performing-purple-team-exercise

Featured

Performs purple team exercises by coordinating red team adversary emulation with blue team detection validation using MITRE ATT&CK-mapped attack scenarios, real-time detection testing, and collaborative gap remediation. Use when SOC teams need to validate detection capabilities, improve analyst skills, and close detection gaps through structured offensive-defensive collaboration.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Performing Purple Team Exercise ## When to Use Use this skill when: - SOC teams need to validate that detection rules actually fire for the threats they target - Red team assessments produced findings that need translation into detection improvements - New detection tools or SIEM migrations require validation of detection coverage - Analyst training requires hands-on experience with real attack techniques and SIEM responses - Quarterly or semi-annual detection validation cycles are scheduled **Do not use** for unannounced red team engagements — purple team exercises require explicit coordination between offensive and defensive teams with real-time collaboration. ## Prerequisites - Red team capability: internal team or contracted purple team operator - Attack simulation tools: Atomic Red Team, MITRE Caldera, or C2 framework (authorized) - SIEM access for real-time alert monitoring during exercise - ATT&CK-mapped detection rule inventory with expected alert names - Isolated test environment or approved production scope with change management approval - Communication channel (Slack/Teams) for real-time red-blue coordination ## Workflow ### Step 1: Define Exercise Scope and Objectives Document exercise parameters: ```yaml purple_team_exercise: exercise_id: PT-2024-Q1 date: 2024-03-20 duration: 8 hours (09:00-17:00 UTC) scope: environment: Production (Finance VLAN, 10.0.5.0/24) systems_in_scope: - WORKSTATION-TEST01 (10.0.5.100) — Test endpoint ...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

executing-red-team-exercise

Executes comprehensive red team exercises that simulate real-world adversary operations against an organization's people, processes, and technology. The red team operates with stealth as a primary objective, employing the full attack lifecycle from initial reconnaissance through objective completion while testing the organization's detection and response capabilities. This differs from penetration testing by focusing on adversary emulation rather than vulnerability identification. Activates for requests involving red team exercise, adversary simulation, adversary emulation, or full-scope offensive security assessment.

12,642 Updated today
mukul975
AI & Automation Listed

purple-ops

Purple-team operations — structured detection validation against MITRE ATT&CK through planned emulation, measured coverage gaps, joint red+blue debrief, and tracked closure via D3FEND mapping. Bridge between the pentest bundle and the blue bundle.

4 Updated 1 weeks ago
roodlicht
AI & Automation Featured

performing-soc-tabletop-exercise

Performs tabletop exercises for SOC teams simulating security incidents through discussion-based scenarios to test incident response procedures, communication workflows, and decision-making under pressure without impacting production systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident response testing.

12,642 Updated today
mukul975
Testing & QA Featured

performing-purple-team-atomic-testing

Executes Atomic Red Team tests mapped to MITRE ATT&CK techniques, performs coverage gap analysis across the ATT&CK matrix, and runs detection validation loops to measure blue team visibility. Covers Invoke-AtomicRedTeam PowerShell execution, ATT&CK Navigator layer generation for heatmaps, Sigma rule correlation, and continuous atomic testing pipelines. Activates for requests involving purple team exercises, atomic test execution, ATT&CK coverage assessment, detection engineering validation, or adversary emulation testing.

12,642 Updated today
mukul975
AI & Automation Featured

conducting-full-scope-red-team-engagement

Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities.

12,642 Updated today
mukul975