A major energy company, despite significant investments in security infrastructure, including a multi-million dollar Security Operations Center (SOC), faced critical gaps in their threat detection capabilities.
What began as routine security assessments evolved into a multi-year partnership that transformed their security posture through innovative purple teaming exercises.
The context
Over the years, Chaleit and the client built a strategic partnership that systematically enhanced security maturity.
The journey began with standard compliance and penetration testing, progressed to strengthening operational technology (OT) infrastructure, and evolved into sophisticated red team exercises.
It was during these red team scenarios in year three that a critical reality emerged: attacks could persist undetected within their systems for days, with no response from their expensive SOC investment.
The challenge
The red team exercises revealed a concerning reality: the company's detection capabilities were severely lacking.
During one particularly revealing exercise, the red team maintained system access for over 10 days without detection and could simultaneously run four different attack scenarios without correlation or response.
Key issues included:
- Zero detection of basic attack scenarios
- Inability to correlate multiple concurrent attacks
- Long dwell time for unauthorised access
- Limited visibility across both IT and OT environments
- Significant gaps between security investment and actual protection
After seeing the red team's findings, the client was struck by the severity of the results and recognised the need for a structured approach to resolve the security issues that had been uncovered.
Rather than pursuing a traditional consulting approach of identifying problems and leaving the client to solve them, Chaleit proposed a comprehensive purple teaming program that emphasised collaboration and systematic improvement.
We structured the solution in two main phases:
Phase 1 - Preparation and tuning
- We worked closely with the SOC team to identify gaps in their detection and response capabilities.
- We helped configure their Security Information and Event Management (SIEM) tool to improve log collection and alert generation.
- We conducted live simulations of various attack scenarios to familiarise the SOC team with potential threat patterns.
Phase 2 - Blind testing
- Without prior notification to the SOC team, we emulated real-world attacks, including phishing campaigns, credential harvesting, and lateral movement within the network.
- We escalated our activities gradually, starting with basic noise generation and progressing to more sophisticated attack techniques.
- We closely monitored the SOC's response time and effectiveness at all times.
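As an added illustration, not part of the original case study and not Chaleit's or the client's tooling, the following Python script shows one way to score a blind-testing phase like the one described above. It takes a constructed timeline of red-team scenarios and the SOC's detections and reports time-to-detect per scenario, the overall detection rate, and concurrent scenarios that the SOC filed as unrelated incidents (the correlation gap the red team exercise exposed). All scenario names, dates, durations and incident ids are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Scenario:
    """One red-team scenario and how the SOC handled it (constructed data)."""
    name: str
    started: datetime                     # when the red team began the activity
    ended: datetime                       # when the red team stopped it
    detected: Optional[datetime] = None   # first SOC alert or analyst action; None = never
    incident_id: Optional[str] = None     # SOC case the detection was filed under


def dwell_time(s: Scenario, exercise_end: datetime) -> timedelta:
    """Time the activity ran before the SOC acted; undetected runs count until exercise end."""
    return (s.detected or exercise_end) - s.started


def overlapping(a: Scenario, b: Scenario) -> bool:
    """True when the two scenarios were active at the same time."""
    return a.started < b.ended and b.started < a.ended


def uncorrelated_pairs(scenarios):
    """Concurrent scenarios the SOC detected but filed under different incidents."""
    pairs = []
    for i, a in enumerate(scenarios):
        for b in scenarios[i + 1:]:
            if (overlapping(a, b) and a.incident_id and b.incident_id
                    and a.incident_id != b.incident_id):
                pairs.append((a.name, b.name))
    return pairs


def scorecard(scenarios, exercise_end: datetime) -> dict:
    """Purple-team metrics: per-scenario dwell, detection rate, correlation failures."""
    rows = {}
    for s in scenarios:
        rows[s.name] = {
            "detected": s.detected is not None,
            "dwell_minutes": round(dwell_time(s, exercise_end).total_seconds() / 60, 1),
        }
    detected = [s for s in scenarios if s.detected is not None]
    return {
        "scenarios": rows,
        "detection_rate": len(detected) / len(scenarios),
        "max_dwell_minutes": max(r["dwell_minutes"] for r in rows.values()),
        "uncorrelated": uncorrelated_pairs(scenarios),
    }


# Constructed baseline: four concurrent scenarios, half never detected, detections
# arriving after more than a week and filed as separate incidents.
T0 = datetime(2024, 1, 1, 9, 0)          # hypothetical start date
DAY, HOUR, MIN = timedelta(days=1), timedelta(hours=1), timedelta(minutes=1)
BASELINE_END = T0 + 12 * DAY
BASELINE = [
    Scenario("phishing", T0, BASELINE_END),
    Scenario("credential harvesting", T0 + 1 * DAY, BASELINE_END,
             detected=T0 + 11 * DAY, incident_id="INC-1"),
    Scenario("lateral movement", T0 + 2 * DAY, BASELINE_END,
             detected=T0 + 11 * DAY + 2 * HOUR, incident_id="INC-2"),
    Scenario("noise generation", T0 + 3 * DAY, T0 + 5 * DAY),
]

# Constructed post-program run: everything detected within minutes and tied to one case.
T1 = datetime(2024, 6, 1, 9, 0)          # hypothetical start date
AFTER_END = T1 + 3 * HOUR
AFTER = [
    Scenario("phishing", T1, T1 + 2 * HOUR,
             detected=T1 + 15 * MIN, incident_id="INC-7"),
    Scenario("credential harvesting", T1 + 30 * MIN, AFTER_END,
             detected=T1 + 42 * MIN, incident_id="INC-7"),
    Scenario("lateral movement", T1 + 1 * HOUR, AFTER_END,
             detected=T1 + 69 * MIN, incident_id="INC-7"),
]

if __name__ == "__main__":
    for label, runs, end in (("baseline", BASELINE, BASELINE_END), ("after", AFTER, AFTER_END)):
        card = scorecard(runs, end)
        print(f"{label}: detection rate {card['detection_rate']:.0%}, "
              f"max dwell {card['max_dwell_minutes']} min, "
              f"uncorrelated pairs {card['uncorrelated']}")
        for name, row in card["scenarios"].items():
            print(f"  {name:22} detected={row['detected']!s:5} dwell={row['dwell_minutes']} min")
```

Dwell time for an undetected scenario is counted up to the end of the exercise, which understates the real figure; the scorecard flags such rows so they are not mistaken for detections. The same structure extends to response time (time from detection to containment) by adding a `contained` timestamp to each scenario.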
Throughout the process, we maintained open communication channels with both the client's management and the SOC team. We provided regular updates and conducted knowledge-sharing sessions to ensure all parties understood the implications of our findings and the improvements being made.
A Chaleit team member described the approach as "taking your SOC to the gym. We're not trying to put down the blue team or the SOC team. We're just trying to help the organisation as a whole."
The program took a measured pace, avoiding a rushed checklist approach. This allowed for thorough testing of each security control and facilitated crucial knowledge transfer to the SOC team.
As improvements were implemented, each change could be properly validated, and real-world attack simulations confirmed their effectiveness.
The steady, iterative process ensured sustainable improvement rather than quick fixes.
The outcome and aftermath
The transformation yielded remarkable improvements across various areas.
Detection and response
- Reduced attack dwell time from 10+ days to minutes
- Achieved near real-time detection of unauthorised access attempts
- Implemented geographic-based access controls
- Established immediate response protocols for security events
Infrastructure protection
- Prevented malicious emails from reaching inboxes
- Enhanced OT infrastructure segregation
- Improved EDR configuration and alerting
- Strengthened overall security architecture
Organisational impact
- Transformed SOC from a passive to a proactive security stance
- Enhanced collaboration between security teams
- Improved user security awareness
- Demonstrated clear ROI on security investments
"Now, they're hyper-vigilant, with rapid detection and response times. They act on every suspicious activity, even before it triggers an alert. They have become rehearsed and resilient," noted the Chaleit expert who was able to breach their systems initially.
Key takeaways
- Traditional security assessments often fail to uncover systemic detection issues.
- Successful security transformation requires sustained, systematic improvement.
- Purple teaming effectiveness depends on true collaboration between offensive and defensive teams.
- Meaningful security improvements can be achieved within existing security budgets through strategic focus.
- Partnership-based security programs yield better results than transactional engagements.
- Return on cyber investment was realised and drove material risk reduction.
Rather than following the classic approach of conducting purple teaming exercises and presenting a mountain of problems to solve, we respected the client's tacit knowledge and enabled them to bring that expertise to the table.
Chaleit's collaborative mindset allowed our experts to unlock access to the right teams, think creatively together, and explore more nuanced attack vectors that would typically be out of scope.
The combination of the client's deep organisational knowledge and our security expertise created real ROI on their cyber security investment. If you're looking to achieve similar outcomes, let’s talk. Not ready for a partnership yet? Start with a security health check and test our expertise.