Purple teaming

Purple teaming is not a third team. It is a way of working in which offensive and defensive practice happen in the same loop, with shared context, real-time communication, and explicit attention to what is being learned. Done well, it reveals what defences actually detect rather than what they are hoped to detect, and it closes the gap between the vulnerability finding and the organisational capability to act on it.

The Weinberg and Satir work is directly applicable here. Most purple teaming fails not because the technical execution is poor but because the conditions for learning and change are not optimal (being diplomatic here): the emotional layer is not accounted for (teams are defensive, findings feel like blame), the political layer is not addressed (no one has authority to act on the systemic findings), and the model layer is wrong (the exercise tests the environment as it was assumed to be rather than as it is). The Montessori framing applies too: a purple team exercise is a prepared environment for experiential learning, and it produces durable capability only if the reflection and facilitation conditions are right.

The practical work of building a purple team programme, including how to structure the team, how to choose between coordination modes, and how to assess readiness, is covered in the making-of section.
