Purple Teaming Is Whatever Your Org Actually Needs
Mike Small and Anthony Jirishek (AJ) run the See Suite Cyber Podcast and have spent years rotating between red, blue, and purple. Their core argument cuts through the marketing noise: purple teaming is not a fixed thing. It is a collaborative posture that adapts to your org's maturity, headcount, and budget. There is no template. There is your team, your gaps, and what you can sustain.
When You Actually Need Purple
The symptoms are recognizable. Red is constantly owning blue and the blue team feels disenfranchised. Operations are siloed because of legal sensitivity around offensive ops, so blue cannot build detections for what they cannot see. Analysts are reactive — working tickets and never hunting. There is no shared learning loop, so the same finding shows up in three years of red team reports. AJ's pet peeve here is sharp: do your analysts work the alert, or do they perform an investigation? He has watched analysts refuse to pivot or expand a time window because that would be "hunting" and "out of scope."
Four Models, Pick the One You Can Sustain
Mike and AJ break purple into four flavors: external (hire in for an engagement, low maturity / low headcount), ad hoc campaign-based (hey Bob and Sally, work together on this one), embedded (a cross-disciplinary team operating as a unit), and dedicated continuous (a standing purple team — what Mike and AJ built at the bank). The point is not to chase the most mature option. The point is to match the model to budget and headcount, because anything beyond what you can support fails culturally.
Adapting: Custom Malware, Required Exercises, and the Same Test for Every Analyst
Mike built custom malware for exercises so the team could test in-memory versus on-disk detection paths, vary the loader (reflective, side-load, string changes), and find where techniques actually surface in the security stack rather than where you assume they should. AJ pushed required, repeatable exercises that every analyst ran — same starting point, same flags to identify — which produced an honest baseline of where each analyst stood. Junior analysts who never see real investigations finally got reps. The exercises also doubled as performance management input and as A/B tests for new tooling.
What They Actually Found
The wins were not the breach narratives. They were the gaps. Tools assumed to be working were dropping logs. EDRs catching on-disk variants of a technique completely missed the in-memory version. Zoom logs had better geo data than the corporate VPN, which kept resolving Canadian users to Israel or Pakistan. CTI delivered spreadsheets of indicators when what purple needed was tactical TTPs. And the political win — tracking gaps identified rather than tickets closed — meant their value did not depend on another team's remediation cycle. Some problems took two years to fix; staying close and noisy got them fixed.
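The findings above (a technique caught on disk but missed in memory, sources that were silently dropping logs, and "gaps identified" as the metric) can be tracked with a small coverage script. This is an added example, not the hosts' tooling; the technique labels, tool names and timestamps are constructed placeholders.

```python
# Added example: purple-team coverage tracker. Techniques, tools and times are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Observation:
    technique: str   # constructed technique label
    variant: str     # "on-disk" or "in-memory"
    tool: str        # the control expected to surface it
    detected: bool

def coverage_gaps(obs):
    """{technique: {variant: [tools that missed it]}} for every variant no tool caught,
    so a technique caught on disk but missed in memory stands out as a gap."""
    seen = defaultdict(lambda: defaultdict(dict))
    for o in obs:
        seen[o.technique][o.variant][o.tool] = o.detected
    gaps = {}
    for tech, variants in seen.items():
        for variant, tools in variants.items():
            if not any(tools.values()):
                gaps.setdefault(tech, {})[variant] = sorted(tools)
    return gaps

def silent_sources(last_seen, now, max_silence=timedelta(hours=1)):
    """Log sources whose newest event is older than max_silence: configured but no
    longer shipping, which nothing alerts on unless you check for it."""
    return sorted(src for src, ts in last_seen.items() if now - ts > max_silence)

def gaps_closed(previous, current):
    """Quality KPI from the episode: gaps present in the previous run and absent now."""
    prev = {(t, v) for t, vs in previous.items() for v in vs}
    cur = {(t, v) for t, vs in current.items() for v in vs}
    return sorted(prev - cur)

# Constructed results from one exercise run and the log-source inventory at its end.
RUN = [
    Observation("credential dumping", "on-disk", "EDR", True),
    Observation("credential dumping", "in-memory", "EDR", False),
    Observation("credential dumping", "in-memory", "SIEM", False),
    Observation("lateral movement", "in-memory", "EDR", True),
]
NOW = datetime(2024, 1, 1, 12, 0)
LAST_SEEN = {"EDR": NOW - timedelta(minutes=5), "VPN": NOW - timedelta(hours=6)}

if __name__ == "__main__":
    print(coverage_gaps(RUN))              # {'credential dumping': {'in-memory': ['EDR', 'SIEM']}}
    print(silent_sources(LAST_SEEN, NOW))  # ['VPN']
```

Re-running the same exercise after a fix and diffing with gaps_closed gives the "gaps closed" number the hosts prefer over ticket counts.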
Who Should Watch
SOC leads thinking about standing up purple, red teamers tired of finding the same things and getting nothing fixed, blue analysts who want a path from tickets to investigations, and security leaders trying to justify the program to a board that wants ticket counts. AJ's line summarizes it: KPIs are mostly trash if they are quantity-based. Move to quality outcomes — net new detections, gaps closed, real-world wins traced back to training reps.