
Authored by: PlexTrac Author

Posted on: December 4, 2025

Building a Continuous Purple Teaming Program with Paul Nieto III

Purple teaming has quickly become one of the most impactful ways to bring red and blue teams together and actually prove whether your security tools and processes work the way you think they do. On a recent PlexTrac Friends Friday Podcast, our founder, Daniel DeCloss, sat down with Paul Nieto III, a seasoned red team operator at Royal Caribbean, to unpack how his organization built and scaled a purple teaming program that runs continuously, not just once a year.

From spreadsheet-driven beginnings to a structured, tool-enabled program, Paul shared the journey, the lessons learned, and what he wishes more teams understood about purple teaming.

Watch the full episode or read the highlights.

Starting from Scratch: The Evolution of Purple Teaming at Royal Caribbean

Paul and his colleague, now the team’s manager, began their journey into structured red and purple teaming around 2022. In the early days, everything operated manually—Excel spreadsheets for detections, hand-tracked commands, and ad-hoc testing after each red team action. Fast forward to today, and the program looks entirely different. The team now has a dedicated purple team lead, well-defined processes and playbooks, and clear alignment with cyber threat intelligence. Their workflows are fully integrated into PlexTrac, enabling streamlined collaboration, reporting, and execution, with further automation on the way through planned ServiceNow integrations for SLA-driven remediation. Together, these advancements have transformed their purple teaming efforts into a mature program focused not only on evaluating the blue team, but also on validating tools, uncovering gaps, and strengthening both sides of the security operation.

How They Choose TTPs: Threat Intel–Driven Scoping

Royal Caribbean’s purple team starts with threat intelligence. With insights from their CTI lead (formerly their manager), they select relevant threat actors such as Scattered Spider or various “Panda” groups highlighted by CrowdStrike.

They focus on:

  • Actors known to target cruise lines or hospitality organizations
  • Emerging vulnerabilities (e.g., F5, VMware)
  • Tools and exploits active in the wild

These insights help shape purple team scenarios and ensure exercises remain grounded in operational reality.

Testing the Tools: Purple Teaming as a Security Control Quality Check

One of the most impactful parts of the conversation was Paul’s overview of how purple teaming isn’t just about emulating attackers. It’s also about validating security controls.

Paul shared examples like:

  • Running new tools such as Darktrace or CrowdStrike through rigorous testing
  • Executing realistic attacks to confirm tools detect and block behavior as promised
  • Identifying weaknesses—such as when a third-party red team bypassed controls with a tool called “Sopound”—and immediately remediating them

As Paul said, “You can have all the tools in the world, but if they’re not fine-tuned and configured correctly, they’re not going to stop much.”

Purple teaming closes the loop by ensuring investments actually work.

How Maturity Impacts Purple Teaming (and Whether You Need It)

Paul’s advice: Don’t wait for perfect maturity. Start where you are.

Every organization is different. For Royal Caribbean, the red team needed to reach a certain baseline capability before meaningful collaborative exercises were possible. But the real key is tailoring the program to your own environment, not copying what another company does.

Whether you’re early in your security journey or well-established, purple teaming can offer value by showing where detections work well, highlighting gaps, building collaboration between defensive and offensive roles, and enabling continuous improvement instead of one-off assessments.

And importantly, it shifts the culture. Purple teaming becomes a team sport, not a “red vs. blue” face-off.

Adopting a Continuous Mindset

Originally, Royal Caribbean conducted purple team exercises only for new ship builds. Today, they run at least one engagement per month, with additional tests whenever new tools are deployed.

This has moved them into a truly “continuous validation” mindset of constantly evaluating tools, processes, and team readiness.

As Paul emphasized, the regular cadence builds muscle memory, reinforces collaboration, and helps the team keep pace with evolving attacker techniques.

Real-World Scenarios and Blue Team Impact

Royal Caribbean’s purple team focuses heavily on real-world scenarios that reflect the realities of their distributed call center model and extensive third-party ecosystem. They regularly test social engineering techniques—especially in the wake of the Scattered Spider incident—along with phishing links that originate on personal devices but end up executed on corporate machines, as well as lateral movement and other initial access paths. These exercises mirror behaviors they’ve seen play out in the wild, ensuring the team is assessing what actually happens in their environment rather than relying on hypothetical models.

Paul noted that the blue team embraced this approach from the beginning. The exercises didn’t just expose gaps; they highlighted strengths, gave defenders clearer visibility into attacker behavior, and improved alignment across red, blue, purple, and threat-hunting functions. The collaborative nature of the work has even sparked long-term discussions about standardizing incident response reporting in PlexTrac to further unify operational workflows.

Advice for Anyone Building a Purple Team

Paul wrapped up with practical guidance that underscores the heart of an effective purple team: don’t copy another organization’s model. Every environment is unique. Use others for inspiration, but focus on building a foundation tailored to your own tools, people, and threat landscape. Expect plenty of trial and error, and keep the program truly collaborative; the goal is growth, not blame. Ultimately, purple teaming is most powerful when it’s grounded in real-world threats, continuous validation, and a shared mission between red and blue to understand what works, fix what doesn’t, and strengthen the organization together.

Follow PlexTrac on LinkedIn for more engaging episodes of PlexTrac Friends Friday, featuring leaders across all aspects of the cybersecurity industry.
