Continuous Purple Teaming: Turning Red-Blue Rivalry into Real Defense

By Sila Ozeren Hacioglu, Security Research Engineer at Picus Security.

In many organizations, red and blue teams still work in silos, usually pitted against each other, with the offense priding itself on breaking in and the defense doing what they can to hold the line.

However, too often, their efforts don’t meet in the middle, creating noise. The red team runs an exercise, publishes findings, and moves on, while the blue team is flooded with a sea of unvalidated vulnerability alerts and rules. It may seem like progress, but it’s not. The offense identifies gaps once; the defense fights, essentially blind, day in and day out.

Purple teaming rewrites this equation. It brings red and blue together, not to compete, but to collaborate, turning testing into a shared process and validation into measurable evidence.

The key to making this collaboration far more valuable is Breach and Attack Simulation (BAS), which enables real-time, ongoing, continuous validation. 

Because the truth is this: attackers evolve faster than defenses can coordinate, and only through continuous validation can we close the gap.

Purple Teaming Isn’t a Color Wheel, It’s the Key to Real Cyber Defense

Purple teaming isn’t “friendlier red teaming.” It’s a fundamentally more effective workflow, continuously turning every offensive run into a defensive improvement. The workflow goes like this:

• Red attacks. They emulate adversaries with precision, revealing where defenses hold or give way.

• Blue responds. They trace which controls fire, which stay silent, and why.

• Then both go again, fixing, rerunning, and refining until the gaps close.

That loop, not the color, is what makes a team truly purple.

As Chris Dale, Principal Instructor at SANS, put it during our recent BAS Summit:

“I want to see less of this red versus blue. I want convergence. I want us making one another good.”

Purple teaming makes that convergence real.

Replacing rivalry with collaboration, purple teaming turns testing into an ongoing cycle of validation and improvement. In a field where the stakes are this high and speed and precision can define survival, this isn’t just a better mindset; it’s the only logical way forward.

Manual No More: How BAS Powers Continuous Purple Teaming

Manual purple teaming is slow.

Each new adversary campaign takes hours of scripting, staging, and tuning. By the time a kill chain is ready, new campaigns may already be underway, and your organization might already appear in public reporting.

Now you can eliminate that lag, automating the manual tasks that traditionally slow down or stop progress. BAS:

• Continuously simulates real-world adversaries using TTPs mapped to the MITRE ATT&CK framework

• Safely executes simulated payloads against live controls, and 

• Instantly scores your prevention, detection, and response effectiveness.

Here, automation doesn’t replace human creativity; it amplifies it, enabling faster, more accurate validation.

As Picus Co-Founder & CTO Volkan Ertürk stressed in the BAS Summit, “BAS is the voltage test of modern security, the current you run through your stack to see what holds.”

With BAS, purple teaming stops being a one-off event and becomes a productive rhythm. Attack. Observe. Fix. Validate. Repeat.

Pick a Fight That Matters

Don’t lead with a compliance checklist. Start with what will actually burn you. 

Focus on realistic, high-impact attack paths an adversary would use to gain access to your crown jewels:

• internal recon → privilege escalation → lateral movement (WMI, PsExec) → persistence (registry, scheduled tasks) → data exfiltration → encryption & backup tampering (e.g., shadow-copy deletion).

Scope that attack chain to the controls meant to stop or detect it, firewalls, WAFs, email gateways, IPS/IDS, EDR/XDR, and run the scenario in BAS safely to measure prevention, detection, and response.

Watch the stack:

• What fired? — Those controls worked.

• What stayed silent? — Make this your top remediation priority.

• What alerted on signatures rather than behavior/technique? — This is noise; retune so detections map to technique.

Close the Loop Based on Validated Prioritization

Every attack simulation run by BAS generates evidence, and allows you to immediately act on the gaps it’s uncovered. 

This way, you can prioritize what slipped through both prevention and detection; these are the real risks that your defenses failed to block or detect.

Similarly, you can then deprioritize vulnerabilities that your existing controls already mitigate; not every CVSS-critical vulnerability needs to be patched, especially if compensating controls are already in place and actively preventing exploitation.

Examine every remaining gap and assess it using three factors:

• Impact: How significant would the damage be if exploited?

• Detectability: How easy is it to detect with existing tools?

• Business Context: Where does this exposure sit in your environment, and what assets would it affect if exploited?

In today’s complicated environments, fixing everything at once is impractical, if not impossible. Focus on the most critical gaps first: the highest-impact and least-detectable ones that can lead to an actual breach.

This process shortens the loop between exposure and response.

Measure Reality, Not Volume

Focus on what has truly improved:

• Time-to-detect before vs. after the implementation of BAS.

• Mean time to validate a fix and confirm its effectiveness.

• Percentage of TTPs (Tactics, Techniques, and Procedures) that are detected and prevented.

These metrics will show you whether red and blue team collaboration is truly driving progress or if you're simply going through the motions.

As Jaime Rodriguez, Offensive Security & Threat Intelligence Leader at Sutter Health, put it: "It's a continuous loop of validation we can run anytime, anywhere."

The goal isn’t just to run attacks for the sake of it. It’s to close the gap between exposure and assurance, ensuring that your actual defenses are continuously validated and aligned with your security objectives.

Leverage AI, Carefully

AI can now quickly read a threat report and generate a complete emulation plan in minutes.

While this is a major leap forward, it comes with significant risks. Volkan Ertürk warned, “Ask a large model (LLM) to build your payloads and you might find yourself simulating the wrong thing, for real.”

A smarter approach is to:

• Use AI to parse threat intelligence and map it to TTPs. 

• Maintain and update payloads in a curated BAS library for safety and quality. 

• Always have your team review the plans before execution.

AI should assist, not replace, human judgment. It can draft the plan, but your security team needs to decide what’s safe to run.

By doing so, AI eliminates the need for the traditional 48-hour mapping cycle, where security teams manually map out the threats they’ll include..

Rethink Success

If your red team still measures “domain admin achieved,” congratulations, you’re stuck in 2015.
If your blue team still celebrates 'alerts fired,' you're also living dangerously in the past.

Today, success is measured by continuous proof derived from each sprint:

• Which TTPs were emulated?

• Which detections were tuned?

• Which fixes were re-validated?

Security maturity isn’t how many tools you’ve deployed; it’s how often you verify they work.

The Payoff: Continuous Confidence

After months of BAS-powered purple teaming, we see some fundamental, dramatic changes:

• Teams aren’t debating hypothetical risks.

• Executives aren’t requesting assurance reports because they already have the data they need.

• Every patch, every mitigation, every rule has a concrete reason: tested, validated, and proven.

At this point, continuous validation becomes second nature, marking a fundamental shift in your teams’ security mindset.

Chris Dale’s keynote left a powerful statement: “Security doesn’t fail at the breach; it fails at the point of impact.”

BAS-driven purple teaming is built to prevent that impact, not through assumptions or hope, but by rigorously testing your defenses, uncovering the truth, and empowering your team to act.

Request your demo now to adopt threat-centric purple teaming and validate your readiness against realistic adversary behaviors and closing the loop between exposure and assurance.

Sponsored and written by Picus Security.