The difference between the red, blue and purple teams

Original author: Daniel Miessler
  • Translation
Hello colleagues. We remind you that not so long ago we had two cool classic books about hacking and malware analysis. A great book about the Kali Linux distribution is also on the way. Nevertheless, we still believe that we have not fully covered the topic of computer security, and we would like to ask your opinion about the book by Yuri Diogenes and Erdal Ozkaya about the interaction between the Red Team and the Blue Team when checking information security in the enterprise.

Under the cut, we offer an article describing the differences in the work of the Red and Blue teams and making it possible to understand what the duties of the Purple teams are.

By the way, we recommend programmer and non-programmer blog articles. Today's author is interesting there!

In the field of information security, there is some confusion in the definitions of the Red, Blue and Purple teams. Below I will present my own point of view and tell you what phenomena I associate with these definitions.


  • The Red team is a third-party organization tasked with testing the performance of the security programs operating in the company. For this, the actions and techniques of a likely attacker are reproduced in the most realistic way possible. This practice resembles penetration testing, but is not identical to it; the Red team pursues one or several objectives in its work.
  • The Blue team is an internal corporate security team that protects the company from both real intruders and the Red teams. Blue teams should be distinguished from the standard computer security specialists working in most organizations, since most full-time security specialists are not in a mindset of constant vigilance in anticipation of an attack, which is exactly how a Blue team should act and think.
  • Purple teams are ideally redundant groups whose task is to ensure and maximize the efficiency of the Red and Blue teams. This is done by bringing together the defensive techniques of the Blue team and the threats and vulnerabilities found by the Red team in a single context that ensures the maximum benefit from the work of both parties. With the right approach, 1 + 1 gives 3, and so it should, because this is the whole point of the interaction between the Red and Blue teams.

The purpose of the Red team is to find ways to improve the work of the Blue team, so Purple teams are not required in organizations where the interaction between the Red and Blue teams is good.

Incorrect use of Purple teams: analogies

Let me give you a few visual analogies that I usually use when I am told about the wrong use of Purple teams, that is, using them to force the Red team to interact with the Blue.

1. Waiters who do not bring orders: In one restaurant, the waiters cannot be made to pick up dishes from the kitchen and deliver them to guests. The solution: hire "kitchen-dining coordinators" who professionally deliver orders to the table. When the manager is asked why extra employees were hired for this job instead of assigning it to the waiters, the manager answers:

The waiters say it is not their job.

2. Elite chefs who keep the dishes in the kitchen: The restaurant invites an expert to find out why it is suffering losses when it has such a high-class, talented chef. The obvious reason is that guests have to wait a long time for the dishes they ordered, and sometimes the dishes are not brought to them at all. Arriving in the kitchen, the expert discovers, near the ovens, whole racks of excellently plated dishes. He asks the chef why he did not send these dishes to the guests who ordered them, and the chef replies:

“I know much better about food than these stupid waiters and stupid guests. Do you know how much I learned to cook such dishes? Even if I allowed them to eat, they would not understand them, but I would not feel it. So I keep my dishes here.”

Excellent: we have waiters who refuse to carry dishes to the tables, and a chef who does not allow his dishes to be taken out of the kitchen.

This is the Red team that refuses to interact with the Blue.

If you have such a problem, you need to correct the dynamics of the interaction between the Red and Blue teams, rather than hire another group of people and assign them part of the work of the Reds and the Blues.

Concepts and philosophy

Ideally, the Red and Blue teams work in complete harmony with each other, just like two palms clapping.

Like Yin and Yang, or Attack and Defense, the Red and Blue teams are completely opposite to each other from a tactical and behavioral point of view, but it is precisely because of these differences that they form a healthy and effective whole.

The Reds attack and the Blues defend, but their main goal is shared: to improve security performance in the organization.

Here are some common problems encountered when working with the Red and Blue teams:

  • The Reds consider themselves too elite to share information with the Blues.
  • The Red team is pulled inside an organization, where it is neutralized, restricted and demoralized, as a result of which its effectiveness drops dramatically.
  • The Red and Blue teams are not set up to interact with each other on an ongoing basis, as a matter of course, so the lessons each could learn from the other's example are effectively lost.
  • Apparently, information security managers do not perceive the Red and Blue teams as participants in the same project, so there is no exchange of information, measurement results, and practices between them.

