Red? Blue? Purple! Why Collaboration Between Defense and Attack Teams is Essential

Red, blue, purple – what is it all about? We’re not talking about color theory here, but about the cybersecurity approach needed to withstand and protect an organization from increasingly sophisticated threats. 

The "color palette"

Depending on how mature a company is in terms of security, the “color palette” can vary. Companies that have security somewhere on their agenda typically have a blue team. Those that take security and cyber threats seriously also have a red team. And companies that view security as an integral part of their processes and mentality have these two teams working together. This collaboration is so essential that one could almost consider them a single team. It is this “purple” team that makes an organisation more protected and resilient to cyber threats. 

Understanding red and blue teams

For those not familiar with the terminology, the blue team is a technical security team responsible for taking measures to protect an organization from cyber threats. This includes segmentation, segregation, detection, monitoring, responding to security incidents, and essentially everything that helps build a defense against cyber threats. 

In contrast, the red team is tasked with simulating attacks to identify vulnerabilities and weaknesses in an organization’s defenses. Think of it as an in-house hacking team that helps identify risks before they can be exploited by criminals. Red team activities can include phishing simulations, penetration testing, and other exercises designed to uncover weak spots in an organization’s infrastructure. 

Purple teaming for proactive cybersecurity

In fact, both teams are critical to an organization’s security strategyWhile blue teams are more common, red teams are often deployed from an external company to conduct annual security testing. Although third-party assessments are beneficial, having a red team embedded within the organization provides much deeper insights on a continuous basis. This also means a company can simulate a scenario of a persistent attack when hackers try for weeks or months to break through security defenses.  

Integrating both teams into the organization’s security strategy is a good first step. However, many companies view these teams as working towards opposite goals. When this happens, the teams work completely separately and only report to each other as necessary. It’s a common mistake that doesn’t harness the full potential of these teams to develop a robust defense system.  

In reality, their goals are the same. Blue teams aim to bolster security and red teams work to break down those defenses. And yet, both must ensure an organization can withstand the constantly evolving landscape of cyber threats. As such, the ideal approach is one that closely aligns blue and red teams – also known as a purple team with one common goal. 

Getting to a "purple" team

For many companies, getting these teams to work together is easier said than done. At Levi9, however, we have made it work, and any company can achieve this by following certain steps:

The benefits of collaboration

Companies that successfully transition from separate red and blue teams to a unified “purple” team gain numerous benefits. Here are just a few: 

The downsides of teams working together

What about the downsides? External penetration tests might become too routine with fewer findings, and the adrenaline rush from real incidents would be a rare experience. However, these are trade-offs one can likely accept. 


So, start with “blue,” add “red,” and aim for “purple.” It requires effort and passion, but in return, you get a highly motivated, continuously growing professional team and a better-protected, more resilient company. 

In this article:

Related posts