Adversary Village at DEF CON 33

Sarah Hume

Purple Team Service Lead @ Security Risk Advisors

Sarah leads the Purple Team service at Security Risk Advisors (SRA). She has led hundreds of Threat Intelligence-based Purple Team exercises for organizations in the Fortune 500 and Global 1000 over the past 7 years. Her background is in offensive security, primarily internal network, OT/ICS, and physical security penetration testing. Sarah also has experience in external network penetration testing, web application assessments, OSINT, phishing/vishing campaigns, vulnerability management, and cloud assessments. Sarah graduated Summa Cum Laude from Penn State with a B.S. in Cybersecurity. She is a Certified Red Team Operator (CRTO), Certified Information Systems Security Professional (CISSP), Google Digital Cloud Leader, AWS Certified Cloud Practitioner, and Advanced Infrastructure Hacking Certified. She lives in Philadelphia with her dog, Paxton.

Talk: Letthemin: Facilitating High-Value Purple Teams Using an Assumed Compromise Approach

Sunday | Aug 10th 2025
DEF CON Creator Stage 1 (Room 233) | Las Vegas Convention Center

Purple Teaming

Purple Teaming has become a critical component of modern cybersecurity programs, but its definition and application vary widely across organizations. This presentation introduces a refined, regimented, and repeatable methodology for running Purple Team engagements, developed and battle-tested for over a decade.

The term 'Purple Team' means different things to different people (a methodology, a team of people, a program, an assessment, or even a state of mind), and Purple Team engagements themselves come in all shapes and sizes. The speaker will therefore begin by aligning recommended definitions and applications of common Purple Team terminology.

The presentation will explain how to apply an Assumed Compromise approach to Purple Teams. Any organization can be vulnerable at any point in time. This style of Purple Team testing follows the adversary through the entire life cycle of an attack, from Initial Access to Impact. It assumes that vulnerabilities exist and focuses instead on the visibility of security tools. This is a powerful method of identifying ways to improve detection and prevention capabilities at each layer of an organization’s defense in depth. The speaker will include real-world examples and specific instructions.

The presentation will conclude with broader applications of this style of Purple Team. This will include how to collect and analyze the engagement results and apply these results to drive improvement to an organization’s resilience to common threats.

This talk is ideal for security professionals, both Red and Blue Team, who are looking to elevate the way they perform Purple Team engagements.

Detailed talk outline:

  1. Introduction (5 minutes)
    • Introduce the speaker and their experience in Purple Teaming.
    • Define the purpose of the presentation: to share the optimal methodology for performing Purple Team engagements.
    • Provide an overview of the session agenda.
  2. Defining Purple Team Terminology (5 minutes)
    • Define the term "Purple Team" in the scope of this presentation. This includes Purple Teams both as a collection of people as well as an engagement type.
    • Highlight the role of Purple Teams in fostering collaboration between Red and Blue Teams and enhancing overall security programs.
  3. Applying the Assumed Compromise Approach (10 minutes)
    • Introduce the Assumed Compromise methodology.
    • Walk through the specifics of how to apply this approach to Purple Teams.
    • Highlight the benefits of this methodology, including identifying gaps in detection and prevention controls.
    • Provide real-world examples to highlight how this approach differs from common Purple Teaming approaches and the resulting improved outputs from the engagement.
  4. Collecting and Analyzing Results (5 minutes)
    • Discuss methods for gathering results during Purple Team engagements.
    • Explain how to analyze results to identify gaps and trends, prioritize remediation efforts and improve security posture.
    • Explain how continuous Purple Teaming can improve resilience to evolving threats.
  5. Conclusion and Q&A (5 minutes)
    • Summarize key takeaways from the presentation.
    • Provide actionable next steps for attendees to implement the methodology in their organizations.
    • Open the floor for audience questions.
