Purple Teaming

For Blue Team Practitioners Validating Detection Coverage Across Microsoft and Open-Source SIEMs

Purple Team Operations

Run the attack. Watch the detection. Fix what is broken. Prove it works.

Validate your detection coverage by walking 61 ATT&CK techniques end-to-end across Windows, Active Directory, Microsoft 365, and Linux. Execute real attack commands in your own lab, observe the telemetry, write or tune the Sigma rule that catches each technique, and document the result across three SIEMs.

What you'll deploy
61 ATT&CK techniques walked end-to-end across 4 environments
Sigma detection rules for every technique, convertible to KQL, SPL, and Elastic
Atomic Red Team + Caldera execution framework in your own lab
VECTR tracking for detection coverage measurement
ATT&CK Navigator heatmaps showing your validated coverage
Purple team program framework you can run quarterly
PURPLE TEAMING — ATT&CK COVERAGE MAP

CREDENTIAL ACCESS — 8 techniques · LSASS, DCSync, Kerberoasting, browsers. Largest module — credential dumping has many distinct attacker variants.

PERSISTENCE — 7 techniques · scheduled tasks, services, OAuth, registry. Cross-environment — Windows, AD, M365, Linux all have persistence surfaces.

DEFENSE EVASION — 6 techniques · LOLBins, AMSI bypass, audit log tampering. Detection-difficulty rich — where rule design actually matters.

LATERAL MOVEMENT — 6 techniques · RDP, WMI, PsExec, Pass-the-Hash, M365. Chain-aware — Module 9 introduces multi-step emulation.

DISCOVERY + C2 + EXFIL + IMPACT — 16 more techniques across the remaining tactics. Full kill chain coverage from initial access through impact.

CAPSTONE — CHAIN-HARVEST — Full purple-team report on AiTM credential phishing. Multi-stage chain · all techniques · coverage report deliverable.

61 techniques · 15 modules · 3 SIEMs · 4 environments

From "we have rules" → "I ran the attack and the rule fired"

What you'll be able to do

Execute 61 ATT&CK techniques end-to-end in a controlled lab environment
Validate detection rules by firing the attack and verifying the alert
Write and tune Sigma rules from observed attack telemetry
Detect across Sentinel, Defender XDR, and Splunk or Elastic simultaneously
Run a continuous purple-team program with measurable coverage metrics
Specialist tier | 15 modules | 61 ATT&CK techniques | 40 CPE credits | 2 free modules — no account needed | 3 SIEMs · 4 environments | Updated May 2026
Course Agenda View all 16 modules

Phase 1 — Foundations and Lab Build (Free)

PT0 — Course Introduction
PT1 — Building Your Purple-Team Lab

Who this course is for

“We have detection rules but we've never tested if they actually fire.” You deployed Sentinel analytics rules and Defender XDR custom detections, but you've never run the attack technique to see if the rule catches it. This course changes “we have a rule for that” to “I ran the attack and the rule fired in 4 seconds.”

“I want to write Sigma rules but I don't know the attack side well enough.” You can't write a detection rule for a technique you've never seen execute. Each module walks the attack command, shows the telemetry it produces, and then builds the Sigma rule that catches it — with KQL, SPL, and Elastic conversions.

“My CISO asked for an ATT&CK coverage report and I don't have one.” The ATT&CK Navigator heatmap builds throughout the course. By the capstone you have a validated coverage map: green for techniques you've tested and detected, yellow for partial coverage, red for gaps. That's the board-level artifact your CISO needs.

“I'm a blue teamer who's never used Atomic Red Team or Caldera.” You build the lab and learn the tooling: Atomic Red Team for individual technique execution, Caldera for adversary emulation chains. Both running in your own environment, controlled by you.

“We only run Sentinel. Everything I find assumes Splunk or Elastic.” Every technique includes Sigma rules with native KQL conversion for Sentinel and Defender XDR. Splunk and Elastic conversions are included too — so you can hand the same rule to a multi-SIEM team or take it to your next job.

“I need to run purple team exercises for my organization, not just learn the concept.” The capstone CHAIN-HARVEST is a complete purple team engagement: multi-stage AiTM credential phishing attack chain, full detection validation, VECTR tracking, and the final report. It's the template for every quarterly exercise you run afterward.

Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.

Before and after this course

Before

You have 40 detection rules and you believe they work because they fire occasionally. You've never run the attack they're supposed to catch to confirm.

Your ATT&CK coverage is a spreadsheet someone filled in based on “I think we have a rule for that.” No technique was actually executed to validate.

You write detection rules for KQL only. When the team uses Splunk or the next job uses Elastic, you start over.

The pentest report lists 15 findings but you don't know how to turn them into repeatable detection validation exercises.

After

61 techniques executed, telemetry observed, rules validated. You know which rules fire, which miss, and why — because you tested each one against the real technique.

Your ATT&CK Navigator heatmap is evidence-backed. Every green cell means you ran the attack and confirmed detection. Every red cell is a documented gap with a remediation plan.

You write Sigma rules that convert to KQL, SPL, and Elastic. One rule, three SIEMs. Platform-portable detection engineering.

Pentest findings become purple team exercises. You take every finding, build the Atomic test, validate the detection, and track the result in VECTR. The next quarterly exercise runs the same tests and measures improvement.

How the course works

Every technique follows the same four-step purple team cycle. You execute, observe, detect, and document — 61 times across 12 ATT&CK tactics:

Execute
Run the Attack

Atomic Red Team or Caldera fires the real technique in your lab. LSASS dump, Kerberoasting, scheduled task persistence, C2 beaconing — the actual command, not a simulation.

Observe
Watch the Telemetry

Sysmon, Windows Event Log, Defender telemetry, Sentinel ingestion. You see exactly what evidence the attack produces and where it lands.

Detect
Write the Sigma Rule

Build the detection from the telemetry you just observed. Sigma rule with field-level mapping, converted to KQL for Sentinel, SPL for Splunk, and Elastic query language.

Document
Track in VECTR

Log the result: detected, partially detected, or missed. ATT&CK Navigator updates. MTTD measured. The coverage report builds itself as you work through the course.

What the content looks like

This is the Sigma rule you write after executing T1003.001 (LSASS credential dumping). You've already seen the attack telemetry — now you build the detection that catches it across all three SIEMs.

Sigma — From Module 7: Credential Access Detection
title: LSASS Memory Access via Non-Standard Process
status: test
description: Detects a process opening a handle to lsass.exe with an access mask that allows reading its memory (Sysmon Event ID 10)
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x1010'   # PROCESS_VM_READ (0x0010) + PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
            - '0x1FFFFF' # PROCESS_ALL_ACCESS
    filter_legitimate:
        SourceImage|endswith:
            - '\MsMpEng.exe'  # Microsoft Defender Antivirus engine
            - '\csrss.exe'    # Client/Server Runtime Subsystem
    condition: selection and not filter_legitimate
level: high

The module doesn't just give you the rule. You run the LSASS dump first, observe GrantedAccess 0x1010 in Sysmon Event 10, understand why that access mask matters, build the filter for legitimate processes, then deploy the Sigma rule to all three SIEMs. You know it works because you just tested it.
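To make the rule's logic concrete before it goes into a SIEM, here is an added Python replay of it over constructed Sysmon Event ID 10 records (example code added here, not course material): it decodes the access mask so you can see that 0x1010 is PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION, then applies the same selection and filter the Sigma rule expresses. The event class, sample paths and helper names are assumptions; the access-right constants are the Win32 values.

```python
"""Replay the LSASS process_access Sigma rule over constructed Sysmon Event ID 10 records."""
from dataclasses import dataclass

# Windows process access rights the rule cares about (Win32 API values).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Mirrors the rule's selection list (GrantedAccess|contains) and filter list (SourceImage|endswith).
SUSPICIOUS_MASKS = ("0x1010", "0x1FFFFF")
FILTERED_SOURCES = ("\\MsMpEng.exe", "\\csrss.exe")


@dataclass
class ProcessAccessEvent:
    """Subset of Sysmon Event ID 10 fields the rule reads (assumed field mapping)."""
    source_image: str
    target_image: str
    granted_access: str  # hex string as Sysmon logs it, e.g. '0x1010'


def decode_mask(granted_access: str) -> list[str]:
    """Name the rights inside an access mask so an analyst sees why 0x1010 matters."""
    mask = int(granted_access, 16)
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = {"PROCESS_VM_READ": PROCESS_VM_READ,
             "PROCESS_QUERY_INFORMATION": PROCESS_QUERY_INFORMATION,
             "PROCESS_QUERY_LIMITED_INFORMATION": PROCESS_QUERY_LIMITED_INFORMATION}
    return [name for name, bit in names.items() if mask & bit]


def matches_rule(ev: ProcessAccessEvent) -> bool:
    """Sigma condition 'selection and not filter_legitimate', compared case-insensitively like a SIEM backend."""
    target_hit = ev.target_image.lower().endswith("\\lsass.exe")
    access_hit = any(m.lower() in ev.granted_access.lower() for m in SUSPICIOUS_MASKS)
    filtered = any(ev.source_image.lower().endswith(s.lower()) for s in FILTERED_SOURCES)
    return target_hit and access_hit and not filtered


def run_rule(events: list[ProcessAccessEvent]) -> list[tuple[str, str, list[str]]]:
    """Return (source image, mask, decoded rights) for every event the rule would alert on."""
    return [(ev.source_image, ev.granted_access, decode_mask(ev.granted_access))
            for ev in events if matches_rule(ev)]


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    ProcessAccessEvent("C:\\Windows\\System32\\csrss.exe", "C:\\Windows\\System32\\lsass.exe", "0x1FFFFF"),
    ProcessAccessEvent("C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe", "C:\\Windows\\System32\\lsass.exe", "0x1010"),
    ProcessAccessEvent("C:\\Users\\alice\\Downloads\\unknown_tool.exe", "C:\\Windows\\System32\\lsass.exe", "0x1010"),
    ProcessAccessEvent("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\lsass.exe", "0x1000"),
    ProcessAccessEvent("C:\\Users\\alice\\Downloads\\unknown_tool.exe", "C:\\Windows\\System32\\notepad.exe", "0x1FFFFF"),
]

if __name__ == "__main__":
    for src, mask, rights in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {src} opened lsass.exe with {mask} ({' | '.join(rights)})")
```

Only the unknown tool reading lsass.exe with 0x1010 alerts; the Defender engine and csrss.exe hit the filter, and the 0x1000 handle carries no PROCESS_VM_READ right.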

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy Sigma rules, KQL queries, and detection configurations in your production environment. You may not redistribute course content or share account credentials.

Attack techniques: All attack execution is in your own isolated lab. Do not execute techniques against systems you do not own or have explicit written authorization to test.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 1.0  |  Last updated: April 2026

April 2026 — v1.0: Course complete. 15 modules (PT0–PT14). 61 ATT&CK techniques across 12 tactics. Full kill chain from initial access through impact. Capstone CHAIN-HARVEST. Three-SIEM detection track throughout.

This course is actively maintained. Techniques and detections are updated as ATT&CK evolves and new attack patterns emerge.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.