Macksofy Technologies
Red + Blue · MITRE ATT&CK · Detection Validation

Purple Team Exercises

Collaborative red + blue team exercises that validate your detection and response capability against real adversary TTPs — running side-by-side with your SOC analysts so every missed alert becomes a tuned rule before the engagement closes.

Engagement at a glance
  • Quote SLA: 48 hours
  • Typical engagement: 5–15 working days
  • Retest: Free within 30 days
  • Reporting format: CERT-In + ISO + SOC 2 ready
  • Team: 100% in-house · OSCP / OSWE / OSEP

What this actually looks like

A Purple Team engagement, in plain language.

Most red team reports tell you what got missed. A purple team engagement makes sure it stops getting missed. Macksofy red operators execute a MITRE ATT&CK-aligned playbook in agreed phases — initial access, persistence, lateral movement, exfiltration — with your SOC watching live. When a technique slips past detection, we pause, write the rule together, replay, and confirm the alert fires. The output is a tuned SIEM, a measurably hardened MITRE coverage map, and SOC analysts who have seen the attacker's actual tradecraft.

Business impact
  • Convert red team findings into shipped detection rules — not next-quarter remediation tickets
  • Measurable MITRE ATT&CK coverage improvement (baseline → target) with evidence
  • Train Tier-1 and Tier-2 SOC analysts on real adversary tradecraft, not vendor demos
  • Build the executive evidence pack: '92 ATT&CK techniques tested, 78 detected, 14 hardened'
Methodology

Phased delivery — every step documented.

1 · Pre-engagement

  • Threat-model intake: industry-relevant APTs and ransomware families
  • MITRE ATT&CK baseline assessment of current detection coverage
  • Joint engagement charter signed by red + blue + IT leads
Tooling

Industry-standard + custom.

We use the same tooling top BFSI red teams operate — combined with Macksofy in-house extensions and proprietary scripts where commercial tools fall short.

Tools we operate
  • MITRE Caldera
  • Atomic Red Team
  • Prelude Operator
  • Cobalt Strike (RoE-permitting)
  • Covenant + Sliver
  • BloodHound
  • Custom EDR-evasion tooling
  • Sigma · Splunk SPL · KQL · Wazuh rule editor

Industries served

Sectors we operate in

  • Banking & Financial Services
  • Fintech & Payments
  • Insurance & InsurTech
  • SaaS & Product Companies
  • Government & PSU
  • Healthcare & HealthTech
  • Telecom

Deliverables

What you get

  • MITRE ATT&CK coverage heatmap (before / after)
  • Per-technique evidence pack (red PoC + blue detection rule shipped)
  • Tuned Sigma / Splunk / Sentinel / Wazuh rule set
  • Detection engineering runbook + future-cadence recommendation
  • Free 30-day retest of the hardened rule set
  • Executive coverage delta report
Case studies

Anonymized engagement snapshots.

Listed Bank (Mumbai BKC)

Scope · 5-day on-site purple team across AD + endpoint + email gateway

Finding: Lifted ATT&CK coverage from 47% to 71% across 18 techniques; shipped 14 new SIEM rules during the engagement

Material — passed RBI System Audit detection-control test in the same quarter

Risk severity · High
Fintech Lending Platform (Bengaluru)

Scope · Phishing → lateral → exfil scenario with managed SOC live in the loop

Finding: Discovered that EDR detected the technique but the alert never reached the SOC queue (broken connector) — fixed mid-engagement

Critical — silent detection-pipeline failure that would have hidden a real ransomware precursor

Risk severity · Critical
Indicative pricing · INR

Transparent tiers. No surprises at quote time.

Indicative price ranges based on typical Indian engagements. Final fixed-price quote within 72 hours of the discovery call.

Free 30-day retest · CERT-In format reports
Tier 01

Focused

₹2.5L–₹5L
Single asset or app
  • Manual + tooled testing
  • CERT-In format report
  • Free 30-day retest
Tier 02

Stack

₹6L–₹12L
Multi-asset engagement
  • Everything in Focused
  • Web + API + mobile coverage
  • Executive + technical briefings
Tier 03

Programme

Starts at ₹15L
Quarterly retainer · large estate
  • Everything in Stack
  • Quarterly cycles + post-release retests
  • Same consultants throughout

Note · Indicative pricing in INR. Final quote depends on scope, asset count and engagement window. Fixed-price proposal within 72 hours.

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

  • CERT-In Empanelled · Govt of India · MeitY
  • EC-Council ATC · Authorized Training
  • ISO 27001 Certified · Info Security Mgmt

"We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade."
Aisha Khan, Information Security Manager · Listed Fintech · BKC, Mumbai

"The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities."
Inspector K. Joshi, Cyber Cell · Maharashtra Police · Mumbai

"Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt."
Vivek Iyer, DevSecOps Lead · Healthcare SaaS · Hyderabad

FAQ

Things people ask before signing.

A red team runs covert and reports at the end. A purple team runs collaboratively — red executes a technique, blue tries to detect, we pause and tune together, then replay. The deliverable is shipped detection rules + a hardened MITRE map, not just a list of what got missed.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements