{"id":28481,"date":"2025-12-10T16:40:14","date_gmt":"2025-12-10T15:40:14","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=28481"},"modified":"2025-12-10T16:40:16","modified_gmt":"2025-12-10T15:40:16","slug":"purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/","title":{"rendered":"Purple Teaming for OT:\u00a0\u00a0How to switch from\u00a0a compliance\u00a0to a\u00a0performance\u00a0mindset?"},"content":{"rendered":"\n<p><span data-contrast=\"auto\">In our\u00a0previous\u00a0articles of this OT cybersecurity monitoring series\u00a0(<\/span><a href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/cybersecurity-monitoring-for-ot-current-situation-perspectives\/\"><span data-contrast=\"none\">Cybersecurity monitoring\u00a0for OT<\/span><\/a><span data-contrast=\"auto\">\u00a0\/\u00a0<\/span><a href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/10\/cybersecurity-tooling-strategy-for-an-effective-industrial-detection\/\"><span data-contrast=\"none\">Cybersecurity tooling strategy<\/span><\/a><span data-contrast=\"auto\">),\u00a0we explained the current state of OT detection capabilities and discussed the right tooling strategy.<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This third article focuses on a key question:\u00a0<\/span><b><span data-contrast=\"auto\">how do you measure the efficiency of your OT detection?<\/span><\/b><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<h1 aria-level=\"1\"><span data-contrast=\"none\">From compliance to efficiency: a KPI\u00a0paradigm shift<\/span><span 
data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:360,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h1>\n<p><span data-contrast=\"auto\">KPI stands for\u00a0<\/span><i><span data-contrast=\"auto\">Key Performance Indicator.\u00a0<\/span><\/i><span data-contrast=\"auto\">However, we tend to create KPIs\u00a0to\u00a0monitor\u00a0progress\u00a0against\u00a0our\u00a0plans, not\u00a0real\u00a0performance. While\u00a0useful,\u00a0monitoring\u00a0only deployment or coverage\u00a0(number of sites connected\u00a0to the SOC, EDR deployment on OT machines, number of probes registered to the management console)\u00a0<\/span><b><span data-contrast=\"auto\">tells you\u00a0very little\u00a0about the actual ability of your SOC to detect a real attacker.<\/span><\/b><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">So, how confident are you in your detection tools, use cases, and processes?\u00a0The only way to be sure is simple:\u00a0<\/span><b><span data-contrast=\"auto\">test them.\u00a0<\/span><\/b><span data-contrast=\"auto\">And\u00a0the best way to test them is through\u00a0<\/span><b><span data-contrast=\"auto\">Purple Team exercises<\/span><\/b><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<h1 aria-level=\"1\">What is Purple Teaming in OT?\u00a0<\/h1>\n<p><span data-contrast=\"auto\">A Purple Team exercise is a\u00a0<\/span><b><span data-contrast=\"auto\">collaborative mission<\/span><\/b><span data-contrast=\"auto\">\u00a0between the Red Team (attackers) and the Blue Team (defenders).\u00a0Unlike a traditional Red Team assessment, where the defenders are kept in the dark and evaluated afterward,\u00a0<\/span><b><span data-contrast=\"auto\">a Purple Team exercise is an iterative, joint effort<\/span><\/b><span data-contrast=\"auto\">.<\/span><span 
data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This collaborative approach allows both teams to:<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Share assumptions about the OT environment<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Validate detection logic in real time<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Understand blind spots<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Improve playbooks and detection pipelines<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Align everyone around a realistic threat model<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<h1 aria-level=\"2\">Performing\u00a0a Purple Team Exercise\u00a0<\/h1>\n<p><span data-contrast=\"auto\">A Purple Team operation can be summarized in\u00a0<\/span><b><span data-contrast=\"auto\">three main phases<\/span><\/b><span data-contrast=\"auto\">:<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<h2>1. 
Preparation<\/h2>\n<p><span data-contrast=\"auto\">The preparation phase is often the most challenging, especially in OT environments, where safety, process continuity, and vendor constraints must be considered.<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Depending on the maturity of the organization, preparation can range from basic to highly sophisticated:<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><b><span data-contrast=\"auto\">Unit Tests<\/span><\/b>\u00a0<br \/><span data-contrast=\"auto\">Small, isolated tests of specific detection rules (e.g., \u201cDetect Modbus function code\u00a090\u201d).<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Feared Scenario-based Testing<\/span><\/b>\u00a0<br \/><span data-contrast=\"auto\">Build scenarios around the organization\u2019s crown jewels and failure modes (e.g., \u201cUnauthorized remote program upload on a PLC controlling a critical process\u201d).<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">CTI-Infused Testing<\/span><\/b>\u00a0<br \/><span data-contrast=\"auto\">Integrate threat intelligence: test techniques used by real OT-focused attackers (e.g.\u00a0TTPs from Volt Typhoon, Sandworm, Xenotime, or ransomware groups targeting industrial environments).<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">To structure the preparation phase, two elements are essential:<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><b><span data-contrast=\"auto\">A\u00a0good knowledge of your OT 
environment<\/span><\/b>\u00a0<br \/><span data-contrast=\"auto\">Planning an\u00a0exercise that will be relevant to\u00a0both\u00a0the business risks\u00a0&amp;\u00a0OT\u00a0detection without\u00a0impacting\u00a0the process\u00a0requires\u00a0a\u00a0deep\u00a0knowledge of the\u00a0site and its automation.<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Mapping to the\u00a0<\/span><\/b><a href=\"https:\/\/attack.mitre.org\/matrices\/ics\/\"><b><span data-contrast=\"none\">MITRE ATT&amp;CK for ICS matrix<\/span><\/b><\/a>\u00a0<br \/><span data-contrast=\"auto\">Mapping your tests to the ATT&amp;CK matrix allows you to have a common language with the detection teams.\u00a0This allows you to select relevant techniques, avoid blind spots, and ensure coverage across multiple layers: OT workstations, PLCs, network interactions, engineering actions\u2026<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<h2>2. 
