| TC-SEC-001 | Unauthenticated protected page access | Security | Critical | User is redirected or denied | Screenshot | Not Run |
| TC-SEC-002 | Unauthenticated protected API access | Security | Critical | API returns unauthorized | API response | Not Run |
| TC-SEC-003 | Role escalation attempt | Security | Critical | Access denied | API response or screenshot | Not Run |
| TC-SEC-004 | Cross-tenant ID tampering attempt | Security | Critical | Access denied | API request/response | Not Run |
| TC-SEC-005 | Sensitive file upload validation where applicable | Security | High | Invalid or unsafe upload rejected | API/UI evidence | Not Run |
| TC-SEC-006 | Secrets are not exposed in public documentation | Security | High | No secrets found | Review evidence | Not Run |