diff --git a/.github/workflows/appsec.yml b/.github/workflows/appsec.yml
index 7519e0ef91..8e84e776cf 100644
--- a/.github/workflows/appsec.yml
+++ b/.github/workflows/appsec.yml
@@ -42,6 +42,9 @@ concurrency:
   # Automatically cancel previous runs if a new one is triggered to conserve resources.
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
 
+permissions:
+  contents: read
+
 jobs:
   # Prepare the cache of Go modules to share it will the other jobs.
   # This maximizes cache hits and minimizes the time spent downloading Go modules.
diff --git a/.github/workflows/datadog-static-analysis.yml b/.github/workflows/datadog-static-analysis.yml
index 8094914c28..9a00adaad1 100644
--- a/.github/workflows/datadog-static-analysis.yml
+++ b/.github/workflows/datadog-static-analysis.yml
@@ -2,6 +2,10 @@ on: [push]
 
 name: Datadog Static Analysis
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   static-analysis:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ecosystems-label-issue copy.yml b/.github/workflows/ecosystems-label-issue.yml
similarity index 90%
rename from .github/workflows/ecosystems-label-issue copy.yml
rename to .github/workflows/ecosystems-label-issue.yml
index f63226c003..29853e45bc 100644
--- a/.github/workflows/ecosystems-label-issue copy.yml	
+++ b/.github/workflows/ecosystems-label-issue.yml
@@ -5,6 +5,9 @@ on:
       - reopened
       - opened
       - edited
+permissions:
+  contents: read
+  issues: write
 jobs:
   label_issues:
     if: contains(github.event.issue.title, 'contrib')
diff --git a/.github/workflows/ecosystems-label-pr.yml b/.github/workflows/ecosystems-label-pr.yml
index 36f35b5422..4cadafd3e7 100644
--- a/.github/workflows/ecosystems-label-pr.yml
+++ b/.github/workflows/ecosystems-label-pr.yml
@@ -7,6 +7,9 @@ on:
       - opened
       - reopened
       - edited
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   label_issues:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 8e18bed26c..aec9d5d36d 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -14,6 +14,9 @@ on:
     - cron: '00 00 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   govulncheck-tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/multios-unit-tests.yml b/.github/workflows/multios-unit-tests.yml
index 3ca8900602..1cdd9191b6 100644
--- a/.github/workflows/multios-unit-tests.yml
+++ b/.github/workflows/multios-unit-tests.yml
@@ -29,6 +29,9 @@ on:
 env:
   DD_APPSEC_WAF_TIMEOUT: 1m # Increase time WAF time budget to reduce CI flakiness
 
+permissions:
+  contents: read
+
 jobs:
   test-multi-os:
     runs-on: "${{ inputs.runs-on }}"
diff --git a/.github/workflows/parametric-tests.yml b/.github/workflows/parametric-tests.yml
index 7ac69d738b..152bc0ec2d 100644
--- a/.github/workflows/parametric-tests.yml
+++ b/.github/workflows/parametric-tests.yml
@@ -21,6 +21,9 @@ on:
   schedule:
     - cron:  '00 04 * * 2-6'
 
+permissions:
+  contents: read
+
 jobs:
   parametric-tests:
     if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go')
diff --git a/.github/workflows/smoke-tests.yml b/.github/workflows/smoke-tests.yml
index bed0c20b43..19680b973b 100644
--- a/.github/workflows/smoke-tests.yml
+++ b/.github/workflows/smoke-tests.yml
@@ -27,6 +27,9 @@ on:
 env:
   TEST_RESULTS: /tmp/test-results # path to where test results will be saved
 
+permissions:
+  contents: read
+
 jobs:
   go-get-u:
     #  Run go get -u to upgrade dd-trace-go dependencies to their
@@ -90,7 +93,7 @@ jobs:
           ref: ${{ inputs.ref || github.ref }}
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
           cache: true
       - name: go mod tidy
         run: |-
@@ -185,7 +188,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: ./internal/apps/setup-smoke-test/Dockerfile
+          file: ./internal/setup-smoke-test/Dockerfile
           push: false
           load: true
           tags: smoke-test
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index caec4742e2..24ffaae4da 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,6 +4,10 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml
index 82652d7fc3..c5d95b7ca0 100644
--- a/.github/workflows/system-tests.yml
+++ b/.github/workflows/system-tests.yml
@@ -27,6 +27,9 @@ on:
   schedule:
     - cron:  '00 04 * * 2-6'
 
+permissions:
+  contents: read
+
 jobs:
   system-tests:
     if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go')
@@ -43,6 +46,8 @@ jobs:
           - uds-echo
         scenario:
           - DEFAULT
+          - INTEGRATIONS
+          - CROSSED_TRACING_LIBRARIES
           - APPSEC_DISABLED
           - APPSEC_BLOCKING
           - APPSEC_BLOCKING_FULL_DENYLIST
@@ -103,6 +108,8 @@ jobs:
       DD_API_KEY: ${{ secrets.DD_API_KEY }}
       SYSTEM_TESTS_E2E_DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
       SYSTEM_TESTS_E2E_DD_APP_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
+      SYSTEM_TESTS_AWS_ACCESS_KEY_ID: ${{ secrets.SYSTEM_TESTS_IDM_AWS_ACCESS_KEY_ID }}
+      SYSTEM_TESTS_AWS_SECRET_ACCESS_KEY: ${{ secrets.SYSTEM_TESTS_IDM_AWS_SECRET_ACCESS_KEY }}
     name: Test (${{ matrix.weblog-variant }}, ${{ matrix.scenario }})
     steps:
       - name: Checkout system tests
diff --git a/.github/workflows/test-apps.cue b/.github/workflows/test-apps.cue
index 72e6953cef..1f45dea13b 100644
--- a/.github/workflows/test-apps.cue
+++ b/.github/workflows/test-apps.cue
@@ -115,6 +115,10 @@ env: {
   DD_TAGS: "github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs['arg: tags'] }}",
 }
 
