested at least once
Minimum 20 specific improvements identified
Complete MITRE ATT&CK coverage mapping
These concrete objectives drove scenario selection, resource allocation, and success measurement.
Threat Modeling and Scenario Selection
Not all attack techniques are equally relevant to your organization. Purple team exercises should focus on threats that actually matter to your specific risk profile.
Threat Modeling Framework:
Factor | Assessment Questions | Impact on Scenario Selection |
|---|---|---|
Industry | What threats commonly target our sector?<br>What regulatory threats apply? | Prioritize industry-specific attack patterns (e.g., payment card attacks for retail) |
Architecture | What technology stack do we use?<br>What are our critical assets? | Focus on attacks targeting your specific platforms (e.g., Azure attacks for cloud-native orgs) |
Maturity | What's our current detection capability?<br>Where are our known gaps? | Start with foundational techniques, progress to advanced |
Threat Intelligence | What adversaries target organizations like ours?<br>What recent incidents affected our industry? | Emulate relevant threat actor TTPs |
Business Context | What would be most damaging to our operations?<br>What scenarios keep leadership awake? | Include business-impact scenarios (e.g., customer data exfiltration) |
For TechVantage, our threat model revealed:
High-Priority Threat Scenarios:
Financially-Motivated Cybercrime: Ransomware, payment fraud, business email compromise (70% of industry incidents)
Nation-State Espionage: Customer PII theft, trading algorithm exfiltration (25% of sophisticated attacks)
Insider Threats: Credential misuse, data theft by employees (5% but high impact)
Based on this threat model, we selected 28 specific attack scenarios mapped to MITRE ATT&CK:
Selected Attack Scenarios:
MITRE Tactic | Specific Technique | TechVantage Relevance | Detection Priority |
|---|---|---|---|
Initial Access | T1566.001 - Spearphishing Attachment<br>T1566.002 - Spearphishing Link<br>T1078 - Valid Accounts | Primary attack vector in financial sector | Critical |
Execution | T1059.001 - PowerShell<br>T1059.003 - Windows Command Shell<br>T1204 - User Execution | Common post-compromise execution | High |
Persistence | T1136 - Create Account<br>T1053.005 - Scheduled Task<br>T1547.001 - Registry Run Keys | Enables long-term access | High |
Privilege Escalation | T1078.002 - Domain Accounts<br>T1558.003 - Kerberoasting<br>T1068 - Exploitation for Privilege Escalation | Critical for lateral movement | Critical |
Defense Evasion | T1070 - Indicator Removal<br>T1562.001 - Disable Security Tools<br>T1027 - Obfuscated Files | Current detection gap | Critical |
Credential Access | T1003.001 - LSASS Memory<br>T1110 - Brute Force<br>T1555 - Credentials from Password Stores | High-value targets | Critical |
Discovery | T1087 - Account Discovery<br>T1135 - Network Share Discovery<br>T1018 - Remote System Discovery | Precursor to lateral movement | Medium |
Lateral Movement | T1021.001 - Remote Desktop Protocol<br>T1021.002 - SMB/Windows Admin Shares<br>T1550 - Use Alternate Authentication Material | Unmonitored east-west traffic | Critical |
Collection | T1560 - Archive Collected Data<br>T1005 - Data from Local System<br>T1039 - Data from Network Shared Drive | Customer data protection | High |
Command and Control | T1071 - Application Layer Protocol<br>T1573 - Encrypted Channel<br>T1102 - Web Service | Egress monitoring gaps | High |
Exfiltration | T1041 - Exfiltration Over C2<br>T1567 - Exfiltration Over Web Service<br>T1030 - Data Transfer Size Limits | Customer PII protection | Critical |
This mapping ensured comprehensive coverage while focusing on TechVantage's specific threat landscape.
Scope Definition and Rules of Engagement
Purple team exercises require clear boundaries to prevent disruption while maintaining realism. I develop detailed rules of engagement that balance these competing concerns:
Scope Definition Components:
Component | Considerations | TechVantage Example |
|---|---|---|
In-Scope Systems | Production vs. test environments<br>Critical vs. non-critical systems<br>Cloud vs. on-premises | Production Azure environment<br>Corporate network<br>Workstations and servers<br>Exclude: customer-facing trading platform |
In-Scope Techniques | Destructive vs. non-destructive<br>Disruptive vs. stealthy<br>Realistic vs. theoretical | All non-destructive techniques<br>No denial-of-service<br>No actual data exfiltration<br>Credential theft allowed, usage limited |
Timing | Business hours vs. after-hours<br>Blackout periods (e.g., quarter-end)<br>Duration and intensity | Tuesday-Thursday, 9 AM - 6 PM<br>Avoid month-end close period<br>3-day exercise with daily 8-hour sessions |
Authorization | Legal approval, change management<br>Third-party notifications<br>Incident response coordination | Legal counsel review<br>Change advisory board approval<br>Executive notification<br>IR team on standby |
Communication | Real-time channels, escalation paths<br>Knowledge sharing protocols<br>Emergency stop procedures | Dedicated Slack channel<br>15-minute feedback cycles<br>"Red card" emergency stop authority |
Rules of Engagement Document:
At TechVantage, we documented rules of engagement in a formal agreement signed by CISO, CIO, and legal counsel:
PURPLE TEAM EXERCISE - RULES OF ENGAGEMENT
This formal documentation prevented misunderstandings and provided legal protection for all participants.
Resource and Logistics Planning
Purple team exercises require coordination of people, technology, and facilities. Poor logistics undermine even well-designed technical plans.
Resource Requirements:
Resource Category | Specific Needs | TechVantage Allocation |
|---|---|---|
Personnel | Red team operators (2-4)<br>Blue team analysts (4-8)<br>Facilitator (1-2)<br>Observers (optional) | 3 red team operators<br>6 SOC analysts<br>1 external facilitator (me)<br>CISO observing day 1 |
Technology | Attack infrastructure<br>Monitoring/logging tools<br>Communication platforms<br>Documentation systems | Dedicated attacker workstation<br>SIEM, EDR, network monitoring<br>Slack workspace<br>Confluence wiki |
Facilities | War room for blue team<br>Separate space for red team<br>Debrief room<br>Remote participation capability | Conference room A (blue team)<br>Conference room B (red team)<br>Executive boardroom (debriefs)<br>Zoom for remote participants |
Budget | External facilitator fees<br>Tool licensing (if needed)<br>Participant time (opportunity cost)<br>Remediation budget | $85,000 external facilitation<br>$12,000 temporary tool licenses<br>~$45,000 participant time<br>$150,000 remediation budget |
Participant Preparation:
Three weeks before the exercise, we conducted preparation activities:
Technical Preparation:
Baseline security posture assessment
Tool validation and configuration
Attack infrastructure setup
Backup and recovery testing
Team Preparation:
Role assignments and responsibilities
Communication protocol training
Purple teaming methodology overview
Rules of engagement review
Logistical Preparation:
Facility setup and network configuration
Catering and break schedules
Documentation templates
Emergency procedures review
This preparation investment ensured the exercise ran smoothly and maximized learning during the compressed 3-day timeframe.
