Purple Team Assessments


Do you ever worry about your organization’s ability to detect and/or prevent a threat actor? Would you like to know how your team and toolsets react to a battery of offensive tests that range from the most basic tactics to the latest and greatest advanced persistent threat techniques? Have you ever discovered a new attack technique and wondered, “How many more are there?” or “Which ones should I be worried about?” Are you curious about testing a particular exploit or lateral movement activity in your network, but aren’t sure where to start?

If you answered “yes” to any of those questions, perhaps a Purple Team exercise is exactly what you need. A Schneider Downs Purple Team exercise brings together our red teamers and blue teamers, onsite, to work alongside your team to learn how to prevent and detect specific offensive techniques from the MITRE ATTACK framework and other hacker tools, techniques and procedures.

As part of a Purple Team exercise, our goal is to provide the hacker toolsets and mentality of our red team experts along with the incident responder and defensive thinking of our blue team experts in a way that encourages, engages and sparks knowledge transfer.


To maximize the effectiveness of a Purple Team exercise, our team must first gain a strong understanding of your environment. During this process, we’ll become familiar with your current alerting/detection capabilities, as well as your network architecture and various other pertinent details. We believe the more we understand about your environment, the more valuable the exercise will be.

Threat Mapping

By leveraging every category of the MITRE ATT&CK framework, we’ll work collaboratively with you to map a custom set of tactics and techniques that are risk-based, industry-appropriate and meaningful to your organization. This selection process is highly flexible and can steer the exercise toward a specific theme of offensive techniques or it can ensure a well-balanced exercise for a stronger baseline. Ultimately, the scope and variety of the exercise is entirely up to you. Additionally, we will cross-reference your threat intel against the framework’s data to identify which threat actors youâre most likely facing in the wild, and then use our understanding of their typical behavior to further shape your organization’s custom threat map. This enables us to anticipate additional attack vectors of concern and provide an authentic attack scenario within the collaborative process.


Once threat mapping is complete, the offensive experts of our red team will execute each of the techniques in a transparent environment. This process encourages an “over-the-shoulder” element, in which your security can observe, learn and even get hands-on assisting in the execution of a variety of typical hacker activities like enumeration, exploitation, lateral movement, post-exploitation and exfiltration, et al. Throughout this process, our red team will serve as an expert resource to transfer valuable knowledge regarding modern offensive strategies, and offer insights into the mind of a hacker.

Impact Analysis

The success or failure of each technique is closely monitored to ensure complete understanding of its impact within the environment. The best-case scenario is for controls to prevent the execution or deny the intended result, in which case we may attempt several other methods of execution. If a technique is successful, we analyze the results to determine its full impact and identify additional mitigating factors. With the understanding that it’s not always possible to prevent every technique, impact analysis for successful techniques allows for appropriate prioritization and accurate decision-making.


As our red teamers execute offensive techniques, our blue teamers are alongside your team simultaneously monitoring your logs and systems. If a technique is successful, we’ll help your team leverage current capabilities to prevent/detect each technique. If current capabilities are insufficient, we’ll help your team develop a plan for new capabilities. Throughout this process, our blue team will serve as an expert resource to transfer valuable knowledge regarding modern defensive strategies and offer insights into their real-world threat actor encounters.


After the exercise, your team will receive a full report that will include a detailed threat map of each technique’s execution status and analysis from both our red and blue teams, as well as a detailed guide for the implementation of any defensive items that were not fully addressed during the exercise.

View our Purple Team Assessment service overview for more information or download our whitepaper, Benefits of a Purple Team Assessment, to learn more about the impact the assessment can have for your organization.

View our additional IT Risk Advisory services and capabilities


Every moment counts. For urgent requests, contact the Schneider Downs digital forensics and incident response team at 1-800-993-8937. For all other requests, please complete the form below.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.