{"id":15775,"date":"2026-02-11T08:15:36","date_gmt":"2026-02-11T08:15:36","guid":{"rendered":"https:\/\/newestek.com\/?p=15775"},"modified":"2026-02-11T08:15:36","modified_gmt":"2026-02-11T08:15:36","slug":"the-hard-part-of-purple-teaming-starts-after-detection","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15775","title":{"rendered":"The hard part of purple teaming starts after detection"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

In my recent articles for CSO, I\u2019ve talked about the limits of current SOC models<\/a> and the importance of rehearsal<\/a>. This time, I want to focus on something that\u2019s becoming increasingly clear: purple teaming has lost its depth.<\/p>\n

We\u2019ve turned one of the most powerful tools for resilience into a transactional exercise that feels reassuring but reveals very little about how an organization will cope when the pressure is real.<\/p>\n

Care and attention have become rare assets in our world. Distraction dominates both the consuming and supply sides of cybersecurity. Clients are pulled into complexity and novelty, while services providers are pulled into deadlines and deliverables.<\/p>\n

Meanwhile, attackers \u2014 increasingly powered by AI \u2014 are becoming faster, quieter, and more determined.<\/p>\n

When threats accelerate, surface-level testing is no longer enough.<\/p>\n

The absence of findings is not the absence of risk<\/h2>\n

I\u2019ve seen this pattern everywhere: a purple team engagement<\/a> produces a set of impressive outcomes. The report looks good. Findings correlate with expectations. Leadership feels reassured.<\/p>\n

But a result is often treated as the<\/em> result, as if the absence of findings means the absence of risk. This is a flaw.<\/p>\n

The industry\u2019s default approach is shaped by time pressure, commercial constraints, and scopes that are too narrow. None of this is malicious, it\u2019s simply how the system has evolved. Providers deliver what they\u2019re contracted to deliver, and clients take the report as a sign of depth.<\/p>\n

Omissions, often caused by time pressure or lack of mental space, are invisible. And invisible omissions are the most dangerous kind.<\/p>\n

Two clients who \u201cshouldn\u2019t have been breakable\u201d<\/h2>\n

Recently, we worked with two extremely mature organizations. On paper, both looked close to unbreakable.<\/p>\n

Instead of running a standard purple team, we co-designed the engagement with them. We looked at the problem as a determined attacker would, and we shared tacit knowledge openly, both our own and theirs. Crucially, everyone involved had visibility into the controls in place. It was a genuine cyber security partnership, not an audit.<\/p>\n

And both organisations were compromised \u2014 deeply \u2014 with almost no sign of compromise.<\/p>\n

In one case, there was a single indicator of compromise: \u201cdomain admin.\u201d Nothing about how<\/em> it happened. Nothing about what to do next<\/em>. No instinctive or automated response. Just a light turning red<\/a> with no playbook behind it.<\/p>\n

In the other case, the SOC detected multiple signals but never acted in time. Detection without action is just noise.<\/p>\n

The experience was humbling. And it forced a blunt question: \u201cYou saw us. So what?\u201d<\/p>\n

That\u2019s the real test. Not whether the SOC sees something. Whether it does something<\/em> \u2014 fast enough and accurately enough \u2014 to stop the damage.<\/p>\n

Standard purple teaming can\u2019t get you there<\/h2>\n

Purple teaming should be the discipline that reveals these realities, but the current model rarely does. Service providers tend to focus on the bypass, the exploit, the \u201cwin.\u201d Clients focus on closing tickets, finishing the engagement, and getting the report.<\/p>\n

Neither mindset creates the space needed for deep thinking.<\/p>\n

Had we rushed through our work we would never have found what we did. Time pressure shapes outcomes more than most organizations realize. When testing is constrained by a standard 9\u20135, it limits how far teams can explore the conditions that lead to real compromise.<\/p>\n

Resilience is the \u201cbrake\u201d moment<\/h2>\n

Imagine you\u2019re driving, and you see the car ahead braking suddenly. Awareness helps, but it\u2019s your immediate reaction that avoids the collision. Insurance plans don\u2019t matter at that moment. Nor do compliance reports or dashboards.<\/p>\n

Only vigilance and rehearsal matter.<\/p>\n

Cyber resilience works the same way. You can\u2019t build the instinct required to act by running one simulation a year. You build it through repetition. Through testing how specific scenarios unfold. Through examining not only how adversaries get in, but also how they move, escalate, evade, and exfiltrate.<\/p>\n

This is the heart of real purple teaming<\/a>.<\/p>\n

AI didn\u2019t help either organisation<\/h2>\n

Both clients had AI embedded in their SOCs<\/a>. And it made no difference.<\/p>\n

AI can accelerate analysis, but it can\u2019t replace intuition, design, or the judgment required to act. If the organization hasn\u2019t rehearsed what to do when the signal appears, AI only accelerates the moment when everyone realises they don\u2019t know what happens next.<\/p>\n

This is why so much testing today only addresses opportunistic attacks. It cleans up the low-hanging fruit. But if organized crime wanted these organisations, they would have had them. And that\u2019s not an easy sentence to write.<\/p>\n

A model that creates false confidence<\/h2>\n

The standard testing model traps everyone involved:<\/p>\n