Setting scenarios
As shown in the section mentioning variations, it's important to engage your audience. Of course, you can say, "something's vulnerable and there's a flag somewhere; go nuts," but that doesn't represent a proper test or real-life scenario. Let's get them into good habits early. The idea is to provide the testers with a brief of the kind you would expect to receive for a test. So, the following should be covered as a minimum:
Scenario: This can be as basic (this is a standard internal infrastructure test) or as far-fetched (you're testing Artemis missile command) as you like. The important thing is to give context to the actions that the users will undertake. You can also then use this to provide flavor to the servers you set up, naming conventions, red herring content, and so on. Ultimately, you need to frame the exercise so that it's relatable for the users.
End goal: Again, this can be stupidly simple or very complicated. I've seen enumerate and report all the...