Deep packet inspection (DPI) is a defensive control, one of the filtering mechanisms a DDoS test exercises to confirm it separates attack traffic from legitimate flows. Unlike header-only filtering (ACLs, basic firewalls) that decides on IP, port, and protocol alone, DPI examines the packet payload, reading into the application layer to match signatures, anomalous request patterns, or malformed protocol behavior. That visibility lets it drop floods that look valid at the transport layer but carry attack content, such as L7 request floods or protocol-abuse vectors.
Why it matters in DDoS testing
DPI is computationally expensive: inspecting every byte at line rate consumes far more CPU than header matching, so a DPI tier can itself become the layer of first failure under a high packet rate. A test characterizes that ceiling, the point at which inspection cost saturates the device, and checks its false-positive rate so legitimate users are not caught in the filter.
For where inspection sits relative to edge scrubbing, see AWS Shield vs Cloudflare DDoS Protection.