Shadow Testing with Monitor Mode: Deploy Security Rules Risk-Free
One of the biggest challenges in API security is deploying new rules to production safely. Traditional WAFs are all-or-nothing: either you block requests (risking false positives), or you don't protect at all. Today we're introducing Monitor Mode, a game-changing feature that lets you test security rules in production without blocking any traffic.
The Problem: Fear of False Positives
Every security engineer has been here: you want to enable strict SQL injection detection, but you're terrified it might block legitimate requests and break production. Cloudflare, Kong, and most WAFs force you to choose between:
Option 1: Block Mode (Risky)
Enable the rule immediately and hope for the best.
⚠️ Risk: False positives block real users, create support tickets, damage reputation
Option 2: No Protection (Dangerous)
Stay unprotected because you can't test safely.
⚠️ Risk: Vulnerable to attacks while you "wait for a good time" to enable security
Both options are terrible. What you really need is a way to test the rule in production, see exactly what would be blocked, and only flip to enforcement mode when you're confident.
The Solution: Monitor Mode
Monitor mode is shadow testing for API security. It logs everything that would be blocked without actually blocking it. Think of it as a "dry run" for your security rules in production.
How It Works
Deploy with Monitor Mode
Set G8KEPR_MODE=monitor in your environment. All threats are detected and logged, but no requests are blocked.
Review Dashboard & Tune Rules
Check your dashboard for "would-have-blocked" counts. Look for false positives. Adjust rules if needed. Filter the logs by the MONITOR: prefix.
Enable Block Mode
Change to G8KEPR_MODE=block (or remove the variable). Threats are now blocked. Zero surprises.
Example: Enabling SQL Injection Detection
Let's walk through a real-world example of enabling SQL injection detection for a payments API:
Step 1: Enable monitor mode in your deployment
# docker-compose.yml
services:
  backend:
    environment:
      G8KEPR_MODE: monitor # Shadow testing mode
      # ...other environment variables
Step 2: Deploy and monitor for 1-2 weeks
# Check logs for what would have been blocked
$ docker logs backend | grep "MONITOR MODE"
[MONITOR MODE] Would have blocked: sql_injection (HIGH) from 192.168.1.100
[MONITOR MODE] Would have blocked: xss (CRITICAL) from 10.0.0.50
Step 3: Review dashboard metrics
Navigate to Dashboard → Threat Analytics → Filter by MONITOR:*
You see: 234 SQL injection attempts detected, all from suspicious IPs. Zero false positives on legitimate user traffic.
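One way to triage the Step 2 log output before flipping modes, as an added example (not G8KEPR's own tooling): it parses lines in the format shown above and flags rules that fired on sources you know to be legitimate. The sample lines, the `KNOWN_GOOD` set and the function names are constructed for illustration.

```python
import re
import sys
from collections import Counter, defaultdict

# Matches the log line format shown in Step 2 of this post.
LINE_RE = re.compile(
    r"\[MONITOR MODE\] Would have blocked: "
    r"(?P<rule>\S+) \((?P<severity>[A-Z]+)\) from (?P<src>\S+)"
)

# Constructed sample input (private-range addresses, not real traffic).
SAMPLE_LOG = """\
[MONITOR MODE] Would have blocked: sql_injection (HIGH) from 192.168.1.100
[MONITOR MODE] Would have blocked: sql_injection (HIGH) from 192.168.1.100
[MONITOR MODE] Would have blocked: xss (CRITICAL) from 10.0.0.50
[MONITOR MODE] Would have blocked: sql_injection (HIGH) from 10.20.0.7
GET /health 200
"""

# Assumption: sources you already know are legitimate (batch job, partner, monitor).
KNOWN_GOOD = {"10.20.0.7"}

def summarize(lines, known_good=KNOWN_GOOD):
    """Aggregate would-have-blocked events per rule; ignore unrelated lines."""
    per_rule = defaultdict(Counter)      # rule -> Counter of source addresses
    severities = defaultdict(set)        # rule -> severities seen
    for line in lines:
        m = LINE_RE.search(line)         # search() tolerates timestamp prefixes
        if m:
            per_rule[m["rule"]][m["src"]] += 1
            severities[m["rule"]].add(m["severity"])
    return {
        rule: {
            "severities": sorted(severities[rule]),
            "hits": sum(srcs.values()),
            "sources": len(srcs),
            # Hits from known-good sources are the likely false positives.
            "review": {ip: n for ip, n in srcs.items() if ip in known_good},
        }
        for rule, srcs in per_rule.items()
    }

def needs_tuning(report):
    """Rules that fired on known-good sources: add exceptions before enforcing."""
    return sorted(rule for rule, s in report.items() if s["review"])

if __name__ == "__main__":
    # Pipe real logs in on stdin, or run with no input to use the sample.
    src = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    report = summarize(src)
    for rule, s in sorted(report.items()):
        print(f"{rule}: {s['hits']} hits, {s['sources']} sources, review={s['review']}")
    print("tune before block mode:", needs_tuning(report) or "none")
```

Any rule this lists is a candidate for the endpoint or pattern exceptions described under "Fine-Tune" before switching to block mode.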
Step 4: Flip to block mode with confidence
# docker-compose.yml
services:
  backend:
    environment:
      G8KEPR_MODE: block # Now actually blocking threats
      # ...or just remove the variable - defaults to block
Fail-Open vs Fail-Closed
What happens if the G8KEPR API is unreachable? We give you control over the behavior:
Fail-Open (Default)
If G8KEPR is down, requests pass through unprotected. Your API stays available.
✓ High availability
✓ No downtime during outages
✗ Temporary security gap
Fail-Closed (High Security)
If G8KEPR is down, all requests are blocked. Maximum security.
✓ No security gaps
✓ Compliance-friendly
✗ Your API goes down if we do
Our SLA: 99.99% uptime with automatic failover across 3 regions. Fail-open recommended for most use cases.
Real-World Workflow
Here's how a typical team uses monitor mode:
Day 1: Deploy Monitor Mode
Set G8KEPR_MODE=monitor and deploy. Security team starts receiving alerts for threats that would be blocked.
Days 2-7: Observe Patterns
Dashboard shows 1,247 SQL injection attempts detected, all from bot traffic. Zero false positives on real users.
Days 8-14: Fine-Tune (if needed)
Optional: If you see false positives, add exceptions for specific endpoints or patterns.
Day 15: Enable Block Mode
Change to G8KEPR_MODE=block. All those attacks are now stopped. Zero surprises.
Why Cloudflare & AWS WAF Don't Have This
You might wonder: why don't the big players offer shadow testing?
Cloudflare: No true monitor mode. You can set rules to "Log", but you can't see aggregated "would-have-blocked" counts or flip all rules to block with one change.
AWS WAF: Has "Count" mode for rules, but it's per-rule configuration with no unified dashboard showing what would happen if you enabled all rules. No one-click flip to enforcement.
G8KEPR makes it dead simple: one environment variable controls everything. Observe, tune, enforce.
Get Started Today
Monitor mode is available now to all G8KEPR users at no extra cost. Here's how to enable it:
Quick Start
# 1. Set environment variable
export G8KEPR_MODE=monitor
# 2. Restart your application
pm2 restart your-app
# 3. Monitor logs for shadow detections
tail -f logs/app.log | grep "MONITOR MODE"
# 4. After 1-2 weeks, flip to block mode
export G8KEPR_MODE=block
pm2 restart your-app
Try Monitor Mode Risk-Free
Deploy security rules to production with zero risk. Observe for 1-2 weeks, then enable blocking.
Learn More
Monitor mode works great with our other debugging features:
- Request Tracing with Unique IDs - Debug issues 10x faster with end-to-end tracing
- Debug Headers Documentation - All about X-G8KEPR-* headers
- Full Documentation - Complete guide to monitor mode and all features