diff --git a/playbooks/test_scenarios/03_security_mgmt_vlan.yaml b/playbooks/test_scenarios/03_security_mgmt_vlan.yaml
new file mode 100644
index 000000000..9ebb66da6
--- /dev/null
+++ b/playbooks/test_scenarios/03_security_mgmt_vlan.yaml
@@ -0,0 +1,22 @@
+---
+# Crescit Test Scenario 4.1: Management VLAN Security Violation
+# Expected Detection: CRITICAL severity by Policy Validator
+# Expected Auto-Fix: Suggest VLAN ID in secure range (3900-3999)
+
+- hosts: ndfc
+ gather_facts: false
+ connection: ansible.netcommon.httpapi
+
+ vars:
+ fabric_name: cisco_test_fabric1
+
+ tasks:
+ - name: Add management VLAN outside secure range
+ cisco.dcnm.dcnm_vlan:
+ fabric: "{{ fabric_name }}"
+ state: merged
+ config:
+ - vlan_id: 100 # ❌ CRITICAL: Management VLANs must be 3900-3999
+ vlan_name: "MGMT_OOB_VLAN100"
+ vlan_description: "Out-of-band management VLAN - INSECURE RANGE"
+ deploy: false
diff --git a/playbooks/test_scenarios/06_full_stack_valid.yaml b/playbooks/test_scenarios/06_full_stack_valid.yaml
new file mode 100644
index 000000000..1cf7e9485
--- /dev/null
+++ b/playbooks/test_scenarios/06_full_stack_valid.yaml
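Review bot: Nothing in the play itself stops this negative test from being applied: `deploy: false` keeps VLAN 100 off the switches, but the `state: merged` task still writes the VLAN into the `cisco_test_fabric1` intent on the NDFC controller if the playbook is run directly instead of going through the Policy Validator (assuming `dcnm_vlan` behaves like the other dcnm modules on merged). Since the scenario exists to be blocked, I would add `check_mode: true` to the task so an accidental `ansible-playbook` run reports instead of changes, and state in the header that the file must never be run against a non-lab fabric. It is also not visible what makes the validator classify this as a management VLAN — presumably the `MGMT_` prefix or the description text — so a comment naming the trigger, e.g. `# Validator matches 'MGMT' in vlan_name/vlan_description`, would keep the test meaningful if the naming is ever changed.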
@@ -0,0 +1,79 @@
+---
+# Crescit Test Scenario 13.1: Full Stack Change (VRF + Networks + Interfaces)
+# Expected Detection: LOW risk, validates dependency chain, generates topology
+# Expected Result: PASS with comprehensive blast radius visualization
+
+- hosts: ndfc
+ gather_facts: false
+ connection: ansible.netcommon.httpapi
+
+ vars:
+ fabric_name: cisco_test_fabric1
+ leaf_switch: 192.168.10.211
+
+ tasks:
+ # Step 1: Create VRF (foundation)
+ - name: Create new application VRF
+ cisco.dcnm.dcnm_vrf:
+ fabric: "{{ fabric_name }}"
+ state: merged
+ config:
+ - vrf_name: PROD_VRF_WebTier # ✅ Proper naming
+ vrf_id: 50700
+ vlan_id: 2700
+ rd: "65000:700" # ✅ Explicit RD
+ vrf_template: Default_VRF_Universal
+ vrf_extension_template: Default_VRF_Extension_Universal
+ attach:
+ - ip_address: "{{ leaf_switch }}"
+ deploy: false
+
+ # Step 2: Create networks in VRF
+ - name: Create web tier network
+ cisco.dcnm.dcnm_network:
+ fabric: "{{ fabric_name }}"
+ state: merged
+ config:
+ - net_name: PROD_NET_WebServers # ✅ Proper naming
+ vrf_name: PROD_VRF_WebTier
+ net_id: 30700
+ net_template: Default_Network_Universal
+ net_extension_template: Default_Network_Extension_Universal
+ vlan_id: 3070
+ gw_ip_subnet: "10.107.10.1/24" # ✅ Valid CIDR
+ attach:
+ - ip_address: "{{ leaf_switch }}"
+ ports: []
+ deploy: false
+
+ - name: Create database tier network
+ cisco.dcnm.dcnm_network:
+ fabric: "{{ fabric_name }}"
+ state: merged
+ config:
+ - net_name: PROD_NET_DBServers
+ vrf_name: PROD_VRF_WebTier
+ net_id: 30701
+ vlan_id: 3071
+ gw_ip_subnet: "10.107.20.1/24" # ✅ Non-overlapping
+ attach:
+ - ip_address: "{{ leaf_switch }}"
+ ports: []
+ deploy: false
+
+ # Step 3: Configure SVI for VRF
+ - name: Configure L3 SVI interface
+ cisco.dcnm.dcnm_interface:
+ fabric: "{{ fabric_name }}"
+ state: merged
+ config:
+ - name: Vlan2700
+ type: svi
+ switch:
+ - "{{ leaf_switch }}"
+ profile:
+ int_vrf: PROD_VRF_WebTier
+ ipv4_addr: 10.107.0.1/24
+ mtu: 9216
+ desc: "VRF 
gateway for PROD_VRF_WebTier - Crescit validated"
+ deploy: false
diff --git a/playbooks/test_scenarios/08_bulk_vlan_addition.yaml b/playbooks/test_scenarios/08_bulk_vlan_addition.yaml
new file mode 100644
index 000000000..64b818f8f
--- /dev/null
+++ b/playbooks/test_scenarios/08_bulk_vlan_addition.yaml
@@ -0,0 +1,51 @@
+---
+# Crescit Test Scenario 5.1: Bulk VLAN Addition Triggers Approval
+# Expected Detection: MEDIUM severity by Policy Validator
+# Expected Result: Requires senior engineer review workflow
+
+- hosts: ndfc
+ gather_facts: false
+ connection: ansible.netcommon.httpapi
+
+ vars:
+ fabric_name: cisco_test_fabric1
+
+ tasks:
+ - name: Add 8 VLANs at once (triggers approval workflow)
+ cisco.dcnm.dcnm_vlan:
+ fabric: "{{ fabric_name }}"
+ state: merged
+ config:
+ # ⚠️ MEDIUM: Adding >5 VLANs requires approval
+ - vlan_id: 500
+ vlan_name: "PROD_App_VLAN500"
+ vlan_description: "Application VLAN 500"
+
+ - vlan_id: 501
+ vlan_name: "PROD_App_VLAN501"
+ vlan_description: "Application VLAN 501"
+
+ - vlan_id: 502
+ vlan_name: "PROD_App_VLAN502"
+ vlan_description: "Application VLAN 502"
+
+ - vlan_id: 503
+ vlan_name: "PROD_App_VLAN503"
+ vlan_description: "Application VLAN 503"
+
+ - vlan_id: 504
+ vlan_name: "PROD_App_VLAN504"
+ vlan_description: "Application VLAN 504"
+
+ - vlan_id: 505
+ vlan_name: "PROD_App_VLAN505"
+ vlan_description: "Application VLAN 505"
+
+ - vlan_id: 506
+ vlan_name: "PROD_App_VLAN506"
+ vlan_description: "Application VLAN 506"
+
+ - vlan_id: 507
+ vlan_name: "PROD_App_VLAN507"
+ vlan_description: "Application VLAN 507"
+ deploy: false
diff --git a/playbooks/test_scenarios/09_remove_vlan_high_risk.yaml b/playbooks/test_scenarios/09_remove_vlan_high_risk.yaml
new file mode 100644
index 000000000..83d47020f
--- /dev/null
+++ b/playbooks/test_scenarios/09_remove_vlan_high_risk.yaml
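Review bot: Step 3 defines an SVI on `Vlan2700` with `ipv4_addr: 10.107.0.1/24`, but 2700 is the `vlan_id` already given to `PROD_VRF_WebTier` in Step 1; on NDFC that VLAN is normally consumed by the VRF's own L3VNI SVI, so a second SVI definition on it may collide at deploy time and turn this "expected PASS" scenario into a failure — confirm on a lab fabric or move the interface to a VLAN the VRF does not own. The database network omits `net_template`/`net_extension_template` while the web network sets them; if the module defaults them this is harmless, but the two entries should match so the scenario exercises one code path. The `vars` also hard-code `leaf_switch: 192.168.10.211` — the header should say this is a lab address to be overridden, since a misplaced run would attach production-named VRFs and networks to whatever device answers there.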
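Review bot: The `config` list is unrolled into eight literal entries and the inline comment `# ⚠️ MEDIUM: Adding >5 VLANs requires approval` implies the validator counts those entries; the same change written as one entry under `loop: "{{ range(500, 508) | list }}"` would add the same VLANs while presenting a single item to a static count. If the validator counts only literal list items that is an easy bypass of the approval rule, so a sibling scenario should cover the loop form, and a comment here should say the unrolled list is intentional, e.g. `# Unrolled on purpose: the validator counts config entries; see the loop variant`. The `>5` threshold is also stated only inline — putting it on the header's `Expected Detection` line keeps the two from drifting.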
@@ -0,0 +1,27 @@
+---
+# Crescit Test Scenario 12.1: Removing VLAN (Destructive Operation)
+# Expected Detection: HIGH severity by Policy Validator
+# Expected Result: Requires approval + shows blast radius of removal
+
+- hosts: ndfc
+ gather_facts: false
+ connection: ansible.netcommon.httpapi
+
+ vars:
+ fabric_name: cisco_test_fabric1
+
+ tasks:
+ - name: Remove VLAN from fabric (destructive)
+ cisco.dcnm.dcnm_vlan:
+ fabric: "{{ fabric_name }}"
+ state: deleted # ⚠️ HIGH: Destructive operation requires approval
+ config:
+ - vlan_id: 999 # Assuming this exists
+ vlan_name: "PROD_OldApp_VLAN999"
+ deploy: false
+
+# Expected Crescit Behavior:
+# - Policy: "Removing network constructs requires senior engineer approval" [HIGH]
+# - Impact Analysis: Shows which switches/interfaces use this VLAN
+# - Rollback Plan: Documents how to restore VLAN if needed
+# - Recommendations: Verify VLAN is truly unused before removal
diff --git a/playbooks/test_scenarios/10_network_invalid_cidr.yaml b/playbooks/test_scenarios/10_network_invalid_cidr.yaml
new file mode 100644
index 000000000..435507d38
--- /dev/null
+++ b/playbooks/test_scenarios/10_network_invalid_cidr.yaml
@@ -0,0 +1,26 @@
+---
+# Crescit Test Scenario 3.1: Invalid CIDR Format
+# Expected Detection: CRITICAL severity by Static Validator
+# Expected Auto-Fix: Correct subnet mask to valid value
+
+- hosts: ndfc
+ gather_facts: false
+ connection: ansible.netcommon.httpapi
+
+ vars:
+ fabric_name: cisco_test_fabric1
+
+ tasks:
+ - name: Add network with invalid CIDR notation
+ cisco.dcnm.dcnm_network:
+ fabric: "{{ fabric_name }}"
+ state: merged
+ config:
+ - net_name: PROD_NET_Invalid
+ vrf_name: PROD_VRF_Core # Assuming this exists
+ net_id: 30100
+ net_template: Default_Network_Universal
+ net_extension_template: Default_Network_Extension_Universal
+ vlan_id: 3010
+ gw_ip_subnet: "10.100.1.1/256" # ❌ CRITICAL: /256 is invalid (max /32)
+ deploy: false
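Review bot: With `state: deleted` and `deploy: false`, VLAN 999 is removed from the NDFC intent for the fabric but stays configured on the switches until someone deploys, so the controller and the devices disagree for a while — the `Expected Crescit Behavior` block should say that the blast radius is realized at the next deploy, not at this run. `vlan_name` is not needed to identify a VLAN for deletion, and if it does not match what NDFC holds it is unclear from here whether the module ignores it or fails, so drop it or add a comment stating which. The `# Assuming this exists` note would be better backed by a preceding task that queries the VLAN (the dcnm modules generally offer a `query` state — confirm for `dcnm_vlan`) and registers the result, so the "verify VLAN is truly unused" recommendation is exercised rather than only described.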
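Review bot: The header's `Expected Auto-Fix: Correct subnet mask to valid value` asks the fixer to guess a prefix for `10.100.1.1/256`, but no intended IPv4 prefix can be recovered from /256 — any substitute (/24, /32, …) is an invention that could silently create an overlapping or over-broad subnet on the fabric. The safer expectation is that the validator reports the CIDR as unfixable and requires a human to supply the mask; I would change the header line to `# Expected Auto-Fix: none — flag for manual correction (prefix cannot be inferred from /256)`. Note also that `vrf_name: PROD_VRF_Core # Assuming this exists` means a direct run on a fabric without that VRF would fail on the VRF rather than on the CIDR, so the scenario only tests what it claims when the static validator runs before the playbook.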