Testing for account enumeration and guessable accounts

By interacting with an authentication mechanism, a tester may find it possible to collect a set of valid usernames. Once the valid accounts are identified, it may be possible to brute-force passwords. This recipe explains how Burp Intruder can be used to collect a list of valid usernames.