+permissions: {
+    contents: "read",
+}
+
 jobs: {
     for i, scenario in #scenarios {
         for j, env in #envs {
diff --git a/.github/workflows/test-apps.yml b/.github/workflows/test-apps.yml
index 95044a8564..bff3c60c53 100644
--- a/.github/workflows/test-apps.yml
+++ b/.github/workflows/test-apps.yml
@@ -64,6 +64,8 @@ name: Test Apps
 env:
   DD_ENV: github
   DD_TAGS: 'github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs[''arg: tags''] }}'
+permissions:
+  contents: read
 jobs:
   job-0-0:
     name: unit-of-work/v1 (prod)
diff --git a/.github/workflows/unit-integration-tests.yml b/.github/workflows/unit-integration-tests.yml
index ac3c391982..cf0996709e 100644
--- a/.github/workflows/unit-integration-tests.yml
+++ b/.github/workflows/unit-integration-tests.yml
@@ -20,6 +20,9 @@ env:
   # without having to download a newer one.
   GOTOOLCHAIN: local
 
+permissions:
+  contents: read
+
 jobs:
   copyright:
     runs-on: ubuntu-latest
@@ -28,10 +31,14 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ inputs.ref || github.ref }}
-      - name: Setup Go
+      - name: Setup Go 
         uses: ./.github/actions/setup-go
         with:
           go-version: ${{ inputs.go-version }}
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
       - name: Copyright
         run: |
           go run checkcopyright.go
diff --git a/appsec/appsec.go b/appsec/appsec.go
index 9298fe79d3..6fe2663a65 100644
--- a/appsec/appsec.go
+++ b/appsec/appsec.go
@@ -33,7 +33,7 @@ var appsecDisabledLog sync.Once
 // Note that passing the raw bytes of the HTTP request body is not expected and would
 // result in inaccurate attack detection.
 // This function always returns nil when appsec is disabled.
-func MonitorParsedHTTPBody(ctx context.Context, body interface{}) error {
+func MonitorParsedHTTPBody(ctx context.Context, body any) error {
 	if !appsec.Enabled() {
 		appsecDisabledLog.Do(func() { log.Warn("appsec: not enabled. Body blocking checks won't be performed.") })
 		return nil
@@ -60,7 +60,15 @@ func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption
 		appsecDisabledLog.Do(func() { log.Warn("appsec: not enabled. User blocking checks won't be performed.") })
 		return nil
 	}
-	return sharedsec.MonitorUser(ctx, id)
+
+	op, errPtr := usersec.StartUserLoginOperation(ctx, usersec.UserLoginOperationArgs{})
+	op.Finish(usersec.UserLoginOperationRes{
+		UserID:    id,
+		SessionID: getSessionID(opts...),
+		Success:   true,
+	})
+
+	return *errPtr
 }
 
 // TrackUserLoginSuccessEvent sets a successful user login event, with the given
@@ -76,17 +84,7 @@ func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption
 // Take-Over (ATO) monitoring, ultimately blocking the IP address and/or user id
 // associated to them.
 func TrackUserLoginSuccessEvent(ctx context.Context, uid string, md map[string]string, opts ...tracer.UserMonitoringOption) error {
-	span := getRootSpan(ctx)
-	if span == nil {
-		return nil
-	}
-
-	const tagPrefix = "appsec.events.users.login.success."
-	span.SetTag(tagPrefix+"track", true)
-	for k, v := range md {
-		span.SetTag(tagPrefix+k, v)
-	}
-	span.SetTag(ext.ManualKeep, true)
+	TrackCustomEvent(ctx, "users.login.success", md)
 	return SetUser(ctx, uid, opts...)
 }
 
@@ -106,14 +104,15 @@ func TrackUserLoginFailureEvent(ctx context.Context, uid string, exists bool, md
 		return
 	}
 
-	const tagPrefix = "appsec.events.users.login.failure."
-	span.SetTag(tagPrefix+"track", true)
-	span.SetTag(tagPrefix+"usr.id", uid)
-	span.SetTag(tagPrefix+"usr.exists", exists)
-	for k, v := range md {
-		span.SetTag(tagPrefix+k, v)
-	}
-	span.SetTag(ext.ManualKeep, true)
+	// We need to do the first call to SetTag ourselves because the map taken by TrackCustomEvent is map[string]string
+	// and not map [string]any, so the `exists` boolean variable does not fit int
+	span.SetTag("appsec.events.users.login.failure.usr.exists", exists)
+	span.SetTag("appsec.events.users.login.failure.usr.id", uid)
+
+	TrackCustomEvent(ctx, "users.login.failure", md)
+
+	op, _ := usersec.StartUserLoginOperation(ctx, usersec.UserLoginOperationArgs{})
+	op.Finish(usersec.UserLoginOperationRes{UserID: uid, Success: false})
 }
 
