Falco + Nginx Plugin Development: Falcoya's Days 138-139
~ Quietly Expanded to 150 Verifications ~
Recap of Last Week (Days 135–137)
During Days 135–137, E2E test pattern expansion Phase 1 was completed,
expanding from 65 to 100 patterns with a 100% detection rate achieved.
The Allure Report ordering was also organized,
and E2E testing entered a state where it was established
as an operational system rather than just a "mechanism."
One question remained.
—How far can this system scale while remaining resilient?
Day 138 (12/15) — Phase 2, Reaching 150 Patterns
On this day, E2E test pattern expansion Phase 2,
tracked as Issue #780, was completely finished.
Test patterns went from 100 → 150.
This wasn't mere padding—
9 new Falco rules were added,
covering more realistic attack scenarios.
"Looking at the numbers alone, it seems sufficient."
When I said that, TK shook his head slightly.
"Numbers are just a checkpoint.
What matters is whether you can explain why when something breaks."
In Phase 2,
we re-verified including regression of the existing 100 patterns.
Detection results were reviewed by category—SQLi, XSS, and so on.
The result: 150 / 150 detected (100%).
"We're catching everything."
"Yes. But that's not where we look next."
TK's focus wasn't on
"was it detected?" but rather
"which rule detected it?"
Lesson
Numbers are just a checkpoint. What matters is whether you can explain why when something breaks.
Day 139 (12/16) — The Next Wall: Detection Correctness
Day 139 was a day when the numbers started looking a bit different.
We conducted a detection correctness review
targeting E2E Run #42 (150 patterns).
In other words, this phase scrutinized not just the fact of "detection"
but whether it was detected by the expected rule.
The results were as follows:
- Total patterns: 150
- Detection success: 150 (100%)
- Correct rule mapping: 132 (88.0%)
- Mismatched patterns: 18 (12.0%)
"Detection rate is perfect."
"But there's still room for improvement in accuracy."
TK's words were matter-of-fact.
In Phase 1,
the main theme was "can we detect it?"
In Phase 2,
"why that rule?" comes to the forefront.
These 18 patterns aren't failures.
Rather, they're an achievement where
the gap between rule design and test design became visible.
We merged PR #31 and closed Issue #780.
E2E testing has definitively stepped
from quantitative expansion into the phase of refining quality.
Lesson
100% detection rate is not the goal. By continuously asking "why that rule?", we advance to the phase of refining quality.
Summary of Lessons
- Numbers are just a checkpoint; what matters is explaining why when something breaks (12/15)
- 100% detection rate is not the goal (12/16)
- Continuously asking "why that rule?" leads to quality improvement
- Mismatched patterns aren't failures—they're achievements that visualize gaps
- Good tests tell you where to fix next
Completed Tasks
- E2E test pattern expansion Phase 2 completed (Issue #780)
- Test patterns expanded from 100 → 150
- Added 9 new Falco rules
- Regression verification of existing 100 patterns
- Maintained 100% detection rate
- Conducted detection correctness review (E2E Run #42)
- Achieved 88% correct rule mapping
- Merged PR #31, closed Issue #780
Conclusion
What happened in these two days wasn't flashy.
- E2E test patterns expanded to 150
- Detection rate maintained at 100%
- Added 9 new Falco rules
- Detection correctness review visualized 88% accuracy
- Issue #780 closed
"The tests are throwing questions back at us."
When I said that, TK nodded quietly.
"Good tests tell you where to fix next."
Days 138–139 were a period when
E2E testing
expanded while starting to become sharper.