diff --git a/docs/firewall.md b/docs/firewall.md new file mode 100644 index 00000000..34cf2384 --- /dev/null +++ b/docs/firewall.md 
@@ -0,0 +1,45 @@ +# Web Application Firewall + +Altis provides a robust, battle-tested web application firewall (WAF), which provides protection against exploits and attacks. The Altis WAF is built on AWS technologies, including [AWS WAF](https://aws.amazon.com/waf/) and [AWS Shield Advanced](https://aws.amazon.com/shield/). + +Our firewall has protected customers against active attacks, including HTTP request floods up to 1 million requests per second, sustained over hours. + + +## Protection against exploits + +The Altis WAF includes protection against web exploits, including Cross-Site Scripting (XSS), SQL injections (SQLi), and other known inputs. It also includes protection against exfiltration of private files accidentally published in your codebase, including .sql and .sh files. + +The Altis team manages these protections automatically across the platform on your behalf. + + +## Protection against request floods & denial of service attacks + +The Altis WAF provides protection against denial of service (DoS) and distributed denial of service (DDoS) attacks. + +Per-IP rate limits are applied across all environments as standard, both across the entire environment as well as per-container, to ensure individual bad actors are limited from being able to adversely affect your site. Rate limits are monitored and adjusted across the platform depending on industry-wide threat analysis; contact Altis support for further information about the currently-applied rate limits. + +Altis also includes advanced DDoS protection as standard for our customers. We actively monitor all environments for attacks, with automated interventions and mitigations. Our engineers are on-call 24/7 to respond if necessary, and we work with the AWS Shield Response Team (SRT) where needed to mitigate internet-scale attacks. + +For customers who experience persistent DDoS attacks, Altis will work with your team to put additional mitigations in place. 
For example, stricter rate limits on backend requests (such as `/wp-admin`) may be put in place. + + +## What if my IP address gets blocked? + +Our system operates automatically to detect and mitigate threats. In some cases, this can lead to legitimate users being blocked. + +If you believe your IP address has been blocked accidentally, contact Altis support, who can investigate why an IP address may be blocked. + +For customers with additional DDoS mitigations in place, legitimate backend users (such as editors and site admins) may be blocked at a higher rate than normal. As part of organizing additional mitigations, Altis engineers can relax these mitigations for your users. (Note that regular firewall rules may still apply.) + +Advanced bypassing of our firewall, such as allowing specific IP addresses through ("whitelisting"), requires firewall customisation. + + +## Firewall customizations + +Our firewall is maintained as standard across our platform, and for most customers, you'll never need to worry about your site. Our platform also provides a variety of options for limiting access further, such as [custom nginx configuration](./nginx-configuration.md). + +For customers with advanced use cases, the firewall can be customized at an environment level. This includes allowing specific IP addresses to bypass the firewall, custom blocking rules such as VPN requirements for backend access, and the use of third-party origins. + +Firewall customizations come with a degree of risk, and are carefully managed by our team in conjunction with your requirements. For example, allowing a specific IP address to bypass these protections may increase the chance of your infrastructure being overwhelmed. During the initial setup and testing of customizations, the Altis team will work with you to tune the configuration to manage risk. + +Firewall customizations are a non-standard feature of Altis, and may come with additional charges. Contact Altis support to inquire further. 
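Review bot: the feature name is spelled two ways in this file, which will trip up readers searching the doc and anyone linking to the heading: the "What if my IP address gets blocked?" section says `requires firewall customisation` while the heading reads `## Firewall customizations` (and docs/testing.md links to `#firewall-customizations`). Pick one spelling and use it throughout. In "Protection against exploits", `and other known inputs` does not say what the inputs are known for; "other known malicious input patterns" (or whatever the managed rule set actually covers) would be clearer. The same section presents the `.sql` / `.sh` rule as protection against exfiltration; since a WAF acts on requests, it can only block attempts to fetch those files, and the files themselves still ship with the deploy, so the paragraph should still tell developers to keep such files out of the codebase rather than rely on the firewall. Finally, the "What if my IP address gets blocked?" section tells users to contact support but never says what a blocked client observes (response status or error page), so a reader cannot distinguish a WAF block from an application error; documenting that would save support round-trips.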
diff --git a/docs/testing.md b/docs/testing.md new file mode 100644 index 00000000..f9848a10 --- /dev/null +++ b/docs/testing.md 
@@ -0,0 +1,62 @@ +# Testing + +In order to ensure the performance, reliability, and security of your site, you may wish to perform testing against your Altis environments. Altis permits penetration testing and load testing against your site, with notice provided. + + +## Load Testing + +Load testing is typically used to ensure hosting infrastructure is able to meet demand. On Altis, your server infrastructure automatically scales to meet demand, so load testing is not typically required. Automatic scaling is assisted by our engineers rightsizing your environments when you onboard to the platform, as well as continual tuning and adjustment based on our assessment. + +While small-scale load testing may be conducted against your production environment, these requests will count towards your billable page views. Large-scale load testing may be detected by our [web application firewall](./firewall.md) as a potential denial of service (DoS) attack, and automatically mitigated. + +Altis can provide a production-like environment specifically for load testing. Rate limits and denial of service (DoS) mitigations can be disabled specifically for testing purposes. This environment may come with additional charges. Contact Altis support to organize a load testing environment. + +Before performing any load testing, contact Altis support at least one week in advance of any testing with the following details: + +* Environments under test +* Types of test taking place +* Testing dates +* Test origin, including supplier and IP addresses where possible +* Contact information +* Expected size of test (total requests) +* Expected peak load of test (requests per minute) + +Note that load testing should not be performed against non-production environments, as these environments have different scaling characteristics compared to production environments. In particular, stricter limits and maximums are imposed, as well as different algorithms for how autoscaling applies. 
+ +DDoS simulations and network stress tests may not be performed unless explicitly approved by Altis. + + +## Penetration Testing + +Penetration testing ("pen testing") can be performed against your environments in order to test the security of your codebase. + +Altis also performs penetration testing against the platform as a whole on a yearly basis, including an out-of-the-box configuration of Altis. A copy of our latest penetration testing report is available upon request. + +We recommend performing penetration testing against non-production environments (such as staging) where possible, to avoid affecting live user traffic. Ensure your non-production environment is up-to-date with your production branches before conducting these tests, to ensure your tests are representative. + +Testing of the following is permitted with prior notice: + +* Application security (including XSS, CSRF) +* Input fuzzing +* Privacy and data egress tests + +The following is not permitted at any time: + +* Testing infrastructure not dedicated exclusively to you, such as the Altis Dashboard +* DNS zone walking +* Denial of Service (DoS) or Distributed Denial of Service (DDoS) simulations +* Port, protocol, or request flooding + +Testing is also subject to the [AWS Penetration Testing requirements](https://aws.amazon.com/security/penetration-testing/). + +Before performing any penetration testing, contact Altis support at least one week in advance of any testing with the following details: + +* Environments under test +* Types of test taking place +* Testing dates +* Test origin, including supplier and IP addresses where possible +* Contact information + +This information ensures Altis can respond correctly to any incidents occuring as a result of your test. + +Note that [the Altis firewall](./firewall.md) will remain active throughout your test, as it is an active part of mitigating threats. 
Customers with [firewall customisations](./firewall.md#firewall-customizations) may request bypass of certain rules for testing purposes.
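Review bot: the Load Testing section contradicts itself about non-production environments: it first offers `Altis can provide a production-like environment specifically for load testing` and then states `Note that load testing should not be performed against non-production environments`. Scope the note to the standard non-production environments (for example "such as staging") and state that the dedicated load testing environment is the exception because, as the earlier paragraph says, its rate limits and DoS mitigations can be disabled. Two smaller points: `occuring` in the Penetration Testing section should be "occurring", and the link text "firewall customisations" uses a different spelling from the heading it points to; keep it consistent with docs/firewall.md. Also, input fuzzing is permitted while request flooding is not, but a high-rate fuzzer looks like a request flood to the firewall, which this section says stays active throughout the test; asking testers to include their expected peak request rate in the penetration testing notification, as the load testing list already does, would let both sides agree on that boundary before the test starts.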