homepage
Open menu
Talk with an expert

SANS Purple Team

Purple Team Training and Certification
Purple Team Course FAQ Offensive Operations
Featured ContentCoursesCertificationsFree ResourcesSANS.edu ProgramInstructorsAbout
Webcast Mastering Adversary Emulation with Caldera: A Practical Guide

Watch this in-depth presentation covering topics from understanding the fundamentals of adversary emulation and Caldera's architecture to configuring the platform, running campaigns, and interpreting results. Complete with companion article!

View the Webcast
SEC598: Security Automation for Offense, Defense, and Cloud

SEC598: Security Automation for Offense, Defense, and Cloud

This course will provide you with:

  • Methodology for evaluating real-world scenarios within a combination of on-premise and cloud environments using a reference framework that can be immediately used and implemented in your organization
  • Cloud security automation in AWS and Azure
  • Skills to properly engineer your environment to apply security automation

  • Experience in automating secure configurations and seting a desired-state configuration using tools like Terraform, Ansible, CHEF Puppet, and many more to deploy infrastructure as code in different environments

Course Syllabus
570x410_Purple_599.jpeg

SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses

This course will provide you with:

  • An understanding of how recent high-profile attacks are delivered and how they could have been stopped
  • How to implement security controls throughout all phases of the Cyber Kill Chain, utilizing the MITRE ATT&CK framework, to prevent, detect, and respond to attacks
  • Full preparation for the GIAC Defending Advanced Threats (GDAT) certification

Course Syllabus
570x410_Purple_699.jpeg

SEC699: Advanced Purple Teaming - Adversary Emulation & Detection Engineering

You will be able to:

  • Build and deploy a full multi-domain enterprise environment
  • Implement realistic adversary emulation plans to bolster breach prevention and detection
  • Develop custom tools and plugins for existing tools to fine-tune your red and purple teaming activities
  • Deliver advanced attacks including application whitelisting bypasses, cross-forest attacks, and stealth persistence strategies
  • Build SIGMA rules to detect advanced adversary techniques
  • Build a purple team for your organization
Course Syllabus
Landing_Page_Cert.jpg

GIAC Defending Advanced Threats (GDAT)

The GIAC GDAT certification is unique in how it covers both offensive and defensive security topics in-depth. Holders of the GDAT certification have demonstrated advanced knowledge of how adversaries are penetrating networks, and what security controls are effective to stop them.

View Certification

Running Your First Purple Team Exercise - An Intro to Purple Teaming

Understanding how to consume Cyber Threat Intelligence, emulate attacks, and use detection engineering to ensure your organization (people, process, and technology) can detect and respond to an attack when it inevitably occurs is the cornerstone of purple teaming. In this video, SANS Purple Team Ambassador, Jorge Orchilles, defines Purple Team, then lays out the steps necessary to running your first Purple Team exercise.

Offense informs defense and defense informs offense.

470x382_PurpleConcepts-thumb.jpeg

NEW Digital Poster: Purple Concepts

Packed with resources, references, & examples on Purple Team, this digital poster has tips and tricks for emulation plans covering FIN6, APT28, & APT33, plus tons of info on Red Team and Blue Team tools. Check out our Emulation Star Map and easily jump from concept to content.

Download Here

Purple Team Resources

Webcast
white-1px.png
What is Purple Team?
After seeing so many blue teamers take a penetration course, authors Stephen Sims and Erik Van Buggenhout created SANS first Purple Team course. But what is Purple Teaming? Does 1+1=3 here?
View Now
Webcast
Webcast_PurpleTeam_Persistence_Strategies_9_15_22_4.jpg
Purple Team - Kill Chain Defenses, DO NOT USE Purple Team
Common Persistence Strategies - Emulating, Preventing, and Detecting
In this follow-up webcast we review the most commonly used persistence mechanisms and provide some examples on how they are used by attackers, as well as how they try to prevent detections by combining tactics.
View Now
Blog
Offensive Operations, Pen Testing, and Red Teaming, Purple Team, Digital Forensics, Incident Response & Threat Hunting
Cyber Kill Chain, MITRE ATT&CK, and Purple Team
Understanding how attacks work is critical for defense. It's a common theme in SANS Purple Team courses: offense informs defense and defense informs.
370x370_Jorge-Orchilles.jpg
Jorge Orchilles
read more
Webcast
white-1px.png
Purple Team Tactics: A Technical Look at Windows 10 Exploit Mitigations
Defense and offense both need to understand exploit mitigations running on modern operating systems, but from different perspectives. In this webcast we attempt to demystify some controls and look at some of the latest Windows 10 mitigations.
View Now
Webcast
white-1px.png
Adversary Emulation and the C2 Matrix
It is the golden age of Command and Control (C2) frameworks. Learn how these C2 frameworks work and start testing against your organization to improve detective and preventive controls.
View Now
Blog
Purple Team, Offensive Operations, Pen Testing, and Red Teaming
Purple Teaming and Threat-Informed Detection Engineering
In the first two webcasts of this Purple Team series, we covered how to run your first Purple Team Exercise and how to Operationalize your Purple Team. You may have noticed that a common process in Purple Teaming is detection engineering. In this blog, we go into the items discussed in our third...
370x370_Jorge-Orchilles.jpg
Jorge Orchilles
read more
Blog
Purple Team, Offensive Operations, Pen Testing, and Red Teaming
Building an Internal Red Team? Go Purple First
If you are asked to build an internal red team program today, start with a Purple Team Exercise to foster collaboration across stakeholders early on.
370x370_Jorge-Orchilles.jpg
Jorge Orchilles
read more
    Graduate Certificate Program in Purple Team Operations

    Graduate Certificate Program in Purple Team Operations

    Designed for working information security professionals, the graduate certificate in Purple Team Operations is a highly technical 15-credit-hour program focused on merging the applied concepts, skills, and technologies used by blue teams (digital defenders) and red teams (digital attackers) - so you can effectively operate and lead at the intersection of those domains, in the current best practice known as purple operations or purple teams.

    Learn More

    Purple People

    View All Instructors Become an Instructor

    About Purple Team

    Whether your focus area is Red Team, Blue Team, Cyber Threat Intelligence, Detection and Response, or any other facet of security, organizations need trained professionals who can work efficiently, together as a Purple Team.

    SANS Purple Team Curriculum will teach you how to bring your teams together to test, measure, and improve your security posture. Security professionals are most effective when they understand both offense and defense: offense informs defense and defense informs offense. That balanced understanding of attack and defense is the focus of the SANS Purple Team Curriculum.