Phase 2: Exercise Execution Methodology
The actual execution of a purple team exercise follows a structured methodology that balances attack realism with collaborative learning.
The Purple Team Feedback Loop
The core of purple teaming is a rapid feedback loop that compresses traditional multi-week engagements into real-time collaboration:
Standard Purple Team Cycle (15-30 minutes per iteration):
Phase | Duration | Red Team Activity | Blue Team Activity | Facilitator Role |
|---|---|---|---|---|
1. Attack Execution | 5-10 min | Execute specific technique<br>Document actions<br>Capture indicators | Monitor for detection<br>Document alerts received | Observe both teams<br>Time the cycle |
2. Blue Team Analysis | 3-5 min | Pause attack activity<br>Prepare to explain | Investigate alerts<br>Document findings<br>Assess detection success | Note detection gaps |
3. Knowledge Transfer | 5-10 min | Reveal all attack details<br>Share indicators<br>Explain techniques | Ask clarifying questions<br>Identify visibility gaps<br>Propose improvements | Facilitate discussion<br>Document learnings |
4. Defensive Tuning | 5-10 min | Provide real-time feedback on blue team changes | Implement quick wins<br>Tune detection rules<br>Add monitoring | Guide prioritization<br>Validate changes |
5. Validation | 3-5 min | Re-execute same attack | Validate improved detection | Confirm improvement<br>Document delta |
At TechVantage, this cycle was transformative. Here's a real example from Day 1:
Scenario: Credential Dumping via LSASS Memory Access (T1003.001)
Iteration 1 (9:15 AM - 9:42 AM):
Red Team: Executed Mimikatz to dump LSASS memory on compromised workstation
Blue Team: No detection, no alerts generated
Knowledge Transfer: Red team revealed technique, shared process execution details
Gap Identified: EDR not configured to alert on LSASS access
Quick Win: Enabled LSASS protection in EDR policy
Validation: Re-executed attack, EDR blocked and alerted
Result: Detection rate 0% → 100% in 27 minutes
Iteration 2 (9:45 AM - 10:12 AM):
Red Team: Used alternate credential dumping via task manager memory dump
Blue Team: No detection initially, but investigated after facilitator prompt
Knowledge Transfer: Process memory dump technique explained
Gap Identified: No alerts on process memory dumping
Quick Win: Added SIEM rule for taskmgr.exe creating .dmp files
Validation: Re-executed attack, SIEM alerted, SOC investigated
Result: Detection rate 0% → 80% (alert generated but required investigation)
This rapid iteration achieved in 90 minutes what traditional red team engagements might not accomplish at all—real-time defensive improvement with validated results.
Facilitator Role and Responsibilities
The purple team facilitator is not just an observer—they're the orchestrator who ensures collaboration remains productive and learning objectives are achieved.
Facilitator Responsibilities:
Responsibility | Activities | Impact on Exercise Success |
|---|---|---|
Neutral Arbiter | Resolve disputes<br>Enforce rules of engagement<br>Maintain professional atmosphere | Prevents adversarial dynamics from undermining collaboration |
Knowledge Broker | Translate technical details for different audiences<br>Connect attack techniques to defensive capabilities<br>Identify learning opportunities | Ensures both teams extract maximum value from each scenario |
Time Manager | Keep scenarios on schedule<br>Prevent rabbit holes<br>Balance depth vs. breadth | Maximizes scenario coverage within limited timeframe |
Learning Documenter | Capture improvements identified<br>Record detection gaps<br>Document successful defenses | Produces actionable output beyond verbal discussion |
Skill Developer | Coach junior analysts<br>Provide context on adversary behavior<br>Explain defensive best practices | Builds team capability beyond specific techniques tested |
Executive Translator | Summarize technical findings for leadership<br>Connect gaps to business risk<br>Prioritize improvements by impact | Enables executive decision-making and resource allocation |
During the TechVantage exercise, my facilitation included:
Intervening when the blue team leader started blaming analysts for missing detections (shifted focus to systemic gaps)
Explaining why certain evasion techniques are realistic vs. theoretical (managed red team temptation to use overly sophisticated attacks)
Connecting detection gaps to specific MITRE ATT&CK techniques (gave blue team framework for documentation)
Translating technical findings into risk language for CISO (enabled afternoon executive briefings)
Coaching junior SOC analysts on investigation techniques (built skills beyond exercise)
"The facilitator made all the difference. Without that neutral party managing collaboration, we would have reverted to finger-pointing and defensiveness within an hour. Instead, we stayed focused on learning." — TechVantage SOC Director
Real-Time Documentation and Tracking
Documentation during purple team exercises serves multiple purposes: real-time situational awareness, post-exercise analysis, and remediation tracking.
Documentation Framework:
Document Type | Content | Owner | Update Frequency |
|---|---|---|---|
Attack Log | Techniques executed<br>Timestamps<br>Indicators of compromise<br>System modifications | Red Team | Real-time (per attack) |
Detection Log | Alerts generated<br>Detection source<br>Investigation findings<br>Success/failure assessment | Blue Team | Real-time (per scenario) |
Gap Register | Capability gaps identified<br>Root cause analysis<br>Proposed improvements<br>Priority ranking | Facilitator | End of each scenario |
Quick Win Tracker | Immediate improvements implemented<br>Validation results<br>Before/after metrics | Blue Team | Real-time (per implementation) |
Lessons Learned | Key insights<br>Surprising findings<br>Process improvements<br>Training needs | Facilitator | End of each day |
Executive Dashboard | High-level metrics<br>Critical gaps<br>Resource requirements<br>Business impact | Facilitator | Daily summary |
At TechVantage, we used a shared Confluence space with live documentation:
Live Documentation Example:
SCENARIO 7: KERBEROASTING (T1558.003)
Execution Time: 10:23 AM - 10:51 AM
MITRE Tactic: Credential Access
This granular documentation enabled post-exercise reporting and remediation tracking.
