Purple teams are like the unicorns of cybersecurity, mixing the best of offense and defense. Think of them as the all-stars who play both sides of the game, finding the weak spots and beefing up the security where it counts. But let’s be real — not everyone’s got the big bucks to put together the perfect dream team. So, what about the smaller departments and organizations? How do they build one that fits their needs, budget, and personnel? Whether you’re a small business or just tight on funds, we’re going to dive into how you can build your own purple team, no matter the budget you have to spend on tools and training — not including full time salaries.
1. The bootstrap approach: no budget, single person, open source ($0)
For the cybersecurity equivalent of a one-man band, open-source and ingenuity are key. Here’s how to make it work:
Roles and responsibilities: The solo security champion must juggle identifying threats, simulating attacks, and patching vulnerabilities. Therefore, it is ideal if this person is a tenured defender with some training and exposure in exploitation. Or an offensive security individual with access to the investigation and incident response tools and platforms to threat hunt themselves.
Open-source tools: Utilize powerful open-source tools like OWASP ZAP, Snort, DeRF (Detection Replay Framework), Zeek or Security Onion for vulnerability detection, RITA (Real Intelligence Threat Analytics) for CTI, and BURP, Metasploit, or Atomic Red Team for penetration testing. BURP Community Edition is the free one and this will mostly be a toll useful in web application pentesting. Metasploit by the same people who brought Darknet Diaries (Rapid7 is free on its own and also a part of the open-source Kali Linux OS and great for network pivot exploits.
Community engagement: Engage with online security forums and communities for the latest threat intelligence, scripts, and testing ideas. Atomic Red Team by Red Canary is a favorite amongst new purple teamers because it is a large repository of pre-scripted exploits in PowerShell for a good chunk of the MITRE ATT&CK tactics, techniques and procedures (TTPs). Many are well-known and signature-based so they should be easily prevented or detected and if not, definitely start there. Good news is once you clear these, the sophistication can start. For reporting, VECTR and DETT&CT will be your best friends. DETT&CT stands for detect tactics, techniques and combat threats and is an open-source tool that will take an XML ingest from a custom schema and output a JSON-formatted ATT&CK Navigator layer you can use to host and produce visual heat maps of various TTP coverage. VECTR is also open source and will let you upload runbooks of exploits and tie specific TTPs to campaigns or operations and track their risk and remediation by metrics that reach over a period or a specific engagement.
Training: Dedicate time to free online courses and webinars to stay abreast of the latest security trends and techniques. The Pay-What-You-Can offerings and Antisiphon Training are phenomenal at breaking both exploits and threat hunting for indicators of compromise (IoC) down to step-by-step in an enclosed, safe to practice in environment. If you have $30 to spare, TCM Academy puts out practical cyber skills training so good that they went from being a pentesting firm who trains to more of a training company who pentests. If you follow their company or employees on social media, they generally offer codes to get these courses even cheaper or free if you’re a student, veteran, single parent, or heck just because it’s a Tuesday. For both companies, their top-notch, world-renowned testers build and teach their courses so it’s directly from the experts’ mouth training.
While stretched thin, a skilled individual leveraging robust tools can still make significant strides in identifying and addressing security gaps. You may see slower detections and mitigations or smaller batches if you’re running a one-person shop, but slow progress is better than no progress. But rest assured if there is any budget spent, it will address a valid gap and be well worth the remediation ROI.
2. The cost-effective duo: some budget, two people, one paid tool (~$5,000 – $25,000)
Expanding to a duo allows for specialization and a more effective division of labor as one focuses on attack simulation (red) and the other on detection and response (blue). The benefit here is increased expediency. One person can do both but it’s a lot slower to plan, execute, and self-mitigate than the two-person approach.
