CyberWire Daily - Purple teaming in the modern enterprise. [CyberWire-X]
Episode Date: May 25, 2025
In large enterprise software companies, Red and Blue Teams collaborate through Purple Teaming to proactively detect, respond to, and mitigate advanced threats. In this episode of CyberWire-X, N2K's Dave Bittner is joined by Adobe's Justin Tiplitsky, Director of Red Team, and Ivan Koshkin, Senior Detection Engineer, to discuss how their teams work together daily to strengthen Adobe's security ecosystem. They share real-world insights on how this essential collaboration enhances threat detection, refines security controls, and improves overall cyber resilience.
Transcript
You're listening to the CyberWire Network powered by N2K.
Welcome to CyberWireX where we unpack the critical conversations shaping cybersecurity today.
I'm Dave Bittner.
In this sponsored episode,
we're diving into the world of purple teaming,
where offense meets defense
to strengthen enterprise security.
At the heart of this strategy are red and blue teams.
One simulates real world attacks,
the other defends against them.
But the real magic happens when they team up.
Joining us today are two leaders from Adobe's security organization, Justin Tiplitsky, director
of Red Team, and Ivan Koshkin, senior detection engineer.
They'll share how Adobe's Red and Blue teams collaborate every day, not just to test
and defend, but to learn, adapt, and outpace evolving threats.
From real-world examples to practical advice, this conversation sheds light on how purple
teaming can refine controls, boost detection, and make enterprise security more resilient.
Let's jump in.
Well, to kick things off, I'd really love each of you to introduce yourselves and your roles at Adobe and how you came to be a part of this red and blue collaboration.
Ivan, will you start for us, please?
Yeah, so I've been working at Adobe for the last almost four years now and
started within the kind of standard SOC development team doing a lot of triage
kind of transition into more of a detection engineer role. And over time as
we're maturing that program kind of a natural evolution of the whole process
is trying to collaborate more with adversarial emulation
teams, especially the Red Team.
So over time, we've kind of developed a relationship
and identified how to improve our collaboration.
And it's grown into something that's become very fruitful.
Justin, how about you?
Yeah, so I joined Adobe in 2021 with the intention
of building the Red Team from the ground up.
So previous to that, I had been into it and had the opportunity to be one of the first red teamers there.
And then I spent about five years leading and doing red team operations for Microsoft.
So now here I am. We're basically building up this program continuously year over year and seeking improvement at the defense side. And that's where the red blue collaboration comes together.
And we've had some really good purple teamwork that we've done.
So Justin, for folks who might not be familiar, what exactly does purple teaming
mean and how does it differ from red and blue team operations?
Yeah, definitely.
So purple is something that's being embraced a little bit more in the industry
now, because it's an opportunity to strengthen the blue team side.
So you make the blue team aware a little bit different, you know, from red teaming that you are going to be exercising some attack simulations.
In some cases, they are also making the request to exercise a very particular thing or run certain techniques. So that provides us the opportunity to run our attack simulation and immediately get
feedback from the blue side and also share the details of what we're doing.
So when we do that in collaboration and we go back and forth, we're giving the blue team
that opportunity to build that muscle stronger.
Ivan, any additional insights there from your point of view?
Yeah, Justin basically hit the nail on the head.
It's basically, the way I like to describe it is we use Red Team as like a practice squad
for real-time adversaries.
So it's extremely valuable to have a team internally that's able to emulate the real-life
threat before we actually have to experience some kind of interaction with that real-time
threat so we're more prepared and are able to respond and detect more effectively.
Well, Ivan, tell me how do your teams at Adobe collaborate day to day?
Is this more like an ongoing partnership or is this a series of planned engagements?
Yeah, definitely. So it's a continual partnership.
It's actually both of those, really. So Red Team has kind of a, Justin can go into more detail on this, so they have a continuous
set of engagements that they go through, and as they go through those engagements, they collaborate with our team on the blue side to ensure that
we're tracking what they're doing, how effective our detection is, how effective our responses are, measuring a bunch of different things that we're doing on our end. And at the same time, we're taking their emulation
and basically adjusting how we're doing our operations
to improve them, using those operations as basically,
like I was saying, like the practice to the real thing.
So it's a continuous thing.
We have regular meetings and collaborations
that we work with together to make sure
that we're all on the same page
and we're tracking what each other's team is doing.
Justin, can you add to that?
Yeah, so the comparison that he said about the practice squad is actually a truly good comparison because
similar to in sports where there's a practice squad,
they are trying to run through all of their plays and ensure that there's lessons that they learn not on game day,
but when they're in practice, right?
So if they're able to strengthen up the plays,
learn where there's weaknesses,
and determine how they can effectively execute the play
and reach the objective that they want,
that when there is actually a real game day
or in cybersecurity, when there's an actual incident,
they're not spending that time,
that extra time learning those lessons.