 // TrackCustomEvent sets a custom event as service entry span tags. This span is
@@ -145,3 +144,13 @@ func getRootSpan(ctx context.Context) *tracer.Span {
 	}
 	return span.Root()
 }
+
+func getSessionID(opts ...tracer.UserMonitoringOption) string {
+	cfg := &tracer.UserMonitoringConfig{
+		Metadata: make(map[string]string),
+	}
+	for _, opt := range opts {
+		opt(cfg)
+	}
+	return cfg.SessionID
+}
diff --git a/contrib/99designs/gqlgen/appsec_test.go b/contrib/99designs/gqlgen/appsec_test.go
new file mode 100644
index 0000000000..cb6beb1ca8
--- /dev/null
+++ b/contrib/99designs/gqlgen/appsec_test.go
@@ -0,0 +1,332 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2022 Datadog, Inc.
+
+package gqlgen
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/99designs/gqlgen/client"
+	"github.com/99designs/gqlgen/graphql"
+	"github.com/99designs/gqlgen/graphql/handler"
+	"github.com/99designs/gqlgen/graphql/handler/transport"
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/mocktracer"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec"
+	"github.com/stretchr/testify/require"
+	"github.com/vektah/gqlparser/v2"
+	"github.com/vektah/gqlparser/v2/ast"
+	"github.com/vektah/gqlparser/v2/gqlerror"
+)
+
+func TestAppSec(t *testing.T) {
+	restore := enableAppSec(t)
+	defer restore()
+
+	t.Run("monitoring", func(t *testing.T) {
+		const (
+			topLevelAttack = "he protec"
+			nestedAttack   = "he attac, but most importantly: he Tupac"
+		)
+		schema := gqlparser.MustLoadSchema(&ast.Source{Input: `type Query {
+			topLevel(id: String!): TopLevel!
+			topLevelMapped(map: MapInput!, key: String!, index: Int!): TopLevel!
+		}
+
+		type TopLevel {
+			nested(id: String!): String!
+		}
+
+		input MapInput {
+			ids: [String!]!
+			bool: Boolean!
+			float: Float!
+		}`})
+		server := handler.New(&graphql.ExecutableSchemaMock{
+			ExecFunc:   execFunc,
+			SchemaFunc: func() *ast.Schema { return schema },
+		})
+		server.Use(NewTracer())
+		server.AddTransport(transport.POST{})
+		c := client.New(server)
+		testCases := map[string]struct {
+			query     string
+			variables map[string]any
+		}{
+			"basic": {
+				query: `query TestQuery($topLevelId: String!, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`,
+				variables: map[string]any{
+					"topLevelId": topLevelAttack,
+					"nestedId":   nestedAttack,
+				},
+			},
+			"with-default-parameter": {
+				query: fmt.Sprintf(`query TestQuery($topLevelId: String = %#v, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`, topLevelAttack),
+				variables: map[string]any{
+					// "topLevelId" omitted (default value used)
+					"nestedId": nestedAttack,
+				},
+			},
+			"embedded-variable": {
+				query: `query TestQuery($topLevelId: String!, $nestedId: String!) {
+					topLevel: topLevelMapped(map: { ids: ["foo", $topLevelId, "baz"], bool: true, float: 3.14 }, key: "ids", index: 1) {
+						nested(id: $nestedId)
+					}
+				}`,
+				variables: map[string]any{
+					"topLevelId": topLevelAttack,
+					"nestedId":   nestedAttack,
+				},
+			},
+		}
+		for name, tc := range testCases {
+			t.Run(name, func(t *testing.T) {
+				mt := mocktracer.Start()
+				defer mt.Stop()
+
+				var resp map[string]any
+				err := c.Post(
+					tc.query, &resp,
+					client.Var("topLevelId", topLevelAttack), client.Var("nestedId", nestedAttack),
+					client.Operation("TestQuery"),
+				)
+				require.NoError(t, err)
+
+				require.Equal(t, map[string]any{"topLevel": map[string]any{"nested": fmt.Sprintf("%s/%s", topLevelAttack, nestedAttack)}}, resp)
+
+				// Ensure the query produced the expected appsec events
+				spans := mt.FinishedSpans()
+				require.NotEmpty(t, spans)
+
+				// The last finished span (which is GraphQL entry) should have the "_dd.appsec.enabled" tag.
+				span := spans[len(spans)-1]
+				require.Equal(t, 1, span.Tag("_dd.appsec.enabled"))
+
+				type ddAppsecJSON struct {
+					Triggers []struct {
+						Rule struct {
+							ID string `json:"id"`
+						} `json:"rule"`
+					} `json:"triggers"`
+				}
+
+				jsonText, ok := span.Tag("_dd.appsec.json").(string)
+				require.True(t, ok, "expected _dd.appsec.json tag on span")
+
+				var parsed ddAppsecJSON
+				err = json.Unmarshal([]byte(jsonText), &parsed)
+				require.NoError(t, err)
+
+				ids := make([]string, 0, len(parsed.Triggers))
+				for _, trigger := range parsed.Triggers {
+					ids = append(ids, trigger.Rule.ID)
+				}
+
+				require.ElementsMatch(t, ids, []string{"test-rule-001", "test-rule-002"})
+			})
+		}
+	})
+}
+
+type appSecQuery struct{}
+
+func (q *appSecQuery) TopLevel(_ context.Context, args struct{ ID string }) (*appSecTopLevel, error) {
+	return &appSecTopLevel{args.ID}, nil
+}
+func (q *appSecQuery) TopLevelMapped(
+	ctx context.Context,
+	args struct {
+		Map struct {
+			IDs   []string
+			Bool  bool
+			Float float64
+		}
+		Key   string
+		Index int32
+	},
+) (*appSecTopLevel, error) {
+	id := args.Map.IDs[args.Index]
+	return q.TopLevel(ctx, struct{ ID string }{id})
+}
+
+type appSecTopLevel struct {
+	id string
+}
+
+func (a *appSecTopLevel) Nested(_ context.Context, args struct{ ID string }) (string, error) {
+	return fmt.Sprintf("%s/%s", a.id, args.ID), nil
+}
+
