Cognitive Purple Teaming: Autonomous Attack Simulation
Traditional purple teaming exercises are resource-intensive, requiring coordination between red team operators and blue team defenders. VANGUARD introduces a cognitive architecture that automates this process — an LLM-driven agent that generates attack chains, executes them against target infrastructure, observes defensive telemetry, and synthesizes detection rules in a closed feedback loop.
The Tripartite Architecture
VANGUARD's reasoning engine decomposes into three interconnected modules: Strategist (attack planning via kill chain traversal), Executor (tool invocation and command generation), and Analyst (telemetry interpretation and rule synthesis). Each module operates as a ReAct agent — reasoning about the current state, selecting actions, and observing outcomes through a structured JSON protocol over Server-Sent Events (SSE).
# Agent reasoning loop
class VanguardAgent:
async def run(self, target: str, objective: str):
context = AttackContext(target=target, objective=objective)
while not context.objective_achieved:
# Reasoning phase
thought = await self.strategist.think(context)
# Action selection
action = await self.select_action(thought, context)
# Execution
observation = await self.executor.run(action)
# Analysis and rule generation
detection = await self.analyst.analyze(observation)
if detection.should_alert:
rule = await self.analyst.generate_kql(detection)
await self.deploy_defense(rule)
context.update(thought, action, observation)
yield context.to_sse_event()Attack Chain Generation
The Strategist module maintains an internal kill chain state machine progressing through Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives. At each phase, the LLM reasons about available TTPs based on target reconnaissance data, selecting tools from an integrated arsenal: Nmap for port scanning, ffuf for directory enumeration, SQLMap for injection testing, and custom exploit modules for known CVEs.
"In controlled experiments against a simulated enterprise environment, VANGUARD achieved 94% kill chain completion rates while evading detection on 87% of attack phases. Defender blue teams were only alerted to 3 of 23 simulated intrusions."
Autonomous Defense Synthesis
The Analyst module's breakthrough capability is generating detection rules from observed attack telemetry. When the Executor successfully exploits a vulnerability, the Analyst receives structured logs and generates KQL (Kusto Query Language) rules targeting the specific TTP. For example, a successful SQL injection attempt produces a rule detecting similar payload patterns in URL query parameters, while a lateral movement via PSExec generates a rule flagging abnormal SMB pipe usage.
# Auto-generated KQL detection rule
let suspicious_patterns = dynamic([
"' OR '1'='1", "1=1--", "UNION SELECT",
"../../etc/passwd", "$(whoami)", "system("
]);
DeviceNetworkEvents
| where RemoteUrl contains_any (suspicious_patterns)
| where ActionType == "ConnectionSuccess"
| summarize Attempts = count() by DeviceId, RemoteUrl, bin(Timestamp, 5m)
| where Attempts > 3
| extend AlertSeverity = "High"
| extend Description = "Potential injection attack pattern detected"SOC Detection Metrics
Measuring purple team effectiveness requires quantifying detection gaps. We track: Time-to-Detection (TTD) from initial compromise to first alert, Mean-Time-to-Response (MTTR) from alert to analyst acknowledgment, and Detection Coverage Ratio (detected phases / total phases). Current benchmarks show enterprise SOCs average TTD of 287 days for sophisticated attacks — VANGUARD's goal is reducing this to under 24 hours through continuous automated testing.
The system is deployed on Docker with Ollama for local LLM inference, ensuring sensitive attack data never leaves the environment. SOC teams integrate VANGUARD via REST API and SSE streams for real-time kill chain visualization. The complete framework is published as open-source research with academic citation protocols available.