Always-on mitigation is a defensive deployment model in which all traffic flows through DDoS scrubbing continuously, rather than being diverted only after an attack is detected. Because the scrubbing path is always in line, there is no detection-and-cutover delay: the reaction window that on-demand (reactive) protection incurs while it recognizes an attack and reroutes traffic is eliminated. The trade-off is steady-state latency and cost from inspecting clean traffic at all times.
Why it matters in DDoS testing
The deployment model dictates what failure looks like. Always-on removes cutover lag but still has to hold under volume; on-demand stays fast in steady state but exposes the origin during the diversion window, exactly when a pulse-wave attack strikes. Validating either model means generating attack-like load against production carefully, the discipline covered in running a DDoS test without disrupting production.