Alfie Champion (@ajpc500)
712 posts
Founder at @delivr_to | Author of Practical Purple Teaming | Detection & Emulation at @github | Tweets my own
London, England. Joined November 2010
537 Following, 2.6K Followers

Pinned Tweet
Alfie Champion (@ajpc500)
With a process that began two and a half years ago, I'm very excited to announce that I've written a book with @nostarch! 🎉 "Practical Purple Teaming" tells you all you need to know to get started with collaborative offensive testing. nostarch.com/purple-teaming
Alfie Champion retweeted
Samir (@SBousseaden)
New blog post - prioritizing alerts triage with higher-order detection rules elastic.co/security-labs/…
Alfie Champion retweeted
Patrick Wardle (@patrickwardle)
Apple (copied BlockBlock 👀) and added ClickFix protections… but kept the good stuff private 😤 Reversed xprotectd to see how it really works and emerged with enough detail to build your own (kinda)! Read: No Paste for You! objective-see.org/blog/blog_0x87…
Alfie Champion retweeted
Luke Roberts (@rookuu_)
Playing with Apple’s latest ESF events took a little bit more work this time around! I’ve written up a post on exploring the new undocumented socket bind events or ES_EVENT_TYPE_RESERVED_3 and _4. phorion.io/blog/reverse-e…
Alfie Champion retweeted
Patrick Wardle (@patrickwardle)
You can now build macOS firewalls/network tools via Endpoint Security - no Network Ext. needed! 🤯 Reversing macOS 24.6’s new ES_EVENT_TYPE_RESERVED_* ES events shows some are network auth/notify hooks Read: “Building a Firewall…via Endpoint Security!?” objective-see.org/blog/blog_0x86…
Alfie Champion retweeted
Kostas (@Kostastsale)
📢🍏 macOS is now part of the EDR Telemetry Project. After three months of focused work, we’re excited to share a new framework and generator for endpoint visibility on macOS! Huge thank you to everyone who contributed and helped shape this release. Looking forward to what comes next. Read more: edr-telemetry.com/blog/macOS-EDR…
Alfie Champion retweeted
delivr.to (@delivr_to)
Less copy-paste; more drag-and-drop. In our latest blog, we explore a new variation of ClickFix that makes achieving malicious command execution more streamlined than ever. blog.delivr.to/dragfix-and-yo…
Alfie Champion retweeted
Nick Frichette (@Frichette_n)
New on Hacking the Cloud: @AI_red_team documents a new method for extracting IAM creds from an AWS Console session. Useful for post-exploitation and evasion tradecraft. I've been meaning to cover this for years. Glad it’s finally live: hackingthe.cloud/aws/post_explo…
Alfie Champion retweeted
SpecterOps (@SpecterOps)
New from @KingOfTheNOPs + @senderend: azureBlob, a Mythic C2 profile that uses Azure Blob Storage as transport. Supported Agents: 🐍 Medusa 🪽 Pegasus (new test agent) ❤️ Your fav agent (with simple integration guide) ghst.ly/3NM0LOR 🧵: 1/2
Alfie Champion retweeted
Panos Gkatziroulis 🦄 (@ipurple)
New books arrived today for my library! 🔥🔥🔥 @ajpc500
Alfie Champion retweeted
Yuval Avrahami (@yuvalavra)
We hacked the AWS JavaScript SDK, a core library powering the entire @AWScloud ecosystem - including the AWS Console itself 🤯 How did we do it? Just two missing characters was all it took. This is the story of #CodeBreach 🧵👇
Alfie Champion retweeted
Phorion (@PhorionTech)
Phorion Threat Report: a backdoored Cursor extension was used to deploy the Paradox Stealer infostealer into macOS developer workflows. The post breaks down the full infection chain, detection opportunities and why IDE extensions have become a reliable point of initial access. phorion.io/blog/macos-par…
Alfie Champion (@ajpc500)
I got a sneak preview of this research and it’s a must-see for anyone attacking or defending macOS environments! 🍎🍪
Quoting Phorion (@PhorionTech):
Our very own @_calumhall will be speaking at KawaiiCon (prev. KiwiCon!) today talking about Phorion's innovation in ransomware defence and recovery, where he will be discussing the technical inner workings and some cool tricks to build a comprehensive anti-ransomware solution. Rumour has it that he may have discovered a (related!) neat bypass for cookie theft protections too. 👀 Tune in to the live stream, Friday 7th November, 11:45am (NZDT), or convert to your local time. (hint: It's Thursday afternoon/evening for US/EU! 🚀 ) twitch.tv/kawaiiconnz
Alfie Champion retweeted
SpecterOps (@SpecterOps)
Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm
Alfie Champion retweeted
Rami McCarthy (@ramimacisabird)
Finally disclosing the critical supply chain attack I've spent the last 6 months preventing: 🧵
Jacob Krell (@hackerfren)
I just finished reading my signed early edition of Practical Purple Teaming: The Art of Collaborative Defense by @ajpc500 (Alfie Champion), and it was an excellent read. The book serves as a complete survey of the tactics, tools, and procedures involved in purple teaming. It introduces each concept clearly, then demonstrates it through practical, realistic examples. What stood out most is how balanced it is between the offensive and defensive perspectives. It covers detection strategies using tools like Splunk while also showing how to operate offensive C2 frameworks such as Mythic, exploring how both sides think and interact in a collaborative defense process. The book lays out the entire workflow for running a purple team exercise from scoping and execution to reporting. I appreciated that for each objective, multiple tools are introduced, including MITRE Caldera, Atomic Red Team, and VECTR and ticketing systems. This flexibility mirrors how real-world teams operate and reinforces that there is no single way to conduct a purple team engagement.

