“Tour of Duty” rotation programme

Building adversarial empathy through immersive cross-team exchanges


Programme overview

A structured 5-6 week rotation (one week of preparation, a 3-4 week core rotation, one week of follow-up) in which security professionals temporarily join a counterpart team to:

  • Experience real operational challenges first-hand

  • Develop mutual understanding between attackers and defenders

  • Create direct feedback channels for tool and process improvement


Core objectives

  1. Break down silos

    • Red team members experience blue team alert fatigue

    • Blue team members understand attacker time pressures

    • Developers witness how security tools perform in real incidents

  2. Accelerate learning

    • Replace theoretical knowledge with muscle memory

    • Discover undocumented system behaviours

    • Build institutional knowledge of attack/defence trade-offs

  3. Improve tooling

    • Direct developer feedback from frontline users

    • Identify critical workflow pain points

    • Co-create solutions with cross-team input


Rotation structure

Pre-rotation preparation (1 week)

  • Required reading:

    • For red→blue rotations: IR playbooks and SIEM documentation

    • For blue→red rotations: attack frameworks and tool manuals

  • Lab setup:

    • Access to sandboxed clones of production with live data scrubbed or minimised, granted on a least-privilege basis for the rotation period only

  • Shadowing sessions with rotation mentors

Core rotation (3-4 weeks)

  • Week 1: Observation and assisted tasks

  • Weeks 2-3: Primary role execution with supervision

  • Week 4: Independent contribution

Post-rotation (1 week)

  • Written lessons learned report

  • Presentation to leadership

  • Implementation plan for identified improvements


Sample rotations

Red team → Blue team

  • Tasks:

    • Triage real security alerts

    • Author detection rules

    • Participate in incident response

  • Deliverable:

    • Written proposal showing where the current detection stack could be evaded, paired with the detections that would close each gap

Blue team → Red team

  • Tasks:

    • Execute controlled attacks

    • Develop custom tooling

    • Participate in threat modelling

  • Deliverable:

    • Gap analysis of defensive coverage

Developers → Frontline teams

  • Tasks:

    • Observe tool usage in real investigations

    • Collect usability feedback

    • Debug performance issues

  • Deliverable:

    • Roadmap for tool improvements


Success metrics

  • Quantitative targets (each measured against a baseline taken before the rotation, using the same alert sources and the same definitions):

    • 30% reduction in false-positive rate (share of triaged alerts closed as false positive), driven by red team feedback on detection rules

    • 25% faster mean time to detect (time from attack start to first alert, measurable for red team exercises and confirmed incidents), driven by blue team insights

    • 40% increase in tool adoption (share of investigations using the in-house tooling), driven by developer rotations

  • Qualitative:

    • Improved cross-team communication

    • More realistic training scenarios

    • Stronger shared mental models
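
The two detection metrics above only mean something if they are computed the same way before and after the rotation. The following is an added example, not part of the original programme document, showing one way to compute the false-positive rate and mean time to detect from triaged alert records and to check the percentage change against the 30% and 25% targets. The alert records, the `Alert` structure and the disposition labels are constructed for the example; a real implementation would read them from the SIEM or case-management export.

```python
"""Compute the programme's detection metrics against a pre-rotation baseline.

Added example with constructed data. Assumed inputs: one record per triaged
alert with a disposition ("true_positive" / "false_positive") and, for true
positives from red-team exercises or confirmed incidents, the attack start time.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Alert:
    alert_id: str
    fired_at: datetime
    disposition: str                         # "true_positive" or "false_positive"
    attack_started_at: Optional[datetime] = None  # known for red-team exercises / confirmed incidents


def false_positive_rate(alerts: Iterable[Alert]) -> float:
    """Share of triaged alerts closed as false positive (0.0 - 1.0)."""
    alerts = list(alerts)
    if not alerts:
        raise ValueError("no alerts in period")
    fps = sum(1 for a in alerts if a.disposition == "false_positive")
    return fps / len(alerts)


def mean_time_to_detect(alerts: Iterable[Alert]) -> timedelta:
    """Mean (fired_at - attack_started_at) over true positives with a known attack start."""
    deltas = [a.fired_at - a.attack_started_at
              for a in alerts
              if a.disposition == "true_positive" and a.attack_started_at is not None]
    if not deltas:
        raise ValueError("no true positives with a known attack start in period")
    return sum(deltas, timedelta()) / len(deltas)


def percent_change(before: float, after: float) -> float:
    """Signed percentage change; negative means the value went down."""
    return (after - before) / before * 100.0


def evaluate(baseline: List[Alert], post: List[Alert],
             fp_target_pct: float = -30.0, mttd_target_pct: float = -25.0) -> dict:
    """Compare post-rotation alerts with the baseline and flag whether each target is met."""
    fp_before, fp_after = false_positive_rate(baseline), false_positive_rate(post)
    mttd_before = mean_time_to_detect(baseline).total_seconds()
    mttd_after = mean_time_to_detect(post).total_seconds()
    fp_change = percent_change(fp_before, fp_after)
    mttd_change = percent_change(mttd_before, mttd_after)
    return {
        "fp_rate_before": fp_before,
        "fp_rate_after": fp_after,
        "fp_rate_change_pct": fp_change,
        "fp_target_met": fp_change <= fp_target_pct,
        "mttd_before_min": mttd_before / 60,
        "mttd_after_min": mttd_after / 60,
        "mttd_change_pct": mttd_change,
        "mttd_target_met": mttd_change <= mttd_target_pct,
    }


# --- constructed sample data (not real alerts) ---------------------------------
T0 = datetime(2025, 6, 1, 9, 0)  # arbitrary anchor time for the sample


def _tp(n: int, delay_min: int) -> Alert:
    """True positive fired delay_min minutes after a known attack start."""
    start = T0 + timedelta(hours=n)
    return Alert(f"tp-{n}", start + timedelta(minutes=delay_min), "true_positive", start)


def _fp(n: int) -> Alert:
    return Alert(f"fp-{n}", T0 + timedelta(hours=n), "false_positive")


# Baseline: 10 alerts, 6 false positives, detection delays averaging 120 min.
BASELINE_ALERTS = [_tp(1, 60), _tp(2, 120), _tp(3, 180), _tp(4, 120)] + [_fp(n) for n in range(5, 11)]
# After the rotation: 10 alerts, 4 false positives, detection delays averaging 80 min.
POST_ALERTS = [_tp(n, d) for n, d in zip(range(1, 7), (40, 80, 120, 80, 40, 120))] + \
              [_fp(n) for n in range(7, 11)]

if __name__ == "__main__":
    for key, value in evaluate(BASELINE_ALERTS, POST_ALERTS).items():
        print(f"{key:>20}: {value}")
```

Mean time to detect is only measurable where the attack start is known, so in practice it is driven by red team exercises and by incidents with a reconstructed timeline; alerts without that timestamp are deliberately excluded rather than guessed.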


Implementation checklist

  1. Secure leadership buy-in for time commitments

  2. Develop rotation playbooks for each path

  3. Establish non-disclosure agreements and time-boxed, least-privilege access for rotating staff, revoked at the end of the rotation

  4. Create safe-fail environments

  5. Schedule regular debrief sessions


Lessons from early adopters

  • Do:

    • Start with volunteer participants

    • Focus on concrete deliverables

    • Protect rotation time from business-as-usual (BAU) work

  • Avoid:

    • Treating the rotation as a punishment detail

    • Overloading with administrative tasks

    • Skipping the post-rotation follow-through

This programme turns “us vs them” mentalities into collaborative security partnerships through structured perspective-taking.

(Framework adapted from Google’s Project Zero and Microsoft’s Cross-Team Rotation initiatives.)


Last update: 2025-06-08 13:05