In a recent webinar hosted by CyberRisk Alliance, three Fastly security experts came together to unpack one of the biggest tensions in modern software development: balancing the speed of DevOps with the rigor of security. Moderated by Adrian Sanabria of the Defenders Initiative, the discussion featured insights from Principal Product Manager Liam Mayron, Principal Product Technology Manager Daniel Corbett, and Staff Security Researcher Simran Khalsa - all atFastly. The following is a summary of the discussion. Watch the webinar in its entirety.
Of the many challenges facing DevOps teams, one of the biggest is integrating comprehensive and effective security testing, and doing so without slowing everything down. Security testing that’s bolted on late in the release cycle often introduces bottlenecks, creates friction between teams, and can therefore lead to security missteps going unnoticed - until it’s too late.
Fastly’s WAF Simulator was built to change that. This tool reimagines how DevOps and security teams validate WAF (Web Application Firewall) rules by enabling integrated, continuous, and automated security testing, without interrupting the development flow.
After all these years, security is still a bottleneck
For many, security testing remains almost an afterthought. This disrupts development cycles, slows down product releases, and is bound to strain the relationship between dev and security teams. It’s a classic story: security mandates come in late, break something, or simply don’t align with product goals. And worse still, when security controls are added, they’re not always validated, leading to rules that don’t actually protect anything.
To make things worse, DevOps teams are often handed security responsibilities without proper tooling. “I’ve seen both models,” Liam explained. “Sometimes developers drive security proactively; other times, security is just pushed onto them without support.”
The Origin of WAF Simulator
As was the case for Liam, Daniel, and Simran, also saw this pain firsthand. Developers were unsure whether their WAF rules were actually working, and for a long while, security teams had no easy way to validate WAF rules beyond waiting for the next penetration test - or, worse, a real-world attack.
From internal needs and customer feedback, a clear gap emerged: teams needed a way to test security rules like they test their code. While researching this, a pattern emerged from those DevOps teams Fastly interviewed, revealing the need for pre-production validation, rule-level visibility, Integrated unit testing, and support for both default and custom WAF rules.
Thus, the Fastly WAF Simulator was born!
The Fastly WAF Simulator lets users input sample requests and responses and see, in real time, how the web application firewall will respond. It is API-first, supports UI-based testing for exploratory workflows, and seamlessly integrates into CI/CD pipelines.
Key capabilities include:
Request/response simulation to test expected rule behavior
Visibility into rule-based signals, including bot analysis, business logic enforcement, and block status codes
Custom rule validation with CVE tagging or complex logic
Version-controlled test cases that persist across team changes
And perhaps most critically, the simulator makes security testing accessible without needing to become a curl expert!
Real-World Use: Testing Before Trouble Strikes
Simran described how security research teams can use the simulator to verify coverage for emerging vulnerabilities. “If I get a CVE, I want to know right away - can our WAF detect this? If not, I need to escalate, create a rule, and test it - fast.”
One of the most significant benefits is preventing misconfigurations. During the demo, a seemingly harmless exclusion rule completely broke cross-site scripting (XSS) detection, eliminating both the detection and associated CVE tagging. With automated tests running in GitHub Actions and Slack alerts enabled, the issue would have been caught immediately.
As Daniel explained, “We’re not just preventing breakage - we’re shortening the time from change to resolution. That’s huge when you’re managing 1,000+ sites.”
Enabling a “detection-as-code” mindset
Fastly’s WAF Simulator fully embraces a “detection-as-code” mindset, which applies software engineering principles - like version control, code review, and automated testing - to the creation and management of security detection rules.
Instead of relying on ad hoc or manually updated configurations, detection-as-code treats detection logic as a structured, versioned, and collaborative asset. This approach increases reliability, enables rapid iteration, and helps teams scale threat detection while maintaining consistency across environments. By embedding detection into the development lifecycle, security teams can more effectively align with DevOps practices and respond faster to evolving threats. Rules are documented, versioned, and tested just like application logic.
The WAF simulator supports:
Terraform-based configuration management
YAML-defined unit tests
Slack and GitHub Action alerts for CI/CD test failures
Webhook support to trigger automated validation on rule changes
Security teams constantly find themselves in situations where such an approach will get them out of hot water. It can be something as simple as a team member leaving for another role. Detection as code makes security feel like a natural extension of the dev workflow - not an obstacle to be avoided!
Whether security is embedded in the DevOps team or owned by a dedicated security org, WAF Simulator empowers both. It supports a shared responsibility model where developers manage app-specific security logic while central teams oversee global policies.
Simran summarized it well: “Security becomes part of your role as a developer. You know your app best. This gives you the tools to manage it securely, without flying blind.”
Security That Moves at the Speed of Dev
Security controls are only effective if they’re working, and many organizations don’t know if they are until a breach, a pen test, or a frustrated user discovers otherwise.
WAF Simulator changes the game by bringing speed, visibility, and confidence into DevSecOps workflows. It ensures that rules work as intended, teams stay in sync, and security evolves alongside development, not behind it.
Want to try it out? Explore Fastly’s WAF Simulator Automation project on GitHub and start building smarter, safer workflows - without the speed bumps.
