What is a purple team?

01. how it works

How a purple team exercise runs in practice.

The mechanics differ from a standard red team. The goal is systematic detection coverage measurement, not operational surprise.

Technique selection

The exercise starts with a technique library, typically drawn from MITRE ATT&CK and scoped to the threat actors most relevant to your organization. 20–40 techniques is a typical exercise scope. Each technique maps to a specific adversary behavior you need to detect.

Live execution and observation

The red team executes each technique against the live environment. The blue team watches SIEM, EDR, XDR, and any other detection tooling in real time. Both sides observe together: was an alert generated? Was it the right alert? Did it have enough context to investigate?

Gap documentation

Techniques that produce no alert, or a low-fidelity alert missing key context, are documented as detection gaps. Each gap gets a remediation action: a new SIEM rule, an EDR policy change, additional logging configuration, or an architectural change.

Coverage map output

The exercise produces a MITRE ATT&CK coverage map: which techniques you detect reliably, which produce noisy or low-fidelity alerts, and which are completely missed. This is the starting point for your next detection engineering sprint.

Purple team vs red team vs tabletop

The three formats test different things. Using the wrong one for the question you are asking wastes time and produces misleading results.

A standard red team is adversary simulation without defender visibility. The defenders do not know the test is running, which is the point: it measures whether your security team can detect and respond to a real attacker operating under normal conditions. A well-run red team is the most realistic test of organizational response you can run short of an actual incident. What it does not tell you is which specific techniques were missed. You learn that the campaign was not detected. You do not learn whether technique T1055.001 is in your EDR policy or whether your SIEM rule for T1059.001 has a gap in the exclusion logic.

A purple team does not simulate an independent adversary. The red team is a tool for exercising detection controls, not an unknown threat. The collaborative format means both sides know what is being tested and when. This is less realistic than a red team: your defenders know what is being tested and when, so they are not operating under real incident pressure. The tradeoff is diagnostic precision. You leave the exercise knowing exactly which techniques you detect and which you do not, with a prioritized remediation list ordered by ATT&CK tactic and your specific threat profile.

A tabletop exercise is discussion-based. No attack techniques are actually executed. The team talks through how they would respond to a given scenario: who gets paged, who makes the call to isolate a host, what the escalation chain looks like, whether the runbooks are current. Tabletops test your incident response plan, communication, and decision-making. They do not test whether your detection tooling actually generates an alert. They are the least realistic format and the easiest to run: no technical infrastructure required, no risk of production impact, no need for a red team.

Mature security programs use all three. Tabletops run quarterly to validate that processes and runbooks are current. Purple team exercises run quarterly or semi-annually to build and maintain detection coverage. A red team runs once or twice a year to test whether the combined investment actually stops a realistic adversary. Each format answers a different question. Substituting one for another leaves the other question unanswered.

The sequencing that works: run a purple team exercise to establish your detection coverage baseline, run a red team to test whether that coverage holds under realistic adversarial pressure, then use the red team findings to scope the next purple team exercise. The loop closes.

The debrief as the deliverable

The most important part of a purple team exercise is the debrief at the end. The coverage map only matters if it is translated into an ordered remediation backlog before everyone leaves the room: which ATT&CK techniques are detected reliably, which produce partial or noisy alerts, and which are completely missed.

In practice, the debrief produces three outputs. First, a prioritized list of detection gaps with specific remediation actions: write this SIEM rule, change this EDR policy, enable this log source. Second, a map of the techniques that are detected but generating low-fidelity alerts that cannot be investigated efficiently; these get a separate workstream to add context. Third, a baseline the team can measure against in the next exercise: did the rules written after the last purple team actually improve coverage?

The map of "detected, partially detected, missed" also gives the blue team a defensible argument for detection engineering investment. When the CISO asks why the team needs three weeks to write SIEM rules, the answer is a specific list of ATT&CK techniques with no detection coverage and the threat actors known to use them against organizations in your industry.

At pentest.systems, every red team engagement includes a purple team debrief. The red team and the client's defensive team review every technique the red team used, whether it was detected, and what the detection gap looks like. Both sides leave with a shared understanding of what was visible during the engagement and what was not. The debrief is not an add-on. It is where the red team's findings become detection engineering work rather than a report that sits in a queue.

03. common questions

Frequently asked questions.

What is the difference between a red team and a purple team?

A red team operates without visibility into your detection controls. The defenders do not know when or where attacks are coming. This tests whether your security team can detect and respond to a realistic adversary operating under normal conditions. A purple team makes the adversary actions visible to the defenders so they can measure detection coverage technique by technique. Red team tests organizational response. Purple team tests detection control effectiveness. Most mature security programs use both.

What does a purple team exercise actually look like?

The red team and blue team work through an attack technique library together, typically mapped to MITRE ATT&CK. For each technique: the red team executes it against the live environment, the blue team observes their detection tools (SIEM, EDR, XDR) in real time, and both sides document whether the technique was detected, alerted, or missed. Missed techniques become remediation items: new detection rules, new EDR policy, or configuration changes. The exercise produces a detection coverage map: which ATT&CK techniques you can detect and which you cannot.

When does a purple team make sense versus a standard red team?

A standard red team is the right choice when you want to test whether your team can detect and respond to an unknown threat under realistic conditions, measuring actual response capability. A purple team is the right choice when you want to build and validate detection coverage systematically: you know roughly what you are not detecting and want to close gaps. Many organizations run a red team once or twice a year and use purple team exercises quarterly to maintain and improve detection coverage between red team engagements.

→ related

Scoping a red team or purple team exercise?

30-minute scoping call covers your threat model, detection maturity, and whether a red team or purple team is the right format for your organization.

Book a 30-min scoping call Red team page

What is a purple team?

How a purple team exercise runs in practice.

Technique selection

Live execution and observation

Gap documentation

Coverage map output

Purple team vs red team vs tabletop

The debrief as the deliverable

Frequently asked questions.

More on red team and detection testing.

Red team operations

Breach and attack simulation

Penetration testing

Red team objectives that test what matters

Scoping a red team or purple team exercise?