Handling Unexpected Discoveries
Purple team exercises often uncover security gaps beyond the planned scenarios. The facilitator must balance exploring unexpected findings with maintaining exercise focus.
Decision Framework for Unplanned Discoveries:
Discovery Type | Response | Rationale |
|---|---|---|
Critical Vulnerability | Immediate pause, emergency remediation | Business risk trumps exercise schedule |
Active Compromise Indicators | Pause, launch incident response | Real threat requires real response |
Interesting Technique Variation | Quick exploration (15 min), add to parking lot | Maintains learning opportunity without derailing |
Tangential Security Issue | Document for later, continue exercise | Prevents scope creep |
Process Improvement Opportunity | Note for debrief, continue | Keeps exercise on track |
At TechVantage, we encountered an unplanned discovery on Day 2:
Unexpected Finding: Unmanaged Cloud Resources
While executing lateral movement scenarios, the red team discovered an Azure subscription that wasn't in the asset inventory—a shadow IT project from the marketing department with production customer data. No logging, no monitoring, no security controls.
Our Response:
Immediately notified CISO (10:14 AM)
Paused exercise for emergency assessment (10:15 AM - 11:30 AM)
IT security assessed scope and risk
Marketing VP notified and systems locked down
Resumed exercise with modified scope including the discovered subscription
This discovery resulted in an emergency security project ($85,000, 3-week timeline) to assess and secure all cloud resources. It also became a powerful case study demonstrating purple teaming's value beyond planned scenarios.
Phase 3: Common Attack Scenarios and Defensive Patterns
Through hundreds of purple team exercises, I've identified recurring attack patterns and corresponding defensive strategies that provide maximum learning value.
Initial Access Scenarios
Initial access techniques are the most critical to detect—stopping attacks at this stage prevents all downstream compromise.
Phishing Attack Simulation (T1566)
Attack Variation | Red Team Execution | Blue Team Detection Strategy | Common Gaps |
|---|---|---|---|
Malicious Attachment | Send email with macro-enabled document<br>Payload executes on open | Email gateway inspection<br>Sandbox detonation<br>User reporting | Users disable macros protection<br>Sandbox evasion techniques<br>Low user reporting rates |
Credential Harvesting Link | Send email with fake login portal<br>Harvest credentials submitted | Email link analysis<br>Web proxy blocking<br>URL reputation | Newly-registered domains bypass reputation<br>Cloud services abused (trusted domains)<br>No visibility into credential entry |
Drive-by Download | Email links to compromised website<br>Exploit kit delivers malware | Network IDS/IPS<br>Endpoint protection<br>Browser isolation | Zero-day exploits<br>Encrypted traffic<br>BYOD devices |
TechVantage Phishing Scenario Results:
Scenario | Initial Detection Rate | Post-Exercise Rate | Key Improvements |
|---|---|---|---|
Macro-enabled document | 40% (email gateway) | 95% (gateway + EDR) | Added EDR rule for Office spawning PowerShell |
Credential harvesting | 15% (user reporting) | 85% (proxy + awareness) | Implemented real-time URL analysis in proxy |
Drive-by download | 60% (IPS signature) | 90% (IPS + behavioral) | Added behavioral detection for unusual downloads |
Validated Account Compromise (T1078)
Even more insidious than phishing—attackers using legitimate stolen credentials:
Compromise Method | Detection Challenge | Purple Team Learning |
|---|---|---|
Password Spraying | Low-and-slow attempts blend with normal failures | Establish failed login baselines, correlate across users |
Credential Stuffing | Breached credentials from other sites | Impossible login detection (geography/device), password policy |
MFA Fatigue | User approves repeated MFA prompts | User training, MFA alert fatigue monitoring |
At TechVantage, the validated account scenarios revealed their most significant gap: no correlation of authentication events across systems. A compromised account could authenticate to VPN, email, Azure, and file shares without triggering any alerts because each system logged independently.
Quick Win Implemented: SIEM correlation rule aggregating all authentication events by username, alerting on:
First-time country logins
Impossible travel (two locations <1 hour apart)
Off-hours access for normally daytime users
High-privilege account weekend use
This single rule increased detection of account compromise from 8% to 76% by exercise end.
Privilege Escalation Scenarios
Once attackers have initial access, they escalate privileges to gain deeper control.
Kerberoasting Scenario (T1558.003) - Detailed Walkthrough
This was TechVantage's most impactful learning scenario, so I'll share detailed execution:
Attack Chain:
Red team compromised low-privilege user account (simulated phishing)
Enumerated domain for service principal names (SPNs)
Requested Kerberos service tickets for accounts with SPNs
Captured TGS-REP messages containing encrypted service account credentials
Offline cracking of weak service account password (simulated, actually identified weak password)
Authenticated as service account with domain admin privileges
Initial Blue Team Performance:
Detection: 0%
Mean Time to Detect: Never (would not have detected without exercise)
Root Cause: No monitoring of Kerberos authentication patterns, service accounts using weak passwords
Purple Team Collaboration: After attack execution, red team walked blue team through each step, sharing:
Specific PowerShell commands used
Log entries generated (4769 events)
Network traffic patterns
Service account identified
Immediate Improvements Implemented:
Visibility Enhancement:
Domain Controller security logs added to SIEM (previously not forwarded)
Cost: $0 (configuration change only)
Time: 12 minutes
Detection Rule Creation:
SIEM rule for unusual volume of TGS requests from single source
Threshold: >10 requests in 1 minute (based on baseline analysis)
Cost: $0
Time: 18 minutes
Behavioral Monitoring:
Added monitoring for service account authentication from workstations (normally only from servers)
Cost: $0
Time: 8 minutes
Validation: Red team re-executed exact same attack. Blue team detected within 30 seconds, investigated, and identified the attack as Kerberoasting within 4 minutes—compared to never detecting it initially.
Long-Term Improvements Identified:
Service account password rotation policy (90-day, 25+ characters)
Migration to Group Managed Service Accounts (gMSAs)
Honeypot service accounts with intentionally detectable SPNs
Budget: $45,000 for gMSA migration project
Timeline: 90 days
This single scenario produced measurable improvement in <1 hour and generated a strategic security project.
