--- title: "Tracing Agents Rule Evaluation for Protection" slug: "tracing-agents-rule-evaluation-for-protection" description: "Traceable enables agent-based rule evaluation for API security, allowing custom security policies to be enforced inline or out-of-band based on the tracing agent and deployment model. This approach ensures early API request inspection with real-time options to block, allow, or monitor traffic across cloud-native environments." updated: 2026-02-24T09:50:56Z published: 2026-02-24T09:50:56Z --- > ## Documentation Index > Fetch the complete documentation index at: https://traceabledocs.document360.io/llms.txt > Use this file to discover all available pages before exploring further. # Tracing Agents Rule Evaluation for Protection ##### Updates (January 2026 to March 2026) - *February 2026* — Updated the topic to add information about the availability of inline blocking in F5 and F5 HSL deployment setups. Traceable lets you choose the Rule Evaluation Point based on the tracing agents used in your deployment. The following table highlights the agent-specific rule evaluation points for the Tracing agent (TA). For more information, see [Custom Policies](https://docs.traceable.ai/docs/custom-policy#creating-custom-rules). Depending on the deployment, Traceable evaluates the rules near the application (Inline) or Out-of-Band. This determines how early Traceable inspects the request and whether it blocks, allows, or monitors it. The following table highlights the different Tracing agents and the rule evaluation point they support based on the initial deployment [setup](/v1/docs/traceable-runtime-protection#traceable-application-and-api-protection-deployment-models): | Deployment Setup | Inline Blocking | Rule Evaluation Point | | --- | --- | --- | | Akamai Edgeworker | **X** | Out-of-Band | | Akana | **X** | Out-of-Band | | Apigee | ✔️ | Inline and Out-of-Band | | AWS API GW | **X** | Out-of-Band | | AWS Lambda Runtime Extension | ✔️ | Inline and Out-of-Band | | Axway | **X** | Out-of-Band | | Azure APIM | ✔️ | Inline and Out-of-Band | | CA Layer7 | **X** | Out-of-Band | | Cloudflare worker | **X** | Out-of-Band | | Cloudflare Lambda | ✔️ | Inline and Out-of-Band | | ebpf | **X** | Out-of-Band | | Fastly | **X** | Out-of-Band | | F5 | **X** | Out-of-Band | | F5 HSL | **X** | Out-of-Band | | HA Proxy | ✔️ | Inline and Out-of-Band | | IBM APIC | ✔️ | Inline and Out-of-Band | | IBM DataPower | ✔️ | Inline and Out-of-Band | | IIS | ✔️ | Inline and Out-of-Band | | Istio | ✔️ | Inline and Out-of-Band | | Kong | ✔️ | Inline and Out-of-Band | | Mulsesoft Mule GW | ✔️ | Inline and Out-of-Band | | Traefik | **X** | Out-of-Band | | Mulesoft Flex GW | **X** | Out-of-Band | | Netlify | **X** | Out-of-Band | | Netscaler | ✔️ | Inline and Out-of-Band | | Nginix | ✔️ | Inline and Out-of-Band | | DotNet | ✔️ | Inline and Out-of-Band | | Golang | ✔️ | Inline and Out-of-Band | | Java | ✔️ | Inline and Out-of-Band | | Nodejs | ✔️ | Inline and Out-of-Band | | Python | ✔️ | Inline and Out-of-Band | | Ruby | **X** | Out-of-Band | Rule Evaluation Point indicates where Traceable evaluates a security rule as a request moves through your ecosystem. Depending on the deployment, Traceable evaluates the rules near the application, at the network edge, or within the platform. This determines how early Traceable inspects the request and whether it blocks, modifies, or monitors the traffic.