Purple Team Exercise Framework
Version 4 Is Here.
Purple Teaming Just Got a Framework It Deserves.
The free, open-source standard for running structured purple team exercises, now with a Detection Engineering lifecycle, Maturity Model, graded scoring, and AI/ML coverage. No C2 framework. No paid tools required.
v4: Latest release
10: Printable one-pager guides
3: Native emulation plans included
100%: Free & open source
The Problem
Most purple team exercises produce findings, not outcomes.
Teams run exercises, generate a report, and file it away. Pass/fail scoring doesn't capture nuance. Findings don't automatically feed the detection engineering pipeline. There's no map of where the program stands or how to advance it. PTEF v4 was built to close every one of those gaps.
Pass/Fail is how most teams score exercises today, a binary that tells you nothing about detection quality, visibility gaps, or which controls actually degraded attacker capability.
Siloed exercise findings never reach the detection engineering pipeline; hunt observations stay in spreadsheets instead of becoming production detections your SOC can actually act on.
No Map of where your program stands. Without a maturity model, teams repeat the same exercise level indefinitely, never knowing what "advanced" looks like or how to get there.
What Is PTEF
Not a checklist. Not a playbook. An operational standard.
The Purple Team Exercise Framework is SCYTHE's open-source standard for planning, executing, and measuring adversary emulation exercises across red and blue teams. PTEF gives organizations a repeatable, scoreable, and maturity-tracked approach (from scoping through detection engineering) without requiring any paid tools or vendor platforms.
Vendor-Neutral
Works with any tooling stack. No C2 framework, no SCYTHE license required. The three included emulation plans run natively.
Full-Lifecycle
Covers scoping, threat intel selection, exercise execution, detection gap analysis, and the feedback loop into production detection engineering.
Measurable
Graded 0–5 outcome scoring and a gap categorization framework replace subjective pass/fail assessments with data you can act on.
Community-Driven
Built by practitioners, iterated in public. v4 incorporates feedback from teams running exercises across enterprise, cloud, OT, and government environments.
What's New in v4
Eight upgrades that change what purple teaming can produce.
v4 moves PTEF from an exercise guide to a complete program framework, with maturity tracking, detection engineering integration, AI/ML coverage, and everything a modern security team needs to run structured exercises at scale.
Process & Scoring
Graded Outcome Scoring
A 0–5 scale replaces binary pass/fail. Each score represents a meaningful detection posture: from no visibility (0) to automated, tuned response (5). Finally, data you can trend over time.
Gap Categorization Framework
Five gap types (from visibility gaps to process gaps) give teams a structured vocabulary for what went wrong and who owns the fix. No more vague "detection missed this."
Detection Engineering Lifecycle
Exercise outcomes are now formally integrated into a detection engineering lifecycle. Findings don't die in a report; they feed a structured process for building and validating production detections.
Threat Hunt → Detection Pipeline
A first-of-its-kind pipeline that turns hunt findings into production detections. Hunt observations become validated, documented detections, closing the loop between offensive exercise and defensive outcome.
Coverage & Program
Purple Team Maturity Model
A self-assessment model that maps where your program stands today and what a path to advancement looks like. Finally answer the question every CISO asks: "Are we getting better?"
AI/ML Attack Surface Coverage
MITRE ATLAS-mapped coverage for AI and ML attack surfaces. As adversaries incorporate AI-enabled techniques, your exercises can now test whether your defenses keep pace.
Cloud & Identity Scoping
Dedicated scoping guidance for cloud and identity attack paths, the two most exploited surfaces in modern breaches. Stop running endpoint-only exercises in a hybrid-cloud world.
MITRE ATT&CK Alignment
Updated to current ATT&CK versions with expanded technique coverage across all three included emulation plans: Volt Typhoon, PsExec lateral movement, and AI Discovery.
What's Included
Everything you need to run, score, and improve exercises.
PTEF v4 ships as a complete operational package, not a document you have to interpret. Print the guides, load the templates, and run the emulation plans in your own environment, starting today.
Reference Guides
10 Printable One-Pager Guides
Quick-reference cards covering scoring, gap types, detection engineering stages, maturity model levels, cloud scoping, identity attack paths, AI surface coverage, and more.
Sample guides include
→ Graded Outcome Scoring Reference
→ Gap Categorization Quick Card
→ Detection Engineering Lifecycle
→ Maturity Model Self-Assessment
Exercise Templates
4 Ready-to-Use Exercise Templates
Pre-built exercise frameworks for different program maturities and scoping contexts, from first-run exercises through advanced, multi-domain campaigns covering cloud, identity, and AI surfaces.
