Purple Shell Security is a detection engineering firm — AI-accelerated, human-validated. We design, build, and deploy detection programs, and the agents that triage what they surface, so your analysts see signal, not noise.
We focus on four core engagements. Because depth beats breadth when it comes to detection.
A subscription model for continuous detection rule development, tuning, and lifecycle management. We act as an embedded detection engineer, without the full-time headcount cost. Monthly engagement, no long-term lock-in.
A structured engagement to build your detection catalog from the ground up or close critical gaps. Mapped to MITRE ATT&CK and tailored to your environment and threat model.
Simulated adversary activity combined with real-time detection validation. We attack and defend simultaneously, exposing coverage gaps you can actually act on.
If your team is drowning in alerts, we fix that. We tune out the junk and surface what matters, so your analysts spend their time on real threats, not chasing noise.
We don't deliver generic rule packs. Every engagement starts with understanding your environment, your adversaries, and your team's real capabilities.
Before we write a single detection, we map your environment's attack surface: who's targeting your industry, how they get in, and what they go after. That's what shapes everything we build.
We map your existing detections against MITRE ATT&CK and your threat model to produce a gap report with clear prioritization.
Every rule we write is tested against real attack simulation before it hits production. No untested detections.
Threats evolve. We keep your detections current, retire stale rules, and continuously validate coverage as your environment changes.
The engineer who trains other detection engineers. Adversary Lab is our detection engineering training program — the exact methodology above, taught to practitioners. Same standards we deploy for clients.
See the program →The top of this page says alert fatigue is a detection problem. Here's me solving it in the open. Read-only by design, tested against live attack simulations, and honest about the limits. No client logos to parade yet — so instead of a pitch, here's the actual work.
A read-only AI agent that triages GuardDuty findings across IAM, EKS, and EC2. It pulls CloudTrail, EKS audit, and VPC-flow logs for context, reasons on Bedrock, and drops a structured verdict on a queue for your SIEM. It never touches your account — it advises, a human acts.
View on GitHub →Give it a user or a service principal; it pulls their sign-in, directory, and resource activity from Log Analytics and returns an analyst-style writeup with schema-validated findings. Managed identity — no keys. Comes with a full writeup of the Azure logging quirks most people get wrong.
View on GitHub →The Sentinel-native version of the GuardDuty agent — same read-only, evidence-first approach, built on Microsoft's stack. In progress.
In developmentI've watched organizations spend millions on security tools and still get breached. Not because the tools failed. Because nobody built the right detections.
That's the gap I fill.
I'm Charles Garrett. Years spent in financial services environments where the adversaries are sophisticated, the data is sensitive, and getting it wrong isn't an option. Cloud-native. Multi-platform. Every detection tested against attack simulation before it ships.
That's what you get with Purple Shell Security.
If your team is drowning in alerts or you're not confident your detections would catch the threats targeting you, that's where we start. Tell us what you're dealing with. We'll tell you what we can do about it.
Or email Charles directly at
charles@purpleshellsecurity.com
Response time: within one business day.
Every engagement starts with a fixed-fee Detection Gap Assessment: a prioritized coverage report mapped to MITRE ATT&CK and the threats targeting you. No long-term commitment to see the value — ongoing work is month-to-month.