Do We Need a Purple Team?

Understanding Purple Teams

October 4, 2019

A good way to think of Purple Teams is as a mixture of Red (sword) and Blue (shield) teams in pentesting processes. They are professional hackers who simulate attacks and protect an organization’s information.


In cybersecurity, organizations should understand that a Purple Team is a communication bridge that allows Blue and Red Teams to work together in a simulated cyberattack. The main goal is to help improve the organization’s security posture. In other words, a Purple Team can help coordinate both teams and increase their effectiveness. We have to be careful with the implementation and execution of a Purple Team [1], as Julian Arango [2] says:

In some cases, this interaction can propitiate malfunctions inside the organizations, especially when the affected parties are biased by their interest and can manipulate or conduct the results of a pentest.

What does a Purple Team do?

Important features are [3]:

  1. Analyze: They analyze the behavior and interactions between the Red and Blue Teams. Throughout the process, they can also generate recommendations, suggestions, and improvements for both parties. However, in practice, if there are no well-defined cybersecurity objectives [4] and there are personal interests regarding the test outcome, a conflict of interest is likely. The organization can then encounter a variety of problems, including tampering with pentesting outcomes and a lack of blind spot detection [5], among others.

  2. Detection: They identify how the Red Team can bypass the detection capabilities of the Blue Team.

  3. Remedial Actions: They can suggest fixes to avoid vulnerabilities.

  4. Transfer: Ultimately a company derives the maximum value from a Purple Team exercise by applying the new knowledge it acquires, while at the same time, ensuring stronger defenses to guard its information.

When does an organization need a Purple Team?

When Red and Blue Teams get out of sync with each other and/or have cooperation issues, it’s time to consider using a Purple Team. Some common causes that signal the need for a Purple Team are [6]:

  1. Bad Politics: Bad organizational politics does not encourage a good flow of internal information within an organization. An organization may evaluate the success of the Red Team by the number of failed controls from the Blue Team, while the success of the Blue Team may be evaluated by the number of alerts. Therefore, partners may not be motivated to share information.

  2. Slow Feedback Loop: Needed information moves too slowly between the Red and Blue Teams or, in some cases, does not even move at all. There is poor communication between the teams.

  3. Mindset: Each team works separately to achieve its objectives. For instance, the Red Team enhances its offensive exploits, while the Blue Team enhances its defensive findings. This mindset can weaken and damage the overall security system of an organization.

  4. Arrogance: Each team believes they are superior to the other team, and therefore, neither team recognizes the need to share information between them.

  5. Restricted: The Red Team is pulled inside the organization and becomes restricted, ultimately resulting in a catastrophic reduction in its effectiveness.

  6. Bad Design: The Red Team and Blue Team are not designed to interact with each other continuously, as a matter of course. Therefore, lessons learned on each side remain within each team but are effectively lost to the other.

  7. Separate Efforts: Information security management does not see the Red and Blue Teams as cooperating partners within the same work project. There are no shared metrics between them.

Figure 1. Red vs Blue, source: Photo by Samuel Zeller on Unsplash.

If your organization has one or more of these issues, a Purple Team could be your solution. Rather than considering it as a separate group of people, organizations should consider a Purple Team as a bridge facilitating maximum effective communication between Red and Blue partners.

What is not the solution?

It is not, under any circumstances, recommended that an organization use a permanent and separate Purple Team as intermediaries between the Red and Blue Teams. This would not solve the underlying problem, which is a breakdown in communication and collaboration between these teams.

So what are the possible solutions?

We need to improve communication and cooperation between teams. The following techniques can be used to accomplish both of these.

  • Team Engagement: A third party analyzes how the Red and Blue Teams regularly communicate and cooperate. Based on this analysis, the third party makes recommendations. This measure is momentary and finite. The main goal of this technique is to make the communication process smoother and to ease knowledge transfer [7].

  • Team Exercise: Both teams are monitored in real time to see how they work. The main goal of this technique is to evaluate your security controls and your ability to detect attacks, compromise, lateral movement, command-and-control communications, and data exfiltration [8]. This technique enriches and validates the detection mechanisms used in situ and helps to identify and reduce cyberattack paths.

  • Team Meetings: Periodically, Red and Blue Teams meet to share knowledge and give feedback about attacks and defenses used in the pentest process.

The benefits of appropriate implementation

Appropriate implementation will create a better flow of information between Red and Blue Teams, which means that the Red Team will learn how the Blue Team is detecting and mitigating its offenses, and the Blue Team will understand how the Red Team is bypassing its defenses. This loop of enhanced communication and knowledge sharing between teams improves the organization’s security posture.


A Purple Team should be understood as a temporary intermediary facilitating communication and collaboration between Red and Blue Teams, allowing information to flow in a continuous loop which enhances the abilities of both teams. Under no circumstances should it be used as a permanent group to mediate the relationship between a Red and Blue Team.


