Purple Teaming in Practice: How Three Police Forces Strengthened Defences

How CyberLab Executed Purple Teaming Attack Simulations with Bedfordshire, Cambridgeshire & Hertfordshire Police

UK policing operates inside one of the most hostile cyber threat environments in the country. Criminal groups, hostile states and politically motivated actors actively target law enforcement to disrupt operations, undermine investigations and erode public trust. For Bedfordshire, Cambridgeshire and Hertfordshire Police (BCH), the question wasn’t whether the right security controls were in place. They were. The question was how effectively those controls, and the teams behind them, would perform against a live, intelligence-led attack.

This success story explores how CyberLab partnered with BCH to deliver an intelligence-led purple teaming exercise, emulating the tactics of a criminal group active in the UK during 2025. The engagement gave BCH’s Security Operations Centre (SOC) and ICT teams an evidence-based view of how their detection and response capabilities perform against real-world adversary behaviour, and a clear, prioritised roadmap for sharpening them.


Why UK Policing Needs Intelligence-Led Purple Teaming

UK police forces sit at the intersection of three things that make them disproportionately attractive to cyber threat actors:

  • They hold highly sensitive operational data, including intelligence systems, investigation files and personal information about victims, witnesses and officers.
  • They underpin critical frontline services, where disruption has immediate, real-world consequences for communities.
  • They operate complex digital estates that blend on-premises legacy systems with modern cloud services, federated identity and partner integrations across police forces and government agencies.

The NCSC has been clear that the threat to UK public sector organisations from both criminal and state-aligned actors continues to intensify. Ransomware groups now target law enforcement directly. Sophisticated phishing campaigns mimic legitimate operational systems. Initial access brokers actively trade credentials for public sector environments on criminal forums.

Against that backdrop, traditional testing models (annual penetration tests, scope-limited vulnerability scans and tabletop walk-throughs) provide assurance but not always insight. They tell you whether a control exists. They don’t tell you how effectively your people, processes and technology perform together when a real adversary is in your environment.

That is where purple teaming changes the picture.


What is Purple Teaming, and How Does it Differ from Red Teaming?

Purple teaming brings offensive and defensive security capabilities together in a single, collaborative exercise. Where a red team engagement tests whether an organisation can be compromised, a purple team exercise tests how effectively defenders detect, investigate and respond when an adversary is in motion.

The key difference is collaboration. In a red team, the defending team is unaware of the engagement and only learns about the activity after the fact. In a purple team, the offensive team works alongside the SOC, ICT and incident response teams in real time. Attacks are run, detections are tested, response actions are reviewed, and the team adapts and learns together throughout the exercise.

For mature security organisations, this collaborative model unlocks a different class of insight:

  • Real-time detection validation. Every attack technique is paired with an immediate review of whether and how it was detected.
  • Process and playbook testing. Escalation paths, ticketing flows and handoffs between SOC and ICT are stress-tested against live activity.
  • Skills development. Defenders investigate genuine adversary behaviour, with the offensive team available to explain what is happening as it happens.
  • Actionable, prioritised improvement. Gaps surface in a context teams can act on immediately, not weeks later in a report.


About Bedfordshire, Cambridgeshire and Hertfordshire Police

Bedfordshire, Cambridgeshire and Hertfordshire Police is a collaborative policing alliance serving communities across three counties. The constabularies share operational and corporate services, including a joint approach to information and communications technology, security operations and cyber resilience.

That collaborative model gives BCH scale and reach, but it also creates a complex shared digital estate. Sensitive operational data, intelligence systems and frontline policing services depend on the integrity of that estate every day. The leadership team understands that cyber security is not a back-office concern for UK policing. It is a foundation of public trust and operational resilience.

With established security controls already in place, BCH wanted to move beyond compliance-grade assurance. The team sought a clear, evidence-based view of how those controls, and the people and processes wrapped around them, would perform against the threats currently facing UK law enforcement.


