Adversary simulation
A Purple Team is not a blind attack: it is your red team and your blue team working side by side. We attack with real techniques while your defense team watches live, and together you check what gets detected, what slips through and why, sharpening the rules as you go. Where a Red Team tells you whether they see you, the Purple Team stays to make them see you.
For organizations with defensive capability, their own or managed, that want to get the most out of it.
What it is
The name says it all: the red team that attacks and the blue team that defends, instead of competing, mix together and work as one. Out of that mix comes purple, and a defense that improves with every attack.
The one who attacks. Runs the techniques of a real adversary against your systems.
The one who defends. Your SOC, which has to detect what is happening and respond in time.
The two together. Instead of testing each other blind, they collaborate live so the defense learns from every attack.
The exercise
It is not a surprise attack: it is a working session where we launch real techniques and your defense team watches them land in the moment, to adjust whatever is needed without waiting for a report.
We agree which attacks to try from the MITRE ATT&CK catalog, usually the ones that worry you most or the ones a Red Team already uncovered.
We run each technique with your defense team right there, watching their own telemetry. This is not about catching anyone out, but about learning together.
You compare what happened with what reached the analyst: what fired, what did not and why. If a log, a rule or a response was missing, it gets noted.
You adjust rules and response in the moment, and we launch the technique again to confirm that now it is detected.
What we test
We do not improvise the attacks: we start from MITRE ATT&CK, the catalog that describes how a real adversary behaves, their tactics, techniques and procedures. We pick with you the ones that matter most, we launch them and we measure, one by one, whether your defense sees them.
How an attacker gets in and manages to run their first code inside your systems.
How they stay inside and gain privileges without any alarm firing.
How they jump from one machine to another until they reach what really matters.
How they take your data out, the moment every defense should detect.
And we prefer to do it well rather than do it all: testing a group of techniques thoroughly and checking what happens with each one, rather than skimming over an entire catalog without learning anything. Every technique we launch stays mapped to its ATT&CK identifier, so your team can reconstruct afterward what happened, when and where the gap was.
What you take away
A Purple Team does not end in feelings: it ends in concrete changes to your detection and in a measurable snapshot of how you were before and how you stand after.
The map of each technique tested with its status: detected, partially detected or not detected. At a glance you see where you are blind.
The adjustments we make live on your SIEM and your EDR so what used to go unnoticed now fires.
Reviewed playbooks so your team not only detects, but knows what to do the moment it detects.
Your blue team has seen the attack up close and learned by doing, not by reading a report.
Detection coverage, and how it evolves, is a measure that a committee understands and that helps decide where to invest next.
The evidence that your controls do not just exist on paper, but stop real attacks.
When
A Red Team shows you what slips past you. The Purple Team is the step that fixes it, sitting attack and defense down on those same blind spots.
You have just deployed or migrated your SIEM or your EDR. Before trusting it, it pays to check that it detects what it claims to detect.
Your blue team learns more in one session watching real attacks than in months of theory.
You need to be able to demonstrate, with real techniques, that your controls work and do not just appear in a document.
Fits with
The Purple Team sharpens a defense that already exists, so its natural partner is Sondriva, our SOC: the blue team that gets trained in the exercise. And it is the collaborative face of the Red Team: where that one attacks you blind to see whether you detect it, the Purple Team sits with you to fix exactly those blind spots. Many organizations chain the two, first the test and then the training.
Questions
It comes down to attitude. A Red Team attacks you blind and measures whether you detect it, without your team knowing. A Purple Team is done in the open: the attacker and the defender work together, seeing the same thing at the same time, to sharpen detection on the fly. One tests you, the other trains you.
It is the catalog that describes how a real adversary behaves: their tactics, techniques and procedures, the TTPs. We use it as the script for the exercise because it gives us a common language with your team: we pick specific techniques from the catalog, launch them and measure detection coverage, what percentage of those relevant techniques your defense sees.
Yes, you need defensive capability, your own or managed, because that is exactly what gets sharpened. If you do not yet have detection in place, the Purple Team arrives too early: first it pays to have a SOC and some controls, and then we come to get the most out of them.
Yes, and that is the difference with the Red Team. This is not about catching anyone out, but about learning together: your defense team is right there, sees every technique we launch and adjusts its rules and its response on the spot.
With numbers, not with feelings. Every technique we launch is recorded with its status: detected, partially detected or not detected. That matrix is your detection coverage, and we compare it before and after the adjustment. We also look at how long it takes for the alarm to fire, because detecting late is sometimes almost like not detecting at all.
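Added example, not part of this page or the vendor's tooling: a small Python script that builds the before/after coverage matrix described above from constructed session results (the technique IDs, statuses and minutes to alert are sample data), weights partial detections at half, breaks coverage down by tactic and flags any technique that regressed on the retest.

```python
# Added example (not from the page): a before/after detection-coverage
# matrix for a Purple Team session. Each record maps an ATT&CK technique
# to a status and, when an alert fired, the minutes from execution until
# it reached an analyst. All values below are constructed sample data.
from statistics import median

STATUS_WEIGHT = {"detected": 1.0, "partial": 0.5, "missed": 0.0}

# Constructed session data: (technique, tactic, status, minutes_to_alert)
BEFORE = [
    ("T1059.001", "execution", "partial", 40),
    ("T1053.005", "persistence", "missed", None),
    ("T1021.002", "lateral-movement", "detected", 6),
    ("T1567.002", "exfiltration", "missed", None),
]
AFTER = [
    ("T1059.001", "execution", "detected", 3),
    ("T1053.005", "persistence", "detected", 12),
    ("T1021.002", "lateral-movement", "missed", None),  # broke on retest
    ("T1567.002", "exfiltration", "partial", 25),
]

def coverage(results):
    """Weighted coverage in percent; a partial detection counts for half."""
    if not results:
        return 0.0
    return 100.0 * sum(STATUS_WEIGHT[r[2]] for r in results) / len(results)

def coverage_by_tactic(results):
    """Same metric, grouped by ATT&CK tactic, to show where the blind spots are."""
    by_tactic = {}
    for _, tactic, status, _ in results:
        by_tactic.setdefault(tactic, []).append(STATUS_WEIGHT[status])
    return {t: 100.0 * sum(w) / len(w) for t, w in by_tactic.items()}

def median_minutes_to_alert(results):
    """Median time to alert over the techniques that produced one."""
    times = [m for *_, m in results if m is not None]
    return median(times) if times else None

def regressions(before, after):
    """Techniques whose status got worse after the adjustment: the retest
    exists to catch these, not only to confirm the new detections."""
    prior = {t: STATUS_WEIGHT[s] for t, _, s, _ in before}
    return sorted(t for t, _, s, _ in after if STATUS_WEIGHT[s] < prior.get(t, 0.0))

if __name__ == "__main__":
    print(f"coverage before: {coverage(BEFORE):.1f}%  after: {coverage(AFTER):.1f}%")
    print("by tactic after:", coverage_by_tactic(AFTER))
    print("median minutes to alert after:", median_minutes_to_alert(AFTER))
    print("regressions on retest:", regressions(BEFORE, AFTER))
```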
We sharpen them alongside your team, live. When a technique slips through, we see why (a log was missing, a rule, a response), we propose the adjustment on your SIEM or your EDR and we launch the attack again to confirm that now it does fire. That second attempt, the retest, is what sets a Purple Team apart from tuning rules blind.
A matrix of the techniques tested with their detection status, the rules sharpened on your SIEM and your EDR, the reviewed response playbooks, a blue team that has learned by doing and a coverage metric that a committee can understand and that serves to prove to an auditor that your controls stop real attacks.
Yes, it fits perfectly. When your defense is a managed SOC, the Purple Team is the way to sharpen together what is watched and how it is answered. With Sondriva, our own SOC, the exercise is even more direct, because the team that defends and the one that sharpens speak the same language.
They usually go together in time. A Red Team tells you what slips past you, and the Purple Team is the step that fixes it, sitting attack and defense down to sharpen those blind spots. Many organizations start with the Red Team and follow up with Purple Team sessions.
Shall we talk?
Tell us how you defend today, with your own team or with a managed SOC, and we will set up a Purple Team to sharpen what you already have.
Get in touch