diff --git a/build.sh b/build.sh
index 774c866..f2d374b 100755
--- a/build.sh
+++ b/build.sh
@@ -323,10 +323,20 @@ case "$IMAGE_TYPE" in
 if [ "$KALI_VARIANT" = "netinst" ]; then
 export DISKTYPE="NETINST"
- else
+ profiles="kali"
+ auto_profiles="kali"
+ elif [ "$KALI_VARIANT" = "purple" ]; then
+ export DISKTYPE="BD"
+ profiles="kali kali-purple"
+ auto_profiles="kali kali-purple"
+ else # plain installer
 export DISKTYPE="BD"
+ profiles="kali offline"
+ auto_profiles="kali offline"
 fi
 debug "DISKTYPE: $DISKTYPE"
+ debug "profiles: $profiles"
+ debug "auto_profiles: $auto_profiles"
 if [ -e .mirror ]; then
 kali_mirror=$(cat .mirror)
@@ -379,7 +389,9 @@ case "$IMAGE_TYPE" in
 --force-root \
 --conf simple-cdd.conf \
 --dist $CODENAME \
- --debian-mirror $kali_mirror
+ --debian-mirror $kali_mirror \
+ --profiles "$profiles" \
+ --auto-profiles "$auto_profiles"
 res=$?
 cd ../
 if [ $res -ne 0 ] || [ ! -e $IMAGE_NAME ]; then
diff --git a/kali-config/common/includes.installer/preseed.cfg b/kali-config/common/includes.installer/preseed.cfg
index 0725ccf..848fede 100644
--- a/kali-config/common/includes.installer/preseed.cfg
+++ b/kali-config/common/includes.installer/preseed.cfg
@@ -61,3 +61,11 @@ kismet-capture-common kismet-capture-common/install-setuid boolean true
 wireshark-common wireshark-common/install-setuid boolean true
 sslh sslh/inetd_or_standalone select standalone
 atftpd atftpd/use_inetd boolean false
+
+# Defensive packages
+tripwire tripwire/installed boolean true
+tripwire tripwire/installed seen true
+tripwire tripwire/rebuild-config boolean false
+tripwire tripwire/rebuild-policy boolean false
+tripwire tripwire/use-localkey boolean false
+tripwire tripwire/use-sitekey boolean false
diff --git a/kali-config/installer-purple/packages b/kali-config/installer-purple/packages
new file mode 100644
index 0000000..803887a
--- /dev/null
+++ b/kali-config/installer-purple/packages
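Review bot: In the first build.sh hunk, `profiles` and `auto_profiles` receive the same string in each of the three branches, so the two lists can drift apart on a later edit without anyone noticing. If they are meant to stay equal, assign only `profiles` per branch and add `auto_profiles="$profiles"` after the `fi`. If they may differ later, a one-line comment saying what each list controls would help. The final `else` also takes any `KALI_VARIANT` value other than `netinst` or `purple`, so a mistyped variant presumably builds the plain installer with the `offline` profile; the enclosing `case` arm starts and ends outside the hunk.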
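Review bot: In the second build.sh hunk, the re-added line `--debian-mirror $kali_mirror \` still expands unquoted, while the two new options beside it are quoted. `kali_mirror` is read from `.mirror` with `cat` (context of the first hunk), so whitespace or glob characters in that file would be split into extra arguments of a command that runs with `--force-root`. I would write `--debian-mirror "$kali_mirror" \`, and likewise `--dist "$CODENAME" \` on the context line above it. The command being invoked begins above the hunk.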
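Review bot: The tripwire answers added to preseed.cfg set `use-sitekey` and `use-localkey` to false and disable the config and policy rebuild, but the only comment is `# Defensive packages`. Judging by the template names, the package is then installed without site or local keys, so integrity checking presumably stays uninitialised until someone creates the keys and the baseline database by hand. I would extend the comment, for example `# tripwire: installed without keys so the installer never prompts for passphrases; generate keys and initialise the database after install.` The file sits under `kali-config/common/`, so these answers apply to every variant and not only to purple.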
@@ -0,0 +1,19 @@
+# Installer for Kali Purple
+
+# Metapackages
+# You can customize the set of Kali metapackages (groups of tools) available
+# in the installer ISO.
+# For the complete list see: https://tools.kali.org/kali-metapackages
+kali-system-core
+
+# Tools
+kali-tools-detect
+kali-tools-identify
+kali-tools-protect
+kali-tools-recover
+kali-tools-respond
+
+# Graphical desktops
+kali-desktop-xfce
+kali-desktop-gnome
+kali-desktop-kde
diff --git a/simple-cdd/profiles/kali-purple.excludes b/simple-cdd/profiles/kali-purple.excludes
new file mode 100644
index 0000000..2870ae3
--- /dev/null
+++ b/simple-cdd/profiles/kali-purple.excludes
@@ -0,0 +1,3 @@
+# Exclude big packages that are Recommended by defensive tools metapackages.
+# Keep this list in sync with kali-meta/debian/control.
+exploitdb-papers
diff --git a/simple-cdd/profiles/kali-purple.postinst b/simple-cdd/profiles/kali-purple.postinst
new file mode 100755
index 0000000..64f09ca
--- /dev/null
+++ b/simple-cdd/profiles/kali-purple.postinst
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -eu
+
+configure_elastic() {
+ # Install the elastic archive keyring
+ wget -q -O- https://artifacts.elastic.co/GPG-KEY-elasticsearch \
+ > /etc/apt/keyrings/elastic-keyring.asc
+
+ # Enable the repository
+ cat >/etc/apt/sources.list.d/elastic.list <