{"id":30227,"date":"2026-06-24T09:53:31","date_gmt":"2026-06-24T08:53:31","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=30227"},"modified":"2026-06-24T11:32:25","modified_gmt":"2026-06-24T10:32:25","slug":"automated-cti-powered-purple-teams","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/automated-cti-powered-purple-teams\/","title":{"rendered":"Automated CTI-powered Purple Teams"},"content":{"rendered":"\n

Purple Teaming<\/strong> has become a key practice for organizations looking to assess and improve their detection and response capabilities. By bringing together offensive and defensive teams<\/strong>, Purple Team exercises help validate security controls, identify detection gaps, and strengthen incident response processes<\/strong>.<\/p>\n

However, traditional Purple Team exercises<\/strong> provide only a snapshot of an organization’s security posture at a given time. In rapidly evolving environments, where infrastructure, applications, security controls, and threats continuously evolve<\/strong>, assessment results can quickly become outdated<\/strong>. Consequently, organizations are left with a critical question: are the detections that worked yesterday still effective today? <\/strong>To answer that question, Purple Teaming must evolve from a periodic exercise into a continuous validation capability<\/strong>.<\/p>\n

This article presents a modular workflow we developed to<\/strong> transform threat intelligence into automated adversary simulations<\/strong>. The workflow combines Caldera<\/strong> for attack orchestration, Mythic<\/strong> for realistic Command & Control simulation, and VECTR<\/strong> for measurable Security Operation Center (SOC) assessments: an automated workflow that only needs to be configured once and can be executed whenever needed<\/strong>.<\/p>\n

\"Automated
Automated Purple Team overview<\/figcaption><\/figure>\n

\u00a0<\/p>\n

Wavestone\u2019s Purple Team vision and expertise<\/h2>\n

At Wavestone, we have been performing Purple Team exercises for several years<\/strong> to help our clients ensure that their detection methodologies<\/strong> are not only theoretically sound but truly functional in practice.<\/strong><\/p>\n

The primary objective of our Purple Team approach is to identify technical attack scenarios that go undetected by current security controls<\/strong>, and to identify tailored detection methods that close those gaps<\/strong>. Rather than simply simulating attacks, we systematically evaluate detection across three critical criteria: is the activity logged, has an alert been generated on those logs, and finally, has the alert been properly handled by the SOC team<\/strong>.<\/p>\n

With the help of the Blue Team through regular meetings, this structured assessment allows us to identify quick wins (fast, high-impact improvements) and major projects<\/strong> that require deeper architectural changes or long-term investment, all of which are tailored for our client\u2019s environment<\/strong>.<\/p>\n

To do so, our Purple Team operations rely on multiple complementary approaches<\/strong>, each with its own strengths and limitations<\/strong>.<\/p>\n

\u00a0<\/p>\n

Unit Testing<\/h3>\n

Unit testing is the foundational approach focused on testing specific, isolated TTPs to validate the effectiveness of individual detection rules<\/strong>. By playing these attacks without context or environmental adaptation, security teams can verify that specific log sources, correlations, and alerts are correctly configured and generated as expected<\/strong>. While highly effective for validating individual controls, unit testing provides a restricted view<\/strong> of an organization’s global defensive posture: success against a single, isolated technique does not guarantee the ability to detect and respond to a complex, multi-stage attack chain<\/strong>.<\/p>\n

In addition, unit testing introduces several important biases<\/strong> that can distort the realism<\/strong> of detection assessments. First, it requires collaboration with a Blue Team accomplice<\/strong> that provides the required assistance and prevents escalation from becoming too severe<\/strong>. This prevents the identification of some incident response gaps and greatly limits the secrecy of the operation<\/strong>.<\/p>\n

Furthermore, once the SOC knows a Purple Team operation is underway<\/strong>, the incident response becomes biased<\/strong>, often for the worse. Since the surprise factor and the pressure of a real incident are absent<\/strong>, these tests do not accurately measure how the SOC would perform under the stress and ambiguity of a genuine, ongoing intrusion<\/strong>.<\/p>\n

\u00a0<\/p>\n

Trophy-Driven Engagements<\/h3>\n

Our second approach, trophy-driven engagements, allows us to assess detection through a more realistic scenario<\/strong>. These operations are designed for mature organizations<\/strong>, aiming to evaluate and elevate advanced detection processes and threat hunting capabilities<\/strong> rather than simply validating automated rules.<\/p>\n

Similar to a Red Team<\/strong> operation<\/strong>, the offensive team executes a full-scale attack on the information system<\/strong>, not following a pre-defined test list but pursuing predefined trophies<\/strong>. An advantage of this approach is the ability to identify end-to-end scenarios<\/strong>.<\/p>\n

