
Purple Team Exercise Framework

Bridge the Gap Between Offense and Defense

Purple teaming is the collaborative practice of combining red team attack simulation with blue team detection and response — run simultaneously, with shared visibility, to measurably improve an organization's security posture. This framework provides a structured, repeatable methodology for planning, executing, scoring, and reporting purple team engagements aligned to MITRE ATT&CK.


What Is Purple Teaming?

Traditional security testing follows a sequential model: the red team attacks, writes a report, and months later the blue team receives findings. Purple teaming replaces that hand-off with a real-time feedback loop.

| Aspect           | Red Team               | Blue Team        | Purple Team                   |
|------------------|------------------------|------------------|-------------------------------|
| Goal             | Find weaknesses        | Detect & respond | Validate detection coverage   |
| Visibility       | Covert                 | Reactive         | Collaborative                 |
| Feedback         | Post-engagement report | Alert triage     | Real-time, per-technique      |
| ATT&CK alignment | Opportunistic          | Detection-driven | Systematic technique coverage |
| Cadence          | Annual / ad-hoc        | Continuous       | Sprint-based (weekly/monthly) |

Red team operators execute specific ATT&CK techniques in a controlled manner. Each technique is run with a known-good procedure so the team can isolate whether a detection gap is caused by the tool, the telemetry source, or the analytic logic. The red team documents exact commands, timestamps, and host identifiers for post-exercise correlation.

Blue team analysts monitor their tooling stack (SIEM, EDR, NDR, UEBA) for alerts generated by the red team activity. For each exercise, they validate whether an alert fired, how long detection took (the per-exercise time-to-detect, which is aggregated into MTTD across exercises), and whether the alert contained enough context for an analyst to investigate without prior knowledge of the exercise.

The facilitator coordinates timing, ensures safety controls are in place, records pass/fail outcomes per technique, and drives the debrief. The facilitator owns the scoring spreadsheet and publishes the final detection-coverage heat map.


Benefits and ROI

Measurable Outcomes

Organizations that adopt recurring purple team engagements typically observe:

  • Detection coverage increase of 25-40% within two quarters (measured as the share of exercised ATT&CK techniques that produce a validated alert).
  • MTTD reduction of 30-60% for techniques that were previously undetected or had delayed alerts.
  • False-positive tuning: each exercise surfaces noisy rules, reducing analyst fatigue by 15-25%.
  • Cross-team communication: red and blue teams develop shared vocabulary, reducing friction during real incidents.

Cost-Benefit Model

| Investment                                        | Return                                            |
|---------------------------------------------------|---------------------------------------------------|
| 2-4 hours per exercise (2 analysts + 1 operator)  | Validated detection for 1-3 ATT&CK techniques     |
| 1 sprint (10 exercises over 2 weeks)              | ATT&CK heat map with quantified gaps              |
| 4 sprints per year (40 exercises)                 | Full kill-chain coverage assessment + trend data  |

Rule of thumb: a single undetected lateral movement technique in a real breach costs an average of $150K in additional containment effort. Validating that detection with roughly 8 hours of purple team labor is a strong return.


How to Use This Framework

graph LR
    A[Select Exercises] --> B[Pre-Engagement Checklist]
    B --> C[Execute Red Team TTP]
    C --> D[Blue Team Validates Detection]
    D --> E[Score Pass / Partial / Fail]
    E --> F[Debrief & Remediate]
    F --> G[Re-Test Failed Exercises]
    G --> A

Framework Components

| Component           | Description                                                                                                                                                                                        | Link              |
|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------|
| Exercise Library    | 80 exercises across 10+ ATT&CK tactics, with additional scenarios for AI/ML, cloud-native, memory forensics, and advanced identity; each has red/blue actions, scoring criteria, and detection queries | Exercise Library  |
| Scoring Methodology | Pass / Partial / Fail criteria with weighted scoring aligned to technique severity                                                                                                                  | Scoring Section   |
| Velocity Metrics    | Track exercises per day, detection coverage percentage, and MTTD improvement over time                                                                                                             | Metrics Section   |
| Reporting Template  | Structured format for executive summaries, technical findings, and remediation tracking                                                                                                            | Reporting Section |

Quick-Start Guide

Get Your First Purple Team Exercise Done in Under 2 Hours

Follow these five steps to run your first exercise today.

Step 1 — Assemble the Team

You need a minimum of three people:

| Role         | Responsibility                                                      |
|--------------|---------------------------------------------------------------------|
| Red Operator | Executes the attack technique in the lab or controlled environment  |
| Blue Analyst | Monitors SIEM/EDR and validates detection                           |
| Facilitator  | Coordinates timing, records results, drives debrief                 |

Step 2 — Choose an Exercise

Start with a Difficulty 1 (one star) exercise from the library. Recommended first exercises:

  • PT-001 — Spear-Phishing Attachment (Initial Access)
  • PT-009 — PowerShell Command Execution (Execution)
  • PT-035 — Kerberoasting (Credential Access)

These are well-documented techniques with mature detection content available in most SIEM platforms.

Step 3 — Pre-Engagement Checklist

Before executing any technique, confirm:

  • [ ] Scope document signed — target hosts, networks, and time window defined
  • [ ] Safety word established — a code word to immediately halt all red team activity
  • [ ] Rollback plan documented — how to undo any persistence or configuration changes
  • [ ] Stakeholders notified — SOC shift lead, IT operations, and management aware
  • [ ] Logging verified — confirm telemetry sources are ingesting to SIEM for target hosts
  • [ ] Baseline captured — note current alert volume so you can distinguish exercise alerts
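The last two checklist items, "Logging verified" and "Baseline captured", are the ones most often skipped and the ones that most often turn a real analytic gap into a wasted exercise. The script below is an added example of how a facilitator can automate both; it is not part of the framework's own tooling. It assumes the SIEM can answer two questions, the most recent event per (host, log source) and the hourly alert count for the preceding day; both query results are constructed inline here (the hosts, sources, freshness threshold and the 2-sigma rule are all assumptions) so the check runs offline.

```python
# Pre-engagement telemetry and baseline check (added example, not part of
# the framework's own tooling). Assumes a SIEM query that returns the most
# recent event per (host, log source) and hourly alert counts; both query
# results are constructed inline here so the check runs offline.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)          # constructed exercise start

# Constructed "last event seen" table, keyed by (host, source).
LAST_EVENT = {
    ("WS01", "sysmon"):   NOW - timedelta(minutes=3),
    ("WS01", "security"): NOW - timedelta(minutes=2),
    ("WS01", "edr"):      NOW - timedelta(minutes=1),
    ("WS02", "sysmon"):   NOW - timedelta(hours=5),             # stale: forwarder likely stopped
    ("WS02", "security"): NOW - timedelta(minutes=4),
    # WS02 has no "edr" entry at all: the agent never reported in
    ("DC01", "sysmon"):   NOW - timedelta(minutes=2),
    ("DC01", "security"): NOW - timedelta(minutes=1),
    ("DC01", "edr"):      NOW - timedelta(minutes=2),
}

REQUIRED_SOURCES = ("sysmon", "security", "edr")   # assumed minimum per lab host
MAX_AGE = timedelta(minutes=15)                      # assumed freshness threshold


def verify_logging(targets, last_event=LAST_EVENT, now=NOW, max_age=MAX_AGE):
    """Return {host: [problem, ...]} for in-scope hosts with missing or stale
    telemetry. An empty dict means every target host is fit to exercise."""
    problems = {}
    for host in targets:
        for source in REQUIRED_SOURCES:
            seen = last_event.get((host, source))
            if seen is None:
                msg = f"{source}: no events received"
            elif now - seen > max_age:
                msg = f"{source}: last event {now - seen} ago"
            else:
                continue
            problems.setdefault(host, []).append(msg)
    return problems


# Constructed hourly alert counts for the 24 h preceding the exercise window.
BASELINE_ALERTS_PER_HOUR = [4, 3, 5, 2, 4, 6, 3, 4, 5, 4, 3, 4,
                            5, 4, 6, 3, 4, 5, 4, 3, 4, 5, 4, 4]


def alert_baseline(counts):
    """Mean and population standard deviation of the hourly alert volume."""
    m = sum(counts) / len(counts)
    sd = (sum((c - m) ** 2 for c in counts) / len(counts)) ** 0.5
    return m, sd


def exceeds_baseline(observed, counts=BASELINE_ALERTS_PER_HOUR, k=2.0):
    """True when an hour's alert count during the exercise sits above
    mean + k*stddev, i.e. the extra alerts are attributable to the exercise
    rather than to normal noise (k=2 is an assumed threshold)."""
    m, sd = alert_baseline(counts)
    return observed > m + k * sd


if __name__ == "__main__":
    for host, issues in verify_logging(["WS01", "WS02", "DC01"]).items():
        print(host, "->", "; ".join(issues))
    print("baseline mean/sd:", alert_baseline(BASELINE_ALERTS_PER_HOUR))
    print("9 alerts in the exercise hour exceeds baseline:", exceeds_baseline(9))
```

With the constructed data, WS02 is flagged twice (stale Sysmon, no EDR) while WS01 and DC01 pass; an exercise scoped to WS02 should be postponed until the forwarder and agent are fixed, otherwise a Fail on that host would be misattributed to the analytic. The baseline numbers give the facilitator a concrete threshold (here about six alerts per hour) above which alert volume during the window can be attributed to the exercise.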

Step 4 — Execute and Score

  1. Red operator announces the start time and exercise ID.
  2. Red operator executes the technique per the exercise procedure.
  3. Blue analyst has a detection window (typically 15-60 minutes depending on difficulty).
  4. Facilitator records: alert fired (yes/no), alert name, time-to-detect, analyst assessment.
  5. Score the exercise using the scoring methodology.

Step 5 — Debrief and Document

Hold a 15-minute debrief immediately after scoring:

Debrief Questions
  1. Did the expected detection fire? If not, why?
  2. Was the telemetry available in the SIEM? (Log source gap vs. analytic gap)
  3. Was the alert actionable — could an analyst investigate without prior knowledge?
  4. What is the remediation plan for any gaps found?
  5. When will the re-test occur?

Document findings in the reporting template and schedule re-tests for any Fail or Partial results within 30 days.
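Steps 4 and 5 together are a correlation problem: the red operator's log of commands, timestamps and hosts has to be matched against what the SIEM ingested and what it alerted on, and every non-Pass has to be attributed to a log-source gap, an analytic gap, or an alert-context problem before the debrief. The script below is an added example of that correlation and scoring, not the framework's own tooling. The red log, the telemetry and the alert list are constructed inline; the Pass/Partial/Fail rules, the point values and the severity weights are assumptions for illustration (the page does not define them); the ATT&CK IDs are the standard ones for the three recommended first exercises. It also handles one detail the steps above do not spell out: the evidence for a technique does not always land on the host where it was executed (Kerberoasting is run from a workstation, but the TGS request is logged on the domain controller), so each action records where its telemetry is expected.

```python
# Exercise correlation and scoring (added example, not the framework's own
# tooling). Red log, SIEM telemetry and alert list are constructed inline.
# Pass/Partial/Fail rules, point values and severity weights are assumptions
# for illustration; the page does not define them.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


def ts(h, m):                     # constructed exercise-day timestamps
    return datetime(2024, 5, 6, h, m)


@dataclass
class RedAction:
    exercise: str
    technique: str
    tactic: str
    host: str                             # where the operator ran the command
    start: datetime
    evidence_hosts: Tuple[str, ...]       # where telemetry should land (the DC for Kerberoasting)
    weight: int = 1                       # assumed severity weight
    window: timedelta = timedelta(minutes=30)


@dataclass
class Result:
    exercise: str
    technique: str
    tactic: str
    host: str
    outcome: str                          # Pass / Partial / Fail
    ttd: Optional[timedelta]              # time-to-detect, None if nothing fired
    gap: Optional[str]
    weight: int


ACTIONS = [
    RedAction("PT-001", "T1566.001", "Initial Access", "WS01", ts(9, 0), ("WS01",), weight=2),
    RedAction("PT-009", "T1059.001", "Execution", "WS01", ts(9, 30), ("WS01",)),
    RedAction("PT-009", "T1059.001", "Execution", "WS02", ts(10, 0), ("WS02",)),
    RedAction("PT-035", "T1558.003", "Credential Access", "WS02", ts(10, 30), ("DC01",), weight=3),
]

# (host, source, time) raw events that reached the SIEM; WS02 has none in its window.
TELEMETRY = [
    ("WS01", "sysmon", ts(9, 1)), ("WS01", "security", ts(9, 2)),
    ("WS01", "sysmon", ts(9, 31)), ("WS01", "powershell", ts(9, 31)),
    ("DC01", "security", ts(10, 31)),   # TGS request logged on the DC, not on WS02
]

ALERTS = [
    {"host": "WS01", "name": "Office spawned script interpreter", "time": ts(9, 4), "actionable": True},
    {"host": "WS01", "name": "Encoded PowerShell", "time": ts(9, 41), "actionable": False},  # no command line
]


def score_exercise(a: RedAction, telemetry=TELEMETRY, alerts=ALERTS) -> Result:
    """Pass: actionable alert inside the window. Partial: alert fired but the
    analyst could not act on it. Fail: nothing fired; classified as analytic
    gap if raw evidence reached the SIEM, log source gap otherwise."""
    end = a.start + a.window
    hosts = set(a.evidence_hosts) | {a.host}
    hits = sorted((x for x in alerts if x["host"] in hosts and a.start <= x["time"] <= end),
                  key=lambda x: x["time"])
    if hits:
        ttd = hits[0]["time"] - a.start
        if hits[0]["actionable"]:
            return Result(a.exercise, a.technique, a.tactic, a.host, "Pass", ttd, None, a.weight)
        return Result(a.exercise, a.technique, a.tactic, a.host, "Partial", ttd, "alert context", a.weight)
    seen = any(h in hosts and a.start <= t <= end for h, _, t in telemetry)
    gap = "analytic gap" if seen else "log source gap"
    return Result(a.exercise, a.technique, a.tactic, a.host, "Fail", None, gap, a.weight)


def score_all(actions=ACTIONS):
    return [score_exercise(a) for a in actions]


SCORE = {"Pass": 1.0, "Partial": 0.5, "Fail": 0.0}   # assumed point values


def summarize(results):
    """Severity-weighted score, MTTD over detections, and Pass rate per tactic."""
    weighted = sum(SCORE[r.outcome] * r.weight for r in results) / sum(r.weight for r in results)
    ttds = [r.ttd for r in results if r.ttd is not None]
    mttd = sum(ttds, timedelta()) / len(ttds) if ttds else None
    by_tactic = {}
    for r in results:
        by_tactic.setdefault(r.tactic, []).append(r)
    coverage = {t: sum(r.outcome == "Pass" for r in rs) / len(rs) for t, rs in by_tactic.items()}
    return {"weighted_score": weighted, "mttd": mttd, "coverage_by_tactic": coverage}


def heat_map(results):
    """One line per tactic with each technique's outcome initial, for the debrief."""
    rows = {}
    for r in results:
        rows.setdefault(r.tactic, []).append(f"{r.technique}@{r.host}:{r.outcome[0]}")
    return [f"{t:<18} " + " ".join(cells) for t, cells in rows.items()]


if __name__ == "__main__":
    rs = score_all()
    for r in rs:
        print(r.exercise, r.host, r.outcome, r.ttd, r.gap)
    print(summarize(rs))
    print("\n".join(heat_map(rs)))
```

On the constructed data the four runs score Pass, Partial, Fail, Fail: the phishing alert fired in four minutes; the PowerShell alert fired but without the command line, so it is Partial with an "alert context" gap; the second PowerShell run on WS02 produced no telemetry at all and is a log source gap (a forwarder problem, not a detection-engineering problem); and the Kerberoast request did reach the SIEM from DC01 but no rule fired, which is the analytic gap the debrief should hand to the detection engineer. Because the weights favour the credential-access miss, the weighted score (about 0.36) is lower than a raw Pass rate would suggest, which is the point of aligning scoring to severity.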


Maturity Progression

As your program matures, increase complexity:

| Maturity Level         | Exercises / Quarter | Characteristics                                                                                    |
|------------------------|---------------------|----------------------------------------------------------------------------------------------------|
| Level 1 — Ad Hoc       | 5-10                | Single techniques, lab environment, manual scoring                                                 |
| Level 2 — Repeatable   | 15-25               | Chained techniques, staging environment, standardized scoring                                      |
| Level 3 — Defined      | 25-40               | Full kill-chain scenarios, production-adjacent, automated scoring                                  |
| Level 4 — Managed      | 40-50               | Continuous purple team sprints, MTTD trending, executive dashboards                                |
| Level 5 — Optimizing   | 50+                 | Adversary emulation plans, threat-intel-driven exercise selection, ML-assisted gap analysis        |

Prerequisites

Environment Requirements

All exercises in this framework are designed for isolated lab environments or production-adjacent staging with proper authorization. Never execute red team techniques against production systems without written approval, a rollback plan, and stakeholder notification.

Minimum lab setup:

  • Windows Server 2019/2022 with Active Directory (1 DC + 2 workstations)
  • Linux server (Ubuntu 22.04+) for cross-platform exercises
  • SIEM instance (Splunk, Microsoft Sentinel, Elastic) ingesting endpoint and network logs
  • EDR agent deployed on all lab endpoints
  • Network monitoring (Zeek or Suricata) on lab subnet

Tooling (red side; the exercises describe these conceptually and use synthetic payloads only):

  • Atomic Red Team test definitions
  • Custom PowerShell/Python scripts per exercise
  • C2 framework in lab-only configuration

Tooling (blue side):

  • SIEM with KQL or SPL query capability
  • EDR console with process tree and timeline views
  • Threat intelligence platform for IOC enrichment

Next: Exercise Library — 80 purple team exercises organized by ATT&CK tactic.