diff --git a/test/assets/common_versions.sh.template b/test/assets/common_versions.sh.template
index 08a97db286..1fba87e503 100644
--- a/test/assets/common_versions.sh.template
+++ b/test/assets/common_versions.sh.template
@@ -68,6 +68,46 @@ get_vrel_from_rpm() {{
     echo ""
 }}
 
+get_redhat_bootc_image_url() {{
+    local -r registry="$1"
+    local -r release_version="$2"
+    local image_url=""
+
+    # get arch
+    local arch=""
+    if [[ "{ARCH}" =~ x86 ]]; then
+        arch="amd64"
+    elif [[ "{ARCH}" =~ aarch ]]; then
+        arch="arm64"
+    fi
+
+    sha_id=$(skopeo inspect --raw "docker://${{registry}}/openshift4/microshift-bootc-rhel9:v${{release_version}}" | \
+        jq -r ".manifests[] | select(.platform.architecture==\"${{arch}}\") | .digest" 2>/dev/null)
+    if [[ "${{sha_id}}" =~ ^sha256:[0-9a-f]{{64}}$ ]]; then
+        image_url="${{registry}}/openshift4/microshift-bootc-rhel9@${{sha_id}}"
+    fi
+    echo "${{image_url}}"
+}}
+
+get_lrel_release_image_url() {{
+    local -r release_version="$1" # examples: 4.21.0-ec.3, 4.21.0-rc.3 and 4.21.0
+    local image_url=""
+
+    if [[ "${{release_version}}" =~ -ec\. ]]; then
+        image_url="$(curl -s "https://mirror.openshift.com/pub/openshift-v4/{ARCH}/microshift/ocp-dev-preview/${{release_version}}/el9/bootc-pullspec.txt")"
+    elif [[ "${{release_version}}" =~ -rc\. ]]; then
+        image_url="$(curl -s "https://mirror.openshift.com/pub/openshift-v4/{ARCH}/microshift/ocp/${{release_version}}/el9/bootc-pullspec.txt")"
+    elif [[ "${{release_version}}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+        for registry in "registry.redhat.io" "registry.stage.redhat.io"; do
+            image_url="$(get_redhat_bootc_image_url "${{registry}}" "${{release_version}}")"
+            if [ -n "${{image_url}}" ]; then
+                break
+            fi
+        done
+    fi
+    echo "${{image_url}}"
+}}
+
 # The current release minor version (e.g. '17' for '4.17') affects
 # the definition of previous and fake next versions.
 export MINOR_VERSION={minor_version}
@@ -165,9 +205,13 @@ elif [ -n "${{BREW_EC_RELEASE_VERSION}}" ]; then
 else
     BREW_LREL_RELEASE_VERSION="${{BREW_NIGHTLY_RELEASE_VERSION}}"
 fi
-
 export BREW_LREL_RELEASE_VERSION
 
+# Set the latest release image URL
+LATEST_RELEASE_VERSION="$(echo "${{BREW_LREL_RELEASE_VERSION}}" | sed -E 's/(.*)-.*/\1/' | sed -E 's/(.*)~(.*)/\1-\2/')" # examples: 4.21.0 or 4.21.0-rc.3
+LATEST_RELEASE_IMAGE_URL="$(get_lrel_release_image_url "${{LATEST_RELEASE_VERSION}}")"
+export LATEST_RELEASE_IMAGE_URL
+
 # Branch and commit for the openshift-tests-private repository
 OPENSHIFT_TESTS_PRIVATE_REPO_BRANCH="release-4.${{MINOR_VERSION}}"
 OPENSHIFT_TESTS_PRIVATE_REPO_COMMIT="ed0dc50bfaf9b301d175b7035b8c0192ab113db9"
diff --git a/test/bin/common_versions.sh b/test/bin/common_versions.sh
index b0e2196885..c1e8883810 100644
--- a/test/bin/common_versions.sh
+++ b/test/bin/common_versions.sh
@@ -68,6 +68,46 @@ get_vrel_from_rpm() {
     echo ""
 }
 
+get_redhat_bootc_image_url() {
+    local -r registry="$1"
+    local -r release_version="$2"
+    local image_url=""
+
+    # get arch
+    local arch=""
+    if [[ "${UNAME_M}" =~ x86 ]]; then
+        arch="amd64"
+    elif [[ "${UNAME_M}" =~ aarch ]]; then
+        arch="arm64"
+    fi
+
+    sha_id=$(skopeo inspect --raw "docker://${registry}/openshift4/microshift-bootc-rhel9:v${release_version}" | \
+        jq -r ".manifests[] | select(.platform.architecture==\"${arch}\") | .digest" 2>/dev/null)
+    if [[ "${sha_id}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
+        image_url="${registry}/openshift4/microshift-bootc-rhel9@${sha_id}"
+    fi
+    echo "${image_url}"
+}
+
+get_lrel_release_image_url() {
+    local -r release_version="$1" # examples: 4.21.0-ec.3, 4.21.0-rc.3 and 4.21.0
+    local image_url=""
+
+    if [[ "${release_version}" =~ -ec\. ]]; then
+        image_url="$(curl -s "https://mirror.openshift.com/pub/openshift-v4/${UNAME_M}/microshift/ocp-dev-preview/${release_version}/el9/bootc-pullspec.txt")"
+    elif [[ "${release_version}" =~ -rc\. ]]; then
+        image_url="$(curl -s "https://mirror.openshift.com/pub/openshift-v4/${UNAME_M}/microshift/ocp/${release_version}/el9/bootc-pullspec.txt")"
+    elif [[ "${release_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+        for registry in "registry.redhat.io" "registry.stage.redhat.io"; do
+            image_url="$(get_redhat_bootc_image_url "${registry}" "${release_version}")"
+            if [ -n "${image_url}" ]; then
+                break
+            fi
+        done
+    fi
+    echo "${image_url}"