Specifically, our trophy-driven engagements often follow the Red to Purple approach<\/strong>: while the Red Team has not been detected<\/strong>, the Blue Team is unaware of the operation <\/strong>which forces genuine and unscripted response. It provides a unique opportunity to evaluate the actual reactions of the security team, effectively<\/strong> bridging the gap between theoretical procedure and real incident response<\/strong>.<\/p>\n

However, unlike the unit tests approach, these engagements are not exhaustive<\/strong>: they do not aim to map every specific unit rule on the environment, but rather to test the organization\u2019s overall resilience against a defined adversary blending the detection rules, the escalation processes, the threat hunting and the correlation capability of the team<\/strong>.<\/p>\n

Ultimately, trophy-driven engagements represent the final evolution in the Purple Team lifecycle, shifting the focus from \u201cWhat are our detection flaws?\u201d <\/strong>to \u201cWould a real attacker actually be detected?\u201d<\/strong><\/p>\n

\u00a0<\/p>\n

SOC Assessments<\/h3>\n

SOC assessments focus on evaluating the operational readiness and performance of the SOC<\/strong>. Unlike the previous approaches, which validate detection, this approach measures the human and procedural capacity to detect, qualify, investigate, and remediate threats<\/strong>. It serves to validate that standard operation procedures and playbooks are effectively followed by analysts<\/strong>, while simultaneously identifying visibility gaps in logging and telemetry across the attack lifecycle<\/strong>.<\/p>\n

However, SOC assessments often rely on structured scenarios that create a sense of artificiality<\/strong>. The engagement is still a trigger-and-response exercise<\/strong> sugarcoated with procedural validation and human factor evaluation.<\/p>\n

Because these tests are centered on known, pre-planned triggers<\/strong>, they fail to force analysts to perform deep, investigative log correlation or to detect anomalous patterns across multiple, seemingly benign events\u00a0: this test is still designed to \u00ab\u00a0evaluate what is working today\u00a0\u00bb and not \u00ab\u00a0what must work tomorrow\u00a0\u00bb<\/strong>.<\/p>\n

Finally, this scripted nature leaves no room for genuine Threat Hunting<\/strong>. Indeed, the SOC is never pushed to proactively<\/strong> uncover the plan of the adversary in the long run. By focusing on reactive playbook execution<\/strong> rather than the ambiguity of an evolving campaign<\/strong>, these assessments miss an important aspect of the human factor evaluation: the inability to detect a sophisticated threat that does not trigger a predefined, “noisy” alert<\/strong>.<\/p>\n

\u00a0<\/p>\n

The “T-Time Trap”<\/h3>\n

Despite their differences, all three approaches suffer from the same fundamental limitation: they evaluate an organization’s security posture at a specific point in time<\/strong>.<\/p>\n

Modern information systems are constantly evolving<\/strong>. Infrastructure migrations, cloud transformations, software deployments, and changes to security tooling can all affect the effectiveness of detection and response capabilities<\/strong>. A detection rule validated during a Purple Team exercise may no longer function as expected<\/strong> following a routine infrastructure change.<\/p>\n

At the same time, threat actors continuously adapt their tactics, techniques, and procedures<\/strong>. With the<\/strong> development of AI augmented attacks<\/strong>, the defensive profile is constantly evolving: what was secured yesterday can be obsolete today.<\/p>\n

Consequently, organizations must regularly reassess their defensive capabilities<\/strong> to ensure they remain aligned with the evolving threat landscape<\/strong>.<\/p>\n

Yet the cost, complexity, and manual effort<\/strong> associated with traditional Purple Team engagements often prevent organizations from performing assessments at the required frequency<\/strong>. This creates a gap between security validation and operational reality<\/strong>, leaving defenders with only a periodic view of their true defensive readiness<\/strong>.<\/p>\n

\u00a0<\/p>\n

Empowering the Defense: Self-Service & CTI-Driven Automation<\/h2>\n

The limitations of traditional Purple Teaming raise an important question: how can organizations validate their defensive capabilities more frequently without significantly increasing costs and operational overhead?<\/strong><\/p>\n

The answer lies in shifting from consultant-driven assessments to defender-driven validation<\/strong>. Rather than waiting for periodic Purple Team engagements, security teams should be able to continuously assess their detection and response capabilities whenever needed<\/strong>.<\/p>\n

\u00a0<\/p>\n

CTI as the Engine of the workflow<\/h3>\n

Cyber Threat Intelligence (CTI)<\/strong> provides a valuable source of information on how threat actors operate. By documenting adversaries’ tactics, techniques, and procedures (TTPs)<\/strong>, CTI enables organizations to move beyond generic attack simulations and focus on realistic threat scenarios relevant to their environment<\/strong>.<\/p>\n

