The Differences Between Respective SOC Team Types within Security Today…

There is some confusion about the definitions of Red, Blue, and Purple teams within Information Security. Today, CyberSponse wants to help clear the air so that we’re all on the same page as we move into the RSA conference.


  • Red Teams are external entities brought in to test the quality of a security program. They do this by emulating the behaviors and techniques of likely attackers in the most realistic way possible.
  • Blue Teams refer to the internal security team that defends against both real attackers and Red Teams. Blue Teams should be easy to tell apart from standard security teams in most organizations, as most SOC teams do not have a mentality of constant vigilance against attack, which is the mission and perspective of a true Blue Team.
  • Purple Teams exist to ensure and maximize the effectiveness of the Red and Blue teams. They do this by integrating the defensive tactics and controls from the Blue Team with the threats and vulnerabilities found by the Red Team. Their single objective is to ensure that the efforts of both the Blue and Red teams are utilized to their maximum.



Red and Blue teams ideally need to work in perfect harmony. Like offense and defense, Red and Blue teams could not be more different in their tactics and behaviors, but these differences are precisely what make them part of a healthy and productive whole.

Red Teams attack, and Blue Teams defend, but the primary goal is shared between them: improve the security posture of the organization.

Purple Teams are an artificial addition to this pairing. They exist to ensure that observations and lessons from both teams make it to the other so that continuous improvement can occur. Without this crucial bridge, each team discovers key insights but doesn’t share them with the other.

For example, the Red Team might learn ways they could have been stopped but not share this knowledge with the Blue Team. Or the Blue Team may be aware of gaps in their controls but not share them with the Red Team.

Some of the obvious problems with Red and Blue team cooperation include:

  • The Red Team considers itself of too high a standard to share information with the Blue Team
  • The Red Team is pulled inside the organization and becomes neutered and demoralized, ultimately resulting in a catastrophic reduction in their effectiveness
  • The Red Team and Blue Team are not set up to interact with each other on an ongoing basis, so lessons learned on each side are effectively lost
  • Information Security management does not see the Red and Blue teams as part of the same effort, and there is no shared management or metrics between them

A business that suffers from one or more of these problems is most likely to need a Purple Team to solve them.

A key point in the understanding of Purple Teams is that it should be thought of as a function, or a concept, more than as a separate entity. This can come in the form of an actual, named team that performs this function, or it could be part of the Red/Blue teams’ management organization that ensures that the feedback loop between them is continuous and healthy.

This wraps up our discussion, but if you need more information on Playbook development, go to www.IncidentResponse.com. Don’t forget to check back at www.CyberSponse.com for more updates on where our SOC-based automation technology is moving in 2017.