A purple team exercise runs red team attacks while the blue team monitors — red shares the exact TTP details immediately so blue can tune detections and verify that they work in real time.
Exercise structure: red executes a specific ATT&CK technique → blue checks whether the detection fired → if not, tune together and re-run → document coverage. More cost-effective than a pure red team engagement (faster learning loop). ATT&CK-mapped exercises systematically improve detection coverage across the entire matrix.
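An added example (not from the original note) of the "document coverage" step: a small tracker for the execute → detect → tune → verify loop that reports per-tactic coverage and flags tuning that was never re-verified. The technique IDs are real ATT&CK IDs; the results in the sample log are constructed.

```python
"""Purple-team exercise log: which executed ATT&CK techniques were detected,
which needed tuning, and the resulting coverage per tactic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ExerciseRun:
    technique: str          # ATT&CK technique id executed by red
    tactic: str             # ATT&CK tactic it was executed under
    detected: bool          # did blue's detection fire on the first execution?
    tuned: bool = False     # did red and blue tune/add a rule during the exercise?
    verified: bool = False  # did the re-run after tuning actually fire?


def is_covered(run: ExerciseRun) -> bool:
    """A technique counts as covered only if a detection fired: either on the
    first run or on the verified re-run after tuning. Tuning alone is not coverage."""
    return run.detected or (run.tuned and run.verified)


def coverage_by_tactic(runs):
    """Return {tactic: (covered, total)} over the techniques executed."""
    totals = defaultdict(lambda: [0, 0])
    for run in runs:
        totals[run.tactic][1] += 1
        if is_covered(run):
            totals[run.tactic][0] += 1
    return {tactic: (c, n) for tactic, (c, n) in totals.items()}


def open_gaps(runs):
    """Techniques that still lack a working detection after the exercise."""
    return [r.technique for r in runs if not is_covered(r)]


def tuned_but_unverified(runs):
    """Rules tuned during the exercise but never re-tested; these must be re-run."""
    return [r.technique for r in runs if r.tuned and not r.verified and not r.detected]


# Constructed sample exercise log (hypothetical results, not real telemetry).
SAMPLE_RUNS = [
    ExerciseRun("T1059.001", "Execution", detected=True),
    ExerciseRun("T1003.001", "Credential Access", detected=False, tuned=True, verified=True),
    ExerciseRun("T1021.002", "Lateral Movement", detected=False, tuned=True, verified=False),
    ExerciseRun("T1070.001", "Defense Evasion", detected=False),
]

if __name__ == "__main__":
    for tactic, (covered, total) in coverage_by_tactic(SAMPLE_RUNS).items():
        print(f"{tactic}: {covered}/{total}")
    print("open gaps:", open_gaps(SAMPLE_RUNS))
    print("tuned but unverified:", tuned_but_unverified(SAMPLE_RUNS))
```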