PTEFv4 is built for game day. Not for the slide deck. For the person running the exercise when it's live, the clock is moving, and everything needs to be in one place. That's what this version delivers.
What's New In Version 4:
The most visible change is also the most practical: quick-reference one-pagers. There are 10 printable, single-page guides covering every critical phase, including exercise checklists, roles and responsibilities, the CTI process, day-of exercise flow, metrics, and the Purple Team Maturity Model. You pull the one you need, put it on the desk, and stay focused on the exercise.

Everything else in v4 reflects where the threat landscape has moved since v3. AI and machine learning attacks are not a future concern; they are happening now. Adversaries are already targeting ML pipelines, model APIs, and training infrastructure. PTEFv4 covers MITRE ATLAS, the OWASP LLM Top 10, and AI/ML attack surface scoping. If your organization is running AI workloads and your purple team program hasn't addressed them yet, v4 gives you the starting point.
Cloud and identity coverage got a significant expansion. Modern environments are not purely on-premises anymore, and the scoping process in v4 reflects that. Identity providers and cloud infrastructure are in scope from the beginning of exercise planning, not treated as edge cases.
Detection engineering gets its own section because it is an integral part of purple teaming. V4 covers Detection-as-Code, Sigma rules, CI/CD deployment, and the full detection lifecycle. That coverage separates teams that detect consistently from teams that detect occasionally. The framework takes that seriously.
For ATT&CK alignment, v4 updates to version 18, including the shift to Detection Strategies and Analytics terminology. If you're building detection coverage against the framework, the updated language matters for your mapping work. V4 also adds a new cheat sheet that can guide you through mapping in ATT&CK.
Why This Version Matters
The PTEF has been through multiple iterations now. Each one reflects the same principle: Build for the person executing, not the person presenting. V1 addressed the internal enterprise use case. V2 expanded to consulting firms and MSSPs. V3 added Operationalized and Dedicated Purple Team models. V4 takes everything built across those versions, the models, the workflows, the hard-won field lessons, and makes it faster to execute when it counts.
The printable one-pagers are the most valuable change. The structural reorganization of the documentation underneath them is the less visible work, and it's what actually makes v4 easier to navigate under pressure.
Get Started
Download the framework and new v4 one-pagers here: https://scythe.io/downloads
OR
Pull the full framework at: https://github.com/scythe-io/purple-team-exercise-framework
Purple teaming works best when the methodology is shared and collaborated on. That's been the point since v1. V4 is the best version of that methodology to date. Go out and use it.