Review: Practical Purple Teaming
Practical Purple Teaming is a guide to building stronger collaboration between offensive and defensive security teams. The book focuses on how to design and run effective purple team exercises that improve detection and response and strengthen trust between teams.
About the author
Alfie Champion is a Senior Security Analyst at GitHub who has fostered and developed purple team functions over the last decade, both with internal teams and while consulting. Champion has delivered talks and workshops at conferences like Black Hat USA, DEF CON, and RSAC.
Inside the book
The book is divided into three parts. The first part explains the foundations of purple teaming, including how it differs from red teaming and penetration testing. It also introduces common frameworks such as MITRE ATT&CK. This section gives readers the background needed to understand why purple teaming matters and how it fits into a broader security strategy.
The second part is about building and using an attack emulation and detection lab. Champion walks through setting up an environment where teams can safely test attacks and defenses. He covers tools like Atomic Red Team, MITRE Caldera, and Mythic, and shows how to gather logs and telemetry to measure results.
The third part shifts to the process of organizing and scaling a purple team program. This includes reporting, tracking improvements over time, and building a sustainable function within an organization. I appreciated the focus on making purple teaming a regular, integrated activity rather than a one-time event. Champion emphasizes the need for communication and measurable outcomes, which are often missing from traditional red team engagements.
The author strikes a balance between technical detail and process guidance. While there are plenty of examples of tools and techniques, the real value is in the framework he provides for collaboration. He highlights the importance of shared goals between offensive and defensive teams and shows how structured exercises can close detection gaps before attackers exploit them.
A red teamer will find practical advice on how to emulate attacks in a way that benefits defenders, while blue teamers will learn how to interpret results and improve their defenses. Security leaders will gain insight into how to measure progress and justify investment in purple team efforts.
One thing that stood out to me was the emphasis on repeatability. Champion outlines how to move from ad hoc testing to a consistent program that produces ongoing value. This includes automating parts of the process and using open-source resources like Splunk’s Attack Range. The approach feels realistic and scalable, which is important for teams that need to demonstrate improvement over time.
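To make the "measure results" and "track improvements over time" ideas above concrete, here is an added example (not code from the book or its author) that records which emulated ATT&CK techniques produced a detection in each exercise run and reports what was fixed, what regressed, and where the remaining gaps are. The exercise results are constructed sample data; the technique IDs are real ATT&CK identifiers used only for illustration.

```python
"""Added example: track ATT&CK detection coverage across repeated
purple-team exercises. RESULTS is constructed sample data, not real telemetry."""
from collections import defaultdict

# Constructed results: (exercise_date, technique_id, tactic, detected?)
RESULTS = [
    ("2024-01-15", "T1059.001", "execution", False),
    ("2024-01-15", "T1003.001", "credential-access", True),
    ("2024-01-15", "T1021.002", "lateral-movement", False),
    ("2024-04-10", "T1059.001", "execution", True),
    ("2024-04-10", "T1003.001", "credential-access", True),
    ("2024-04-10", "T1021.002", "lateral-movement", False),
    ("2024-04-10", "T1053.005", "persistence", False),
]

def coverage_by_exercise(results):
    """Return {date: {technique: detected}} for each exercise run."""
    runs = defaultdict(dict)
    for date, tech, _tactic, detected in results:
        runs[date][tech] = detected
    return dict(runs)

def coverage_ratio(run):
    """Fraction of emulated techniques that produced a detection."""
    return sum(run.values()) / len(run) if run else 0.0

def tactic_gaps(results, date):
    """Techniques still undetected in a given exercise, grouped by tactic."""
    gaps = defaultdict(list)
    for d, tech, tactic, detected in results:
        if d == date and not detected:
            gaps[tactic].append(tech)
    return dict(gaps)

def delta(results, earlier, later):
    """Changes in detection status between two exercises:
    'fixed' = newly detected, 'regressed' = previously detected but now
    missed, 'new_gaps' = first emulated in the later run and missed."""
    runs = coverage_by_exercise(results)
    a, b = runs[earlier], runs[later]
    fixed = sorted(t for t in a if t in b and not a[t] and b[t])
    regressed = sorted(t for t in a if t in b and a[t] and not b[t])
    new_gaps = sorted(t for t in b if t not in a and not b[t])
    return {"fixed": fixed, "regressed": regressed, "new_gaps": new_gaps}

if __name__ == "__main__":
    for date, run in sorted(coverage_by_exercise(RESULTS).items()):
        print(date, f"coverage={coverage_ratio(run):.0%}", tactic_gaps(RESULTS, date))
    print(delta(RESULTS, "2024-01-15", "2024-04-10"))
```

Feeding each exercise's results into a record like this is what turns a one-off test into the repeatable, measurable program the review describes: the delta between runs is the evidence that a detection gap was actually closed (or reopened).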
Who is it for?
Practical Purple Teaming serves as a playbook for building a culture of collaboration between offense and defense. It’s well suited for anyone involved in security operations, whether they are running exercises, responding to incidents, or setting strategy. It provides a roadmap for making purple teaming a core part of an organization’s security practice.
For teams that have struggled to connect offensive findings with defensive improvements, this guide offers a practical path forward.