The Business Challenge: Validating Detection and Response Against Real-World Threats

Before the engagement, BCH had a defined set of operational priorities that traditional testing was not fully addressing. The constabularies needed confidence that their existing security technologies, processes and teams could detect and respond to realistic cyber attacks aligned to current adversary behaviour, not generic test scenarios.

The specific challenges included:

  • Validating detection and response capabilities against realistic attacker techniques drawn from current threat intelligence.
  • Understanding how effectively indicators of compromise were identified, triaged and escalated through SOC workflows.
  • Testing collaboration between SOC and ICT teams during live incident scenarios.
  • Identifying gaps in incident response playbooks, escalation paths and operational workflows.
  • Strengthening a shared understanding of cyber security responsibilities across operational teams.

Standard penetration testing would not deliver this. Neither would a tabletop exercise. BCH needed a live, intelligence-led engagement that placed real adversary behaviour in front of real defenders, in their real environment, and measured what happened.


The CyberLab Approach: Intelligence-Led Purple Teaming

CyberLab was engaged to design and deliver an intelligence-led purple team exercise spanning people, process and technology. Three principles shaped the approach.

Intelligence-Led Scenario Design

Attack scenarios were built around current threat intelligence aligned to a criminal group known to be active in the UK during 2025 and observed targeting public sector and law enforcement environments. The group’s known tactics, techniques and procedures (TTPs) were mapped against the MITRE ATT&CK framework and reflected directly in the exercise design.

This meant BCH was not being tested against generic offensive tradecraft. It was being tested against the behaviour of a specific, relevant adversary. That is the kind of testing that translates directly into operational improvement.

Collaborative, Real-Time Execution

The exercise was delivered alongside BCH’s SOC and ICT teams. Every attack action was paired with a real-time review of detection effectiveness, alert handling and response process. Where a control failed to detect, the team paused, investigated together, and identified the underlying cause. Where a control worked, the team validated whether the alert was reaching the right people, in the right way, with the right context.

Practical, Actionable Findings

CyberLab’s output was not a generic vulnerability list. Findings were contextual to BCH’s environment, mapped to live detections and playbooks, and prioritised so the team could act on them immediately. The objective was not to expose weakness for its own sake but to leave BCH measurably stronger at the end of the engagement than it was at the start.


“Purple teaming earns its place by delivering something traditional testing cannot. The moment a defender sees a real attack technique landing in their environment, and the offensive team is sitting next to them to explain exactly how it worked and what to do about it, that is the kind of insight that changes operational outcomes. For organisations like BCH, where resilience is non-negotiable, that is exactly what we set out to deliver.”

– Wayne Price, Commercial Director, CyberLab


The Outcome: Stronger Detection, Stronger Collaboration, Stronger Operational Readiness

The engagement gave BCH a clear, evidence-based picture of how its security capabilities perform against the threats it actually faces. The key outcomes were:

  • Improved visibility into detection effectiveness across BCH’s existing security controls, with clarity on what was working and where coverage needed strengthening.
  • Identified gaps in monitoring, alerting and response processes, with practical recommendations the SOC and ICT teams could act on directly.
  • Stronger collaboration between SOC and ICT teams during live incident scenarios, with a shared understanding of handoffs, ownership and escalation.
  • Insight into where playbooks and escalation processes could be improved, including specific changes to triage, escalation and post-incident review.
  • Increased understanding of shared cyber security responsibilities across operational teams.

By focusing on real attacker behaviour and collaborative testing, BCH gained practical insight that translated directly into operational improvement, not a static report destined for a shelf. The full BCH success story is available on the CyberLab website.


Key Takeaways for Public Sector Security Leaders

For CIOs, CISOs and Heads of Information Security across UK policing, central government and the wider public sector, the BCH engagement offers four practical lessons:

  • Compliance testing is not operational assurance. Annual penetration tests confirm controls exist. Purple teaming confirms they perform.
  • Threat intelligence should shape the scenario. A generic exercise does not reflect how your real adversaries behave. Intelligence-led design changes that.
  • Collaboration accelerates improvement. Bringing offensive and defensive teams into the same room compresses the lessons-learned cycle from weeks to minutes.
  • Findings should be actionable, not theoretical. Choose a partner whose deliverables map directly to your detections, your playbooks and your team, not a generic report.


