Security Operations: Three Functions, One Feedback Loop

flowchart TD
    TI["Threat Intelligence<br/>feeds all three functions"]:::tiNode
    Off["OFFENSIVE<br/>Penetration Testing · Red Team<br/>Bug Bounty · Capture the Flag<br/>Threat Modeling"]:::offNode
    Def["DEFENSIVE<br/>Blue Team · SOC Monitoring<br/>Threat Hunting · Vuln Management<br/>Detection Engineering"]:::defNode
    Resp["RESPONSE<br/>Incident Response · PICERL<br/>Forensics · Malware Analysis<br/>Lessons Learned"]:::respNode
    Purple["PURPLE TEAM<br/>integrative practice"]:::purpleNode
    TI -.->|intel| Off
    TI -.->|intel| Def
    TI -.->|intel| Resp
    Off -->|Findings improve detections| Def
    Def -->|Alerts trigger investigations| Resp
    Resp -->|Lessons drive next exercise| Off
    Off --- Purple
    Def --- Purple
    Resp --- Purple
    classDef tiNode fill:#fff8e1,stroke:#ffa000,stroke-width:2px,color:#5d4037,font-size:14px
    classDef offNode fill:#1565c0,stroke:#0d47a1,stroke-width:2px,color:#fff,font-size:14px
    classDef defNode fill:#455a64,stroke:#263238,stroke-width:2px,color:#fff,font-size:14px
    classDef respNode fill:#ffa000,stroke:#e65100,stroke-width:2px,color:#212529,font-size:14px
    classDef purpleNode fill:#6a1b9a,stroke:#4a148c,stroke-width:2px,color:#fff,font-size:14px
    linkStyle default stroke:#90a4ae,stroke-width:2px,font-size:13px

Color Key
Offensive (find weaknesses)
Defensive (detect & resist)
Response (contain & learn)
Purple Team (integrate)
Threat Intel (feeds all)

Notice the three functions form a continuous loop, fed by threat intelligence.
Offense, defense, and response are not three separate teams — they are one feedback loop. Purple Team makes the loop turn faster.