antifragile/antifragile-consulting/core/blue-purple-team-foundation.md
Tomas Kracmar 2b969af2a8 feat: Add sovereign tool stack and integrate ASTRAL/AOC across playbooks
New document: Sovereign Tool Stack — complete capability map for our
open-source consulting arsenal.

Documents updated:
- sovereign-tool-stack.md (new): Maps Prowler, BloodHound, CISO Assistant,
  Purple Knight/Forest Druid, ASTRAL, and AOC to engagement modules and
  antifragile pillars. Identifies 6 gaps with recommended closes:
  Wazuh+Sysmon (EDR), Shuffle (SOAR), TheHive+Cortex (case management),
  Cartography (cloud asset mapping), Syft+Grype+Trivy (containers),
  Zeek+Suricata (network analysis). Includes per-module tool pairing,
  deployment complexity matrix, and integration architecture.
- m365-e3-hardening.md: Added ASTRAL 'configuration immunity' section
  and AOC audit log integration references
- endpoint-management-entry-vector.md: Added ASTRAL for Intune
  configuration backup and drift detection
- modular-engagements.md: Added ASTRAL and AOC to Module 1/2/3
  deliverables; linked sovereign tool stack
- retained-capability.md: Added AOC and Wazuh to detection engineering
  description
- ai-assisted-tvm.md: Added AOC and Prowler to discovery layer table
- blue-purple-team-foundation.md: Added sovereign tool stack reference
  for open-source SOC architecture
- zero-budget-hardening.md: Linked sovereign tool stack
- README.md + index.md: Added sovereign-tool-stack.md to navigation
2026-05-09 17:05:18 +02:00


Blue / Purple Team Foundation

"Most organizations own a Ferrari-grade security stack and drive it like a rental car. The tools are not the problem. The team's ability to use them is."

This document defines an engagement model for building sustainable defensive capability—not by selling more tools, but by operationalizing what the client already owns. It is designed for Heads of Security who feel they are not in control despite owning Microsoft Defender, Sentinel, and other advanced security platforms.

The focus is on Microsoft Security Exposure Management (which brings together Defender Vulnerability Management, formerly Threat & Vulnerability Management, and Secure Score), Microsoft Sentinel where it is deployed, and the people and processes required to turn telemetry into action.


The "Tools-Without-Capability" Trap

Many organizations have purchased or inherited an impressive security stack:

| Tool | Typical Ownership State | What the Head of Security Feels |
|---|---|---|
| Microsoft Defender for Endpoint (E5) | Installed on 60% of endpoints; ASR rules in audit mode; alerts ignored | "We have EDR but nobody hunts" |
| Microsoft Sentinel | Log ingestion configured; 47 built-in analytic rules active; 200 alerts/day; 2 analysts | "Sentinel generates noise, not intelligence" |
| Defender for Office 365 | Safe Links enabled; 10,000 quarantined emails/month; no review process | "We catch threats but do not learn from them" |
| Defender for Cloud / Exposure Management | Secure Score visible; recommendations listed; remediation rate < 20% | "We know what is wrong but cannot fix it fast enough" |
| Entra ID Identity Protection | Risk detections logged; no automated response; manual review weekly | "We detect risky sign-ins but respond too slowly" |

The pattern: They own the tools. They lack the operating rhythm.

  • No tiered alert triage (everything is "P1" or nothing is)
  • No hunt hypothesis (analysts wait for alerts, they do not seek anomalies)
  • No metrics that matter (SOC reports ticket volume, not mean-time-to-contain)
  • No purple team culture (offence and defence never talk)
  • No continuous improvement loop (findings do not produce structural change)

The Engagement Model: From Tool Ownership to Operational Capability

Phase 1: Capability Audit (Week 1-2)

Objective: Assess not the tools, but the team's ability to use them.

Critical distinction for outsourced SOCs: If the client uses an MSSP, the capability audit must assess the MSSP's detection coverage in the client's environment, not just the client's internal team. See Retained Capability for the full MSSP co-management model.

Tool Capability Assessment:

| Capability | Maturity Question | Score (1-5) |
|---|---|---|
| Alert Triage | Can a Tier-1 analyst correctly prioritize a Defender alert without escalating? | |
| Threat Hunting | Has the team run a proactive hunt in the last 30 days? | |
| Incident Response | Is there a documented, tested IR playbook for M365 compromise? | |
| Vulnerability Management | Is there an SLA for critical vulnerability remediation? | |
| Exposure Management | Is Secure Score reviewed weekly with ownership assignments? | |
| Metrics & Reporting | Does the SOC report mean-time-to-detect and mean-time-to-contain? | |
| Purple Team | Have red and blue teams collaborated in the last 90 days? | |
| Automation | Are repeatable tasks automated (isolation, disable account, enrich alert)? | |
| MSSP Detection Coverage | If using an MSSP: have they detected >70% of emulated TTPs in your environment? | |

Deliverable: Capability Gap Report

  • Current maturity score per capability
  • Target maturity score (realistic 12-month goal)
  • Priority gaps: which missing capabilities create the most risk?
  • Tool utilization heatmap: which purchased features are unused?

The conversation (in-house SOC):

"Your Defender Secure Score is 42 out of 100. But the score itself is not the problem. The problem is that you have 38 open recommendations, 12 of them critical, and no one owns the remediation of any of them. We are not here to raise your score. We are here to build the operating rhythm that keeps your score rising without consultant dependency."

The conversation (outsourced SOC / MSSP):

"Your MSSP generates 200 tickets per month and meets every SLA. But when we emulated five common attack techniques last week, the MSSP detected only two. The other three—lateral movement via RDP, data staging in unusual locations, and exfiltration via personal cloud storage—were invisible to them. Not because they are incompetent, but because their generic rules do not know your environment. We do not replace the MSSP. We build the 1.5-person detection engineering cell that writes custom rules for your environment and makes the MSSP actually effective."


Phase 2: Quick Wins & Operating Rhythm (Week 3-6)

Objective: Build the basic operating rhythm that makes the tools useful.

2A: Defender Exposure Management Operationalization

The tool: Microsoft Security Exposure Management (the successor to Defender Threat & Vulnerability Management, now Defender Vulnerability Management, and the home of Secure Score) provides:

  • Vulnerability inventory across endpoints
  • Misconfiguration detection (Secure Score)
  • Attack surface reduction recommendations
  • Threat analytics and vulnerability exploitation intelligence

What most organizations do: Look at the dashboard once a quarter.

What we implement:

| Activity | Frequency | Owner | Output |
|---|---|---|---|
| Secure Score review | Weekly | Security lead + IT owner | 3 prioritized remediation actions |
| Vulnerability prioritization | Weekly | Vuln management analyst | Risk-ranked list: exploitability × asset criticality |
| Exposure remediation sprint | Bi-weekly | IT + Security | Closed vulnerabilities, validated |
| Threat intelligence brief | Weekly | Threat intel analyst | New CVEs affecting our estate; hunting hypotheses |
| ASR rule review | Monthly | Endpoint security admin | Audit-mode hits analyzed; block-mode rules justified |

The key discipline: Every open recommendation must have an owner and a due date. No orphaned findings.

2B: Alert Triage & Enrichment

What most organizations do: Alert arrives → analyst reads it → creates ticket → waits for senior analyst.

What we implement:

  • Tier-1 triage playbook: Decision tree for common Defender alerts (suspicious PowerShell, credential dumping, lateral movement)
  • Automated enrichment: Logic App or Power Automate flow that enriches alerts with user info, device info, recent sign-ins, geo-location
  • Auto-response for high-confidence alerts: Isolate device, disable user, block IP for confirmed malicious indicators
  • Alert tuning: Disable or suppress noisy rules; customize thresholds per client environment

2C: The First Hunt

What most organizations do: "We would hunt if we had time."

What we implement:

  • Hunt hypothesis workshop: 2-hour session where blue team proposes 3 hypotheses based on recent threat intelligence
  • Guided first hunt: Consultant and blue team analyst pair on one hypothesis
    • Example: "We believe an adversary might be using living-off-the-land binaries (LOLBin) for reconnaissance. Let us hunt for unusual WMIC, net.exe, or nltest usage."
  • Hunt report template: Documented findings, evidence, and structural improvements (not just "found nothing")
  • Hunt calendar: Commit to one hunt per month for the next quarter

For MSSP clients: The first hunt often reveals gaps in MSSP detection coverage. These gaps become the first custom detection rules the retained capability cell writes and deploys.
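The LOLBin reconnaissance hunt from the workshop example, written out as an advanced-hunting query. This is an added example, not a query from the original page or from any Microsoft content pack. It runs against the Defender for Endpoint DeviceProcessEvents and DeviceInfo tables (also reachable from Sentinel through the Defender XDR connector). The 14-day window, the 7-day novelty baseline, the argument list and the excluded machine group name Tier0-Admin-Hosts are assumptions to tune per estate.

```kql
// Hunt hypothesis: an adversary is using living-off-the-land binaries for
// host and domain reconnaissance. Added example; tune the lists per estate.
let lookback = 14d;
let novelty_baseline = 7d;   // assumption: "new" = first seen in the last 7 days
let recon_bins = dynamic(["wmic.exe", "net.exe", "net1.exe", "nltest.exe", "whoami.exe", "dsquery.exe"]);
// Arguments that indicate discovery rather than routine use of these binaries
let recon_args = dynamic(["domain_trusts", "dclist", "/domain", "/all", "qfe",
                          "useraccount", "computersystem", "administrators", "trusted_domains"]);
// Machine group where scripted recon is expected (assumed name; adjust to your groups)
let excluded_groups = dynamic(["Tier0-Admin-Hosts"]);
let device_groups =
    DeviceInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, MachineGroup) by DeviceId
    | project DeviceId, MachineGroup;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (recon_bins)
| where ProcessCommandLine has_any (recon_args)
| join kind=leftouter device_groups on DeviceId
| where isempty(MachineGroup) or MachineGroup !in (excluded_groups)
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Executions = count(),
    DistinctCommands = dcount(ProcessCommandLine),
    SampleCommands = make_set(ProcessCommandLine, 5),
    Parents = make_set(InitiatingProcessFileName, 5)
    by DeviceName, AccountName, FileName
// Novelty check: this device/account pair first ran recon-style commands inside the baseline window
| extend NewInWindow = FirstSeen > ago(novelty_baseline)
// Hands-on-keyboard signal: several distinct commands in a short burst
| extend BurstMinutes = datetime_diff("minute", LastSeen, FirstSeen)
| order by NewInWindow desc, DistinctCommands desc, Executions desc
```

Read the result top-down: a pair that is new in the window, ran several distinct commands within a few minutes, and was spawned from an unexpected parent (an Office process, a browser, a scheduled task) is the lead to pull; a known admin account running the same commands from a management console every Monday is the baseline you document in the hunt report so the next hunt can exclude it.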

Deliverable: Operating Rhythm Playbook

Tool stack for the operating rhythm: See the Sovereign Tool Stack for the complete open-source SOC architecture. For M365-centric environments, AOC provides audit log intelligence; Wazuh + Sysmon provide endpoint detection; TheHive + Cortex provide case management; Shuffle provides automated response. This stack replaces €200K+/year commercial SOC tooling for clients who prioritise sovereignty.

  • Weekly, bi-weekly, and monthly cadence definitions
  • RACI matrix for each activity
  • Dashboard definitions and data sources
  • Automated enrichment and response runbooks

Phase 3: Purple Team Foundation (Week 7-10)

Objective: Break the silo between offence and defence. Build collaborative muscle.

The Purple Team Exercise

Unlike a red team (adversarial, stealthy) or a blue team (defensive, reactive), a purple team is collaborative and educational:

| Phase | Red Team Action | Blue Team Action | Purple Team Outcome |
|---|---|---|---|
| Plan | Propose 3 TTPs to test | Evaluate detection coverage for each TTP | Agreed scope: which TTPs, which tools, which metrics |
| Execute | Attempt TTP in controlled manner | Observe and document what their tools see | Real-time comparison: what was expected vs. what was detected |
| Analyze | Explain technique and evasion methods | Explain detection logic and gaps | Shared understanding of why something was missed |
| Improve | Suggest additional TTPs for future | Implement detection rules, tuning, or architectural changes | Closed-loop: every missed detection becomes a structural fix |

First Purple Team Exercise (Example)

Scope: M365 identity compromise simulation

| TTP | Red Team Action | Blue Team Detection Target | Outcome |
|---|---|---|---|
| Password spray | Try two or three common passwords against 50+ accounts, slowly enough to stay under the lockout threshold (many accounts, few attempts each) | Entra ID Identity Protection risky sign-in / password spray alert | Did alert fire? Was it tuned? Was response automated? |
| OAuth consent grant | Register a malicious multi-tenant app; phish a user into granting consent | Defender for Cloud Apps OAuth app anomaly alert | Is user consent restricted (admin consent workflow)? Is the app inventory current? |
| Mailbox rule manipulation | Create an inbox rule forwarding mail to an external address | Defender for Office 365 suspicious forwarding alert | Is alert enabled? Who responds? How fast? |
| Exfiltration via Teams | Share files with an external party through Teams / SharePoint | DLP / sharing anomaly alert | Are sharing policies enforced? Is external sharing monitored? |

Duration: One day (not a month-long red team)
Audience: Blue team analysts, IT admins, security architect
Output: Detection gap matrix; prioritized improvements; next exercise scheduled
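A Sentinel detection for the password spray TTP in the exercise above, so the blue team has something concrete to compare against the Identity Protection alert during the Analyze phase. This is an added example, not a Microsoft built-in rule and not from the original page. It uses the Sentinel SigninLogs table, where ResultType is a string; the thresholds, the 1-hour window and the known_egress address 203.0.113.10 are assumptions. The point it encodes: a spray is many accounts and few attempts per account from one source, so it counts distinct accounts per IP rather than failures per account.

```kql
// Password spray detection over Entra ID sign-in logs. Added example; thresholds assumed.
let lookback = 1d;
let window = 1h;
let min_sprayed_accounts = 10;    // distinct accounts with a wrong-password failure from one IP per window
let max_attempts_per_account = 3; // sprays stay below the Smart Lockout threshold
// Corporate egress addresses where many users sign in legitimately (assumed, documentation range)
let known_egress = dynamic(["203.0.113.10"]);
// Entra ID result codes of interest (strings in SigninLogs):
// 50126 wrong password, 50053 account locked, 50057 account disabled,
// 50055 password expired, 50076 MFA required (credential was valid), 0 success
let interesting_codes = dynamic(["50126", "50053", "50057", "50055", "50076", "0"]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType in (interesting_codes)
| where IPAddress !in (known_egress)
| summarize
    Attempts = count(),
    WrongPassword = countif(ResultType == "50126"),
    ValidPassword = countif(ResultType in ("50076", "0")),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress, UserPrincipalName, Window = bin(TimeGenerated, window)
| summarize
    Targets = dcount(UserPrincipalName),
    SprayedAccounts = dcountif(UserPrincipalName, WrongPassword > 0),
    MaxAttemptsPerAccount = max(Attempts),
    AccountsWithValidPassword = dcountif(UserPrincipalName, ValidPassword > 0),
    HitAccounts = make_set_if(UserPrincipalName, ValidPassword > 0, 20),
    FirstSeen = min(FirstSeen),
    LastSeen = max(LastSeen)
    by IPAddress, Window
// Spray shape: wide (many accounts) and shallow (few attempts each)
| where SprayedAccounts >= min_sprayed_accounts and MaxAttemptsPerAccount <= max_attempts_per_account
// A valid credential from a spraying source is the incident, not the spray itself
| extend Severity = iff(AccountsWithValidPassword > 0, "High", "Medium")
| order by AccountsWithValidPassword desc, SprayedAccounts desc
```

During the exercise, run the red team's spray from a single source with the thresholds above and note which fires first, the Identity Protection detection or this rule; if the red team spreads the spray across several source addresses per window, the rule goes quiet, which is exactly the gap to record in the detection gap matrix.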

Building the Purple Team Habit

| Cadence | Activity | Participants |
|---|---|---|
| Monthly | Purple team exercise (half-day) | 1 red teamer + 2-3 blue teamers + observer |
| Monthly | Threat intel brief + hunt hypothesis | Threat intel + SOC + IT |
| Quarterly | Tabletop exercise (ransomware, BEC, insider threat) | Security + IT + Legal + Comms + Executive |
| Quarterly | Detection engineering sprint | SOC + IT + Consultant |

Deliverable: Purple Team Charter

  • Scope rules (what is in-bounds, what is out-of-bounds)
  • Cadence calendar
  • Metrics: detection rate, mean-time-to-detect, false positive rate, improvement closure rate

Phase 4: Roadmap & Handover (Week 11-12)

Objective: The team owns the capability. The consultant provides advisory oversight only.

Activities:

  • 12-month roadmap: Prioritized capability improvements with timelines and resource estimates
    • Month 1-3: Operating rhythm stabilized; weekly Secure Score reviews; monthly hunts
    • Month 4-6: Automated response for tier-1 alerts; SOAR playbooks (or Logic Apps)
    • Month 7-9: Advanced hunting training; custom KQL detection rules
    • Month 10-12: Full purple team program; quarterly adversarial simulation; threat-led penetration testing (DORA)
  • Knowledge transfer: Document every custom query, playbook, and tuning decision
  • Metrics baseline: Establish the metrics dashboard the team will use to self-assess
  • Advisory retainer: Optional monthly 4-hour check-in for escalation support and advanced scenarios

Deliverable: Blue Team Capability Roadmap

  • Maturity targets per capability
  • Resource requirements (headcount, training, tooling)
  • Quarterly milestones and validation criteria
  • RACI for ongoing operations

Specific Tool Deep-Dives

Defender Exposure Management (Secure Score + TVM)

Current state at most clients: Secure Score is a number they see but do not act on.

Operationalization:

  1. Weekly Secure Score standup (15 minutes):

    • What changed since last week?
    • What are the top 3 easiest wins?
    • What is blocked and needs escalation?
  2. Vulnerability SLA:

    • Critical (exploited in the wild): 48 hours
    • High (exploit available): 7 days
    • Medium: 30 days
    • Low: 90 days
  3. Exposure-based prioritization:

    • Do not patch everything. Patch the vulnerabilities on the assets that are:
      • Internet-facing
      • Privileged access
      • Unprotected by compensating controls
  4. Threat analytics integration:

    • Review Defender Threat Analytics weekly
    • Map active threat actor TTPs to your environment
    • Generate hunt hypotheses from threat intelligence
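The risk-ranked list the weekly vulnerability prioritization row calls for (exploitability × asset criticality), combined with the exposure-based patching rule in step 3, as one query. This is an added example over the Defender Vulnerability Management advanced-hunting tables DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB and DeviceInfo; it is not a Microsoft report and not from the original page. Assumptions: the KB table says whether an exploit is available but not whether it is exploited in the wild, so the kev_cves list is a placeholder to be filled from Threat Analytics or the CISA KEV catalogue; the privileged machine group names, the scoring weights and the mapping onto the SLA tiers in step 2 are illustrative.

```kql
// Exposure-based vulnerability prioritisation. Added example; weights and group names assumed.
// Placeholder list of CVEs known to be exploited in the wild (fill from Threat Analytics / CISA KEV)
let kev_cves = dynamic(["CVE-0000-0000"]);
// Machine groups that hold privileged access (assumed names)
let privileged_groups = dynamic(["Tier0-Admin-Hosts", "Domain Controllers"]);
let devices =
    DeviceInfo
    | where Timestamp > ago(7d)
    | where OnboardingStatus == "Onboarded"
    | summarize arg_max(Timestamp, IsInternetFacing, ExposureLevel, MachineGroup) by DeviceId
    | extend IsPrivileged = MachineGroup in (privileged_groups)
    | project DeviceId, IsInternetFacing, ExposureLevel, IsPrivileged;
let kb =
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate;
DeviceTvmSoftwareVulnerabilities
| join kind=inner kb on CveId
| join kind=inner devices on DeviceId
| extend ExploitedInWild = CveId in (kev_cves)
// Exploitability: exploited in the wild > public exploit available > none
| extend ExploitScore = case(ExploitedInWild, 3, IsExploitAvailable, 2, 1)
// Asset criticality: internet-facing, privileged, and "High" exposure level each add one
| extend AssetScore = 1 + toint(IsInternetFacing) + toint(IsPrivileged) + iff(ExposureLevel == "High", 1, 0)
| extend RiskRank = ExploitScore * AssetScore * CvssScore
// One reading of the SLA tiers: exploited 48h, exploit available 7d, otherwise by severity
| extend RemediationSLA = case(
    ExploitedInWild, "48h",
    IsExploitAvailable, "7d",
    VulnerabilitySeverityLevel in ("Critical", "High", "Medium"), "30d",
    "90d")
| summarize
    Devices = dcount(DeviceId),
    InternetFacing = dcountif(DeviceId, IsInternetFacing),
    Privileged = dcountif(DeviceId, IsPrivileged),
    TopRisk = max(RiskRank),
    Update = take_any(RecommendedSecurityUpdate)
    by CveId, SoftwareName, VulnerabilitySeverityLevel, RemediationSLA, CvssScore
| order by TopRisk desc
| take 50
```

The top of this list is the input to the bi-weekly remediation sprint: each row carries the CVE, the software, the number of internet-facing and privileged devices affected, the recommended update and the SLA tier, which is enough to assign an owner and a due date without a separate spreadsheet. The rows that stay on the list across two sprints are the "blocked and needs escalation" items for the weekly standup.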

Microsoft Sentinel (If Deployed)

Current state at most clients: Ingesting logs; generating alerts; drowning in noise.

Operationalization:

  1. Alert quality audit:

    • Review last 30 days of alerts
    • Categorize: true positive, false positive, benign positive
    • Target: >70% true positives among classified (closed) incidents before adding new rules; track benign positives separately, since they are tuning work rather than detection failures
  2. Tiered response model:

    • Tier 1 (L1): Triage, enrichment, initial containment
    • Tier 2 (L2): Investigation, deeper analysis, escalation
    • Tier 3 (L3): Threat hunting, detection engineering, purple team
  3. Automation first:

    • Automate enrichment before human sees alert
    • Automate containment for high-confidence indicators
    • Automate closure documentation
  4. Custom detection rules:

    • Start with 3-5 high-value custom KQL rules based on your environment
    • Example: "Detect login from impossible travel + sensitive file download"
    • Validate with purple team exercise
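The alert quality audit in step 1, as a query over Sentinel's SecurityIncident table. This is an added example, not part of the original page and not a Microsoft workbook. It takes each incident's latest state (so an incident reclassified after closure counts once), groups by the rule title, and turns the >70% target into a per-rule action. The 30-day window, the minimum incident count and the 30%/70% cut-offs are assumptions.

```kql
// Alert quality audit: true/false/benign positive rate per analytic rule. Added example; thresholds assumed.
let lookback = 30d;
let min_incidents = 5;   // ignore rules with too few incidents to judge
SecurityIncident
| where TimeGenerated > ago(lookback)
// The table is append-only; keep the latest row per incident
| summarize arg_max(TimeGenerated, Status, Classification, ClassificationReason, Severity, Title) by IncidentNumber
// Only closed incidents carry a classification; open ones are counted separately
| extend Outcome = case(
    Status != "Closed", "Open",
    Classification == "TruePositive", "TruePositive",
    Classification == "BenignPositive", "BenignPositive",
    Classification == "FalsePositive", "FalsePositive",
    "Undetermined")
| summarize
    Incidents = count(),
    Open = countif(Outcome == "Open"),
    TruePositive = countif(Outcome == "TruePositive"),
    BenignPositive = countif(Outcome == "BenignPositive"),
    FalsePositive = countif(Outcome == "FalsePositive"),
    Undetermined = countif(Outcome == "Undetermined")
    by Title, Severity
| extend Classified = TruePositive + BenignPositive + FalsePositive
| extend TruePositiveRate = iff(Classified > 0, round(100.0 * TruePositive / Classified, 1), real(null))
| where Incidents >= min_incidents
// Turn the number into the decision the weekly review has to make
| extend Action = case(
    Classified == 0, "Not being closed: triage backlog, not a tuning problem",
    TruePositiveRate < 30, "Tune or disable",
    TruePositiveRate < 70, "Tune thresholds / add exclusions",
    "Keep")
| order by Incidents desc
```

Two things this surfaces that a raw alert count hides: rules whose incidents are never closed at all (the analysts are not reaching them, which is a capacity problem), and rules with a high benign-positive share (the detection is sound but needs an allowlist, which is a tuning problem). Both are different work from a rule that is simply wrong.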

Talking Points for the Head of Security

When they say: "We have all these tools but I still do not feel in control."

You respond:

"That is because tools do not create control. Operating rhythm creates control. You have a Ferrari but no one taught your team to drive it. I help you build the weekly cadence, the tiered response, the hunt discipline, and the purple team culture that turns telemetry into action. In 12 weeks, your team will not just own the tools. They will own the capability."

When they say: "My analysts are overwhelmed."

You respond:

"Overwhelmed analysts are usually drowning in noise. We tune the alerts, automate the enrichment, and build a triage playbook so your Tier-1 analysts know exactly what to do with the 20 alerts they see each morning. The goal is not fewer alerts. It is more actionable alerts."

When they say: "We cannot afford a 24/7 SOC."

You respond:

"Most organizations do not need a 24/7 SOC. They need a team that can detect, contain, and recover during business hours—and automated response for the hours they are not watching. We design for your reality, not for a Gartner ideal."

When they say: "We have never done threat hunting."

You respond:

"Perfect. We start with one guided hunt. A 4-hour session with a hypothesis, a search, and a finding. Most teams discover something they did not know within the first two hours. Hunting is not magic. It is structured curiosity. We teach the structure."

When they say: "Our red team and blue team do not talk."

You respond:

"That is the norm, and it is destructive. Red team thinks blue team is incompetent. Blue team thinks red team is reckless. Purple team fixes both: red team teaches technique; blue team learns to detect; both improve. We run your first purple team exercise in Week 7. It is usually the most productive security meeting the organization has had all year."

When they say: "Our outsourced SOC underperforms."

You respond:

"Your MSSP is not failing you. You are failing to give them the context and custom detection rules they need to succeed in your environment. They run generic rules for 200 clients. Generic rules catch generic threats. Your adversaries are not generic. We do not fire the MSSP. We build a 1.5-person detection engineering cell inside your organization that writes custom rules for your environment, audits the MSSP's coverage quarterly, and makes your existing €600K SOC spend actually work. For the cost of one senior analyst, you transform insurance theater into actual protection."


Metrics That Prove Capability

| Before | After | What It Measures |
|---|---|---|
| "We have 200 Sentinel alerts per day" | "We have 12 actionable alerts per day; 88% are true positives" | Alert quality |
| "Mean time to respond: 4 hours" | "Mean time to contain: 15 minutes for high-confidence alerts" | Response speed |
| "We have never hunted" | "We run one hunt per month; last hunt found 3 dormant accounts" | Proactive defence |
| "Secure Score is 42 and falling" | "Secure Score is 72 and rising; remediation SLA is 90%" | Exposure management |
| "Red team findings sit in a PDF" | "Red team findings become detection rules within 2 weeks" | Closed-loop improvement |
| "Analyst turnover is high" | "Analysts report higher satisfaction; they feel effective" | Team health |

Integration With Modular Engagements

This module naturally connects to technical hardening and validation:

Module 3 (M365 Security Hardening) or Module 6 (On-Premise AD Hardening)
              ↓ Tools deployed but underutilized
Module 12 (Blue/Purple Team Foundation)
              ↓ Team learns to operationalize tools; builds sustainable capability
Module 10 (Red Team & Validation)
              ↓ Independent validation proves the capability works

It can also follow endpoint management:

Module 1 (Endpoint Management)
              ↓ Devices visible and compliant
Module 12 (Blue/Purple Team Foundation)
              ↓ EDR alerts now actionable; hunt on endpoint telemetry

For the modular engagement menu, see Modular Engagements. For embedded process assurance, see Embedded Quality & Process Assurance. For organizational structure transformation, see Organizational Resilience.