Tool selection: Invest in a comprehensive tool that serves both red and blue purposes, like a security incidents and events manager (SIEM) product or a multi-functional security platform. SIEM greatly accelerate the ability to threat hunt and chain IoC. It can be done with logs alone but then the correlation is manual. The SIEM will be the first major step from the no-tool approach to cutting out the biggest manual lift. Additionally, more robust pentesting tools like BURP Enterprise edition (web app) or Cobalt Strike (network C2) will aid in more sophisticated exploits and more attack vectors being identified and remediated. There are also dedicated purple team tools at this level including PlexTrac and Scythe— both big names in the purple space. The idea is to take what VECTR does and not only provide that offensive/runbook capability but combine it with reporting and let the managers, stakeholders and blue teamers feed themselves. Relieving red teamers of the dread “retest hamster wheel.”
Training: Allocate a small budget for ongoing training to ensure both team members are at the cutting edge of cybersecurity practices. Once the free resources are exhausted, individual bootcamps and SANS certifications can quickly exhaust the little budget that is left. But membership options like INE or PluralSight cover more than one skill and can be used throughout the year. I know PluralSight specifically covers many verticals: compliance; offensive; defensive; cloud architecture as well as soft skills capabilities.
Collaborative exercises: Relying on one person to know the ins and outs of the defenses, detective technology, and exploit it themselves is possible, but we can do better. Instead, having one person who is an expert in capabilities, behaviors, and mindsets of the offensive point of view, and another dedicated to the flow, procedures, and competencies of the defensive, will drive more value. This is the initial echelons of the collaborative nature in purple teaming. The more specialties and experts we bring together, the better the outcomes and impacts. Even just these two professionals can learn and build off each other.
With a bit more financial breathing room, a two-person team can implement a more proactive security posture, reacting more quickly to new threats.
On the downside, a potential risk is siloed expertise. Only having one representative from a vast array of “defender” teams encompassing everything from detection engineering to SOC analysts, CTI analysts to enterprise risk to BCP personnel means one view is winning out in the exercises more than the other. The same goes for the offensive expertise. Chances are that a pentester specializes in one niche more than the others and so one area of testing will be well covered like web app or network and the others may be lacking.
3. The dedicated team: more budget, structured team, multiple tools (~$25,000 – $100,000)
A more substantial budget allows for a dedicated team with specialized tools.
Team structure: Although a one-person team can perform the job, that means it would take a lot longer to perform a task than if done by a team of professionals. Aim for a handful of professionals with diverse skills in ethical hacking, incident response, cyber threat intelligence, and digital forensics. Ideally with a purple lead or technical project manager as an operations manager and liaison. For offensive, this means a niche expertise in cloud pivot and escalate, web app pentesting, network command and control (C2) which are the basic pentesting swim lanes. One person can learn all of this, but it requires a budget to send them to the training and they will be a generalist, not a specialist. The same can be said for defensive verticals. We listed a number previously: detection engineering to SOC analysts, CTI analysts, BCP personnel. It’s good to include as many capabilities on the purple team as possible but depending on company and department structure, many of these could be encompassed by one person. Ideally at this stage though, a good rule of thumb is more defenders to offenders, or a 3:2 ratio.
Premium tool suite: Invest in a suite of specialized tools, such as customized intrusion detection systems (IDS), advanced penetration testing software including AttackIQ, Safebreach or SnapAttack that integrates into multiple tech stacks and other solutions. A demo of SnapAttack showed it can run sophisticated exploits and report on them, it will sync with your SIEM and write the rule that tool needs to prevent or alert on said malicious activity. It’ll write, send, test, close, and report on the TTP for you. You’ll also want threat intelligence platforms. Anomali and Recorded Future are favorites of mine for their tried-and-true resilience as well as their use cases. If you can afford a fringe technology for a gap you haven’t thought of yet- look into ZeroFox for typosquatting and domain protection (you know, those nuisance reconnaissance TTPs in the MITRE matrix everyone says “we have no control over”) and Human for those pesky bot accounts and fraudulent activity masquerading as valid users. They actually write comics about their more notable botnet take-downs, so I highly recommend a look into them.
These tools will work better if your team has elite red teamers that can get into reverse malware engineering and custom exploit development, and detection engineers who can write rules in more than just Splunk — think Security Data Lake (SDL) level crunching capabilities.
