Services Approach Proof About Contact LinkedIn Book a Gap Assessment →

Alert fatigue isn't a SIEM problem. It's a detection problem.

Purple Shell Security is a detection engineering firm — AI-accelerated, human-validated. We design, build, and deploy detection programs, and the agents that triage what they surface, so your analysts see signal, not noise.

detection-audit.sh
$ ./detection-audit.sh --env prod
→ Loading detection library... 312 rules
→ Mapping to MITRE ATT&CK... done
→ Coverage analysis:
  ✓ Initial Access 82%
  ✓ Privilege Escalation 74%
  ⚠ Lateral Movement 41%
  ⚠ Defense Evasion 29%
 
→ Generating gap report...
$

Services

We focus on four core engagements. Because depth beats breadth when it comes to detection.

[01]

Detection-as-a-Service

A subscription model for continuous detection rule development, tuning, and lifecycle management. We act as an embedded detection engineer, without the full-time headcount cost. Monthly engagement, no long-term lock-in.

Splunk Sentinel Chronicle Elastic
[02]

Detection Library Buildouts

A structured engagement to build your detection catalog from the ground up or close critical gaps. Mapped to MITRE ATT&CK and tailored to your environment and threat model.

MITRE ATT&CK Sigma YARA
[03]

Purple Team Exercises

Simulated adversary activity combined with real-time detection validation. We attack and defend simultaneously, exposing coverage gaps you can actually act on.

Adversary Simulation Detection Validation
[04]

SIEM / EDR Tuning

If your team is drowning in alerts, we fix that. We tune out the junk and surface what matters, so your analysts spend their time on real threats, not chasing noise.

CrowdStrike SentinelOne Microsoft Defender Splunk

Our Approach

We don't deliver generic rule packs. Every engagement starts with understanding your environment, your adversaries, and your team's real capabilities.

01.

Threat Model Alignment

Before we write a single detection, we map your environment's attack surface: who's targeting your industry, how they get in, and what they go after. That's what shapes everything we build.

02.

Coverage Gap Analysis

We map your existing detections against MITRE ATT&CK and your threat model to produce a gap report with clear prioritization.

03.

Detect, Test, Deploy

Every rule we write is tested against real attack simulation before it hits production. No untested detections.

04.

Maintain & Iterate

Threats evolve. We keep your detections current, retire stale rules, and continuously validate coverage as your environment changes.

The engineer who trains other detection engineers. Adversary Lab is our detection engineering training program — the exact methodology above, taught to practitioners. Same standards we deploy for clients.

See the program →

Don't take my word for it. Read the code.

The top of this page says alert fatigue is a detection problem. Here's me solving it in the open. Read-only by design, tested against live attack simulations, and honest about the limits. No client logos to parade yet — so instead of a pitch, here's the actual work.

AWS

GuardDuty Triage Agent

A read-only AI agent that triages GuardDuty findings across IAM, EKS, and EC2. It pulls CloudTrail, EKS audit, and VPC-flow logs for context, reasons on Bedrock, and drops a structured verdict on a queue for your SIEM. It never touches your account — it advises, a human acts.

View on GitHub
Azure

Principal Activity Analyzer

Give it a user or a service principal; it pulls their sign-in, directory, and resource activity from Log Analytics and returns an analyst-style writeup with schema-validated findings. Managed identity — no keys. Comes with a full writeup of the Azure logging quirks most people get wrong.

View on GitHub
Microsoft Sentinel

Sentinel Triage Agent

The Sentinel-native version of the GuardDuty agent — same read-only, evidence-first approach, built on Microsoft's stack. In progress.

In development
Charles Garrett — Purple Shell Security

Built by a Principal Detection Engineer. For teams that need it done right.

I've watched organizations spend millions on security tools and still get breached. Not because the tools failed. Because nobody built the right detections.

That's the gap I fill.

I'm Charles Garrett. Years spent in financial services environments where the adversaries are sophisticated, the data is sensitive, and getting it wrong isn't an option. Cloud-native. Multi-platform. Every detection tested against attack simulation before it ships.

That's what you get with Purple Shell Security.

Signal over noise
Every detection we write has a clear purpose. We don't pad rule counts. We build things that fire when they should.
Threat-informed, always
Detections without a threat model are guesswork. We tie everything back to realistic adversary behavior.
Transparent
You'll always know exactly what we built, why we built it, and how to maintain it when we're gone.
Practical outcomes
Everything ties back to reducing real risk. Not optics, not compliance theater, not checkbox exercises.

Let's Talk

If your team is drowning in alerts or you're not confident your detections would catch the threats targeting you, that's where we start. Tell us what you're dealing with. We'll tell you what we can do about it.

Or email Charles directly at
charles@purpleshellsecurity.com

Response time: within one business day.

Every engagement starts with a fixed-fee Detection Gap Assessment: a prioritized coverage report mapped to MITRE ATT&CK and the threats targeting you. No long-term commitment to see the value — ongoing work is month-to-month.