Lateral Movement Scenarios
Lateral movement is where many attacks succeed or fail—can defenders detect adversaries spreading through the network?
East-West Traffic Monitoring Scenarios
TechVantage had a classic vulnerability: strong north-south security controls (perimeter firewalls, IDS/IPS at internet boundary) but almost no east-west monitoring (internal network traffic between systems).
Lateral Movement Technique | Initial Detection | Post-Exercise Detection | Key Learning |
|---|---|---|---|
RDP (T1021.001) | 12% | 88% | Added SIEM rule for RDP from workstations to workstations (legitimate admin uses jump servers) |
SMB File Shares (T1021.002) | 5% | 72% | Enabled SMB logging, created baseline of normal file access patterns |
Pass-the-Hash (T1550.002) | 0% | 65% | EDR configured to alert on NTLM authentication (should use Kerberos), monitoring for unusual process access to credential stores |
PSExec/WMI (T1047, T1569.002) | 8% | 81% | Monitored for remote service creation, suspicious WMI consumer creation |
The pattern was consistent: TechVantage's perimeter controls were strong, but once attackers gained initial access, lateral movement was essentially undetectable. Purple teaming exposed this gap and provided specific remediation steps.
"We spent millions on perimeter security and almost nothing on internal network monitoring. The purple team exercise showed us that modern threats bypass the perimeter—we needed to defend differently." — TechVantage CIO
Persistence and Command & Control
Attackers establish persistence to maintain access and command-and-control to orchestrate activities.
Advanced Persistence Mechanisms:
Technique | Red Team Method | Blue Team Success Rate | Critical Detection Control |
|---|---|---|---|
Scheduled Tasks (T1053.005) | Create task for payload execution | 45% → 89% | Windows Event 4698 (scheduled task created), SIEM correlation with process execution |
Registry Run Keys (T1547.001) | Add payload to Run key | 34% → 78% | Registry monitoring for HKLM\Software\Microsoft\Windows\CurrentVersion\Run modifications |
Service Creation (T1543.003) | Install malicious service | 67% → 93% | Service creation monitoring (Event 7045), binary signing validation |
WMI Event Subscription (T1546.003) | WMI persistence | 0% → 52% | WMI monitoring (difficult to implement, required specialized tooling) |
C2 Channel Detection:
TechVantage's egress monitoring was also weak. Red team established command-and-control through multiple channels:
DNS Tunneling: Detected 0% → 45% (added DNS query volume monitoring)
HTTPS to Cloud Services: Detected 12% → 68% (application-layer inspection, cloud access patterns)
Legitimate Remote Management Tools: Detected 0% → 71% (TeamViewer, AnyDesk usage tracking)
The purple team exercise revealed that TechVantage's security architecture assumed attacks would be obvious and noisy. Modern attacks are subtle and blend with legitimate traffic—requiring behavioral analytics rather than signature-based detection.
Phase 4: Measuring Success and Generating Actionable Output
Purple team exercises must produce concrete, measurable outcomes—not just "we learned a lot."
Quantitative Metrics
I track specific metrics throughout exercises to demonstrate improvement:
Core Purple Team Metrics:
Metric | Calculation | TechVantage Baseline | TechVantage Final | Industry Benchmark |
|---|---|---|---|---|
Detection Rate | (Detected scenarios ÷ Total scenarios) × 100 | 11% (3/28) | 75% (21/28) | 60-80% (mature SOC) |
Mean Time to Detect (MTTD) | Average time from attack start to first alert | N/A (rarely detected) | 8.4 minutes | <15 minutes (mature SOC) |
Mean Time to Investigate (MTTI) | Average time from alert to investigation complete | 47 minutes | 18 minutes | 15-30 minutes (mature SOC) |
False Positive Rate | (False positives ÷ Total alerts) × 100 | 68% | 34% | <20% (well-tuned) |
Alert Quality Score | (Actionable alerts ÷ Total alerts) × 100 | 32% | 66% | >70% (well-tuned) |
Coverage Percentage | (Monitored attack techniques ÷ MITRE ATT&CK) × 100 | 23% | 64% | 70-85% (comprehensive) |
These metrics provided objective evidence of improvement and identified remaining gaps.
Before/After Comparison - TechVantage Financial:
Capability Area | Before Purple Team | After Purple Team | % Improvement |
|---|---|---|---|
Initial Access Detection | 2/6 scenarios (33%) | 5/6 scenarios (83%) | +150% |
Privilege Escalation Detection | 0/5 scenarios (0%) | 4/5 scenarios (80%) | +∞ |
Lateral Movement Detection | 1/8 scenarios (13%) | 6/8 scenarios (75%) | +477% |
Persistence Detection | 0/4 scenarios (0%) | 3/4 scenarios (75%) | +∞ |
C2 Detection | 0/5 scenarios (0%) | 3/5 scenarios (60%) | +∞ |
Qualitative Outcomes
Numbers tell part of the story, but qualitative outcomes matter equally:
SOC Capability Improvements:
Area | Specific Improvements | Impact |
|---|---|---|
Analyst Skills | Hands-on experience investigating sophisticated attacks<br>Understanding of attacker TTPs<br>Confidence in analysis | Junior analysts gained investigation skills equivalent to 6-12 months of real-world experience |
Playbook Refinement | Updated incident response procedures based on exercise learnings<br>Added specific detection→investigation→response workflows | Response time improved 61% in subsequent real incidents |
Tool Understanding | Learned capabilities and limitations of existing tools<br>Identified tool optimization opportunities<br>Justified new tool procurement | Optimized existing tool investment before purchasing new solutions |
Team Dynamics | Broke down red/blue adversarial relationship<br>Built collaborative security culture<br>Improved cross-team communication | Created "security champions" network across IT and security teams |
Organizational Improvements:
Executive Understanding: CISO could articulate specific security gaps and required investments (previous reports were too technical)
Budget Justification: $1.2M security enhancement budget approved based on exercise findings
Compliance Evidence: SOC 2 auditor accepted purple team documentation as control testing evidence
Strategic Direction: Shifted security strategy from perimeter-focused to assume-breach model
"The purple team exercise was the most valuable security investment we made in five years. We didn't just find gaps—we fixed them in real-time and built lasting defensive capability." — TechVantage Financial CISO
Improvement Prioritization Framework
Purple team exercises typically identify 30-100 potential improvements. Not all can be implemented immediately, so prioritization is critical.
