
Build detections that actually catch threats.

Purple Shell Security is a detection engineering firm. We design, build, and deploy detection programs that reflect how adversaries actually operate in your environment.

detection-audit.sh
$ ./detection-audit.sh --env prod
→ Loading detection library... 312 rules
→ Mapping to MITRE ATT&CK... done
→ Coverage analysis:
  ✓ Initial Access 82%
  ✓ Privilege Escalation 74%
  ⚠ Lateral Movement 41%
  ⚠ Defense Evasion 29%
 
→ Generating gap report...
$

Services

We focus on four core engagements, because in detection work depth beats breadth.

[01]

Detection-as-a-Service

A subscription model for continuous detection rule development, tuning, and lifecycle management. We act as an embedded detection engineer, without the full-time headcount cost.

Splunk, Sentinel, Chronicle, Elastic

[02]

Detection Library Buildouts

A structured engagement to build your detection catalog from the ground up or close critical gaps. Mapped to MITRE ATT&CK and tailored to your environment and threat model.

MITRE ATT&CK, Sigma, YARA

[03]

Purple Team Exercises

Simulated adversary activity combined with real-time detection validation. We attack and defend simultaneously, exposing coverage gaps you can actually act on.

Adversary Simulation, Detection Validation

[04]

SIEM / EDR Tuning

If your team is drowning in alerts, we fix that. We reduce noise, surface what matters, and make your analysts' lives measurably better.

CrowdStrike, SentinelOne, Microsoft Defender, Splunk

Our Approach

We don't deliver generic rule packs. Every engagement starts with understanding your environment, your adversaries, and your team's real capabilities.

01.

Threat Model Alignment

Before we write a single detection, we map your environment's attack surface: who's targeting your industry, how they get in, and what they go after. That's what shapes everything we build.

02.

Coverage Gap Analysis

We map your existing detections against MITRE ATT&CK and your threat model to produce a gap report with clear prioritization.

03.

Detect, Test, Deploy

Every rule we write is tested against real attack simulation before it hits production. No untested detections.

04.

Maintain & Iterate

Threats evolve. We keep your detections current, retire stale rules, and continuously validate coverage as your environment changes.
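The coverage gap analysis in step 02, as an added example that is not Purple Shell Security's own tooling: a small script that reads Sigma-style `attack.*` tags from a detection library, checks them against a prioritized threat model, and produces per-tactic coverage plus a ranked gap list, in the shape of the `detection-audit.sh` output above. The threat model, the rules and their tags are constructed for illustration; the tactic names and technique IDs follow the ATT&CK and Sigma conventions.

```python
"""Coverage gap analysis: map detection rules to MITRE ATT&CK and a threat model.

Added example; all inputs below are constructed, not real client data.
"""
import re
from collections import defaultdict

# Constructed threat model: technique ID -> (tactic, priority). Priority 1 = highest.
THREAT_MODEL = {
    "T1566.001": ("initial-access", 1),
    "T1078":     ("initial-access", 1),
    "T1059.001": ("execution", 1),
    "T1053.005": ("privilege-escalation", 2),
    "T1021.001": ("lateral-movement", 1),
    "T1021.002": ("lateral-movement", 2),
    "T1550.002": ("lateral-movement", 2),
    "T1070.001": ("defense-evasion", 1),
    "T1562.001": ("defense-evasion", 1),
    "T1027":     ("defense-evasion", 3),
}

# Constructed detection library: rule title -> Sigma-style tags.
RULES = {
    "Office child process from phishing attachment": ["attack.initial-access", "attack.t1566.001"],
    "Encoded PowerShell command line":               ["attack.execution", "attack.t1059.001"],
    "Scheduled task created by non-admin":           ["attack.privilege-escalation", "attack.t1053.005"],
    "RDP logon from workstation subnet":             ["attack.lateral-movement", "attack.t1021.001"],
    "Security event log cleared":                    ["attack.defense-evasion", "attack.t1070.001"],
    "Mimikatz module load":                          ["attack.credential-access", "attack.t1003.001"],
}

TECH_TAG = re.compile(r"attack\.t(\d{4}(?:\.\d{3})?)", re.IGNORECASE)


def techniques_from_tags(tags):
    """Extract technique IDs from Sigma tags: 'attack.t1059.001' -> 'T1059.001'.
    Tactic tags such as 'attack.execution' are ignored."""
    return {"T" + m.group(1) for tag in tags if (m := TECH_TAG.fullmatch(tag))}


def covered_techniques(rules):
    """Technique ID -> titles of the rules that claim to detect it (exact ID match only;
    a rule for a parent technique is not assumed to cover its sub-techniques)."""
    cov = defaultdict(list)
    for title, tags in rules.items():
        for tech in techniques_from_tags(tags):
            cov[tech].append(title)
    return cov


def coverage_by_tactic(rules, threat_model):
    """Per tactic: (covered, total, percent), counting only threat-model techniques."""
    cov = covered_techniques(rules)
    counts = defaultdict(lambda: [0, 0])
    for tech, (tactic, _prio) in threat_model.items():
        counts[tactic][1] += 1
        if tech in cov:
            counts[tactic][0] += 1
    return {t: (c, n, round(100 * c / n)) for t, (c, n) in counts.items()}


def gap_report(rules, threat_model):
    """Threat-model techniques with no rule at all, highest priority first."""
    cov = covered_techniques(rules)
    gaps = sorted((prio, tactic, tech) for tech, (tactic, prio) in threat_model.items()
                  if tech not in cov)
    return [(tech, tactic, prio) for prio, tactic, tech in gaps]


def unmapped_rules(rules, threat_model):
    """Rules that claim no threat-model technique: review for retirement, not silent keeping."""
    return [title for title, tags in rules.items()
            if not techniques_from_tags(tags) & set(threat_model)]


if __name__ == "__main__":
    print(f"Loaded {len(RULES)} rules; threat model has {len(THREAT_MODEL)} techniques")
    for tactic, (c, n, pct) in coverage_by_tactic(RULES, THREAT_MODEL).items():
        flag = "✓" if pct >= 70 else "⚠"   # threshold is an arbitrary example value
        print(f"  {flag} {tactic:<22} {pct:>3}% ({c}/{n})")
    print("Gaps (priority, tactic, technique):")
    for tech, tactic, prio in gap_report(RULES, THREAT_MODEL):
        print(f"  P{prio} {tactic:<22} {tech}")
    print("Rules outside the threat model:", unmapped_rules(RULES, THREAT_MODEL))
```

What this measures is claimed coverage: a rule tagged with a technique is counted whether or not it fires on a real execution of that technique. That is why step 03 exists; the percentages only mean something once each counted rule has been validated against simulated activity, and the "rules outside the threat model" list is the starting point for the retirement review in step 04.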

Adversary Lab is our detection content library — the same methodology we deploy for clients, packaged for practitioners building on their own.

See the library →
Charles Garrett — Purple Shell Security

Built by a Detection Engineer. For teams that need it done right.

I've watched organizations spend millions on security tools and still get breached. Not because the tools failed. Because nobody built the right detections.

That's the gap I fill.

I'm Charles Garrett. Years spent in financial services environments where the adversaries are sophisticated, the data is sensitive, and getting it wrong isn't an option. Cloud-native. Multi-platform. Production-grade.

That's what you get with Purple Shell Security.

Signal over noise
Every detection we write has a clear purpose. We don't pad rule counts. We build things that fire when they should.
Threat-informed, always
Detections without a threat model are guesswork. We tie everything back to realistic adversary behavior.
Transparent
You'll always know exactly what we built, why we built it, and how to maintain it when we're gone.
Practical outcomes
Everything ties back to reducing real risk. Not optics, not compliance theater, not checkbox exercises.

Let's Talk

If your team is drowning in alerts, or you're not confident your detections would catch the threats targeting you, that's where we start.

Tell us what you're dealing with. We'll tell you what we can do about it.

Or email Charles directly at
charles@purpleshellsecurity.com

Response time: within one business day.