Continuous Purple Teaming

Our purple teaming workshops follow the motto: Adversary Simulation and Detection Engineering. We simulate attacks, you refine your detection rules. And we do this cooperatively, continuously, and with direct improvements.

In each session, experts from our Red Team join colleagues from your Blue Team (SOC, IT admins) in a video call. We show you live how attackers operate — and you can check directly whether you detect us. We provide the technical background knowledge you need not only to detect attacks but also to understand them.

Instead of a one-off snapshot, our Red Team brings its attack experience into your operations regularly and in a structured manner, because EDR and SIEM are not “set & forget” tools. Security is a process, and both the people and the technology need ongoing training.

We are happy to adapt the duration and cadence of the workshops to your needs. Our recommendation: 2 hours every 2 weeks.

Why Continuous Purple Teaming


Our most important reasons for Continuous Purple Teaming:

  • Attack techniques evolve rapidly — EDR configurations and detection rules become obsolete if they are not actively maintained
  • What a pentest or red teaming uncovers must be permanently detectable — not just patched once
  • SOC analysts understand attacks better when they are there live, instead of just reading findings in a report
  • Admins and SOC work together — misconfigurations found by the Red Team can be discussed directly with the right people on the call
  • In addition to practical tests, we provide technical background knowledge: how attackers think, how EDRs capture telemetry, and what lies behind the techniques — so that your team gets better independently in the long term
  • Over time, a measurable detection coverage is created: you see in black and white which MITRE ATT&CK techniques you detect today — and which you don’t

When to use Continuous Purple Teaming

In our view, the best times are:


  • You have an EDR, SIEM, or SOC in use and want to know if it really works in practice
  • You have conducted a red teaming or alert test and want to ensure that the techniques and attack paths found are permanently detected
  • Your SOC team should be exposed to current attack techniques continuously and keep training — not just once a year after an assessment
  • You want to establish detection and defense as an ongoing process, not as a one-off snapshot

Results


Typical results of Continuous Purple Teaming include:


  • Insights into which attack techniques your EDR and SIEM detect — and where blind spots lie
  • Detection rules and SIEM adjustments that arise directly from the tests and can be implemented immediately
  • Concrete configuration recommendations for EDR, PowerShell, Active Directory, and Application Control — coordinated with your admins
  • A growing detection coverage map (MITRE ATT&CK) that makes progress measurable over time
  • A SOC team that understands attacks — rather than just seeing alerts

What we need from you

For our Continuous Purple Teaming, we need from you:


  • A test device with the EDR agent active, from which we run the tests (laptop, Citrix session, VDI, or similar)
  • SOC analysts and/or admins for our interactive workshops
  • Optional: pentest or red teaming reports as a basis for the first session

Project in Planning?

Whether it's a pentest, red teaming, or a custom request –
we look forward to speaking with you!