I use this prioritization matrix:
Improvement Priority Scoring:
Factor | Weight | Scoring (1-5 scale) |
|---|---|---|
Impact | 40% | 5=Blocks critical attack path<br>4=Significantly impairs attacker<br>3=Moderate defensive value<br>2=Minor improvement<br>1=Negligible effect |
Effort | 30% | 5=Can implement in <1 hour<br>4=Can implement in <1 day<br>3=Can implement in <1 week<br>2=Requires 1-4 weeks<br>1=Requires >1 month |
Cost | 20% | 5=Free (configuration only)<br>4=<$5K<br>3=$5K-$25K<br>2=$25K-$100K<br>1=>$100K |
Sustainability | 10% | 5=No ongoing maintenance<br>4=Minimal maintenance<br>3=Moderate maintenance<br>2=Significant maintenance<br>1=Unsustainable burden |
Priority Score = (Impact × 0.4) + (Effort × 0.3) + (Cost × 0.2) + (Sustainability × 0.1)
TechVantage Top 10 Improvements (by priority score):
Rank | Improvement | Impact | Effort | Cost | Priority Score | Status |
|---|---|---|---|---|---|---|
1 | Enable LSASS protection in EDR | 5 | 5 | 5 | 5.0 | ✓ Completed Day 1 |
2 | Forward DC logs to SIEM | 5 | 5 | 5 | 5.0 | ✓ Completed Day 1 |
3 | Alert on NTLM auth (should use Kerberos) | 5 | 5 | 5 | 5.0 | ✓ Completed Day 1 |
4 | Monitor RDP from workstation→workstation | 5 | 5 | 5 | 5.0 | ✓ Completed Day 2 |
5 | Implement impossible travel detection | 5 | 4 | 5 | 4.8 | ✓ Completed Day 3 |
6 | PowerShell logging + suspicious keyword alerts | 5 | 4 | 5 | 4.8 | ✓ Completed Day 2 |
7 | Service account password policy enforcement | 5 | 3 | 5 | 4.5 | ✓ Completed Week 2 |
8 | Deploy deception technology (honeypots) | 4 | 3 | 4 | 3.8 | ○ In progress (Month 2) |
9 | Implement microsegmentation for critical systems | 5 | 2 | 3 | 3.7 | ○ Planned (Month 3-4) |
10 | Migrate to gMSAs for service accounts | 5 | 1 | 4 | 3.5 | ○ Planned (Month 4-6) |
This prioritization ensured quick wins were implemented immediately while complex improvements were scheduled appropriately.
Post-Exercise Reporting
The final deliverable from a purple team exercise should be actionable, executive-friendly, and provide clear guidance for improvement.
Report Structure:
Section | Audience | Content | Length |
|---|---|---|---|
Executive Summary | C-suite, Board | Business risk context, key findings, investment recommendations | 2-3 pages |
Metrics Dashboard | CISO, Security Leadership | Detection rates, MTTD/MTTI, coverage analysis, improvement tracking | 1 page |
Scenario Results | SOC Manager, Technical Teams | Detailed findings per scenario, gaps identified, improvements implemented | 15-25 pages |
Remediation Roadmap | CISO, IT Leadership | Prioritized improvement list, effort/cost estimates, timeline | 3-5 pages |
MITRE ATT&CK Mapping | SOC Analysts, Threat Intel | Coverage heatmap, detection capability by technique | 2-3 pages |
Compliance Mapping | Compliance Team, Auditors | How findings relate to framework requirements (SOC 2, ISO 27001, etc.) | 2-3 pages |
Technical Appendix | SOC Analysts, Engineers | Detailed logs, indicators, detection rules, investigation procedures | 20-40 pages |
TechVantage's final report was 47 pages with these highlights:
Executive Summary Opening:
EXECUTIVE SUMMARY
This executive framing connected technical findings to business outcomes—critical for securing implementation budget.
Phase 5: Compliance Framework Integration
Purple team exercises provide valuable evidence for multiple compliance frameworks. Smart organizations leverage this work to satisfy requirements across multiple standards simultaneously.
Purple Teaming and Major Frameworks
Framework | Relevant Requirements | Purple Team Evidence | Audit Value |
|---|---|---|---|
NIST CSF | DE.CM-1: Network monitored<br>DE.CM-4: Malicious code detected<br>DE.DP-4: Event detection communicated<br>RS.AN-1: Notifications investigated | Detection capability testing<br>Alert analysis and tuning<br>Communication protocols<br>Investigation procedures | Demonstrates detection capability validation |
ISO 27001 | A.12.6.1: Technical vulnerability management<br>A.16.1.5: Response to security incidents<br>A.16.1.7: Collection of evidence<br>A.17.1.3: Verify business continuity | Attack surface assessment<br>Incident response testing<br>Forensic evidence collection<br>Scenario testing | Provides evidence of control effectiveness testing |
SOC 2 | CC7.2: System monitored<br>CC7.3: Anomalies evaluated<br>CC7.4: Incidents responded to<br>CC7.5: Incidents communicated | Detection rule validation<br>Investigation procedures<br>Response playbook testing<br>Communication protocols | Satisfies control testing requirements for security monitoring |
PCI DSS | Req 10: Log and monitor<br>Req 11: Security testing<br>Req 12.10: Incident response | Log monitoring effectiveness<br>Penetration testing alternative<br>IR plan testing | Provides evidence of security testing and incident response validation |
HIPAA | 164.308(a)(1)(ii)(A): Risk analysis<br>164.308(a)(6): Security incident procedures<br>164.312(b): Audit controls | Risk assessment of technical vulnerabilities<br>Incident procedures testing<br>Audit log effectiveness | Demonstrates ongoing security assessment |
FedRAMP | CA-8: Penetration testing<br>IR-3: Incident response testing<br>SI-4: Information system monitoring | Alternative to traditional pen testing<br>IR procedure validation<br>Monitoring effectiveness | Provides continuous assessment evidence |
Building Compliance-Friendly Documentation
Auditors want specific evidence that controls are operating effectively. I structure purple team documentation to directly address audit requirements.
SOC 2 Example - Control CC7.3 (Anomalies Evaluated):
CONTROL TESTING EVIDENCE: CC7.3 - Detected Anomalies Evaluated
This documentation format directly answered auditor questions and was accepted as control testing evidence for TechVantage's SOC 2 audit.
