Your defenses have never met a real adversary. Introduce them.
A red team finds the way in. A blue team holds the line. Purple is where they sit in the same room, so every attack teaches the defense something it keeps. We run all three, and the point is the learning.
A red team report that lands on a shelf changes nothing. The value is created when attacker and defender sit together and turn each finding into a detection. Purple is a verb, not a team.
We bring offensive and defensive expertise that talks to each other. The red team emulates real adversary behavior, the blue team measures what they catch, and in the purple session every gap becomes a new detection, a tuned alert, or a closed path. You leave with measurably better defenses, and a record of exactly what changed.
How the teams work
Each plays a distinct role, and the real outcome is what happens where they meet.
Attack
We emulate a real adversary against agreed objectives, using the tactics attackers actually use.
- Adversary emulation and scenario design
- Phishing and initial access
- Lateral movement and privilege escalation
- Objective-based, not noisy
Defend
Your defenders, supported by ours, work to detect and respond while the exercise runs.
- Detection and response under test
- Measured against real attacker actions
- Gaps and blind spots surfaced
- Response playbooks pressure tested
Improve
Red and blue in the same session, turning every finding into a lasting improvement.
- Each attack mapped to a detection
- Alerts tuned on the spot
- Coverage measured against MITRE ATT&CK
- Improvements verified, not assumed
The purple session is the product. Where red and blue meet, an exercise stops being a test and becomes an upgrade your defenses keep.
Pick the depth that fits
From a focused validation to a full adversary simulation, scoped to what you need to learn.
Penetration test
Find and prove exploitable weaknesses in a defined scope.
Red team
Objective-based adversary emulation against your live defenses.
Purple team
Collaborative sessions that turn findings into detections, live.
Breach simulation
Continuous, automated validation of controls over time.
An hour where the defense gets permanently better
This is what "purple is a verb" looks like in the room. Attack, miss, fix, prove, in the same sitting.
Kerberoast attempt against svc-backup. Ticket extracted, cracking offline.
Nothing fired. Telemetry has the 4769 events, no rule looks at encryption type.
Detection written for RC4 service ticket requests, tested against the replay. Fires in under two minutes.
Re-running the same attack path.
Alert fired, case enriched, analyst paged. Caught.
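The detection described in this session, sketched as an added example (not VIGILE's rule or code from this page): it filters 4769 events on the ticket encryption type and groups hits by requester. Field names follow the Windows Security 4769 schema; the sample events, account names other than svc-backup, and the burst threshold are constructed assumptions.

```python
from collections import defaultdict

RC4_ETYPES = {0x17, 0x18}  # RC4-HMAC and RC4-HMAC-EXP

# Constructed 4769 events (Kerberos service ticket requested); all values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "j.doe@CORP.EXAMPLE", "ServiceName": "svc-backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "j.doe@CORP.EXAMPLE", "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "j.doe@CORP.EXAMPLE", "ServiceName": "svc-web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "a.smith@CORP.EXAMPLE", "ServiceName": "svc-legacy", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.23"},
    {"EventID": 4769, "TargetUserName": "b.lee@CORP.EXAMPLE", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.31"},
    {"EventID": 4769, "TargetUserName": "c.ray@CORP.EXAMPLE", "ServiceName": "svc-sql", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.44"},
    {"EventID": 4769, "TargetUserName": "d.kim@CORP.EXAMPLE", "ServiceName": "svc-web", "TicketEncryptionType": "0xffffffff", "Status": "0x1b", "IpAddress": "::ffff:10.0.0.45"},
    {"EventID": 4624, "TargetUserName": "j.doe@CORP.EXAMPLE", "IpAddress": "::ffff:10.0.0.50"},
]

def is_rc4_service_ticket(ev):
    """True for a successful 4769 that issued an RC4 ticket for a user-run service."""
    if ev.get("EventID") != 4769 or int(ev.get("Status", "0x0"), 16) != 0:
        return False
    service = ev.get("ServiceName", "")
    # Machine accounts ($) and krbtgt have long random keys and are not cracking targets.
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return int(ev.get("TicketEncryptionType", "0x0"), 16) in RC4_ETYPES

def detect(events, burst_threshold=3):
    """Group RC4 service ticket requests by requester and source; one alert each."""
    by_requester = defaultdict(set)
    for ev in events:
        if is_rc4_service_ticket(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    alerts = []
    for (user, ip), services in sorted(by_requester.items()):
        # Many distinct services from one requester looks like enumeration, not normal use.
        severity = "high" if len(services) >= burst_threshold else "medium"
        alerts.append({"requester": user, "source_ip": ip,
                       "services": sorted(services), "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Services that legitimately still negotiate RC4 will show up as medium alerts, so a rule like this needs an allowlist or an encryption-type cleanup before the threshold means much.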
Where teaming sits in VIGILE
Validate the defenses, Learn from every gap
Teaming is the Validate and Learn motions made adversarial. We prove what holds under real attack, and the purple session turns every gap into a detection the SOC keeps.
See Managed Detection and Response
Top 10 questions, frequently asked
A penetration test finds and proves weaknesses in a defined scope. A red team is objective-based: we emulate a real adversary trying to achieve a goal, against your live defenses, to see whether you would detect and stop it. Red team is broader and more realistic, pen test is more focused.
Because the report alone rarely changes anything. In a purple session, red and blue work together so each finding becomes a detection or a closed path on the spot, and we verify it. You leave with measurably better defenses rather than a list of problems to schedule.
No. Exercises are scoped and rules of engagement are agreed in writing first. Destructive actions are simulated, production tests are supervised, and there is a live channel to stop instantly if anything real is at risk.
Directly. The detections built in the purple session go into the iTDC, so the improvement is permanent. If you run our Managed Detection and Response, teaming is how we keep proving and sharpening what it catches.
A focused red team exercise typically runs three to six weeks including scoping and reporting. Purple sessions run as one to two week sprints with your defenders in the room.
The attack narrative with every step evidenced, the detections that fired and the ones that did not, and a prioritized fix list. Purple engagements also leave behind new detection rules, tested live.
Around the scenarios that would actually hurt you: the crown jewels, the likely entry paths, and the assumptions you want pressure-tested. Scope and safety boundaries are signed before anything runs.
Cloud, identity, endpoint, email, and people are all in scope when you want them to be. Modern paths run through credentials and SaaS more often than through the perimeter.
An annual full exercise with quarterly purple sprints is the common rhythm. Re-tests after major fixes confirm the path is actually closed.
It is the Learn motion at full strength: every exercise turns into detections, hardening, and evidence that the same path no longer works.
Related services
Managed Detection and Response
Where the detections you build in the exercise live and work.
Agentic AI Red Teaming
The same adversarial rigor applied to your AI Agents.
Threat Exposure Management
Find and prioritize the exposures before an attacker does.
Test your defenses for real
Talk to a Principal Engineer about an exercise scoped to what you need to learn.