Blue team + Red team = Purple team: an alliance serving cybersecurity
Introduction
On the eve of the DORA (Digital Operational Resilience Act) regulations, applicable from 2025, and since the recent update of the TIBER-EU in February 2025, Purple Teaming is becoming mandatory for systemic entities subject to these regulations.
In this article, we will review the fundamentals of Purple Teaming, present how Thales supports its customers in implementing these services, and highlight how this collaborative and proactive approach can offer real added value to sustainably strengthen your organization's security posture.
Definition and concepts
▪️ What is a Purple Team: It's not necessarily a separate team, but rather a collaborative methodology that aims to maximize the effectiveness of the Red Team (offensive) and Blue Team (defensive). It symbolizes the union of these two colors (Red 🔴 + Blue 🔵 = Purple 🟣).
▪️ The main objective: Improve a company's overall security posture by establishing collaboration and knowledge-sharing between Red Team and Blue Team to refine detection and response to simulated attacks. The aim is to test, evaluate and improve detection and response capabilities.
▪️ How it works: The Purple Team establishes an exercise perimeter where the Red Team executes its TTPs on the organization, and the Blue Team integrates this feedback to readjust its defenses, perfect its detections and accelerate its response; this arrangement truly tests configurations and establishes close collaboration and an exchange of know-how.
Overview: Red vs Blue vs Purple Team vs Pentest

The specific objectives of a Purple Team
1️⃣ Test and validate existing security controls:
One of the first objectives of the Purple Team is to pragmatically assess the effectiveness of the security mechanisms in place, whether they be technologies (SIEM, EDR, firewalls, etc.) or processes (incident response playbooks, escalation, alert management). This ensures that the controls actually detect and block threats in an operational context.
2️⃣ Identify gaps in detection and response:
Purple Team exercises reveal blind spots, configuration errors or inefficient processes that compromise the organization's ability to detect and respond rapidly to incidents. These tests help to pinpoint the weaknesses that need to be corrected.
3️⃣ Improve the capabilities of defensive teams:
By exposing the Blue Team to the attack techniques used by the Red Team, the Purple Team helps SOC analysts and incident response teams to improve their skills. This enables them to fine-tune their tools, correct their detection rules and adjust their procedures according to concrete scenarios.
4️⃣ Provide fast, actionable feedback:
Direct collaboration between offensive and defensive staff provides immediate feedback on simulated attacks, facilitating a clear understanding of events and continuous improvement. This on-the-spot feedback optimizes reactivity and learning.
5️⃣ Measure changes in security posture:
Purple Team campaigns track improvements in detection, response and mitigation capabilities over time. These metrics are essential for demonstrating progress in cybersecurity maturity and justifying the efforts made.
_______________________________________________________________________________
The central objective of a Purple Team approach is not to discover new technical vulnerabilities, but to improve detection and response capabilities in the face of realistic attacks. By concentrating on exploiting known or plausible vulnerabilities and tactics, the Purple Team maximizes the value of existing controls by superimposing, for each TTP, adapted layers of defense and detection, in a logic of defense in depth, while validating the effectiveness of the mechanisms put in place in the face of realistic scenarios.
Benefits of Purple Teaming
▪️ Control validation: Ensures that detection and isolation tools (SIEM, EDR, etc.) and processes work as intended.
▪️ Realistic improvement: Tests based on real attack scenarios relevant to the organization (based on CTI and techniques actively used by the red team).
▪️ Increased efficiency: rapid feedback loop for immediate adjustments, as opposed to long delays between a pentest/red team and remediation.
▪️ Better communication: Fosters a collaborative environment and a proactive security culture.
▪️ Skill development: Excellent training exercise for the Blue Team.
▪️ Dwell time reduction: Improving detection reduces the time an attacker can remain undetected.
Who is the Purple Team for?
The Purple Team exercise is aimed primarily at organizations that have reached a certain level of cybersecurity maturity, in particular those with:
▪️ an in-house Blue Team or managed security services (SOC / MSSP)
▪️ detection tools such as SIEM, EDR, NDR, or other monitoring solutions
It is also invaluable for companies investing in security technologies and wishing to verify the effectiveness, coverage and configuration of their existing controls.
In highly regulated sectors, such as finance, telecommunications or healthcare, the Purple Team even becomes indispensable for meeting the requirements of frameworks such as DORA or TIBER-EU, which impose realistic tests based on threat scenarios.
Finally, any organization wishing to proactively improve its detection and response capacity in the face of an ever-changing threat landscape will benefit fully from this approach.
At Thales: how we carry out our Purple Team missions
1️⃣ Upstream planning
Before launching the Purple Team exercise, we identify the contact points on the Blue Team side responsible for reporting alerts and detections on an ongoing basis. We define the perimeter (Active Directory, internal infrastructure, external perimeter, the entire organization, etc.) and then select the scenarios to be tested (initial access via phishing, internally with physical device exploitation, etc.).
We specify whether to replay vulnerabilities already exploited during previous pentests or Red Team tests. We set clear objectives, aligned with business risks (some customers consider the exfiltration of sensitive data - such as financial or medical information - to be a more critical threat than the compromise of a Domain Administrator account).
Finally, we validate the Blue Team's commitment by confirming communication channels, internal SLAs and the necessary availability.
2️⃣ Execution
The Red Team executes its scenarios by documenting each TTP in our Purple Team platform: which tool was used (those commonly used in Red Team and by malicious actors, as reported in Threat Intelligence feeds), which commands were launched, the execution period, origin and target. Tests cover all phases of the kill chain according to the MITRE ATT&CK framework (Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact), based on Atomic Red Team TTPs and techniques commonly observed by CTI.
At the same time, we develop and launch bespoke TTPs focused on real impact - ransomware or cryptocurrency mining on high-intensity servers - to validate the relevance of warning rules and the effectiveness of response processes.
The Blue Team monitors all actions on the platform in real time, noting for each TTP whether it has been blocked and/or detected.
3️⃣ Analysis and Report
At the end of the exercise, each TTP is analyzed for detection and blocking: if the attack goes undetected, we identify the causes (lack of logs, unsuitable rules, misconfigurations) and specify the events and logs to be monitored to improve coverage.
For each TTP, the report compiles the tools and commands used, the results (detected/undetected, blocked/unblocked), the potential risk and the impact.
We integrate performance indicators (% of TTPs blocked, % of TTPs detected, % by MITRE technique) to highlight areas for improvement and remediation, then provide an interactive Excel spreadsheet enabling the Blue Team and the whole organization to rework the data and prioritize corrective actions.
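As an added illustration of the indicators produced in the analysis step (this is example code written for this article, not the Thales Purple Team platform), the following Python scorecard groups per-TTP results by MITRE ATT&CK tactic, computes the % detected and % blocked, buckets TTPs that went undetected or unblocked for remediation, and compares two campaigns to track posture over time. The TTP outcomes and technique ids are constructed sample data, not real results.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class TTPResult:
    technique: str  # MITRE ATT&CK technique id, e.g. "T1059.001"
    tactic: str     # ATT&CK tactic the TTP was played under
    detected: bool  # Blue Team raised an alert on the action
    blocked: bool   # a control prevented the action

# Constructed sample outcome of one campaign (hypothetical, not real data).
BASELINE = [
    TTPResult("T1566.001", "Initial Access", detected=True, blocked=False),
    TTPResult("T1059.001", "Execution", detected=True, blocked=True),
    TTPResult("T1547.001", "Persistence", detected=False, blocked=False),
    TTPResult("T1003.001", "Credential Access", detected=False, blocked=True),
    TTPResult("T1021.002", "Lateral Movement", detected=False, blocked=False),
    TTPResult("T1486", "Impact", detected=True, blocked=False),
]

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def rates(rs):
    return {"ttps": len(rs),
            "detected_pct": pct(sum(r.detected for r in rs), len(rs)),
            "blocked_pct": pct(sum(r.blocked for r in rs), len(rs))}

def scorecard(results):
    """Overall and per-tactic detection / blocking rates (the report's % indicators)."""
    by_tactic = defaultdict(list)
    for r in results:
        by_tactic[r.tactic].append(r)
    return {"overall": rates(results),
            "by_tactic": {t: rates(rs) for t, rs in by_tactic.items()}}

def gaps(results):
    """Bucket each TTP by outcome so remediation can be prioritised."""
    out = {"not_detected_not_blocked": [], "blocked_silently": [], "detected_not_blocked": []}
    for r in results:
        if not r.detected and not r.blocked:
            out["not_detected_not_blocked"].append(r.technique)  # blind spot, no prevention: fix first
        elif r.blocked and not r.detected:
            out["blocked_silently"].append(r.technique)  # prevented but no alert: add a detection rule
        elif r.detected and not r.blocked:
            out["detected_not_blocked"].append(r.technique)  # alerted but not contained: response gap
    return out

def progress(before, after):
    # Change in overall rates between two campaigns, to measure posture over time.
    b, a = scorecard(before)["overall"], scorecard(after)["overall"]
    return {k: round(a[k] - b[k], 1) for k in ("detected_pct", "blocked_pct")}
```

Feeding the same structure with the real per-TTP records from an exercise gives the per-tactic coverage table and the prioritised gap list that the Blue Team reworks in the report.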

Common pitfalls and challenges
In implementing a Purple Team approach, several pitfalls and challenges can arise and compromise the effectiveness of the exercise:
▪️ Incorrect tool configuration: many customers configure their security solutions (SIEM, EDR, NDR, etc.) incorrectly - or not at all - rendering them largely ineffective.
▪️ Silos and lack of collaboration: the core problem that Purple Teaming aims to solve. It's all about creating a culture of collaboration and common goals and scenarios.
▪️ Poorly defined scope and scenarios: unclear objectives lead to ineffective exercises. You need to take the time to understand the customer's IS and business risks (which are often different from those of a traditional penetration test) in order to target priority threats and critical areas where TTPs can be played and detected.
▪️ False sense of security: limiting detection to basic attacks creates an illusion of protection; it is crucial to validate controls against advanced TTPs.
▪️ Resources and time: the exercise requires dedicated skills and a significant investment of hours (automation helps mitigate this point).
▪️ Skills: it requires Blue Team members with a Hacker Mindset, willing to explore offensive techniques and challenge the processes in place in their organization.
Conclusion
Purple Teaming is not an exercise in discovering new technical vulnerabilities - that's neither its objective nor its main added value. Its real role is strategic: to validate the real effectiveness of existing defenses and improve, in a concrete and measurable way, the ability to detect and respond to realistic threats.
It's a resolutely collaborative and operational approach, where Red Team and Blue Team work together to test existing controls, identify blind spots, adjust detection rules and reinforce incident response procedures. It's no longer a confrontation, but a process of mutual learning and continuous improvement.
Beyond the technical benefits, Purple Teaming also meets increasingly precise regulatory requirements. Frameworks such as DORA (Digital Operational Resilience Act) and TIBER-EU now require security tests based on realistic scenarios, with close coordination between offensive and defensive teams. Purple Teaming has thus become not only the best practice, but also a strategic compliance lever.
Adopting this approach means moving from a theoretical defensive posture to an active, evidence-driven resilience focused on the actual effectiveness of defenses in the face of today's threats.
Authors
Pierre Ceberio & Joachim De Bats