Continuous Compliance Through Purple Teaming
Rather than treating purple team exercises as point-in-time assessments, I recommend integrating them into ongoing compliance programs:
Purple Team Exercise Schedule Aligned with Compliance:
Exercise Timing | Focus | Compliance Benefit |
|---|---|---|
Q1 (January) | Initial access and credential attacks | Generate fresh evidence for annual audits |
Q2 (April) | Lateral movement and privilege escalation | Validate control improvements from Q1 findings |
Q3 (July) | Data exfiltration and ransomware | Address high-risk scenarios before Q4 financial close |
Q4 (October) | Comprehensive threat actor simulation | Full-scope testing before year-end audit season |
This quarterly cadence provided TechVantage with continuous compliance evidence while maintaining defensive capability through regular testing.
Phase 6: Building a Sustainable Purple Team Program
One-time purple team exercises provide value, but sustained programs drive long-term security improvement. Here's how to build lasting capability.
Internal vs. External Purple Team Resources
Organizations face a fundamental choice: build internal purple team capability or engage external providers.
Resource Model Comparison:
Model | Pros | Cons | Best For | Typical Cost |
|---|---|---|---|---|
Fully External | Deep expertise<br>Fresh perspective<br>No staff overhead<br>Flexible engagement | High per-engagement cost<br>Limited availability<br>Less organization context<br>Knowledge transfer challenges | Small/medium orgs<br>Immature security programs<br>Quarterly/annual exercises | $85K-$200K per exercise |
Hybrid (Facilitated) | External facilitation + objectivity<br>Internal team skill building<br>Lower cost than full external<br>Better knowledge retention | Requires capable internal staff<br>Still has external costs<br>Scheduling complexity | Medium/large orgs<br>Developing programs<br>Monthly/quarterly exercises | $35K-$80K per exercise + internal time |
Fully Internal | Lowest ongoing cost<br>Deep org knowledge<br>Flexible scheduling<br>Continuous testing | Requires significant investment<br>Groupthink risk<br>Lacks fresh perspective<br>Staff overhead | Large enterprises<br>Mature programs<br>Weekly/continuous exercises | $450K-$900K annual (3-5 FTEs) |
TechVantage's Journey:
Year 1: Fully external purple team exercises quarterly ($125K per exercise, $500K annually)
Year 2: Hybrid model—hired internal red team engineer ($180K), external facilitation quarterly ($45K per exercise, $360K annually including salary)
Year 3: Primarily internal with annual external validation ($220K annually—primarily salaries, $65K external review)
This progression built sustainable capability while managing costs.
Skill Development for Purple Team Personnel
Both red and blue team members need specific skills for effective purple teaming. These differ from traditional penetration testing or SOC operations.
Red Team Skills for Purple Teaming:
Skill Area | Traditional Red Team | Purple Team Additions | Development Method |
|---|---|---|---|
Technical Skills | Exploit development, evasion, covert operations | Indicator documentation, defensive control awareness, teaching ability | SANS SEC660, Offensive Security OSEP, mentoring junior analysts |
Communication | Report writing, executive briefings | Real-time technical explanation, patience with junior defenders, constructive feedback | Facilitation training, teaching experience, purple team observation |
Methodology | Objective achievement, stealth, persistence | Collaborative mindset, scenario-based testing, validation discipline | Purple team apprenticeship, facilitator shadowing |
Blue Team Skills for Purple Teaming:
Skill Area | Traditional SOC | Purple Team Additions | Development Method |
|---|---|---|---|
Technical Skills | Alert triage, log analysis, incident response | Attack technique knowledge, detection engineering, rapid rule development | SANS SEC555, ATT&CK training, capture-the-flag events |
Communication | Ticket documentation, escalation | Real-time collaboration with attackers, technical questions formulation | Cross-training with red team, tabletop exercises |
Methodology | Reactive investigation | Proactive gap identification, hypothesis-driven detection, metrics focus | Detection engineering courses, purple team participation |
TechVantage invested $85,000 annually in purple team training:
SANS SEC660 (Advanced Penetration Testing) for red team: $8,500
SANS SEC555 (SIEM with Tactical Analytics) for blue team: $8,500 × 3 analysts
MITRE ATT&CK Defender training: $2,500 × 6 analysts
Purple team facilitation training (external): $12,000
Internal knowledge sharing (weekly sessions): ~$25,000 (time costs)
This investment built capability that reduced external consulting needs over time.
Technology Enablement
While purple teaming is fundamentally about people and process, technology can enhance efficiency and scale.
Purple Team Technology Stack:
Category | Tools | Purpose | Cost Range |
|---|---|---|---|
Attack Simulation | Atomic Red Team, Caldera, Infection Monkey, Prelude Operator | Automate attack execution, consistent scenario reproduction | Free - $75K annually |
Detection Engineering | Sigma rules, Elastic Detection Rules, Splunk Security Content | Standardize detection rule development and sharing | Free - $25K annually |
Documentation | Confluence, Notion, Security documentation platforms | Structured knowledge capture, playbook management | $3K - $15K annually |
Communication | Slack, Teams, Dedicated collaboration platforms | Real-time team coordination, rapid feedback loops | $0 - $8K annually |
Metrics/Tracking | Custom dashboards, GRC platforms, Purple team platforms | Improvement tracking, executive reporting, trend analysis | $0 - $45K annually |
MITRE ATT&CK | ATT&CK Navigator, Detection coverage tools | Technique mapping, coverage visualization | Free |
TechVantage's technology evolution:
Year 1: Minimal tooling—manual attack execution, Confluence documentation, basic Slack coordination ($8K)
Year 2: Added Atomic Red Team for scenario consistency, Sigma rules for detection standardization, custom dashboard for metrics ($32K)
Year 3: Deployed Prelude Operator for automated continuous testing, integrated with SIEM for automated validation ($68K)
This gradual technology adoption supported scale from quarterly manual exercises to continuous automated validation.
