Tool restrictions – Established vulnerabilities are likely to be supported by Metasploit modules or at least have proof-of-concept code floating around in the wilderness. This fits environments and testing scenarios where clients have requested tests be performed from the perspective of regular users or to simulate an internal attack.

Time – While time restrictions are the obvious solution to challenging someone, it's not really applicable in real life. The necessity for speed is present in a testing environment, but it is a soft skill. The ability to detect and exploit with skill is a far more valuable trait to nurture.

Fun ones – Play random noises or get them to listen to Barney the Dinosaur (though I cannot be held responsible for any long-term psychological damage caused by this action). While it may seem childish, testers should be able to perform in uncomfortable and strange environments. Most of the time, it'll be sitting in a cold server room with only the sounds of fans to keep you company (the blowy kind, not the "we love you!" kind), but who knows where you may end up.