Date: September 26, 2025 (GMT +8)

Time: 15:55

Remember when we thought putting red & blue teams in the same room was revolutionary? Yeah...about that. After spending quite sometime in the trenches implementing purple teams across various sectors, I've collected enough failures and unexpected wins to piece together what actually works. Trust me - it wasn't pretty at first, but those hard lessons led to something valuable. My talk ""50 Shades of Purple"" gets right to the heart of the matter. I'll break down why most ""purple team"" exercises fail to deliver real value (hint: it's not the tools), then walk through the 4-phase methodology I developed through painful trial & error - and more importantly, how we transformed that initial framework into a continuous, integrated process that actually keeps pace with today's threats. We'll explore:

- How we evolved from one-off exercises to a continuous validation ecosystem
- The emergence of ""Continuous Purple Teaming"" as a game-changer
- The good/bad/ugly of manual vs automated testing (& when each makes sense)
- Measuring stuff that executives actually care about
- The path toward Adversarial Exposure Validation (AEV) - Gartner's term for the next evolution in security validation that's transforming how we approach defense

Whether you're struggling with your first purple team exercise or trying to convince leadership why your existing program needs more investment, this talk delivers concrete next steps. No silver bullets or vendor pitches - just honest lessons from someone who's screwed this up enough times to finally get it right.

(P.S. Yes, I know the title is a terrible pun. No, I'm not sorry.)

Speaker

Pengfei BigZaddy Yu
Pengfei is the APJ & SAARC Solutions Architect at Picus Security. Previously, he worked as a Cybersecurity Engineer in GovTech's GCSOC team, where he led the implementation of continuous purple teaming across the Whole-of-Government. Before this role, he served on GovTech's red team, mainly dabbling in VAPT and Adversary Simulation. Pengfei is certified with OSCP, eMAPT, Crest CRT, CCSK V4, etc. He has conducted research on emerging cybersecurity technologies and presented his findings at renowned conferences like Black Hat USA & Asia, DEFCON, SINCON, ROOTCON, etc.

« Back