+// enableAppSec ensures the environment variable to enable appsec is active, and
+// returns a function to restore the previous environment state.
+func enableAppSec(t *testing.T) func() {
+	const rules = `{
+		"version": "2.2",
+		"metadata": {
+			"rules_version": "0.1337.42"
+		},
+		"rules": [
+			{
+				"id": "test-rule-001",
+				"name": "Phony rule number 1",
+				"tags": {
+					"category": "canary",
+					"type": "meme-protec"
+				},
+				"conditions": [{
+					"operator": "phrase_match",
+					"parameters": {
+						"inputs": [{ "address": "graphql.server.resolver" }],
+						"list": ["he protec"]
+					}
+				}],
+				"transformers": ["lowercase"],
+				"on_match": []
+			},
+			{
+				"id": "test-rule-002",
+				"name": "Phony rule number 2",
+				"tags": {
+					"category": "canary",
+					"type": "meme-attac"
+				},
+				"conditions": [{
+					"operator": "phrase_match",
+					"parameters": {
+						"inputs": [{ "address": "graphql.server.resolver" }],
+						"list": ["he attac"]
+					}
+				}],
+				"transformers": ["lowercase"],
+				"on_match": []
+			},
+			{
+				"id": "test-rule-003",
+				"name": "Phony rule number 3",
+				"tags": {
+					"category": "canary",
+					"type": "meme-tupac"
+				},
+				"conditions": [{
+					"operator": "phrase_match",
+					"parameters": {
+						"inputs": [{ "address": "graphql.server.all_resolvers" }],
+						"list": ["he tupac"]
+					}
+				}],
+				"transformers": ["lowercase"],
+				"on_match": []
+			}
+		]
+	}`
+	tmpDir, err := os.MkdirTemp("", "dd-trace-go.graphql-go.graphql.appsec_test.rules-*")
+	require.NoError(t, err)
+	rulesFile := path.Join(tmpDir, "rules.json")
+	err = os.WriteFile(rulesFile, []byte(rules), 0644)
+	require.NoError(t, err)
+	t.Setenv("DD_APPSEC_ENABLED", "1")
+	t.Setenv("DD_APPSEC_RULES", rulesFile)
+	appsec.Start()
+	cleanup := func() {
+		appsec.Stop()
+		_ = os.RemoveAll(tmpDir)
+	}
+	if !appsec.Enabled() {
+		cleanup()
+		t.Skip("could not enable appsec: this platform is likely not supported")
+	}
+	return cleanup
+}
+
+func execFunc(ctx context.Context) graphql.ResponseHandler {
+	type topLevel struct {
+		id string
+	}
+	op := graphql.GetOperationContext(ctx)
+	switch op.Operation.Operation {
+	case ast.Query:
+		return func(ctx context.Context) *graphql.Response {
+			fields := graphql.CollectFields(op, op.Operation.SelectionSet, []string{"Query"})
+			var (
+				val    = make(map[string]any, len(fields))
+				errors gqlerror.List
+			)
+			for _, field := range fields {
+				ctx = graphql.WithFieldContext(ctx, &graphql.FieldContext{
+					Object: "Query",
+					Field:  field,
+					Args:   field.ArgumentMap(op.Variables),
+				})
+				fieldVal, err := op.ResolverMiddleware(ctx, func(ctx context.Context) (any, error) {
+					switch field.Name {
+					case "topLevel":
+						arg := field.Arguments.ForName("id")
+						id, err := arg.Value.Value(op.Variables)
+						return &topLevel{id.(string)}, err
+					case "topLevelMapped":
+						obj, err := field.Arguments.ForName("map").Value.Value(op.Variables)
+						if err != nil {
+							return nil, err
+						}
+						key, err := field.Arguments.ForName("key").Value.Value(op.Variables)
+						if err != nil {
+							return nil, err
+						}
+						index, err := field.Arguments.ForName("index").Value.Value(op.Variables)
+						if err != nil {
+							return nil, err
+						}
+						id := ((obj.(map[string]any))[key.(string)].([]any))[index.(int64)]
+						return &topLevel{id.(string)}, nil
+					default:
+						return nil, fmt.Errorf("unknown field: %s", field.Name)
+					}
+				})
+				if err != nil {
+					errors = append(errors, gqlerror.Errorf("%v", err))
+				} else {
+					redux := make(map[string]any, len(field.SelectionSet))
+					for _, nested := range graphql.CollectFields(op, field.SelectionSet, []string{"TopLevel"}) {
+						ctx = graphql.WithFieldContext(ctx, &graphql.FieldContext{
+							Object: "TopLevel",
+							Field:  nested,
+							Args:   nested.ArgumentMap(op.Variables),
+						})
+						nestedVal, err := op.ResolverMiddleware(ctx, func(ctx context.Context) (any, error) {
+							switch nested.Name {
+							case "nested":
+								arg := nested.Arguments.ForName("id")
+								id, err := arg.Value.Value(op.Variables)
+								return fmt.Sprintf("%s/%s", fieldVal.(*topLevel).id, id.(string)), err
+							default:
+								return nil, fmt.Errorf("unknown field: %s", nested.Name)
+							}
+						})
+						if err != nil {
+							errors = append(errors, gqlerror.Errorf("%v", err))
+						} else {
+							redux[nested.Alias] = nestedVal
+						}
+					}
+					val[field.Alias] = redux
+				}
+			}
+			data, err := json.Marshal(val)
+			if err != nil {
+				errors = append(errors, gqlerror.Errorf("%v", err))
+			}
+			return &graphql.Response{
+				Data:   data,
+				Errors: errors,
+			}
+		}
+	default:
+		return graphql.OneShot(graphql.ErrorResponse(ctx, "not implemented"))
+	}
+}
diff --git a/contrib/99designs/gqlgen/tracer.go b/contrib/99designs/gqlgen/tracer.go
index dc23685340..ed91ee5b1c 100644
--- a/contrib/99designs/gqlgen/tracer.go
+++ b/contrib/99designs/gqlgen/tracer.go
@@ -26,7 +26,6 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec/types"
 )
 
