Introduction to Purple Teaming Fundamentals

Introduction to Purple Teaming Fundamentals

Table of Contents

What is Purple Teaming?

📖 Definitions

What is a Purple Team?

A Purple Team is a collaboration of various information security skill sets:

  • Cyber Threat Intelligence - Research and provide adversary tactics, techniques, and procedures (TTPs)
  • Red Team - Offensive team in charge of emulating adversaries and TTPs.
  • Blue Team - The defenders. This may include but is not limited to Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Providers (MSSP).
  • 📖
    Tactics, techniques, and procedures (TTPs) describe the behavior of an actor. Tactics are high-level descriptions of behavior, techniques are detailed descriptions of behavior in the context of a tactic, and procedures are even lower-level, highly detailed descriptions in the context of a technique. TTPs could describe an actor’s tendency to use a specific malware variant, order of operations, attack tool, delivery mechanism (e.g., phishing or watering hole attack), or exploit.

    Via NIST SP 800-150 Guide to Cyber Threat Information Sharing

    As a Purple Team is a collaborative effort between various information security skill sets, it may be applied in a variety of ways. Red Teaming and Purple Teaming both tend to fall under Adversary Emulation, which is when security experts emulate how an adversary or threat actor operates. The goal is to improve how resilient the organization is versus specific adversary techniques.

    RED TEAM ⚔️
    Involves the emulation of a realistic threat actor using TTPs.
    Involves the emulation of a realistic threat actor using TTPs.
    The typical interaction with the blue team is extremely limited.
    In a purple team, red and blue members maximize information sharing and collaboration.
    The goal of the red team is to assess how well the blue team prevents, identifies, detects, and contains a threat actor.
    The goal of the purple is to improve how the blue team prevents, identifies, detects, and contains a threat actor.


    Identify and exploit vulnerabilities on a (series of) system(s) to assess security.
    Assess how resilient an organization is versus a certain adversary.
    Focused on a specific scope (typically an application or network range).
    Focused on the execution of a scenario (typically defined by a number of flags).
    Primarily tests prevention, typically less focus on detection.
    Typically tests both prevention & detection (so is less valuable if there is no blue team).


🎮 Types of Purple Teaming

As a Purple Team is a collaborative effort between various information security skill sets, it may be applied in a variety of ways. Organizations new to Purple Teaming will start with an ad-hoc Purple Team Exercise to foster collaboration between the various teams in a single exercise. As the value of Purple Teaming becomes apparent, more exercises are planned and scheduled.

Eventually, organizations operationalize the Purple Team function to collaborate as new intelligence or TTPs are discovered. Some organizations build dedicated a Purple Team while others keep them separate and use Purple Teaming as a functional, virtual team. Regardless of the model used, the Purple Team can be measured and improved following the Purple Team Maturity Model (PTMM).

Automated Adversary Emulation


Manual Adversary Emulation


🎯 Goals & Objectives

Purple Team Exercises are triggered by the need to test, measure, and improve people, process and technology. Information security professionals from various teams (Blue Team, CTI, and Red Team) will learn and practice their dedicated functions while improving process, and technology. The end goal is increasing resilience to current threats by detecting and responding to attacks before impact. Purple Team Exercises will have specific goals which drive the planning process depending on the maturity level of the organization and current objectives. Purple Team Exercises may have one or more of these goals:

  • Foster a collaborative culture within the security organization
  • Test attack chains against a target organization
  • Train the organization’s defenders (Blue Team)
  • Test TTPs that have not been tested before in the organization
  • Test the processes between security teams
  • Preparation for a zero-knowledge Red Team Engagement
  • Red Team reveal or replay after a zero-knowledge Red Team Engagement


♟ Purple Team Exercise

A Purple Team Exercise is a full-knowledge information security assessment where attendees collaborate to attack, detect, and respond.

Attack activity is generated, exposed, explained by the Red Team and shown to the Blue Team attendees as it occurs, while Blue Team also show how they detect and respond. If an attack is missed, the blue team would need to identify the gap in their alerting tools. In order for purple teaming to succeed, the testing methodology must be robust and cover the techniques commonly used by adversaries.

Purple Team Exercises are "hands-on keyboard" exercises where all attendees work together with an open discussion about each attack technique and defense expectation to test, measure, and improve people, process, and technology in real-time. Purple Team Exercises are Cyber Threat Intelligence led, emulations of Tactics, Techniques, and Procedures (TTPs) to identify and remediate gaps in the organization’s security posture.

At a high level, a Purple Team Exercise is executed with the following flow:


💪 Purple Team Maturity Model

Regardless of the implementation, a purple team program can be measured and matured following the Purple Team Maturity Model (PTMM). The maturity model looks at purple team activities as a unified effort with two key areas of expertise: Threat Understanding and Detection Understanding. Within each area of expertise, there are three levels for teams to measure their maturity by: Deployment, Integration, and Creation. Utilizing this model, purple team programs can chart a strategic map around how to build internal capability for purple team activities.

The Pyramid of Pain


Want to move towards a DevSecOps model for Purple Team work? Consider shifting left with tooling like Leonidas. Leonidas a framework for executing attacker actions in the cloud. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties.

Want to get serious about Purple Team exercises?

Read the Purple Team Exercise Framework (PTEF) by SCYTHE.

⚙️ Purple Teaming Tools

CALDERA is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response. It is built on the MITRE ATT&CK™ framework and is an active research project at MITRE. The framework consists of two components: The core system. This is the framework code, consisting of what is available in this repository. Included is an asynchronous command-and-control (C2) server with a REST API and a web interface. Plugins. These repositories expand the core framework capabilities and providing additional functionality. Examples include agents, reporting, collections of TTPs and more.

