Quarterly purple-team exercises
Demonstrate that the organization conducts quarterly collaborative offensive-defensive security exercises that test detection and response capabilities against realistic attack scenarios, and that findings drive measurable improvements to security controls.
Description
What this control does
Quarterly purple-team exercises are coordinated engagements in which offensive security professionals (red team) execute realistic attack scenarios while defensive teams (blue team) detect and respond, with both sides collaborating in real time to identify gaps. Unlike standalone penetration tests, whose findings typically arrive only in a final report, purple teaming emphasizes knowledge transfer, improvement of defensive visibility, and iterative feedback loops during the engagement itself. These exercises validate detection coverage, response procedures, and cross-functional coordination under simulated adversary conditions, confirming that security controls perform as designed against current threat actor tradecraft rather than assuming they do.
Control objective
What auditing this proves
Demonstrate that the organization conducts quarterly collaborative offensive-defensive security exercises that test detection and response capabilities against realistic attack scenarios, and that findings drive measurable improvements to security controls.
Associated risks
Risks this control addresses
- Undetected adversary persistence techniques bypassing monitoring tools due to untested detection rules and blind spots in telemetry collection
- Incident response procedures failing under realistic attack conditions due to lack of practice with coordinated multi-stage threats
- Security tool misconfiguration or coverage gaps remaining unidentified until an actual breach occurs
- Defensive team skill atrophy and unfamiliarity with current attacker tactics, techniques, and procedures (TTPs) as catalogued in frameworks such as MITRE ATT&CK
- Excessive alert fatigue and tuning errors causing critical security events to be missed or deprioritized during active attacks
- Lateral movement and privilege escalation paths exploited by attackers that were never validated through adversarial testing
- Lack of evidence that security investments are effective, leaving no measurable basis for demonstrating improvement in defensive capability over time
Testing procedure
How an auditor verifies this control
- Obtain the purple-team exercise schedule and verify exercises occur at least quarterly for the audit period under review.
- Review scoping documentation for each exercise including targeted systems, attack scenarios selected, MITRE ATT&CK techniques covered, and participating personnel from both offensive and defensive teams.
- Examine pre-exercise planning materials including threat intelligence briefings, scenario objectives, rules of engagement, and escalation procedures.
- Select a sample of completed purple-team exercises and obtain full after-action reports documenting attack paths executed, detections triggered, gaps identified, and blue team response timelines.
- Verify that exercises tested specific detection capabilities mapped to critical assets and high-priority threat scenarios relevant to the organization's risk profile.
- Review evidence of real-time collaboration during exercises such as communications logs, joint debriefs, or synchronized attack-and-detect documentation showing knowledge transfer occurred.
- Trace identified gaps from exercise findings to remediation activities including detection rule updates, response playbook modifications, tool configuration changes, or training initiatives with completion dates.
- Interview security operations and engineering staff to validate that purple-team feedback has been integrated into ongoing security improvements and operational practices.
Where this control is tested