What is White Box Purple Test?
I wish Sun Tzu were reborn in the world of modern cybersecurity threats. He would have probably added "Assume the enemy knows everything about you."
When I compared the G7 Threat Led Penetration Testing (TLPT) Principles, the EU DORA ICT requirements (including TLPT and purple tests), the relevant ICT guidelines of 45 jurisdictions across the world, and real-life cyber incidents, the need for greater rigour was obvious to me. That led to the creation of WBPT. To be clear, the creation of WBPT was driven by my personal views and ambition, not by a regulatory compliance need.
WBPT deviates from traditional TLPT by making the Red Team better equipped (as if they were supported by a rogue insider), while giving the Blue Team the preparation needed to mount a credible defence.
How is it implemented?
Difference from Traditional TLPT
| Aspect | WBPT | Traditional TLPT (DORA) |
|---|---|---|
| Awareness | Purple Test Group | Control Group (excl. Blue Team) |
| CTI phase | Passive + Active | Passive Only |
| CTI sharing | Pre-penetration | Post-penetration |
| Technical Stack knowledge | White Box | Almost none |
| TTP knowledge | Transparent | Shared via the PT Report after the test |
| Red Team Effectiveness | Quality driven | Quality + Luck |
| Blue Team Effectiveness | Real-time | D&R review |
| Role of AI | Recommended for Red and Blue teams | Optional for Red Team |
Advantages of WBPT
Experience of implementing WBPT at PracticallyUnhackable.com showed that it enhances the quality of TLPT to a level never seen in the last three decades. Key advantages are:
- Active Cyber Threat Intelligence (CTI) is aligned with the real-life actions of Threat Actors, who may use active scanning to complement OSINT and reconnaissance.
- Pre-sharing of CTI helps the Blue Team to prioritise critical vulnerabilities and remove "low hanging fruits".
- Details of the Technology Stack enable bespoke planning of the penetration test by the Red Team.
- Details of TTPs facilitate comprehensive preparedness by the Blue Team.
- The luck factor (e.g. phishing / spearphishing success) is eliminated.
- The "assisted foothold", when used, is better informed.
- The use of AI is already on the rise in real-life threats.
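The two advantages that depend on pre-sharing (CTI before the penetration phase, and the Red Team's TTPs up front) can be turned into a concrete Blue Team readiness check. The script below is an added example, not code from the article or from PracticallyUnhackable.com: it ranks constructed pre-shared CTI findings for remediation and reports which declared TTPs have no detection rule behind them. The assets, issues, scoring weights and detection rule names are all hypothetical; the ATT&CK technique IDs are real identifiers, but the choice of which ones a Red Team would declare is an assumption.

```python
"""Blue Team readiness check for a White Box Purple Test (added example).

Inputs are the two things WBPT shares before the penetration phase:
  1. CTI findings from the Red Team's passive + active reconnaissance
  2. The TTPs the Red Team plans to execute
All data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str              # hypothetical asset name
    issue: str              # hypothetical weakness description
    cvss: float             # base severity, 0.0 - 10.0
    internet_exposed: bool  # reachable from outside (from active scan)
    exploit_available: bool # public exploit known (from OSINT)


@dataclass(frozen=True)
class DetectionRule:
    name: str
    techniques: frozenset   # ATT&CK technique IDs the rule covers


# Constructed pre-shared CTI findings.
CTI_FINDINGS = [
    Finding("vpn-gw-01", "outdated VPN appliance firmware", 9.8, True, True),
    Finding("hr-portal", "reflected XSS on login page", 6.1, True, False),
    Finding("build-srv-03", "default credentials on CI agent", 8.8, False, True),
    Finding("file-srv-02", "SMB signing disabled", 5.3, False, False),
]

# Constructed list of TTPs the Red Team declares for the test
# (ATT&CK IDs are real; the selection is hypothetical).
PLANNED_TTPS = {
    "T1566.001": "Spearphishing Attachment",
    "T1078": "Valid Accounts",
    "T1059.001": "PowerShell",
    "T1021.001": "Remote Desktop Protocol",
    "T1048": "Exfiltration Over Alternative Protocol",
}

# Constructed inventory of the Blue Team's existing detection rules.
BLUE_RULES = [
    DetectionRule("phish-attachment-detonation", frozenset({"T1566.001"})),
    DetectionRule("powershell-scriptblock-logging", frozenset({"T1059.001"})),
    DetectionRule("impossible-travel-logon", frozenset({"T1078"})),
]

# Hypothetical weights: exposure and exploit availability raise priority
# because they are exactly what pre-shared active CTI tells the Blue Team.
EXPOSURE_WEIGHT = 2.0
EXPLOIT_WEIGHT = 1.5


def risk_score(finding: Finding) -> float:
    """CVSS plus uplift for exposure and exploit availability (1 decimal)."""
    score = finding.cvss
    if finding.internet_exposed:
        score += EXPOSURE_WEIGHT
    if finding.exploit_available:
        score += EXPLOIT_WEIGHT
    return round(score, 1)


def prioritise(findings) -> list:
    """Remediation order: highest risk first (the 'low hanging fruit' list)."""
    return sorted(findings, key=risk_score, reverse=True)


def coverage_gaps(planned: dict, rules) -> dict:
    """Declared TTPs that no detection rule covers; handles an empty rule set."""
    covered = set()
    for rule in rules:
        covered |= rule.techniques
    return {tid: desc for tid, desc in planned.items() if tid not in covered}


def readiness_report(findings, planned, rules) -> dict:
    """Summary a Purple Test Group could review before the penetration phase."""
    ranked = prioritise(findings)
    gaps = coverage_gaps(planned, rules)
    return {
        "remediation_order": [f.asset for f in ranked],
        "top_risk": risk_score(ranked[0]) if ranked else 0.0,
        "uncovered_ttps": gaps,
        "ttp_coverage_pct": round(100 * (1 - len(gaps) / len(planned))) if planned else 100,
    }


if __name__ == "__main__":
    report = readiness_report(CTI_FINDINGS, PLANNED_TTPS, BLUE_RULES)
    for asset in report["remediation_order"]:
        print(f"fix next: {asset}")
    for tid, desc in report["uncovered_ttps"].items():
        print(f"no detection for {tid} ({desc})")
    print(f"TTP coverage: {report['ttp_coverage_pct']}%")
```

The point of running this before the test, rather than after, is the WBPT contract: the Blue Team has no "unknowns" to blame, so any finding still near the top of the list, or any declared TTP still in the gap list, on the day of the penetration phase is a readiness failure, not bad luck.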
The spirit of WBPT is fully aligned with Operational Resilience requirements in multiple jurisdictions.
What makes WBPT the most rigorous TLPT variant?
Whether to describe WBPT as "the toughest TLPT" or "a more rigorous TLPT variant" will be a matter of intellectual debate, and that is not the point here. What matters more than the debate is the outcome: defending against real-life adversaries. If you have ever done a TLPT exercise (as a TI provider, PT provider, Control Group member or Regulator), you will be familiar with its strengths and limitations. WBPT establishes the toughest TLPT standard by maximising Red Team quality and Blue Team readiness through extreme transparency. This removes luck, forces precise TTP execution, and tests defences under ideal attack conditions. Key hardening contributors are:
- Full white box access to the tech stack lets the Red Team craft perfect exploits, with no guesswork.
- Pre-shared CTI and TTPs mean the Blue Team must defend against known, real threats without "low hanging fruit" excuses.
- CTI derived by combining active scans and OSINT is more likely to represent resourceful APTs.
- AI use is required for both teams, increasing complexity when defending against automated attacks.
Traditional TLPTs rely on surprise and partial intel, so Blue Teams blame "unknowns" for failures. WBPT eliminates that: the Red Team attacks at peak efficiency, and the Blue Team gets the maximum preparation time and information. Success demands flawless execution from both sides, making it harder than standard tests.
Limitations of WBPT
The transparency associated with WBPT lacks the "surprise" element of traditional TLPT.
The G7 TLPT principles are based on "minimal foreknowledge" by the Blue Team. Given the 24/7/365 exposure to sophisticated cyber attacks, I would question whether the G7 principle still holds.
Therefore, if you prefer "controlled surprise", go for G7 TLPT. If your ambition is to defend against well-informed, AI-driven adversaries, go for WBPT. Or you can alternate between traditional TLPT and WBPT. You decide.
Caution
You are welcome to hack us. But be aware that your IP may be banned. We suggest you contact us so that we can whitelist your IP address.