We’re All in This Together: The Case for Purple Teaming

Cyber Labs

This insight is part 01 of 20 in this Collection.

February 21, 2025 14 mins

Why should you consider a purple team? What can you gain from it, and how do you make it work for your organization?

After running a few penetration tests or phishing simulations, you might ask, "How do we simulate a more advanced attack?" Red team engagements are often the next step. Red teams simulate real adversaries with a wide scope and focus on stealth. Unlike real attackers who can typically take their time to avoid detection, red teams have a time limit and don’t always have the luxury of using slow, methodical techniques. Instead, red teams often skip viable attack paths or ignore time-consuming tactics to focus on a narrow set of reliable strategies and the execution of a small number of end-to-end attack paths. This limits realism and exploration.

That's not to say red teams aren't effective—identifying a single end-to-end exploit chain from your perimeter to your internal network and into a critical database or fileshare is inherently valuable. However, if you're aiming for a defense-in-depth approach, you may want to consider a more thorough assessment. Think of the Swiss cheese model: while finding one alignment of overlapping holes is helpful, tomorrow those slices might shift, like layers in a messy, overstuffed sandwich. A more holistic assessment can help maintain resilience even as the ingredients move around, and conditions change.

This is where the capabilities of red teams are necessarily restricted—how do you truly simulate an advanced threat when you simply don’t have enough time? A nation state or APT is often able to spend months inspecting and learning the inner workings of your network undetected, whereas a red team has a deadline. An APT can work in shifts over the weekend and on holidays, whereas a red team is usually working around business hours. Well, what if the red team could leverage the insider knowledge of the blue team during a test? It sounds like cheating, right? That’s only if you view security as blue vs. red, rather than blue and red vs. the adversary. After all, any good marriage counselor will tell you that in the face of conflict, it should never be spouse vs. spouse, but rather both spouses vs. the issue. This is especially important when the issue in question could potentially result in your primary fileshare being locked by ransomware until you pay a substantial ransom.

Understanding Purple Teaming

Purple teaming integrates red and blue teams, creating a feedback loop that can enhance both offensive and defensive capabilities. The red team can communicate with the blue team to expedite actions that would otherwise require stealth. For example, instead of spending days on stealthy network enumeration to evade network and host-based detection tools, the red team, after enumerating a few hosts without detection, might simply ask the blue team for the location of an application that stores sensitive data, simulating a patient attacker without wasting time. In exchange for bypassing detection (a “trade” that sacrifices realism for efficiency), the red team gains the ability to perform deeper testing in less time, allowing for a more comprehensive assessment. In this way, the red team trades a stealthy but limited demonstration for a more comprehensive result set, allowing for deeper evaluations, quicker iterations, and better security improvements without the need for slow stealth, overcoming the time (and, as is often the case, budgetary) restrictions that may plague this type of work.

Keep in mind that just putting red and blue teams together doesn't guarantee improved security. You need a strategy, clear goals, and a way to maximize the value of these exercises. This approach can be a cost-effective way to help test defenses against potential sophisticated attackers.

Assessing Your Organization’s Cybersecurity Maturity

Before starting a purple team, evaluate your organization’s cybersecurity maturity. You don't want to make the investment in an advanced red team assessment only to have the red teamer stroll in and compromise your entire network with a 2005-era exploit on day one.

Less mature organizations may rely on basic tools (or no tools) and struggle with advanced threats (or basic threats) whereas more mature organizations often use integrated, automated systems for real-time monitoring and alerting. Incident response processes also can reveal maturity—immature teams’ processes are typically ad hoc, while mature ones routinely have formal, regularly tested plans.

How do you know if your organization is mature? Consider the following, which are some of the generally recognized hallmarks of cybersecurity maturity:

Monitoring and detection:
  • EDR, IDS, and SIEM: Mature organizations effectively integrate these tools for seamless real-time detection and response.
  • Log Management: Are logs from different sources collected and correlated to provide attack context? Logs should include detailed data from endpoints, network devices, and cloud infrastructure.
  • Deception Technologies: Mature organizations often use honeypots and deception technologies to detect attackers that have bypassed initial defenses.
Incident Response Capabilities:
  • Incident Response Plan: A mature organization has a documented, regularly tested incident response plan. Teams should practice the plan using tabletop exercises and live drills.
  • Time to Detection and Response: Mature organizations track and minimize the average time to detect and respond to incidents using automated tools and ongoing proactive threat hunting.
Vulnerability Management and Patch Management:
  • Patch Timeliness: Mature organizations promptly patch vulnerabilities, prioritizing based on risk assessment and automating processes where possible.
  • Continuous Vulnerability Assessments: Assessments should be ongoing and aligned with industry-standard frameworks. Mature organizations promptly remediate discovered vulnerabilities.

Planning a Purple Team Engagement

Setting clear goals for the purple team is essential. Are you testing defensive tools, response times, or attack scenarios, or something else? Goals should be specific, realistic, and simulate the tactics and objectives of real attackers.

Even though the red team and blue team are collaborating, they will have different goals.

❌ Red team goals should not prioritize:

  • See how far you can get
  • Compromise the network
  • Improve security posture

✅ Red team goals should include:

  • Demonstrate read access to production database at 10.10.10.50
  • Gain write access to the primary fileshare at 10.10.10.25
  • Circumvent network firewalls and gain access to the network at 10.10.10.0/24

Notice that none of these goals refer to specific tools. You might think that a useful goal would be “Ensure our IDS triggers when the red team compromises a host”. While this may seem useful, this goal may not align with the comprehensive objectives of the blue team because it limits their focus to triggering specific alerts rather than exploring the network comprehensively. Red team goals should be about understanding how well your defenses work in practice, not just triggering alerts. The blue team should have their own goals, which align with the tools they're using, and can be assessed during the engagement. There's nothing wrong with simply asking the red team to fire off a few commands when they reach a specific part of the network you're interested in.

Once specific goals are defined for both the red team and blue team, you need to get buy-in from all stakeholders, including management and technical teams, to ensure everyone is aligned. And of course, you should tailor the engagement to your organization’s maturity. For example, if you're still developing, you may want to focus on tool effectiveness and incident response basics. More mature organizations may want to assess new changes within the organization, new security boundaries, and efficacy of alerts. Do alerts and controls detect a specific tool, or do they detect the underlying mechanism of the vulnerability?

Case Studies: Demonstrating Purple Team Approaches

Below, we showcase four distinct purple team engagements we performed last year. Each demonstrates how tailored approaches can address varying levels of organizational maturity, goals, and challenges, ultimately providing actionable insights and the opportunity for real improvements for the underlying clients. Each case study includes insights into effective strategies and factors to consider when selecting an approach.

Automotive Company

Given this organization's evolving cybersecurity maturity, an automated framework was determined to be an appropriate approach for their purple team engagement. We used an automated PowerShell-based framework to conduct tests, each aligned with the MITRE ATT&CK framework. Over five days, we executed hundreds of test cases and recorded the results, sharing our screens during video calls to discuss the tests and outcomes in real time.

Benefits of this approach: The approach was quick to set up and allowed us to execute many tests quickly, providing broad coverage. It was essentially a plug-and-play solution, making it accessible to the organization as an effective starting point. The client was able to provide instantaneous feedback and point us to their important assets, areas of interest, and concerns as defenders. They were able to make modifications in real time and have us re-run the test cases to help ensure they had closed the gaps we identified.

Practical considerations: This method had limitations, in particular as the organization matured and implemented our initial recommendations. When we used the same framework the following year, their new security measures effectively blocked many of the PowerShell tests we had previously used. To ensure continued effectiveness, we adapted our approach by incorporating evasions to validate the protections they implemented based on our initial recommendations. These measures effectively strengthened their defenses, and our adjustments were necessary to confirm that the new safeguards were functioning as intended.
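The two passages above that lend themselves to a concrete record are the “Time to Detection and Response” hallmark (track and minimize the average time to detect) and the automotive engagement (hundreds of ATT&CK-aligned test cases, recorded, then re-run after the client changed its configuration). The following Python ledger is an added example written for this article; it is not the PowerShell framework the engagement used, nor any Aon or Stroz Friedberg tooling. It records each test case with its ATT&CK technique ID, execution time, detection time and whether a control blocked it, then computes detection rate and mean time to detect per run and diffs two runs to show which gaps closed, which stayed open, and whether anything regressed. Every case ID, timestamp and outcome in `RUN1` and `RUN2` is constructed for illustration.

```python
"""Purple-team test-case ledger (added example, not the article's or Aon's tooling).

Each executed test case is recorded with its MITRE ATT&CK technique ID, when the
red team ran it, when (if ever) the blue team detected it, and whether a control
blocked it. Comparing two runs shows which gaps were closed after remediation,
which remain open, and whether anything regressed; mean time to detect is the
maturity metric the article names. All case IDs, timings and outcomes are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass(frozen=True)
class TestResult:
    case_id: str                     # hypothetical purple-team case identifier
    technique: str                   # ATT&CK technique ID, e.g. "T1059.001"
    executed_at: datetime            # when the red team ran the case
    detected_at: Optional[datetime]  # when the blue team alerted; None = never
    blocked: bool                    # True if a preventive control stopped it

    def covered(self) -> bool:
        """A case is covered if it was blocked or detected; otherwise it is a gap."""
        return self.blocked or self.detected_at is not None


def detection_rate(results: List[TestResult]) -> float:
    """Fraction of executed cases the blue team detected (blocking alone does not count)."""
    if not results:
        return 0.0
    return sum(1 for r in results if r.detected_at is not None) / len(results)


def mean_time_to_detect(results: List[TestResult]) -> Optional[timedelta]:
    """Average delay from execution to detection over the cases that were detected."""
    delays = [r.detected_at - r.executed_at for r in results if r.detected_at is not None]
    if not delays:
        return None
    return sum(delays, timedelta()) / len(delays)


def open_gaps(results: List[TestResult]) -> List[str]:
    """Case IDs that were neither blocked nor detected, sorted for stable reporting."""
    return sorted(r.case_id for r in results if not r.covered())


def closed_gaps(before: List[TestResult], after: List[TestResult]) -> Set[str]:
    """Cases that were gaps in the first run and covered in the re-run."""
    first = {r.case_id for r in before if not r.covered()}
    second = {r.case_id for r in after if r.covered()}
    return first & second


def regressions(before: List[TestResult], after: List[TestResult]) -> Set[str]:
    """Cases covered in the first run but neither blocked nor detected in the re-run."""
    first = {r.case_id for r in before if r.covered()}
    second = {r.case_id for r in after if not r.covered()}
    return first & second


def _t(hour: int, minute: int) -> datetime:
    return datetime(2025, 1, 15, hour, minute)  # constructed engagement day


# Constructed run 1: the initial purple-team day.
RUN1 = [
    TestResult("PT-001", "T1059.001", _t(9, 0), _t(9, 2), False),
    TestResult("PT-002", "T1003.001", _t(9, 10), None, False),
    TestResult("PT-003", "T1021.002", _t(9, 20), _t(9, 35), False),
    TestResult("PT-004", "T1547.001", _t(9, 30), None, False),
    TestResult("PT-005", "T1105", _t(9, 40), None, True),
]

# Constructed run 2: the same cases re-executed after the blue team adjusted its rules.
RUN2 = [
    TestResult("PT-001", "T1059.001", _t(9, 0), _t(9, 1), True),
    TestResult("PT-002", "T1003.001", _t(9, 10), _t(9, 12), False),
    TestResult("PT-003", "T1021.002", _t(9, 20), _t(9, 23), False),
    TestResult("PT-004", "T1547.001", _t(9, 30), None, False),
    TestResult("PT-005", "T1105", _t(9, 40), _t(9, 41), True),
]


if __name__ == "__main__":
    for name, run in (("run 1", RUN1), ("run 2", RUN2)):
        mttd = mean_time_to_detect(run)
        minutes = mttd.total_seconds() / 60 if mttd else float("nan")
        print(f"{name}: detection rate {detection_rate(run):.0%}, "
              f"MTTD {minutes:.1f} min, open gaps {open_gaps(run)}")
    print("closed since run 1:", sorted(closed_gaps(RUN1, RUN2)))
    print("regressions since run 1:", sorted(regressions(RUN1, RUN2)))
```

Two design choices matter for the metric. A blocked case counts as covered but not as detected, so a preventive control that silently stops a technique does not inflate the detection rate, and mean time to detect is computed only over detected cases, so undetected ones (which would otherwise be an infinite delay) surface through `open_gaps` rather than being hidden in an average.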

Manufacturing Company

This organization wanted to assess whether its endpoint detection and response (EDR) system was properly configured and effective at preventing advanced malware and evasion techniques. We developed a series of EDR test cases, each targeting specific malware techniques, ranging from basic to sophisticated. Testing was conducted in stages: Stage 1 used off-the-shelf payloads designed to be detected; Stage 2 used the same payloads but obfuscated with encoders and crypters; Stage 3 employed fully customized malware. This staged approach revealed gaps not only in the EDR's configuration but also in its inherent capabilities. The client was able to modify its EDR configuration and implement additional defensive tooling to help address the gaps we identified.

Benefits of this approach: The staged approach provided a comprehensive understanding of the EDR's detection capabilities, allowing the organization to pinpoint the gaps at each level of sophistication. It highlighted both configuration weaknesses and the inherent limitations of the tool, leading to specific, actionable improvements.

Practical considerations: The approach required considerable time and effort to conduct each stage, particularly as obfuscation techniques and custom malware were introduced. The need for evasions also made it more challenging for the red team, slowing down the process and increasing the complexity of managing the engagement.

Heavy Rail Organization

This organization was a unique case involving a comparative assessment across four subsidiaries, each with its own security operations center (SOC). The parent organization wanted a standardized approach to evaluate all four subsidiaries fairly. Instead of running identical tests against each SOC, we employed the same level of effort across all organizations and coordinated with each SOC, allowing for an effective comparison of their maturity and capabilities.

Benefits of this approach: This approach provided a fair comparison across subsidiaries without bias towards any particular environment. By tailoring the level of effort instead of the exact tests, we were able to adapt to the different environments while still maintaining an equivalent benchmark, allowing the parent organization to clearly identify strengths and weaknesses across the subsidiaries. These results were then used to identify where to focus resources to help improve each subsidiary.

Practical considerations: The varying environments added complexity to coordinating the tests effectively, as each SOC had different configurations and capabilities. The lack of uniformity made it challenging to standardize findings directly, requiring additional effort to contextualize results based on the specific environment of each subsidiary.

SOC-as-a-Service Company

This organization was one of the most mature organizations we've worked with—security was embedded into every aspect of their operations. As a result, the purple team engagement was extremely hands-on. The organization set specific objectives, such as reaching certain parts of the network or compromising particular databases. Each morning, we had a call to discuss the previous day’s progress and the current day’s plan. If we faced challenges, the company provided the resources needed, such as credentials, to simulate a real attacker with extended time. This approach allowed us to push their defenses in a controlled, methodical manner, replicating a persistent adversary with ample time. Ultimately, we were able to identify numerous critical and high-risk vulnerabilities that a traditional red team would likely have missed, since a traditional red team would likely have been detected very quickly and would have been unlikely to penetrate the inner networks given the time and budgetary constraints associated with red team testing noted earlier.

Benefits of this approach: The highly collaborative approach allowed us to fully explore the organization's defenses, revealing vulnerabilities that would have likely otherwise gone undetected in a traditional red team engagement. The combination of specific objectives and resource support from the client enabled us to simulate a highly persistent adversary in a realistic yet efficient manner. The daily debriefs helped align both teams and allowed us to adapt the strategy on the fly, maximizing the effectiveness of the engagement.

Practical considerations: The engagement required a high level of involvement from the client's security team, which could be challenging for organizations with limited resources. The constant communication and adjustments also required flexibility from both sides, making it more demanding in terms of time and coordination compared to a traditional red team assessment.

A note on communication

Each organization needs to decide how much communication between red and blue teams is appropriate and what form it should take. This could be anything from a shared Slack channel for ad hoc questions, to daily stand-up meetings, or even all-day screen sharing sessions during critical phases of the engagement. The choice often depends on factors such as team availability, engagement scope, and the desired balance between stealth and transparency. Organizations should consider, among other things, their resources, the complexity of their defenses, and how quickly they want to iterate on findings to determine the communication model that fits their needs for their purple team engagements. Clear expectations upfront can help to ensure smooth, productive collaboration.

Wrapping Up

Purple teaming isn’t just another checkbox on a compliance list. It’s a strategic collaboration that offers unique benefits. Purple teaming is efficient, can skip the lengthy stealth requirements of a traditional red team, and enables both sides to learn from each other in real time, saving time and resources. It also provides broader coverage, testing a variety of attack vectors in a shorter period. Since vulnerabilities can be identified and addressed during the engagement, organizations can benefit from the opportunity to implement real-time improvements.

Thinking about a purple team engagement? Reach out to us. We can help you elevate your security posture, close gaps, and work to outpace emerging threats.

Aon’s Thought Leader
  • Aidan Barrington
    Manager, Security Testing, Cyber Solutions

About Cyber Solutions:

Cyber security services are offered by Stroz Friedberg Inc., its subsidiaries and affiliates. Stroz Friedberg is part of Aon’s Cyber Solutions which offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.

General Disclaimer

This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own professional advisors or IT specialists before implementing any recommendation, following any of the steps or guidance provided herein. Although we endeavor to provide accurate and timely information and use sources that we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
