Efficiently Managing Hundreds of Purple Teams

by Ashley Layson | Feb 17, 2025

In 2024, Security Risk Advisors delivered over 170 Purple Teams to our clients. To support the technical execution of our Purple Teams, we use strong project management techniques that make high-volume service delivery not only efficient but also quite manageable. Our approach to Purple Team project management is straightforward: every Purple Team is treated as a structured project. Each follows a defined project workflow but leaves room for planning tailored to each of our clients. I will be highlighting the three key project management mechanisms we use at SRA to deliver our Purple Teams:

  • Intentional Scheduling
  • Functional Milestones
  • Consistent Tracking

Before we dive deeper, here are some metrics to illustrate the scale at which we operate:

  • From start to finish, each Purple Team project takes about one month to complete.
  • Each Purple Team is staffed with 3-4 operators.
  • We execute 2-4 Purple Team projects per week.
  • We track 8-12 Purple Team reports per week.
  • Each Purple Team involves 9 scheduled meetings between internal and external stakeholders.

You’re probably thinking, “That’s a lotta Purple Teams!” And you’d be correct. This is just a small picture of the Purple Teams program here at SRA. Now let’s look at how we manage it all.

 

Intentional Scheduling

Our approach to scheduling Purple Teams is both detailed and client focused. We begin by discussing scheduling in-depth with our clients, checking and double-checking agreed engagement dates based on their feedback. We always want to align with what is happening in the client environment when we discuss Purple Teams scheduling. Some examples of things to consider when scheduling a Purple Team exercise are:

  • Is a new tool or service being deployed that needs to be tested with a Purple Team?
  • Has the client recently switched to a new cloud platform or a new SOC provider?

For new clients, we start with an introductory call to discuss the ideal scope for testing and determine the best timeframe that aligns with their security goals. For our existing clients, we review the previous Purple Teams report, which outlines all observations and accompanying remediation recommendations. This allows us to plan the right amount of time to evaluate progress against their improvement goals.

We cross-check all these factors with the availability of our team to verify that operators with the necessary skills are in place for testing. From there, we offer our clients a selection of engagement timeframes to choose from.

 

Functional Milestones

If you’re familiar with project management, you know that milestones are essential for tracking progress, managing risks, and verifying quality assurance. When delivering a high volume of Purple Teams, every meeting must have a clear purpose and a trackable outcome. If we lose sight of tracking milestones, things can slip through the cracks with ripple effects.

Internally, beyond what the clients see in meetings and communications, we have established a structured project delivery framework. This framework includes a series of prescriptive and repeatable checkpoints, which function more like working sessions than status updates. Each of these internal milestones has a documented output that is shared with our internal stakeholders. These milestones are specifically timed to account for communication delays, technical troubleshooting, prep work, scheduling changes, and reporting. This approach allows room for escalation or intervention when necessary. Aside from preparing for hiccups, we are also making room to adjust for client feedback and unique testing requirements. By laying the groundwork with milestones that are more than just arbitrary dates or deadlines, we are getting more work done and collaborating more consistently with our internal and external project teams.

 

Consistent Tracking

Now for the fun part if you’re a project manager (or a bit of a masochist): tracking. This is where some of those stereotypes may be true. Yes, I am constantly asking my teams for updates, or if they have a few minutes to brief me on a call, and yes, it often feels like wrangling kittens. “Is it done yet? Has this been resolved? When will this be completed?” But hey, someone has to do it. Kitten wrangling becomes a bit easier when you’re following a structured workflow, which I will outline below. Each Purple Team project is tracked through four phases:

Phase 1 – Scoping

  • This is where we discuss scheduling, client environments, and testing requirements.
  • Once all the details are finalized, we confirm a set of testing dates and book the Purple Team.

Phase 2 – Planning

  • In this phase, we introduce our team of Operators to our clients and the prep work begins.
  • Accounts are created, change orders are submitted, calls are scheduled, and collaboration between teams becomes more frequent.

Phase 3 – Testing

  • This is where the Red Team and the Blue Team become a Purple Team. One of our skilled MCs (yes, Master of Ceremonies) will guide the team through each campaign.
  • On the last scheduled day of testing, the Operators from the SRA team, along with client stakeholders, will meet for a Blue Team Workshop to discuss, in an open book style, all the observations from the previous days of testing.

Phase 4 – Reporting

  • The SRA team will then compile a comprehensive report outlining all the observations from testing, along with recommendations for remediation and a prioritized project plan for our clients.
  • Once a readout is completed with our client, the reporting phase is complete, and the Purple Team is closed out.

At first glance, this may seem daunting, especially considering that in any given week, there are over 30 clients simultaneously in different phases of project delivery. So, what’s the secret to successful project delivery at this scale? It would be pretty cool, and very techy, if I told you I had some magic automation to track all these tasks or that I had trained a team of robots to do my job for me by now. While we do utilize some project management software and automations to support our efforts (shout out to Monday.com), the core of what makes these processes work is quite simple: consistent communication, lots of note-taking, and frequent check-ins. Prep, debrief, and reporting check-ins happen every single week, where I and other internal SRA stakeholders touch base with our project teams. These check-ins are supported by published status updates, frequent reminders, and change logs. While automation is handy, I have found the most success in our program through face-to-face conversations. Both our project teams and our clients know exactly who to reach out to when they need assistance, so that every single Purple Team project is tailored and delivered to meet each of our clients’ individual needs.

 

Conclusion:

By carefully planning our schedules, setting clear milestones, and closely monitoring progress, we keep a large volume of Purple Team engagements running smoothly. We maintain constant communication and keep detailed notes, enabling us to manage numerous projects efficiently. This approach allows us to deliver exceptional value and insightful security advice. As we continue to refine our methods and integrate the strengths of our team with client feedback, we’re dedicated to being the industry leaders in Purple Teaming.

 


Ashley Layson
Senior Project Manager

Ashley specializes in managing Purple Team programs and brings a broad range of project management expertise, spanning various Advisory projects and Cybersecurity Operations Center (CSOC) initiatives.

Ashley has diverse experience in an array of technical projects, administering ongoing client services, and providing oversight on applicable contract management.

Her proficiency extends to refining sprint processes and facilitating the onboarding of clients, including numerous Fortune 500 companies, while showcasing her robust project management capabilities and client engagement acumen.

Ashley holds Security+, Project+, Disciplined Agile Scrum Master, and MS PL-900 certifications, demonstrating a strong foundation in project management, agile methodologies, and core security concepts.