I work as a security engineer in a corporate Red Team position. What most people imagine is “people who hack systems in flashy ways,” but the reality of working inside a company is much more complex. Is a corporate Red Team truly able to operate as a Red Team? To be blunt, I don’t think so. Today, I’d like to share my thoughts on the relationship between Red, Blue, and Purple Teams, and the struggles that come with it.
Red, Blue, Purple
Red, Blue, and Purple are the most common categories used in cybersecurity. Teams that perform penetration testing or offensive operations are called Red Teams. Departments responsible for defense, like CERT or internal monitoring, are called Blue Teams. When these two collaborate closely, the result is the concept of a Purple Team. Some also expand this idea into Yellow, Green, or Orange Teams to define other security functions.
I belong to a Red Team, but within the boundaries of a company, it’s not easy to operate in a truly “Red” way.
Red Team in Company
The purpose of having a security team in a company is ultimately to strengthen security. Naturally, this tends to lean toward Blue objectives. Even when we use offensive techniques, the end result looks more Purple—or even closer to Indigo.
For example, even if we find a vulnerability, it doesn’t just end with “This can be exploited.” We have to write reports, suggest mitigations tailored to the service, and even discuss architectural adjustments. Before long, this work feels closer to that of a general security engineer rather than a pure Red Teamer. That’s why I think it’s difficult to maintain a truly pure Red Team in a corporate environment.
From Red to Indigo
Our skills may be Red, but the environment pushes us toward Purple, and eventually into Indigo. Red Team members—Offensive Security Engineers—are faced with this reality. If we simply adapt, we’ll gradually become more Blue, but it’s possible to maintain balance. On a personal level, that means consistently researching and studying to avoid losing touch with offensive skills. On an organizational or cultural level, it means creating opportunities to do more genuinely “Red” work.
Recently, due to various security incidents in Korea, Red Teams are receiving more recognition. Some companies are even creating positions dedicated to genuine Red Team functions. I see this as a positive sign.
Go Purple?
By default, security engineers within a company inevitably lean toward the Blue Team side. In that situation, aiming for Purple often feels like heading further into Indigo. That’s why I believe that "to truly become a Purple Teamer, you first need to go deeper into Red." A solid Red foundation is the only way to create a proper Purple balance.
After more than 10 years in this field, I feel that the offensive side of my work has gradually been shrinking each year. Of course, my ability to find vulnerabilities and my penetration skills have improved compared to before—but still, something feels lacking.
I have plenty to do until the end of the year (mostly development work, of course), but these thoughts will probably stay with me. There isn’t a simple answer, but for me, it comes down to one thing: never letting go of Red.
Red, Blue, Purple by Gemini