Job Title: AVP - Purple Team Lead

Company: Mashreq

Location: Bangalore, Karnataka

Created: 2026-04-15

Job Type: Full Time


Job Description

The AVP - Purple Team Lead owns and leads the enterprise Purple Team program, delivering continuous MITRE ATT&CK-aligned purple teaming with hands-on experience in cloud-native SOAR design, deployment, and operations. The role bridges Red Team (offensive) and Blue Team (defensive) capabilities to continuously validate detection, response, and cyber resilience within the Cyber Defense Center. It ensures real-world adversary simulations translate into measurable improvements in security visibility, detection engineering, and incident response effectiveness. The position drives collaboration across SOC, threat intelligence, and security engineering teams to identify and close detection gaps. Through structured exercises, metrics, and reporting, the role provides executive insight into defensive maturity, preparedness, and control effectiveness.

Key Result Areas

Purple Team Strategy, Governance, and Roadmap: Define and govern the enterprise Purple Team strategy and roadmap, ensuring alignment with cybersecurity objectives, regulatory expectations, and risk appetite, with strong reliance on cloud-based SOAR platforms to enable scalability and automation.

Continuous Adversary-Driven Purple Team Exercises: Plan and execute continuous purple team scenarios mapped to real-world threat actors and MITRE ATT&CK techniques. Validate defensive readiness across the full attack lifecycle relevant to the financial services threat landscape.

Cross-Functional Collaboration and Enablement: Drive collaboration between Red Team, Blue Team, SOC, Threat Intelligence, and Security Engineering teams, embedding cloud-native SOAR workflows into daily SOC operations for faster learning and response.

Detection Engineering and Defensive Maturity Improvement: Convert purple team findings into actionable improvements across cloud-native SIEM, SOAR, UEBA, and response workflows, enabling measurable reductions in detection gaps, MTTD, and MTTR.

Purple Team Playbooks, Standards, and Reusability: Own and maintain reusable purple team playbooks, scenarios, and operating standards. Ensure playbooks remain current, auditable, and aligned with evolving threats and technologies.

Metrics, Reporting, and Executive Visibility: Define and report meaningful purple team metrics to senior leadership. Provide risk-focused insights demonstrating defensive effectiveness, resilience, and return on security investment.

Key Principles

Adversary-Driven Defense: Anchor defensive capabilities in real-world attacker behavior by continuously validating security controls against MITRE ATT&CK-aligned tactics, techniques, and procedures, leveraging cloud-based SOAR platforms to orchestrate detection validation and response.

Continuous Improvement over Point-in-Time Testing: Promote continuous purple teaming as an operational discipline supported by cloud-native SOAR automation, enabling systematic identification, measurement, and remediation of detection and response gaps rather than isolated assessments.

Collaboration and Transparency: Foster effective collaboration between offensive and defensive teams by integrating cloud-based SOAR workflows into SOC operations, enabling shared learning, transparent findings, and collective accountability for security outcomes.

Measurable Cyber Resilience: Drive data-driven improvements using clear metrics such as detection coverage, MTTD, MTTR, and response effectiveness, supported by SOAR-driven automation and orchestration metrics to demonstrate defensive maturity and return on investment.

Risk-Focused Executive Communication: Translate technical and SOAR-enabled operational outcomes into business- and risk-relevant insights for senior leadership, supporting informed decisions on security posture, priorities, and investment strategy.

Operating Environment, Framework and Boundaries, Working Relationships

Information Security Regulations, Frameworks, and Best Practices: Operate in alignment with information security and cybersecurity regulations, industry best practices, and defensible frameworks, with hands-on application of primarily cloud-based SOAR solutions to ensure compliant, auditable, and automated detection and response processes.

Enterprise and Regulatory Stakeholders: Engage closely with Head Office (HO), Local CISOs, regulators, and supervisory bodies across the bank, providing assurance on defensive effectiveness supported by cloud-native SOAR automation, evidence, and metrics.