 const componentName = instrumentation.Package99DesignsGQLGen
@@ -76,12 +75,12 @@ func (t *gqlTracer) Validate(_ graphql.ExecutableSchema) error {
 func (t *gqlTracer) InterceptOperation(ctx context.Context, next graphql.OperationHandler) graphql.ResponseHandler {
 	opCtx := graphql.GetOperationContext(ctx)
 	span, ctx := t.createRootSpan(ctx, opCtx)
-	ctx, req := graphqlsec.StartRequestOperation(ctx, span, types.RequestOperationArgs{
+	ctx, req := graphqlsec.StartRequestOperation(ctx, graphqlsec.RequestOperationArgs{
 		RawQuery:      opCtx.RawQuery,
 		OperationName: opCtx.OperationName,
 		Variables:     opCtx.Variables,
 	})
-	ctx, query := graphqlsec.StartExecutionOperation(ctx, span, types.ExecutionOperationArgs{
+	ctx, query := graphqlsec.StartExecutionOperation(ctx, graphqlsec.ExecutionOperationArgs{
 		Query:         opCtx.RawQuery,
 		OperationName: opCtx.OperationName,
 		Variables:     opCtx.Variables,
@@ -96,14 +95,21 @@ func (t *gqlTracer) InterceptOperation(ctx context.Context, next graphql.Operati
 			}
 			defer span.Finish(tracer.WithError(err))
 		}
-		query.Finish(types.ExecutionOperationRes{
-			Data:  response.Data, // NB - This is raw data, but rather not parse it (possibly expensive).
-			Error: response.Errors,
-		})
-		req.Finish(types.RequestOperationRes{
-			Data:  response.Data, // NB - This is raw data, but rather not parse it (possibly expensive).
-			Error: response.Errors,
-		})
+
+		var (
+			executionOperationRes graphqlsec.ExecutionOperationRes
+			requestOperationRes   graphqlsec.RequestOperationRes
+		)
+		if response != nil {
+			executionOperationRes.Data = response.Data
+			executionOperationRes.Error = response.Errors
+
+			requestOperationRes.Data = response.Data
+			requestOperationRes.Error = response.Errors
+		}
+
+		query.Finish(executionOperationRes)
+		req.Finish(span, requestOperationRes)
 		return response
 	}
 }
@@ -139,13 +145,13 @@ func (t *gqlTracer) InterceptField(ctx context.Context, next graphql.Resolver) (
 
