Use Case

Purple team operations
attack, detect, calibrate, repeat

Run purple team engagements where the red and the blue side work the same record. Tag every action with MITRE ATT&CK, log detections and gaps in real time, and produce a report that drives detection engineering rather than ending in a PDF.

No credit card required. Free plan available forever.

Purple team operations on a single shared record

Most purple team engagements still run on two separate trackers. The red side keeps its actions in a private log. The blue side raises detections in the SIEM ticket queue. The two meet at a readout, the report becomes a chronological narrative, and the detection engineering output is whatever the team can reconstruct from memory in the week after the exercise. The technique-by-technique coverage picture, the replay queue, and the closure evidence rarely make it into a deliverable that the SOC can act on the following Monday.

SecPortal models a purple team engagement as a single shared record. Red operators tag each action with the MITRE ATT&CK technique it represents. Blue operators record the detection outcome inline against the same action. Missed techniques open as structured findings with remediation owners. Replays pair to the original miss on the same record. AI generates a coverage-oriented report when the engagement closes. The deliverable improves detection rather than describing the engagement.

Capabilities purpose-built for collaborative red and blue work

One engagement record for both sides

Red and blue operators work the same engagement, see the same actions, and contribute to the same audit trail. There is no separate spreadsheet for the offensive side and a private detection log on the defensive side that only meet at the readout.

MITRE ATT&CK tagging on every action

Tag each attacker action with the tactic, technique, and sub-technique it maps to. The blue side correlates against the same identifier, so detection coverage is reported by technique rather than by free-text description.

Detection outcome logged inline

For each tagged action, the blue team records detected, partially detected, or missed, plus the SIEM rule, EDR alert, or log query that caught it. Missed techniques become structured findings with remediation owners and target dates.

Replay and re-verify on the same record

After detection rules are tuned, replay the failed techniques and verify coverage against the same engagement. The replay outcome lives next to the original miss, so the record shows attack, gap, fix, and verification end-to-end.

Severity tied to detection outcome

Findings carry CVSS 3.1 severity for the attacker capability and a separate detection-impact rating for the defender gap. A medium technique with no detection coverage often outranks a high technique that already triggers an alert and a paged response.

Branded portal for stakeholders

Internal stakeholders, audit, and risk see the live coverage picture through a branded portal on a subdomain you control. The deliverable is the workspace, not a frozen PDF that ages out the day after the readout.

Where purple teaming sits next to red teaming and pentesting

Purple, red, and traditional pentesting answer different questions and produce different deliverables. Picking the right exercise for the question is half the value of the engagement.

Red team engagement

Adversary simulation against a defending team that does not know the engagement is happening. The red side optimises for stealth, the blue side optimises for real-world detection, and the value of the exercise is what the blue side learns about its current posture under realistic conditions. Best run as a periodic maximum-stealth exercise.

Purple team engagement

Collaborative exercise where red and blue operators work in coordination to validate detection coverage on a defined set of techniques. Speed and feedback win over stealth. The value is detection engineering output, not a list of findings, and the exercise is most useful when run frequently with a tight feedback loop.

Penetration test

Scoped technical assessment focused on identifying and validating vulnerabilities in a defined target. Methodology-driven and report-driven. Useful as a quality bar and a compliance deliverable. Less useful as a detection-engineering input on its own, because the techniques and timing are not coordinated with the defenders.

For the offensive narrative side, the red team reporting workflow keeps tactics, techniques, and timeline in a chronological narrative report. For the scoped technical assessment side, the penetration testing workflow covers methodology, scope, and finding-driven reporting. The blog comparison on red team vs penetration test is a useful primer for stakeholders deciding which engagement they actually need.

Where purple team exercises break, and how the platform closes the gap

The same handful of failure modes show up in almost every purple team exercise that runs on two separate trackers. Each one is a structural problem with a structural fix.

Findings live in a red-team spreadsheet the blue side never sees

The classic purple team failure. The red side records actions in a private log, the blue side records detections in a separate SIEM ticket queue, and the two only meet at the readout. By that point the technique-by-technique correlation is impossible and the report becomes a generic narrative. A shared engagement record fixes this on the first action of the exercise.

Detection outcomes are recorded in free text

When detection results are written as paragraphs, coverage cannot be aggregated, gaps cannot be tracked over time, and the next purple team starts from zero. Recording outcome as a structured field per technique (detected, partial, missed) plus the rule or alert reference makes coverage measurable and replayable.

Replay is treated as a follow-up engagement, not part of the exercise

When replays are scheduled as a separate engagement weeks later, the detection improvements either never get verified or are verified against techniques the team no longer remembers. Pairing the replay to the original miss on the same record keeps verification cheap and timely.

The report is a chronological narrative rather than a coverage document

A narrative report tells the attack story but does not produce a usable detection-engineering deliverable. Reporting by technique and outcome (detected, partial, missed, replayed, closed) gives the SOC, the detection team, and risk a document each one can act on without translation.

One record, five working views

Purple team exercises are multi-stakeholder by construction. Red operators, blue analysts, detection engineers, the engagement lead, and the internal stakeholder each need a different view of the same work. The platform serves all five from the same engagement record so the data stays consistent and the views stay role-appropriate.

Role: what they see

Red team operator: Logs each action against the engagement with the MITRE ATT&CK tactic and technique tag, attaches command output and screenshots, and moves on. The same record is visible to the blue side in real time.

Blue team analyst: Reviews tagged actions as they appear, marks each one detected, partial, or missed, links the SIEM rule or EDR alert, and opens findings for missed techniques. No separate ticket queue, no out-of-band Slack thread.

Detection engineer: Picks up findings for missed techniques, tunes the rule or query, attaches the new detection logic, and triggers the replay. The same record carries the original miss, the rule change, and the replay outcome.

Engagement lead: Sees coverage by technique across the engagement, the open findings, the replay queue, and the deliverables. Approves the report once replays are closed and signs off on the engagement.

Internal stakeholder: Sees the coverage picture through the branded portal: which techniques are covered, which are gapped, which are scheduled for replay, and which are closed. The view is live, not a static PDF that aged out the day after the readout.

Coverage metrics that drive a continuous purple team programme

Once exercises live as structured records, the programme gets a small set of operating metrics that previously took a quarterly spreadsheet to assemble. The six below are a workable core set.

  • Technique coverage rate (detected and partial as a share of all techniques exercised) so the SOC can report on real coverage rather than rule count. Report the partial share on its own as well, since folding it into the covered figure flatters the posture.
  • Mean time to detect per technique, measured from action timestamp to alert correlation, so the team can see where telemetry is fast and where it is slow. This presumes the operator's action log and the SIEM share a common time reference.
  • Replay success rate (techniques moving from missed to detected after rule tuning) so detection engineering can demonstrate output, not just effort.
  • Coverage drift between exercises so the team can spot when previously covered techniques regress because of a rule change, a vendor update, or a log source outage.
  • Gap aging (how long a missed technique stays open before a fix and a successful replay) so detection backlog is visible the same way vulnerability backlog is.
  • Coverage by tactic family so the picture is balanced across initial access, execution, persistence, lateral movement, exfiltration, and impact rather than skewed to whatever the team last cared about.
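The structured outcome field described under "Detection outcomes are recorded in free text" and the six metrics above are straightforward to compute once every action is a row with a technique ID, a tactic, timestamps and a constrained outcome value. The following is an added example, not SecPortal code or schema: the field names, the outcome vocabulary, the rule that a replay outcome supersedes the original call, and the sample exercises are all this example's own assumptions. It rejects free-text technique tags and outcomes at write time, then derives coverage rate (before and after replay), mean time to detect per technique, replay success rate, gap aging, coverage by tactic, and drift against a previous exercise.

```python
"""Coverage metrics over structured purple team records.

Added example, not SecPortal code. One row per exercised action carries the ATT&CK
technique and tactic, the action time, a structured outcome (detected / partial / missed),
the first correlated alert time, and any replay outcome paired to the original miss.
Field names are this example's own assumptions, not the product's schema.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1059, or sub-technique T1059.001
RANK = {"missed": 0, "partial": 1, "detected": 2}  # structured outcome, worst to best


@dataclass(frozen=True)
class Action:
    technique: str                      # ATT&CK technique or sub-technique ID
    tactic: str                         # ATT&CK tactic name
    acted_at: datetime                  # when the red operator ran the action
    outcome: str                        # blue team's call: detected | partial | missed
    alerted_at: datetime | None = None  # first correlated SIEM/EDR alert, if one fired
    replay_outcome: str | None = None   # outcome of the replay paired to this action
    replayed_at: datetime | None = None

    def __post_init__(self) -> None:
        # Reject free text at write time so every row stays aggregable.
        if not TECHNIQUE_ID.match(self.technique):
            raise ValueError(f"not an ATT&CK technique ID: {self.technique!r}")
        for value in (self.outcome, self.replay_outcome):
            if value is not None and value not in RANK:
                raise ValueError(f"outcome must be one of {sorted(RANK)}: {value!r}")


def final_outcome(a: Action) -> str:
    """Outcome after the paired replay if one ran, else the original call."""
    return a.replay_outcome or a.outcome


def coverage_rate(actions: list[Action], after_replay: bool = False) -> float:
    """Share of distinct techniques exercised that were detected or partially detected."""
    best: dict[str, str] = {}
    for a in actions:
        o = final_outcome(a) if after_replay else a.outcome
        best[a.technique] = max(best.get(a.technique, "missed"), o, key=RANK.__getitem__)
    return sum(o != "missed" for o in best.values()) / len(best) if best else 0.0


def mean_time_to_detect(actions: list[Action]) -> dict[str, float]:
    """Per technique, mean seconds from action to first correlated alert, where one fired."""
    samples: dict[str, list[float]] = defaultdict(list)
    for a in actions:
        if a.alerted_at is not None:
            samples[a.technique].append((a.alerted_at - a.acted_at).total_seconds())
    return {t: mean(v) for t, v in samples.items()}


def replay_success_rate(actions: list[Action]) -> float:
    """Share of replayed misses that moved out of 'missed' after rule tuning."""
    replayed = [a for a in actions if a.outcome == "missed" and a.replay_outcome is not None]
    return sum(a.replay_outcome != "missed" for a in replayed) / len(replayed) if replayed else 0.0


def gap_age_days(actions: list[Action], now: datetime) -> dict[str, int]:
    """Days each miss stayed open: until its successful replay, or until now if still open."""
    ages: dict[str, int] = {}
    for a in actions:
        if a.outcome == "missed":
            closed = a.replayed_at if a.replay_outcome not in (None, "missed") else None
            ages[a.technique] = ((closed or now) - a.acted_at).days
    return ages


def coverage_by_tactic(actions: list[Action]) -> dict[str, float]:
    """Coverage rate per ATT&CK tactic, so one gap cannot hide behind the global average."""
    by_tactic: dict[str, list[Action]] = defaultdict(list)
    for a in actions:
        by_tactic[a.tactic].append(a)
    return {t: coverage_rate(v) for t, v in by_tactic.items()}


def coverage_drift(previous: list[Action], current: list[Action]) -> list[str]:
    """Techniques covered last exercise (after replay) but missed now: regressions to chase."""
    was_covered = {a.technique for a in previous if final_outcome(a) != "missed"}
    return sorted(was_covered & {a.technique for a in current if a.outcome == "missed"})


# Constructed sample data: a previous exercise and the current one, with one regression.
T0 = datetime(2024, 5, 6, 9, 0)
P0 = T0 - timedelta(days=90)
NOW = T0 + timedelta(days=14)
LAST_EXERCISE = [
    Action("T1059.001", "Execution", P0, "detected", alerted_at=P0 + timedelta(seconds=45)),
    Action("T1021.002", "Lateral Movement", P0, "detected", alerted_at=P0 + timedelta(seconds=120)),
]
THIS_EXERCISE = [
    Action("T1059.001", "Execution", T0, "detected", alerted_at=T0 + timedelta(seconds=30)),
    Action("T1003.001", "Credential Access", T0 + timedelta(minutes=15), "missed",
           replay_outcome="detected", replayed_at=T0 + timedelta(days=4)),
    Action("T1021.002", "Lateral Movement", T0 + timedelta(minutes=40), "missed"),
    Action("T1048.003", "Exfiltration", T0 + timedelta(hours=1), "partial",
           alerted_at=T0 + timedelta(hours=1, minutes=5)),
]
```

On the constructed sample, coverage is 0.5 before replay and 0.75 after, the replay success rate is 1.0 because the only replayed miss (T1003.001) now detects, T1021.002 shows up both as an open gap aged 13 days and as drift against the previous exercise, and coverage by tactic exposes the two zero-coverage tactics that the headline figure averages away. The `.days` truncation in gap aging is deliberate: a gap is reported in whole days open, which is how a backlog view normally reads.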

How purple teaming connects to the rest of the platform

Purple teaming is not a separate module. It sits on top of engagement management for scope and lifecycle, uses team management for role-based assignment across red, blue, and detection-engineering operators, draws from findings management for the structured technique findings, feeds AI reports for the coverage deliverable, and ships through the client portal when the engagement is delivered to internal stakeholders or to a client paying for the exercise. The technique mapping draws from the same MITRE ATT&CK framework workspace the red team reporting workflow uses. After the engagement, missed techniques flow into the remediation tracking workflow with detection-engineering owners and target dates, so closure is tracked the same way vulnerability remediation is.

For pentest firms, MSSPs, internal security teams, and in-house red teams

The shape of the purple team problem changes with the buyer and the operator. The platform serves the four common shapes from the same workspace.

Pentest firms: Sell purple team engagements alongside the existing red team and pentest portfolio. One workspace covers scoping, execution, replay, and a coverage report the client can act on without a translation layer.

MSSPs: Run purple team exercises against the detection stack you already operate for the client. The shared record means the SOC analyst and the offensive operator are on the same evidence at the same time, not waiting on a debrief that ages out.

Internal security teams: Run a continuous purple team programme without a full GRC stack. Tag exercises by technique, track coverage drift over time, and keep detection engineering output visible alongside vulnerability remediation in the same workspace.

In-house red teams: Pair offensive operations with detection engineering on shared engagement records. Technique findings, evidence, and detection gaps live on the same finding the next operation will plan against rather than in a debrief deck.

Purple teaming is one of those workflows where the operating leverage is in the feedback loop, not in the engagement itself. When attack, detection, gap, fix, and verification live on the same record, every exercise leaves the detection programme in a measurably better place. The goal of this workflow is to make running purple teams the path of least resistance for the offensive operator, the SOC, and the detection engineer at the same time.

Frequently asked questions about purple team operations

What is a purple team operations platform?

A purple team operations platform is software that runs collaborative red and blue team exercises on a single shared record. SecPortal lets red operators log actions tagged with MITRE ATT&CK, lets blue operators record detection outcomes against the same actions in real time, opens structured findings for missed techniques, supports replay against the same record after detection rules are tuned, and produces a coverage-oriented report rather than a chronological narrative.

How is purple teaming different from red teaming?

Red team engagements optimise for stealth and simulate an unannounced adversary; the defending team learns by responding to a realistic incident. Purple team engagements optimise for feedback; red and blue operators work in coordination on a defined set of techniques to validate detection coverage. Both are valuable, but they answer different questions. SecPortal supports both: red teaming lives in the dedicated red team reporting workflow, while purple teaming uses this collaborative shared-record workflow.

Do you support MITRE ATT&CK technique tagging?

Yes. Every finding can be tagged with MITRE ATT&CK tactics, techniques, and sub-techniques, and the engagement view aggregates coverage by tactic and technique. The dedicated MITRE ATT&CK framework page covers the tagging model and how it ties to red team and purple team reporting.

How do replays work after a missed technique?

A missed technique becomes a finding with the technique ID, the evidence from the original action, and a remediation owner on the detection-engineering side. After the rule or query is tuned, the replay is logged against the same finding with the new evidence and the updated outcome. The audit trail shows attack, gap, rule change, replay, and final outcome on a single record so the engagement does not depend on a shared spreadsheet.

How is severity scored when both attack capability and detection gap matter?

Findings carry CVSS 3.1 severity for the attacker capability so the rating is comparable to other findings in the platform. The detection-impact rating sits alongside it as a separate field captured at triage time. A medium-severity technique with no detection coverage often outranks a high-severity technique that already triggers an alert, and reporting the two ratings side by side keeps risk decisions grounded.
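The two-rating model in the "Severity tied to detection outcome" capability and in this answer can be made concrete with a small triage routine. This is an added example, not SecPortal's scoring: the severity bands are the published CVSS v3.1 qualitative rating scale, but the detection-impact levels, their names, and the ordering rule (largest detection gap first, CVSS base score as the tie-breaker) are this example's own assumptions about how the two fields might be combined for triage.

```python
"""Two ratings side by side: CVSS 3.1 for the attacker capability, detection impact for the gap.

Added example, not SecPortal's scoring. The severity bands are the published CVSS v3.1
qualitative rating scale; the detection-impact levels and the ordering rule (gap first,
then score) are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


def cvss_band(score: float) -> str:
    """CVSS v3.1 qualitative severity rating scale: None, Low, Medium, High, Critical."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Detection-impact rating captured at triage; higher means a bigger defender gap. Assumed levels.
DETECTION_IMPACT = {
    "missed": 3,          # nothing fired
    "partial": 2,         # fired on part of the chain, or only after analyst correlation
    "detected": 1,        # alert fired but paged nobody
    "detected_paged": 0,  # alert fired and triggered the on-call response
}


@dataclass(frozen=True)
class Finding:
    technique: str    # ATT&CK technique ID
    cvss_base: float  # CVSS 3.1 base score for the attacker capability
    detection: str    # one of DETECTION_IMPACT's keys

    def __post_init__(self) -> None:
        if self.detection not in DETECTION_IMPACT:
            raise ValueError(f"unknown detection outcome: {self.detection!r}")
        cvss_band(self.cvss_base)  # range check only

    @property
    def severity(self) -> str:
        return cvss_band(self.cvss_base)

    @property
    def detection_impact(self) -> int:
        return DETECTION_IMPACT[self.detection]


def triage_order(findings: list[Finding]) -> list[Finding]:
    """Largest detection gap first, then CVSS, so an undetected Medium sits above a paged High."""
    return sorted(findings, key=lambda f: (-f.detection_impact, -f.cvss_base, f.technique))


def report_rows(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """One row per finding with both ratings side by side, in triage order."""
    return [(f.technique, f.severity, f.detection) for f in triage_order(findings)]


# Constructed sample findings: the paged High lands last, the undetected Medium first.
SAMPLE = [
    Finding("T1003.001", 8.1, "detected_paged"),
    Finding("T1059.001", 5.5, "missed"),
    Finding("T1021.002", 7.2, "partial"),
]
```

Keeping the two ratings as separate fields, and only combining them in the sort key, is what lets the report show both columns unchanged while still putting the undetected Medium above the already-paged High.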

Can multiple operators work the same purple team engagement at once?

Yes. Multi-operator engagements are first-class. Role-based access keeps red operators, blue operators, detection engineers, and engagement leads scoped to the work they own while the engagement record stays shared. Activity is timestamped per user so the audit trail shows who logged what, when, and against which technique.

How does the report differ from a red team narrative report?

A red team narrative report walks the reader through the attack story chronologically. A purple team report is organised by technique and outcome (detected, partial, missed, replayed, closed) so the deliverable is a coverage document the SOC, the detection team, and risk can act on directly. AI generates both formats from the same underlying tagged findings; the choice is a report-template decision per engagement.

How it works in SecPortal

A streamlined workflow from start to finish.

1. Plan the exercise with shared objectives

Capture the engagement scope, the threat scenarios in scope, the rules of engagement, and the detection objectives the blue team is calibrating against. Both sides see the same record from kickoff.

2. Execute attacks with technique tagging

Tag every action with the MITRE ATT&CK tactic and technique it represents, using the technique ID and, where one applies, the sub-technique ID (T1059 versus T1059.001, for example). Attach timestamped evidence inline so the blue team can correlate against telemetry without waiting for a debrief.

3. Log detections and gaps in real time

The blue team marks each technique as detected, partially detected, or missed, and links the SIEM rule, EDR alert, or log query that caught it. Missed techniques become structured findings with remediation owners.

4. Calibrate, replay, and verify

Tune detection rules against the gaps, replay the failed techniques, and verify the new coverage on the same record. The replay outcome lives next to the original miss so the audit trail shows attack, gap, fix, and verification.

5. Report by technique and outcome

AI generates a purple team report organised by technique and outcome (detected, partial, missed, replayed, closed) rather than by chronological narrative. Deliver through the branded portal so internal stakeholders see the live coverage picture, not a frozen PDF.

Run purple teams that improve detection

One record for attack, detection, gap, fix, and verification. Start free.
