Purple teaming at scale requires structure. When you're running roughly 15 tests per month across a large enterprise, you can't afford to wing it — but you also can't let process kill the creativity that makes testing valuable.
Here's the framework I've developed for high-volume purple team cycles at a Tier 1 financial institution.
The four-phase cycle
Each test follows a lightweight but consistent structure: scope (which technique, which hosts, what counts as a detection), execute, validate (what the blue team actually saw and logged, not what they expected to see), and report. The key is keeping each phase tight enough that you can run multiple tests per week without burning out either the red or blue team.
TTP selection
I pull from a curated backlog mapped to MITRE ATT&CK, prioritized by threat intelligence relevance, detection coverage gaps, and upcoming compliance requirements. The CTI team feeds me real-world campaign data; I translate it into executable test plans.
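As an added illustration of that prioritization (my own example, not the author's tooling or backlog), the script below scores a constructed ATT&CK backlog on the three criteria named above: CTI relevance (campaign count, capped so one noisy campaign does not dominate), detection coverage gap, and proximity of a compliance deadline. The weights, caps, thresholds, sample techniques, dates and campaign counts are all assumptions chosen for the example; a real program would tune them against its own threat model and audit calendar.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed reference date for the example; a real run would use date.today().
TODAY = date(2024, 6, 1)


@dataclass
class BacklogItem:
    technique_id: str             # ATT&CK technique ID
    name: str
    cti_campaigns: int            # tracked campaigns using this technique (constructed counts)
    coverage: str                 # detection coverage: "none", "partial" or "full"
    compliance_due: Optional[date]  # next audit needing evidence for this technique, if any


# Assumed weights: a missing detection outranks a partial one, full coverage adds nothing.
COVERAGE_WEIGHT = {"none": 3, "partial": 2, "full": 0}
CTI_CAP = 5  # assumed cap on campaign count so a single prolific actor cannot swamp the score


def score(item: BacklogItem, today: date = TODAY) -> int:
    """Return a priority score; higher means test sooner."""
    cti = min(item.cti_campaigns, CTI_CAP) * 2
    gap = COVERAGE_WEIGHT[item.coverage] * 3
    compliance = 0
    if item.compliance_due is not None:
        days_left = (item.compliance_due - today).days
        if days_left <= 30:      # assumed thresholds: imminent audit vs. upcoming audit
            compliance = 5
        elif days_left <= 90:
            compliance = 2
    return cti + gap + compliance


def prioritize(backlog: List[BacklogItem], today: date = TODAY, budget: int = 15) -> List[str]:
    """Return technique IDs for this cycle, best first, limited to the monthly test budget.

    Ties break on technique ID so the output is stable between runs."""
    ranked = sorted(backlog, key=lambda i: (-score(i, today), i.technique_id))
    return [i.technique_id for i in ranked[:budget]]


# Constructed sample backlog; none of these counts or dates describe a real environment.
SAMPLE_BACKLOG = [
    BacklogItem("T1003.001", "LSASS Memory", 4, "partial", date(2024, 6, 21)),
    BacklogItem("T1566.001", "Spearphishing Attachment", 7, "full", None),
    BacklogItem("T1021.002", "SMB/Windows Admin Shares", 1, "none", date(2024, 12, 18)),
    BacklogItem("T1059.001", "PowerShell", 3, "partial", None),
    BacklogItem("T1486", "Data Encrypted for Impact", 2, "none", date(2024, 7, 31)),
]


if __name__ == "__main__":
    for item in sorted(SAMPLE_BACKLOG, key=lambda i: -score(i)):
        print(f"{score(item):3d}  {item.technique_id:<10} {item.name}")
    print("This cycle:", prioritize(SAMPLE_BACKLOG, budget=3))
```

Note what the weighting does to the heavily-phished technique T1566.001: with full coverage and no audit pressure it drops to the bottom even though CTI relevance is highest, which is the intended effect of scoring on gaps rather than on popularity alone.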
Collaboration with blue team
The relationship with detection engineering is everything. I've found that giving the blue team a 24-hour heads-up on the general technique category (without specifics) produces the best outcomes — they're primed to look but not handed the answer.
More details coming soon — this is a placeholder post.