Recipe: Purple-team exercise plan
A structured 4-hour session blueprint for red and blue teams to validate detection coverage against real injection techniques.
Objectives
- Exercise manual-map injection detection rules
- Validate ETW consumer alert pipeline latency
- Confirm anti-tamper self-verification survives staged tampering
- Produce a joint after-action report within 48 hours
Schedule (4 hours)
| Block | Duration | Activity |
|---|---|---|
| 00:00 | 15m | Kickoff & rules of engagement |
| 00:15 | 45m | Red: deploy manual-map injector against staging endpoint |
| 01:00 | 30m | Blue: triage ETW alerts, classify true/false positives |
| 01:30 | 60m | Joint: tune detection rules, adjust thresholds |
| 02:30 | 30m | Break |
| 03:00 | 45m | Red: tamper with loader integrity, trigger anti-tamper |
| 03:45 | 15m | Hotwash & assign AAR sections |
Artifacts
- Red team injector binary (signed, time-bombed)
- Blue team SIEM query pack
- Joint AAR template in docs repo
Success criteria
- All injection attempts detected within 90 seconds
- Zero false-positive alerts on benign baseline traffic
- Anti-tamper circuit breaker trips within 500 ms of the tamper event
- AAR published and reviewed within 48 hours
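A small scoring pass for the hotwash, added here as an example (not code from this recipe or its docs repo): it correlates the red team's injection timestamps with the blue team's attributed ETW alerts and the anti-tamper trip times, then evaluates the three measurable criteria above. The log shape (a run id per injection, alerts tagged with the run id the analyst attributed them to, or None for baseline noise) and all timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample timelines for one session (not real exercise data).
# Red team: manual-map injection attempts on the staging endpoint, keyed by run id.
INJECTIONS = {
    "inj-1": datetime(2024, 1, 1, 10, 15, 0),
    "inj-2": datetime(2024, 1, 1, 10, 22, 30),
    "inj-3": datetime(2024, 1, 1, 10, 40, 0),
}
# Blue team: (alert timestamp, run id attributed during triage, or None = fired on baseline).
ALERTS = [
    (datetime(2024, 1, 1, 10, 15, 42), "inj-1"),
    (datetime(2024, 1, 1, 10, 24, 50), "inj-2"),  # 140 s after injection: over the SLO
    (datetime(2024, 1, 1, 10, 30, 0), None),       # false positive on benign traffic
]
# Anti-tamper block: (tamper timestamp, circuit-breaker trip timestamp or None = never tripped).
TAMPERS = [
    (datetime(2024, 1, 1, 13, 5, 0), datetime(2024, 1, 1, 13, 5, 0, 300000)),
    (datetime(2024, 1, 1, 13, 12, 0), None),
]

DETECT_SLO = timedelta(seconds=90)        # "detected within 90 seconds"
TRIP_SLO = timedelta(milliseconds=500)    # "trips within 500 ms of the tamper event"


def detection_latencies(injections, alerts):
    """Earliest attributed alert per injection; None when nothing fired for that run."""
    out = {}
    for run_id, t0 in injections.items():
        hits = [ts - t0 for ts, rid in alerts if rid == run_id and ts >= t0]
        out[run_id] = min(hits) if hits else None
    return out


def score(injections, alerts, tampers):
    """Evaluate the plan's measurable success criteria and list what failed them."""
    lat = detection_latencies(injections, alerts)
    missed = [r for r, d in lat.items() if d is None]
    slow = [r for r, d in lat.items() if d is not None and d > DETECT_SLO]
    false_pos = sum(1 for _, rid in alerts if rid is None)
    trip_fail = [i for i, (t0, t1) in enumerate(tampers) if t1 is None or t1 - t0 > TRIP_SLO]
    return {
        "all_detected_within_90s": not missed and not slow,
        "missed": missed,
        "slow": slow,
        "zero_false_positives": false_pos == 0,
        "false_positives": false_pos,
        "anti_tamper_within_500ms": not trip_fail,
        "tamper_failures": trip_fail,  # indexes into the tamper list
    }
```

The three lists in the result (`missed`, `slow`, `tamper_failures`) are the items to walk through when assigning AAR sections.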