+}
+
 # The current release minor version (e.g. '17' for '4.17') affects
 # the definition of previous and fake next versions.
 export MINOR_VERSION=22
@@ -165,9 +205,13 @@ elif [ -n "${BREW_EC_RELEASE_VERSION}" ]; then
 else
     BREW_LREL_RELEASE_VERSION="${BREW_NIGHTLY_RELEASE_VERSION}"
 fi
-
 export BREW_LREL_RELEASE_VERSION
 
+# Set the latest release image URL
+LATEST_RELEASE_VERSION="$(echo "${BREW_LREL_RELEASE_VERSION}" | sed -E 's/(.*)-.*/\1/' | sed -E 's/(.*)~(.*)/\1-\2/')" # examples: 4.21.0 or 4.21.0-rc.3
+LATEST_RELEASE_IMAGE_URL="$(get_lrel_release_image_url "${LATEST_RELEASE_VERSION}")"
+export LATEST_RELEASE_IMAGE_URL
+
 # Branch and commit for the openshift-tests-private repository
 OPENSHIFT_TESTS_PRIVATE_REPO_BRANCH="release-4.${MINOR_VERSION}"
 OPENSHIFT_TESTS_PRIVATE_REPO_COMMIT="ed0dc50bfaf9b301d175b7035b8c0192ab113db9"
diff --git a/test/image-blueprints-bootc/layer5-release/group1/rhel96-bootc-konflux-lrel.containerfile b/test/image-blueprints-bootc/layer5-release/group1/rhel96-bootc-konflux-lrel.containerfile
new file mode 100644
index 0000000000..2805bf677a
--- /dev/null
+++ b/test/image-blueprints-bootc/layer5-release/group1/rhel96-bootc-konflux-lrel.containerfile
@@ -0,0 +1,3 @@
+# {{- if env.Getenv "LATEST_RELEASE_IMAGE_URL" "" -}}
+FROM "{{ env.Getenv "LATEST_RELEASE_IMAGE_URL" }}"
+#{{- end }}
diff --git a/test/scenarios-bootc/releases/el96-crel@published-images-standard2.sh b/test/scenarios-bootc/releases/el96-crel@published-images-standard2.sh
deleted file mode 100644
index ddd3b448c9..0000000000
--- a/test/scenarios-bootc/releases/el96-crel@published-images-standard2.sh
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/bash
-
-# Sourced from scenario.sh and uses functions defined there.
-
-# Enable container signature verification for published MicroShift images.
-# These are ec / rc / z-stream, thus guaranteed to be signed.
-# shellcheck disable=SC2034  # used elsewhere
-IMAGE_SIGSTORE_ENABLED=true
-
-scenario_create_vms() {
-    if [[ "${CURRENT_RELEASE_REPO}" == "" ]] ; then
-        # Empty string means there's no EC build yet, so the test needs to be skipped.
