The colors of cybersecurity

Leverage managed services to continually improve your security posture

Using Red and Purple teaming to go beyond traditional pen testing

Regular penetration testing paired with an effective remediation program generally correlates with a reduction in identified vulnerabilities. Most organizations test annually, driven by industry practice and regulatory requirements. This approach can be effective, but it can also create a false sense of security: an annual test is a point-in-time exercise, and it usually relies only on traditional network and application testing techniques. Many organizations have suffered major incidents through attack paths that such testing cannot account for. Consider these real-world scenarios, in which bad actors have:

  • Compromised a cloud or on-premises web application, discovering privileged credentials that then allowed lateral movement across the network.
  • Compromised operator credentials via social engineering, gaining access to the internal network through the VPN.
  • Compromised servers by deploying remote access—and maintaining it through C2 persistence.
  • Mapped the internal network, exploiting systems and escalating privileges to domain administrator role.
  • Conducted activities on financial systems, exfiltrating sensitive information.

Traditional testing attempts to capture some of these activities, but threat actors are not constrained by vulnerability scans, scope limitations, testing windows, or rules of engagement. Is there a more effective approach? KPMG believes so.

Red Teaming

One way to take a more effective stance against bad actors is "Red Team" testing, in which teams of cybersecurity professionals pose as attackers and test an organization's defenses by whatever means the engagement permits. Red Team tests take a "gloves off," scenario-based approach that emulates the full attack chains adversaries use in the wild rather than individual findings. This is useful, but it is still point-in-time testing, and it often produces the same outcome as a traditional penetration test: an after-action report. To overcome this, leading cybersecurity providers are building on these practices with a more collaborative approach called "Purple Team."

Purple Team

The Purple Team moniker comes from the two teams that partner to make this approach possible: the offensive Red Team and the defensive Blue Team. While the Red Team launches attacks, the Blue Team learns from them in real time to improve its ability to detect and respond. The two teams collaborate actively: the Red Team continuously shares which techniques succeeded and how, and the Blue Team makes on-the-fly adjustments to detection content, response playbooks, and controls, after which the Red Team reruns the technique (and variants of it) to confirm the gap is actually closed. The goal of this type of engagement is real-time improvement of the Blue Team's security operations across people, processes, and technology. A successful Purple Team engagement produces measurable improvements to Blue Team processes and is best suited to organizations seeking to mature their defensive operations. Threats addressed can range from weak passwords and protocols to unpatched systems, man-in-the-middle attacks, privilege escalation, gaps in personnel security training, and holes in detection mechanisms.
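The following is an added example, not KPMG's tooling or any client's data, of what one Purple Team iteration looks like at the detection layer. The Red Team's lateral movement (one account logging on to many hosts in a short window) is represented by constructed Windows-style logon events; the host names, account names and timestamps are illustrative. The Blue Team's first rule only watches network logons (Event ID 4624, logon type 3), so the Red Team's RDP variant (logon type 10) slips through; the second rule, written after the Red Team shared that result, catches both. The window and host-count threshold are assumptions chosen for the example.

```python
"""Purple-team detection loop over constructed Windows-style logon events.

Added example, not KPMG's own tooling. All events below are constructed:
host names, account names and timestamps are illustrative, not real data.
Event ID 4624 (successful logon) and logon types 3 (network) and 10
(RemoteInteractive/RDP) are the real Windows Security log values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Red Team telemetry. First run: one service account touching
# four hosts over SMB/WinRM (logon type 3) within two minutes.
# Second run (the variant): the same pattern over RDP (logon type 10),
# with host names in a different case to test normalization.
EVENTS = [
    {"ts": "2024-03-01T09:00:05", "event_id": 4624, "logon_type": 3,  "user": "svc-backup", "host": "FS01"},
    {"ts": "2024-03-01T09:00:41", "event_id": 4624, "logon_type": 3,  "user": "svc-backup", "host": "FS02"},
    {"ts": "2024-03-01T09:01:12", "event_id": 4624, "logon_type": 3,  "user": "svc-backup", "host": "APP03"},
    {"ts": "2024-03-01T09:01:40", "event_id": 4624, "logon_type": 3,  "user": "svc-backup", "host": "DC01"},
    {"ts": "2024-03-01T09:02:00", "event_id": 4624, "logon_type": 2,  "user": "jsmith",     "host": "WS117"},
    {"ts": "2024-03-01T10:30:02", "event_id": 4624, "logon_type": 10, "user": "t.ops",      "host": "fs01"},
    {"ts": "2024-03-01T10:30:30", "event_id": 4624, "logon_type": 10, "user": "t.ops",      "host": "app03"},
    {"ts": "2024-03-01T10:31:05", "event_id": 4624, "logon_type": 10, "user": "t.ops",      "host": "sql02"},
    {"ts": "2024-03-01T10:31:50", "event_id": 4624, "logon_type": 10, "user": "t.ops",      "host": "dc01"},
]

# Assumed tuning values for this example; real thresholds come from baselining.
WINDOW = timedelta(minutes=5)
THRESHOLD = 4  # distinct hosts per account within WINDOW


def detect_lateral_movement(events, logon_types, window=WINDOW, threshold=THRESHOLD):
    """Return the set of accounts that logged on to at least `threshold`
    distinct hosts within `window`, counting only the given logon types."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] in logon_types:
            # Normalize host case so "fs01" and "FS01" count as one host.
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"].upper()))
    flagged = set()
    for user, logons in by_user.items():
        logons.sort()
        # Slide the window forward from each logon and count distinct hosts.
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                flagged.add(user)
                break
    return flagged


def blue_team_v1(events):
    """Round 1 detection: network logons only (logon type 3)."""
    return detect_lateral_movement(events, logon_types={3})


def blue_team_v2(events):
    """Round 2 detection, after the Red Team reported that the RDP
    variant was not alerted on: include RemoteInteractive (type 10)."""
    return detect_lateral_movement(events, logon_types={3, 10})


def purple_round(events, detector, red_accounts):
    """One Purple Team iteration: run the Blue Team's detector over the
    Red Team's activity and report which attacking accounts it missed."""
    found = detector(events)
    return {"detected": found & red_accounts, "missed": red_accounts - found}


if __name__ == "__main__":
    red_accounts = {"svc-backup", "t.ops"}
    print("round 1:", purple_round(EVENTS, blue_team_v1, red_accounts))
    print("round 2:", purple_round(EVENTS, blue_team_v2, red_accounts))
```

The point of the loop is the `missed` set: in a traditional engagement it would appear in an after-action report weeks later, whereas in a Purple Team exercise the Red Team reports it immediately, the Blue Team ships `blue_team_v2`, and the Red Team reruns the variant in the same session to confirm the detection now fires.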

Continually improving the security posture

Advanced persistent threats and nation-state actors do not stick to the techniques traditional offensive testing exercises, and they certainly do not restrict themselves to expected tactics, techniques and procedures. That is why progressive companies are increasingly engaging offensive security managed services providers to emulate these adversaries through ongoing testing while continually honing their defenses.

How KPMG can help

KPMG offers extensive security testing as an outcome-based managed service, helping organizations consistently validate controls while minimizing remediation efforts. That’s because business transformation is not a fixed destination; it’s an ongoing journey. With Managed Services, we help to continually evolve your business functions to keep up with ever-changing targets, while driving outcomes like cost reduction, resilience, and stakeholder trust.

Meet our team

Evan Rowell
Managing Director, Advisory, KPMG US
