Capstone: run a full kill-chain in the lab and measure detection coverage at every step.
Module overview
This capstone integrates every module into a purple-team exercise inside an isolated range. A red track executes a full ATT&CK-mapped kill chain against intentionally vulnerable targets; a blue track detects, contains, and responds; the exercise ends with an after-action review that produces a detection-coverage matrix and concrete improvements. The objective is measured defensive improvement, not 'winning'.
Lesson 1
Designing the Exercise: Scope, ROE & Coverage Map
Deep explanation
A safe, useful exercise is engineered. Define scope (which lab systems), rules of engagement (no real data, isolated network, time-boxed), success criteria (detection coverage, MTTD/MTTR), and an ATT&CK coverage map listing each planned technique and the detection expected to catch it. Purple-teaming means red and blue collaborate: red runs a technique, blue checks whether telemetry and rules caught it, and gaps are logged for remediation.
PLAN: scope + ROE + success criteria + ATT&CK coverage map
  |
  v
red technique --> blue telemetry? --> rule fired? --> log gap if missed
  |_________________ repeat per technique ___________________|
Hands-on lab
Define scope and ROE for your isolated range in writing (systems, network isolation, time box, no real data).
Build an ATT&CK coverage matrix listing 5+ techniques you will exercise and the detection expected for each.
Confirm telemetry exists for each row (Sysmon/Zeek/cloud logs) before starting.
Brief both tracks on objectives and safety rules.
Expected output: A written scope/ROE and a coverage matrix mapping each planned technique to its data source and expected detection, with telemetry confirmed.
What to observe: The value is in the coverage map: it turns a vague 'exercise' into a measurable test of specific detections.
How attackers exploit · how defenders respond
Exploit: (Planning view) The red plan is a sequenced ATT&CK chain, each step chosen to test a specific defense.
Detect & respond: (Planning view) Each technique is pre-mapped to the telemetry and rule that should catch it, so misses are obvious.
Red team: Sequence techniques to probe known and suspected gaps; document each step.
Blue team: Pre-stage telemetry and rules; verify coverage per technique; log gaps for remediation.
Real-world scenario
Mature programs run recurring purple exercises whose coverage matrices become the backlog for detection engineering — measurable, prioritized defense improvement.
Lesson 2
Running the Chain & After-Action Review
Deep explanation
Execute the chain step by step against the vulnerable lab targets, with blue watching telemetry live: initial access (e.g., web exploit from Module 2) -> execution (encoded PowerShell, Module 4) -> privilege escalation (Module 3) -> credential access -> lateral movement -> collection -> exfiltration. At each step, record whether detection fired, how fast (MTTD), and how blue responded (containment, MTTR). The after-action review converts results into a gap list and prioritized fixes, then re-tests the gaps.
Examples
Initial web exploit was missed (gap) but the follow-on encoded PowerShell fired the Sigma rule — detection 4 minutes in.
Lateral movement via unusual remote execution triggered the PsExec-anomaly rule, enabling containment before exfil.
Commands & tools
# After-action: score each technique and compute metrics
# coverage % = detected_techniques / total_techniques
# MTTD = time(first detection) - time(technique start)
# MTTR = time(contained) - time(detected)
# Output: gap list -> detection-engineering backlog (Sigma rules to add/tune)
# Then RE-TEST the previously-missed techniques to confirm closure
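As an added worked example (not code from this course or from any project it references), the following Python script carries the Lesson 1 planning artifact through the Lesson 2 after-action scoring in one pass: it holds the ATT&CK coverage matrix, runs the pre-flight telemetry check from Lesson 1, then computes coverage %, MTTD and MTTR from per-technique timestamps, produces a prioritized gap list, and compares a re-test run against the first run. The ATT&CK technique IDs are my own mapping of the stages named above, and the data-source names, rule names and timestamps are constructed sample data rather than real exercise results.

```python
"""Purple-team exercise scoring (added example, constructed data).

plan (coverage matrix) -> pre-flight telemetry check -> record results
-> coverage %, MTTD, MTTR -> prioritized gap list -> re-test comparison
"""
from datetime import datetime, timedelta
from statistics import mean

# Kill-chain order used to prioritize gaps (same stages as the module diagram).
STAGES = ["recon", "initial access", "execution", "privesc", "cred access",
          "lateral", "collection", "exfil"]

# Lesson 1 artifact: one row per planned technique, pre-mapped to the telemetry
# source and the rule expected to catch it. ATT&CK IDs are my own mapping;
# source and rule names are constructed placeholders.
COVERAGE_MATRIX = [
    {"id": "T1190",     "stage": "initial access", "source": "zeek.http",      "rule": "web-rce-request"},
    {"id": "T1059.001", "stage": "execution",      "source": "sysmon.event1",  "rule": "encoded-powershell"},
    {"id": "T1068",     "stage": "privesc",        "source": "sysmon.event1",  "rule": "unexpected-system-child"},
    {"id": "T1003",     "stage": "cred access",    "source": "sysmon.event10", "rule": "lsass-access"},
    {"id": "T1021.002", "stage": "lateral",        "source": "winevent.7045",  "rule": "psexec-anomaly"},
    {"id": "T1005",     "stage": "collection",     "source": "sysmon.event11", "rule": "bulk-file-staging"},
    {"id": "T1041",     "stage": "exfil",          "source": "zeek.conn",      "rule": "outbound-volume-spike"},
]


def preflight(matrix, confirmed_sources):
    """Return technique ids whose planned telemetry source is not confirmed.
    Run before the exercise: a row without telemetry cannot be scored."""
    return [row["id"] for row in matrix if row["source"] not in confirmed_sources]


def score(matrix, results):
    """results: {technique_id: (start, first_detection_or_None, contained_or_None)}.
    Returns coverage %, mean MTTD/MTTR in seconds, and the per-technique table."""
    table, mttd, mttr = [], [], []
    for row in matrix:
        start, detected, contained = results[row["id"]]
        entry = {"id": row["id"], "stage": row["stage"], "rule": row["rule"],
                 "detected": detected is not None, "mttd_s": None, "mttr_s": None}
        if detected is not None:
            entry["mttd_s"] = (detected - start).total_seconds()   # MTTD per technique
            mttd.append(entry["mttd_s"])
            if contained is not None:
                entry["mttr_s"] = (contained - detected).total_seconds()  # MTTR per technique
                mttr.append(entry["mttr_s"])
        table.append(entry)
    hits = sum(1 for e in table if e["detected"])
    return {"coverage_pct": round(100.0 * hits / len(table), 1),
            "mttd_s": mean(mttd) if mttd else None,
            "mttr_s": mean(mttr) if mttr else None,
            "table": table}


def gap_list(scored):
    """Missed techniques as a detection-engineering backlog, earliest kill-chain
    stage first (assumption: an earlier catch cuts off more of the chain)."""
    gaps = [e for e in scored["table"] if not e["detected"]]
    return sorted(gaps, key=lambda e: STAGES.index(e["stage"]))


def retest(before, after):
    """Compare two scored runs: coverage delta, gaps closed, and any regressions."""
    was = {e["id"] for e in before["table"] if e["detected"]}
    now = {e["id"] for e in after["table"] if e["detected"]}
    return {"coverage_delta": round(after["coverage_pct"] - before["coverage_pct"], 1),
            "closed": sorted(now - was), "regressed": sorted(was - now)}


# Constructed sample runs: (technique start, first detection, containment).
T0 = datetime(2024, 1, 1, 9, 0, 0)
def _at(minutes):
    return T0 + timedelta(minutes=minutes)

RUN1 = {
    "T1190":     (_at(0),  None,    None),      # web exploit missed (gap)
    "T1059.001": (_at(10), _at(14), _at(20)),   # encoded PowerShell caught 4 min in
    "T1068":     (_at(25), None,    None),
    "T1003":     (_at(40), _at(42), _at(52)),
    "T1021.002": (_at(60), _at(61), _at(64)),   # PsExec anomaly, contained quickly
    "T1005":     (_at(70), None,    None),
    "T1041":     (_at(80), _at(85), _at(87)),
}
# Re-test after adding the web-RCE rule: only the previously missed T1190 changes.
RUN2 = dict(RUN1, T1190=(_at(0), _at(1), _at(5)))

if __name__ == "__main__":
    missing = preflight(COVERAGE_MATRIX, {r["source"] for r in COVERAGE_MATRIX})
    print("telemetry missing for:", missing or "none")
    first = score(COVERAGE_MATRIX, RUN1)
    print(f"coverage {first['coverage_pct']}%  MTTD {first['mttd_s']}s  MTTR {first['mttr_s']}s")
    for g in gap_list(first):
        print("GAP", g["id"], g["stage"], "-> add/tune rule", g["rule"])
    print("re-test:", retest(first, score(COVERAGE_MATRIX, RUN2)))
```

The script keeps every result in a returned structure rather than only printing it, so the coverage matrix, metrics and gap list can be written to the exercise record as evidence; the re-test step is what turns the gap list into a proven before/after, which is the deliverable the lab asks for.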
Diagram
recon -> initial access -> execution -> privesc -> cred access -> lateral -> collection -> EXFIL
  |          |D?             |D?          |D?        |D?            |D?         |D?          |D?
blue records detect/no-detect + MTTD + response at each stage
-> AAR: coverage %, MTTD/MTTR, GAP LIST -> fix -> re-test
Hands-on lab
Execute your planned chain against the vulnerable lab targets, blue monitoring live.
For each technique, record detected/missed, MTTD, and the response taken; keep evidence (logs, alerts).
Run the after-action review: compute coverage %, MTTD/MTTR, and produce a prioritized gap list.
Implement at least one missing detection and re-run that technique to confirm the gap is closed.
Expected output: A completed coverage matrix with detected/missed per technique, MTTD/MTTR metrics, a prioritized gap list, and one gap closed and re-tested successfully.
What to observe: Improvement is the deliverable: a measured before/after where at least one previously-missed technique is now detected.
How attackers exploit · how defenders respond
Exploit: (Exercise view) Red advances the chain only as far as detection allows, exposing exactly where blind spots are.
Detect & respond: Live monitoring per stage with MTTD/MTTR captured; AAR turns misses into a concrete engineering backlog.
Red team: Run the chain, document each step and what evaded detection.
Blue team: Detect/contain per stage, measure MTTD/MTTR, fix gaps, and re-test to prove closure.
Real-world scenario
Organizations that re-test closed gaps after each purple exercise show steadily rising coverage and falling MTTD across cycles — the whole point of the program.
End-of-module assessment
1. The primary goal of a red-vs-blue exercise is:
Purple exercises exist to measurably improve defense, not to score points.
2. A detection-coverage matrix maps:
It records, per technique, whether a detection exists and whether it fired.
3. The most important after-action output is:
Gaps must be remediated and re-tested to prove the exercise improved defense.
Key takeaways
Engineer the exercise: scope, ROE, success criteria, and an ATT&CK coverage map up front.
Run the chain stage by stage, measuring detection, MTTD, and MTTR with evidence.
The deliverable is improvement: fix the gaps and re-test to prove coverage rose.