How CyberLab Supports UK Policing and the Public Sector

CyberLab works with police forces, NHS Trusts, local authorities, central government departments and public sector institutions across the UK. Our support spans:

We are trusted by over 1,200 UK organisations, including more than 60 NHS Trusts, to protect what matters most. Our approach combines technical rigour with practical, hands-on support, helping public sector organisations build the kind of resilient security operations the modern threat landscape demands.

Ready to Validate Your Detection and Response?

If you lead cyber security in policing, central government, healthcare or another high-stakes public sector environment, the question worth asking is the same one BCH asked. Not “do we have the right controls in place?”, but “how well do those controls actually perform against the threats we face today?”

A purple team exercise answers that question with evidence. CyberLab is a CREST-, CHECK- and NCSC-accredited cyber security partner trusted by over 1,200 UK organisations. We design intelligence-led engagements that fit your environment, run alongside your team, and leave you measurably stronger than you were before.


Delvify CyberLab Success Story

Strengthening Cyber Resilience in Fashion AI Technology

A Delvify Success Story

Digital innovation is transforming every industry, and fashion is no exception. Delvify, a UK-headquartered fashion-tech company, is leading the charge – leveraging AI to help brands and suppliers collaborate more sustainably.

But as the company scaled its operations across Singapore, Hong Kong, and Japan, it faced a growing challenge: how to protect sensitive data in an increasingly hostile cyber threat landscape. According to the Sophos State of Ransomware 2025 report, 50% of ransomware attacks resulted in data encryption – down from 70% the previous year, but still a significant risk for organisations handling sensitive data.


“CyberLab’s team thoroughly and efficiently supported us in bringing best practice to our security processes. With a consultative approach, they guided us to modify and improve our existing processes to make Delvify a more robust and more secure organisation.”

– Charles Allard, Founder of Delvify


The Cyber Threat Landscape for Fashion Tech

Fashion-tech companies like Delvify sit at the intersection of creativity, data, and global collaboration. Their platforms are built to be agile, decentralised, and fast-moving – qualities that are essential for innovation but can also introduce significant cyber risk.

Remote-first teams, diverse operating systems, and a reliance on cloud-based collaboration tools mean that the attack surface is constantly shifting. Cyber criminals are increasingly targeting organisations that handle large volumes of sensitive data, and the fashion sector is no exception. The consequences of a breach extend far beyond financial loss; they can disrupt supply chains, erode brand reputation, and undermine the trust that partners and customers place in digital platforms.

The Sophos State of Ransomware 2025 report highlights that exploited vulnerabilities remain the most common technical root cause of ransomware attacks, accounting for 32% of incidents. For fashion-tech businesses, this means that even a single overlooked weakness can have cascading effects across global operations. As Delvify expanded its reach, the leadership team recognised that proactive cyber security was not just a technical requirement – it was a strategic imperative for long-term growth and resilience.


Why Cyber Essentials Was the Right Fit

Delvify recognised that cyber security couldn’t be an afterthought – it had to be embedded into the company’s DNA. That’s why they turned to CyberLab, an IASME-approved assessor, to guide them through the Cyber Essentials certification process.

Cyber Essentials is a UK government-backed standard that helps organisations protect themselves against the most common cyber threats. For Delvify, it offered a clear, structured framework to assess and improve their security posture – without slowing down their pace of innovation.

The certification process provided Delvify with a roadmap for strengthening its defences, covering everything from firewalls and secure configuration to user access control, malware protection, and patch management. CyberLab’s expertise ensured that every step was tailored to Delvify’s unique environment, addressing the specific risks associated with remote work, device diversity, and rapid product development.

By aligning with Cyber Essentials, Delvify was able to demonstrate its commitment to best practices, reassure stakeholders, and position itself as a trusted partner in the fashion-tech ecosystem.

