This document proposes a new methodology for web application testing that involves testing a system administrator's ability to detect an attack. It suggests conducting a staged test with increasing levels of noise or detection to see when the admin is able to identify an attack. The document also provides examples of how attackers hide connections and clear logs to avoid detection by discussing typical behaviors checked by incident response teams. The goal is to test both the security of the application and the security of the admin's knowledge to help admins learn new ways that attacks can be hidden and to improve security overall.