PurpleLabs in a nutshell from an end user's perspective

- By Leszek Miś

PurpleLABS is a dedicated Cyber Range Playground: a virtual infrastructure for detecting and analyzing attacker behavior in terms of the techniques, tactics, procedures, and offensive tools used. The environment has been created to support the constant improvement of competences in threat hunting and to keep up with current trends in offensive actions (red teaming) versus their direct detection (blue teaming).

PurpleLabs guarantees full visibility across many critical security data sources. By default, it is powered by a combination of adversary emulation hands-on exercises that include advanced enumeration, network exfiltration, post-exploitation, and lateral movement scenarios. You can use PurpleLABS as a custom, advanced R&D environment for your own network security research needs, or as part of an "Attack vs Detection" cyber security training range where you work through the labs we have carefully prepared for you.

A lot of people ask questions, so I thought I would prepare a short post that hopefully includes all the answers. Long story short, here is PurpleLabs in a nutshell from an end user's perspective:

  • It's a stable Cyber Range Playground available on demand, with no need to set up or deploy anything on the user's side. The environment has been scaled to a maximum of 20 active student_X users per 2 physical hosts (AMD Ryzen 9 3900 12-Core Processor, 128GB RAM each, SSD). This approach guarantees stability and accountability of the service. If necessary, the environment can be cloned or extended. Typically there are around 100-110 VMs running, so it's a perfect place for playing with and detecting lateral movement, pivoting, etc.
  • Every STUDENT_X gets private access to WIN10_X connected to AD2016, CentOS7 PRD_X, CentOS8 DEV_X, KALI_X and an external VPS_X.
  • Analytical components like HELK, Splunk, Moloch, OSquery, Graylog, MISP, Sandfly, Wazuh, theHive, Velociraptor, Jupyter, Elastiflow and others are shared between these 20 users per PurpleLabs installation.
  • You will need SSH and RDP clients, a web browser, and a WireGuard VPN client to get access to PurpleLabs. We focus on real hands-on experiences, so get ready for challenges.
  • You haven't used PurpleLabs for a couple of weeks? No problem, your systems are waiting for you exactly how you left them. With your data.
  • If you are looking for blue / purple certification and exam paths, go ahead and try different offers. Really, the cyber security training market has just blown up in 2021, so you have plenty to choose from. We could assist you with choosing the best available training option for you. One day you will get back to us.
  • Once again, our focus is a hands-on approach, with a firm "NO" to exams, certifications, quizzes, offline analysis, gamification, coins, etc. A pure learning experience built only on hands-on content is what we care about. In PurpleLabs everything is dynamic, so we will dynamically extend your knowledge in red, blue and purple colors. Not familiar with these colors? Read this great material: https://danielmiessler.com/study/red-blue-purple-teams/
  • There is an official PurpleLabs Slack channel. We use it during live training sessions, or just for R&D needs and fun.
  • We don't use any public cloud providers. We use Hetzner for ordering bare metal HW and we love it! As a result, the cost of maintaining one PurpleLabs user is significantly reduced while maintaining constant, stable access fueled by the library of hands-on, step-by-step lab scenarios.
  • Recently we have added some additional components like Sandfly Linux Intrusion Detection & Incident Response or Vectr. More official news is already waiting in the queue, but this is gonna be an awesome new scope!
  • Virtually every component of PurpleLabs corresponds to the real cyber security needs of modern companies. In addition to education services we are here to actively support your Security Operation Center development process. The list of available services is here: https://www.defensive-security.com/services
  • PurpleLabs LITE access will be added soon, guaranteeing access to the full set of PurpleLabs components, but without lab manuals / instructions. This will be a cheaper option designed for self-learners, ongoing research, or other trainers' needs.
  • Two books appeared in the last year that confirmed the correctness of the chosen PurpleLabs direction: "Practical Threat Intelligence and Data-Driven Threat Hunting" and "Adversarial Tradecraft in Cybersecurity". The combination of knowledge from these books + PurpleLabs hands-on = brain overflow, but it's so recommended! Trust me, you will learn a lot.
  • In 2021, over 200 people used the PurpleLabs platform actively. So few? No worries. Remember: small step approach. Always :) In most cases, the offer included weekly training sessions over Zoom with Slack support. I admit that I felt proud when we could discuss and practice the very fresh topics of that time during the live sessions, like HAFNIUM APT, PrintNightmare, the newest DFIR reports, or Tracee for Linux syscall filtering vs sudo exploitation, even before the tool made it onto the official DEF CON 2021 workshop agenda. These were the moments where I felt very happy saying to myself: "Yeah, keep pushing Leszek, this is a good path!"

Sounds interesting? Ping me.