A Tailored Approach to a Complex Environment

CyberLab’s consultative approach began with a deep dive into Delvify’s existing security practices. From there, the team provided tailored guidance to address platform-specific risks, implement best practices, and align controls with Cyber Essentials requirements.

This wasn’t a one-size-fits-all engagement. CyberLab worked closely with Delvify to ensure that security improvements supported the company’s operational agility. From device management and access control to patching and malware protection, every recommendation was designed to strengthen resilience without compromising flexibility.

The partnership was characterised by open communication and a shared commitment to continuous improvement. CyberLab helped Delvify identify gaps in its defences, prioritise remediation efforts, and foster a culture of accountability across technical and operational teams.

The result was a security posture that not only met regulatory requirements but also empowered Delvify to innovate with confidence, knowing that its data and systems were protected against emerging threats.


“We run different operating systems on a variety of machines including Linux on MacBooks, as well as our proprietary AI platform. CyberLab was able to identify threats and suggest appropriate fixes to secure our remote teams.”

– Aleksei Bochkov, Chief Engineer at Delvify


More Than a Certificate: A Cultural Shift

Achieving Cyber Essentials certification was a milestone, but for Delvify, it was just the beginning. The process sparked a broader cultural shift within the organisation, encouraging cross-functional collaboration and a shared sense of accountability for cyber resilience.

Security controls were not only implemented; they were embedded into daily operations. Teams became more aware of cyber risks, more proactive in addressing them, and more aligned in their commitment to protecting the company’s data, clients, and reputation.

This cultural transformation extended beyond the IT department, reaching every corner of the business. Employees at all levels were engaged in cyber security training, incident response planning, and ongoing risk assessments.

The certification journey fostered a spirit of collaboration, transparency, and shared responsibility, ensuring that cyber resilience became a core value rather than a checkbox exercise. As Delvify continues to grow, this foundation will support both compliance and innovation, enabling the company to adapt to new challenges and opportunities with agility and confidence.


Final Thoughts

Delvify’s journey with CyberLab demonstrates how proactive cyber security isn’t just about compliance; it’s about building a foundation for trust, innovation, and sustainable growth.

By embedding best practices and achieving Cyber Essentials certification, Delvify has strengthened its resilience, enhanced its credibility with partners, and empowered its teams to collaborate securely across borders.

In a digital economy where threats are constantly evolving, Delvify’s commitment to cyber security sets a new standard for the fashion-tech sector, proving that resilience and agility can go hand in hand.


FMUK Success Story

Protecting Automotive Manufacturing from Cyber Threats

A Futaba Manufacturing Success Story

The automotive industry is built on precision, efficiency, and reliability. However, as manufacturing processes become more interconnected and reliant on digital systems, the risk of cyber threats continues to grow. A single cyber attack can lead to production downtime, supply chain disruptions, and reputational damage – posing significant risks to operational continuity.


The Challenge: Securing Critical Manufacturing Operations

As a leading supplier of automotive parts, Futaba Manufacturing UK (FMUK) faced growing concerns about cyber threats targeting their critical manufacturing operations. With an expanding network of IoT devices, a single cyber attack could bring production to a halt, causing financial loss and reputational damage. Futaba needed a robust cyber security solution to safeguard sensitive data, ensure operational continuity, and protect their valuable intellectual property.


“CyberLab’s managed services have been a game-changer for us. They’ve allowed me to focus on the bigger picture while knowing our operations are secure around the clock. Their proactive approach and tailored solutions have provided us with the peace of mind to continue delivering excellence to our customers.”

– Matt Cooper, IT Manager, FMUK


The Growing Cyber Threat Landscape

Manufacturing businesses are increasingly vulnerable to cyber threats such as ransomware and data breaches, with cyber criminals targeting industrial control systems, supply chains, and sensitive data. According to recent industry reports, manufacturers have become prime targets for cyber-attacks, and a significant breach could compromise production lines, erode customer trust, and lead to significant financial repercussions.