Organizations suffering from one or more of these misfortunes logically assume that they need a Purple team to solve the problems. However, "purple" should be understood as a function or concept, and not as a separate team working on an ongoing basis. And this concept consists in cooperation and mutual benefit for both teams on the way to a common goal.

One possibility is a Purple team engagement, in which an outsider examines how the interaction between your main teams, Red and Blue, is organized, and recommends what changes to make. Another is a Purple team exercise, in which someone watches both teams in real time. Or a Purple team meeting, in which both teams come together, discuss stories from practice and talk about various attacks and ways to protect against them.

The point is this: you need to get the Blue and Red teams to formulate a common goal related to improving the work of the organization, and not introduce unnecessary entities into this system.

A Purple team can be compared to a family counselor. It is good when there is a person who is able to establish contact between the spouses, but in no case should the husband and wife be allowed to end up communicating only through an intermediary.


  1. Red teams imitate the tactics of intruders to find gaps in the defenses of the organization for which they work.
  2. Blue teams defend against attackers and work on the constant optimization of the protective measures used in the organization.
  3. When the work of the Red and Blue teams is properly set up in the company, a regular exchange of knowledge is established between them, constantly benefiting both.
  4. Purple teams are often used to stimulate continuous integration between the two groups, while the key problem of the Blue and Red teams remains unsolved: the difficult exchange of information between them.
  5. The Purple team can be conceptualized as a collaboration function or point of interaction, and not as an elevated and ideally redundant entity.
  6. In the organization, the sole purpose of the Red team is to increase the effectiveness of the Blue team. Therefore, the value of the Purple team should flow naturally from their interaction, and not be imposed on purpose.


  1. All of these provisions apply to any security operations, but in this article I have placed the emphasis on information security.
  2. The Tiger team is a phenomenon that resembles the Red team, but is not identical to it. In a 1964 article, a “Tiger team” was defined as “a team of untamed and unlimited security specialists selected for their experience, energy and imagination, who are charged with unswervingly tracking all possible cases of failure of certain subsystems of spacecraft.” Today, this term and “Red Team” are used as synonyms.
  3. It is important that the Red team keeps a certain distance from the organizations being tested; this is what gives it the necessary perspective and allows it to see the problem from the point of view of the attacker it mimics. Organizations that form a Red team internally, within their own security department, usually (with rare exceptions) gradually deprive the Red team of authority and of freedom in general, because of which it loses the ability to act as a real attacker. Over time (sometimes in a matter of months), Red teams that at the beginning of their work were a real elite and worked efficiently turn into constrained, rigid and, ultimately, incapable groups.
  4. The Purple team can act as an intermediary, helping the organization not only to set up programs that are not yet mature, but also to accustom managers to the actions of an attacker, which at first can simply frighten the specialists of many organizations.
  5. Another reason why the efficiency of internal Red teams gradually erodes is that members of Red teams usually fit poorly into the culture of the companies that try to hire them. In other words, a company that can afford a real Red team usually has a culture that the members of an elite Red team are not able to get along with. Because of this, the members of an internal Red team often burn out badly.
  6. It is technically possible for an internal Red team to be effective; it is simply extremely unlikely that such a team will be protected and able to count on support at a high management level. All this usually leads to destruction, frustration and burnout.
  7. A common trap that internal Red teams fall into is the restriction of their powers and areas of permitted action to the point of complete ineffectiveness. At this very moment, management brings in consultants, who enjoy full support and provide the company with a lot of interesting findings. Then management exclaims: “Wow! How cool they are! Guys, why couldn't you do the same?” Usually after such a conversation, people go on LinkedIn.
  8. Other analogies for a Red team that is not ready to cooperate: professional footballers who can only kick the ball but are not able to pass; professional claqueurs trying to applaud with one hand; professional auditors who do not write reports; professional teachers who do not interact with students. I think you understand me.
