Two Sides of the Same Problem
Every organization has a blue team, whether they call it that or not. If you have security tools deployed, a SOC (even if it is one person checking alerts), incident response procedures or monitoring dashboards, you have a blue team capability.
Far fewer organizations have a red team capability. Most do not employ internal offensive security testers. Many have never engaged an external red team. Some have never even had a basic penetration test.
This asymmetry creates a fundamental problem: your defenses are untested. You have a blue team that has never faced a red team. That is like having a goalkeeper who has never faced a shot.
What the Blue Team Does
The blue team is responsible for the defensive side of security operations. In practice, this includes:
- Security tool deployment and management: NDR platforms like Darktrace, EDR tools like CrowdStrike, SIEM platforms like Microsoft Sentinel, firewalls, web application firewalls and email security gateways
- Security Operations Center (SOC): Monitoring alerts, triaging events, investigating potential incidents and escalating confirmed threats
- Incident response: Containing confirmed incidents, performing forensic investigation, coordinating remediation and managing communication
- Vulnerability management: Scanning for known vulnerabilities, prioritizing patches and tracking remediation progress
- Security architecture: Designing network segmentation, access controls, encryption standards and security infrastructure
The blue team's strength is continuous monitoring. They watch the network around the clock. They build detection rules. They tune alert thresholds. They investigate anomalies. When an incident occurs, they are the first responders.
The blue team's weakness is perspective. They can only detect attacks they anticipate. They build detection for techniques they know about, using tools configured according to vendor recommendations. They test their tools using vendor-provided test cases. They rarely face real adversary behavior.
What the Red Team Does
The red team is responsible for the offensive side of security testing. In practice, this includes:
- Penetration testing: Systematic testing of networks, applications and infrastructure for exploitable vulnerabilities
- Adversary simulation: Emulating the techniques, tactics and procedures of real threat actors to test detection and response capabilities
- ShadowTap validation: Testing internal network defenses using a preconfigured hardware device that enables full internal testing remotely
- Social engineering: Testing human defenses through phishing campaigns, pretexting and physical security assessments
- Detection validation: Measuring whether security tools and SOC processes actually detect real attack techniques
The red team's strength is an adversary's perspective. They think like attackers. They look for the gaps between security controls. They find the paths that the blue team did not anticipate. They test assumptions.
The red team's weakness is point-in-time assessment. A penetration test or red team engagement covers a specific scope during a specific period. It does not provide continuous monitoring. It reveals the state of security at the time of testing, not on an ongoing basis.
Why You Need Both
Blue team without red team means untested defenses. You deploy tools and configure alerts, but you never validate that they catch real attacks. You spend six figures on Darktrace and trust the dashboard. You assume AI detection covers everything.
Red team without blue team means findings without follow-through. A penetration test identifies critical vulnerabilities, but without a security team to remediate, monitor for recurrence and improve controls, the findings collect dust in a PDF.
The combination is what creates actual security improvement. The blue team builds the defenses. The red team tests them. The blue team improves based on what the red team found. The red team tests again. Each cycle makes both sides stronger.
The Purple Team Approach
Traditional red team engagements are adversarial. The red team operates secretly, attempting to compromise systems without the blue team's knowledge. The blue team tries to detect and stop them. At the end, the red team delivers a report documenting what they found.
The purple team approach changes this dynamic. Instead of working against each other, the red and blue teams work together. The red team executes techniques. The blue team observes detection in real time. Both teams collaborate to understand why certain techniques were detected and others were not.
This is the approach Sherlock Forensics uses for ShadowTap validation. We execute controlled adversary techniques while your security team monitors their detection tools. After each phase, we review together: here is what we did, here is what you saw, here is what you missed. Then we discuss how to close the gaps.
The purple team approach produces better outcomes for several reasons:
- Real-time learning: The blue team sees how attacks look in their tools as they happen, not weeks later in a report
- Context-rich findings: Each finding includes the exact technique used, the detection tool's response and the gap that allowed it, giving the blue team actionable intelligence
- Collaborative improvement: Both teams contribute expertise. The red team brings offensive knowledge. The blue team brings environmental context. Together, they develop better detection strategies than either could alone.
- Reduced friction: Adversarial engagements create tension between teams. Collaborative engagements build trust and shared understanding
What This Looks Like in Practice
A typical purple team engagement with ShadowTap follows this pattern:
Day 1-2: The ShadowTap device connects to the internal network. Passive reconnaissance begins. The blue team confirms they see the new device in their monitoring tools. If they do not, that is the first finding.
Day 3-5: Active scanning and enumeration. The red team maps the internal network, identifies services and catalogs attack surface. The blue team monitors for scanning alerts. After this phase, both teams review detection results together.
Day 6-10: Controlled exploitation and lateral movement. The red team executes Active Directory attacks, credential harvesting, lateral movement and privilege escalation techniques. The blue team monitors detection tools and response processes. Daily checkpoints keep both teams aligned.
Day 11-15: Evasion technique testing. The red team tests encrypted tunnels, DNS exfiltration, identity rotation and other advanced evasion techniques. The blue team attempts to detect activity that is specifically designed to evade their tools. This phase identifies the boundary between detectable and undetectable behavior.
Day 16-20: Joint review, reporting and recommendations. Both teams walk through the complete timeline of techniques and detections. The final report includes detection rates, alert latency, coverage gaps, configuration recommendations and compensating controls.
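The joint review in the final phase turns the timeline of executed techniques and observed alerts into the numbers the report quotes (detection rate, alert latency, coverage gaps). As an added example, not Sherlock Forensics' own tooling, the following scores such a timeline: each technique the red team executed is joined to the first alert the blue team's tools raised for it within a latency window. Technique names, timestamps and the four-hour window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Technique:
    phase: str            # engagement phase from the joint timeline
    name: str             # what the red team executed
    executed_at: datetime

@dataclass
class Alert:
    technique: Optional[str]  # executed technique the blue team mapped this alert to, if any
    raised_at: datetime

def score_engagement(techniques, alerts, max_latency=timedelta(hours=4)):
    """Join each technique to the earliest matching alert within max_latency (assumed window).
    Returns per-technique results, per-phase detection rate and the list of coverage gaps."""
    results = []
    for t in techniques:
        matches = [a for a in alerts
                   if a.technique == t.name
                   and t.executed_at <= a.raised_at <= t.executed_at + max_latency]
        first = min(matches, key=lambda a: a.raised_at, default=None)
        latency = (first.raised_at - t.executed_at) if first else None
        results.append({"phase": t.phase, "technique": t.name,
                        "detected": first is not None,
                        "latency_min": None if latency is None else latency.total_seconds() / 60})
    by_phase = {}
    for r in results:
        detected, total = by_phase.get(r["phase"], (0, 0))
        by_phase[r["phase"]] = (detected + int(r["detected"]), total + 1)
    return {
        "results": results,
        "phase_detection_rate": {p: d / n for p, (d, n) in by_phase.items()},
        "coverage_gaps": [r["technique"] for r in results if not r["detected"]],
    }

# Constructed sample timeline for one engagement day (not real engagement data).
T = lambda h, m: datetime(2024, 1, 8, h, m)
SAMPLE_TECHNIQUES = [
    Technique("recon", "new device joins network", T(9, 0)),   # the Day 1-2 check
    Technique("recon", "internal port scan", T(10, 0)),
    Technique("exploitation", "credential harvesting", T(13, 0)),
    Technique("evasion", "DNS exfiltration", T(15, 0)),
]
SAMPLE_ALERTS = [
    Alert("internal port scan", T(10, 12)),
    Alert("credential harvesting", T(13, 45)),
    Alert(None, T(14, 0)),  # unrelated alert, not attributable to any technique
]

if __name__ == "__main__":
    print(score_engagement(SAMPLE_TECHNIQUES, SAMPLE_ALERTS))
```

In the sample the unseen device join surfaces as the first coverage gap, matching the Day 1-2 check described above, and the evasion phase scores zero detections.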
For Organizations Without a Formal Security Team
Not every organization has a dedicated blue team or SOC. Many mid-sized businesses rely on an IT team that handles security as a secondary responsibility, or an MSSP (managed security services provider) that monitors alerts remotely.
ShadowTap validation works for these organizations too. We coordinate with whoever manages your security tools, whether that is an internal team, an MSSP or the vendor themselves. The methodology adapts to your operational structure.
The result is the same: you learn exactly what your security tools detect and what they miss. That knowledge is valuable regardless of who manages the tools day-to-day.
At Sherlock Forensics, our background in both defensive and offensive security makes us a natural fit for purple team engagements. We have spent years on both sides. We understand what blue teams need to see and what red teams need to test.