How do we implement mod security and can we test before switching?

How does recommend implementing mod security and how do we configure rules for mod security? We are not so much interested in caching yet but may want mod security but need to know how to set up the rules?
We are not at a place where we want to cut over QA and production systems, so is there a way we can test the mod security in a “playground” area?. Can we test without cutting the site over?

You can certainly test before you go live, we have a couple of ways to do this. can be configured for your Production environment and full tested before making any DNS changes. It is the DNS change that actually brings your customers onto our platform, so you can completely set up and test before you go live.

When your site is live on, you may also want to test changes to your apps and the configuration in a sandbox or test environment. Because fully supports a normal development workflow, you can also set up an instance of on your local PC so that you can see if any changes to your app or ModSecurity rules are having the intended effect.