 	span, ctx := tracer.StartSpanFromContext(ctx, fieldOp, opts...)
 	defer func() { span.Finish(tracer.WithError(err)) }()
-	ctx, op := graphqlsec.StartResolveOperation(ctx, span, types.ResolveOperationArgs{
+	ctx, op := graphqlsec.StartResolveOperation(ctx, graphqlsec.ResolveOperationArgs{
 		Arguments: fieldCtx.Args,
 		TypeName:  fieldCtx.Object,
 		FieldName: fieldCtx.Field.Name,
 		Trivial:   isTrivial,
 	})
-	defer func() { op.Finish(types.ResolveOperationRes{Data: res, Error: err}) }()
+	defer func() { op.Finish(graphqlsec.ResolveOperationRes{Data: res, Error: err}) }()
 
 	res, err = next(ctx)
 	return
diff --git a/contrib/99designs/gqlgen/tracer_test.go b/contrib/99designs/gqlgen/tracer_test.go
index e36ff984a6..b9aa149d36 100644
--- a/contrib/99designs/gqlgen/tracer_test.go
+++ b/contrib/99designs/gqlgen/tracer_test.go
@@ -206,3 +206,91 @@ func newTestClient(t *testing.T, h *testserver.TestServer, tracer graphql.Handle
 	h.Use(tracer)
 	return client.New(h)
 }
+
+func TestInterceptOperation(t *testing.T) {
+	assertions := assert.New(t)
+	graphqlTestSrv := testserver.New()
+	c := newTestClient(t, graphqlTestSrv, NewTracer())
+
+	t.Run("intercept operation with graphQL Query", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		err := c.Post(`{ name }`, &testServerResponse{})
+		assertions.Nil(err)
+
+		allSpans := mt.FinishedSpans()
+		var root mocktracer.Span
+		var resNames []string
+		var opNames []string
+		for _, span := range allSpans {
+			if span.ParentID() == 0 {
+				root = span
+			}
+			resNames = append(resNames, span.Tag(ext.ResourceName).(string))
+			opNames = append(opNames, span.OperationName())
+			assertions.Equal("99designs/gqlgen", span.Tag(ext.Component))
+		}
+		assertions.ElementsMatch(resNames, []string{readOp, parsingOp, validationOp, "Query.name", `{ name }`})
+		assertions.ElementsMatch(opNames, []string{readOp, parsingOp, validationOp, fieldOp, "graphql.query"})
+		assertions.NotNil(root)
+		assertions.Nil(root.Tag(ext.Error))
+	})
+
+	t.Run("intercept operation with graphQL Mutation", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		err := c.Post(`mutation Name { name }`, &testServerResponse{})
+		// due to testserver.New() implementation, mutation is not supported
+		assertions.NotNil(err)
+
+		allSpans := mt.FinishedSpans()
+		var root mocktracer.Span
+		var resNames []string
+		var opNames []string
+		for _, span := range allSpans {
+			if span.ParentID() == 0 {
+				root = span
+			}
+			resNames = append(resNames, span.Tag(ext.ResourceName).(string))
+			opNames = append(opNames, span.OperationName())
+			assertions.Equal("99designs/gqlgen", span.Tag(ext.Component))
+		}
+		assertions.ElementsMatch(resNames, []string{readOp, parsingOp, validationOp, `mutation Name { name }`})
+		assertions.ElementsMatch(opNames, []string{readOp, parsingOp, validationOp, "graphql.mutation"})
+		assertions.NotNil(root)
+		assertions.NotNil(root.Tag(ext.Error))
+	})
+
+	t.Run("intercept operation with graphQL Subscription", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		go func() {
+			graphqlTestSrv.SendCompleteSubscriptionMessage()
+		}()
+
+		// using raw post because post try to access nil response's Data field
+		resp, err := c.RawPost(`subscription Name { name }`)
+		assertions.Nil(err)
+		assertions.Nil(resp)
+
+		allSpans := mt.FinishedSpans()
+		var root mocktracer.Span
+		var resNames []string
+		var opNames []string
+		for _, span := range allSpans {
+			if span.ParentID() == 0 {
+				root = span
+			}
+			resNames = append(resNames, span.Tag(ext.ResourceName).(string))
+			opNames = append(opNames, span.OperationName())
+			assertions.Equal("99designs/gqlgen", span.Tag(ext.Component))
+		}
+		assertions.ElementsMatch(resNames, []string{`subscription Name { name }`, `subscription Name { name }`, "subscription Name { name }"})
+		assertions.ElementsMatch(opNames, []string{readOp, parsingOp, validationOp})
+		assertions.NotNil(root)
+		assertions.Nil(root.Tag(ext.Error))
+	})
+}
diff --git a/contrib/aws/aws-sdk-go-v2/aws/aws.go b/contrib/aws/aws-sdk-go-v2/aws/aws.go
index 5a5c4aa98d..c131418a30 100644
--- a/contrib/aws/aws-sdk-go-v2/aws/aws.go
+++ b/contrib/aws/aws-sdk-go-v2/aws/aws.go
@@ -369,3 +369,16 @@ func coalesceNameOrArnResource(name *string, arnVal *string) string {
 