Maturity Model Progression
Purple team programs evolve through predictable maturity stages:
Maturity Level | Characteristics | Typical Timeline | Capabilities |
|---|---|---|---|
1 - Initial | First purple team exercise<br>External facilitation<br>Basic scenarios<br>Manual execution | Starting point | 15-20 scenarios<br>Detection rate 40-60%<br>Basic improvements |
2 - Developing | Quarterly exercises<br>Some internal capability<br>Scenario variety increasing<br>Documented methodology | 6-12 months | 25-30 scenarios<br>Detection rate 60-75%<br>Systematic improvement tracking |
3 - Defined | Monthly exercises<br>Internal facilitation<br>Comprehensive scenarios<br>Automated elements | 12-24 months | 30-40 scenarios<br>Detection rate 75-85%<br>Metrics-driven program |
4 - Managed | Continuous testing<br>Internal execution<br>Threat-intel driven<br>Automated validation | 24-36 months | 50+ scenarios<br>Detection rate 85-92%<br>Predictive analytics |
5 - Optimized | Fully automated<br>Self-improving<br>Industry-leading<br>Innovation-focused | 36+ months | 100+ scenarios<br>Detection rate 92-97%<br>Machine learning integration |
TechVantage's progression:
Month 0 (First exercise): Level 1
Month 12 (Four quarterly exercises): Level 2
Month 24 (Monthly exercises, internal capability): Level 3
Month 30 (Current state): Level 3-4 transition
Setting realistic maturity expectations prevents disillusionment and maintains momentum.
Real-World Success Stories: Purple Teaming in Action
Beyond TechVantage Financial, I've facilitated purple team programs across industries. Here are three additional success stories demonstrating different contexts:
Healthcare System: Regional Medical Network
Organization Profile:
8 hospitals, 45 clinics across 3 states
12,000 employees, $2.8B annual revenue
Legacy IT infrastructure, limited security maturity
Recent ransomware near-miss (detected by luck, not capability)
Purple Team Challenge: Demonstrate security improvement to board after scary incident, build SOC capability from near-zero baseline, address compliance requirements (HIPAA, SOC 2)
Program Design:
Three 2-day exercises over 6 months (18 scenarios total)
Focus: Ransomware kill chain, credential attacks, data exfiltration
Investment: $240,000 (external facilitation + internal time)
Results:
Detection rate: 7% → 68%
Mean time to detect: Never/rarely → 14 minutes average
Specific improvements implemented: 52
Major investments justified: $1.8M infrastructure modernization
Compliance: SOC 2 audit findings reduced from 14 to 3
Key Learning: Healthcare's challenge was foundational gaps—missing logging, limited visibility, under-resourced SOC. Purple teaming revealed specific, prioritized improvements rather than overwhelming the team with generic recommendations.
Manufacturing Company: Industrial Equipment Manufacturer
Organization Profile:
Global operations, 23 manufacturing facilities
Mix of IT and OT networks
8,500 employees, $4.2B annual revenue
Strong perimeter security, weak internal monitoring
Purple Team Challenge: Validate security controls after major IT modernization project, test OT/IT boundary security, prepare for sophisticated nation-state threats
Program Design:
Two 4-day exercises annually (35 scenarios per exercise)
Focus: Supply chain compromise, OT network access, intellectual property theft
Investment: $380,000 annually (hybrid model)
Results:
Discovered critical OT network exposure (unpatched systems, default credentials)
Detection rate: 42% → 79%
Prevented estimated $12M loss from OT compromise scenario
Built internal red team capability (3 FTEs hired)
Supply chain security program launched ($2.4M, 18 months)
Key Learning: Manufacturing environments have unique challenges—OT systems can't be updated easily, production downtime is expensive, and threat actors are increasingly targeting industrial environments. Purple teaming adapted scenarios to these constraints.
Financial Services: Investment Management Firm
Organization Profile:
Assets under management: $180B
2,200 employees across 15 offices
Highly mature security program (already had red team)
Regulatory pressure (SEC, FINRA, state regulators)
Purple Team Challenge: Move beyond traditional red team "gotcha" exercises, build continuous improvement culture, demonstrate control effectiveness for regulators
Program Design:
Monthly 1-day exercises (12-15 scenarios per exercise)
Focus: Trading platform protection, insider threats, sophisticated financial fraud
Investment: $520,000 annually (internal team + quarterly external validation)
Results:
Detection rate improved from already-strong 78% → 94%
False positive rate reduced 68% → 21%
Regulatory exam findings: Zero for 3 consecutive years
Threat intelligence integration formalized
Industry leadership (presented at SIFMA conference)
Key Learning: Even mature security programs benefit from purple teaming. The focus shifts from basic detection to optimization—reducing false positives, improving investigation efficiency, and demonstrating measurable control effectiveness for regulatory purposes.
Common Pitfalls and How to Avoid Them
Through hundreds of purple team engagements, I've seen recurring mistakes that undermine exercises. Here's how to avoid them:
Pitfall 1: Reverting to Red vs. Blue Dynamics
The Problem: Teams fall back into adversarial relationships. Red team tries to "win" by maximizing compromises. Blue team becomes defensive about failures. Collaboration breaks down.
Warning Signs:
Red team celebrating compromises rather than teaching
Blue team making excuses instead of learning
Facilitator acting as referee rather than educator
Post-exercise blame rather than improvement focus
Prevention:
Establish shared success criteria (improvement, not domination)
Facilitator actively intervenes when adversarial behavior emerges
Frame failures as learning opportunities, not judgments
Celebrate improvements, not compromises
TechVantage Example: Day 1, hour 3—blue team leader became defensive when red team compromised his "secure" network segment. I called a break, reframed the finding as identifying a critical gap nobody knew existed, and shifted focus to "how do we detect this next time?" Tension dissolved, collaboration resumed.
Pitfall 2: Unrealistic Scope or Scenarios
The Problem: Testing unrealistic attacks that don't match threat model, or testing so many scenarios that nothing gets adequate attention.
Warning Signs:
Scenarios requiring nation-state resources for financially-motivated threats
Zero-day exploits when off-the-shelf tools would succeed
50+ scenarios in a 2-day exercise (impossible to do justice to any)
Attacks that would never happen in your environment
Prevention:
Threat model drives scenario selection
Scenarios match adversary sophistication to your value as a target
Quality over quantity—better to deeply explore 15 scenarios than superficially touch 40
Reality check: "Would real attackers do this?"
Pitfall 3: Failure to Document and Track
The Problem: Insights are lost because documentation is inadequate or improvements aren't tracked.
Warning Signs:
Verbal discussions without written capture
"We'll remember what we need to do" (spoiler: you won't)
No ownership assigned to improvements
No follow-up on whether improvements were implemented
Prevention:
Dedicated documentation role (often the facilitator)
Real-time capture in shared system
Improvement tracking with owners, deadlines, validation
Post-exercise follow-up reviews (30/60/90 days)
Pitfall 4: Neglecting the Blue Team Experience
The Problem: Purple team exercises become red team demonstrations with blue team as audience rather than active participants.
