Practical Purple Teaming

The Art of Collaborative Defense by Alfie Champion

I just finished reading my signed early edition of Practical Purple Teaming: The Art of Collaborative Defense by Alfie Champion, and it was an excellent read. The book serves as a complete survey of the tactics, tools, and procedures involved in purple teaming. It introduces each concept clearly, then demonstrates it through practical, realistic examples. What stood out most is how balanced it is between the offensive and defensive perspectives. It covers detection strategies using tools like Splunk while also showing how to operate offensive C2 frameworks such as Mythic, exploring how both sides think and interact in a collaborative defense process.

The book lays out the entire workflow for running a purple team exercise, from scoping and execution to reporting. I appreciated that for each objective, multiple tools are introduced, including MITRE Caldera, Atomic Red Team, VECTR, and ticketing systems. This flexibility mirrors how real-world teams operate and reinforces that there is no single way to conduct a purple team engagement. The author's experience shows throughout the book, blending technical knowledge with practical insights. Beyond frameworks like the Pyramid of Pain, Champion shares lessons on the human and organizational aspects of purple teaming, such as running workshops and demonstrating value to different stakeholders.

The layout follows the familiar No Starch Press structure, divided into three main parts with twelve manageable chapters. Part one, How Purple Teaming Works, introduces the fundamentals, frameworks, and testing methodologies. Chapter one provides a clear overview for readers new to the concept, while later chapters explain the MITRE ATT&CK model, the Pyramid of Pain, and two primary testing approaches: the atomic methodology and the scenario-based methodology.

Part two, Attack Emulation and the Detection Lab, is where the book truly shines. It walks the reader through building a Splunk Attack Range environment in AWS, collecting host-level telemetry like Windows Event Logs, and progressing into more advanced topics such as network traffic analysis, event tracing, and memory scanning with YARA and Sigma.

Chapters eight through ten form the heart of the book, showing a short attack chain in a purple team context. "Living Off the Land with Atomic Red Team" demonstrates how to emulate LOLBIN techniques and initial access scenarios. "Active Directory Reconnaissance with MITRE Caldera" explores realistic AD enumeration and detection coverage. "Domain Compromise with Mythic" showcases how to perform realistic C2 operations, including techniques like DCSync and other domain compromise methods.

Part three, Organizing an Exercise, focuses on the operational and reporting side. It covers how to manage engagements using tools like JIRA for tracking and VECTR for structured reporting. The final chapter, "Implementing a Purple Teaming Function," dives into the business and cultural aspects of running a purple team, from facilitating workshops to building relationships across teams. It is full of thoughtful, experience-based advice that goes beyond technical execution. The book concludes with an appendix of helpful reference tables, including high-value Windows event IDs and system logs, making it a useful companion during actual exercises.

Overall, Alfie Champion did a fantastic job with this book. It helped me mentally assemble my own purple team service offering and see exactly where I can bring unique value to clients. It also showed me which tools I plan to use next, particularly MITRE Caldera and VECTR, which seem ideal for delivering efficient, measurable results.

Practical Purple Teaming was published by No Starch Press in September 2025 and runs 352 pages. It is available directly from the publisher at https://nostarch.com/purple-teaming. You can purchase the Print Book and FREE Ebook for $59.99, or the Ebook (PDF, Mobi, and ePub) alone for $47.99. Go purple!