 	return ""
 }
+
+func coalesceNameOrArnResource(name *string, arnVal *string) string {
+	if name != nil {
+		return *name
+	}
+
+	if arnVal != nil {
+		parts := strings.Split(*arnVal, "/")
+		return parts[len(parts)-1]
+	}
+
+	return ""
+}
diff --git a/contrib/aws/aws-sdk-go-v2/aws/aws_test.go b/contrib/aws/aws-sdk-go-v2/aws/aws_test.go
index c3f7c14301..294aa71a6c 100644
--- a/contrib/aws/aws-sdk-go-v2/aws/aws_test.go
+++ b/contrib/aws/aws-sdk-go-v2/aws/aws_test.go
@@ -1001,3 +1001,64 @@ func TestStreamName(t *testing.T) {
 		})
 	}
 }
+
+func TestStreamName(t *testing.T) {
+	dummyName := `my-stream`
+	dummyArn := `arn:aws:kinesis:us-east-1:111111111111:stream/` + dummyName
+
+	tests := []struct {
+		name     string
+		input    any
+		expected string
+	}{
+		{
+			name:     "PutRecords with ARN",
+			input:    &kinesis.PutRecordsInput{StreamARN: &dummyArn},
+			expected: dummyName,
+		},
+		{
+			name:     "PutRecords with Name",
+			input:    &kinesis.PutRecordsInput{StreamName: &dummyName},
+			expected: dummyName,
+		},
+		{
+			name:     "PutRecords with both",
+			input:    &kinesis.PutRecordsInput{StreamName: &dummyName, StreamARN: &dummyArn},
+			expected: dummyName,
+		},
+		{
+			name:     "PutRecord with Name",
+			input:    &kinesis.PutRecordInput{StreamName: &dummyName},
+			expected: dummyName,
+		},
+		{
+			name:     "CreateStream",
+			input:    &kinesis.CreateStreamInput{StreamName: &dummyName},
+			expected: dummyName,
+		},
+		{
+			name:     "CreateStream with nothing",
+			input:    &kinesis.CreateStreamInput{},
+			expected: "",
+		},
+		{
+			name:     "GetRecords",
+			input:    &kinesis.GetRecordsInput{StreamARN: &dummyArn},
+			expected: dummyName,
+		},
+		{
+			name:     "GetRecords with nothing",
+			input:    &kinesis.GetRecordsInput{},
+			expected: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := middleware.InitializeInput{
+				Parameters: tt.input,
+			}
+			val := streamName(req)
+			assert.Equal(t, tt.expected, val)
+		})
+	}
+}
diff --git a/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/config.go b/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/config.go
new file mode 100644
index 0000000000..22fd14b944
--- /dev/null
+++ b/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/config.go
@@ -0,0 +1,43 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package tracing
+
+import (
+	"github.com/DataDog/dd-trace-go/v2/internal/namingschema"
+)
+
+type config struct {
+	serviceName     string
+	publishSpanName string
+	receiveSpanName string
+	measured        bool
+}
+
+func defaultConfig() *config {
+	return &config{
+		serviceName:     namingschema.ServiceNameOverrideV0("", ""),
+		publishSpanName: namingschema.OpName(namingschema.GCPPubSubOutbound),
+		receiveSpanName: namingschema.OpName(namingschema.GCPPubSubInbound),
+		measured:        false,
+	}
+}
+
+// Option is used to customize spans started by WrapReceiveHandler or Publish.
+type Option func(cfg *config)
+
+// WithServiceName sets the service name tag for traces started by WrapReceiveHandler or Publish.
+func WithServiceName(serviceName string) Option {
+	return func(cfg *config) {
+		cfg.serviceName = serviceName
+	}
+}
+
+// WithMeasured sets the measured tag for traces started by WrapReceiveHandler or Publish.
+func WithMeasured() Option {
+	return func(cfg *config) {
+		cfg.measured = true
+	}
+}
diff --git a/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/tracing.go b/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/tracing.go
new file mode 100644
index 0000000000..0e19e15220
--- /dev/null
+++ b/contrib/cloud.google.com/go/pubsub.v1/internal/tracing/tracing.go
@@ -0,0 +1,120 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package tracing
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/DataDog/dd-trace-go/v2/ddtrace"
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+	"github.com/DataDog/dd-trace-go/v2/internal/telemetry"
+)
+
+const componentName = "cloud.google.com/go/pubsub.v1"
+
+func init() {
+	telemetry.LoadIntegration(componentName)
+	tracer.MarkIntegrationImported(componentName)
+}
+
+type Message struct {
+	ID              string
+	Data            []byte
+	OrderingKey     string
+	Attributes      map[string]string
+	DeliveryAttempt *int
+	PublishTime     time.Time
+}
+
+type Topic interface {
+	String() string
+}
+
+type Subscription interface {
+	String() string
+}
+
+func TracePublish(ctx context.Context, topic Topic, msg *Message, opts ...Option) (context.Context, func(serverID string, err error)) {
+	cfg := defaultConfig()
+	for _, opt := range opts {
+		opt(cfg)
+	}
+	spanOpts := []ddtrace.StartSpanOption{
+		tracer.ResourceName(topic.String()),
+		tracer.SpanType(ext.SpanTypeMessageProducer),
+		tracer.Tag("message_size", len(msg.Data)),
+		tracer.Tag("ordering_key", msg.OrderingKey),
+		tracer.Tag(ext.Component, componentName),
+		tracer.Tag(ext.SpanKind, ext.SpanKindProducer),
+		tracer.Tag(ext.MessagingSystem, ext.MessagingSystemGCPPubsub),
+	}
+	if cfg.serviceName != "" {
+		spanOpts = append(spanOpts, tracer.ServiceName(cfg.serviceName))
+	}
+	if cfg.measured {
+		spanOpts = append(spanOpts, tracer.Measured())
+	}
+	span, ctx := tracer.StartSpanFromContext(
+		ctx,
+		cfg.publishSpanName,
+		spanOpts...,
+	)
+	if msg.Attributes == nil {
+		msg.Attributes = make(map[string]string)
+	}
+	if err := tracer.Inject(span.Context(), tracer.TextMapCarrier(msg.Attributes)); err != nil {
+		log.Debug("contrib/cloud.google.com/go/pubsub.v1/trace: failed injecting tracing attributes: %v", err)
+	}
+	span.SetTag("num_attributes", len(msg.Attributes))
+
+	var once sync.Once
+	closeSpan := func(serverID string, err error) {
+		once.Do(func() {
+			span.SetTag("server_id", serverID)
+			span.Finish(tracer.WithError(err))
+		})
+	}
+	return ctx, closeSpan
+}
+
+func TraceReceiveFunc(s Subscription, opts ...Option) func(ctx context.Context, msg *Message) (context.Context, func()) {
+	cfg := defaultConfig()
+	for _, opt := range opts {
+		opt(cfg)
+	}
+	log.Debug("contrib/cloud.google.com/go/pubsub.v1/trace: Wrapping Receive Handler: %#v", cfg)
+	return func(ctx context.Context, msg *Message) (context.Context, func()) {
+		parentSpanCtx, _ := tracer.Extract(tracer.TextMapCarrier(msg.Attributes))
+		opts := []ddtrace.StartSpanOption{
+			tracer.ResourceName(s.String()),
+			tracer.SpanType(ext.SpanTypeMessageConsumer),
+			tracer.Tag("message_size", len(msg.Data)),
+			tracer.Tag("num_attributes", len(msg.Attributes)),
+			tracer.Tag("ordering_key", msg.OrderingKey),
+			tracer.Tag("message_id", msg.ID),
+			tracer.Tag("publish_time", msg.PublishTime.String()),
+			tracer.Tag(ext.Component, componentName),
+			tracer.Tag(ext.SpanKind, ext.SpanKindConsumer),
+			tracer.Tag(ext.MessagingSystem, ext.MessagingSystemGCPPubsub),
+			tracer.ChildOf(parentSpanCtx),
+		}
+		if cfg.serviceName != "" {
+			opts = append(opts, tracer.ServiceName(cfg.serviceName))
+		}
+		if cfg.measured {
+			opts = append(opts, tracer.Measured())
+		}
+		span, ctx := tracer.StartSpanFromContext(ctx, cfg.receiveSpanName, opts...)
+		if msg.DeliveryAttempt != nil {
+			span.SetTag("delivery_attempt", *msg.DeliveryAttempt)
+		}
+		return ctx, func() { span.Finish() }
+	}
+}
diff --git a/contrib/cloud.google.com/go/pubsub.v1/option.go b/contrib/cloud.google.com/go/pubsub.v1/option.go
index 796fc47a2c..32c63e9679 100644
--- a/contrib/cloud.google.com/go/pubsub.v1/option.go
+++ b/contrib/cloud.google.com/go/pubsub.v1/option.go
@@ -7,12 +7,8 @@ package pubsub
 
