# Blue / Purple Team Foundation

> *"Most organizations own a Ferrari-grade security stack and drive it like a rental car. The tools are not the problem. The team's ability to use them is."*

This document defines an engagement model for building **sustainable defensive capability**—not by selling more tools, but by operationalizing what the client already owns. It is designed for Heads of Security who feel they are not in control despite owning Microsoft Defender, Sentinel, and other advanced security platforms.

The focus is on **Defender Exposure Management** (formerly Microsoft Defender Threat & Vulnerability Management / Secure Score), **Sentinel** (if deployed), and the **people and processes** required to turn telemetry into action.

---

## The "Tools-Without-Capability" Trap

Many organizations have purchased or inherited an impressive security stack:

| Tool | Typical Ownership State | What the Head of Security Feels |
|------|------------------------|--------------------------------|
| **Microsoft Defender for Endpoint** (E5) | Installed on 60% of endpoints; ASR rules in audit mode; alerts ignored | "We have EDR but nobody hunts" |
| **Microsoft Sentinel** | Log ingestion configured; 47 built-in analytic rules active; 200 alerts/day; 2 analysts | "Sentinel generates noise, not intelligence" |
| **Defender for Office 365** | Safe Links enabled; 10,000 quarantined emails/month; no review process | "We catch threats but do not learn from them" |
| **Defender for Cloud / Exposure Management** | Secure Score visible; recommendations listed; remediation rate < 20% | "We know what is wrong but cannot fix it fast enough" |
| **Entra ID Identity Protection** | Risk detections logged; no automated response; manual review weekly | "We detect risky sign-ins but respond too slowly" |

**The pattern**: They own the tools. They lack the **operating rhythm**.

- No tiered alert triage (everything is "P1" or nothing is)
- No hunt hypothesis (analysts wait for alerts; they do not seek anomalies)
- No metrics that matter (the SOC reports ticket volume, not mean-time-to-contain)
- No purple team culture (offence and defence never talk)
- No continuous improvement loop (findings do not produce structural change)

---

## The Engagement Model: From Tool Ownership to Operational Capability

### Phase 1: Capability Audit (Week 1-2)

**Objective**: Assess not the tools, but the **team's ability to use them**.

> **Critical distinction for outsourced SOCs**: If the client uses an MSSP, the capability audit must assess the **MSSP's detection coverage in the client's environment**, not just the client's internal team. See [Retained Capability](retained-capability.md) for the full MSSP co-management model.

**Tool Capability Assessment**:

| Capability | Maturity Question | Score (1-5) |
|-----------|-------------------|-------------|
| **Alert Triage** | Can a Tier-1 analyst correctly prioritize a Defender alert without escalating? | |
| **Threat Hunting** | Has the team run a proactive hunt in the last 30 days? | |
| **Incident Response** | Is there a documented, tested IR playbook for M365 compromise? | |
| **Vulnerability Management** | Is there an SLA for critical vulnerability remediation? | |
| **Exposure Management** | Is Secure Score reviewed weekly with ownership assignments? | |
| **Metrics & Reporting** | Does the SOC report mean-time-to-detect and mean-time-to-contain? | |
| **Purple Team** | Have red and blue teams collaborated in the last 90 days? | |
| **Automation** | Are repeatable tasks automated (isolation, disable account, enrich alert)? | |
| **MSSP Detection Coverage** | If using an MSSP: have they detected >70% of emulated TTPs in your environment? | |

**Deliverable**: Capability Gap Report

- Current maturity score per capability
- Target maturity score (realistic 12-month goal)
- Priority gaps: which missing capabilities create the most risk?
- Tool utilization heatmap: which purchased features are unused?

**The conversation (in-house SOC)**:

> *"Your Defender Secure Score is 42 out of 100. But the score itself is not the problem. The problem is that you have 38 open recommendations, 12 of them critical, and no one owns the remediation of any of them. We are not here to raise your score. We are here to build the operating rhythm that keeps your score rising without consultant dependency."*

**The conversation (outsourced SOC / MSSP)**:

> *"Your MSSP generates 200 tickets per month and meets every SLA. But when we emulated five common attack techniques last week, the MSSP detected only two. The other three—lateral movement via RDP, data staging in unusual locations, and exfiltration via personal cloud storage—were invisible to them. Not because they are incompetent, but because their generic rules do not know your environment. We do not replace the MSSP. We build the 1.5-person detection engineering cell that writes custom rules for your environment and makes the MSSP actually effective."*

---

### Phase 2: Quick Wins & Operating Rhythm (Week 3-6)

**Objective**: Build the basic operating rhythm that makes the tools useful.

#### 2A: Defender Exposure Management Operationalization

**The tool**: Defender Exposure Management (formerly TVM / Secure Score) provides:

- Vulnerability inventory across endpoints
- Misconfiguration detection (Secure Score)
- Attack surface reduction recommendations
- Threat analytics and vulnerability exploitation intelligence

**What most organizations do**: Look at the dashboard once a quarter.

**What we implement**:

| Activity | Frequency | Owner | Output |
|----------|-----------|-------|--------|
| Secure Score review | Weekly | Security lead + IT owner | 3 prioritized remediation actions |
| Vulnerability prioritization | Weekly | Vuln management analyst | Risk-ranked list: exploitability × asset criticality |
| Exposure remediation sprint | Bi-weekly | IT + Security | Closed vulnerabilities, validated |
| Threat intelligence brief | Weekly | Threat intel analyst | New CVEs affecting our estate; hunting hypotheses |
| ASR rule review | Monthly | Endpoint security admin | Audit-mode hits analyzed; block-mode rules justified |

**The key discipline**: Every open recommendation must have an owner and a due date. No orphaned findings.

#### 2B: Alert Triage & Enrichment

**What most organizations do**: Alert arrives → analyst reads it → creates ticket → waits for senior analyst.

**What we implement**:

- **Tier-1 triage playbook**: Decision tree for common Defender alerts (suspicious PowerShell, credential dumping, lateral movement)
- **Automated enrichment**: Logic App or Power Automate flow that enriches alerts with user info, device info, recent sign-ins, and geo-location
- **Auto-response for high-confidence alerts**: Isolate device, disable user, block IP for confirmed malicious indicators
- **Alert tuning**: Disable or suppress noisy rules; customize thresholds per client environment

#### 2C: The First Hunt

**What most organizations do**: "We would hunt if we had time."

**What we implement**:

- **Hunt hypothesis workshop**: 2-hour session where the blue team proposes 3 hypotheses based on recent threat intelligence
- **Guided first hunt**: Consultant and blue team analyst pair on one hypothesis
  - Example: "We believe an adversary might be using living-off-the-land binaries (LOLBins) for reconnaissance. Let us hunt for unusual WMIC, net.exe, or nltest usage."
- **Hunt report template**: Documented findings, evidence, and structural improvements (not just "found nothing")
- **Hunt calendar**: Commit to one hunt per month for the next quarter

**For MSSP clients**: The first hunt often reveals gaps in MSSP detection coverage. These gaps become the first custom detection rules the retained capability cell writes and deploys.

**Deliverable**: Operating Rhythm Playbook

- Weekly, bi-weekly, and monthly cadence definitions
- RACI matrix for each activity
- Dashboard definitions and data sources
- Automated enrichment and response runbooks

**Tool stack for the operating rhythm**: See the [Sovereign Tool Stack](../playbooks/sovereign-tool-stack.md) for the complete open-source SOC architecture. For M365-centric environments, AOC provides audit log intelligence; Wazuh + Sysmon provide endpoint detection; TheHive + Cortex provide case management; Shuffle provides automated response. This stack replaces €200K+/year commercial SOC tooling for clients who prioritise sovereignty.

---

### Phase 3: Purple Team Foundation (Week 7-10)

**Objective**: Break the silo between offence and defence. Build collaborative muscle.

#### The Purple Team Exercise

Unlike a red team (adversarial, stealthy) or a blue team (defensive, reactive), a purple team is **collaborative and educational**:

| Phase | Red Team Action | Blue Team Action | Purple Team Outcome |
|-------|---------------|------------------|---------------------|
| **Plan** | Propose 3 TTPs to test | Evaluate detection coverage for each TTP | Agreed scope: which TTPs, which tools, which metrics |
| **Execute** | Attempt TTP in controlled manner | Observe and document what their tools see | Real-time comparison: what was expected vs. what was detected |
| **Analyze** | Explain technique and evasion methods | Explain detection logic and gaps | Shared understanding of why something was missed |
| **Improve** | Suggest additional TTPs for future | Implement detection rules, tuning, or architectural changes | Closed-loop: every missed detection becomes a structural fix |

#### First Purple Team Exercise (Example)

**Scope**: M365 identity compromise simulation

| TTP | Red Team Action | Blue Team Detection Target | Outcome |
|-----|---------------|---------------------------|---------|
| Password spray | Attempt 50 logins against 10 accounts | Entra ID Identity Protection risky sign-in alert | Did alert fire? Was it tuned? Was response automated? |
| OAuth consent grant | Create malicious enterprise app; trick user into consent | Defender for Cloud Apps anomaly alert | Is user consent blocked? Is app inventory current? |
| Mailbox rule manipulation | Create forwarding rule to external address | Defender for Office 365 alert | Is alert enabled? Who responds? How fast? |
| Lateral movement via Teams | Exfiltrate files via Teams external share | DLP / sharing anomaly alert | Are sharing policies enforced? Is external sharing monitored? |

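To make the "Password spray" row concrete, here is the kind of custom rule the blue team would write in the Improve phase if the built-in risky sign-in alert did not fire. This is an added KQL example written for this page, not a query from the engagement material; it assumes Entra ID sign-in logs land in Sentinel's `SigninLogs` table, and the three thresholds are constructed starting points to tune against the client's baseline.

```kql
// Added example: candidate Sentinel analytic rule for the "Password spray" row.
// Hypothesis: one source IP fails sign-ins against many distinct accounts with only
// a few attempts per account (low-and-slow spraying, not a brute force of one user).
// Assumptions: SigninLogs is populated via the Entra ID connector; the thresholds
// below are constructed starting points and must be tuned per environment.
let lookback   = 1h;   // spray window to evaluate
let minUsers   = 8;    // distinct accounts targeted from one IP (exercise uses 10)
let maxPerUser = 5;    // attempts per account; above this it is brute force, not spray
SigninLogs
| where TimeGenerated > ago(lookback)
// 50126 = invalid username or password: the outcome a spray produces on most accounts
| where ResultType == "50126"
| summarize
    Attempts      = count(),
    TargetedUsers = dcount(UserPrincipalName),
    SampleUsers   = make_set(UserPrincipalName, 10),
    Apps          = make_set(AppDisplayName, 5),
    FirstAttempt  = min(TimeGenerated),
    LastAttempt   = max(TimeGenerated)
    by IPAddress
// Spray signature: many accounts, few attempts each
| where TargetedUsers >= minUsers
| where Attempts <= TargetedUsers * maxPerUser
// Enrich with any successful sign-in from the same IP in the window: that is what
// turns a noisy spray into a probable compromise that needs containment, not a ticket
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(lookback) and ResultType == "0"
    | summarize SucceededFor = make_set(UserPrincipalName, 5) by IPAddress
  ) on IPAddress
| project-away IPAddress1
| extend Severity = iff(isnotnull(SucceededFor), "High", "Medium")
| order by TargetedUsers desc, Attempts desc
```

Run it first as a hunt over the exercise window to confirm the red team's 50 attempts surface as one row; only then schedule it as a rule, with the "High" branch wired to the auto-response playbook from Phase 2B.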
**Duration**: One day (not a month-long red team)

**Audience**: Blue team analysts, IT admins, security architect

**Output**: Detection gap matrix; prioritized improvements; next exercise scheduled

#### Building the Purple Team Habit

| Cadence | Activity | Participants |
|---------|----------|--------------|
| Monthly | Purple team exercise (half-day) | 1 red teamer + 2-3 blue teamers + observer |
| Monthly | Threat intel brief + hunt hypothesis | Threat intel + SOC + IT |
| Quarterly | Tabletop exercise (ransomware, BEC, insider threat) | Security + IT + Legal + Comms + Executive |
| Quarterly | Detection engineering sprint | SOC + IT + Consultant |

**Deliverable**: Purple Team Charter

- Scope rules (what is in-bounds, what is out-of-bounds)
- Cadence calendar
- Metrics: detection rate, mean-time-to-detect, false positive rate, improvement closure rate

---

### Phase 4: Roadmap & Handover (Week 11-12)

**Objective**: The team owns the capability. The consultant provides advisory oversight only.

**Activities**:

- **12-month roadmap**: Prioritized capability improvements with timelines and resource estimates
  - Month 1-3: Operating rhythm stabilized; weekly Secure Score reviews; monthly hunts
  - Month 4-6: Automated response for tier-1 alerts; SOAR playbooks (or Logic Apps)
  - Month 7-9: Advanced hunting training; custom KQL detection rules
  - Month 10-12: Full purple team program; quarterly adversarial simulation; threat-led penetration testing (DORA)
- **Knowledge transfer**: Document every custom query, playbook, and tuning decision
- **Metrics baseline**: Establish the metrics dashboard the team will use to self-assess
- **Advisory retainer**: Optional monthly 4-hour check-in for escalation support and advanced scenarios

**Deliverable**: Blue Team Capability Roadmap

- Maturity targets per capability
- Resource requirements (headcount, training, tooling)
- Quarterly milestones and validation criteria
- RACI for ongoing operations

---

## Specific Tool Deep-Dives

### Defender Exposure Management (Secure Score + TVM)

**Current state at most clients**: Secure Score is a number they see but do not act on.

**Operationalization**:

1. **Weekly Secure Score standup** (15 minutes):
   - What changed since last week?
   - What are the top 3 easiest wins?
   - What is blocked and needs escalation?
2. **Vulnerability SLA**:
   - Critical (exploited in the wild): 48 hours
   - High (exploit available): 7 days
   - Medium: 30 days
   - Low: 90 days
3. **Exposure-based prioritization**:
   - Do not patch everything. Patch the vulnerabilities on the assets that are:
     - Internet-facing
     - Privileged access
     - Unprotected by compensating controls
4. **Threat analytics integration**:
   - Review Defender Threat Analytics weekly
   - Map active threat actor TTPs to your environment
   - Generate hunt hypotheses from threat intelligence

### Microsoft Sentinel (If Deployed)

**Current state at most clients**: Ingesting logs; generating alerts; drowning in noise.

**Operationalization**:

1. **Alert quality audit**:
   - Review the last 30 days of alerts
   - Categorize: true positive, false positive, benign positive
   - Target: >70% true positive rate before adding new rules
2. **Tiered response model**:
   - Tier 1 (L1): Triage, enrichment, initial containment
   - Tier 2 (L2): Investigation, deeper analysis, escalation
   - Tier 3 (L3): Threat hunting, detection engineering, purple team
3. **Automation first**:
   - Automate enrichment before a human sees the alert
   - Automate containment for high-confidence indicators
   - Automate closure documentation
4. **Custom detection rules**:
   - Start with 3-5 high-value custom KQL rules based on your environment
   - Example: "Detect login from impossible travel + sensitive file download"
   - Validate with a purple team exercise

---

## Talking Points for the Head of Security

**When they say**: *"We have all these tools but I still do not feel in control."*

**You respond**:

> *"That is because tools do not create control. Operating rhythm creates control. You have a Ferrari but no one taught your team to drive it. I help you build the weekly cadence, the tiered response, the hunt discipline, and the purple team culture that turns telemetry into action. In 12 weeks, your team will not just own the tools. They will own the capability."*

**When they say**: *"My analysts are overwhelmed."*

**You respond**:

> *"Overwhelmed analysts are usually drowning in noise. We tune the alerts, automate the enrichment, and build a triage playbook so your Tier-1 analysts know exactly what to do with the 20 alerts they see each morning. The goal is not fewer alerts. It is more actionable alerts."*

**When they say**: *"We cannot afford a 24/7 SOC."*

**You respond**:

> *"Most organizations do not need a 24/7 SOC. They need a team that can detect, contain, and recover during business hours—and automated response for the hours they are not watching. We design for your reality, not for a Gartner ideal."*

**When they say**: *"We have never done threat hunting."*

**You respond**:

> *"Perfect. We start with one guided hunt. A 4-hour session with a hypothesis, a search, and a finding. Most teams discover something they did not know within the first two hours. Hunting is not magic. It is structured curiosity. We teach the structure."*

**When they say**: *"Our red team and blue team do not talk."*

**You respond**:

> *"That is the norm, and it is destructive. Red team thinks blue team is incompetent. Blue team thinks red team is reckless. Purple team fixes both: red team teaches technique; blue team learns to detect; both improve. We run your first purple team exercise in Week 7. It is usually the most productive security meeting the organization has had all year."*

**When they say**: *"Our outsourced SOC underperforms."*

**You respond**:

> *"Your MSSP is not failing you. You are failing to give them the context and custom detection rules they need to succeed in your environment. They run generic rules for 200 clients. Generic rules catch generic threats. Your adversaries are not generic. We do not fire the MSSP. We build a 2-person detection engineering cell inside your organization that writes custom rules for your environment, audits the MSSP's coverage quarterly, and makes your existing €600K SOC spend actually work. For the cost of one senior analyst, you transform insurance theater into actual protection."*

---

## Metrics That Prove Capability

| Before | After | What It Measures |
|--------|-------|-----------------|
| "We have 200 Sentinel alerts per day" | "We have 12 actionable alerts per day; 88% are true positives" | Alert quality |
| "Mean time to respond: 4 hours" | "Mean time to contain: 15 minutes for high-confidence alerts" | Response speed |
| "We have never hunted" | "We run one hunt per month; last hunt found 3 dormant accounts" | Proactive defence |
| "Secure Score is 42 and falling" | "Secure Score is 72 and rising; remediation SLA is 90%" | Exposure management |
| "Red team findings sit in a PDF" | "Red team findings become detection rules within 2 weeks" | Closed-loop improvement |
| "Analyst turnover is high" | "Analysts report higher satisfaction; they feel effective" | Team health |

---

## Integration With Modular Engagements

This module naturally connects to technical hardening and validation:

```
Module 3 (M365 Security Hardening) or Module 6 (On-Premise AD Hardening)
    ↓ Tools deployed but underutilized
Module 12 (Blue/Purple Team Foundation)
    ↓ Team learns to operationalize tools; builds sustainable capability
Module 10 (Red Team & Validation)
    ↓ Independent validation proves the capability works
```

It can also follow endpoint management:

```
Module 1 (Endpoint Management)
    ↓ Devices visible and compliant
Module 12 (Blue/Purple Team Foundation)
    ↓ EDR alerts now actionable; hunt on endpoint telemetry
```

---

*For the modular engagement menu, see [Modular Engagements](modular-engagements.md).*

*For embedded process assurance, see [Embedded Quality & Process Assurance](quality-management-engagement.md).*

*For organizational structure transformation, see [Organizational Resilience](organizational-resilience.md).*
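The Sentinel "alert quality audit" above and the alert-quality and response-speed rows of the metrics table can both be produced from Sentinel's own incident log, so the baseline in Phase 1 and the "After" numbers in Phase 4 come from the same query. This is an added KQL example written for this page, not a query from the engagement material; it assumes analysts set a classification when closing incidents, and it approximates acknowledgement and closure from `SecurityIncident` timestamps, since containment time itself is not a field in that table.

```kql
// Added example: monthly alert-quality and response-speed baseline from SecurityIncident.
// SecurityIncident writes a new row on every incident update, so the latest row per
// IncidentNumber is the incident's final state. Assumptions: analysts set Classification
// on close; "acknowledged" is approximated by the first modification after creation.
let window = 30d;
SecurityIncident
| where TimeGenerated > ago(window)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == "Closed" and isnotempty(ClosedTime)
| extend
    MinutesToAck   = datetime_diff('minute', FirstModifiedTime, CreatedTime),
    MinutesToClose = datetime_diff('minute', ClosedTime, CreatedTime)
| summarize
    Incidents            = count(),
    TruePositive         = countif(Classification == "TruePositive"),
    BenignPositive       = countif(Classification == "BenignPositive"),
    FalsePositive        = countif(Classification == "FalsePositive"),
    Unclassified         = countif(Classification == "Undetermined" or isempty(Classification)),
    MedianMinutesToAck   = percentile(MinutesToAck, 50),
    MedianMinutesToClose = percentile(MinutesToClose, 50),
    P90MinutesToClose    = percentile(MinutesToClose, 90)
    by Severity
// The page's gate: >70% true positives before new rules are added. Benign positives are
// counted separately: they are correct detections of authorized activity (for example
// the purple team itself) and point to tuning or allow-listing, not to a bad rule.
| extend TruePositiveRatePct = round(100.0 * TruePositive / Incidents, 1)
| extend MeetsQualityGate = TruePositiveRatePct >= 70
| order by Severity asc
```

A high Unclassified count is itself a finding: incidents closed without a classification cannot feed the audit, so closure discipline is the first thing the operating rhythm has to fix.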