A throwaway demo workload sitting behind a Google Cloud regional load balancer, with traffic redirected through Imperva's cloud WAF for inspection before it ever reaches the container.
The benign button hits /, which bypasses Imperva (straight to Cloud Run) — expect 200. The attack buttons hit /waf, which is routed through Imperva by a path rule on the load balancer — a classic XSS or SQLi probe should be intercepted upstream once the WAF policy is enforcing (watch for a 403 or a connection reset).