The hard part of the purple team starts after the discovery

In my recent CSO articles, I talked about the limitations of current SOC models and the importance of iteration. This time, I want to focus on something that is becoming increasingly clear: the purple team has lost its depth.

We’ve turned one of the most powerful resilience tools into a commercial exercise that sounds reassuring but reveals very little about how the organization will cope when the pressure is real.

Care and attention have become rare commodities in our world. Disruption dominates both the demand and the supply side of cybersecurity. Clients are drawn to complexity and innovation, while service providers are drawn to deadlines and deliverables.

Meanwhile, attackers — increasingly empowered by AI — are getting faster, quieter, and more determined.

If threats move that fast, surface-level testing is no longer enough.

The absence of findings is not the absence of risk

I’ve seen this pattern all over the place: a purple team engagement produces an impressive set of results. The report looks good. The findings are consistent with expectations. Leadership feels validated.

But the result is often treated as the whole story, as if the absence of findings meant the absence of risk. This is a mistake.

The industry’s approach to purple teaming is shaped by time pressure, commercial constraints, and a very narrow scope. None of this is malicious; it’s just how the market has evolved. Suppliers deliver what they are contracted to deliver, and clients take the report as a sign of depth.

Omissions, often due to time constraints or lack of mental space, are invisible. And invisible gaps are the most dangerous kind.

Two “must not break” clients

Recently, we worked with two extremely mature organizations. On paper, both looked tight and unbreakable.

Instead of running a standard purple team engagement, we designed one in collaboration with them. We looked at the problem the way a determined attacker would, and we shared confidential information freely, ours and theirs. Most importantly, everyone involved had visibility into the controls in place. It was a real cyber security partnership, not an experiment.

And both organizations were compromised – deeply – with almost no sign of compromise.

In one case, there was only a single indicator of compromise: “domain admin.” Nothing on how it happened. Nothing on what to do next. No natural or automatic response. Just a light turning red with no playbook behind it.

In the other, the SOC received many signals but did not act in time. Detection without action is just noise.

The experience humbled us. And it forced a blunt question: “You saw us. Now what?”

That’s the real test. Not whether the SOC sees something, but whether you do something — fast enough and precisely enough — to stop the damage.

A regular purple team can’t get you there

The purple team should be the discipline that surfaces these truths, but the current model rarely does. Service providers tend to focus on throughput, exploitation, and efficiency. Clients focus on closing tickets, completing engagements, and receiving the report.

Neither mindset creates the necessary space for critical thinking.

If we had rushed our work, we would never have found what we did. Time pressure shapes results more than most organizations realize. When exploration is boxed into a standard 9-to-5, it limits how far teams can push into the situations that produce real insight.

The intensity of the “brake” moment

Imagine you are driving, and you see the car in front suddenly brake. Awareness helps, but it’s your quick reaction that avoids the collision. Insurance plans don’t matter at that point. Nor do compliance reports or dashboards.

Only vigilance and repetition matter.

Cyber resilience works the same way. You can’t build the reflexes you need by running one simulation a year. You build them by repetition. By examining how specific situations unfold. By studying not only how adversaries get in, but also how they move, escalate, evade, and exit.

This is the heart of a true purple team.

AI did not help either organization

Both clients had AI embedded in their SOCs. And it made no difference.

AI can accelerate analysis, but it cannot replace the intuition, design, or judgment required to act on it. If the organization hasn’t practiced what to do when the signal appears, AI only accelerates the moment when everyone realizes they don’t know what happens next.

This is why so much testing today only addresses opportunistic attacks. It clears the low-hanging fruit. But if organized crime wanted these organizations, it would have them. And that’s not an easy sentence to write.

A model that creates false confidence

The typical engagement model works against everyone involved:

  • One test creates false confidence.
  • Scoping limits thinking.
  • Time pressure kills depth.
  • Commercial structures do not encourage collaboration.
  • Tooling gives the illusion of skill.
  • Compliance rewards the appearance of strength over its reality.

That’s why a purple team engagement is often the equivalent of “jump out, stabilize, pull the chute, roll when you land.” But what about difficult conditions? What about partial deployments? What about compound failures? That’s where resilience is built.

And today, resilience is the only metric that makes sense.

A new mindset: slow, consistent, engaged, outcome-driven

In my experience, an effective purple team needs:

  • Co-ownership of the engagement.
  • Confidential information shared on both sides.
  • Full visibility of controls.
  • Scenarios designed, not purchased.
  • Repetition and iteration.
  • Space for imagination.
  • Freedom to change direction.
  • Focus on the “how,” not just the “if.”

This is systems thinking. Engineering. Psychology. By any measure, it’s harder work than the standard model.

But what seems impossible happens when both sides push each other, and when the goal is not to produce a report but to reveal the truth.

Purple teaming is about getting in, really. But it is also about what happens after that. Without a different approach, focused on consistency and outcomes, organizations will continue to pass tests while failing in practice.
