Purple Team - Definition & Explanation

Purple Teaming is the synergistic combination of Red Team (attack) and Blue Team (defense). Instead of conducting separate exercises, both teams work together: the attacker demonstrates a technique, the defender checks whether they can detect it—and if not, both work together to improve detection.

Red Team vs. Blue Team vs. Purple Team

Red Team:

Simulates real attackers
Goal: remain undetected, achieve objectives
Result: "We penetrated without being detected"
Problem: Blue Team doesn’t know why they missed it

Blue Team:

Defends the environment
Responds to incidents
Problem: never sees how attackers actually operate

Purple Team:

Red + Blue work together
Red executes the technique → Blue tests detection
If not detected: create detection rules together
Iterate until coverage is complete
Result: "For technique T1059.001, we now have 3 detection rules"

Purple Team Exercise - Procedure

Preparation

MITRE ATT&CK Framework as a basis
Threat model: Which APT groups are relevant? (“We are in the financial sector → APT28, Lazarus Group”)
Scope: Which ATT&CK techniques are we testing today? (e.g., Credential Access: T1003, T1110, T1558)

Execution (iterative for each technique)

Red Team: Announce the technique (no surprise effect!) - "We are now performing Kerberoasting (T1558.003)"
Red Team: Execute the technique

GetUserSPNs.py -request firma.de/analyst:Password123

Blue Team: Check logs immediately - "Did we see this in our SIEM?"
If missed: Analyze together - "What should have been detectable?" / "Event ID 4769 with RC4 encryption - why no rule?"
Create detection rule - "Alert if: EventID=4769 AND TicketEncryptionType=0x17"
Test rule: Red Team repeats technique - "Alert now?" → Yes: next technique

Measure ATT&CK coverage

MITRE ATT&CK Navigator

Visualizes which techniques can be detected
Green: Detection available
Yellow: Partial detection
Red: No detection

Before Purple Team Exercise

Many red fields (no coverage)
Especially T1059 (Command & Scripting), T1003 (Credential Dumping), and T1486 (Ransomware Encryption) are often uncovered

After Purple Team Exercise

Coverage has measurably increased
Each red area has been prioritized
Detection gaps documented + roadmap for closure

Reporting to Management

> "We tested 15 ATT&CK techniques today. 10 were detected, 5 were improved. Remaining gap: T1190 (Exploit Public-Facing Application) → Requires NGFW-IPS update (planned for Q2 2026)"

Purple Teaming with MITRE CALDERA

# CALDERA - Open Source Adversary Emulation Platform
# Execute MITRE ATT&amp;CK technique and verify detection

# Start CALDERA
git clone https://github.com/mitre/caldera.git
cd caldera
pip3 install -r requirements.txt
python3 server.py --insecure

# In the browser: http://localhost:8888
# Admin/admin

# Operations:
# 1. Select an Ability (technique) from the ATT&amp;CK library;
# 2. Compile an Adversary (attack profile)
# 3. Start operation → Agent executes technique
# 4. Check logs in SIEM

# Popular Abilities:
# T1059.001: PowerShell Execution (Test: What is logged?)
# T1003.001: LSASS Memory Dump (Test: EDR Alert?)
# T1071.001: HTTP C2 Beaconing (Test: NDR Detection?)

# Atomic Red Team (alternative):
# Invoke-AtomicTest T1059.001 -TestNumbers 1

Purple Team vs. Penetration Testing

Criterion	Penetration Testing	Purple Team
Goal	Find vulnerabilities	Improve detection & response
Result	List of findings + recommendations	Improved SIEM rules, playbooks
Perspective	Attacker’s perspective	Joint (Red + Blue)
Output	“These vulnerabilities exist”	“These techniques are now detected”

When to use which method?

Penetration testing: First: Identify and fix vulnerabilities
Purple Team: Next: Systematically improve detection coverage
Red Team Exercise: Real-world attack test (following the Purple Team phase)

For which companies?

Approach	Target audience
Penetration testing	All (minimum requirement)
Purple Team	Companies with their own SOC team
Red Team	Enterprises with a mature security program