Enterprises have spent a decade buying detection and response tools. Group-IB’s new Purple Teaming service starts from an uncomfortable premise: most of them have no idea whether any of it works.
Announced this week, the offering puts Group-IB’s offensive specialists and a client’s own defenders in the same engagement, at the same time. The red team runs adversary scenarios live while the blue team watches, responds and tunes its detection rules on the spot — a feedback loop compressed into a single exercise rather than stretched across a quarter.
Not another pentest report
That distinction is the entire pitch. Traditional penetration testing ends with a PDF that lands weeks after the attack simulation is over, by which point the findings have gone stale and the defenders who needed the lesson never saw it happen. Purple teaming collapses the gap: defenders learn while the attack is still running.
Every scenario is mapped to the MITRE ATT&CK framework and drawn from Group-IB’s own threat intelligence. Engagements can cover ransomware simulations, Active Directory attacks, supply chain compromise and data exfiltration, all run without disrupting production systems. Duration ranges from one to eight weeks, delivered on-site, remotely or hybrid.
The company says its scenario library draws on more than 1,600 high-tech cybercrime investigations conducted since it was founded in 2003 — the argument being that a client gets simulations of the threat actors actually targeting its industry and geography, rather than a generic attack playbook applied uniformly.
The accountability question
“Organisations today face a fundamental accountability question: they have invested heavily in detection and response capabilities, but many have never tested whether those capabilities actually work when it matters,” said Dmitry Volkov, CEO of Group-IB. “Purple Teaming answers that question honestly. It is not a checkbox exercise.”
Konstantin Damotsev, who heads the company’s red teaming practice, makes the sharper version of the case: the value is not the offensive toolkit but the intelligence behind each scenario. Defenders, he argues, should be trained against the adversaries attributed in real incidents, not a theoretical composite.
Worth a raised eyebrow
Purple teaming is not a Group-IB invention. Mandiant, CrowdStrike, SANS and a long tail of boutique consultancies all sell some version of collaborative adversary emulation, and the term has been drifting toward buzzword territory for years. What Group-IB is really monetising is its intelligence archive, which is a genuine differentiator only if the scenarios stay current.
There is also the awkward incentive structure common to every vendor that both finds the gaps and sells the products that fill them. Group-IB positions Purple Teaming alongside its Threat Intelligence, Managed XDR and Incident Response lines. An exercise that reliably concluded “your defences are fine” would be a strange thing for the company to sell.
None of which makes the underlying observation wrong. Security budgets have grown faster than the evidence that they buy operational readiness, and an exercise that produces a defender who has practiced under pressure is worth more than another dashboard. The service is available globally through Group-IB’s network of Digital Crime Resistance Centers.
