Hands-On Purple Team Exercises

November 19th @ 18:00 - 21:00 (GMT +4) // Track 3 @ HITB Labs


In this two-hour hands-on workshop you will play the role of both the red team and the blue team. We have set up an isolated environment for each attendee to go through a Purple Team Exercise. Attendees will be able to create adversary emulation campaigns with SCYTHE and run them in a small environment consisting of a domain controller, a member server, and a Linux system. While acting as the red team operator, each attendee will also play the role of the blue team, looking for Indicators of Compromise and adversary behavior mapped to MITRE ATT&CK Tactics, Techniques, and Procedures. Attendees will learn the basics of adversary emulation (powered by SCYTHE) and blue team tools such as Sysmon, Wireshark, and others. It will be a fun two hours of hands-on learning!

A purple team is a virtual, functional team where teams work together to measure and improve defensive security posture (people, process, and technology):

  • Cyber Threat Intelligence (CTI) provides a threat actor with the capability, intent, and opportunity to attack
  • Red Team creates adversary emulation plan
  • Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses
  • Emulation of each adversary behavior (TTPs)
  • Blue Team looks for indicators of behavior and/or improvement opportunities
  • Red and Blue work together to create remediation action plan
  • Repeat for next set of TTPs


This workshop will cover a hands-on walkthrough of the free Purple Team Exercise Framework (PTEF): https://github.com/scythe-io/purple-team-exercise-framework/blob/master/PurpleTeamExerciseFramework.pdf

While we have held non-hands-on workshops, this one is fully hands-on. As a prerequisite, we would prefer that attendees watch the non-hands-on walkthrough or at least review the PTEF document. The non-hands-on walkthrough is here: https://vimeo.com/446501220


Chief Technology Officer of SCYTHE / Co-Creator of the C2 Matrix Project

Jorge Orchilles

Jorge Orchilles is the Chief Technology Officer of SCYTHE and co-creator of the C2 Matrix project. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation. He was a founding member of MITRE Engenuity Center of Threat-Informed Defense. He is a Fellow at the Information Systems Security Association (ISSA) and National Security Institute. Prior, Jorge led the offensive security team at Citi for over 10 years.

He also co-authored the Common Vulnerability Scoring System (CVSS) and A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry, and is the author of Microsoft Windows 7 Administrator’s Reference. Jorge holds post-graduate degrees from Stanford and Florida International University in Advanced Computer Security & Master of Science. Jorge speaks English, Spanish, and Portuguese, in decreasing levels of fluency. When he’s not hacking, teaching, or writing, you’ll find him watching and playing soccer.


The underlying infrastructure is a VMware learning platform, and every user gets credentials to log into their own environment for the 2 hours. The environment consists of the following:

  • UnicornDC1 – Domain Controller that user attacks
  • Unicorn – Member server on which the user gets console access and web access to various tools. This is both the management host and a victim host.
  • Ubuntu – Victim system that will have Splunk and ELK on it for the blue team.
  • Slingshot – Free distribution with multiple C2 frameworks and VECTR