D-day (Execution)<\/h2>\n<p><span data-contrast=\"auto\">Execution is performed jointly:<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">The Red Team launches controlled and authorized actions<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The Blue Team\u00a0monitors\u00a0detections in real time<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Both teams adjust, document, and\u00a0validate\u00a0findings as the exercise unfolds<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">Depending on the scope and complexity of the tests, the Purple Team operation can last from a few hours to a few days.<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<h3 aria-level=\"4\"><i><span data-contrast=\"none\">Ensuring Reproducibility with Caldera<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">To ensure repeatability and consistency across Purple Team exercises, automation becomes key.\u00a0\u00a0<\/span><a href=\"https:\/\/www.mitre.org\/resources\/caldera-ot\"><b><span data-contrast=\"none\">Caldera<\/span><\/b><\/a><span data-contrast=\"auto\">, an open-source Breach &amp; Attack Simulation (BAS) framework developed by MITRE, is a powerful tool for this.<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">As a former\u00a0pentester,\u00a0I\u2019ve\u00a0always disliked the term 
\u201cautomated\u00a0pentest\u201d\u2014but BAS tools are the closest thing we\u00a0have to\u00a0repeatable, safe attack execution.<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<h3 aria-level=\"5\"><em>Why use Caldera instead of performing tests manually?\u00a0<\/em><\/h3>\n<p><span data-contrast=\"auto\">Caldera enables you to:<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Prepare and\u00a0validate\u00a0a controlled list of tests on a controlled list of assets<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Ensure only authorized actions are executed<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Guarantee reproducibility across environments<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Replay the exact same actions to measure improvements after configuration changes<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">Some OT-specific plugins already exist in the\u00a0<\/span><b><span data-contrast=\"auto\">Caldera-OT<\/span><\/b><span data-contrast=\"auto\">\u00a0module, supporting Modbus,\u00a0Profinet, DNP3, and others.<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Recently, Wavestone released two\u00a0additional\u00a0OT plugins:<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><b><span data-contrast=\"auto\">Siemens S7 protocol support<\/span><\/b><span 
data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">OPC-UA communications actions<\/span><\/b><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<h3 aria-level=\"5\"><em>Caldera\u00a0in a nutshell\u00a0<\/em><\/h3>\n<p><span data-contrast=\"auto\">Caldera usage relies on:<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><b><span data-contrast=\"auto\">Abilities<\/span><\/b><span data-contrast=\"auto\">: atomic technical actions (e.g., reading coils, writing tags, scanning a PLC)<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Adversaries<\/span><\/b><span data-contrast=\"auto\">: collections of abilities that form a scenario<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Operations<\/span><\/b><span data-contrast=\"auto\">: real-time execution of those adversaries against a target<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Fact\u00a0sources<\/span><\/b><span data-contrast=\"auto\">: parameters provided for an operation; you can launch the same operations against different environments by just changing the fact source.<\/span><span data-ccp-props=\"{&quot;335559685&quot;:720}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">The following video\u00a0(French with English subtitles)\u00a0will\u00a0walk\u00a0you\u00a0through a demonstration of\u00a0Caldera on our small ICS demo setup:<\/span>\u00a0<\/p>\n<div align=\"center\"><iframe loading=\"lazy\" title=\"YouTube video player\" src=\"\/\/www.youtube.com\/embed\/wq8BMagjhwE\" width=\"800\" height=\"450\" 
frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<div align=\"center\">\u00a0<\/div>\n<h2>3. Debriefing<\/h2>\n<p><span data-contrast=\"auto\">The debrief is where most of the value is extracted.\u00a0The following types\u00a0of\u00a0<\/span><i><span data-contrast=\"auto\">Key Performance Indicators<\/span><\/i><span data-contrast=\"auto\">\u00a0might be used:<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><b><span data-contrast=\"auto\">Detection Coverage<\/span><\/b><span data-contrast=\"auto\">\u00a0\u2013 what percentage of executed stimuli were detected?<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Alert Quality<\/span><\/b><span data-contrast=\"auto\">\u00a0\u2013\u00a0were\u00a0alerts actionable, precise, and intelligible?<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Reaction Time<\/span><\/b><span data-contrast=\"auto\">\u00a0\u2013 how long before an alert is raised and acknowledged?<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Playbook Efficiency<\/span><\/b><span data-contrast=\"auto\">\u00a0\u2013 were the right actions taken\u00a0in the expected\u00a0time frame?<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">This phase might\u00a0result in:<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><span 
data-contrast=\"auto\">Updated detection rules<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Improved SIEM\/SOC playbooks<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Better monitoring architecture<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Training material for analysts and engineers<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<h1 aria-level=\"1\"><span data-contrast=\"none\">Start Testing Now!<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:360,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h1>\n<p><span data-contrast=\"auto\">Purple Team testing brings value\u00a0immediately, no\u00a0matter what\u00a0your current maturity level\u00a0is:<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">It\u00a0validates\u00a0your tools in real-world conditions<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">It trains your SOC and OT teams<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">It reveals blind spots early in the program<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">It provides quantitative KPIs to drive detection improvements<\/span><span 
