EU1.0
TIBER-EU Purple Teaming Guidance
Abstract
Guidance issued under the TIBER-EU framework describing requirements, roles, processes, and best practices for conducting purple teaming activities during threat-led penetration testing, including limited purple teaming during testing phases and structured exercises in closure phases to maximise learning outcomes, improve detection and response capabilities, and support remediation planning.
Key Takeaways
- Defines purple teaming as a collaborative activity between red and blue teams to improve detection, response, and remediation within TIBER-EU tests.
- Distinguishes between limited purple teaming during active testing and structured purple teaming exercises in the closure phase.
- Specifies requirements, roles, and responsibilities of stakeholders including the control team, test manager, threat intelligence provider, red team testers, and blue team.
- Provides operational guidance on planning, communication, risk controls, and documentation of purple teaming activities.
- Describes multiple types of purple teaming approaches such as catch-and-release, collaborative proof-of-concept, war games, tabletop discussions, and technical re-exploration of scenarios.
Keywords
TIBER-EU, purple teaming, threat-led penetration testing, TLPT, red team, blue team, operational resilience, ECB guidance, cyber resilience