diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md index 588c5ca2a6..3c4deac0bb 100644 --- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md @@ -23,7 +23,9 @@ ms.date: 28/02/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -## Preparations +You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response. + +## Before you begin To run any of the provided simulations, you need at least [one onboarded machine](onboard-configure-windows-defender-advanced-threat-protection.md). 
@@ -31,7 +33,13 @@ Read the walkthrough document provided with each attack scenario. Each document ## Run a simulation -1. In **Help** > **Simulations & tutorials**, select the attack scenario you would like to simulate. +1. In **Help** > **Simulations & tutorials**, select which of the available attack scenario you would like to simulate: + + - **Scenario 1: Document drops backdoor** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity. + + - **Scenario 2: PowerShell script in fileless attack** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control. + + - **Scenario 3: Automated incident response** - triggers Automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity. 2. Download and read the corresponding walkthrough document provided with your selected scenario. @@ -39,6 +47,9 @@ Read the walkthrough document provided with each attack scenario. Each document 4. Run the simulation file or script on the test machine as instructed in the walkthrough document. +>[!NOTE] +>Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise to your test machine. + ## Related topics - [Onboard and set up Windows Defender ATP](onboard-configure-windows-defender-advanced-threat-protection.md) - [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) \ No newline at end of file
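Review bot: Renaming the heading from "## Preparations" to "## Before you begin" in the first hunk (@@ -23,7 +23,9 @@) changes the anchor generated from the heading text, so any link that targets the old "#preparations" fragment will stop resolving. Search the docs set for such links and update them in the same change. The hunk header context also shows "ms.date: 28/02/2018" and no hunk in this patch touches it, so confirm whether the date should be updated along with the content.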
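Review bot: The descriptions for Scenario 1 and Scenario 2 in the second hunk (@@ -31,7 +33,13 @@) look swapped. "Scenario 1: Document drops backdoor" is described as "a fileless attack that relies on PowerShell", while "Scenario 2: PowerShell script in fileless attack" is described as "delivery of a socially engineered lure document" that "launches a specially crafted backdoor". A reader choosing a scenario by its description would then open the wrong walkthrough and look for the wrong alerts, so exchange the two description texts to match their titles. In the same step, "select which of the available attack scenario" needs the plural "scenarios".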
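Review bot: The added note in the third hunk (@@ -39,6 +47,9 @@) has a stray "to" in "will not harm or compromise to your test machine". Suggest "will not harm or compromise your test machine". Since this note is the only assurance the page gives about the safety of the simulation files, it is worth getting the wording exact. The patch also leaves the "\ No newline at end of file" condition in place after the last Related topics entry; adding a trailing newline here would avoid a spurious diff the next time the file is edited.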