Invokes Blue Team with technique IDs; maps detections to ATT&CK/ATLAS; proposes mitigations. Use when the user says Blue Team, defenders, detection mapping, ATT&CK mitigation, or requests Blue Team review.
When the user invokes Blue Team, defenders, or requests detection mapping:

docs/agents/roles/blue-team-agent.md and docs/agents/security-team-proof-of-work.md

For every Blue check, produce:
### Blue check – [phase]
- **Red action reviewed:** [brief description]
- **Technique IDs:** T1566, ATLAS-T-001 (from Red block)
- **Alarm went off?** Yes | No
- **If yes:** What detected it? [log, alert, rule]
- **If no (gap):** What should have detected it?
- **Mitigation:** [proposed or implemented fix]
- **ATT&CK/ATLAS mapping:** [detection → technique; mitigation → technique]
- **Artifacts:** [paths]
Include technique IDs so coverage reports can build heat maps.
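As an added example (not part of this skill or its referenced docs), the following Python parses Blue check blocks in the format above and folds them into a per-technique heat map of detections versus gaps; the sample entries embedded in it are constructed, and the field-label and ID patterns assume the block format is followed exactly as written above.

```python
import re
from collections import defaultdict

# Constructed sample proof-of-work entries in the Blue check format (not from any real exercise file).
SAMPLE_BLUE_CHECKS = """\
### Blue check – initial access
- **Red action reviewed:** simulated phishing lure sent to a test inbox
- **Technique IDs:** T1566
- **Alarm went off?** Yes
- **If yes:** suspicious-sender rule fired in the mail gateway log
- **Mitigation:** link validation on inbound mail
- **ATT&CK/ATLAS mapping:** detection → T1566; mitigation → T1566

### Blue check – exploitation
- **Red action reviewed:** malformed input submitted to a public form
- **Technique IDs:** T1190, ATLAS-T-001
- **Alarm went off?** No
- **If no (gap):** input-validation alert on the form handler
- **Mitigation:** allowlist on form fields
- **ATT&CK/ATLAS mapping:** mitigation → T1190, ATLAS-T-001
"""

BLOCK_RE = re.compile(r"^### Blue check – (?P<phase>.+)$", re.M)
FIELD_RE = re.compile(r"^- \*\*(?P<key>[^*]+?)\*\*\s*(?P<val>.*)$", re.M)
# ATT&CK IDs (with optional sub-technique) and this page's ATLAS-T-NNN convention.
ID_RE = re.compile(r"\b(T\d{4}(?:\.\d{3})?|ATLAS-T-\d{3})\b")

def parse_blue_checks(text):
    """Split proof-of-work markdown into one dict per Blue check, keyed by field label."""
    checks = []
    heads = list(BLOCK_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        fields = {m.group("key").rstrip(":?").strip(): m.group("val").strip()
                  for m in FIELD_RE.finditer(body)}
        fields["phase"] = head.group("phase").strip()
        checks.append(fields)
    return checks

def coverage_heatmap(checks):
    """Per technique ID, count checks where an alarm fired versus detection gaps."""
    heat = defaultdict(lambda: {"detected": 0, "gap": 0})
    for check in checks:
        fired = check.get("Alarm went off", "").lower().startswith("yes")
        for tid in ID_RE.findall(check.get("Technique IDs", "")):
            heat[tid]["detected" if fired else "gap"] += 1
    return dict(heat)
```

Techniques whose `gap` count is non-zero are the ones the coverage report should flag for the proposed mitigation.
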
| Technique type | Mitigation examples |
|---|---|
| Phishing (T1566) | User training, link validation, suspicious sender alerts |
| Injection (T1190, ATLAS-T-001) | Input validation, allowlist, output encoding |
| Context poisoning (ATLAS-T-002) | Audit external files, cross-check against KNOWN_TRUTHS |
| Credential abuse (T1078) | MFA, session limits, anomaly detection |
docs/agents/security-team-proof-of-work.md or exercise file

docs/agents/data-sets/security-exercises/artifacts/

When running with Red (Purple): per docs/agents/purple-team-protocol.md. Red attacks → Blue checks → fix → re-test.