Collaborative exercises in which offensive techniques are executed while the Blue Team follows in real time. Each action becomes an opportunity to improve detections, review alerts and strengthen incident response.
The difference from Red Team is transparency. In Purple Team, the Blue Team knows the activity is happening, follows the executed techniques, analyzes the generated telemetry and takes part in the defensive adjustments. Every applied technique becomes an opportunity to improve SIEM rules, EDR, WAF, playbooks and response processes. The result is not just a report, but a practical evolution of defensive coverage.
1. We define, together with the client, the goals of the exercise, the assets involved, the priority scenarios, operational restrictions and execution limits.
2. We select relevant techniques from the MITRE ATT&CK matrix according to the client's context, risks, attack surface and defensive stack.
3. We execute the TTPs in an authorized and monitored environment, simulating real adversary behavior without compromising operational continuity.
4. The Blue Team follows execution in real time, analyzing logs, alerts, events, telemetry and the behavior of defensive controls.
5. When a technique isn't detected, we investigate the cause together and guide the necessary adjustments to rules, correlations, integrations or response processes.
6. After the adjustments, the technique is executed again to validate that detection now occurs as expected.
7. At the end of the exercise, the organization receives an updated MITRE ATT&CK coverage map, indicating covered, partially covered and uncovered techniques.
8. We consolidate the lessons learned with the defensive team, reinforcing how to recognize offensive patterns, investigate events and evolve detection based on the executed techniques.
1. We define the TTPs to be evaluated, the environment in scope, the defensive tools involved and the success criteria of the exercise.
2. We map current coverage against the MITRE ATT&CK matrix, establishing the starting point from which evolution during the exercise is measured.
3. Techniques are executed in a controlled manner, with the Blue Team following along, so the team can observe events, logs, alerts and visibility gaps.
4. When detection does not occur, or occurs only partially, we work with the team to review rules, correlations, alerts and procedures.
5. After each relevant adjustment, the technique is repeated to confirm whether the applied improvement produced the expected result.
6. We deliver an updated ATT&CK coverage map, including executed techniques, observed detections, applied adjustments, remaining gaps and recommendations.
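The two step sequences above describe the same loop: execute a technique, record what the defensive stack produced, adjust, re-execute, and report coverage before and after. As an added example (not the page's or the provider's own tooling), the following Python script models that loop as data: each execution of a procedure is recorded with its run number and observed outcome, and the script derives the covered / partially covered / uncovered map for the baseline and the re-test, plus the list of remaining gaps. The technique IDs are real ATT&CK identifiers used only as sample data; the procedures, outcomes, tool names and adjustments are constructed for the example.

```python
"""ATT&CK coverage tracker for one Purple Team cycle.

Added example, not the page's own tooling. Records each execution of a
technique (baseline run, then the re-test after a defensive adjustment) and
derives the before/after coverage map: covered, partially covered and
uncovered techniques, plus the procedures that still do not alert.
Technique IDs are real ATT&CK identifiers used as sample data; procedures,
outcomes, tool names and adjustments are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    """What the Blue Team observed for one execution of a procedure."""
    ALERTED = "alerted"        # telemetry present and an alert fired
    LOGGED = "logged"          # telemetry present, but no rule or correlation fired
    INVISIBLE = "invisible"    # no telemetry at all: a visibility gap


class Coverage(Enum):
    COVERED = "covered"
    PARTIAL = "partially covered"
    UNCOVERED = "uncovered"


@dataclass(frozen=True)
class Execution:
    technique: str        # ATT&CK technique ID
    procedure: str        # the concrete test case executed for that technique
    run: int              # 1 = baseline, 2 = re-test after adjustment
    outcome: Outcome
    control: str = ""     # tool that produced the signal, if any
    adjustment: str = ""  # change applied before this run (recorded on re-tests)


def classify(outcomes: list[Outcome]) -> Coverage:
    """Covered: every procedure alerted. Uncovered: nothing produced telemetry
    (or nothing was tested). Partial: anything in between, including 'logged
    but no alert', which is a detection-engineering gap, not a visibility gap."""
    if not outcomes or all(o is Outcome.INVISIBLE for o in outcomes):
        return Coverage.UNCOVERED
    if all(o is Outcome.ALERTED for o in outcomes):
        return Coverage.COVERED
    return Coverage.PARTIAL


def latest_outcomes(executions: list[Execution], run: int) -> dict[tuple[str, str], Outcome]:
    """Most recent outcome per (technique, procedure) up to and including `run`.
    A procedure that was not re-tested keeps its earlier result."""
    latest: dict[tuple[str, str], Outcome] = {}
    for e in sorted(executions, key=lambda e: e.run):
        if e.run <= run:
            latest[(e.technique, e.procedure)] = e.outcome
    return latest


def coverage_map(executions: list[Execution], run: int) -> dict[str, Coverage]:
    """Coverage state of each technique as of `run`, aggregated over its procedures."""
    by_technique: dict[str, list[Outcome]] = {}
    for (technique, _), outcome in latest_outcomes(executions, run).items():
        by_technique.setdefault(technique, []).append(outcome)
    return {t: classify(o) for t, o in sorted(by_technique.items())}


def evolution(executions: list[Execution]) -> dict[str, tuple[Coverage, Coverage]]:
    """Before/after view: baseline (run 1) against the re-test (run 2)."""
    before = coverage_map(executions, run=1)
    after = coverage_map(executions, run=2)
    return {t: (before[t], after[t]) for t in before}


def remaining_gaps(executions: list[Execution], run: int) -> list[tuple[str, str, Outcome]]:
    """Procedures that still do not alert after `run`: the report's open items."""
    return [(t, p, o) for (t, p), o in sorted(latest_outcomes(executions, run).items())
            if o is not Outcome.ALERTED]


# Constructed sample data for one exercise cycle (not real results).
SAMPLE = [
    Execution("T1059.001", "encoded PowerShell command line", 1, Outcome.LOGGED, "EDR"),
    Execution("T1059.001", "encoded PowerShell command line", 2, Outcome.ALERTED, "SIEM",
              adjustment="SIEM rule on encoded command-line flag"),
    Execution("T1059.001", "PowerShell download cradle", 1, Outcome.ALERTED, "EDR"),
    Execution("T1003.001", "LSASS memory read", 1, Outcome.ALERTED, "EDR"),
    Execution("T1021.002", "admin share access from workstation", 1, Outcome.INVISIBLE),
    Execution("T1021.002", "admin share access from workstation", 2, Outcome.LOGGED, "SIEM",
              adjustment="forward file-share audit events to SIEM"),
    Execution("T1053.005", "scheduled task created remotely", 1, Outcome.INVISIBLE),
]


if __name__ == "__main__":
    for technique, (before, after) in evolution(SAMPLE).items():
        print(f"{technique}: {before.value} -> {after.value}")
    for technique, procedure, outcome in remaining_gaps(SAMPLE, run=2):
        print(f"gap: {technique} / {procedure} ({outcome.value})")
```

The split between `LOGGED` and `INVISIBLE` is the point of the model: it is what lets the report distinguish a technology or visibility gap (no telemetry reaches the stack) from a detection-engineering gap (telemetry exists but no rule fires), which the page lists as separate categories of finding. In the sample, T1021.002 moves from uncovered to partially covered after log forwarding is enabled, and stays on the open-items list until a correlation rule actually alerts on it.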
- The organization visualizes the evolution of defensive coverage before and after the exercise, based on real techniques from the ATT&CK matrix.
- The outcome includes practical adjustments to rules, correlations, alerts or processes, reducing the distance between diagnosis and operational improvement.
- The team learns in practice how offensive techniques appear in logs, alerts and the telemetry of security tools.
- The exercise helps differentiate gaps in technology, process, visibility, configuration and team capability.
- More collaborative than Red Team and more detection-oriented than Pentest — ideal for teams that want to evolve defensive maturity.
- It can be carried out in recurring cycles, focused on new techniques, new vectors and progressive improvements in defensive coverage.
Not strictly. However, the exercise produces more value when the organization already has some defensive stack in operation, such as SIEM, EDR, XDR, WAF or minimal analysis and response processes. For environments still without structured detection, it may be better to start with Pentest or a defensive assessment.
Tell us the context of your Blue Team, the defensive stack in use and the main scenarios you want to validate. We'll come back with an exercise proposal, scope and next steps.