Application security

Improving web application security with purple teams

Howard Poston
January 5, 2021 by
Howard Poston

What is the purple team in cyber security?

The cybersecurity industry - and especially the area of security assessments - is very fond of color-based terms.  Organizations can undergo whitebox or blackbox assessments involving teams of a variety of different colors.  While some of the more common team colors (such as the red and blue team) are more widely known, the purple team is also an important concept in cybersecurity.

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

Red team vs blue team vs purple team

In cybersecurity, different teams participating in cybersecurity assessments are assigned colors based upon their role in the engagement.  While a number of different team colors have been defined, only three are widely used:

  • Red Team: The red team performs offensive operations against a target network or system simulating the activities of a real attacker.
  • Blue Team: The blue team defends a network or system against real or simulated attacks.
  • Purple Team: A purple team consists of a red and blue team working together to test an organization’s ability to defend against different types of attacks.

It is important to note that, with a purple team, the red and blue teams are actively working together throughout the entire process.  It is also possible to have red and blue teams operating independently during an engagement, which is not purple teaming.

What is a purple team exercise?

In cybersecurity, a purple team exercise is a collaboration between one or more red and blue teams that with the goal of assessing a network or system’s ability to defend itself against certain types of attacks.  Unlike independent red and blue teams, the purple team members will collaborate and coordinate their activities throughout the entire exercise.

This collaboration and coordination makes it possible to achieve a deep level of visibility into a network or system’s visibility into and defenses against certain types of attacks.  Under normal circumstances, an organization’s security team may miss the signs of an attack due to the sheer amount of alert information that they are receiving.

In a purple team security assessment, on the other hand, purple team members know exactly what they should be looking for.  This enables them to conclusively determine whether or not they have adequate visibility into an attack, and, if so, if existing detection and mitigation solutions are effective.

If so, the purple team can move on to testing other attack vectors with the knowledge that this particular one is adequately defended.  If not, the purple team can iterate to test and improve the threat detection and response capabilities until they are effective at identifying and responding to the attack.

How can purple team exercises improve web application security?

Purple team exercises are designed to identify previously unknown vulnerabilities and security gaps within a system.  This is accomplished by combining the offensive capabilities of the red team with the internal visibility and defensive knowledge of the blue team.

This type of approach is applicable to web application security as well.  The complexity of modern web applications means that they contain a large number of unknown vulnerabilities.  In many cases, these vulnerabilities are contained within third-party dependencies (which are not included in the code created and directly visible to developers).  Additionally, the complexity and rapid evolution of web applications means that an organization’s visibility and defenses may not be able to keep up with the current state of the application.

Purple team assessments can help an organization to identify vulnerabilities and visibility and defensive gaps within their applications.  Working together, red and blue teams can perform guided searches that focus on the areas of a web application where an organization has lower visibility or weaker security.  This helps to identify the “low-hanging fruit” that an attacker may target and ensure that a web application is protected against the most likely attack vectors.

Inside a purple team web application security assessment

Performing an effective purple team security assessment requires an individual or a team with experience in both the offensive and defensive sides of cybersecurity. It also requires an array of tools designed to both attack and defend a web application.

For example, on the defender’s side a web application may be protected by a web application firewall (WAF) or runtime application self-protection (RASP).  These solutions are designed to identify potential attacks against the application and either block them or alert defenders so that they could take action.

During a purple team engagement, the blue team’s responsibility would be to monitor these solutions and take action to refine the rules in use to better detect true attacks and to ignore false positive detections.

An attacker doesn’t require any special tools to test a web application’s security since the app has a public-facing user interface.  However, offensive tools can help to make an engagement more rapid and effective.

A red teamer in an assessment of web application security will likely use some automated tools like fuzzers and a vulnerability scanner (like Nessus or OpenVAS) to identify and potentially exploit vulnerabilities within the web app.  These automated tools can be complemented with ones designed for manual analysis, such as a web proxy that enables the attacker to view and modify requests and responses between the browser and the server.  This combination of tools and techniques should enable an attacker to identify any potential vulnerabilities within a target web application.

However, what makes this a purple team assessment is the retrospective at the end of the engagement (or periodically throughout).  Both the red and blue teams should come into this with knowledge of the exact attacks performed or detected, their effectiveness, etc.  Based on this information, defensive rules, policies, and procedures can be created, tuned, or discarded to improve security effectiveness.

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

Learning more about purple teaming and web applications

Purple team assessments can help to dramatically improve the defenses of web applications.  Targeted, coordinated offensive and defensive operations can provide valuable information on the effectiveness of current defenses and how to improve them.

To learn more about performing purple team assessments for web applications, check out this project from Infosec Skills.



Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at