Templates cover
→ Scoping & Threat Intel Selection
→ Exercise Execution Runbook
→ Outcome Scoring & Gap Logging
→ Detection Engineering Handoff
Native Emulation Plans
3 Production-Ready Emulation Plans
Three fully documented adversary emulation plans built to run natively: no C2 framework and no additional vendor tool required. Execute in your environment on day one.
Included Plans
→ Volt Typhoon (nation-state, critical infra)
→ PsExec Lateral Movement
→ AI Discovery (MITRE ATLAS mapped)
New in v4 — Maturity Model
Where does your purple team program actually stand?
The PTEF v4 Purple Team Maturity Model gives teams a self-assessment framework with five defined levels, from initial, ad-hoc exercises through a continuously optimized, intelligence-driven program. Know where you are. Know what "next" looks like. Benchmark without a consultant.
01 Initial: Ad-hoc exercises with no consistent structure or scoring methodology.
02 Developing: Defined process exists. Exercises are documented and repeatable across teams.
03 Defined: Graded scoring applied. Gap categorization in use. Findings feed detection reviews.
04 Managed: Detection engineering loop closed. Hunt-to-detection pipeline active. Metrics tracked over time.
05 Optimizing: Continuous, intelligence-driven program. AI/ML and cloud surfaces covered. Measurable posture improvement quarter-over-quarter.
Who Uses PTEF
Built for operators. Relevant to everyone in the security org.
PTEF v4 was built by practitioners who run exercises for a living. But with the Maturity Model, Detection Engineering lifecycle, and executive-ready gap analysis, it now speaks to every layer of the security organization.
Red Teams
Three emulation plans run natively, no platform purchase required. Volt Typhoon, PsExec, and AI Discovery give you current, relevant scenarios with ATT&CK coverage baked in. Spend time emulating, not building.
Blue Teams / Detection Engineers
The Detection Engineering lifecycle and Threat Hunt → Detection Pipeline were built for you. Exercise findings no longer vanish into a PDF; they become structured detection engineering work items with documented validation evidence.
Purple Team Leads
Four exercise templates, 10 reference guides, graded scoring, and five gap categories give you a complete operational toolkit. Run more exercises, faster, with consistent methodology across every engagement.
CISOs & Security Leadership
The Maturity Model and graded scoring give you the metrics to answer "Are we improving?" in board language. Gap categorization maps directly to investment decisions: visibility gaps, process gaps, and tooling gaps require different budget conversations.
How It Works
Download today. Run your first exercise this quarter.
01 Download & Baseline
Download PTEF v4 and complete the Maturity Model self-assessment. It takes under 30 minutes and gives you a documented baseline: where your program sits today, which gaps are highest priority, and which template to start with.
02 Scope & Execute
Use the scoping templates and threat intel guidance to select your scenario. Pick one of the three native emulation plans or build from the exercise templates. Execute in your environment, score outcomes on the 0–5 scale, and log gaps by category.
03 Close the Loop
Use the Detection Engineering Lifecycle template to convert findings into production detections. Re-run the Maturity Model after three exercises. Track your program's improvement quarter-over-quarter, and show leadership what the investment is producing.
Take It Further
PTEF gives you the framework. SCYTHE gives you the power to run it at scale.
The framework is free and tool-agnostic by design. When you're ready to operationalize it, with managed services, continuous intelligence, or a platform built for adversary emulation, SCYTHE's services extend what PTEF starts.
SCYTHE Empower
Monthly adversary TTP intelligence, live analyst sessions, and ready-to-run emulation plans: the continuous intelligence layer that keeps your PTEF exercises current with real threat actor activity.
Managed Purple Teaming
When you need SCYTHE operators running both sides of the exercise, PTEF provides the methodology, and Managed Purple Teaming provides the expertise to execute it with your team.
SCYTHE Platform
The adversary emulation platform built to run PTEF exercises at enterprise scale: automated campaign execution, detection validation, and a shared library of community-contributed emulation content.
Act Before You Need to React
Your purple team program needs a framework. This one is free.
PTEF v4. Detection Engineering lifecycle. Maturity Model. Graded scoring. AI/ML coverage. 10 one-pagers, 4 templates, 3 emulation plans. No paid tools. No strings attached.
Download PTEF v4
Adversaries don't wait.
Neither should you.
Get the complete PTEF v4 package — free, open source, and ready to run in your environment. Fill out the form and we'll send you the framework, all 10 one-pager guides, 4 exercise templates, and 3 native emulation plans.
What's in the download
✓ PTEF v4 Full Framework Document
✓ 10 Printable One-Pager Reference Guides
✓ 4 Exercise Templates (scoping through scoring)
✓ Volt Typhoon Native Emulation Plan
✓ PsExec Lateral Movement Emulation Plan
✓ AI Discovery Emulation Plan (MITRE ATLAS mapped)
No spam. No vendor lock-in. PTEF is free and open source.
We'll only use your info to send you the download and relevant SCYTHE updates.