Adversary Emulation and Purple Team Operations
RCCE students will learn how offensive and defensive teams work together to validate detections, test assumptions, improve controls, and measure defensive readiness using realistic adversary behaviors. RCCE students will learn to plan emulation exercises, align activities to threat intelligence and ATT&CK, capture lessons learned, improve detections, and turn exercise results into concrete defensive improvement plans. The course covers practical scenarios ranging from exercise design to execution, analysis, and remediation. RCCE students will learn to analyze complex systems and think like an attacker to better defend the organization. This comprehensive course delivers practical knowledge applicable to real-world cybersecurity operations. Starting from foundational concepts, RCCE students will learn through a combination of concept explanation, practical demonstration, and hands-on exercises.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Adversary Emulation and Purple Team Operations
- Execute hands-on tasks for purple team operations
- Execute hands-on tasks for offensive skills
- Execute hands-on tasks for defensive skills — covering Plan adversary emulation exercises, detection coverage gaps.
- Execute hands-on tasks for what is adversary emulation? — covering Replicating real-world threat actor TTPs.
- Execute hands-on tasks for key differentiators
- Execute hands-on tasks for not adversary emulation — covering Uses threat intelligence as input.
- Execute hands-on tasks for red team — covering Blue Team.
- Execute hands-on tasks for purple team vs red team vs blue team — covering Red Team.
- Design a scalable privilege management architecture with policy and enforcement
- Design a scalable privilege management architecture with policy and enforcement, including One-off exercises on request, and Quarterly or monthly exercises.
| Module 01 | Purple Team Operations |
| Module 02 | Offensive Skills |
| Module 03 | Defensive Skills |
| Module 04 | What Is Adversary Emulation? |
| Module 05 | Key Differentiators |
| Module 06 | Not Adversary Emulation |
| Module 07 | Red Team |
| Module 08 | Purple Team vs Red Team vs Blue Team |
| Module 09 | Purple Team Operating Models |
| Module 10 | Ad-Hoc Model |
| Module 11 | Periodic Model |
| Module 12 | Continuous Model |
| Module 13 | Threat Intelligence-Driven Emulation Planning |
| Module 14 | Collect Intel |
All hands-on labs run on Rocheston Rose X OS. Students practice adversary emulation and purple team operations by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for purple team operations
- Lab 2: Execute hands-on tasks for offensive skills
- Lab 3: Execute hands-on tasks for defensive skills
- Lab 4: Execute hands-on tasks for what is adversary emulation?
- Lab 5: Execute hands-on tasks for key differentiators
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Adversary Emulation and Purple Team Operations, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI