The primary goal of PurpleLABS is to show and teach you how to generate offensive attack events and symptoms that you will then detect in the next phase using an Open Source SOC stack powered by Sigma rules (the open standard for describing log events) together with the other dedicated Open Source security solutions in use.

  • Detection as Code vs Adversary Simulations
    Use the unique “Detection as Code vs Adversary Simulations” approach and increase your level of knowledge across Red, Blue and Purple team scopes.
  • Attack events
    Generate APT-style offensive attack events and detect them using an Open Source SOC stack powered by Sigma rules, a generic signature format for SIEM systems.
  • Flip mode
    Learn detection through the attack in an attractive, standardized format driven by the Open Source security community.
  • Visibility and accounting
    Improve the detection capability of your SOC teams and achieve better visibility, accounting, and resistance to attacks.
  • Open Source for detection and hunting
    Find out how to use the best Open Source projects for your Security Operations Center by working on a real network with Wazuh, Graylog, HELK, ElastAlert, Falco, OSQuery, Velociraptor, Zeek, Suricata, TheHive, and MISP.

Key Features

Virtual infrastructure

Dedicated virtual infrastructure for conducting detection and analysis of modern adversaries' tactics, techniques, and procedures.

Analytical interfaces

Analytical interfaces for all important host, network and application data sources useful during DFIR activities.

Learning abilities

Allows for learning about current trends of offensive actions (red-teaming) vs detection points (blue-teaming).

Hunting friendly

Provides an alternative approach to dealing with cyber-attacks by proactively searching across security data in a standardized way.

Hunting Components

HELK

Hunting ELK (HELK) is an open source hunting platform with advanced data shipping, parsing, transforming and analytics capabilities.

Splunk

Splunk is software for searching, monitoring, and analyzing data. It captures, indexes, and correlates real-time data and can generate graphs, reports, alerts, dashboards, and visualizations.

Moloch FPC

Moloch is a large-scale indexed packet capture and search system. It stores and indexes network traffic in PCAP format, providing fast access to the data through Elasticsearch (ES).

ElastiFlow

ElastiFlow provides network flow data collection and visualization using the Elastic Stack. It supports NetFlow v5/v9, sFlow and IPFIX flow types.

Wazuh HIDS

Wazuh is an Open Source HIDS security platform. It helps you gain deeper security visibility into your infrastructure by monitoring hosts at the operating system and application level.

Graylog

Graylog is a free and open source log management platform that allows for collecting, indexing, and analyzing both structured and unstructured data from almost any source.

Kolide Fleet

Kolide Fleet is a flexible control server for OSQuery fleets that allows for effective management of multi-node OSQuery infrastructure.

Velociraptor DFIR

Velociraptor is a tool for collecting host-based state information using Velocidex Query Language (VQL) queries. It is a unique, advanced open-source endpoint monitoring, digital forensics and cyber response platform.

MISP & TheHive

MISP is a solution for collecting, storing, distributing and sharing cyber security indicators and threat information from incident analysis. TheHive is a security incident response platform designed to make life easier for SOCs, CSIRTs and CERTs dealing with security incidents.

Our Customers & Recommendations

Contact Us

If you have any questions, please use the form below: