Building a Purple Team Cadence: Red Tests, Blue Detections, Closed Gaps
Annual red team engagements deliver a report that gets read once and shelved. A purple team cadence delivers continuous validation, closed coverage gaps, and a measurable detection improvement curve. Here is how to operate one without burning out either side.
By Arjun Raghavan, Security & Systems Lead, BIPI · September 26, 2023 · 10 min read
A red team report contains thirty findings, gets read by three people, and produces two patches. The detection engineering team learns nothing from it because the report was not written for them. The blue team scrambles for two weeks, fixes the most visible issues, and stops. Six months later, the same red team finds the same gaps with slightly different techniques. The cycle costs hundreds of thousands of dollars and improves nothing measurably.
Purple as a Cadence, Not an Event
Purple teaming is not a quarterly workshop. It is a continuous cadence in which red executes techniques on a known schedule, blue is alerted only by its detections rather than by red announcing the test, and gaps are closed before the next iteration. The right tempo for most organizations is one technique sprint per week, run for two days, evaluated for three.
- Week one: red executes T1003.001 LSASS dumping using three variants from Atomic Red Team
- Week two: red executes T1059.001 PowerShell with encoded commands and download cradles
- Week three: red executes T1078.004 valid cloud accounts with anomalous geography
- Each week is scoped, isolated, measurable, and produces a written outcome
Tooling for the Cadence
Atomic Red Team provides the test library, with over 1,400 technique tests mapped to ATT&CK. Caldera adds adversary emulation chains, useful when you want to test multi-step intrusions rather than isolated techniques. Both are free, both are well maintained, and both are sufficient for 80 percent of purple team needs. Reserve commercial breach and attack simulation tools for advanced use cases like cross-domain testing.
The Scorecard
- Was telemetry generated by the technique: yes, no, partial
- Did a detection alert fire: yes, no, with what latency
- Was the alert triaged by a human within the SLA: yes, no
- Was a containment action taken or initiated: yes, no, not applicable
- What changed between this run and the last run of the same technique
Closing the Gap
Every purple iteration that finds a gap must produce one of three outcomes within two weeks. A new detection rule covering the missed technique, deployed and validated against the same test. A documented coverage gap, with the telemetry or tooling reason and a named remediation owner. A risk acceptance signed off explicitly. Iterations without a written outcome are wasted.
Measurement Over Time
Track the same set of 50 high-priority techniques across iterations and chart detection rate over time. A healthy program shows steady improvement: 40 percent detection in iteration one, 55 percent by iteration four, 75 percent by iteration twelve. A flat line means the team is testing without learning, almost always because gaps are not being closed before the next iteration.
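To make the scorecard and the detection-rate curve concrete, here is an added Python example (mine, not code from the article or from BIPI) that stores one scorecard row per technique per iteration, computes the per-iteration detection rate, lists which scorecard fields changed between consecutive runs of a technique, and flags techniques that missed twice in a row with no written outcome recorded in between. The rows are constructed sample data, not measurements from any program.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Result:  # one scorecard row: one technique executed in one purple iteration
    iteration: int
    technique: str              # ATT&CK technique ID, e.g. T1003.001
    telemetry: str              # "yes" | "no" | "partial"
    alert_fired: bool
    latency_s: Optional[int]    # seconds from execution to alert; None if no alert
    triaged_in_sla: bool
    outcome: Optional[str]      # "rule" | "gap_documented" | "risk_accepted" | None

SAMPLE = [  # constructed sample rows for two iterations of the three techniques above
    Result(1, "T1003.001", "yes", False, None, False, "rule"),
    Result(1, "T1059.001", "partial", False, None, False, None),
    Result(1, "T1078.004", "yes", True, 420, True, None),
    Result(2, "T1003.001", "yes", True, 90, True, None),
    Result(2, "T1059.001", "partial", False, None, False, None),
    Result(2, "T1078.004", "yes", True, 300, True, None),
]
COMPARED = ("telemetry", "alert_fired", "latency_s", "triaged_in_sla")  # diffed per run

def detection_rate(results, iteration):
    """Fraction of techniques in an iteration whose alert fired (the curve to chart)."""
    rows = [r for r in results if r.iteration == iteration]
    return sum(r.alert_fired for r in rows) / len(rows) if rows else 0.0

def run_delta(results, technique, iteration):
    """Scorecard fields that changed versus the previous run of the same technique."""
    runs = {r.iteration: r for r in results if r.technique == technique}
    cur, prev = runs.get(iteration), runs.get(iteration - 1)
    if cur is None or prev is None:
        return []
    return [f for f in COMPARED if getattr(cur, f) != getattr(prev, f)]

def unresolved_gaps(results):
    """(technique, iteration) pairs where detection missed, no written outcome was
    recorded, and the next iteration missed again: testing without learning."""
    runs = {}
    for r in results:
        runs.setdefault(r.technique, {})[r.iteration] = r
    flagged = []
    for tech, by_iter in sorted(runs.items()):
        for it in sorted(by_iter):
            cur, nxt = by_iter[it], by_iter.get(it + 1)
            if nxt and not cur.alert_fired and cur.outcome is None and not nxt.alert_fired:
                flagged.append((tech, it))
    return flagged
```

On the sample rows, T1003.001 misses in iteration one but carries a "rule" outcome and is caught in iteration two, while T1059.001 misses twice with nothing written down and is the one flagged.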
Common Failure Modes
- Red team owns the scoring and grades to its own benefit, treating evasion as success rather than collaboration
- Blue team treats every purple test as production response, exhausting analysts on simulated incidents
- No telemetry baseline before the test, so success is measured against intuition rather than data
- Tests run only against the corporate environment, leaving cloud, SaaS, and OT untested
Red teams that grade themselves on bypasses make detection engineering harder. Red teams that grade themselves on gaps closed make detection engineering possible.
Cultural Wiring
The hardest part of purple teaming is not technical. It is convincing both teams that the goal is shared improvement rather than competitive scoring. Co-locate red and blue in a shared channel during purple weeks. Share the queries that did and did not catch the activity. Celebrate the closed gap, not the bypass. Over a year, this changes the culture from adversarial to collaborative, and the detection improvement curve reflects it.