The author’s experience shows throughout the book, blending technical knowledge with practical insights. Beyond frameworks like the Pyramid of Pain, Champion shares lessons on the human and organizational aspects of purple teaming, such as running workshops and demonstrating value to different stakeholders.

The layout follows the familiar No Starch Press structure, divided into three main parts with twelve manageable chapters. Part one, How Purple Teaming Works, introduces the fundamentals, frameworks, and testing methodologies. Chapter one provides a clear overview for readers new to the concept, while later chapters explain the MITRE ATT&CK model, the Pyramid of Pain, and two primary testing approaches: the atomic methodology and the scenario-based methodology.

Part two, Attack Emulation and the Detection Lab, is where the book truly shines. It walks the reader through building a Splunk Attack Range environment in AWS, collecting host-level telemetry like Windows Event Logs, and progressing into more advanced topics such as network traffic analysis, event tracing, and memory scanning with YARA and Sigma. Chapters eight through ten form the heart of the book, showing a short attack chain in a purple team context. “Living Off the Land with Atomic Red Team” demonstrates how to emulate LOLBIN techniques and initial access scenarios. “Active Directory Reconnaissance with MITRE Caldera” explores realistic AD enumeration and detection coverage. “Domain Compromise with Mythic” showcases how to perform realistic C2 operations, including techniques like DCSync and other domain compromise methods.

Part three, Organizing an Exercise, focuses on the operational and reporting side. It covers how to manage engagements using tools like JIRA for tracking and VECTR for structured reporting. The final chapter, “Implementing a Purple Teaming Function,” dives into the business and cultural aspects of running a purple team, from facilitating workshops to building relationships across teams. It is full of thoughtful, experience-based advice that goes beyond technical execution. The book concludes with an appendix of helpful reference tables, including high-value Windows event IDs and system logs, making it a useful companion during actual exercises.

Overall, Alfie Champion did a fantastic job with this book. It helped me mentally assemble my own purple team service offering and see exactly where I can bring unique value to clients. It also showed me which tools I plan to use next, particularly MITRE Caldera and VECTR, which seem ideal for delivering efficient, measurable results. Practical Purple Teaming was published by @nostarch Press in September 2025 and runs 352 pages. It is available directly from the publisher at nostarch.com/purple-teaming. You can purchase the Print Book and FREE Ebook for $59.99, or the Ebook (PDF, Mobi, and ePub) alone for $47.99. Go purple!
Alfie Champion (@ajpc500)
@hackerfren Appreciate the great review, and your kind words! I’m glad you found the book so useful! 🙇‍♂️