Instead of being treated as static reports consumed once and archived, CTI can serve as the foundation for repeatable defensive assessments<\/strong>. Every newly identified technique, campaign, or threat actor profile can become an opportunity to validate existing security controls and identify detection gaps<\/strong>.<\/p>\n

\u00a0<\/p>\n

Translating TTPs into Automated Scenarios<\/h3>\n

While CTI identifies what adversaries do, organizations still need a way to reproduce those behaviors in a controlled and repeatable manner<\/strong>.<\/p>\n

By translating documented TTPs into automated attack scenarios<\/strong>, security teams can continuously test their ability to detect and investigate activities<\/strong> associated with specific threat actors. While this translation effort must be performed once<\/strong>, the resulting scenarios can be executed repeatedly with minimal overhead<\/strong>, allowing organizations to validate their defenses whenever needed.<\/p>\n

This approach significantly reduces the manual effort traditionally required to prepare and execute Purple Team exercises<\/strong> while ensuring consistency across assessments.<\/p>\n

\u00a0<\/p>\n

Enabling Autonomous Defensive Assessments<\/h3>\n

Automation empowers the Blue Team to operate more autonomously<\/strong>. Instead of depending on external engagements or dedicated Red Team resources, defenders can execute assessments themselves<\/strong> whenever operational changes occur.<\/p>\n

For example, assessments can be triggered<\/strong> following major infrastructure migrations, the deployment of new security controls, or the publication of threat intelligence<\/strong> related to a relevant adversary.<\/p>\n

This self-service approach enables organizations to validate their defensive posture at the required frequency<\/strong>, ensuring that detection capabilities remain aligned with both infrastructure changes and the evolving threat landscape<\/strong>.<\/p>\n

\u00a0<\/p>\n

Overcoming Market Automation Limits: The Caldera & Mythic Integration<\/h2>\n

While attack orchestration frameworks already exist, they often come with operational limitations. For instance, Caldera<\/strong> relies on generic agents that do not implement advanced Command and Control (C2) capabilities <\/strong>such as in-memory PowerShell execution, Inline Assembly execution, or Beacon Object Files (BOFs)<\/strong>. As a result, while Caldera<\/strong> excels at automating adversary emulation scenarios, it may not accurately reproduce the tradecraft employed by sophisticated threat actors<\/strong>. Furthermore, in environments where realism is a key objective<\/strong>, the presence and behavior of the Caldera agent<\/strong> may allow defenders to quickly identify the exercise<\/strong>, limiting the fidelity of the assessment.<\/strong><\/p>\n

Conversely, modern Command and Control frameworks<\/strong> such as Mythic<\/strong> provide realistic adversary simulation capabilities and advanced execution methods, but they lack the orchestration and automation features<\/strong> required to perform repeatable Purple Team assessments at scale<\/strong>.<\/p>\n

To bridge this gap, we developed<\/strong> the<\/strong> Mythic plugin for Caldera<\/strong>, which integrates directly with the Mythic C2 framework<\/strong>. The objective was to combine Caldera’s automation and orchestration capabilities with Mythic’s realistic Command and Control capabilities<\/strong>. Within this architecture, Caldera<\/strong> remains responsible for orchestrating CTI-driven attack scenarios<\/strong>, while Mythic provides the execution layer<\/strong> used to simulate advanced adversary tradecraft.<\/p>\n

This integration enables organizations to automate complex attack chains<\/strong> while maintaining a level of realism closer to that of real-world intrusions<\/strong>.<\/p>\n

\u00a0<\/p>\n

Mythic Caldera plugin: Adversary Emulation Library<\/h3>\n

The plugin extends Caldera<\/strong> by integrating Mythic C2<\/strong> and providing custom adversary profiles, fact sources, payloads and parsers<\/strong>. Together, these components enable operators to quickly turn threat intelligence into automated adversary emulation scenarios<\/strong> while<\/strong> significantly reducing the need for manual configuration<\/strong>.<\/p>\n

\"Mythic
Mythic CALDERA plugin<\/figcaption><\/figure>\n

The plugin includes 5 custom adversary profiles<\/strong>, each designed to emulate a distinct threat model<\/strong> and associated attacker tradecraft:<\/p>\n

