
Purple Team Exercise

Updated over 4 months ago

Service Overview

The Purple Team Exercise is designed for organizations with an operational SOC (Security Operations Center) that actively monitors their networks and digital environments for signs of compromise. This exercise evaluates the SOC team’s ability to detect specific threat actor techniques and assesses their operational readiness against known attacker behaviors.

The exercise is focused on the technological aspect of security operations, guided by threat intelligence inputs that define the most probable threat actors’ TTPs (Tactics, Techniques, and Procedures). CYE conducts the exercise overtly, working hand-in-hand with the organization’s SOC team to simulate attacker actions and confirm whether detection mechanisms are triggered successfully. Detection success or failure is validated in real time as different exploits are executed within the network.


Methodology

The exercise is based on a curated list of MITRE-based techniques (aka TTPs) known to be used by threat actor groups targeting the organization. Together, CYE and the client’s SOC team review each technique in real time to determine whether the existing security controls currently leave it unseen, log it, alert on it, or block it.

The exercise follows three structured phases:

  1. Planning Phase

    • CYE meets with key stakeholders to discuss monitoring capabilities, relevant threat actors, timelines, and communication channels

  2. Alignment Phase

    • CYE performs internal analysis and aligns with the client on the selected TTPs that will be executed during the exercise

  3. Execution Phase

    • A live session is conducted with the client's SOC team, during which the agreed-upon TTPs are executed and detection and alerting are monitored in real time


Deliverables

Upon completion, the client receives a report that includes:

  • Executive summary of the activity and results

  • Methodology

  • Results summary with a detailed list of executed TTPs

  • Description of identified monitoring gaps and recommended remediation actions


Prerequisites

Based on the selected attack scenarios, the following may be required:

  • Threat actor analysis (can be provided through CYE’s CTI service)

  • Technical documentation

  • Access to the tested environment

  • User credentials and passwords

  • Specific prerequisites will be provided according to the selected TTPs


Customer Engagement

The client is expected to:

  • Participate in planning sessions to define scope, attack scenarios, and monitoring goals

  • Provide alignment on selected TTPs

  • Take part in a live collaborative exercise with the SOC team and CYE's technical leads


Relevant Standards

The methodology is based on the MITRE ATT&CK framework.


Security Domains Covered

  • Security operations, monitoring, and incident response
