Teams and roles

The teams are sometimes called “cells”.

  • The purple team includes people from the organisation, and divides into red and blue subteams. Team members may flip roles rather than exclusively focusing on red or blue, helping to keep their skills flexible.

  • The red team simulates the TTP’s of a most likely adversary and tries to get at the crown jewels (usually a flag).

  • The blue team are the defenders, trying to detect the red team and responding to their actions.

  • The white team is the referee between red team activities and blue cell responses. Its people control the engagement environment/network, monitors adherence to the Rules of Engagement, coordinates activities required to achieve engagement goals, and correlates red cell activities with defensive actions. This ensures the engagement is conducted without bias to either side.

  • The green team documents what happens for a better understanding of the unseen logic of the forest, with intent of creating human-readable threat modelling.

More in →

Some typical roles and responsibilities of members of the red team:

  • Planning and organising engagements at a high level. If hierarchically organised, delegates to an assistant lead, and operators engagement assignments.

    • The Assistant Lead assists the team lead in overseeing engagement operations and operators, and can also assist in writing engagement plans and documentation if needed.

    • Operators execute assignments delegated by team leads. Interpret and analyse engagement plans from team leads.

And more agile forms are also possible, of course. It all depends on the TTP’s being simulated. The blue teams roles are those of the organisation, at least to begin with.