Developers

Testing in Production: When It's Smart and When It's Dangerous

HelpMeTest

HelpMeTest

8 min read
Testing in Production: When It's Smart and When It's Dangerous

The rule "never test in production" comes from an era when production was a black box — no observability, no rollbacks, no feature flags. Netflix deliberately kills EC2 instances in production to test resilience. Google tests new search algorithms on 1% of live queries. The real rule is: never test in production carelessly.

Key Takeaways

Synthetic monitoring is production testing — and you're probably already doing it. If you have a health check hitting your /login endpoint every 5 minutes, that's production testing. The debate is about scope and technique, not whether to do it at all.

Your staging environment is lying to you. Third-party integrations, CDN configurations, real user data edge cases, and database state accumulated over years all behave differently in production. Some bugs only appear there.

Feature flags are the essential risk mitigation layer. Testing in production without feature flags is driving without a seatbelt. With flags, you can roll back a bad rollout in under a minute — no deployment needed.

Canary deployments let you test on 1-5% of real traffic. If the canary fails, 95-99% of users never see it. If it succeeds, you have production-validated evidence before full rollout.

Testing in production means running tests or experiments on live infrastructure that serves real users. The phrase covers a spectrum — from simple health checks (safe, low-risk, everybody does it) to chaos engineering that intentionally kills production services (deliberate, requires significant observability infrastructure). Understanding which techniques fit which risk tolerance is the actual question.

This guide covers the full spectrum: what each technique involves, when it makes sense, and what genuinely shouldn't happen in production.

The Spectrum of Production Testing

"Testing in production" isn't one thing. It's a range of practices with very different risk profiles:

  • Synthetic monitoring: Scripted tests run against production on a schedule — check the login flow, verify an API endpoint, confirm a form submits. Zero impact on real users.
  • Feature flags: Code ships to production disabled, gets enabled for 1% of users, expands based on metrics. Reversible in seconds.
  • Canary releases: Route 5% of real traffic to a new version. Monitor error rates and latency. Expand or roll back.
  • A/B testing: Split traffic between two variants and measure which performs better on business metrics.
  • Shadow testing: Copy production traffic to a new service, compare its responses to the live service, never show the shadow responses to users.
  • Chaos engineering: Deliberately inject failures — kill processes, introduce latency, drop network packets — to build confidence in your system's resilience.

Each of these is a legitimate engineering practice. The risk profile is different for each.

Why Staging Environments Are Never Complete

The strongest argument for production testing is that staging environments have a fundamental limitation: they aren't production.

Third-party integrations behave differently. Payment processors have sandbox modes that don't reproduce all production behavior — rate limits are different, webhook retry logic varies, certain error codes only appear with real transactions. Email delivery services have different throttling rules for sandbox vs. live API keys.

Real data creates edge cases you can't predict. A production database has years of schema migrations behind it. It has rows created by code that was deleted two years ago. It has null values in columns that were added as required fields later. It has multi-byte Unicode in places the schema didn't expect it. Staging data doesn't replicate this.

Scale changes system behavior. A staging environment running 100 concurrent users doesn't predict behavior under 50,000. Database connection pool exhaustion, lock contention on hot rows, and N+1 query problems that take 10ms in staging take 800ms under real load.

Infrastructure differences are subtle. Staging often runs on smaller instances, different geographic regions, and different CDN configurations. A page that loads in 300ms from staging in us-east-1 might load in 900ms for users in Southeast Asia due to missing CDN nodes.

None of this means skipping staging. It means staging alone isn't a complete testing strategy.

Techniques That Work Safely in Production

Synthetic Monitoring

Synthetic monitoring is the safest form of production testing and arguably the most valuable. A synthetic monitor runs a scripted test against production on a schedule — every 5 minutes, every hour, once a day — and alerts when the test fails.

What makes it safe: synthetic tests use dedicated test accounts (not real user accounts), perform read-only operations where possible, and are specifically designed not to create side effects. A synthetic monitor for an e-commerce site might:

  • Load the homepage and verify key elements render
  • Search for a product and confirm results appear
  • Log in with a test account and verify the dashboard loads
  • Hit /api/health and confirm a 200 response

This is exactly how HelpMeTest's monitoring works. You configure tests to target your production URL directly, set them to run every 15 minutes, and get alerted the moment something breaks. You know checkout is broken in 15 minutes — not when a user tweets about it. The free tier supports unlimited health checks with 5-minute monitoring intervals; Pro adds 3-month data retention and parallel execution.

Feature Flags

Feature flags let you deploy code to production while keeping it disabled. The deployment and the activation are two separate events.

A typical rollout with feature flags:

  1. Ship the new code with the flag disabled (0% of users see it)
  2. Enable for internal users — your team, QA staff, employees
  3. Expand to 1% of users and monitor error rates, latency, business metrics
  4. Expand to 10%, 50%, 100% if metrics are healthy
  5. If metrics degrade at any stage, disable the flag — no deployment needed

The rollback time matters. Without feature flags, reverting a bad deployment takes 5-15 minutes for a code deploy. With a feature flag, it takes seconds. For high-traffic services, that difference is the gap between a blip and a major incident.

Open-source feature flag systems include Unleash, Flagsmith, and GrowthBook. LaunchDarkly and Optimizely are the dominant commercial options. At minimum, a Redis key checked at runtime gets you 80% of the benefit.

