Why you should purple team your SOC

In my previous article — Your SOC is the parachute — I wrote about how many security operations centers (SOCs) would fail the moment we pull the ripcord. They’re overloaded, reactive, and often disconnected from how breaches actually happen.

I want to move the discussion forward. If the SOC is the parachute, purple teaming should be the regular practice that keeps it ready to deploy. Yet most organizations still treat purple teaming as a one-off exercise rather than an ongoing discipline.

Purple teaming needs a rethink

Purple teams were designed to bridge the gap between red and blue teams. In theory, it’s about collaboration and continual improvement. In practice, it’s often a transactional service run by penetration testing firms focused on two things: proving they can bypass defences and producing a report that looks good in a board pack.

That mindset doesn’t help with SOC effectiveness. A single purple team engagement doesn’t build real capability; it just creates a false sense of confidence.

Real uplift comes from repetition, rehearsal, and refinement. In aviation, passing a check once is not enough. Proficiency is earned and maintained through regular practice. The same principle applies here.

The SOC operates constantly with new threats, tools, and mistakes, so testing must keep pace. That requires a mature, collaborative approach where defenders and testers work together, like scientists experimenting until the model holds.

From adversarial to collaborative

Even though purple teaming is meant to be collaborative, it’s often run like a contest between red and blue teams — who can outsmart whom. That approach misses the point. The real measure of success isn’t how quickly someone breaks in but how well the organization learns to detect, adapt, and improve after the exercise.

A strong uplift program builds partnership, not rivalry. It spreads knowledge across teams, asks “why did this work?” rather than “how did we get in?” and repeats until the right decisions become instinctive.

Reports don’t achieve that. Rehearsal does.

Simplicity is the hardest fix

In my previous article, I argued that simplicity is one of the hardest things to achieve — yet when done well, it’s also the strongest defence.

Too many SOCs chase metrics that don’t matter. I’ve seen teams with 15 key indicators forced to expand to 50 because leadership wanted to match an arbitrary industry benchmark taken from a compliance audit or a peer organization, a number that looked good in a report but had no connection to actual risk. That kind of thinking only creates noise.

Real maturity is subtractive. It means knowing which signals matter and tuning for them. It means removing distractions so analysts can focus on behavior — the odd PowerShell command, an unfamiliar DLL being run, the subtle anomaly that signals intent. That’s where early warning lives.

Many security leaders worry that narrowing focus will make them vulnerable. The opposite is true: trying to monitor everything is what creates the blind spots.

Learning from phishing

There’s a similar pattern in phishing awareness. Many organizations quietly lower the sophistication of their simulations so compliance scores look better. But that’s not real progress.

You can’t out-train human fallibility. The better approach is to teach the why, not just the what. When people understand why something feels wrong — when the context ties back to personal safety — retention increases.

The same principle applies to the SOC. Train analysts not only to detect, but to understand. Let them study the anatomy of attacks, the leading indicators, and the behavior chains that matter.

The SOC should be primarily a learning system.

The SOC model, from toolset to project

In an article I wrote about the reasons the SOC is in crisis and steps to fix it, I mentioned the need to integrate testing with operations, build context-aware detection, and establish clear response authorization.

Some of the most effective SOCs I’ve seen recently treat their function like a project instead of a toolset or outsourced service. They even have project managers embedded to drive iteration and coordination.

They’ve also broken the old pyramid hierarchy. Instead of a single “head of SOC” holding all authority, they’ve delegated decision-making to teams who know the environment best. It’s faster, fairer, and a better training ground for emerging analysts.

Most importantly, they’ve shifted from a defensive posture to an inquisitive one. They constantly model how an attack could happen, how it might move laterally, and what artefacts it would leave behind. Then they test those assumptions again and again.

Continuous uplift, not another exercise

We can’t treat purple teaming or SOC uplift as a box to tick. Breaches are now a fact of life. What matters is whether systems and people are ready to respond.

Endless testing is not the answer. Continuous learning is. Running small, focused simulations, observing, adjusting, and practicing until simplicity, speed, and intuition become second nature. Our client engagements demonstrate again and again that purple team exercises enhance SOC effectiveness.
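To make the two ideas above concrete, the small, behavior-focused rule set from the section on simplicity and the repeated, measured simulations described here, the following is an added example (not code from the author or their firm) of a minimal purple-team harness. A handful of detection rules, each carrying the "why" an analyst should learn, are run against constructed process-creation events that stand in for a rehearsal: one case is deliberately not covered so the run reports a gap to fix before the next iteration. All events, rule names and the base64 placeholder are constructed for this example.

```python
"""Mini purple-team harness: a few behavior-focused rules, a set of rehearsal
cases with the rule each one should trigger, and a benign baseline that must
stay quiet. Every run reports coverage, misses and false positives so the same
cases can be re-run after tuning. All telemetry here is constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One process-creation record (constructed for this example)."""
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str
    rationale: str                       # the "why", not just the "what"
    matches: Callable[[Event], bool]


# Directories a normal user can write to; DLLs and scripts run from here deserve a look.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|Users\\Public|ProgramData)\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def powershell_encoded(e: Event) -> bool:
    # -e / -enc / -EncodedCommand; interactive admins almost never need this.
    flag = re.compile(r"(?i)(^|\s)-e(nc|ncodedcommand)?(\s|$)")
    return _base(e.image) == "powershell.exe" and flag.search(e.cmdline) is not None


def rundll32_from_user_path(e: Event) -> bool:
    # rundll32 normally loads DLLs from System32, not from a user's Temp folder.
    return _base(e.image) == "rundll32.exe" and USER_WRITABLE.search(e.cmdline) is not None


def office_spawns_shell(e: Event) -> bool:
    # A document application has little reason to start a command interpreter.
    return _base(e.parent) in OFFICE_PARENTS and _base(e.image) in SHELLS


RULES: List[Rule] = [
    Rule("powershell_encoded", "Encoded commands hide intent from casual review.", powershell_encoded),
    Rule("rundll32_user_path", "Signed host binary used to run an untrusted DLL.", rundll32_from_user_path),
    Rule("office_spawns_shell", "Document-borne content handing off to a shell.", office_spawns_shell),
]


def evaluate(e: Event, rules: List[Rule] = RULES) -> List[str]:
    """Names of every rule that fires on one event."""
    return [r.name for r in rules if r.matches(e)]


# Rehearsal cases: (label, constructed event, rule expected to fire).
TEST_CASES: List[Tuple[str, Event, str]] = [
    ("T1 encoded PowerShell from explorer",
     Event("ws01", "alice", "explorer.exe",
           r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"),
     "powershell_encoded"),
    ("T2 rundll32 loading DLL from Temp",
     Event("ws01", "alice", "explorer.exe", r"C:\Windows\System32\rundll32.exe",
           r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start"),
     "rundll32_user_path"),
    ("T3 Word spawning cmd",
     Event("ws02", "bob", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
     "office_spawns_shell"),
    # Deliberate gap: no rule covers a script host launched from a user path yet.
    ("T4 script host launched from Temp",
     Event("ws02", "bob", "explorer.exe", r"C:\Windows\System32\cscript.exe",
           r"cscript.exe C:\Users\bob\AppData\Local\Temp\inv.vbs"),
     "script_from_user_path"),
]

# Benign baseline: routine activity that must not fire, or the rules are noise.
BENIGN_EVENTS: List[Event] = [
    Event("srv01", "admin", "explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    Event("ws01", "alice", "explorer.exe", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    Event("ws02", "bob", "outlook.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"WINWORD.EXE /n C:\Users\bob\Documents\agenda.docx"),
]


def run_exercise(cases=TEST_CASES, benign=BENIGN_EVENTS, rules: List[Rule] = RULES) -> Dict:
    """One rehearsal: which cases the rule set catches, which it misses, and what noise it makes."""
    detected, missed, false_positives = [], [], []
    for label, ev, expected in cases:
        (detected if expected in evaluate(ev, rules) else missed).append(label)
    for ev in benign:
        hits = evaluate(ev, rules)
        if hits:
            false_positives.append((ev.cmdline, hits))
    return {"coverage": len(detected) / len(cases), "detected": detected,
            "missed": missed, "false_positives": false_positives}


if __name__ == "__main__":
    print(run_exercise())
```

The value is in the loop, not the three rules: a missed case such as T4 becomes the next rule to write, the benign list grows with every false positive an analyst has to explain, and the whole set is re-run after each change so tuning never silently breaks an earlier detection.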

We need to stop measuring success by how complex our defences look and start measuring by how elegantly they work under pressure.

That’s how we go beyond purple teaming. That’s how we turn the SOC from a static service into a living capability.
