Offensive Security Glossary

Red Team / Blue Team / Purple Team

Red Team: The attacker team simulates realistic cyberattacks. Blue Team: The defender team detects and responds. Purple Team: Both teams collaborate to maximize learning outcomes.

Red Team and Blue Team are two opposing perspectives in cybersecurity—the attackers and the defenders. Their collaboration makes companies more resilient against real-world attacks.

Red Team

The Red Team adopts the attacker’s perspective and simulates realistic cyberattacks against an organization—with the goal of identifying vulnerabilities in processes, people, and technology that a real threat actor would exploit.

Difference from a traditional penetration test:

  • Pentest: Technically focused, defined scope, often white-box
  • Red Team: Holistic (people, processes, technology), realistic attacker scenario, often black-box, longer timeframe

Typical Red Team Activities:

  • Phishing campaigns targeting employees
  • Physical intrusion attempts (tailgating, lockpicking)
  • Exploitation of technical vulnerabilities
  • Social engineering against IT support and helpdesk
  • Lateral movement within the network after initial access
  • Data exfiltration as "proof of concept"

Tools: Cobalt Strike, Metasploit, Impacket, BloodHound, Evilginx2

Blue Team

The Blue Team is responsible for defense: detection, response, and improvement of the security posture.

Blue Team Tasks:

  • Security Operations Center (SOC) - 24/7 monitoring
  • Incident Response - responding to detected incidents
  • Threat Hunting - proactive search for attackers
  • Security Engineering - hardening of systems
  • Vulnerability Management - vulnerability scanning and remediation

Tools: SIEM (Splunk, Microsoft Sentinel), EDR (CrowdStrike, Defender), Threat Intelligence Feeds, SOAR

Purple Team

The Purple Team is not a third group, but rather the structured collaboration between Red and Blue:

  1. The Red Team executes an attack and documents every technique (MITRE ATT&CK mapping)
  2. Blue Team attempts to detect the attack
  3. Joint analysis: What was detected? What wasn’t? Why?
  4. Improvement of detection rules and response processes
  5. Iteration until the attack technique is reliably detected
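Steps 3 to 5 of this loop are bookkeeping that is easy to get wrong by hand, so here is an added example (not code from the original glossary entry) of a small Python purple-team tracker. It reconciles a Red Team activity log (one entry per executed ATT&CK technique) against the Blue Team's alerts and the detection-rule inventory, and for every technique answers the step-3 questions: detected (with latency), missed although a rule claims coverage (tuning needed), or missed because no rule exists (new rule needed). Running it over a second round shows the iteration of step 5. All technique IDs, rule names, hosts and timestamps are constructed sample data, not results from a real exercise.

```python
"""Purple-team coverage tracker: reconcile Red Team actions with Blue Team alerts
per ATT&CK technique and explain every gap. Sample data below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class RedAction:
    """One technique executed by the Red Team (step 1: documented with its ATT&CK ID)."""
    technique: str
    name: str
    host: str
    executed_at: datetime


@dataclass
class BlueAlert:
    """One alert raised by the Blue Team's detection stack (step 2)."""
    technique: str
    rule: str
    host: str
    raised_at: datetime


@dataclass
class TechniqueResult:
    technique: str
    name: str
    status: str                      # "detected" | "rule_missed" | "no_rule"
    latency: Optional[timedelta] = None
    rules: list = field(default_factory=list)


T0 = datetime(2024, 1, 15, 9, 0)   # constructed exercise start time

# Constructed Red Team log: four techniques on two hosts.
ACTIONS = [
    RedAction("T1566.001", "Spearphishing Attachment", "WS-01", T0),
    RedAction("T1059.001", "PowerShell", "WS-01", T0 + timedelta(minutes=5)),
    RedAction("T1003.001", "LSASS Memory", "WS-01", T0 + timedelta(minutes=20)),
    RedAction("T1021.002", "SMB/Windows Admin Shares", "SRV-02", T0 + timedelta(minutes=40)),
]

# Round 1: which rules claim to cover which technique, and which alerts actually fired.
RULES_ROUND1 = {
    "T1566.001": ["mail-gw-malicious-attachment"],
    "T1059.001": ["ps-encoded-command"],
    "T1021.002": ["admin-share-lateral-movement"],
}
ALERTS_ROUND1 = [
    BlueAlert("T1059.001", "ps-encoded-command", "WS-01", T0 + timedelta(minutes=7)),
    BlueAlert("T1021.002", "admin-share-lateral-movement", "SRV-02", T0 + timedelta(minutes=41)),
]

# Round 2 (step 5, iteration): an LSASS access rule was added after round 1 and fires.
RULES_ROUND2 = dict(RULES_ROUND1, **{"T1003.001": ["lsass-handle-access-sysmon-10"]})
ALERTS_ROUND2 = ALERTS_ROUND1 + [
    BlueAlert("T1003.001", "lsass-handle-access-sysmon-10", "WS-01", T0 + timedelta(minutes=21)),
]


def evaluate(actions, alerts, rule_inventory):
    """Step 3: for each executed technique decide whether it was detected and,
    if not, why: no rule claims coverage, or a rule exists but did not fire."""
    results = []
    for act in actions:
        # An alert counts only for the same technique and host, raised after execution.
        hits = [a for a in alerts
                if a.technique == act.technique and a.host == act.host
                and a.raised_at >= act.executed_at]
        claimed = rule_inventory.get(act.technique, [])
        if hits:
            first = min(hits, key=lambda a: a.raised_at)
            results.append(TechniqueResult(act.technique, act.name, "detected",
                                           first.raised_at - act.executed_at, [first.rule]))
        elif claimed:
            results.append(TechniqueResult(act.technique, act.name, "rule_missed", None, claimed))
        else:
            results.append(TechniqueResult(act.technique, act.name, "no_rule"))
    return results


def coverage(results):
    """Fraction of executed techniques that produced at least one alert."""
    if not results:
        return 0.0
    return sum(r.status == "detected" for r in results) / len(results)


def gaps(results):
    """Step 4 input: techniques needing a new rule or tuning, with the reason."""
    return [(r.technique, r.status, r.rules) for r in results if r.status != "detected"]


def run_round(alerts, rules):
    """Evaluate one exercise round against the constructed ACTIONS log."""
    results = evaluate(ACTIONS, alerts, rules)
    return {"coverage": coverage(results), "gaps": gaps(results), "results": results}


if __name__ == "__main__":
    for label, alerts, rules in (("round 1", ALERTS_ROUND1, RULES_ROUND1),
                                 ("round 2", ALERTS_ROUND2, RULES_ROUND2)):
        r = run_round(alerts, rules)
        print(f"{label}: coverage {r['coverage']:.0%}")
        for res in r["results"]:
            lat = f" ({res.latency.total_seconds() / 60:.0f} min)" if res.latency else ""
            print(f"  {res.technique} {res.name}: {res.status}{lat} {res.rules}")
```

In round 1 the tracker reports 50% coverage with two gaps of different kinds: the phishing technique has a gateway rule that never fired (tuning work), while LSASS access has no rule at all (engineering work). Round 2 closes the second gap and raises coverage to 75%; the loop continues until the phishing rule fires reliably too. Matching on host and on alert time after execution keeps unrelated or pre-existing alerts from being counted as detections.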

Benefits: Maximum learning effect—Red and Blue Teams work together instead of against each other. Direct transfer of attack know-how into improved defense capabilities.

TIBER-EU

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is a European framework for red team testing at financial institutions—developed by the ECB and coordinated by national central banks. Mandatory for certain DORA-regulated companies.

The BSI offers similar frameworks for critical infrastructure.

Red team exercises require written authorization with a clearly defined scope. Without authorization, red team activities are punishable by law (Section 202a et seq. of the German Criminal Code [StGB] on computer fraud; trespassing in the case of physical tests).