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios. Each scenario is composed of AWS resources arranged together to create a structured learning experience. Some scenarios are easy, some are hard, and many offer multiple paths to victory. As the attacker, it is your mission to explore the environment, identify vulnerabilities, and exploit your way to the scenario's goal(s).

Stratus Red Team is "Atomic Red Team™" for the cloud, allowing to emulate offensive attack techniques in a granular and self-contained manner.

Leonidas, a framework for executing attacker actions in the cloud. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties. These definitions can then be compiled into:

These scripts can be used as proof-of-concept to generate several Amazon GuardDuty findings. guardduty-tester.template uses AWS CloudFormation to create an isolated environment with a bastion host, an ECS cluster running on an EC2 instance that you can ssh into, and two target EC2 instances. Then you can run that starts interaction between the tester EC2 instance and the target Windows EC2 instance and the target Linux EC2 instance to simulate five types of common attacks that GuardDuty is built to detect and notify you about with generated findings.

Incident Response Playbooks Mapped to MITRE Attack Tactics and Techniques.

Infection Monkey by Guardicore. Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self-propagate across a data center and reports success to a centralized Monkey Island server.

Meerkat is a collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints without requiring a pre-deployed agent. Use cases include incident response triage, threat hunting, baseline monitoring, snapshot comparisons, and more.

Like MetaSploit?

Purple Team ATT&CK Automation is a tool to automatically emulate adversary tactics in order to evaluate detection and response capabilities via MITRE ATT&CK TTPs as Metasploit Framework post modules. As of this release there are automated a little over 100 TTPs as modules.

Metasploit's advantage is its robust library, capability to interact with operating system APIs, and flexible license. In addition, we're able to emulate the features of other tools, such as in-memory .NET execution, via leveraging Metasploit's execute_powershell functionality. This allows Blue Teams to ensure that their tools are alerting on the actual TTP behavior and not execution artifacts (such as encoded PowerShell).

Like BloodHound?

PlumHound is for Blue and Purple teams to more effectively use BloodHoundAD in continual security life-cycles by utilizing the BloodHoundAD pathfinding engine to identify Active Directory security vulnerabilities resulting from business operations, procedures, policies and legacy service operations.

PlumHound operates by wrapping BloodHoundAD's powerhouse graphical Neo4J backend cypher queries into operations-consumable reports. Analyzing the output of PlumHound can steer security teams in identifying and hardening common Active Directory configuration vulnerabilities and oversights.




ATT&CK is largely a knowledge base of adversarial techniques — a breakdown and classification of offensively oriented actions that can be used against particular platforms, such as Windows. Unlike prior work in this area, the focus isn’t on the tools and malware that adversaries use but on how they interact with systems during an operation.

The October 2022 (v12) ATT&CK release updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS. The biggest changes in ATT&CK v12 are the addition of detections to ATT&CK for ICS, and the introduction of Campaigns.
How often is ATT&CK updated?” - Bi-annually.

ATT&CK organizes these techniques into a set of tactics to help explain to provide context for the technique. Each technique includes information that’s relevant to both a red team or penetration tester for understanding the nature of how a technique works and also to a defender for understanding the context surrounding events or artifacts generated by a technique in use.

Tactics represent the “why” of an ATT&CK technique. The tactic is the adversary’s tactical objective for performing an action. Tactics serve as useful contextual categories for individual techniques and cover standard, higher-level notations for things adversaries do during an operation, such as persist, discover information, move laterally, execute files, and exfiltrate data.

Techniques represent “how” an adversary achieves a tactical objective by performing an action. For example, an adversary may dump credentials to gain access to useful credentials within a network that can be used later for lateral movement. Techniques may also represent “what” an adversary gains by performing an action. This is a useful distinction for the Discovery tactic as the techniques highlight what type of information an adversary is after with a particular action. There may be many ways, or techniques, to achieve tactical objectives, so there are multiple techniques in each tactic category.

Another important aspect of ATT&CK is how it integrates cyber threat intelligence (CTI). Unlike previous ways of digesting CTI that were used primarily for indicators, ATT&CK documents adversary group behavior profiles, such as APT29, based on publicly available reporting to show which groups use what techniques.

The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel. We've designed it to be simple and generic - you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques or anything else you want to do. The Navigator doesn't care - it just allows you to manipulate the cells in the matrix (color coding, adding a comment, assigning a numerical value, etc.). We thought having a simple tool that everyone could use to visualize the matrix would help make it easy to use ATT&CK.

The principal feature of the Navigator is the ability for users to define layers - custom views of the ATT&CK knowledge base - e.g. showing just those techniques for a particular platform or highlighting techniques a specific adversary has been known to use. Layers can be created interactively within the Navigator or generated programmatically and then visualized via the Navigator.


#1 Consider all ATT&CK techniques equal Given the size of the ATT&CK matrix, it’s impossible to (a) prevent or (b) detect all techniques. You only have limited resources and should thus prioritize! #2 Misjudge your coverage Most ATT&CK techniques are not “Boolean”. It’s possible that you detect or block certain variations of a technique, but others not. Scoring should thus be fine-grained. #3 Consider ATT&CK as the “holy trinity” ATT&CK is a valuable tool, but it’s not a silver bullet. Recognize that, for some use cases, ATT&CK is not perfect. Furthermore, not everything is documented in ATT&CK.

General Resources:

Did you know there is a MITRE D3FEND framework that aligns to ATT&CK?

⚔️ Example Adversary Emulation Manual