Purple Teaming in Practice: How Three Police Forces Strengthened Defences
How CyberLab Executed Purple Teaming Attack Simulations with Bedfordshire, Cambridgeshire & Hertfordshire Police
UK policing operates inside one of the most hostile cyber threat environments in the country. Criminal groups, hostile states and politically motivated actors actively target law enforcement to disrupt operations, undermine investigations and erode public trust. For Bedfordshire, Cambridgeshire and Hertfordshire Police (BCH), the question wasn’t whether the right security controls were in place. They were. The question was how effectively those controls, and the teams behind them, would perform against a live, intelligence-led attack.
This success story explores how CyberLab partnered with BCH to deliver an intelligence-led purple teaming exercise, emulating the tactics of a criminal group active in the UK during 2025. The engagement gave BCH’s Security Operations Centre (SOC) and ICT teams an evidence-based view of how their detection and response capabilities perform against real-world adversary behaviour, and a clear, prioritised roadmap for sharpening them.
Why UK Policing Needs Intelligence-Led Purple Teaming
UK police forces sit at the intersection of three things that make them disproportionately attractive to cyber threat actors:
- They hold highly sensitive operational data, including intelligence systems, investigation files and personal information about victims, witnesses and officers.
- They underpin critical frontline services, where disruption has immediate, real-world consequences for communities.
- They operate complex digital estates that blend on-premises legacy systems with modern cloud services, federated identity and partner integrations across police forces and government agencies.
The NCSC has been clear that the threat to UK public sector organisations from both criminal and state-aligned actors continues to intensify. Ransomware groups now target law enforcement directly. Sophisticated phishing campaigns mimic legitimate operational systems. Initial access brokers actively trade credentials for public sector environments on criminal forums.
Against that backdrop, traditional testing models such as annual penetration tests, scope-limited vulnerability scans and tabletop walk-throughs provide assurance but not always insight. They tell you whether a control exists. They don’t tell you how effectively your people, processes and technology perform together when a real adversary is in your environment.
That is where purple teaming changes the picture.
What is Purple Teaming, and How Does it Differ from Red Teaming?
Purple teaming brings offensive and defensive security capabilities together in a single, collaborative exercise. Where a red team engagement tests whether an organisation can be compromised, a purple team exercise tests how effectively defenders detect, investigate and respond when an adversary is in motion.
The key difference is collaboration. In a red team engagement, the defenders are kept unaware of the exercise (only a small control group overseeing it knows) and learn about the activity after the fact. In a purple team, the offensive team works alongside the SOC, ICT and incident response teams in real time. Attacks are run, detections are tested, response actions are reviewed, and the team adapts and learns together throughout the exercise.
For mature security organisations, this collaborative model unlocks a different class of insight:
- Real-time detection validation. Every attack technique is paired with an immediate review of whether and how it was detected.
- Process and playbook testing. Escalation paths, ticketing flows and handoffs between SOC and ICT are stress-tested against live activity.
- Skills development. Defenders investigate genuine adversary behaviour, with the offensive team available to explain what is happening as it happens.
- Actionable, prioritised improvement. Gaps surface in a context teams can act on immediately, not weeks later in a report.

About Bedfordshire, Cambridgeshire and Hertfordshire Police
Bedfordshire, Cambridgeshire and Hertfordshire Police is a collaborative policing alliance serving communities across three counties. The constabularies share operational and corporate services, including a joint approach to information and communications technology, security operations and cyber resilience.
That collaborative model gives BCH scale and reach, but it also creates a complex shared digital estate. Sensitive operational data, intelligence systems and frontline policing services depend on the integrity of that estate every day. The leadership team understands that cyber security is not a back-office concern for UK policing. It is a foundation of public trust and operational resilience.
With established security controls already in place, BCH wanted to move beyond compliance-grade assurance. The team sought a clear, evidence-based view of how those controls, and the people and processes wrapped around them, would perform against the threats currently facing UK law enforcement.
The Business Challenge: Validating Detection and Response Against Real-World Threats
Before the engagement, BCH had a defined set of operational priorities that traditional testing was not fully addressing. The constabularies needed confidence that their existing security technologies, processes and teams could detect and respond to realistic cyber attacks aligned to current adversary behaviour, not generic test scenarios.
The specific challenges included:
- Validating detection and response capabilities against realistic attacker techniques drawn from current threat intelligence.
- Understanding how effectively indicators of compromise were identified, triaged and escalated through SOC workflows.
- Testing collaboration between SOC and ICT teams during live incident scenarios.
- Identifying gaps in incident response playbooks, escalation paths and operational workflows.
- Strengthening a shared understanding of cyber security responsibilities across operational teams.
Standard penetration testing would not deliver this. Neither would a tabletop exercise. BCH needed a live, intelligence-led engagement that placed real adversary behaviour in front of real defenders, in their real environment, and measured what happened.

The CyberLab Approach: Intelligence-Led Purple Teaming
CyberLab was engaged to design and deliver an intelligence-led purple team exercise spanning people, process and technology. Three principles shaped the approach.
Intelligence-Led Scenario Design
Attack scenarios were built around current threat intelligence aligned to a criminal group known to be active in the UK during 2025 and observed targeting public sector and law enforcement environments. The group’s known tactics, techniques and procedures (TTPs) were mapped against the MITRE ATT&CK framework and reflected directly in the exercise design.
This meant BCH was not being tested against generic offensive tradecraft. It was being tested against the behaviour of a specific, relevant adversary. That is the kind of testing that translates directly into operational improvement.
Collaborative, Real-Time Execution
The exercise was delivered alongside BCH’s SOC and ICT teams. Every attack action was paired with a real-time review of detection effectiveness, alert handling and response process. Where a control failed to detect, the team paused, investigated together, and identified the underlying cause. Where a control worked, the team validated whether the alert was reaching the right people, in the right way, with the right context.
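One concrete way to keep that technique-by-technique pairing honest, both for the real-time detection validation described earlier and for the "did the alert reach the right people" check above, is a scorecard that records what the offensive team ran and what the SOC actually saw. The Python below is an added illustration and is not CyberLab’s tooling or anything used in the BCH engagement. It assumes the offensive team logs each executed technique with its ATT&CK ID and timestamp, that the SIEM’s alerts carry the same ID mapping, and that "escalated" means the alert reached a ticket or on-call path. The technique IDs are real ATT&CK identifiers, but every run, alert and timing is constructed, and the 30-minute detection window is an arbitrary choice.

```python
"""Detection-validation scorecard for a purple-team exercise.

Each technique the offensive team executes is matched against the alerts the
SOC actually received, then graded as detected and escalated, detected but
never escalated, or missed. Hypothetical example: the runs, alerts and
timings below are constructed, though the technique IDs are real ATT&CK IDs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Enterprise ATT&CK tactic order, used to rank gaps in kill-chain order.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]


@dataclass
class TechniqueRun:
    technique_id: str       # MITRE ATT&CK technique ID, e.g. "T1003.001"
    name: str
    tactic: str
    executed_at: datetime


@dataclass
class Alert:
    technique_id: str       # technique the detection rule is mapped to
    fired_at: datetime
    escalated: bool         # did it reach a ticket / on-call path?


@dataclass
class Result:
    technique_id: str
    name: str
    tactic: str
    status: str             # "detected" | "detected_not_escalated" | "missed"
    time_to_detect_s: Optional[float]


def grade(runs: List[TechniqueRun], alerts: List[Alert],
          window_minutes: int = 30) -> List[Result]:
    """Pair every executed technique with alerts that fired within the window.

    An alert that fires long after the action (outside the window) is treated
    as a miss: in a live exercise it arrives too late to be useful and usually
    stems from something other than the action under test.
    """
    by_tech: Dict[str, List[Alert]] = {}
    for a in alerts:
        by_tech.setdefault(a.technique_id, []).append(a)

    results: List[Result] = []
    for run in runs:
        deadline = run.executed_at + timedelta(minutes=window_minutes)
        hits = sorted(
            (a for a in by_tech.get(run.technique_id, [])
             if run.executed_at <= a.fired_at <= deadline),
            key=lambda a: a.fired_at,
        )
        if not hits:
            results.append(Result(run.technique_id, run.name, run.tactic, "missed", None))
            continue
        ttd = (hits[0].fired_at - run.executed_at).total_seconds()
        status = "detected" if any(a.escalated for a in hits) else "detected_not_escalated"
        results.append(Result(run.technique_id, run.name, run.tactic, status, ttd))
    return results


def coverage_by_tactic(results: List[Result]) -> Dict[str, float]:
    """Fraction of executed techniques per tactic that produced any alert."""
    counts: Dict[str, tuple] = {}
    for r in results:
        seen, hit = counts.get(r.tactic, (0, 0))
        counts[r.tactic] = (seen + 1, hit + (r.status != "missed"))
    return {t: hit / seen for t, (seen, hit) in counts.items()}


def prioritised_gaps(results: List[Result]) -> List[str]:
    """Misses first, in kill-chain order (earlier detection buys more time),
    then alerts that fired but never reached a human."""
    rank = {"missed": 0, "detected_not_escalated": 1}
    gaps = [r for r in results if r.status in rank]
    gaps.sort(key=lambda r: (rank[r.status], TACTIC_ORDER.index(r.tactic)))
    return [r.technique_id for r in gaps]


# Constructed sample exercise: five technique runs and the alerts that followed.
T0 = datetime(2025, 6, 10, 9, 0)

SAMPLE_RUNS = [
    TechniqueRun("T1566.001", "Spearphishing Attachment", "initial-access", T0),
    TechniqueRun("T1059.001", "PowerShell", "execution", T0 + timedelta(minutes=15)),
    TechniqueRun("T1078", "Valid Accounts", "persistence", T0 + timedelta(minutes=30)),
    TechniqueRun("T1003.001", "LSASS Memory", "credential-access", T0 + timedelta(minutes=40)),
    TechniqueRun("T1021.001", "Remote Desktop Protocol", "lateral-movement", T0 + timedelta(minutes=65)),
]

SAMPLE_ALERTS = [
    Alert("T1566.001", T0 + timedelta(minutes=4), escalated=True),
    Alert("T1059.001", T0 + timedelta(minutes=16), escalated=False),   # fired, sat in the queue
    Alert("T1021.001", T0 + timedelta(minutes=67), escalated=True),
    Alert("T1003.001", T0 + timedelta(minutes=150), escalated=True),   # 110 min late: not credited
]

if __name__ == "__main__":
    results = grade(SAMPLE_RUNS, SAMPLE_ALERTS)
    for r in results:
        print(f"{r.technique_id:<10} {r.status:<23} ttd={r.time_to_detect_s}")
    print("coverage:", coverage_by_tactic(results))
    print("fix first:", prioritised_gaps(results))
```

Run on the constructed data, the LSASS alert is a miss despite an alert existing, because it fired 110 minutes after the action; that distinction is what a real-time review surfaces and a post-hoc SIEM search hides. The PowerShell detection lands in the "detected but not escalated" bucket, which is the process and playbook gap rather than a technology gap.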
Practical, Actionable Findings
CyberLab’s output was not a generic vulnerability list. Findings were contextual to BCH’s environment, mapped to live detections and playbooks, and prioritised so the team could act on them immediately. The objective was not to expose weakness for its own sake but to leave BCH measurably stronger at the end of the engagement than it was at the start.
“Purple teaming earns its place by delivering something traditional testing cannot. The moment a defender sees a real attack technique landing in their environment, and the offensive team is sitting next to them to explain exactly how it worked and what to do about it, that is the kind of insight that changes operational outcomes. For organisations like BCH, where resilience is non-negotiable, that is exactly what we set out to deliver.”
– Wayne Price, Commercial Director, CyberLab
The Outcome: Stronger Detection, Stronger Collaboration, Stronger Operational Readiness
The engagement gave BCH a clear, evidence-based picture of how its security capabilities perform against the threats it actually faces. The key outcomes were:
- Improved visibility into detection effectiveness across BCH’s existing security controls, with clarity on what was working and where coverage needed strengthening.
- Identified gaps in monitoring, alerting and response processes, with practical recommendations the SOC and ICT teams could act on directly.
- Stronger collaboration between SOC and ICT teams during live incident scenarios, with a shared understanding of handoffs, ownership and escalation.
- Insight into where playbooks and escalation processes could be improved, including specific changes to triage, escalation and post-incident review.
- Increased understanding of shared cyber security responsibilities across operational teams.
By focusing on real attacker behaviour and collaborative testing, BCH gained practical insight that translated directly into operational improvement, not a static report destined for a shelf. The full BCH success story is available on the CyberLab website.
Key Takeaways for Public Sector Security Leaders
For CIOs, CISOs and Heads of Information Security across UK policing, central government and the wider public sector, the BCH engagement offers four practical lessons:
- Compliance testing is not operational assurance. Annual penetration tests confirm controls exist. Purple teaming confirms they perform.
- Threat intelligence should shape the scenario. A generic exercise does not reflect how your real adversaries behave. Intelligence-led design changes that.
- Collaboration accelerates improvement. Bringing offensive and defensive teams into the same room compresses the lessons-learned cycle from weeks to minutes.
- Findings should be actionable, not theoretical. Choose a partner whose deliverables map directly to your detections, your playbooks and your team, not a generic report.

How CyberLab Supports UK Policing and the Public Sector
CyberLab works with police forces, NHS Trusts, local authorities, central government departments and public sector institutions across the UK. Our support spans:
- Red teaming and purple team exercises, delivered by our CREST- and CHECK-approved offensive teams.
- Penetration testing across infrastructure, web applications and cloud environments.
- Managed detection and response through Sophos MDR and our Security Operations Centre service.
- Tabletop exercises and incident response planning.
- Strategic cyber security consultancy as an NCSC Cyber Advisor.
We are trusted by over 1,200 UK organisations, including more than 60 NHS Trusts, to protect what matters most. Our approach combines technical rigour with practical, hands-on support, helping public sector organisations build the kind of resilient security operations the modern threat landscape demands.
Ready to Validate Your Detection and Response?
If you lead cyber security in policing, central government, healthcare or another high-stakes public sector environment, the question worth asking is the same one BCH asked. Not “do we have the right controls in place?”, but “how well do those controls actually perform against the threats we face today?”
A purple team exercise answers that question with evidence. CyberLab is a CREST-, CHECK- and NCSC-accredited cyber security partner trusted by over 1,200 UK organisations. We design intelligence-led engagements that fit your environment, run alongside your team, and leave you measurably stronger than you were before.
