SCYTHE provides Purple Team Exercises to US-based organizations seeking to understand what an adversary campaign might look like on their systems and whether they can successfully detect and respond to particular adversaries.


Purple Team exercises effectively and efficiently train and improve your people, processes, and technology. Red Teams and Blue Teams collaborate in a live, production environment, emulating a selected adversary that has the capability, intent, and opportunity to attack your organization. We execute emulation plans carefully constructed by our team of Cyber Threat Intelligence experts to faithfully represent relevant adversaries and how they would behave on your network.

Purple Team exercises are 'hands-on keyboard' exercises where Red and Blue teams work together, with an open discussion of each attack procedure. We don't just execute an attack and leave you to figure it out; we directly educate and assist you in detecting, alerting on, and responding to it.

At a high level, a Purple Team Exercise is executed with the following flow:

  • Present the adversary, its TTPs, and the technical details of each procedure

  • Table-top discussion of the security controls in place and expectations for what will happen when the TTP is executed

  • Emulate the TTP while sharing the screen so everyone sees and learns what the attack looks like

  • Follow the process to detect and respond to the TTP, sharing the screen to confirm which artifacts were identified

  • Discuss whether any adjustments or tuning to security controls and/or logging can be made to increase visibility

  • Repeat the procedure, record the new results, and move to the next TTP


Preparation is time-consuming, but key.

Choosing the Tactics, Techniques, and Procedures (TTPs) for a purple team exercise is the first challenge, as it requires relevant Cyber Threat Intelligence to pick an adversary that has the capability, opportunity, and intent to attack your organization. Each adversary has a number of TTPs that have been observed in the wild. If your organization does not understand which detective and preventive controls cover those TTPs, choosing which ones to use will be even more difficult.


Choosing the correct TTPs to emulate.

The TTPs used during the Purple Team exercise should be test cases that the Blue Team has detective controls against. If the TTP is prevented outright, it offers little value. If there is no visibility into the TTP at all, it educates the rest of the team but does not offer the most value. The ideal TTPs are those that are logged, detected, or alerted on, so teams can practice identifying, escalating, and containing them.

Emulating the TTPs consistently.

The next step is for the Red Team to understand and document how to emulate each TTP. Prior to launching campaigns with SCYTHE, Red Teams would need to document every command to be executed for every TTP emulated in the Purple Team exercise. Even then, some commands would not execute exactly the same way each time. Inconsistent TTP execution leads to inconsistent results.


Extensive emulation library improves efficiency.

SCYTHE makes the Cyber Threat Intelligence function more efficient with its Threat Catalog. Select the adversary and it automatically creates an adversary campaign with that adversary's TTPs. This allows for more efficient preparation: you don't have to manually analyze third-party cyber threat intelligence reports, and everything is already mapped to MITRE ATT&CK.


Payloads created ahead of exercise save time.

Instead of documenting each command that needs to be typed to emulate each TTP, the payload is created ahead of time using SCYTHE. The Red Team can test the payload execution beforehand to ensure the TTPs trigger successfully. No time is wasted on open source, manual, and inconsistent tooling.

Repeatable tests by Red Team allow Blue Team to tune defenses.

Consistent execution ensures the same TTPs, artifacts, and Indicators of Compromise (IoCs) are produced in the production environment, allowing the focus to be on Blue Team activities: the SOC looking at alerts, the Hunt Team looking at EDR and logs, and incident responders doing forensics for each TTP.


Valuable use of everyone's time.

In a typical Purple Team exercise, the Red Team is burdened with crafting emulation procedures, documenting every single command, testing them to ensure they can be executed consistently, and then manually executing them every time the defenders need to see the attack in action. SCYTHE comes prepared with a library of automated emulation plans that can be run quickly, repeatedly, and consistently at any time by us or by you, saving you time and ensuring reliable execution. We bring this capability to our Purple Team Exercises along with the expertise to help you understand the attack, engineer detections, and improve your response.

Consistent execution of TTPs.

Test procedures are documented, automated where possible, and designed to be repeated, reducing mistakes and unintended consequences. We also save you time by providing specific guidance and expectations for detections.

Improvement of people, process, and technology.

Collaboration between Red and Blue teams ensures that everyone is on the same page and understands how to detect and respond to their attackers' procedures.

A SCYTHE Purple Team Exercise enables CISOs and cybersecurity professionals to:

  • Test, measure, and improve people, process, and technology

  • See what an attack looks like on your organization's network to understand the risk before incurring the damage or costs of an actual breach

  • Train your team to attack, detect, and respond

  • Use the SCYTHE platform to continue to improve your organization’s security posture

  • More confidently respond to “could this attack happen to us?”

  • Prioritize security budget spending to address identified gaps


Want to run a Purple Team exercise? We'll help you through it! Our Professional Services team will be there every step of the way with training, consulting, and custom threat emulation.

Request a Purple Team Exercise.