How it works

  1. Red — an agent picks an attack technique and fires HTTP requests at a toy vulnerable app via a single sandboxed tool. No shell, no outbound internet.
  2. Target — every request is logged as structured JSON. Attack traffic lands mixed in with pre-recorded benign traffic from real-looking users.
  3. Blue — a second agent reads the mixed log stream and emits a Sigma YAML rule keyed on the attack signature while minimizing false positives.
  4. Verifier — an inline Sigma evaluator runs the rule against the full run logs plus a 200-entry benign corpus, scoring true positives, false positives, and time-to-detect.
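Steps 3 and 4 in code, as an added illustration that is not PurpleLoop's own code: a tiny Sigma-style evaluator (plain equality and the `|contains` modifier, conditions of the form `sel` or `sel and not filt`) run over a constructed JSON log stream, scoring three candidate rules the way the verifier does. The log fields, the rules and the traversal-style attack marker are assumptions made for the example.

```python
import json
from datetime import datetime

# Constructed log stream: benign traffic with two attack requests mixed in. "label" is the
# ground truth the verifier holds for scoring; the Blue agent never sees it.
LOG_LINES = [
    '{"ts":"2024-01-01T00:00:00","path":"/login","status":200,"label":"benign"}',
    '{"ts":"2024-01-01T00:00:04","path":"/files?name=report.pdf","status":500,"label":"benign"}',
    '{"ts":"2024-01-01T00:00:09","path":"/files?name=..%2f..%2fapp.conf","status":500,"label":"attack"}',
    '{"ts":"2024-01-01T00:00:12","path":"/files?name=logo.png","status":200,"label":"benign"}',
    '{"ts":"2024-01-01T00:00:15","path":"/files?name=../../app.conf","status":500,"label":"attack"}',
]

# Candidate rules as a Blue agent might emit them (YAML already parsed into dicts).
LOOSE_RULE = {"detection": {"sel": {"status": 500}, "condition": "sel"}}
NARROW_RULE = {"detection": {"sel": {"status": 500, "path|contains": "../"}, "condition": "sel"}}
ROBUST_RULE = {"detection": {"sel": {"status": 500, "path|contains": ["../", "..%2f"]},
                             "condition": "sel"}}

def _match_field(entry, key, expected):
    """Plain key: equality. 'key|contains': substring. A list of values is OR'd, as in Sigma."""
    field, _, modifier = key.partition("|")
    value = str(entry.get(field, ""))
    for want in (expected if isinstance(expected, list) else [expected]):
        want = str(want)
        if (modifier == "contains" and want in value) or (modifier == "" and value == want):
            return True
    return False

def _match_selection(entry, selection):
    return all(_match_field(entry, k, v) for k, v in selection.items())  # fields are AND'd

def matches(rule, entry):
    """Evaluate a condition of the form 'sel' or 'sel and not filt'."""
    det = rule["detection"]
    pos, _, neg = det["condition"].partition(" and not ")
    return _match_selection(entry, det[pos]) and not (neg and _match_selection(entry, det[neg]))

def score(rule, log_lines):
    """Verifier metrics: true/false positives and seconds from the first attack request
    to the first one the rule fires on (None if it never fires on any)."""
    entries = [json.loads(line) for line in log_lines]
    hits = [e for e in entries if matches(rule, e)]
    tp = sum(e["label"] == "attack" for e in hits)
    first_attack = next(e["ts"] for e in entries if e["label"] == "attack")
    first_hit = next((e["ts"] for e in hits if e["label"] == "attack"), None)
    ttd = None if first_hit is None else (
        datetime.fromisoformat(first_hit) - datetime.fromisoformat(first_attack)).total_seconds()
    return {"tp": tp, "fp": len(hits) - tp, "ttd_s": ttd}
```

On this stream the loose rule catches both attacks but also the benign 500, the narrow rule has no false positives but misses the URL-encoded variant and so detects six seconds late, and the robust rule scores clean on all three metrics.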

Why this matters

Detection engineering is bottlenecked on humans. Every new attack technique, every shifted signature, every customer environment needs a rule written by someone who knows what normal looks like. If that loop becomes continuous and automated — attack, detect, verify, adapt — defense finally keeps pace with AI-driven offense.

PurpleLoop is a toy version of that loop, end-to-end, in one click.