Canary Deployments

A canary deployment routes a percentage of real traffic to the new version of a service while the rest continues to the stable version. A typical progression:

  • Route 5% of traffic to the new version for 15 minutes
  • Monitor error rate, p50 latency, p99 latency, business metrics (conversion rate, add-to-cart events)
  • If healthy, expand to 25%, then 50%, then 100%
  • If error rate increases or latency spikes, route 100% back to the stable version

The threshold for "unhealthy" should be defined before the rollout starts. If your normal error rate is 0.1%, a canary showing 0.8% error rate is a clear stop signal. If you define "healthy" during the rollout, you'll rationalize your way into disasters.

Kubernetes supports canary deployments natively via Argo Rollouts and the Flagger operator. AWS CodeDeploy, Spinnaker, and most modern deployment platforms have built-in canary support.

Shadow Testing

In shadow testing, production traffic is copied and sent to a new service in parallel with the real service. The shadow service processes the requests and returns responses — but those responses are never shown to users. Only the real service's responses are returned.

You then compare shadow responses to production responses and look for differences. This is particularly useful for:

  • Database migrations: Run the new query engine in shadow mode against real production queries, compare results to the current engine
  • Algorithm rewrites: A new recommendation engine processes the same requests as the current one; compare which products get recommended
  • Service rewrites: A new microservice processes all the traffic the monolith handles; verify they return identical responses before cutting traffic over

The catch: shadow testing requires infrastructure to fork traffic, store shadow responses, and run comparisons. Tools like Diffy (open source, Twitter-built) and GoReplay handle this. It's not a starting point for small teams.

Chaos Engineering

Chaos engineering is the most advanced form of production testing, and the most misunderstood. The goal isn't to break things randomly — it's to discover weaknesses in resilience before incidents do.

Netflix's Chaos Monkey randomly terminates EC2 instances. Their premise: if they can tolerate random instance failure in production, they've verified that their auto-scaling and failover actually work under real conditions. Running the same test in staging, with staged traffic, doesn't prove the same thing.

A practical starting point for teams new to chaos engineering:

  1. Define a steady state — what does "normal" look like? (error rate, latency, throughput)
  2. Form a hypothesis — "If Redis goes down, the application will fall back to database queries and degrade gracefully rather than returning 500s"
  3. Inject the failure in a controlled way, during a low-traffic window
  4. Observe whether the hypothesis holds
  5. Fix what breaks

Tools: Chaos Monkey, Litmus (Kubernetes), Gremlin (commercial). Start with infrastructure-level failures (kill a pod, saturate a CPU) before attempting network-level failures.

What You Should Never Test in Production

Some categories genuinely shouldn't be tested in production, regardless of safeguards:

Destructive operations with real user data. Don't test billing webhooks by triggering real Stripe charges. Don't test password reset emails by sending them to real users. Don't test order cancellation flows on real orders. Use sandbox modes, test accounts, and staging for anything that touches real user data irreversibly.

Load and stress testing. Running ab -n 100000 -c 500 against your production API is irresponsible. Load testing should happen in a staging environment that mirrors production infrastructure. The goal of load testing is to find breaking points — you want that to happen where it can't affect real users.

Security penetration testing. SQL injection, XSS, auth bypass, and SSRF tests should never run against production databases or production user sessions. Point your pentest tooling at a dedicated security testing environment. Many production security incidents have started with someone "just quickly checking" a vulnerability in production.

Anything with irreversible side effects. If your test creates data that's difficult to clean up, triggers notifications to real users, or causes charges to appear on accounts, it belongs in staging.

Building a Production Testing Strategy

A practical implementation order, roughly from lowest to highest risk:

1. Start with synthetic monitoring. Set up 5-10 tests covering critical user paths: login, core feature, key API. Run them every 15 minutes. This is the highest-value, lowest-risk production testing investment. HelpMeTest is built specifically for this — configure E2E tests targeting your production URL, get alerted before users report issues.

2. Add feature flags to every new feature. This is infrastructure work, but it changes your entire deployment posture. With feature flags, every production deployment becomes lower-risk because you can always deactivate the new code path.

3. Implement canary deployments. Once your deployment pipeline supports traffic splitting, you have production-validated evidence before committing to full rollout. This catches a class of bugs that only appear under real load with real data.

4. Add shadow testing for major migrations. Database engine upgrades, service rewrites, and algorithm replacements benefit from shadow validation before cutover.

5. Graduate to chaos engineering. Only makes sense when you have strong observability (metrics, tracing, alerting), documented steady state, and confidence in your recovery procedures.

Most teams get 80% of the value from steps 1 and 2. You don't need chaos engineering in year one.

FAQ

Is testing in production ever actually safe?

Yes, with the right techniques and safeguards. Synthetic monitoring and feature flags are both forms of production testing that are practiced safely by teams of every size. The risk depends entirely on what you're testing and how you've designed it.

What's the difference between production testing and monitoring?

Monitoring is passive — watching metrics, aggregating logs, tracking error rates. Production testing is active — running scripts that execute operations against the live system. Synthetic monitoring bridges the two: it's an active test running on a schedule, but its purpose is monitoring.

Do companies like Google and Netflix really test in production?

Yes. Google's approach to search algorithm changes is to run A/B tests on live traffic, typically testing on 0.1-1% of queries before broader rollout. Netflix's Chaos Engineering team deliberately injects failures into production to test resilience. Meta's continuous deployment system ships code to production hundreds of times per day using feature flags.

Can I run my full test suite against production?

Not safely. Your full test suite likely creates test data, modifies records, and exercises flows that have side effects. A subset of your test suite — specifically read-only tests designed for synthetic monitoring — can run against production safely. These should be a small set of critical-path tests written with production execution in mind.

How do I convince my team that production testing is acceptable?

Start with synthetic monitoring. There's no reasonable objection to running read-only health checks against production — it's the practice that catches outages before users do. Once that's established and delivering value, the conversation about feature flags and canary releases becomes easier to have.

Read more