Tech Tuesday Workshop - Building Out a Hands-On Purple Team Stack

  • Tuesday, February 02, 2021 at 10:00 AM EST (2021-02-02 15:00:00 UTC)
  • Erik Van Buggenhout


We will start the workshop by laying the foundations required to perform successful adversary emulation and purple teaming. We will explain the core concepts and tooling needed to start purple teaming. In true purple team fashion, this includes tools aimed at both blue and red teaming:

  • Elastic and SIGMA for detection and visibility
  • Covenant as a C2 tool
  • Caldera as an automated adversary emulation tool
  • VECTR as a purple team tracking tool

Once the introduction is done, we will “get our hands dirty” and spin up an environment to run through some practical exercises using the above tools!

Prerequisites: Familiarity with Linux and Windows is mandatory.

System Requirements: Prior to the workshop, participants should prepare the following:

  • Download and install the workshop VM: https://sansurl.com/purple-team-stack-workshop-vm
  • A 64-bit host operating system (Windows is recommended)
  • Download and install VMware Workstation Pro 15.5 or higher, VMware Fusion 11.5 or higher, or VMware Workstation Player 15.5 or higher on your system prior to the start of the workshop
  • Adobe Acrobat or other PDF reader application
  • IMPORTANT! An AWS account is required to do hands-on exercises during the workshop. The AWS account must be created prior to the workshop.
    • A credit card should be linked to the AWS account that was created. Estimated usage costs for the AWS account during the workshop are a maximum of $10.
    • For detailed instructions on these preparation steps, please refer to the following URL: https://sansurl.com/purple-team-stack-workshop-readme

*Please note that this WILL NOT be recorded. Due to the nature of these workshops, many have a capacity limit and will not be made available for archive. To help us offer this opportunity to as many people as possible, we are asking that you please only register if you plan to attend live.

Speaker Bio

Erik Van Buggenhout

Erik Van Buggenhout is the lead author of SEC599 - Defeating Advanced Adversaries and SEC699 - Purple Team Tactics. He also teaches SEC560 - Network Penetration Testing & Ethical Hacking and SEC542 - Web Application Penetration Testing & Ethical Hacking. Beyond his work with SANS, Erik is the co-founder of Belgian cyber security firm NVISO. Together with his team of 70+ technical experts, Erik delivers a wide array of technical security services, including penetration testing, security monitoring, and incident response.