They are just executing effectively and reaching their goal
and then getting that touchdown or home run or whatever it is they're trying to achieve.
Yeah, that's practice like you play, right?
Practice like you play, yes, definitely a great quote. I'm going to hold on to that one.
Okay, so Justin, can you walk us through an example, like a real-world purple team scenario
at Adobe that helped you all improve your security posture?
Yeah, I'll give you a specific example.
So sometimes we will choose some particular asset
that we find valuable and that we would like to protect.
And we will determine if we can make some kind of attack path
towards reaching that asset.
So what we'll do is we'll go and we'll plan out an attack path
and we'll have
conversations with the blue team ahead of time to determine, like, if there's any particular things that we want to test, and
they will also, you know, give us sometimes some parameters and limited
feedback to help us go execute that. Then we'll go execute
our attack path and walk step by step through
an attack path that would normally be pulled off by a real attacker.
So we're using attack techniques
that are used by real attackers,
and those are being tracked in the wild,
and also those are being tracked by threat intel.
And then we'll go forth and we'll execute that.
So once we complete that or step by step,
depending on how we wanna do it,
we end up learning a lot about where we can, you know, harden
things in the steps so that, you know, it makes it more difficult to reach that asset
and where detections need to be added so that we can get as early of an alarm as possible
if an actual adversary is attempting to do that same attack chain.
And Ivan, what does that look like from your team's point of view?
Yeah, so from our team's point of view, kind of the flip side of that coin is we're looking for any detections that fire during the red team's operation,
or at least the SOC slash operations team is looking for that behavior.
And as we identify that behavior, we're doing the deconflictions to ensure that red team is being captured.
What did we miss as they performed their operations?
And we're taking notes from the detection engineering side
along this whole path to ensure that we are basically
doing the lessons learned following that operation
to better detect those attack chains like Justin mentioned
in the future.
So there's a lot that goes into it when we actually
break it down, because they submit a lot of requests into our queue to
basically improve detections and things on the blue side, and the operations last, you know, sometimes
months and on, and so that entire time we're working together and making sure that we can improve our detection capabilities and response capabilities.
What kinds of tools or platforms or
environments do you all use to simulate these threats and
test out the defenses?
Yeah, so for us, we have a completely custom tool chain.
So we have custom exploits that we build.
Obviously, we spend a lot of time researching Adobe products.
And then also we have a command and control framework that we've built from the ground
up so that we can execute safely and ethically within the environment and be able to do
the exercises that are going to emulate and simulate the attackers to the best
of our ability. We also have post exploitation modules that are developed
from the ground up and having all three of those things and additional tools is
what makes us have a completely custom attack tool chain.
You know, red and blue teams don't always see eye to eye.
Um, has there ever been any tension that you all have had to, to deal with when, when goals or priorities conflict?
How do you come at that, you know, as, as leaders yourselves, uh, to make sure,
you know, everybody gets to the same end goal?
Yeah, I could touch on that a little bit. There's definitely conflicting priorities sometimes,
and that's kind of the maturation process that we go through as we're developing both sides,
the red and blue side teams. So when we started, there was a lot of, you know, what do we work on
first? There's so much coming in because the red team was spinning things up all the time. And
obviously, there's lots of stuff that we can constantly improve on.
So as we mature, we're kind of identifying and creating
a model that we use to identify which things that we should
prioritize first based on a set of parameters
that we've developed over time within our team.
And I think Red Team also has a similar thing,
and Justin is going to speak to that,
where they've kind of developed a model to identify what things we should prioritize
to emulate within Adobe's environment.
Yeah, Justin?
Yeah, really, I like to call it more of like a friendly
competition in some senses. But for the most part, we are doing
work to collaborate with the Blue Team. I like to say
sometimes like we work for the Blue Team because we are like
their gym partner. We're spotting them when they're lifting weights and getting their muscles strong in the defense and response capabilities.
So it creates an opportunity for us to really spend most of our time strengthening them,
and then the rest of our time, you know, testing to make sure that the things that we implemented
are actually working effectively. We'll be right back.
For folks who might be setting up their own Purple Team, are there any early lessons or
maybe even mistakes that you all made when you were setting up your Purple Team engagements
at Adobe and any words of wisdom to share for folks who might be not as far along the
journey as you all are, Justin?
Yeah, I think communication is probably one of the key things that I
learned as a leader in these past couple of years. You need to make sure that
you're sharing information all the way down to things that are as simple as
using the same terminology. So we have shared chat channels and shared email
distribution lists and stuff like that to make sure that we can, you know,
communicate clearly and interact with each other.
So a lot of that stuff when it comes to that space is really important because if you're
not speaking the same language and you're not using the same terminology, then there
could be miscommunications.
