Unlike Red Team exercises, which focus on penetrating a single, high-value attack path, Purple Team exercises take a more comprehensive approach, addressing a broader range of threats with a collaborative and efficient strategy.
Our Purple Team exercises are designed to maximise value and enhance your overall security operations. We offer two distinct methodologies tailored to your specific needs, always threat-driven, based on real-world scenarios, and aligned with the MITRE framework. We go beyond traditional IoC-based intelligence to provide deeper insights and actionable results, delivering far more than just a report.
Our Purple Team engagements are delivered by our best Offensive Security staff, who built years of experience working as Red Teamers and now focus on research. Purple Teaming is the essence of our research.
We define the entire exercise together during a technical kick-off covering planning, communication, selection of the curated TTPs, and setup of the testing environment.
The core execution phase is about running the selected playbooks. The curated list comes from the CTI (Cyber Threat Intelligence) selection.
Average time: 2 weeks
To maximise value, we debrief with the SOC, replay attacks where necessary, discuss detectability and visibility, gather feedback, and review identity issues.
We provide an extensive report, which may include an executive summary.
The write-up is not limited to a paper report: we also share detection rules in a git repository.
This is the program definition phase, where together we define the program and its objectives, and plan upfront both the baseline simulation and the continuous model.
At the beginning of the program we run an initial Purple Team exercise, a big "drop". This is the moment to rate current detection capabilities and perform an AD (identity) sanity check.
The core phase of the program, where our hybrid model (human, AI and automation) helps execute the playbooks produced by our offensive research in the simulation environment.
Status and progress reports are delivered periodically, mostly targeted at executives and management.
Access to a client portal allows monitoring of the program at all times.
For Red and Purple Teams, we provide real-time updates on a portal, allowing clients and the White Team leader to track the simulation's progress. In Red Team exercises, the White Team Leader (WTL, the client) knows what to expect next, while in Purple Team exercises we continuously report on TTP and playbook execution.
Our clients asked for more than just a report: they wanted to be actively involved in improving operations and detection, and in remediating missed attacks. We decided to trial a new concept, merging Threat Intelligence (to prioritise efforts on what is really relevant for the business), Attack Simulation (leveraging modern automation by code alongside manual human execution), and Detection Engineering (to rate the visibility of missed attacks and immediately produce detection code to inject into the SIEM/SOAR platform).