Penetration tests are great methods to identify vulnerabilities in your network and show the risk associated with them. What happens when you have implemented your remediations? It’s time to start thinking about a red or purple team exercise.

A red team exercise emulates an adversary that may attack your organization and sees whether your controls prevent the adversary from achieving their objective, such as obtaining proprietary information or personally identifiable information. It can challenge the assumption that your enterprise and extended detection and response (EDR or XDR) capabilities will mitigate the threat and tests whether your network defenders can identify and respond to a breach.

A purple team exercise is a collaborative exercise in which the attackers collaborate with your network defenders to understand your network and the controls you have in place. The red team will define a set of tests to make sure your controls are working as anticipated and make sure your network defenders can identify the red team’s malicious activity.

Next steps

  • Evaluate the state of your network security program: A red and purple team exercise is not for every organization and is best suited for those that have a mature cybersecurity program. Some questions to help you evaluate whether a red or purple team exercise is right for you: Have you conducted a recent penetration test? Do you have an EDR or XDR solution? Do you have an incident response plan?
  • Assess whether you need a penetration test versus a red team/purple team exercise: What is the end goal of the engagement? Do you want to see whether there are vulnerabilities in your network? If so, a penetration test may be right for you. Do you want to see if your cybersecurity controls can detect and respond to an intrusion? In that case, a red or purple team exercise may be right for you.
  • Conduct a red team or purple team exercise: A red team exercise is less collaborative and provides a test for your network defenders and your EDR or XDR capabilities, as the organization may or may not choose to disclose the red team exercise to their security personnel. A purple team exercise makes sure your network defenders can see the attacks happening in real time or your EDR or XDR capabilities can detect and prevent malicious activity.