If they are just starting out in the Purple Team space, obviously they're going to want
to have an effective Red Team.
There's industry standards for that, such as a red team maturity model that can help you start understanding
how to build from square one and have some low level attack
simulation exercises.
And then you step it up little by little.
On the blue side, it definitely varies.
I'll let Ivan speak more to that.
But the capabilities of the blue team, obviously,
are most likely being built up prior to a red team
in most situations.
Yeah, Ivan?
Yeah, so Justin made a great point about the communication side of things.
That's something that we've definitely improved over the years.
Like Justin mentioned, lots of channels, not lots of channels,
but specific channels that we use to keep each other up to date,
make sure everything critical is communicated,
and feedback is shared, I think, is critical.
Alongside of that, a big part of the communication is regular readouts.
So that's something that we've enjoyed from the blue team side is having a readout following
an operation where we can basically digest and have an opportunity to ask questions and
provide feedback to the red team instead of them submitting something to our ticket queue
for another detection and us having to interpret that ourselves.
So something like that, I think, has been super helpful.
The other thing I think that's been super helpful for
the blue side as we're spinning this up is adding
some way to prioritize the red team tickets and show how we
have tangible value that we've
generated as a result of their operations.
So in the beginning, it was a little bit overwhelming.
There was a lot of stuff happening
and a ton of opportunity, but we just
weren't sure what to hit first.
And we weren't sure how to provide that,
show the value that we've been generating to leadership.
So one thing that we've started doing
is marking red team deliverables to our queue
as kind of more of a critical priority,
because it's something that's been basically
emulated and demonstrated as something that's feasible
for an attacker to perform within our environment.
So we can basically stage that in a way
where we can assign a critical priority to that content
that needs to be developed for the blue team
and then essentially be able to deliver that content
in a more shorter period of time
as well as provide that value
of what we're doing to leadership.
Justin, that really leads me to my next question,
which is how do you measure success in purple teaming?
Are there qualitative indicators
or quantitative indicators that signal effective progress?
Yeah, definitely.
So that's something I was actually
going to pivot off what Ivan was saying.
But setting clear and achievable goals in the very beginning
is important.
So once you have your red team established,
once you have your purple team established,
you're going to want to determine what is actually
important to the business and what you plan to test.
And usually, you're going to want
to get some sort of agreement that if we execute
this exercise and we have this outcome, that will be something meaningful to the business.
Example, they may take into consideration
if the red team goes out and scans the external attack
surface, which are the publicly available servers and machines,
is there some way for them to gain an initial foothold
into that environment?
And if we discover that and are able to patch
those critical vulnerabilities, us as technical people and also leadership will consider that very valuable. So that's like a
specific example of that. But when you set those clear goals, like I said, you can operate while
also knowing that you're going to deliver value back to the business.
You mentioned sort of a friendly competitiveness between the two teams. How do you ensure that that competitiveness
doesn't inadvertently become adversarial?
That there isn't just a low level resentment
that the two of you are pushing
and pulling against each other.
I think the way that we achieve that
is we all have the same goal.
The goal is to secure Adobe.
And when we think about it that way,
and we really try to put aside any minor slight
miscommunications that could potentially happen
and really think about that outcome,
it really helps us avoid that and know that even if we hit
bumps in the road or even if we have minor disagreements,
that in the end, we are going to wind up
with a more secure Adobe.
Ivan, any thoughts there?
Yeah, and I think I could speak for a lot of blue teams in general,
where, you know, we've all experienced like pen tests or some kind of emulations
where it's made our job a little bit more difficult. Right.
But the way that we kind of look at it at Adobe is like Justin said,
we're all on the same team.
And not only is Red Team making our jobs easier, because we can more easily identify the actual adversaries once they perform their
emulations, but it's also providing us a ton of collaboration opportunity where we can
display how are we extending our efforts across different teams and organizations and breaking
down silos at Adobe.
That's a really interesting insight. Yeah, I'm curious for companies who are new to purple teaming.
What's your advice on how they should begin? What are some
foundational practices or approaches that you all have found to be valuable in your own journeys? Let me start with you Ivan.
Yeah, so as far as what I've experienced in the past with working with adversary emulation
and pen testing teams is, I think something that we've improved upon the traditional framework
of that at Adobe is, I think some things that we've already kind of mentioned is having
that collaborative spirit between the red and blue teams, I think is essential and not
looking at other teams as kind of like an adversary, but more of like a practice
squad.
You're both on the same team.
This is just a separate part of the team,
and it's helping you practice against the actual adversary.
So I think it's a kind of a mindset shift at the core
that you have to instill within your new team organization.
But once you kind of start collaborating with the red team
and understanding that their goal is the same as yours, which is protecting the organization, you kind of develop that rapport.
