Install: claude install-skill roodlicht/accans-sec-skills
# Purple Team Ops
> **Bridge skill**: this is a both-blue-and-pentest category. The actual work is collaboration — red simulates a TTP, blue tries to detect it, both learn at the same time. No surprise engagements ("see if we catch them without warning"); that is red team. Purple is planned, measured, and aimed at gap closure.
## When to use
A SOC can write endless rules without ever knowing if they cover the right TTPs. A red team can run endless engagements without the defensive side learning more than "we got owned again". Purple ops is the discipline between the two: ATT&CK-mapped, repeatable, measured.
Triggers on:
- A question like "set up a purple-team cycle", "which TTPs are we not detecting", "ATT&CK coverage measurement", "validate detection rule X against real emulation", "post-pentest debrief with the SOC".
- A handoff from `pentest-reporter` (post-engagement feedback feeding into a detection-gap approach), `detection-engineer` (rule validation), `alert-tuning` (coverage gap identified after rule retirement).
- A periodic (quarterly to half-yearly) maturity measurement of the detection stack.
- Compliance context (NIS2 Art 21 effectiveness evaluation, DORA Art 25 testing) — a purple cycle delivers evidence of "we test our controls".
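The "measured" part of a cycle is easiest to show with data. The scorecard below is an added example (not part of this skill or the roodlicht repository): it takes the outcome of each planned emulation run, scores ATT&CK coverage per technique, and produces the undetected-test backlog that would go to `detection-engineer`. Technique IDs are real ATT&CK identifiers; the results themselves are constructed.

```python
"""Purple-cycle coverage scorecard. Added example with constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class EmulationResult:
    technique: str                      # ATT&CK technique ID, e.g. "T1059.001"
    tactic: str                         # ATT&CK tactic the test case maps to
    test: str                           # short label of the planned test case
    detected: bool                      # did blue raise an alert for this run?
    minutes_to_alert: Optional[float] = None  # None when nothing fired


# Constructed results from one planned cycle (not data from any real SOC).
CYCLE = [
    EmulationResult("T1059.001", "execution", "encoded PowerShell launcher", True, 4.0),
    EmulationResult("T1059.001", "execution", "PowerShell launched via WMI", False),
    EmulationResult("T1003.001", "credential-access", "LSASS memory access, tool A", True, 2.5),
    EmulationResult("T1003.001", "credential-access", "LSASS memory access, tool B", False),
    EmulationResult("T1021.002", "lateral-movement", "admin share copy + service start", False),
]


def score_cycle(results):
    """Per technique: detected/total ratio, mean minutes-to-alert over detected runs,
    and a gap flag. A technique counts as a gap when any of its test cases went undetected,
    because one passing variant says nothing about the rule's robustness."""
    per = defaultdict(lambda: {"tactic": "", "total": 0, "detected": 0, "latencies": []})
    for r in results:
        t = per[r.technique]
        t["tactic"] = r.tactic
        t["total"] += 1
        if r.detected:
            t["detected"] += 1
            t["latencies"].append(r.minutes_to_alert)
    scored = {}
    for tid, t in per.items():
        lat = t["latencies"]
        scored[tid] = {
            "tactic": t["tactic"],
            "coverage": t["detected"] / t["total"],
            "mean_minutes_to_alert": sum(lat) / len(lat) if lat else None,
            "gap": t["detected"] < t["total"],
        }
    return scored


def gap_backlog(results):
    """Undetected test cases as (tactic, technique, test) tuples, sorted for the handoff."""
    return sorted((r.tactic, r.technique, r.test) for r in results if not r.detected)
```

Re-running the same `CYCLE` after rules are changed turns the scorecard into the quarter-over-quarter maturity measurement the triggers mention.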
### When NOT (handoff)
- Surprise red-team engagement without blue informed in advance → pentest skills (`recon-agent`, `c2-hygiene`, `post-exploit`, `pentest-reporter`).
- Writing detection rules → `detection-engineer`.
- Alert