01
1. Pick a working RunRequest as a base
- Run a one-off from /runs/new and copy the body the wizard generated — it is the RunRequest you want to template.
- Strip anything tenant-specific (asset hostnames, ROE ids) so the scenario stays reusable.
- Decide a category: owasp-top10, auth-controls, cloud-misconfiguration, data-exfiltration, or ai-attacks.
02
2. Save and rerun
- Open /settings/scenarios → New scenario. Paste the template, fill title + description, pick MITRE tactics (TA####).
- Save. The scenario shows up in your tenant catalogue at /runs/new alongside the built-in ones.
- Trigger it like any other entry. Audit log records the creation under member.invited (transitional action key).