-        exit 0
-    fi
-
-    local bootc_spec
-    if [[ "${CURRENT_RELEASE_REPO}" == http* ]] ; then
-        # Discover a pre-release MicroShift bootc image reference on the mirror
-        local -r mirror_url="$(dirname "${CURRENT_RELEASE_REPO}")/bootc-pullspec.txt"
-
-        bootc_spec="$(curl -s "${mirror_url}")"
-        if [ -z "${bootc_spec}" ] || [[ "${bootc_spec}" != quay.io/openshift* ]] ; then
-            echo "ERROR: Failed to retrieve a bootc pull spec from '${mirror_url}'"
-            exit 1
-        fi
-    else
-        # Use the latest released MicroShift bootc image reference in public
-        # registry for the current minor version
-        bootc_spec="registry.redhat.io/openshift4/microshift-bootc-rhel9:v4.${MINOR_VERSION}"
-    fi
-
-    prepare_kickstart host1 kickstart-bootc.ks.template "${bootc_spec}"
-    launch_vm --boot_blueprint rhel96-bootc
-
-    # Open the firewall ports. Other scenarios get this behavior by embedding
-    # settings in the blueprint, but we cannot open firewall ports in published
-    # images. We need to do this step before running the RF suite so that suite
-    # can assume it can reach all of the same ports as for any other test.
-    configure_vm_firewall host1
-}
-
-scenario_remove_vms() {
-    if [[ "${CURRENT_RELEASE_REPO}" == "" ]] ; then
-        # Empty string means there's no EC build yet, so the test needs to be skipped.
-        exit 0
-    fi
-    remove_vm host1
-}
-
-scenario_run_tests() {
-    if [[ "${CURRENT_RELEASE_REPO}" == "" ]] ; then
-        # Empty string means there's no EC build yet, so the test needs to be skipped.
-        exit 0
-    fi
-    run_tests host1 \
-        --variable "IMAGE_SIGSTORE_ENABLED:True" \
-        suites/standard2/
-}
diff --git a/test/scenarios-bootc/releases/el96-lrel@published-images-standard1.sh b/test/scenarios-bootc/releases/el96-lrel@published-images-standard1.sh
new file mode 100644
index 0000000000..2f49e05e93
--- /dev/null
+++ b/test/scenarios-bootc/releases/el96-lrel@published-images-standard1.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+# Enable container signature verification for published MicroShift images.
+# These are ec / rc / zstream, thus guaranteed to be signed.
+# shellcheck disable=SC2034  # used elsewhere
+IMAGE_SIGSTORE_ENABLED=true
+
+start_image="rhel96-bootc-konflux-lrel"
+
+scenario_create_vms() {
+    exit_if_image_not_found "${start_image}"
+
+    prepare_kickstart host1 kickstart-bootc.ks.template "${LATEST_RELEASE_IMAGE_URL}"
+    launch_vm --boot_blueprint rhel96-bootc
+
+    # Open the firewall ports. Other scenarios get this behavior by embedding
+    # settings in the blueprint, but we cannot open firewall ports in published
+    # images. We need to do this step before running the RF suite so that suite
+    # can assume it can reach all of the same ports as for any other test.
+    configure_vm_firewall host1
+}
+
+scenario_remove_vms() {
+    exit_if_image_not_found "${start_image}"
+
+    remove_vm host1
+}
+
+scenario_run_tests() {
+    exit_if_image_not_found "${start_image}"
+
+    run_tests host1 \
+        --variable "EXPECTED_OS_VERSION:9.6" \
+        --variable "IMAGE_SIGSTORE_ENABLED:True" \
+        suites/standard1/ suites/selinux/validate-selinux-policy.robot
+}
diff --git a/test/scenarios-bootc/releases/el96-lrel@published-images-standard2.sh b/test/scenarios-bootc/releases/el96-lrel@published-images-standard2.sh
new file mode 100644
index 0000000000..fe2df4368f
--- /dev/null
+++ b/test/scenarios-bootc/releases/el96-lrel@published-images-standard2.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+# Enable container signature verification for published MicroShift images.
+# These are ec / rc / zstream, thus guaranteed to be signed.
+# shellcheck disable=SC2034  # used elsewhere
+IMAGE_SIGSTORE_ENABLED=true
+
+start_image="rhel96-bootc-konflux-lrel"
+
+scenario_create_vms() {
+    exit_if_image_not_found "${start_image}"
+
+    prepare_kickstart host1 kickstart-bootc.ks.template "${LATEST_RELEASE_IMAGE_URL}"
+    launch_vm --boot_blueprint rhel96-bootc
+
+    # Open the firewall ports. Other scenarios get this behavior by embedding
+    # settings in the blueprint, but we cannot open firewall ports in published
+    # images. We need to do this step before running the RF suite so that suite
+    # can assume it can reach all of the same ports as for any other test.
+    configure_vm_firewall host1
+}
+
+scenario_remove_vms() {
+    exit_if_image_not_found "${start_image}"
+
+    remove_vm host1
+}
+
+scenario_run_tests() {
+    exit_if_image_not_found "${start_image}"
+
+    run_tests host1 \
+        --variable "IMAGE_SIGSTORE_ENABLED:True" \
+        suites/standard2/
+}