data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">And yes,\u00a0<\/span><b><span data-contrast=\"auto\">it is possible,\u00a0in\u00a0most\u00a0production environments,\u00a0under the following conditions<\/span><\/b><span data-contrast=\"auto\">:<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Strictly controlled scope<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Vendor-approved actions<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">No disruptive functions executed<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Involvement of operations and safety teams<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Continuous monitoring of system behavior during testing<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">In short:\u00a0<\/span><b><span data-contrast=\"auto\">start small, stay safe, and iterate.<\/span><\/b><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Do\u00a0not wait for your OT security program to be \u201cfinished\u201d before you start testing\u00a0its effectiveness!<\/span><\/b><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In our\u00a0previous\u00a0articles of this OT cybersecurity monitoring series\u00a0(Cybersecurity 
monitoring\u00a0for OT\u00a0\/\u00a0Cybersecurity tooling strategy),\u00a0we explained the current state of OT detection capabilities and discussed the right tooling strategy.\u00a0 This third article focuses on a key question:\u00a0how do you measure the efficiency of&#8230;<\/p>\n","protected":false},"author":20,"featured_media":28488,"comment_status":"open","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2777,3922,3275],"tags":[],"coauthors":[780,4526],"class_list":["post-28481","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-digital-trust","category-deep-dive-en","category-iot-consumer-goods-en"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Purple Teaming for OT:\u00a0\u00a0How to switch from\u00a0a compliance\u00a0to a\u00a0performance\u00a0mindset? - RiskInsight<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Purple Teaming for OT:\u00a0\u00a0How to switch from\u00a0a compliance\u00a0to a\u00a0performance\u00a0mindset? 
- RiskInsight\" \/>\n<meta property=\"og:description\" content=\"In our\u00a0previous\u00a0articles of this OT cybersecurity monitoring series\u00a0(Cybersecurity monitoring\u00a0for OT\u00a0\/\u00a0Cybersecurity tooling strategy),\u00a0we explained the current state of OT detection capabilities and discussed the right tooling strategy.\u00a0 This third article focuses on a key question:\u00a0how do you measure the efficiency of...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-10T15:40:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-10T15:40:16+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/12\/purple_team.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Arnaud Soulli\u00e9, Juliette BARBIER\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Arnaud Soulli\u00e9, Juliette BARBIER\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/\"},\"author\":{\"name\":\"Arnaud Soulli\u00e9\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8ba5826fcf8223b1c6c350c1d1fffc79\"},\"headline\":\"Purple Teaming for OT:\u00a0\u00a0How to switch from\u00a0a compliance\u00a0to a\u00a0performance\u00a0mindset?\",\"datePublished\":\"2025-12-10T15:40:14+00:00\",\"dateModified\":\"2025-12-10T15:40:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/\"},\"wordCount\":937,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/12\/purple_team.png\",\"articleSection\":[\"Cybersecurity &amp; Digital Trust\",\"Deep-dive\",\"IoT &amp; Consumer 
goods\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/\",\"name\":\"Purple Teaming for OT:\u00a0\u00a0How to switch from\u00a0a compliance\u00a0to a\u00a0performance\u00a0mindset? - RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/12\/purple_team.png\",\"datePublished\":\"2025-12-10T15:40:14+00:00\",\"dateModified\":\"2025-12-10T15:40:16+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/#primaryimage\",\"url\":\"ht
tps:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/12\/purple_team.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/12\/purple_team.png\",\"width\":1536,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/purple-teaming-for-ot-how-to-switch-from-a-compliance-to-a-performance-mindset\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Purple Teaming for OT:\u00a0\u00a0How to switch from\u00a0a compliance\u00a0to a\u00a0performance\u00a0mindset?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,
\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8ba5826fcf8223b1c6c350c1d1fffc79\",\"name\":\"Arnaud Soulli\u00e9\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/arnaud-soullie\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}
Soulli\u00e9","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/arnaud-soullie\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/28481","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=28481"}],"version-history":[{"count":3,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/28481\/revisions"}],"predecessor-version":[{"id":28608,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/28481\/revisions\/28608"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/28488"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=28481"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=28481"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=28481"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=28481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}