Purple Teaming: Know what your defences catch and fix what they miss.

A collaborative security exercise where Theos executes real adversary techniques against your environment while your team monitors, investigates, and responds. The result is measurable detection uplift, validated against behaviour that matters.

Detection gaps identified and closed within the same exercise.
OVERVIEW

What is purple teaming?

Purple teaming is a collaborative security exercise where offensive and defensive teams work together to test, refine, and improve an organisation’s ability to detect and respond to adversary behaviour. Unlike a traditional red team engagement, which is often conducted with limited defender visibility, purple teaming is designed to be transparent and iterative.

In practice, Theos executes selected tactics, techniques, and procedures relevant to your threat landscape, while your blue team monitors, investigates, and responds. Throughout the exercise, both sides review what was detected, what was missed, and where controls, telemetry, or workflows can be improved. The result is measurable uplift in detection capability, validated against real adversary behaviour rather than theoretical coverage.

  • Theos executes adversary techniques relevant to your industry and threat landscape
  • your blue team monitors and responds in real time
  • gaps are identified and detections refined during the exercise
  • every technique executed and every detection outcome is mapped to the framework
  • telemetry gaps, detection logic improvements, and response workflow fixes are documented
  • a full record of what was executed, what was detected, and what needs to change is delivered

Your blue team leaves the exercise knowing exactly what it detects and where coverage gaps exist. Detection gaps are closed during the engagement. Your security investment is validated against real adversary behaviour in your actual environment.

THE CHALLENGE

Detection tooling investment and detection validation are two different things.

Most organisations running SIEM, EDR, and MDR tooling have made a significant investment in detection capability. What they rarely validate is whether that capability catches real adversary behaviour in a real environment. 

Alert tuning happens in isolation. Detection rules are written against documentation, not against live technique execution. Coverage maps look complete on paper. But until an adversary executes a technique in your environment and your team responds, the assumption that you would catch it is exactly that: an assumption. 

Purple teaming replaces that assumption with evidence. Techniques are executed. Detections are tested. Gaps are identified and fixed while the exercise is still running. The result is a detection programme validated against real adversary behaviour, tested and confirmed. For enterprises across APAC, adversary simulation delivered in a collaborative format produces detection improvement beyond what theoretical coverage mapping can confirm. 

What purple teaming surfaces in unvalidated detection programmes:

  • Telemetry gaps

    Logs collected at insufficient fidelity or missing from key sources entirely.

  • Detection logic gaps

    Rules that exist but require tuning to fire against real technique execution.

  • Alert workflow gaps

    Detections that fire but require clearer escalation and response procedures.

  • Coverage gaps

    Technique categories where detection coverage needs to be built.

THEOS APPROACH

Detection and response validation: execute, detect, improve, repeat.

Theos purple team exercises are structured around a simple principle: execute a technique, measure whether your team detects it, identify where detection is missing, fix it, and move to the next technique. The exercise is iterative by design.

Threat-Informed TTP Selection

Theos works with your team to define the scope of the exercise, select the techniques to be executed, and agree the objectives. TTP selection is informed by threat intelligence relevant to your industry and market. The techniques chosen reflect real adversary behaviour, calibrated to your threat environment.

Transparent Execution

Unlike a red team, the purple team exercise is not covert. Theos and your blue team work alongside each other throughout. Each technique is executed, observed, and reviewed in sequence. When a detection fires, both teams analyse what triggered it. When coverage gaps surface, both teams identify the root cause and what needs to change.

In-Exercise Improvement

Detection gaps identified during the exercise are addressed before the session ends. Your blue team updates detection logic, adjusts alert thresholds, and adds telemetry sources in real time, then retests immediately. The exercise ends with a detection programme that is measurably stronger than the one it started with.

MITRE ATT&CK Coverage Mapping

Every technique executed during the exercise is mapped to MITRE ATT&CK. At the conclusion of the engagement, your team has a clear view of your coverage across the framework: what you detect, where gaps exist, and where to focus next.

BENEFITS 

What Theos Purple Teaming delivers for your organisation.

Validated detection coverage

Know exactly what your tools and team detect and where coverage gaps exist.  

In-exercise improvement

Gaps identified and fixed before the exercise ends.

MITRE ATT&CK coverage map

A clear picture of your detection posture across the framework.

Blue team capability uplift

Your analysts leave the exercise more capable than when they entered.

Evidence for leadership and regulators

Documented proof that your detection programme has been tested against real adversary behaviour.

Programme intelligence

Findings feed directly into MDR tuning, red team planning, and IR playbook development.

HOW IT WORKS

How a Theos purple team exercise works.

1. Scope and TTP Selection

Theos works with your team to define the scope of the exercise, select the techniques to be executed, and agree the objectives. TTP selection is informed by threat intelligence relevant to your industry and market. The techniques chosen reflect real adversary behaviour, calibrated to your threat environment.

2. Environment Baseline

Before execution begins, Theos reviews your current detection coverage to establish a baseline. This confirms which techniques have existing detection logic and which require coverage to be built, so the exercise can focus where it will produce the most improvement.

3. Execute and Observe

Theos executes each technique in sequence. Your blue team monitors their tooling, investigates alerts, and responds. Both teams observe the outcome together: what fired, where coverage gaps surfaced, and what the analyst response looked like.

4. Identify and Fix

For every technique where detection was absent or incomplete, both teams identify the root cause: missing telemetry, a logic gap in the detection rule, an alert threshold requiring adjustment, or a response workflow requiring refinement.

5. Report and MITRE Mapping

At the conclusion of the exercise, Theos delivers a full findings report mapping every technique executed to MITRE ATT&CK, with detection outcomes, gap analysis, and prioritised recommendations for ongoing improvement. An executive summary is included for board and leadership review.
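One way to keep the record that the five steps above (and the four gap categories under THE CHALLENGE) produce, as an added example that is not Theos code or tooling: a small Python tracker that classifies each technique that was not detected into one of the four gap categories (telemetry, detection logic, alert workflow, coverage), records the in-exercise retest after each fix, and summarises coverage per ATT&CK tactic. The technique IDs are real ATT&CK identifiers; the outcomes, fixes and tactic assignments are constructed sample data for illustration, and the heatmap shading thresholds are an assumption of this example.

```python
"""Purple team exercise tracker (added example, not Theos code).

Each execution records what the blue team observed, the root-cause gap
category where detection fell short, and the outcome of any in-session
retest. Technique IDs are real ATT&CK IDs; all outcomes are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    DETECTED = "detected"        # alert fired and an analyst picked it up
    LOGGED_ONLY = "logged_only"  # telemetry recorded the activity, no alert
    MISSED = "missed"            # nothing recorded at all


class Gap(Enum):
    NONE = "none"
    TELEMETRY = "telemetry"              # logs missing or at too low a fidelity
    DETECTION_LOGIC = "detection_logic"  # a rule exists but did not fire
    ALERT_WORKFLOW = "alert_workflow"    # the alert fired but was not escalated
    COVERAGE = "coverage"                # no rule exists for this technique


@dataclass
class Execution:
    technique: str          # ATT&CK technique ID
    tactic: str             # ATT&CK tactic the technique was run under
    outcome: Outcome        # what the blue team observed on first execution
    gap: Gap = Gap.NONE
    retests: list = field(default_factory=list)  # outcomes after each fix


def classify_gap(outcome, rule_exists, telemetry_present, escalated):
    """Map one observed outcome onto the four gap categories from the page."""
    if outcome is Outcome.DETECTED:
        return Gap.NONE if escalated else Gap.ALERT_WORKFLOW
    if not telemetry_present:
        return Gap.TELEMETRY
    if not rule_exists:
        return Gap.COVERAGE
    return Gap.DETECTION_LOGIC


def execute(technique, tactic, outcome, rule_exists, telemetry_present, escalated=False):
    """Record a technique execution together with its root-cause classification."""
    gap = classify_gap(outcome, rule_exists, telemetry_present, escalated)
    return Execution(technique, tactic, outcome, gap)


def retest(execution, outcome, escalated=True):
    """Re-run the technique after a fix; a detected and escalated retest closes the gap."""
    execution.retests.append(outcome)
    if outcome is Outcome.DETECTED and escalated:
        execution.gap = Gap.NONE


def open_gaps(executions):
    """Techniques still not detected (and escalated) when the exercise closes."""
    return [(e.technique, e.gap) for e in executions if e.gap is not Gap.NONE]


def coverage_by_tactic(executions):
    """Per-tactic counts of techniques executed, detected (after retests) and still open."""
    summary = defaultdict(lambda: {"executed": 0, "detected": 0, "open_gaps": 0})
    for e in executions:
        row = summary[e.tactic]
        row["executed"] += 1
        if e.gap is Gap.NONE:
            row["detected"] += 1
        else:
            row["open_gaps"] += 1
    return dict(summary)


def heatmap(executions):
    """One line per tactic, shaded by the share of executed techniques detected (assumed thresholds)."""
    lines = []
    for tactic, row in coverage_by_tactic(executions).items():
        ratio = row["detected"] / row["executed"]
        shade = "###" if ratio == 1 else "#--" if ratio > 0 else "---"
        lines.append(f"{tactic:<18} {shade} {row['detected']}/{row['executed']}")
    return "\n".join(lines)


def run_exercise():
    """Constructed sample exercise: six techniques, three gaps fixed in-session."""
    executions = [
        execute("T1566.001", "Initial Access", Outcome.DETECTED, True, True, escalated=True),
        execute("T1059.001", "Execution", Outcome.LOGGED_ONLY, True, True),
        execute("T1547.001", "Persistence", Outcome.MISSED, False, False),
        execute("T1003.001", "Credential Access", Outcome.DETECTED, True, True),
        execute("T1021.002", "Lateral Movement", Outcome.LOGGED_ONLY, False, True),
        execute("T1041", "Exfiltration", Outcome.MISSED, True, True),
    ]
    by_id = {e.technique: e for e in executions}
    # In-exercise fixes followed by an immediate retest (constructed outcomes)
    retest(by_id["T1059.001"], Outcome.DETECTED)   # rule tuned
    retest(by_id["T1547.001"], Outcome.DETECTED)   # telemetry source added
    retest(by_id["T1003.001"], Outcome.DETECTED)   # escalation path clarified
    retest(by_id["T1041"], Outcome.LOGGED_ONLY)    # first tuning pass not yet sufficient
    return executions


if __name__ == "__main__":
    exs = run_exercise()
    print(heatmap(exs))
    print("open gaps:", open_gaps(exs))
```

Running the block prints a per-tactic summary and the list of gaps still open at close, which is the same information the findings report and coverage map carry: what was executed, what was detected after fixes, and which gap category each remaining miss falls into.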

CAPABILITIES 

Purple teaming capabilities.

  • TTP execution across the full MITRE ATT&CK framework

  • Initial access simulation: phishing, exploitation, credential-based entry

  • Persistence and privilege escalation techniques

  • Lateral movement and credential harvesting

  • Data exfiltration simulation

  • Detection logic review and tuning during the exercise

  • Telemetry gap identification and remediation guidance

  • Response workflow validation and improvement

  • MITRE ATT&CK coverage mapping and heatmap output

SCOPE COVERAGE 

What Theos purple teaming covers.

  • Endpoint

    EDR telemetry, detection rules, and analyst response workflows

  • Identity

    Active Directory, Azure AD, and privileged access detection coverage

  • Network

    east-west traffic, lateral movement, and command and control detection

  • Cloud

    AWS, Azure, and GCP configuration and access-based technique execution

  • SIEM and SOAR

    rule logic, alert fidelity, and automated response playbook validation

  • Email and collaboration

    phishing simulation and response workflow testing

PROOF 

What the work produces.

Real-time: detection gap closure during the exercise

MITRE: ATT&CK coverage map delivered

8.9: client satisfaction score

200+: offensive engagements per year

Hear it from our clients

What outcome accountability looks like in practice.

THEOS operates across Singapore, Hong Kong, Malaysia, and the Philippines, serving regulated enterprises where the cost of a breach is highest. What our clients describe is not a vendor relationship. It is a security partnership. 

"Theos built the engagement around the threat actors targeting our sector in Hong Kong. The findings were structured for HKMA submission and the gaps have since been closed."

Head of Information Security, Financial Services Institution, Hong Kong. Service: Red Team | HKMA iCAST

"The engagement identified gaps our existing programme had not surfaced. The findings went directly into our regulatory submission and the gaps have since been remediated."

Head of Information Security, Financial Services Institution, Singapore. Service: Red Team

"Theos engaged credibly at board level and at SOC level in the same programme. The ability to do both simultaneously, and produce documentation that holds up to BNM examination, is what made the difference."

Head of Information Security, Joint Venture Insurance Group, Malaysia. Service: Tabletop Exercise Security

"We called Theos during an active ransomware incident. Two weeks later the threat was contained. We have not used another security provider since."

Head of IT, Major Commercial and Real Estate Group, Philippines. Service: Incident Response | MDR

METHODOLOGY

How Theos structures a purple team exercise.

Theos purple team exercises are threat-informed and iterative. TTP selection is grounded in threat intelligence. Execution is structured to produce measurable improvement. Every session ends with confirmed fixes, validated before the exercise closes.

MITRE ATT&CK

foundation for TTP selection, execution, and coverage mapping

Theos selects tooling calibrated to the techniques being executed and the environment being tested. Where relevant, Theos also works with your existing security platforms, including CrowdStrike, Microsoft Sentinel, and Swimlane, to validate detection and response within your actual toolset.

RED TEAMING vs ALTERNATIVES

Purple teaming, red teaming, and VAPT: what is the difference?

Capability: Blue team involved

  Purple Teaming: Yes. Collaborative throughout.
  Red Teaming: Covert by design.

Capability: Detection tested

  Purple Teaming: Yes. Primary objective.
  Red Teaming: Yes. Revealed through the engagement outcome.

Capability: Gaps fixed during exercise

  Purple Teaming: Yes. Iterative improvement.
  Red Teaming: No. Reported post-engagement.

Capability: Objective

  Purple Teaming: Improve detection and response.
  Red Teaming: Achieve undetected access and demonstrate real-world impact.

Capability: Output

  Purple Teaming: Coverage map, gap analysis, improved detections.
  Red Teaming: Full attack narrative with evidence of impact.

Capability: Best suited for

  Purple Teaming: Teams validating and improving detection capability.
  Red Teaming: Mature security teams testing real-world resilience.

USE CASES

Who Theos Purple Teaming is built for.

Organisations that have invested in detection tooling and want to know it works

If your organisation runs SIEM, EDR, or MDR and has not validated whether those tools catch real adversary techniques, a purple team exercise gives your team a confirmed answer.

Security teams preparing for a red team engagement

A purple team exercise is an effective way to strengthen your detection and response posture before a full red team engagement. Your blue team enters the red team engagement with validated detections and closed gaps.

Organisations following an incident or near-miss

If an adversary progressed further than expected before your team responded, a purple team exercise identifies where the detection and response workflow can be strengthened.

Blue teams that want structured capability development

Purple teaming is one of the most effective development formats for security operations analysts. Working alongside Theos practitioners, your team builds familiarity with real adversary techniques, tunes detection logic in a live environment, and develops response instincts that only live environment experience builds.

Regulated enterprises requiring evidence of detection validation

Regulators and insurers are increasingly asking not just whether detection tooling is in place, but whether it has been tested. Purple team exercise outputs provide documented, structured evidence that your detection programme has been validated against realistic adversary behaviour.

WHEN DO YOU NEED PURPLE TEAMING

When does your organisation need a purple team exercise?

Purple teaming is most valuable when detection capability exists but has not been independently validated. If your organisation has invested in SIEM, EDR, or MDR and has not confirmed whether those tools catch real adversary techniques in your actual environment, a purple team exercise is the direct answer.

After deploying or upgrading detection tooling

New SIEM rules, EDR deployments, and MDR onboarding all come with assumed coverage. A purple team exercise confirms what those tools actually catch before gaps are exposed in a real incident.

Before a red team engagement

Purple teaming strengthens your detection and response posture before a red team engagement begins. Your blue team enters the exercise having already closed known gaps and validated their tooling against real adversary techniques.

After a red team engagement where detection gaps were identified

A red team report that identifies detection failures requires validation that the fixes have worked. A purple team exercise tests the remediation directly, confirming that the gaps identified are now closed.

Following a security incident where response was slow

If an adversary progressed further than expected before your team responded, a purple team exercise identifies where the detection and response workflow can be strengthened. Fixes are validated during the exercise.

When your regulatory framework requires detection validation

MAS TRM in Singapore and HKMA iCAST in Hong Kong both require organisations to validate that detection and response capabilities are effective. BNM RMiT in Malaysia carries equivalent expectations. A purple team exercise produces the documented evidence that those validations have been conducted.

On a recurring improvement cadence

Detection programmes degrade as environments change, tooling is updated, and threat actors evolve their techniques. Purple teaming run on an annual or biannual cadence keeps your detection coverage current and your blue team sharp.

WHY THEOS

Why Theos Purple Teaming

Detection improvement built into every exercise

Theos purple team exercises are structured to produce measurable detection improvement before the engagement ends. Gaps identified in the morning can be fixed and retested in the afternoon. Your detection programme is stronger on the last day of the exercise than it was on the first. 

Threat intelligence that reflects this region

TTP selection is grounded in threat intelligence specific to your industry and operating markets. The techniques Theos executes reflect what relevant adversaries use in APAC, calibrated to the threats that matter most to your organisation. 

Offensive depth that your blue team can learn from

Theos purple team practitioners carry the same depth as our red team. Your blue team works alongside practitioners who understand how adversaries operate at the level required to build detection coverage that holds. That practitioner depth is what makes the exercise findings specific and immediately actionable.

Connected to your full security programme

Purple team findings feed directly into MDR detection tuning, red team planning, and IR playbook development. For organisations working with Theos across multiple service lines, the intelligence compounds. Detection gaps found in a purple team become detection rules in MDR. Coverage weaknesses identified in a purple team shape the scope of the next red team.

GET PROTECTED TODAY

Security is not a product you buy. It is an outcome you earn.

Theos purple teaming confirms whether your detection programme performs against real adversary behaviour. Real techniques executed in your environment, with gaps fixed before the exercise ends.

We deliver outcomes.

Talk to Theos

FAQ

Frequently Asked Questions

The questions regulated enterprises ask most often before commissioning a purple team exercise.

What is purple teaming and how does it work?

Purple teaming is a collaborative security exercise where offensive and defensive teams work together to test and improve detection and response capabilities. Unlike red teaming, it is transparent and iterative, with both teams working alongside each other throughout.

Theos executes tactics, techniques, and procedures relevant to your threat landscape while your blue team monitors, investigates, and responds. What was detected, what was missed, and what needs to change is reviewed together in real time. The result is measurable detection uplift validated against real adversary behaviour.

Do we need a mature internal security team for purple teaming to be valuable?

Purple teaming delivers value at every level of security maturity. The engagement is designed to meet your team where they are.

Theos acts as the red team and works directly with your blue team throughout. The exercise identifies visibility gaps, prioritises detection improvements, and strengthens response processes regardless of current maturity. Complexity is tailored to your team’s capabilities and objectives.

How does purple teaming improve our detection capabilities?

Purple teaming improves detection by testing your blue team’s visibility and response against real adversary behaviour executed by Theos in your environment. The exercise surfaces missing telemetry, detection logic gaps, alerting weaknesses, and process issues.

Because the exercise is collaborative, your blue team refines detections and validates improvements during the engagement. The results are immediately actionable, addressed during the engagement itself.

What is the output of a purple team exercise?

The output is a practical findings set showing how your blue team performed against the adversary behaviours Theos executed, and where detection and response can be strengthened.

This includes the TTPs tested, what your team detected, where visibility gaps exist, and prioritised recommendations to improve detections, telemetry, and response workflows. MITRE ATT&CK mappings are included across every technique executed.

How often should we run purple team exercises?

Purple team exercises are most effective on a recurring cadence, particularly as your environment, tooling, and threat landscape evolve. The right frequency depends on your security maturity and how quickly your defensive capabilities are changing.

Run as part of an ongoing improvement cycle, purple teaming keeps your detection coverage current and your blue team sharp against realistic adversary behaviour.

LET US HELP YOU!