A few years ago, my answer would have been a hard no. Production testing always felt too risky because one wrong move could impact users, data, or availability.
Today, though, my perspective has changed. Modern production-safe testing approaches are making it possible to validate security in real environments without causing disruption. In many cases, production is the only place where you can truly understand the actual attack surface and uncover issues that never appear in staging.
Curious where others stand on this. Is production testing something your team performs or avoids?
My comment on this earlier thread, I believe, still holds value: production presents new opportunities and also very specific risks, and these can be discovered, explored and investigated, so there is a lot of testing potential.
From a security perspective, in my models it's mostly scanners and monitoring running rather than specific investigation, unless we know something there is very different from what we can simulate on a staging or test env.
One of the things I'd suggest, though, is that good security testing is not safe by its very nature: if you are seeing whether it's possible to crash the system, bring it to a halt, or reveal confidential information, you are not only potentially going to do harm but you could be breaking laws and regulations in doing so. In many cases, for example, because I am outside Europe and the data resides there, I am not even allowed to look at the personal stuff (GDPR) for debugging a customer issue, never mind trying to reveal if it's hackable.
You will also get a lot of value by having code access for security risk investigation, so pre-production and building security in makes sense; do not consider production testing as a replacement (it's too late) but as an extension only.
The non-invasive scans and monitoring for real attacks, though, are highly valuable.