Hybrid AD as Code: A Purple Team Playground

By: Jordi Gerritsen & Tom Kluter
Security teams rely on Active Directory labs to simulate attacks and develop detections, but these environments are often fragile, undocumented, and impossible to reproduce consistently.
What if your entire AD attack lab could be destroyed and rebuilt with a single command?
This session explores how to transform GOAD into a fully automated hybrid Active Directory playground using Proxmox, Packer, Terraform, and Ansible, explaining not just how to build it, but why we are doing this.
We’ll discuss:
- Why giving red teamers a safe, realistic AD environment improves offensive tradecraft
- Extending the lab into a hybrid setup using a dedicated Microsoft Entra ID tenant to simulate modern enterprise identity
- Testing cloud-to-on-prem attack paths and validating detection coverage across identity boundaries
- Why SOC teams need access to the same infrastructure to validate detections
- The value of integrating SIEM and EDR tooling into lab environments
- How realistic telemetry enables meaningful purple team collaboration
- Why disposable infrastructure allows us to safely test insecure configurations and attack paths
We’ll explain the purpose behind each layer, from virtualization to automation, and how disposable infrastructure allows teams to test attacks, measure visibility, and rebuild environments on demand.
By connecting intentionally vulnerable infrastructure, both on-prem and hybrid, to logging and detection platforms, the lab becomes more than a playground for attackers. It becomes a controlled platform for detection engineering, SOC training, and adversary simulation as well.
This approach turns an AD lab into a shared platform supporting pentesters, purple teams, and SOC analysts alike, and is a great way to improve technical skills and collaboration across an organization.