And eventually, it's really natural to collaborate with red as well as any other blue teams.
Yeah, you're all making each other stronger.
Exactly.
Yeah. Justin, your thoughts there?
Yeah, if somebody is just starting a purple team program,
obviously you're gonna want to have your blue team already strongly established, depending on the size of that.
It can be, you know, limited size, all the way down to a small or medium company,
but obviously at a large scale you're probably gonna have one already implemented.
I have seen examples of red teams starting with one to two people. It's not ideal,
but you can start to do some attack simulation and some attack emulation at that level and begin
to get a little bit of signal back that you can measure. So like back to your previous question
about is there a way to measure this? Yeah, I definitely think there is. I am developing some
red team metrics that I consider to be simple and effective in communicating to the business. And they can also be introduced very early on
so that you can get a bit of a clear measurement
of how effective your exercises are
and what business outcomes you're having.
You know, the threats are always evolving
and you know, dare I mention AI.
As these threats grow and change,
how do you see purple teaming changing over the next few years?
Yeah, it's definitely an interesting capability that has been introduced to red teams.
And obviously, if it's been introduced to red teams, it's been introduced to real adversaries.
And that is the use of AI. I have a term that I say, which is like accelerated attack chain,
where you take information in very rapidly from inside the business to push an attack chain forward,
because that's not the particular section of it
that you're most interested in.
So you're just going to push that part forward.
With AI, every step can be accelerated.
So what took a long time before is now becoming a lot shorter
of a process.
Example, I recently read an article
about how somebody was able to develop a full proof of concept exploit
before any exploit came out,
before any details about the bug came out,
and they were able to do it rapidly in like under four hours.
So it's definitely gonna change the landscape.
So if one word could describe that, it's speed.
The attackers are gonna get much faster,
and that means that the response capabilities
are gonna have to get faster
and most likely leverage AI themselves.
What's your outlook, Ivan?
Yeah, I think, just to piggyback off Justin's answer, the best way I could describe it is it's a force multiplier.
So as we're trying to adapt to attackers using these newer tools and capabilities,
it's kind of a parallel approach.
So not only are attackers improving their capabilities
and they're becoming faster and more effective at executing
on their objectives, the blue team has to match that, right?
So we have to be as aggressive as possible to match those
capabilities on our end, too.
So I think in the future, you're going to see, especially
detection engineering, which is a relatively new discipline,
a lot of our maturation models are going to be matching,
implementing these AI capabilities to
force multiply what we're capable of doing.
Stepping up to a higher level,
I'm sure there are some folks in our audience
who look at the two of you and find inspiration that you
have these interesting positions at a very well-known
and high-level respected organization.
Any words of wisdom or tips to folks who are just coming up in the industry and see the
kinds of things that you all are doing as inspirational or perhaps a future goal for
themselves?
Ivan?
Yeah.
I mean, personally, I just don't,
I don't think I'm doing anything special.
It's really just a matter of, you know,
find something you're interested in and go all in on it.
So I think curiosity is kind of your best friend.
So if you're, if something that you kind of dabble in,
whether you're working in a SOC,
if you're starting out in a security engineering,
interact with a few other disciplines
within your organization and see what they're up to.
And if something looks interesting,
spend some time investigating on it,
jump on a five minute call with them
and see what they're up to.
And I think having that interaction with external teams
kind of helps you develop more knowledge
with how overall as a security organization
you should function and what other disciplines
you should be implementing into your workflows.
How about you, Justin?
Yeah, I would say at this
point in cybersecurity, it's starting to mature and there's a lot of depth in each individual
piece of it. So I would say probably specialize at this point, really narrow in on what you're
trying to, what career you're trying to have.
And I always say, I said this in a previous
Adobe based blog post, but find the job
that looks exciting and interesting to you
and kind of reverse engineer the expectations
and responsibilities of that job
to determine what you should spend time on.
That leads into, I think hands-on
is one of the best approaches.
Really it's a very hands-on job.
So like you're not going to be able to get everything you need to do to perform the job
just by reading or just by collecting information. You're really going to need to spend that
time, like Ivan said, tinkering and playing around with the technology so you're comfortable
with it.
And that is a wrap on this edition of CyberWireX. A big thanks to Justin
Tiplitsky and Ivan Koshkin for taking us behind the scenes of Adobe's Purple
Teaming efforts. Their insights highlight the power of collaboration where
offensive creativity meets defensive depth to create smarter, faster, and more
resilient security strategies. If you're thinking about building or leveling up your own purple teaming program,
take a cue from Adobe.
Start with trust, align goals, and make learning a shared mission.
Thanks for listening.
Don't forget to follow, rate, and share if you found this episode helpful.
We'll catch up with you next time.
I'm Dave Bittner.
Thanks for listening.