# 67 Purple-team / adversary emulation

> v0.0.1 · role: Assure · [policy: #21 · #12](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

A periodic adversary-emulation exercise: the attacks these controls claim to stop are actually run against the tenant, and three questions are answered — was it blocked, was it detected, and did anyone act on the alert. Its output is the evidence that the controls you deployed actually fire; without it, every claim they make is untested.

## Caveats

- It has no Admin Console screen and changes no setting — the deliverable is the evidence, so an exercise nobody writes up buys nothing.
- It tests only what you thought to emulate — a clean report bounds the attacks you imagined, not the ones you did not.

_Process control — carried out offline; no Admin Console walkthrough._

## Ongoing maintenance

- **[requires a human]** Per interval: run the exercise and write findings with owners.

## How to verify

1. Check the most recent exercise report exists, is within the agreed interval, and each finding has an owner and a remediation state.
