The CISO’s Guide to Purple Teaming

Download the CISO’s Guide to Purple Teaming

Blue and red security teams typically live in separate organizational silos. This is partially a matter of organizational structure and partially a reflection of each group’s intent. Blue teams are the guardians of the corporate network; they are focused on defending key terrain, meeting regulatory requirements, and ensuring cybersecurity effectiveness. By contrast, red teams are, essentially, tasked with conflict. Their purpose is to lay the groundwork for a threat-informed defense, which entails developing a deep understanding of attackers’ “tradecraft and technology.”1

What Is Purple Teaming?

Although the name implies the elimination of blue and red teams as distinct entities, purple teaming does not typically involve integrating those groups on the organizational chart. Instead, red and blue teams continue to operate independently. A shift to purple teaming means that the still-distinct red and blue teams develop highly communicative, supportive, and cooperative relationships across the functional boundary.

“Purple teaming” is a relatively new security team structure in which members of blue and red teams work together collaboratively. They align processes, cycles, and information flows — and as a result, they overcome the competitive or even adversarial dynamic of the traditional siloed security approach.

Through four simple steps, this guide shows how purple teaming allows security teams to break down barriers between teams and increase operational effectiveness. Look inside for how to bring red and blue teams together in a purple team construct, incorporate automated testing in your operations, and make the most of scarce security resources.


1Focal Points: Threat-Informed Defense,” The MITRE Corporation, accessed February 17, 2021.

By submitting this form you indicate that you have read and agree to the terms of our Privacy Policy.