Deploying to production without load testing means your application's failure threshold under traffic is unknown until it collapses. ISO 25010 performance-efficiency.capacity requires knowing the system's limits before they are breached. NIST SC-5 covers resource availability protection. A deployment that handles 50 concurrent users gracefully may fail at 200 — a traffic spike from a product launch, press mention, or marketing campaign will find that limit in the worst possible context. A 2x peak traffic load test with under 1% error rate gives you a defensible headroom margin.
Low because load testing failures are discovered through the test rather than in production, and most apps never hit the traffic levels required to expose the gap, but an untested capacity ceiling is an invisible risk.
Run a load test using k6. Install it and create a test script that ramps to 2x expected peak traffic.
npm install --save-dev k6
// load-test.js
import http from 'k6/http';
import { check } from 'k6';
export const options = {
stages: [
{ duration: '2m', target: 100 }, // ramp up to expected peak
{ duration: '5m', target: 200 }, // hold at 2x peak
{ duration: '2m', target: 0 }, // ramp down
],
thresholds: {
http_req_failed: ['rate<0.01'], // <1% errors
http_req_duration: ['p(95)<500'], // 95th percentile under 500ms
},
};
export default function () {
const res = http.get('https://your-app.com/');
check(res, { 'status is 200': (r) => r.status === 200 });
}
Run with k6 run load-test.js and document results (p50, p95, error rate, peak concurrent users) in DEPLOYMENT.md.
ID: deployment-readiness.environment-configuration.load-testing
Severity: low
What to look for: Enumerate every relevant item. Look for load testing tools in dependencies (k6, artillery, locust, Apache JMeter) or documentation of load tests. Look for test scripts, results, or baseline metrics. Verify test simulated at least 2x expected traffic and error rate was under 1%.
Pass criteria: Load testing has been performed simulating at least 2x expected peak traffic. Results show application remains stable with error rate under 1%.
Fail criteria: No load testing performed, or test did not simulate 2x traffic, or application experienced error rate above 1%.
Skip (N/A) when: The project is API-only with no performance requirements, or traffic expectations are unknown.
Detail on fail: "No load testing found. Peak traffic capacity is unknown." or "Load test performed but only simulated 1.5x peak traffic, below 2x requirement."
Remediation: Run a load test using k6 (cloud-based, free tier):
npm install --save-dev k6
Create load-test.js:
import http from 'k6/http';
import { check } from 'k6';
export let options = {
stages: [
{ duration: '2m', target: 100 },
{ duration: '5m', target: 200 }, // 2x expected traffic
{ duration: '2m', target: 0 },
],
};
export default function () {
let res = http.get('https://your-app.com/');
check(res, {
'status is 200': (r) => r.status === 200,
'response time < 500ms': (r) => r.timings.duration < 500,
});
}
Then run:
k6 run load-test.js
Document results in your DEPLOYMENT.md.