Warning Signs:
Blue team members checking phones/laptops instead of engaging
Red team talking 80% of the time
Blue team says "just tell us what to fix" instead of investigating
Analysts leave feeling demoralized rather than empowered
Prevention:
Blue team investigates before red team reveals details
Balance explanation with discovery
Celebrate blue team successes enthusiastically
Coach analysts through investigation process
Frame gaps as opportunities, not failures
Pitfall 5: No Post-Exercise Follow-Through
The Problem: Exercise produces great findings, nothing gets implemented, next exercise finds same gaps.
Warning Signs:
Improvement backlog with no progress after 60 days
Same vulnerabilities found in subsequent exercises
"We're too busy for improvements" mentality
Metrics show no improvement over time
Prevention:
Executive sponsorship for implementation
Resource allocation for improvements (time, budget, personnel)
Regular improvement tracking and reporting
Next exercise validates previous improvements
Tie bonuses/performance to improvement completion
The Path Forward: Implementing Your Purple Team Program
You've absorbed a comprehensive guide to purple teaming. Now what? Here's your implementation roadmap.
Months 1-2: Foundation and Planning
Week 1-2: Assessment and Buy-In
Assess current red/blue team capability
Evaluate security maturity and baseline detection rate
Build business case for purple teaming
Secure executive sponsorship and budget
Investment: $15K-$35K (assessment and business case development)
Week 3-4: Threat Modeling and Scope Definition
Conduct threat modeling for your environment
Identify relevant attack scenarios
Define exercise scope and rules of engagement
Select exercise facilitator (internal or external)
Investment: $10K-$25K
Week 5-8: Logistics and Preparation
Schedule exercise dates
Assemble teams (red, blue, facilitator)
Prepare attack infrastructure
Validate blue team monitoring capabilities
Conduct team orientation and methodology training
Investment: $20K-$45K
Months 3-4: First Exercise Execution
Week 9-11: Initial Purple Team Exercise
Execute 15-25 scenarios over 2-3 days
Real-time collaboration and improvement
Document findings and quick wins
Daily executive briefings
Investment: $85K-$150K (external facilitation) or $25K-$50K (internal time if capability exists)
Week 12-16: Remediation and Follow-Up
Implement prioritized improvements
Validate fixes through re-testing
Update documentation and playbooks
Conduct lessons learned review
Investment: $40K-$120K (improvement implementation)
Months 5-12: Program Establishment
Quarters 2-4: Quarterly Exercise Cadence
Conduct exercise every 3 months
Progressive scenario complexity
Measure improvement over time
Build internal capability through repetition
Investment: $250K-$450K annually (3 additional exercises plus improvements)
Year 2+: Program Maturity
Ongoing Evolution:
Increase frequency (quarterly → monthly → continuous)
Transition from external to internal facilitation
Add automation and tooling
Integrate with threat intelligence
Achieve measurable security improvement
Investment: $300K-$600K annually (depending on maturity level)
Expected ROI
Based on industry data and my engagement history:
Investment | Timeline | Expected Outcomes | ROI Calculation |
|---|---|---|---|
$500K Year 1 | 12 months | Detection rate +200-400%<br>MTTD reduction 60-80%<br>40-60 improvements implemented | Prevented incident cost: $3.2M average<br>ROI: 540% |
$400K Year 2 | 24 months | Detection rate +100-200% additional<br>Sustainable internal capability<br>Compliance evidence | Prevented incident cost: $2.1M average<br>Ongoing ROI: 425% |
$350K Year 3+ | Ongoing | Continuous optimization<br>Industry-leading capability<br>Reduced insurance premiums | Prevented incident cost: $1.8M average<br>Insurance savings: $180K<br>Ongoing ROI: 565% |
These ROI figures are conservative—they don't account for reputation protection, customer trust, competitive advantage, or regulatory penalty avoidance.
Conclusion: Collaborative Defense is the Future
As I reflect on 15+ years in cybersecurity, the shift from adversarial to collaborative security testing represents one of the most significant evolutions in our field. The traditional model—red teams trying to embarrass blue teams, blue teams resenting red teams, and organizations paying for expensive demonstrations of compromise—was fundamentally broken.
Purple teaming fixed it. By aligning incentives around improvement rather than domination, by sharing knowledge in real-time rather than post-mortem, and by focusing on capability building rather than capability demonstration, purple team exercises transform security testing from a judgment into an investment.
I think back to that first contentious meeting at TechVantage Financial—the red team leader's victory lap, the blue team director's frustration, the CISO's realization that $340,000 had purchased resentment rather than improvement. The transformation over the following 24 months was remarkable. Quarterly purple team exercises built defensive capability that paid dividends every single day. The same blue team director who wanted to flip the table became an advocate for collaborative testing. Detection rates improved 7x. Real incidents were contained in minutes rather than days.
That's the promise of purple teaming—not just finding gaps, but fixing them. Not just demonstrating compromise, but building resilience. Not just testing defenses, but improving them.
Your Purple Team Journey Starts Now
The threat landscape will continue evolving. Adversaries will get more sophisticated. Attack techniques will become more subtle. But one truth remains constant: organizations that continuously test and improve their defenses will fare better than those that don't.
Purple teaming provides the methodology, the structure, and the culture to make continuous defensive improvement not just possible but practical. Whether you're a small organization conducting your first purple team exercise or a large enterprise building a mature program, the principles I've shared in this guide will serve you well.
The question isn't whether purple teaming works—hundreds of successful programs prove it does. The question is whether you'll invest in it before or after your next major security incident.
Don't wait for your 2:47 AM phone call. Don't wait for the catastrophic breach that could have been prevented. Don't wait for the red team engagement that demoralizes your blue team without improving your security.
Start your purple team journey today. Build collaborative defensive capability. Transform security testing from a source of conflict into a driver of improvement.
Your organization's security posture—and your defenders' morale—will thank you.
Ready to launch your purple team program? Have questions about collaborative defensive testing? Visit PentesterWorld where we facilitate purple team exercises that build lasting defensive capability. Our team of experienced practitioners has guided organizations from adversarial security testing to collaborative excellence. We've seen what works, what doesn't, and how to navigate the cultural and technical challenges of purple teaming. Let's build your defensive capability together.