# Maturity progression

Purple team capability matures over time. Understand where you are and plan progression.
## Level 1: Ad-hoc testing (Initial)

**Characteristics:**

- Occasional one-off security tests
- No structured approach
- Limited documentation
- Minimal coordination between red and blue

**Capabilities:**

- Basic vulnerability scanning
- Penetration testing reports
- Reactive security improvements

**Next steps:**

- Establish a regular testing cadence
- Document objectives and scope
- Begin red/blue collaboration
## Level 2: Structured exercises (Developing)

**Characteristics:**

- Quarterly or semi-annual purple team exercises
- Defined objectives and scope
- Post-exercise debriefs
- Tracked improvement items

**Capabilities:**

- MITRE ATT&CK-aligned testing
- Detection coverage mapping
- Documented playbooks
- Measurement of basic metrics

**Next steps:**

- Increase exercise frequency
- Automate common tests
- Build detection engineering capability
## Level 3: Continuous validation (Managed)

**Characteristics:**

- Monthly exercises or continuous testing
- Automated TTP validation
- Regular detection tuning
- Integrated with change management

**Capabilities:**

- Automated adversary simulation
- Continuous detection coverage monitoring
- SOAR-driven response automation
- Threat intelligence integration

**Next steps:**

- Predictive defence based on intel
- Advanced adversary emulation
- Full defensive programme integration
## Level 4: Automated adversary emulation (Optimised)

**Characteristics:**

- Continuous automated testing
- Real-time defensive tuning
- Predictive threat modelling
- Purple team embedded in all security activities

**Capabilities:**

- Autonomous detection and response
- Proactive threat hunting
- Custom adversary emulation
- Security-as-code practices

## Roadmap for progression

1. Build visibility and logging (Months 1-3)
2. Establish purple team exercises (Months 3-6)
3. Increase frequency and automation (Months 6-12)
4. Continuous validation (Year 2)
5. Advanced automation (Year 2+)