Test login for credential stuffing resistance - Check for default credentials on non-production systems - Test password reset flows for account takeover - Check IDOR by manipulating object references (user IDs, document IDs, order IDs) - Test horizontal and vertical privilege escalation - Check for