diff --git a/README.md b/README.md
index 7fd6f27a..5da40d51 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,24 @@ on Red Hat Enterprise Linux.
     content.
     - Note that this may fail if the content is located on a read-only path.
 
+- `CONTEST_CONTENT_PR`
+  - Specify a numerical Pull Request ID (no `#` or other letters) of the
+    [CaC/content](https://github.com/ComplianceAsCode/content/) project.
+  - This will download content from the specified PR and automatically pre-set
+    `CONTEST_CONTENT` to point to it.
+  - Do not specify `CONTEST_CONTENT` in addition to `CONTEST_CONTENT_PR`,
+    use one or the other.
+
+- `CONTEST_OSCAP_PR`
+  - Specify a numerical Pull Request ID (no `#` or other letters) of the
+    [OpenSCAP](https://github.com/OpenSCAP/openscap/) project.
+  - This will add a Packit DNF repository (specific for the PR) to the target
+    system, and upgrade `openscap-scanner`.
+  - As such, `openscap-scanner` built by Packit has to have a newer NVR
+    than the RPM provided by regular OS repositories.
+  - Wait for Packit to build the RPM before running tests with this variable,
+    otherwise the test run will fail.
+
 ## Waiving failed results
 
 In this context, "to waive" means to label a failing result as known-bad,
diff --git a/plans/default.fmf b/plans/default.fmf
index cbfa8f35..6e1bfa42 100644
--- a/plans/default.fmf
+++ b/plans/default.fmf
@@ -1,5 +1 @@
 summary: Default plan (simple for now)
-discover:
-    how: fmf
-execute:
-    how: tmt
diff --git a/plans/main.fmf b/plans/main.fmf
index 2e66462f..502ab9ed 100644
--- a/plans/main.fmf
+++ b/plans/main.fmf
@@ -2,15 +2,66 @@
 /:
     inherit: false
 
+discover:
+    how: fmf
+
+execute:
+    how: tmt
+
 adjust:
-  - prepare:
+  - prepare+:
       - how: shell
         name: install-epel-on-rhel7
         because: python3 is not on RHEL 7 by default
         script: |
+            set -xe
             if ! rpm -q epel-release; then
-                curl -o epel-release.rpm --retry 10 https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+                curl --retry 10 -sSfkL -o epel-release.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
                 rpm -ivh epel-release.rpm
                 rm -f epel-release.rpm
             fi
     when: distro < rhel-8
+
+  - prepare+:
+      - how: shell
+        name: Update OpenSCAP from Packit (if specified)
+        script: |
+            set -xe
+            [ -n "$CONTEST_OSCAP_PR" ] || exit 0
+            repofile=/etc/yum.repos.d/openscap-packit-pr.repo
+            rm -f "$repofile"
+            if rpm -q openscap-scanner; then
+                # the RPM might have been upgraded from another PR, sanitize it
+                dnf -q -y downgrade openscap-scanner
+            else
+                # this runs before test dependencies are installed
+                dnf -q -y install openscap-scanner
+            fi
+            # download Packit-provided per-PR repository
+            major=$(. /etc/os-release && echo "${VERSION_ID%%.*}")
+            repourl="https://copr.fedorainfracloud.org/coprs/packit/OpenSCAP-openscap-$CONTEST_OSCAP_PR/repo/centos-stream-$major/packit-OpenSCAP-openscap-$CONTEST_OSCAP_PR-centos-stream-$major.repo"
+            curl --retry 10 -sSfkL -o "$repofile" "$repourl"
+            trap "rm -f \"$repofile\"" ERR
+            # check that the per-PR repo contains a newer build
+            rc=0
+            dnf -q check-upgrade openscap-scanner || rc=$?
+            if [ "$rc" -ne 100 ]; then  # see dnf(8)
+                nvr=$(rpm -q openscap-scanner)
+                echo "openscap-scanner from PR#$CONTEST_OSCAP_PR doesn't upgrade existing $nvr" >&2
+                false  # exit with ERR
+            fi
+            dnf -q -y upgrade openscap-scanner
+            # invalidate VM snapshots
+            rm -f /var/lib/libvirt/images/*.ready
+    when: distro > rhel-7
+  - finish+:
+      - how: shell
+        name: Restore original OpenSCAP (if upgraded from Packit)
+        script: |
+            set -xe
+            repofile=/etc/yum.repos.d/openscap-packit-pr.repo
+            if [ -f "$repofile" ]; then
+                dnf -q -y downgrade openscap-scanner
+                rm -f "$repofile"
+            fi
+    when: distro > rhel-7
diff --git a/plans/upstream.fmf b/plans/upstream.fmf
index cc650769..5505b3dd 100644
--- a/plans/upstream.fmf
+++ b/plans/upstream.fmf
@@ -1,22 +1,22 @@
 summary: Test against a fresh build of upstream content
 
-discover:
-    how: fmf
-execute:
-    how: tmt
+prepare+:
+  - how: install
+    package:
+      - git-core
+  - how: shell
+    name: Download and build latest content
+    script: |
+        set -xe
+        [ -n "$CONTEST_CONTENT_PR" ] && ref="refs/pull/$CONTEST_CONTENT_PR/head" || ref=HEAD
+        content_dir=/root/upstream-content
+        [ -e "$content_dir" ] || git init "$content_dir"
+        cd "$content_dir"
+        git fetch --depth=1 https://github.com/ComplianceAsCode/content.git "$ref"
+        # remove any previously built content
+        git clean -ffdx
+        git checkout FETCH_HEAD
 
-adjust+:
-  - prepare+:
-      - how: install
-        package:
-          - git-core
-      - how: shell
-        name: Download and build latest content
-        script: |
-            if [ ! -e /root/content ]; then
-                git clone --depth=1 https://github.com/ComplianceAsCode/content.git /root/content
-            fi
-
-  - environment+:
-        CONTEST_CONTENT: /root/content
-        CONTEST_WAIVERS: upstream
+environment+:
+    CONTEST_CONTENT: /root/upstream-content
+    CONTEST_WAIVERS: upstream