Part III: Running Your Purple Team Event
Continuing from “Part II: The Purple Ascent Framework” and our “Shifting Sands of Resilience” saga, we dive deeper into Purple Teaming by discussing how to run a Purple Team Event…
Purple Teaming in Action
We’ve reached the final chapter. In Part I, we discussed the importance of Purple Teaming and essential elements for success. In Part II, we explored the Purple Ascent Framework, a collaborative approach that fosters proactive cooperation between red and blue teams to enhance security. We discussed how the Purple Ascent Framework offers a structured path for cybersecurity teams to advance through foundational, advanced, and threat actor TTPs by emphasizing defense functions, event types, and focus areas.
Now, in Part III, we put that knowledge into practice. Before you run your event, ensure you’ve addressed the critical components and aspects we discussed in the previous articles. Here we go…
Figure 1: Purple Team Event Phases
Event Planning
This phase lays the groundwork for everything that follows. Just like constructing a building, the stronger your foundation, the more robust the final structure will be. The goal is to ensure that the event provides valuable lessons and actionable improvements to security posture.
Figure 2: Event Planning Steps
Setting Objectives:
The first step is to clearly define what you want to achieve. Are you testing a specific vulnerability or assessing your incident response capabilities? By setting clear objectives, you give your team a target to aim for, ensuring everyone is aligned with the same end goal. Again, this is where the Purple Ascent Framework comes into action.
Defining Scope:
Next, we define the scope. This is where you decide which systems, networks, or assets will and will not be included in the event. Whether it’s a broad scope involving multiple environments or something more focused, having a well-defined scope keeps your exercise organized and manageable.
Assembling the Team:
Once the scope is set, it’s time to assemble the team. Both red and blue teams need to be fully prepared and briefed on their roles. This includes ensuring they understand the scenario and the goals.
Selecting Scenarios:
Now comes the exciting part—selecting scenarios. We recommend leveraging the Purple Ascent Framework for scenario planning to ensure the attack simulations your team designs reflect real-world threats your organization might face. These scenarios are crafted based on industry-specific risks, recent cyberattack trends, and insights from threat intelligence. By creating realistic, targeted scenarios, both red and blue teams can engage in meaningful exercises that test and strengthen the organization’s defenses, detection capabilities, and incident response strategies.
Establishing Success Criteria:
Finally, you need to establish how success will be measured. What does a ‘win’ look like for your organization? Whether it’s minimizing response time or detecting threats more effectively, having clear success criteria helps you quantify the effectiveness of the exercise.
By focusing on these five areas during planning, you’re laying the foundation for a truly effective purple teaming event. The next phase is all about execution but remember—it’s the groundwork here that ensures a smooth, impactful exercise later.
Event Execution
Proper execution is critical for ensuring the collaboration between red and blue teams yields actionable insights. We’ll break down each step, from pre-event planning to post-event reporting, outlining key responsibilities for each team and ensuring that the event drives meaningful improvements in your organization’s security posture.
As you begin, keep in mind the different roles and responsibilities of all three types of players. We will keep this flow for the remainder of the article, highlighting the major functions of each team at each stage. Here’s a high-level reminder:
White Team Coordinates
The white team oversees the engagement, ensuring adherence to the scope and rules of engagement (ROEs). They are responsible for facilitating communication between red and blue teams, monitoring progress, and resolving any conflicts. Throughout the event, the white team should adjust the scenario as needed to maintain engagement objectives and relevance. It is critical that the white team captures detailed notes and observations on the actions taken by both teams throughout the event, to include key moments, decision points, and any deviations from the plan.
Red Team Attacks
The main purpose of the red team is to execute the attack scenarios, launching the planned attacks according to the agreed timeline and methodology. They should adapt tactics as necessary based on the blue team’s responses. Throughout the event they should keep a detailed log of all actions taken, including what worked, what did not work, and any changes made to the original plan.
Blue Team Defends
The blue team is your defender. They will monitor your systems for signs of attack, identify and log any indicators of compromise (IoCs), respond to alerts, and implement defensive measures. This could include blocking IPs, isolating systems, or activating incident response protocols. They should maintain open communication with the white team and provide feedback on detected activities.
Figure 3: Event Execution Steps
Scenario Planning
Before the exercise begins, each team—red, blue, and white—should carefully plan their role. The red team defines how they will attempt to breach the system, while the blue team maps out their defense strategy. The white team oversees the operation and manages the logistics.
White Team
As the facilitators and organizers, the white team ensures that all planning aspects align with the event’s overarching goals. They define the rules of engagement and set the boundaries within which both the red and blue teams must operate. The white team also handles event logistics—scheduling, defining success metrics, and ensuring that the exercise complies with legal, regulatory, and ethical standards. Their role is to balance the engagement so that it challenges the blue team without overwhelming them. The white team also ensures clear communication between red and blue teams while maintaining the integrity of the exercise.
Red Team
The red team is responsible for identifying the offensive tactics, techniques, and procedures (TTPs) that will be used in the event. Their goal is to challenge the blue team’s defenses with realistic attack vectors aligned with the white team’s overall objectives. For example, they may plan to simulate phishing attacks, lateral movement, or exploitation of known vulnerabilities. The red team ensures that these attack paths are relevant to the environment and objectives of the exercise, pushing the defenders to test their detection and response capabilities. They must also consider the constraints set by the white team to avoid crossing boundaries or causing unintended impact.
Blue Team
The blue team uses the planning phase to prepare its defenses. This involves reviewing current security configurations, ensuring that detection systems such as SIEM (Security Information and Event Management) tools, EDR (Endpoint Detection and Response), and firewalls are properly tuned, and ensuring incident response processes are well understood by all members. While the specific attack vectors are kept undisclosed to the blue team, they focus on readiness by hardening their environment and addressing known vulnerabilities, simulating how they would respond to an actual attack. The blue team may also practice coordination internally to refine processes for rapid response.
Team Sync
This is where transparency comes in. Before the scenario kicks off, both teams communicate their plans internally to make sure everyone on their respective teams is on the same page. The goal is to ensure everyone knows the objectives and roles. Clear communication here ensures alignment between the teams.
Figure 4: Example Agenda
Scenario Execution
This is the actual attack-defense simulation. Each side—the red team (offensive) and the blue team (defensive)—takes action based on the scenario objectives. The red team simulates an attack while the blue team defends. Both teams document their steps in real time to ensure nothing is missed. The exercise focuses on documenting what worked, what didn’t, and identifying areas for improvement on both sides.
White Team
During execution, the white team assumes a supervisory role, ensuring the exercise remains on track and within the predefined rules of engagement. They monitor the performance of both the red and blue teams, ensuring data is collected for post-exercise analysis. The white team also steps in if necessary to adjust the scope or timing of the event, such as by introducing unforeseen variables or ensuring neither team is overwhelmed. Their primary role is to ensure objectivity and fairness while facilitating the learning process.
Red Team
The red team initiates the planned attacks, attempting to breach the blue team’s defenses using the tactics identified during the planning phase. Their goal is to simulate real-world threats as accurately as possible, adapting to the defenders’ responses in real-time. For example, the red team might execute a phishing campaign followed by an attempt to escalate privileges once access is gained. The red team documents each step of the attack chain to later provide insights into what was effective and where defenses succeeded or failed.
Blue Team
The blue team works in a reactive capacity, leveraging their tools and incident response strategies to detect and mitigate the attacks launched by the red team. Throughout the execution phase, the blue team’s focus is on identifying malicious activities, responding effectively to contain threats, and minimizing damage. The team relies on its monitoring systems and playbooks to quickly respond, assess the situation, and take action, whether it’s isolating an affected system or tracing the source of the attack.
Scenario Review
Once the scenario concludes, both teams come together in the debrief to discuss findings. This is where we identify major issues (often called “big rocks”) and pinpoint root causes. It’s a no-blame zone where we focus on how both teams can improve. After the debrief, adjustments are made to the purple team strategy. Whether it’s improving the red team’s attack tactics or the blue team’s defenses, the aim is continuous improvement—the backbone of a successful purple team program. At the completion of each scenario, we recommend a review to allow the teams to regroup, assess, and adjust their strategies.
White Team
The white team leads the discussion, ensuring both teams have a chance to share their observations. Based on feedback, the white team can suggest changes to the event plan, timeline, or scenarios. Finally, they should check in on the teams’ energy and focus, addressing any concerns or fatigue that may arise.
Red Team
The red team shares what has been successful so far and discusses any challenges faced. The group can suggest changes to tactics based on what the team has learned.
Blue Team
The blue team reflects on the effectiveness of detection and response efforts so far, identifies any gaps, and discusses potential improvements. They can adjust defensive strategies based on the feedback and observations during the review.
Remember: debrief at the end of every scenario. Refine your plans accordingly. Then continue with the next scenario, including the red team and blue team actions it calls for. Ultimately, the goal of this loop is not just to simulate attacks but to refine defenses and evolve as a team. This is a continuous process where lessons learned are applied, weaknesses are addressed, and defenses become more resilient over time.
Event Reporting
The post-event phase is where the true value of a Purple Team exercise comes to life. In this section, we cover the essential steps of debriefing, conducting a retrospective, and writing a comprehensive report. This is the moment to reflect on what worked, what didn’t, and how both teams can improve. Through careful analysis and documentation, the organization can turn lessons learned into actionable insights, ensuring continuous growth and enhanced security resilience moving forward.
Figure 5: Event Reporting Cycle
Data Collection & Analysis
After the event, the white team will lead the effort to gather all relevant data from the red and blue teams. This includes detailed logs of the attacks performed, detection and response data from the blue team, and any communications or observations noted by the white team. Carefully analyze this data to determine which attacks were detected, how effectively defenses responded, and where gaps may have occurred. The analysis forms the foundation for future improvements.
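The success criteria agreed during planning, the per-step records both teams keep during execution, and the post-event analysis above all meet in one place: correlating the red team’s action log with the blue team’s alert log to see which actions were detected, how quickly, whether they were contained, and where the gaps are. The following script is an added example written for this article, not tooling from the original post or from CYYNC; the log field names, the timestamps, the one-hour correlation window and the pass/fail thresholds are all assumptions, and the sample logs are constructed (the technique IDs are real ATT&CK IDs chosen to match the phishing, privilege escalation and lateral movement steps the article mentions).

```python
"""Score a purple team scenario by correlating red-team actions with
blue-team alerts and checking the result against agreed success criteria.
Added example with constructed sample data; field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class RedAction:
    action_id: str
    technique: str            # ATT&CK technique ID the red team executed
    started: datetime         # when the action was launched (red team log)
    succeeded: bool           # whether the action achieved its objective


@dataclass
class BlueAlert:
    alert_id: str
    technique: str            # technique the analyst attributed the alert to
    raised: datetime          # when the SIEM/EDR alert fired (blue team log)
    responded: Optional[datetime]   # when containment was taken, if at all


@dataclass
class Outcome:
    action_id: str
    technique: str
    detected: bool
    minutes_to_detect: Optional[float]
    minutes_to_respond: Optional[float]


def correlate(actions, alerts, window_minutes=60):
    """Match each red action to the earliest alert on the same technique
    raised inside the window after the action started.  Alerts outside the
    window (e.g. unrelated noise before the action) are ignored."""
    outcomes = []
    for act in actions:
        deadline = act.started + timedelta(minutes=window_minutes)
        hits = sorted((a for a in alerts
                       if a.technique == act.technique
                       and act.started <= a.raised <= deadline),
                      key=lambda a: a.raised)
        if not hits:
            outcomes.append(Outcome(act.action_id, act.technique, False, None, None))
            continue
        first = hits[0]
        ttd = (first.raised - act.started).total_seconds() / 60
        ttr = ((first.responded - act.started).total_seconds() / 60
               if first.responded else None)
        outcomes.append(Outcome(act.action_id, act.technique, True, ttd, ttr))
    return outcomes


def summarize(outcomes):
    """Roll outcomes up into the metrics the debrief and report will use."""
    detected = [o for o in outcomes if o.detected]
    contained = [o for o in detected if o.minutes_to_respond is not None]
    return {
        "actions": len(outcomes),
        "detected": len(detected),
        "detection_rate": len(detected) / len(outcomes) if outcomes else 0.0,
        "mttd_minutes": mean(o.minutes_to_detect for o in detected) if detected else None,
        "mttr_minutes": mean(o.minutes_to_respond for o in contained) if contained else None,
        "gaps": [o.technique for o in outcomes if not o.detected],
        "detected_not_contained": [o.technique for o in detected
                                   if o.minutes_to_respond is None],
    }


def meets_criteria(summary, min_detection_rate=0.75, max_mttd_minutes=30.0):
    """Success criteria fixed during planning (these thresholds are assumed)."""
    return (summary["detection_rate"] >= min_detection_rate
            and summary["mttd_minutes"] is not None
            and summary["mttd_minutes"] <= max_mttd_minutes)


# Constructed sample logs from a fictional scenario day (dates are made up).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ACTIONS = [
    RedAction("R1", "T1566", T0, True),                           # phishing
    RedAction("R2", "T1068", T0 + timedelta(minutes=40), True),   # priv esc
    RedAction("R3", "T1021", T0 + timedelta(minutes=75), True),   # lateral move
    RedAction("R4", "T1003", T0 + timedelta(minutes=110), True),  # cred dump
]
SAMPLE_ALERTS = [
    BlueAlert("A1", "T1566", T0 + timedelta(minutes=12), T0 + timedelta(minutes=30)),
    BlueAlert("A2", "T1021", T0 + timedelta(minutes=87), None),   # seen, not contained
    BlueAlert("A3", "T1566", T0 - timedelta(hours=1), None),      # pre-event noise
    BlueAlert("A4", "T1003", T0 + timedelta(minutes=125), T0 + timedelta(minutes=140)),
]


def run_sample():
    return summarize(correlate(SAMPLE_ACTIONS, SAMPLE_ALERTS))


if __name__ == "__main__":
    s = run_sample()
    print(s)
    print("criteria met:", meets_criteria(s))
```

On the constructed logs the privilege-escalation step is the undetected gap and the lateral-movement step was alerted on but never contained, which is exactly the kind of "big rock" the review and hot wash should surface; the detection rate lands on the assumed threshold, so raising the bar to 90% flips the verdict and makes the point that the criteria must be agreed before the event, not after.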
Conduct Hot Wash
Once the scenario is complete and data is gathered, teams meet to discuss the events and identify improvements. This helps foster a learning attitude and encourages open-mindedness through constructive feedback to build an environment of trust where team members can share openly. Encourage self-assessment and honest evaluations of individual and team performance. Focus on accurately reconstructing the events to identify strengths and areas for improvement.
In our experience, the most successful teams avoid blaming other people or factors outside their control. They take the time to identify the root cause of issues before dedicating resources to corrective actions.
Capture Lessons Learned
Once all the feedback and data have been collected, conduct a more thorough review. Identify the strengths and weaknesses in your detection and response efforts. Focus on areas for improvement, such as refining detection rules, enhancing response protocols, or improving team communication. These lessons should be documented for future reference and incorporated into training and procedures.
Draft Engagement Report
The white team is the lead for compiling the report. To be effective, it must be detailed and well organized, including an executive summary, detailed findings, and an actionable plan. The report should be clear and tailored to the intended audience. Once reviewed by all applicable parties, the white team will distribute the report, sharing it with relevant stakeholders including executives, IT management, and the security team.
The red team provides input on the attack scenarios, tactics used, and the effectiveness of the blue team’s responses. They will assist with any follow-up activities, such as further training, refining attack simulations, or advising on control improvements.
The blue team must carefully review the findings and recommendations while ensuring the action plan addresses all identified gaps. Then they work on implementing the recommended improvements, whether they involve process changes, tool enhancements, or additional training.
Outbrief with Stakeholders
Present the report to key stakeholders, including executives, IT management, and security teams. Use this opportunity to explain the value of the Purple Team exercise, highlight areas for improvement, and outline the steps being taken to enhance overall security. The outbrief should emphasize the business impact of the event and align security recommendations with broader organizational goals.
Continuous Improvement
The final step is to integrate the lessons learned into ongoing security practices. Use the insights gained from the event to refine detection mechanisms, adjust incident response protocols, and improve team collaboration. Regular Purple Team exercises should be part of a continuous feedback loop, with each event building on the successes and challenges of the previous one. This ongoing refinement will strengthen your organization’s security resilience over time.
Conclusion
Executing a purple team event requires meticulous planning, clear communication, and continuous collaboration across the white, red, and blue teams. By assigning specific roles and responsibilities at each stage of the event, you can ensure that your team is aligned, effective, and focused on continuous improvement. This structured approach helps identify security gaps and fosters a culture of learning and collaboration.
This concludes our three-part series on Purple Teaming – the best way for your company to proactively prepare for cybersecurity threats. If you haven’t yet, we highly recommend you check out CYYNC, our collaboration platform built for cyber teams. We would love to provide a product demo and show you how CYYNC can unlock purple teaming for your organization. We’re also happy to help get your program up and running – go ahead and book a discovery session today.
Lastly, if you want to stay up to date on compelling and effective ways for cyber to enable your business to thrive, sign up for our newsletter here.