    \n
  • Insider<\/strong>: Simulates an internal attacker<\/strong>, such as a Windows Administrator, with TTPs implemented exclusively using Windows living-off-the-land binaries (LOLBins)<\/strong>.<\/li>\n
  • Cybercrime<\/strong>: Simulates an opportunistic attacker<\/strong> leveraging publicly available offensive tools <\/strong>and remote attack techniques<\/strong> conducted through the Mythic SOCKS5 proxy infrastructure<\/strong>.<\/li>\n
  • APT<\/strong>: Simulates a sophisticated threat actor<\/strong> using advanced tradecraft, including low-level Windows API calls, Apollo built-in commands<\/strong>, and in-memory payload execution techniques<\/strong>.<\/li>\n
  • Linux – Insider<\/strong>: Simulates an internal attacker<\/strong>, such as a Linux Administrator, with TTPs implemented exclusively using native Linux commands and utilities<\/strong>.<\/li>\n
  • Linux- Cybercrime<\/strong>: Simulates an opportunistic attacker<\/strong> targeting Linux environments, with TTPs implemented using common open-source offensive tools<\/strong>.<\/li>\n<\/ul>\n

    To improve reusability, the plugin leverages Caldera fact sources<\/strong> to dynamically parameterize abilities<\/strong>. Instead of hardcoding environment-specific values, facts such as domain names, IP addresses, credentials, payloads, or operational parameters are injected at runtime<\/strong>. This approach allows the same adversary profile to be<\/strong> reused across multiple environments with minimal modifications<\/strong>.<\/p>\n

    \"Example
    Example of a Fact Source<\/figcaption><\/figure>\n

    The library also includes a collection of payloads and parsers<\/strong> used to support advanced attack simulations. Payloads are automatically synchronized with Mythic<\/strong> and can be leveraged by abilities during operation execution, while parsers dynamically extract information from command outputs<\/strong> and transform it into facts that can be consumed by subsequent abilities<\/strong>.<\/p>\n

    Finally, the plugin provides a growing library of more than 180 reusable abilities<\/strong> covering a wide range of ATT&CK techniques<\/strong>. These abilities can be combined into adversary profiles or executed individually <\/strong>to validate specific detections and response procedures.<\/p>\n

    \"Examples
    Examples of Included Abilities<\/figcaption><\/figure>\n

    \u00a0<\/p>\n

    Mythic Caldera plugin: Caldera-Mythic Integration<\/h3>\n

    At the core of the integration are two command-line interfaces (CLIs): apollo_exec.py<\/strong> and athena_exec.py<\/strong>. These CLIs interface with the Mythic API<\/strong> and are used by the Caldera agent Sandcat<\/strong> to programmatically task Apollo (Windows) and Athena (Linux) agents<\/strong> .<\/p>\n

    For example, The Apollo CLI <\/strong>takes a Mythic callback ID<\/strong>, a command<\/strong>, and optional arguments<\/strong>, and supports additional options to extend execution behavior:<\/p>\n

    \"Apollo
    Apollo CLI<\/figcaption><\/figure>\n
      \n
    • -uploads<\/strong>: upload files before execution<\/li>\n
    • -downloads<\/strong>: download files after execution<\/li>\n
    • -deletes<\/strong>: remove files after execution<\/li>\n
    • -ps<\/strong>: import a PowerShell script in-memory before execution<\/li>\n
    • -pid<\/strong>: specify a target process ID for process injection<\/li>\n<\/ul>\n

      To streamline the interaction between Caldera<\/strong> and Mythic<\/strong>, the plugin implements two core functionalities:<\/p>\n

        \n
      • Connect C2<\/strong>: generates the apollo_exec.py<\/strong> and the athena_exec.py CLIs<\/strong> based on the provided Mythic C2 configuration parameters to enable communication with the Mythic API<\/strong>.<\/li>\n
      • Sync Payloads<\/strong>: automatically registers the payloads required by Caldera<\/strong> operations on Mythic<\/strong>, including .NET assemblies, DLLs, executables, and Beacon Object Files (BOFs)<\/strong>.<\/li>\n<\/ul>\n

        \u00a0<\/p>\n

        Mythic Caldera plugin: Execution Workflow<\/h3>\n

        Within our workflow, MITRE Caldera<\/strong> is used as an orchestration platform<\/strong> rather than a traditional Command and Control (C2) server. The Caldera agent (Sandcat)<\/strong> is deployed on the same host as the Caldera server and is responsible for coordinating the execution of attack scenarios<\/strong>. Instead of executing abilities directly, it delegates their execution to the Mythic C2 infrastructure<\/strong>.<\/p>\n

        \"Automated
        Automated execution workflow<\/figcaption><\/figure>\n

        Depending on the nature of the technique being executed, TTPs are handled through one of two execution paths<\/strong>:<\/p>\n