According to the Sophos State of Ransomware in Manufacturing and Production 2024 report, 65% of manufacturing and production organisations were hit by ransomware last year – a sharp rise from 56% in 2023 and 55% in 2022, marking a 41% increase since 2020.

Futaba Manufacturing, with its critical role in the automotive sector, understood that protecting their operations against cyber threats was a necessity – not just a priority. To safeguard their systems and future-proof their operations, they turned to CyberLab for a comprehensive and tailored cyber security solution.

Identifying Vulnerabilities and Securing Operations

CyberLab’s first step was to conduct an in-depth penetration test, beginning with an assessment of Futaba’s external infrastructure. This process uncovered potential vulnerabilities in their network and critical systems. By simulating real-world attack scenarios, CyberLab identified the risks that could be exploited by cyber criminals looking to disrupt manufacturing processes.

A Multi-Layered Security Approach

To combat evolving threats, CyberLab implemented a multi-layered security strategy for Futaba Manufacturing, with advanced detection systems, robust access control, and proactive monitoring.

The strategy included:

  • Sophos Managed Detection & Response (MDR): This 24/7 monitoring service helped Futaba detect and mitigate threats in real time, giving their IT team the ability to focus on high-priority tasks while CyberLab’s experts managed their security operations.
  • IoT Device Security: Given the increasing use of connected devices in Futaba’s manufacturing processes, CyberLab placed special focus on securing their IoT infrastructure, ensuring that all endpoints were protected from potential vulnerabilities.

Strengthening Internal Defences and Employee Awareness

A major part of Futaba’s defence strategy involved strengthening internal security. CyberLab conducted user awareness training across the company to ensure that employees were aware of phishing scams and social engineering tactics. By fostering a culture of security, Futaba empowered its staff to act as the first line of defence against cyber threats.

Additionally, CyberLab deployed advanced endpoint protection and email security to minimise the risk of malware or phishing entering the organisation through vulnerable communication channels.

The Results: Securing the Manufacturing Future

The implementation of CyberLab’s security solutions has significantly strengthened Futaba Manufacturing’s cyber resilience. With 24/7 threat monitoring, advanced IoT security, and comprehensive training for employees, the risk of cyber incidents and production downtime has been drastically reduced.

As a result, Futaba can now operate with confidence, knowing that their systems, data, and intellectual property are protected. The company’s commitment to proactive security enables them to stay ahead of cyber threats while maintaining a reputation as a reliable partner within the automotive industry.


“As a business committed to delivering exceptional quality and reliability to our customers, ensuring the continuity of our operations is paramount. CyberLab’s expertise in safeguarding our organisation against evolving cyber threats has been instrumental in protecting our reputation and maintaining our competitive edge. Their tailored solutions give us the confidence to focus on growth, innovation, and excellence.”

– Phil Ord, Managing Director, FMUK


A Trusted Cyber Security Partnership

Futaba’s partnership with CyberLab allowed them to take a proactive approach to cyber security, with continuous support and tailored consultancy. The collaborative relationship ensured that Futaba could keep their defences up-to-date and adapt quickly to emerging threats in the rapidly evolving cyber landscape.

Conclusion: Embracing a Secure Future for Manufacturing

Futaba Manufacturing’s collaboration with CyberLab has provided them with the tools and expertise needed to navigate the increasingly complex cyber threat landscape. With a strong cyber security framework in place, Futaba is well-positioned to grow while ensuring operational continuity and protecting sensitive data.

As manufacturing businesses continue to face heightened cyber risks, it’s crucial for companies like Futaba to adopt a proactive, multi-layered security strategy. The success of this partnership serves as a powerful reminder of how robust cyber security measures can protect against evolving threats, ensuring that businesses can thrive in an interconnected, digital world.


Sealey Case Study

Protecting E-Commerce Operations from Cyber Threats

A Sealey Tools Success Story

E-commerce has become the backbone of modern retail, offering convenience and accessibility to customers worldwide.

However, with this digital shift comes an increasing risk of cyber threats that can compromise business continuity, customer trust, and financial security. For Sealey Group, a leading provider of professional tools and workshop equipment, safeguarding their online operations was not just a priority – it was a necessity.