Cross-LOB and Lines of Defense Collaboration: Work across all business units and Lines of Defense (LOD 1-3), including LOD1 (Business, DPP, Technology), LOD2 (Group Compliance, Fraud Prevention, Risk Management), and LOD3 (Internal Audit), integrating cloud-based SOAR workflows to enable consistent response, traceability, and governance.

Problem Solving

Detection & Response Gap Identification: Identify systemic detection and response gaps through collaborative purple team attack simulations across people, process, and technology, with a strong focus on cloud-native SOAR-enabled detection and response workflows.

Root Cause Analysis: Perform structured root cause analysis to pinpoint failures in telemetry, analytics, workflows, or skills across cloud and hybrid environments, leveraging cloud-based SOAR telemetry, audit data, and execution logs to drive targeted remediation.

Detection & Automation Optimization: Improve detection logic, response processes, and automation across cloud-native SIEM, primarily cloud-based SOAR, and UEBA platforms, translating purple team findings into orchestrated, repeatable response actions.

Operational Efficiency Improvement: Reduce manual effort and response delays by enabling cloud-based SOAR automation, enrichment, and streamlined investigation workflows that accelerate triage and containment at scale.

Measurable Outcome Delivery: Drive continuous, measurable improvement in MTTD, MTTR, detection coverage, and response effectiveness, using SOAR-driven metrics and automation performance indicators to demonstrate operational maturity.

Decision Making Authority & Responsibility

Evaluation and Proof of Concept: Participate in evaluating and conducting PoCs for new security solutions and technologies.

Security Metrics Monitoring: Track and analyze key security metrics across IT platforms to ensure they align with security standards.

Security Architecture and Policy Development: Contribute to the development of Security Reference Architecture and assist in policy creation, including scope and control decisions.

Collaboration and Autonomy: Work with minimal supervision, collaborating with senior management and vendor personnel to achieve security objectives.

Knowledge, Skills, and Experience

Educational Background: Graduate/Postgraduate degree in Science, Engineering, or IT.

Certifications: Minimum of 2 professional certifications from CISSP, CISM, CRISC, CISA, or equivalent.

Experience:

Cyber Defense & Purple Team Experience: 15+ years of experience across Cyber Defense, SOC, Red Team, Blue Team, or Purple Team roles, operating in complex, enterprise-scale environments spanning both cloud and on-prem infrastructure.

Cloud & On-Prem SIEM / SOAR Expertise: Strong hands-on experience with cloud-native and hybrid SIEM and SOAR platforms (e.g., Microsoft Sentinel, cloud-based SOAR, and hybrid SOC architectures), including automation, orchestration, and case management across cloud workloads, identities, and traditional on-prem systems.

Detection Engineering, UEBA & Threat Intelligence: Proven expertise in detection engineering, UEBA, and threat intelligence integration to improve visibility, prioritize alerts, and enable adversary-focused purple team exercises across cloud and on-prem telemetry.

Adversary Emulation & Security Frameworks: Strong knowledge of MITRE ATT&CK, cyber kill chain methodologies, and adversary emulation techniques, with experience mapping real-world threat actors to detection and response coverage.

Leadership & Certifications: Strong leadership, facilitation, and executive communication skills. Relevant certifications such as CISSP, CISM, CRTO, and/or cloud security certifications (Azure, AWS, or equivalent).

- Expertise in DevSecOps practices and hands-on integration of security controls into CI/CD pipelines, enabling secure-by-design development and automated compliance checks.
- Strong expertise in container security processes including image scanning, runtime protection, Kubernetes hardening, and policy enforcement across hybrid deployments.
- Advanced ability to interpret and correlate cloud security ecosystem logs (Azure, AWS, GCP) with on-prem infrastructure telemetry to identify cross-environment threats in hybrid environments.

Skills:

- Proficiency in Cloud SOAR design and implementation.
- Ability to collaborate with various teams to enhance security awareness.
- Strong documentation and report writing skills.
- Knowledge of the banking environment is advantageous.