          \n
        • Network-based attacks<\/strong>: network-oriented TTPs, such as lateral movement or remote service interactions<\/strong>, are executed by the Caldera agent through a SOCKS5 proxy<\/strong> exposed by Mythic. Traffic is routed through the Apollo agent<\/strong> using tools such as proxychains<\/strong>.<\/li>\n<\/ul>\n
          \"Network-based
          Network-based ability example<\/figcaption><\/figure>\n
            \n
          • System execution attacks<\/strong>: Host-based TTPs are executed directly on compromised systems through Mythic agents<\/strong>. In this scenario, the Caldera agent<\/strong> leverages the apollo_exec.py<\/strong> CLI<\/strong> to interact with the Mythic API<\/strong>, tasking the Apollo agent<\/strong> to perform the requested action.<\/li>\n<\/ul>\n
            \"System
            System execution ability example<\/figcaption><\/figure>\n

            \u00a0<\/p>\n

            Objective Measurement: Assessing SOC Progress Using VECTR<\/h2>\n

            A major limitation of tools such as Caldera<\/strong> is their Red-Team-centric design<\/strong>. While they excel at orchestrating and executing attacks, they<\/strong> do not provide a user-friendly interface for Blue Team analysts<\/strong> to review, enrich, and track assessment results<\/strong>. Consequently, accessing and interpreting the outcome of Purple Team exercises can become tedious<\/strong>, particularly when multiple operations are conducted over time.<\/p>\n

            To address this challenge, we integrated VECTR<\/strong> into our workflow. VECTR<\/strong> is a Purple Team platform designed to<\/strong> centralize attack and detection data<\/strong>, providing a common operational picture for both Red and Blue Teams<\/strong>. By correlating adversary actions with defensive observations, it enables organizations to objectively measure detection capabilities and track their evolution over time<\/strong>.<\/p>\n

            To streamline this process, we developed the<\/strong> VECTR plugin for Caldera<\/strong>. Once triggered by the operator, the plugin automatically exports completed operations to VECTR as campaigns<\/strong>, enabling the automatic<\/strong> generation of attack graphs and MITRE ATT&CK heatmaps<\/strong> while eliminating hours of manual reporting effort.<\/p>\n

            \u00a0<\/p>\n

            Vectr Caldera plugin: Campaign Creation<\/h3>\n

            The plugin extends Caldera by exporting completed operations as VECTR campaigns<\/strong>. During the export process, the plugin transfers operation steps, execution status, executed commands, MITRE ATT&CK technique mappings, timestamps, and command outputs (stdout\/stderr).<\/p>\n

            \"Vectr
            Vectr CALDERA plugin<\/figcaption><\/figure>\n

            The plugin displays available<\/strong> Caldera operations along with their execution status<\/strong>. Once an operation is completed, the operator can trigger the export with a single click<\/strong> after providing the VECTR connection parameters. The export process is performed asynchronously<\/strong> to avoid blocking the Caldera execution thread.<\/p>\n

            \"Vectr
            Vectr Campaign<\/figcaption><\/figure>\n

            Once exported, the operation appears as a campaign in VECTR<\/strong>. To maintain traceability between both platforms and ensure campaign uniqueness<\/strong>, the campaign name is composed of the Caldera operation name followed by the first 8 characters of the corresponding operation identifier<\/strong>.<\/p>\n

            \u00a0<\/p>\n

            Vectr Caldera plugin: Campaign Enrichment<\/h3>\n

            Each ability included in a Caldera operation is mapped to a corresponding test case within the VECTR campaign<\/strong>. As a result, every test case is automatically enriched with relevant Red Team information<\/strong>, including the associated ATT&CK technique, execution status, timestamps, commands, and operational metadata:<\/p>\n

            \"Vectr
            Vectr Test Case<\/figcaption><\/figure>\n

            For abilities that were executed, command outputs (stdout\/stderr)<\/strong> are exported to VECTR<\/strong> and attached as Red Team logs<\/strong>. These logs provide analysts with detailed visibility into the actions performed during the assessment <\/strong>and can be reviewed to better understand the execution flow<\/strong> and investigate detection opportunities.<\/p>\n

            \"Vectr
            Vectr Red team logs<\/figcaption><\/figure>\n

            \u00a0<\/p>\n

            Bringing It All Together: End-to-End Demonstration<\/h2>\n

            The following video brings together all components presented throughout this article, illustrating an end-to-end automated Purple Team assessment workflow<\/strong>, from automated adversary emulation with Caldera<\/strong> and Mythic<\/strong> to the visualization of adversary activities and operational results within VECTR<\/strong>.<\/p>\n

            \u00a0<\/p>\n