Session Description (Abstract)
Purple testing is powerful.
It helps us validate detections, simulate attacker behavior, and expose where our defenses break. It gives us truth about our controls.
But there’s a problem.
Most teams stop at validation.
We test.
We validate.
We generate findings.
And then… we move on.
The same gaps show up again later—not because we didn’t find them, but because we didn’t ensure they were actually fixed. Over time, this creates what I call “validation theater”—a cycle where teams continuously prove weaknesses without reducing real exposure.
From an attacker’s perspective, that’s not a weakness.
It’s reliability.
This talk focuses on closing that gap.
Drawing from 12 years of incident response experience and 6 years running continuous validation programs, I’ll show how to move from “we tested it” to “we fixed it—and proved it stays fixed.”
We’ll break down where purple testing delivers value—and where it falls short—and introduce Continuous Threat Exposure Management (CTEM) as the missing operational layer that connects validation to ownership, prioritization, and remediation.
Attendees will learn how to operationalize a practical CTEM loop:
Scoping → Discovery → Prioritization → Validation → Mobilization
And more importantly, how to:
- Assign clear ownership across teams
- Prioritize remediation based on real risk
- Build a repeatable process for closing gaps
- Measure whether exposure is actually decreasing over time
This session is designed for blue team practitioners, detection engineers, and security leaders who want a practical, actionable approach to improving security effectiveness.
Because testing is not protection.
Detection is not protection.
Closure is.
It’s about building a repeatable system that ensures what you find… actually gets fixed.
Because if the same gaps keep coming back—so will attackers.
