Measuring early success
How do you know purple teaming is working?
Qualitative indicators
Improved communication: Red and blue teams talk regularly, share information, and collaborate on priorities.
Learning mindset: Teams view gaps as opportunities rather than failures. Psychological safety enables honest assessment.
Faster improvement: Time between discovering gaps and implementing fixes decreases.
Shared understanding: Teams use common language (MITRE ATT&CK, TTP terminology, etc.) and agree on priorities.
Quantitative indicators
Detection coverage: Percentage of tested ATT&CK techniques that generate alerts increases.
Detection speed: Mean time to detect (MTTD) for simulated attacks decreases.
Response effectiveness: Mean time to respond (MTTR) and quality of response improve.
Remediation rate: Findings from exercises get fixed before the next exercise. Gap backlog decreases rather than grows.
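
One way to track the quantitative indicators between two exercises, as an added example that is not part of the original page. The record layout, the exercise names and all timestamps are constructed, and measuring MTTR from alert to response is an assumption:

```python
from collections import namedtuple
from datetime import datetime
from statistics import mean

# Constructed sample records, one per technique executed in an exercise.
# alerted/responded are None when no alert fired; gap_fixed is set only for
# missed techniques: was the gap closed before the next exercise?
Run = namedtuple("Run", "exercise technique executed alerted responded gap_fixed")
RUNS = [
    Run("Q1", "T1059.001", "09:00", "09:40", "10:40", None),
    Run("Q1", "T1003.001", "09:30", None, None, True),
    Run("Q1", "T1021.002", "10:00", None, None, False),
    Run("Q1", "T1053.005", "10:30", "11:50", "13:30", None),
    Run("Q2", "T1059.001", "09:00", "09:10", "09:40", None),
    Run("Q2", "T1003.001", "09:30", "09:50", "10:30", None),
    Run("Q2", "T1021.002", "10:00", None, None, True),
    Run("Q2", "T1053.005", "10:30", "11:00", "11:50", None),
]

def minutes(start, end):
    fmt = "%H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return delta.total_seconds() / 60

def exercise_metrics(runs, exercise):
    rows = [r for r in runs if r.exercise == exercise]
    detected = [r for r in rows if r.alerted]
    responded = [r for r in detected if r.responded]
    missed = [r for r in rows if not r.alerted]
    return {
        "coverage_pct": 100 * len(detected) / len(rows),
        "mttd_min": mean(minutes(r.executed, r.alerted) for r in detected) if detected else None,
        "mttr_min": mean(minutes(r.alerted, r.responded) for r in responded) if responded else None,
        "remediation_pct": 100 * sum(bool(r.gap_fixed) for r in missed) / len(missed) if missed else None,
    }

def trend(prev, cur):
    """True where the indicator moved in the direction the page calls success."""
    return {
        "coverage_pct": cur["coverage_pct"] > prev["coverage_pct"],
        "mttd_min": cur["mttd_min"] < prev["mttd_min"],
        "mttr_min": cur["mttr_min"] < prev["mttr_min"],
        "remediation_pct": cur["remediation_pct"] > prev["remediation_pct"],
    }

if __name__ == "__main__":
    q1, q2 = exercise_metrics(RUNS, "Q1"), exercise_metrics(RUNS, "Q2")
    print(q1, q2, trend(q1, q2), sep="\n")
```

MTTD here averages only the techniques that were detected, so read it alongside coverage: a low MTTD with low coverage means fast alerts on a small part of what was tested.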