AI Purple Team Scenario Creator

Generate comprehensive red-blue collaboration exercises that test detection, response, and remediation capabilities in realistic attack simulations.

#cybersecurity #purple-team #adversary-simulation #mitre-attack #security-training

Created by PromptLib Team

February 11, 2026

4,166 Total Copies
4.6 Average Rating
You are an elite cybersecurity exercise architect specializing in purple team operations. Create a comprehensive purple team scenario based on the following parameters:

**TARGET ENVIRONMENT:** [INDUSTRY] sector organization with [INFRASTRUCTURE_TYPE] infrastructure
**THREAT MODEL:** [THREAT_ACTOR_PROFILE] (e.g., APT29, Ransomware-as-a-Service, Insider Threat)
**EXERCISE SCOPE:** [SCOPE] (e.g., Initial Access to Domain Compromise, Lateral Movement Detection, Data Exfiltration Prevention)
**DIFFICULTY LEVEL:** [DIFFICULTY] (Beginner/Intermediate/Advanced)
**COMPLIANCE CONTEXT:** [FRAMEWORK] (e.g., NIST 800-53, MITRE ATT&CK, ISO 27001)

Generate a complete purple team exercise containing:

## 1. SCENARIO NARRATIVE
- Business context and critical assets at risk
- Threat actor motivation and TTPs (Tactics, Techniques, Procedures)
- Assumed breach starting point

## 2. RED TEAM PLAYBOOK (Offensive Operations)
- Phase-by-phase attack chain mapped to MITRE ATT&CK
- Specific tools/commands to be used (simulated or actual safe versions)
- Expected dwell time and stealth requirements
- Success criteria for red team (flags to capture)

## 3. BLUE TEAM OBJECTIVES (Defensive Operations)
- Detection engineering goals (SIEM rules, behavioral analytics)
- Incident response milestones (MTTD/MTTR targets)
- Containment strategies without business disruption
- Threat hunting hypotheses to validate

## 4. PURPLE TEAM COLLABORATION POINTS
- Scheduled knowledge transfer sessions during exercise
- Assumptions to validate (e.g., 'Can we detect PowerShell obfuscation?')
- Real-time feedback mechanisms between red and blue
- Kill switches and safety protocols

## 5. TECHNICAL ENVIRONMENT SPECIFICATIONS
- Required lab infrastructure (sandboxes, jump boxes, target systems)
- Network segmentation details
- Logging and monitoring requirements (EDR, NDR, CloudTrail)
- Deconfliction procedures to avoid production impact

## 6. MEASUREMENT & KPIs
- Detection coverage metrics (percentage of ATT&CK techniques caught)
- Response time benchmarks
- False positive/negative rates
- Improvement tracking from baseline

## 7. POST-EXERCISE ANALYSIS FRAMEWORK
- Hotwash agenda template
- Gap analysis structure
- Remediation roadmap with priorities
- Knowledge base updates required

FORMAT REQUIREMENTS:
- Use markdown with clear headers
- Include specific MITRE ATT&CK technique IDs (T####)
- Provide alternative paths for both red and blue based on success/failure
- Add 'Instructor Notes' for exercise facilitators
- Include 'Go/No-Go' checklist for exercise safety

TONE: Professional, technically precise, safety-conscious. Ensure all offensive techniques include corresponding defensive countermeasures.
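One way to turn section 6 of the prompt into numbers, as an added example that is not part of the original prompt or the PromptLib page: a small Python scorer that takes per-technique exercise records and computes detection coverage, false negative rate, false positive share, MTTD, MTTR and the change from a baseline run. The record layout, field names and the sample data (real ATT&CK technique IDs, but invented timestamps and outcomes) are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class TechniqueResult:
    technique: str                    # ATT&CK technique ID, e.g. T1059.001
    executed_at: datetime             # when the red team ran the step
    detected_at: Optional[datetime]   # first true-positive alert; None means missed
    responded_at: Optional[datetime]  # containment action; None means not contained
    false_alerts: int = 0             # alerts the same rule raised on benign activity
@dataclass
class Scorecard:
    coverage: float                 # share of executed techniques that produced a true alert
    false_negative_rate: float      # share of techniques the blue team never saw
    false_positive_share: float     # false alerts / all alerts raised in the window
    mttd_minutes: Optional[float]   # mean execution-to-detection, detected steps only
    mttr_minutes: Optional[float]   # mean detection-to-containment, contained steps only
    missed: list                    # technique IDs for the section 7 gap analysis
    delta_vs_baseline: Optional[float]  # coverage change since the baseline run

def minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60

def score(results: list, baseline_coverage: Optional[float] = None) -> Scorecard:
    detected = [r for r in results if r.detected_at is not None]
    contained = [r for r in detected if r.responded_at is not None]
    missed = [r.technique for r in results if r.detected_at is None]
    false_alerts = sum(r.false_alerts for r in results)
    total_alerts = false_alerts + len(detected)   # one true alert per detected step
    coverage = len(detected) / len(results)
    return Scorecard(
        coverage=coverage,
        false_negative_rate=len(missed) / len(results),
        false_positive_share=false_alerts / total_alerts if total_alerts else 0.0,
        mttd_minutes=mean(minutes(r.detected_at, r.executed_at) for r in detected) if detected else None,
        mttr_minutes=mean(minutes(r.responded_at, r.detected_at) for r in contained) if contained else None,
        missed=missed,
        delta_vs_baseline=None if baseline_coverage is None else coverage - baseline_coverage,
    )
# Constructed records for a fictional exercise; timestamps and outcomes are invented.
T0 = datetime(2026, 2, 11, 9, 0)
at = lambda m: T0 + timedelta(minutes=m)
SAMPLE = [
    TechniqueResult("T1566.001", at(0), at(5), at(25), false_alerts=2),   # spearphishing attachment
    TechniqueResult("T1059.001", at(30), at(42), None, false_alerts=5),   # PowerShell, noisy rule
    TechniqueResult("T1003.001", at(60), None, None),                     # LSASS access, missed
    TechniqueResult("T1021.002", at(90), at(96), at(120)),                # SMB admin share, contained
    TechniqueResult("T1041", at(150), None, None),                        # exfil over C2, missed
]
```

Call `score(SAMPLE, baseline_coverage=0.4)` to get the scorecard; the `missed` list is the input to the section 7 gap analysis and remediation roadmap.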

Best Use Cases

Designing quarterly adversary simulation exercises to validate SOC detection capabilities against emerging ransomware tactics

Creating onboarding scenarios for new security analysts to learn both offensive tradecraft and defensive countermeasures simultaneously

Developing compliance validation exercises that map purple team outcomes to NIST Cybersecurity Framework requirements for auditors

Building capture-the-flag (CTF) style training for red and blue teams to compete collaboratively while improving detection engineering

Constructing tabletop scenarios for executive leadership to understand the business impact of specific attack chains and response delays

Frequently Asked Questions

How is this different from just hiring a red team?

Unlike traditional red teaming, which focuses solely on breaking in, this creates a collaborative learning environment where the blue team immediately learns the 'how' and 'why' of each detection gap. It emphasizes knowledge transfer during the exercise rather than just a final report of findings.

Can this be used for automated purple teaming with AI agents?

Yes, the output can serve as a specification for automated breach and attack simulation (BAS) tools or AI agents acting as autonomous red teams, with the defensive playbooks feeding SOAR (Security Orchestration, Automation and Response) platforms for automated response testing.

What if we don't have a mature SOC?

The prompt includes difficulty scaling. For immature security programs, set DIFFICULTY to 'Beginner' and focus on basic hygiene validation (patch management, basic logging) rather than advanced threat hunting, ensuring the exercise builds foundational capabilities rather than overwhelming analysts.

