13/05/2025 | Press release | Distributed by Public on 13/05/2025 07:14
At a recent Sydney luncheon, Trustwave sat down with a room of senior security leaders to dig into the evolving role of red and purple team testing in a modern technical security assurance program.
The discussion was led by Craig Searle, Trustwave's Director of Consulting & Professional Services, Pacific, and TJ Acton, Director of SpiderLabs Testing, Pacific. More than 20 Sydney-area security professionals attended the event at Restaurant Huberts.
Searle and Acton examined how Trustwave uses red and purple team testing not only to test controls, but also to ask better questions about the state of an organization's security.
Just a quick refresher on red team events. Red team engagements represent full-scale attacks orchestrated by an external security firm or, in some cases, internal teams assuming the role of malicious actors. These attacks simulate real-world scenarios to assess the effectiveness of the client's defense mechanisms.
The exercise's primary focus is to find flaws in the people, processes, and technology the "target" organization has in place. This activity mimics the tactics, techniques, and procedures (TTPs) that cyber gangs or nation-state-sponsored attackers would use during an attack.
With the primary purpose of a red team defined, Searle and Acton discussed how a red team's impact can be increased.
The two noted that red team engagements are most effective when designed to answer specific questions - not simply to "get in". Done well, a red team lets an organization test its critical assumptions about detection and response.
For example, a successful engagement should identify vulnerable digital and physical entry points, establish whether the intrusion was detected and, if so, how, and then document what the team could reach once inside: which user permissions or administrator accounts were obtained, and whether lateral movement was restricted or the team could move freely through the environment.
However, there's a delicate balance: question-led engagements should still reflect the environment they're testing and remain realistic, without being artificially constrained. For teams new to red teaming, it's perfectly fine to start broader, but the long-term goal should be to partner with your provider and evolve toward a more question-led approach.
A purple team exercise is typically the first step for a security provider and its client, and should be conducted before a red team event.
Purple teams are positioned between the offensive red and the defensive blue teams and are typically formed by security analysts or senior personnel from either the third-party provider or the client's organization.
These exercises are akin to controlled scrimmages, deliberately putting defenders in disadvantageous positions to see how they react. With oversight from the security vendor's team and client representatives guiding the simulation, the blue team gets a preview of what to expect in a red team exercise or an actual cyberattack.
Searle and Acton discussed how red and purple teaming serve different but complementary purposes. Red teaming simulates real-world attacks and tests resilience under pressure.
Purple teaming, on the other hand, is a collaborative exercise focused on tuning your existing controls - improving detection, shortening response times, and creating shared context between offensive and defensive teams.
While each type delivers an important outcome, it's best practice to put your security team through both.
Regardless of the method, the output should always be actionable.
Trustwave conducts after-action meetings with all red, purple, and blue team events, but Acton and Searle feel post-engagement workshopping with a blue team is particularly important.
A blue team exercise is a simulated cybersecurity incident or attack scenario designed to evaluate and improve the effectiveness of an organization's defensive security capabilities. The primary goal is to assess how well an internal security team responsible for defending the organization's assets can detect, respond to, and recover from a cyber threat.
During a post-engagement blue team meeting, the client and Trustwave have the time to dig into what actually happened and to understand what worked, what didn't, and why.
Did the detection fail due to a missing technical control? Or was it a process gap? Or a success because of a sharp-eyed SOC analyst? These insights can't always be captured in a static report.
All these exercises, to use a sports analogy, need to become more difficult and complex over time. Athletes don't just focus on the basics in training; they move on to learn more difficult plays and skills.
Red and purple teaming must evolve with your organization. As your environment matures, these exercises should follow, moving from one-off simulations to continuous improvement cycles that drive a programmatic uplift.
The final takeaway from this event was that red and purple teaming are no longer just tactical exercises - they're strategic tools that help you understand not just if you're secure, but why or why not.
By using these engagements to ask better questions, foster collaboration, and drive continuous improvement, organizations can move beyond checkbox testing and into true security assurance.
Whether you're just starting your journey or looking to refine your approach, the key is to treat every engagement as an opportunity to learn, adapt, and evolve.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.