Regular red/blue exercises: Implement routine red team exercises and blue team defenses, followed by thorough debriefings to share insights and strategies. Ideally by now, the red team should have its own cadence of operations and each of these can be followed up by a purple team exercise to focus on and close those TTPs to the best of their ability. Purple Team can also intake its own testing objectives and should be included much sooner than the go live pentest in the SDLC. Use the purple team to validate sophisticated threat models and punctuate security gaps. Use the influence of recent breaches and CTI to ensure those same conditions do not exist in your systems. Begin to ask yourself not just “what does the adversary do, and does that apply to us?” but instead, “what is the most harmful or easily done thing that applies to our most critical systems and have we defended against that?” By now, you might also have abandoned solely open-book exercises and begun face-off style exercises.
Training and certifications: Budget for industry-recognized certifications and advanced training for team members. Start shelling out for SANS courses and GAIC certifications because that’s where the higher echelons of tradecraft are being taught. Also, train the defenders. Send them to learn the advanced coding, SDLC, AppSec, DevOps, and tool-specific skills they lack to unleash the full potential of that jazzy enterprise suite you spent so much money on. Stop relying on vendors to teach you how to use their tools fully and effectively.
This budget range allows for a robust purple team that can keep pace with complex threat landscapes and advanced attack vectors. Dedicating the FTE hours and resources to conducting regular attack-and-defend simulations, allows each member to learn from the other’s methodologies and procedures. Have them explain why and how each side acts and reacts and get a dialogue going. One of the most beneficial exercises I was ever a part of I saw my red teamers in a side chat saying: “So, if they detect x they have to go investigate it this far and we know it takes them that long. If we theoretically set off decoy callbacks over here to keep them occupied, we could inject here, here, and here and they wouldn’t know for weeks.” Boom.
The risk here is that you’re going to find a lot more than you bargained for and it won’t make everybody happy. But they’re growing pains you’ll be happy to endure when you can prove due diligence to get cybersecurity insurance coverage for another year.
4. The comprehensive force: larger budget, full team, extensive toolkit ($100,000+)
With a larger budget, an organization can afford a comprehensive purple team with different areas of focus.
Specialized roles: The purple team is a mix of specialists, including penetration testers, security analysts, incident responders, and cyber threat intelligence analysts. Even dedicated IaaC developers for custom tooling and social engineers to take phishing and physical tests to the next level.
Enterprise-level solutions: Deploy enterprise-level solutions like advanced persistent threat simulation, automated incident response systems, and integrated threat management ecosystems. You should have a fully equipped team of architects ensuring smooth input/output across tooling and teams, and infrastructure engineers to make their wildest custom dreams come true.
Catch me if you can ‘testing’: By now each team should have enough moxy to face unannounced, truly clandestine style testing. Red teams shouldn’t be a slam dunk every time and have to get really creative with their pivoting to be successful, and blue teams should stand a fighting chance against them. If this is not the case, go back a few steps and revisit some regression testing. By now, the purple team operators could leverage the ISSOs, architects, and infrastructure personnel to create automated custom pipelines of testing and TTPs not published to the world, but relevant, known, and tracked only to your organization. This is the ultimate peak of collaborative security and proactive resilience.
Continuous improvement programs: Regular training, industry conferences, and workshops to keep skills sharp and knowledge current.
Strategic partnerships: Look into partnerships with cybersecurity firms for external audits and threat hunting services.
This well-funded purple team is a formidable force, capable of not only defending against but also predicting and preventing potential breaches. And should the zero-day happen, all the team will be well-versed in working with each other and can readily and seamlessly rely on each other’s strengths to identify, contain, and eradicate the problem before an incident becomes a breach. Well, in an ideal world anyway.
By assessing needs, allocating resources wisely, and focusing on continuous improvement, even the most budget-conscious departments and teams can craft a purple team that provides a significant return on investment. It is often these limitations and needs that makes building a purple team such a customized and organization-specific effort. But, while they are not one-size fits all, there certainly can be proactive resilience and purple teaming for all.