The philosophy of purple: Behind the rise of red + blue

It’s not often that we talk about Irish playwrights at Black Hat MEA. In fact, this might be the first time ever. But we’ll do it anyway; because we read this line from George Bernard Shaw’s 1903 play Man and Superman, and it immediately triggered our cybersecurity brains: 

“A learned man is an idler who kills time with study. Beware of his false knowledge: it is more dangerous than ignorance.”

This line appears in an appendix to the play, titled The Revolutionist’s Handbook and Pocket Companion. The appendix was Shaw’s way of inserting his own (sometimes contrarian) views into the play; and the aim was to jolt readers out of unconditional faith in institutional knowledge, and push them to think for themselves. 

We think the rise of the purple team in cyber serves the same purpose. Purple shakes things up – forcing both red and blue to step out of their comfort zone and acknowledge that they don’t (and never will) know everything. 

Red and blue haven’t always worked well together. Red teamers might have thought blue teamers were naive, while blue teamers might’ve seen red teamers as reckless. One broke things to prove something, and the other patched things up to keep the lights on. 

But the truth is that neither side wins on their own. 

Shaw’s warning about false knowledge lands neatly in modern cybersecurity. Purple teaming was born from the realisation that confidence without collaboration is its own form of ignorance.

When red meets blue

For years, red team exercises were the closest most companies came to real-world combat. Ethical hackers would mimic adversaries, breach a network, and hand over a slick report filled with CVE numbers and colourful kill chains. Then the blue team would scramble to patch, tighten configurations, and tune detections.

Organisations would repeat this cycle; but the actual learning that came from it was limited. 

And the problem was a lack of connection. As researchers at GuidePoint Security note in a 2025 report that makes a case for purple teaming, red team and blue team engagements “test, evaluate, and improve an organisation’s security posture,” but only when they work as a collaborative engagement rather than sequential audits. In isolation, each side sees just half the fight.

That’s where the philosophy of purple begins: as a mindset.

A bridge between skill sets and knowledge bases 

A purple team isn’t a new department, and it doesn’t aim to merge red and blue into one entity. It’s the connective tissue between attacker logic and defender discipline.

The term started to surface in military cyber circles around a decade ago, but it’s matured into something more strategic: a mechanism for continuous feedback. Rapid7’s overview of what a purple team really is explains that purple teams enable red and blue to “share information, correlate findings, and leverage subsequent insights” to harden attack surface defences.

Think of it as DevOps for security: collapsing the hand-off between offence and defence, and replacing one-off reports with an ongoing conversation.

What the data says

Philosophy aside, this kind of collaboration is backed by measurable progress. CyberCX’s Insights from 100 Purple Teams (2024) reviewed a hundred joint exercises across sectors and found a clear pattern. Organisations that ran purple-team simulations identified gaps that would have gone unseen in siloed testing – detection logic that looked strong on paper but failed under live adversarial conditions, and red team tactics that defenders could quickly neutralise once they saw them in real time.

But the biggest benefit was the cultural discovery. Both sides built empathy for how the other works. The red team learned which alerts matter most to the SOC; the blue team learned how subtle real-world evasion looks. The result, according to CyberCX, was faster remediation and more durable defensive control design.

From exercises to ecosystems

Purple teaming is increasingly moving from event-based testing into the everyday muscle of security operations. Modern SOCs now borrow red team tactics to validate detections as part of their threat-hunting cadence. And offensive security teams build detections as they break in.

In some enterprises, the philosophy goes further: they codify purple workflows into their SIEM or SOAR pipelines, so that every red team technique automatically becomes a blue team validation rule. It’s an iterative cycle of shared learning, where each offensive insight feeds directly into defensive readiness.

The purple philosophy

At its heart, purple is a reminder that cybersecurity is a dialogue, not a duel.

Attackers don’t work in silos, and neither should we.

The rise of the purple team marks a shift from adversarial exercises to cooperative learning. It’s about blending the creative chaos of offence with the disciplined engineering of defence – using each to sharpen the other.

Because the threat landscape no longer gives defenders the luxury of time, and it no longer gives red teams the satisfaction of theoretical victories. Every test, every detection, every shared lesson feeds the same outcome: resilience.

It all fits with George Bernard Shaw’s caution against trusting false knowledge. In cyber, that false knowledge might be the illusion of safety without testing, or the arrogance of siloed expertise. Purple teams exist to challenge that illusion – and in doing so, they keep us open to the reality that we never know everything.