The Growing Cyber Threat Landscape

Cyber threats such as ransomware and phishing attacks have become a persistent challenge for online retailers. According to the Sophos State of Ransomware Report 2024, 45% of omnichannel retailers faced ransomware attacks last year alone. These threats put businesses at risk of data breaches, operational downtime, and reputational damage.

As a company with over 13,000 product lines and a strong e-commerce presence, Sealey Group required a robust cyber security strategy to ensure their platform and payment systems remained secure. A single cyber attack could disrupt sales, erode customer confidence, and result in financial losses. To fortify their defences, Sealey Group turned to CyberLab for a comprehensive cyber security solution.


“Working with CyberLab has greatly enhanced our cyber security posture. Their proactive approach and tailored solutions have strengthened our defences, ensuring our customer data and operations remain secure. The 24/7 support and expert guidance from their team have been invaluable, allowing us to focus on serving our customers with confidence and peace of mind.”

– Tim Thompson, Operations Director, Sealey Group


Identifying the Vulnerabilities

CyberLab’s first step was to conduct a thorough penetration test, beginning with an external infrastructure assessment. This process would help uncover vulnerabilities in Sealey Group’s publicly accessible systems. To simulate real-world attack scenarios, an on-site assessment was also performed within their corporate network. These evaluations provided critical insights into potential weaknesses that cyber criminals could exploit.

A Multi-Layered Security Approach

Understanding the sophistication of modern cyber threats, CyberLab implemented a layered security strategy to reinforce Sealey Group’s resilience. This strategy included advanced threat detection, robust email security, and endpoint defences, ensuring that multiple barriers were in place against potential attacks.

One of the key components of the security framework was Sophos Managed Detection & Response (MDR), which offered 24/7 expert-led threat hunting. This proactive approach allowed CyberLab’s security analysts to identify and neutralise threats before they could cause harm. Sophos MDR’s automation capabilities handled most security incidents, enabling analysts to focus on detecting more advanced, stealthy attacks.

Strengthening Email Security and Data Protection

Email remains one of the most common entry points for cyber threats, making it crucial for Sealey Group to strengthen their defences. In collaboration with Mimecast, CyberLab implemented an advanced email security system that protected both internal and external communications. This measure provided targeted threat protection and rapid remediation against phishing attempts and other email-based attacks.

To further enhance data protection, a Microsoft Teams archive was introduced to securely store customer information. Additionally, a secure file-sharing service and 24/7 telephone support were integrated to ensure seamless communication and business continuity.


A Trusted Cyber Security Partnership

Sealey Group’s long-standing partnership with CyberLab played a vital role in tailoring the security solutions to their specific needs. Through dedicated account management and expert consultancy, CyberLab provided a proactive approach to cyber security, ensuring Sealey Group remained ahead of emerging threats.

The Results: A Resilient E-Commerce Platform

The implementation of CyberLab’s security measures has significantly bolstered Sealey Group’s cyber defences. With round-the-clock threat monitoring and advanced email protection, the risk of downtime and data breaches has been drastically reduced. This has not only safeguarded customer trust but also ensured the smooth operation of Sealey Group’s omnichannel business.

By adopting a proactive approach to cyber security, Sealey Group has set a strong foundation for continued growth and operational integrity. Their commitment to resilience serves as a testament to how businesses can thrive in an evolving cyber landscape when equipped with the right defences.

Conclusion: Navigating the Digital Future with Confidence

For over six years, Sealey Group and CyberLab have worked together to navigate the complex and ever-changing world of cyber security. This partnership has ensured that Sealey Group remains well-equipped to counter emerging threats, maintain business continuity, and uphold its reputation as a trusted retailer.

As cyber threats continue to evolve, businesses must remain vigilant and proactive in their security strategies. Sealey Group’s success story highlights the importance of a comprehensive cyber security framework, demonstrating that with the right measures in place, businesses can confidently operate in the digital landscape, secure in the knowledge that their operations and customer data are protected.