Having the Red Team and the Blue Team working in silos limits the effectiveness of your cybersecurity program. Collaboration between attackers and defenders is essential to stay ahead of threat actors.

Defenders cannot rely only on cybersecurity tools and theory. It is essential to understand the tactics and techniques threat actors use to evade controls. Thinking like an attacker is fundamental for the blue team to avoid blind spots during incident response. The worst nightmare for a defender is discovering a persistent threat after believing that all malicious artifacts were eradicated.
Attackers also need to know how defenders react to anomalies, suspicious behaviors, or potential indicators of compromise. While common and non-sophisticated techniques are still heavily used, most of them will be mitigated effectively by the security tools and controls already implemented. Hence, attackers need to understand how the “enemy” defends to consider a more sophisticated strategy to evade controls.
The “Attackers vs Defenders” competitions have been heavily promoted over the last few years, especially during worldwide cybersecurity events. These activities attract a lot of attention; they look nice and fancy, but they are not necessarily realistic. During a cybersecurity attack, organizations will activate response protocols and will be hyper-vigilant for any minor suspicious behavior if they know there is an ongoing attack. But most attacks are conducted silently, and threat actors will attempt not to generate noise so the guardians don’t “wake up.” Here the scenario is different: it is not necessarily a face-to-face battle. This is why purple teams play a key role in enabling cross-knowledge transfer between defenders and attackers.
Many companies hire and train Red Team members to assess the security controls in place, spot security gaps, and implement corrections to prevent security incidents. This is a good and effective approach to assess potential vulnerabilities and the likelihood of exploitation, and it provides useful information to define priorities for patching vulnerable assets. The scope of this assessment not only includes vulnerabilities but also compensating controls in place that can reduce the risk of compromise while remediation is implemented. In essence, Red Teams are essential to provide practical enrichment to intelligence and vulnerability reports.
These existing responsibilities of red teamers are generally fine, but an organization’s overall security strategy can be significantly improved by implementing purple team exercises. The concept is simple: the purple team combines the red and blue teams during specific efforts. While I’ve heard people say they work permanently as purple team security analysts, I prefer combining a specialized attacker and a specialized defender during a defined timeframe rather than having somebody with “good enough” skills in both, though that’s just my opinion.
There are countless reasons why you should do purple team exercises, and here I would like to share three with which I have proven experience of success:
Purple Teams for Detection Engineering Efforts
An official detection engineering role in organizations is becoming more common. Before, this role was embedded into the SOC responsibilities, and I won’t get into my objections to doing that (at least not in this post), but let me just say that it is good to have people focused on making sure that security events are ingested and correlated to generate security alerts for the SOC to triage and investigate. When I had the opportunity to build the detection engineering runbook myself, the basic flow started by ingesting threat intelligence reports and ended by releasing use cases into the SOC. There was a gap there!
Weeks or months later, while I was working on a root cause analysis of a security incident, we noticed that a few techniques executed by the threat actor did not generate an alert (we were lucky enough to catch him in time!). Deeper analysis revealed that the attacker had introduced minor variants of the attack, different from how the detection engineers had conceived it. We took this root cause analysis and replicated the attack path followed by the threat actor. The Red Team member replicated the attack and implemented a few variants while our detection engineers were watching, and we could finally spot gaps, adjust thresholds, and add variables to the logic of the detection. This information was also useful for providing insights to some of our security tool vendors so they could learn as well.
Another practical scenario is conducting purple team exercises where both the Red Team and the Detection Engineering team consume the same intelligence feed, build the attack and the detection strategy, implement the detection logic, and launch the attack. Thumbs up if the alerts trigger; otherwise, that’s a good chance to check the logs and the detection logic to understand what happened. If the alerts do trigger, the Red Teamers can assess possible variants during the exercise to try to bypass the alert—that’s brilliant.
Believe me, it is better to test and find gaps during purple team exercises than to find out during a real attack that the alerts did not trigger.
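As an added illustration of the loop described above (launch the attack, check whether the rule fires, try variants, tighten the logic), here is a small Python example that is not from the original post: the events, binary names, flag spellings and both rules are constructed assumptions, not real telemetry or a production detection.

```python
"""Purple-team detection check: the rule as first conceived vs. the rule after the exercise."""
import re

# Constructed process-creation events (not real telemetry). Event 0 is the baseline
# the detection engineer wrote the rule against; events 1-3 are the kind of minor
# variants a red teamer tries during the exercise; event 4 is benign and must not fire.
EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand PLACEHOLDER"},      # baseline
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "PowerShell.EXE -encodedcommand PLACEHOLDER"},      # re-cased
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -enc PLACEHOLDER"},          # abbreviated flag
    {"image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh -ec PLACEHOLDER"},                            # different binary
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},                          # benign
]


def brittle_rule(ev):
    """Rule as first conceived: exact flag spelling and the one binary name seen in the report."""
    return ev["cmdline"].startswith("powershell.exe") and "-EncodedCommand" in ev["cmdline"]


# Case-insensitive match for the full flag or its abbreviated spellings (assumed set).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+\S+")


def hardened_rule(ev):
    """Rule after the exercise: keyed on the image file name instead of the command-line
    prefix, case-insensitive, and accepting the abbreviated flag spellings."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    return image in {"powershell.exe", "pwsh.exe"} and bool(ENCODED_FLAG.search(ev["cmdline"]))


def run_exercise(rule, events=EVENTS):
    """The 'did the alert trigger?' step: return the indices of events the rule flagged."""
    return [i for i, ev in enumerate(events) if rule(ev)]


if __name__ == "__main__":
    print("brittle rule fired on:", run_exercise(brittle_rule))
    print("hardened rule fired on:", run_exercise(hardened_rule))
```

Running both rules over the same event set makes the gap visible: the variants the red teamer introduces pass the first rule untouched, and the hardened rule closes them without firing on the benign event.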
Purple Teams for Playbooks Validation
This is where things get more interesting.
In a similar experiment, after we had assessed the logic designed by the detection engineering team for specific techniques, it was time to test the next part of the process: the SOC. In a very interesting scenario, we found that our SOC analysts did not understand what story the alert was telling or how to investigate it once it showed up in the queue. Of course, you don’t expect your SOC analysts to be the most experienced and skilled people, since the SOC itself is an entry-level position, but the exercise will help you learn whether documentation is available for alert handling, and also to make sure that the security alerts triggered have the proper priority and description and come with the basic information the analysts need for a quick triage. The last thing you want is an alert that gets closed because it lacks the information the analyst needs to handle it, leading them to make the wrong decision.
During a purple team exercise that includes your Security Operations Center analysts, the red team can launch the attack simulation and make sure that the security tools create an alert. Once the alert is in the queue, you can confirm that the SOC analysts have enough information to proceed, or ask your detection engineers on the same call to perform additional correlation or embed additional fields and telemetry into the alert.
Purple Team for Use Case Understanding
Cybercriminals evolve as fast as the technology itself. Every day, we learn about new tactics and techniques that threat actors are utilizing to get a foothold on a company’s network. It is not always script kiddies trying to find an easy-to-exploit vulnerability. Targeted attacks can be more sophisticated, and threat actors will attempt to learn your existing architecture to find holes in your defense. Attackers can use many available resources, information, and playbooks to launch the attack once they identify a victim. It is difficult for the defenders to keep pace.
Purple team exercises between the Red Team and the incident response team can be extraordinary: they can show the incident response team how a more sophisticated attack is conducted, and how the attacker can attempt to disguise activity and avoid detection, or implant persistence mechanisms that could go unnoticed. In some cases, an incident that everybody believed was 100% remediated comes back for a sequel. These scenarios can be an eye-opener for an incident response team, but also for the Red Team, who gain deeper knowledge of the security tools and of how the blue team would normally respond to the attacker, so they can redefine their strategy and make these exercises more interesting.
Cybersecurity is not static; it is becoming more dynamic than ever due to financially motivated actors, geopolitical conflicts, and rapidly evolving regulations that are adding more restrictions and liability for protecting sensitive data. Whether for better or worse, all of these factors contribute to the rapid pace at which cybersecurity evolves and how attackers behave. As a result, having a purple teaming practice as part of your cybersecurity strategy is not just a nice-to-have—it is quickly becoming a necessary practice. As with any new process or procedure, it can be difficult at the beginning, but once it is established, the cadence can increase, and the benefits will become evident.