Red team engagements are usually treated as audits. Treat them as a controlled collection source instead and your CTI program gains ground truth that no feed can match.
A red team engagement usually ends with a report, a remediation list, and a presentation to leadership. The findings get tracked in a remediation ticket queue. Six months later the next engagement starts from scratch.
What the program loses in that cycle is intelligence. A red team engagement is the cleanest controlled collection source a CTI program will ever have. The actor is internal. The tradecraft is documented. The timing is known. The infrastructure is reusable. Every detection gap, every control failure, every behavioral signature observed in the engagement is ground truth that no external feed can produce.
A purple team practice that treats red team findings as intelligence rather than audit findings turns each engagement into a multiplier on the CTI program's quality.
The intelligence framing
The shift starts with how the engagement is scoped. A traditional red team brief reads like a list of objectives. Gain domain admin. Reach the crown jewels. Demonstrate impact. The CTI framing adds a second set of objectives, each tied to an active intelligence priority.
Test whether our detections fire for the specific tradecraft we attribute to the actors most likely to target our sector this quarter. Test whether our identity controls hold up to the consent grant abuse pattern we wrote a PIR about last quarter. Test whether our exfiltration detections trigger on the staging pattern we observed in the leaked operator playbook.
This second list of objectives turns the engagement from a generic audit into a targeted experiment. The red team is now running the actor's playbook on your environment, with your awareness, in a controlled time window. The findings answer questions the CTI team wrote in advance.
What to capture during the engagement
A purple team workflow captures a richer set of artifacts than a pure red team engagement does.
The operator's actual command line and tool invocation, captured at the source. Not the summary in the report. The raw command history. This is the most valuable behavioral artifact a CTI team can have. It is exactly what an external actor would generate.
The endpoint telemetry that did or did not capture each action. The Sysmon events, the EDR alerts, the Windows event logs. Captured by host, by user, and by minute. The telemetry is the answer key for which detections work and which do not.
The network telemetry around the same events. The proxy logs, the DNS, the firewall, the netflow. With time correlation back to the command history. The same answer key, at the network layer.
The identity telemetry. The authentication events, the OAuth grants, the conditional access decisions. With time correlation. The third answer key.
The detection result. For each red team action, the alert that fired, when it fired, what queue it landed in, what the analyst made of it, and how long the response took if any. This is the operational outcome, not just the technical outcome.
This level of capture requires planning. The CTI lead and the red team lead agree in advance on what will be captured, how it will be stored, and who has access. It is not extra work for the operator. It is the operator's normal log output plus a deliberate decision to keep it.
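The capture described above only pays off once the three layers are joined on time and host. The following is an added example, not part of the original article: it takes a constructed operator command history, constructed Sysmon-style process events, and constructed SOC alert records, and produces the per-action answer key (telemetry seen, alert fired, detection latency, triage outcome). Field names, the 60-second match window, and all timestamps are assumptions for the sample; a real pipeline would read these from the engagement's stored logs.

```python
from datetime import datetime

# Constructed purple team capture: operator command history, endpoint telemetry,
# and SOC alerts from the same window. All values are sample data, not a real engagement.
OPERATOR_LOG = [  # the operator's raw command history, captured at the source
    {"t": "2024-05-02T10:14:05", "host": "WS-042", "user": "jdoe", "cmd": "whoami /groups"},
    {"t": "2024-05-02T10:16:40", "host": "WS-042", "user": "jdoe", "cmd": "net group \"Domain Admins\" /domain"},
    {"t": "2024-05-02T10:21:12", "host": "WS-042", "user": "jdoe", "cmd": "<staging command, redacted>"},
]
TELEMETRY = [  # Sysmon-style process creation events (event ID 1); the third action left none
    {"t": "2024-05-02T10:14:06", "host": "WS-042", "event_id": 1, "cmdline": "whoami  /groups"},
    {"t": "2024-05-02T10:16:41", "host": "WS-042", "event_id": 1, "cmdline": "net  group \"Domain Admins\" /domain"},
]
ALERTS = [  # detection outcomes, including what the SOC did with each alert
    {"t": "2024-05-02T10:17:30", "host": "WS-042", "rule": "AD group enumeration",
     "queue": "tier1", "closed": "2024-05-02T10:19:00", "disposition": "closed as benign"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def _first_token(cmd):
    return cmd.split()[0].lower()

def build_answer_key(operator_log, telemetry, alerts, window_s=60):
    """For each operator action: did telemetry capture it, did an alert fire within the
    window, how long did detection take, and how did the SOC triage it."""
    rows = []
    for act in operator_log:
        t0 = _ts(act["t"])
        seen = any(ev["host"] == act["host"]
                   and 0 <= (_ts(ev["t"]) - t0).total_seconds() <= window_s
                   and _first_token(ev["cmdline"]) == _first_token(act["cmd"])
                   for ev in telemetry)
        fired = [a for a in alerts if a["host"] == act["host"]
                 and 0 <= (_ts(a["t"]) - t0).total_seconds() <= window_s]
        row = {"cmd": act["cmd"], "telemetry": seen, "alert": None,
               "detect_latency_s": None, "triage_s": None, "disposition": None}
        if fired:
            a = min(fired, key=lambda a: a["t"])  # earliest alert attributable to this action
            row.update(alert=a["rule"],
                       detect_latency_s=(_ts(a["t"]) - t0).total_seconds(),
                       triage_s=(_ts(a["closed"]) - _ts(a["t"])).total_seconds(),
                       disposition=a["disposition"])
        rows.append(row)
    return rows

def coverage(rows):
    """Share of actions captured by telemetry and share that produced an alert."""
    n = len(rows)
    return {"telemetry": sum(r["telemetry"] for r in rows) / n,
            "alerted": sum(r["alert"] is not None for r in rows) / n}
```

In the sample the second action is both logged and alerted on, yet the disposition shows the SOC closed it as benign, which is the runbook gap rather than the detection gap; the third action produced no telemetry at all, which is a data source gap.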
The replay and the second engagement
The most underused asset in a purple team practice is the replay. Once an engagement is complete, the operator's command history is essentially a script. The script can be replayed in a controlled environment any number of times, with different detection configurations.
The replay is the laboratory in which detection engineering happens. Run the script. Watch which detections fire. Tune the detection. Rerun. The cycle that previously required a fresh engagement now requires an hour of operator time.
Two replays are particularly valuable.
The pre-engagement replay. Before the next red team engagement begins, the team replays the previous engagement's script and confirms that every detection deployed since the last engagement actually fires on the previous behavior. This is regression testing for detections. Detections rot. They are tuned down, broken by data source changes, or silently filtered. The replay surfaces the rot before the next engagement is wasted on rediscovering it.
The hypothesis replay. When the CTI team writes a new detection rule based on intelligence, the team replays the most relevant red team script against the new rule before deploying it to production. The replay confirms that the rule would fire on the closest behavioral analog the team has actually observed. It is a precision check.
How findings flow into the CTI program
A traditional red team finding becomes a remediation ticket. A purple team intelligence finding fans out into several artifacts.
A detection rule, when the gap is a missing or insufficient detection. The rule includes a reference back to the engagement, the script segment that motivated it, and the data sources required.
A PIR or PIR refinement, when the engagement revealed a category of risk the program had not previously tracked. The new PIR triggers collection planning, intelligence reporting, and downstream detection requirements.
A control change, when the gap is at the preventative layer. The control change ticket includes the script segment that bypassed the control, so the implementer knows exactly what the new configuration has to defeat.
An incident response runbook update, when the engagement revealed that the response process had a gap, even if the detection fired correctly. Many engagements show that the alert fired and the SOC closed the alert prematurely. The runbook update addresses the triage step, not the detection.
A piece of training material, when the gap is human. The training is built around the specific operator tradecraft used in the engagement. Not a generic phishing course. A targeted exercise on the specific lure or pretext used.
Each artifact has an owner. Each artifact has a deadline. Each artifact closes when verified, not when reported.
A useful cadence
A program that has matured to this shape often runs three engagement types in rotation.
Quarterly purple team replays. Two days. The red team replays the prior engagement script, the CTI team and detection engineering validate that controls and detections still hold up, and gaps are tracked.
Semiannual targeted engagements. Two to three weeks. Scoped against the top three PIRs of the period. Produces the multi-artifact findings described above.
Annual full engagement. Four to eight weeks. Broader scope. Closer to a traditional red team engagement but with the intelligence capture in place from the start.
The pattern produces continuous intelligence rather than a single yearly event. It also produces a small backlog of replay scripts that the program can run on demand when new detections need precision testing.
Cultural conditions for it to work
Purple team intelligence requires a specific cultural setup.
The red team has to be willing to be observed in real time. Some traditional red team cultures resist this because the value they sell is the surprise. The shift is to sell the value of the replay instead.
The detection engineering team has to be willing to fail in front of the red team. The first replay against a new detection often fails. That is the point of the replay.
The SOC has to be willing to be tested without notice during the engagement window. The triage failures that the engagement surfaces are the ones the program most needs to fix.
The CTI team has to be willing to write specific hypotheses in advance and to be wrong about them. A purple team engagement that confirms or refutes a hypothesis is more valuable than one that produces general findings.
All four cultural shifts are real. None is impossible. The team that wants to operate this way usually has to convert the program manager first, then build a small successful run, then expand the model.
The point
Red team findings are the highest fidelity collection source a CTI program will ever have. Treat them that way. Scope engagements against intelligence priorities. Capture command history, multilayer telemetry, and detection outcomes. Replay the scripts as a regression test and as a precision check. Fan findings out into rules, PIRs, controls, runbooks, and training. Run a cadence that produces continuous intelligence rather than annual surprises. The result is a CTI program with ground truth instead of secondhand analysis, and a red team that compounds across engagements instead of starting over.