 import "github.com/DataDog/dd-trace-go/v2/instrumentation"
 
-type config struct {
-	serviceName     string
-	publishSpanName string
-	receiveSpanName string
-	measured        bool
-}
+// Option is used to customize spans started by WrapReceiveHandler or Publish.
+type Option = tracing.Option
 
 func defaultConfig() *config {
 	return &config{
diff --git a/contrib/cloud.google.com/go/pubsub.v1/pubsub.go b/contrib/cloud.google.com/go/pubsub.v1/pubsub.go
index a6f0f0507e..eda72364c3 100644
--- a/contrib/cloud.google.com/go/pubsub.v1/pubsub.go
+++ b/contrib/cloud.google.com/go/pubsub.v1/pubsub.go
@@ -32,58 +32,27 @@ func init() {
 // It is required to call (*PublishResult).Get(ctx) on the value returned by Publish to complete
 // the span.
 func Publish(ctx context.Context, t *pubsub.Topic, msg *pubsub.Message, opts ...Option) *PublishResult {
-	cfg := defaultConfig()
-	for _, opt := range opts {
-		opt.apply(cfg)
-	}
-	spanOpts := []tracer.StartSpanOption{
-		tracer.ResourceName(t.String()),
-		tracer.SpanType(ext.SpanTypeMessageProducer),
-		tracer.Tag("message_size", len(msg.Data)),
-		tracer.Tag("ordering_key", msg.OrderingKey),
-		tracer.Tag(ext.Component, componentName),
-		tracer.Tag(ext.SpanKind, ext.SpanKindProducer),
-		tracer.Tag(ext.MessagingSystem, ext.MessagingSystemGCPPubsub),
-	}
-	if cfg.serviceName != "" {
-		spanOpts = append(spanOpts, tracer.ServiceName(cfg.serviceName))
-	}
-	if cfg.measured {
-		spanOpts = append(spanOpts, tracer.Measured())
-	}
-	span, ctx := tracer.StartSpanFromContext(
-		ctx,
-		cfg.publishSpanName,
-		spanOpts...,
-	)
-	if msg.Attributes == nil {
-		msg.Attributes = make(map[string]string)
-	}
-	if err := tracer.Inject(span.Context(), tracer.TextMapCarrier(msg.Attributes)); err != nil {
-		instr.Logger().Debug("contrib/cloud.google.com/go/pubsub.v1/: failed injecting tracing attributes: %v", err)
-	}
-	span.SetTag("num_attributes", len(msg.Attributes))
+	traceMsg := newTraceMessage(msg)
+	ctx, closeSpan := tracing.TracePublish(ctx, t, traceMsg, opts...)
+	msg.Attributes = traceMsg.Attributes
+
 	return &PublishResult{
 		PublishResult: t.Publish(ctx, msg),
-		span:          span,
+		closeSpan:     closeSpan,
 	}
 }
 
 // PublishResult wraps *pubsub.PublishResult
 type PublishResult struct {
 	*pubsub.PublishResult
-	once sync.Once
-	span *tracer.Span
+	closeSpan func(serverID string, err error)
 }
 
 // Get wraps (pubsub.PublishResult).Get(ctx). When this function returns the publish
 // span created in Publish is completed.
 func (r *PublishResult) Get(ctx context.Context) (string, error) {
 	serverID, err := r.PublishResult.Get(ctx)
-	r.once.Do(func() {
-		r.span.SetTag("server_id", serverID)
-		r.span.Finish(tracer.WithError(err))
-	})
+	r.closeSpan(serverID, err)
 	return serverID, err
 }
 
@@ -91,38 +60,24 @@ func (r *PublishResult) Get(ctx context.Context) (string, error) {
 // extracts any tracing metadata attached to the received message, and starts a
 // receive span.
 func WrapReceiveHandler(s *pubsub.Subscription, f func(context.Context, *pubsub.Message), opts ...Option) func(context.Context, *pubsub.Message) {
-	cfg := defaultConfig()
-	for _, opt := range opts {
-		opt.apply(cfg)
-	}
-	instr.Logger().Debug("contrib/cloud.google.com/go/pubsub.v1: Wrapping Receive Handler: %#v", cfg)
+	traceFn := tracing.TraceReceiveFunc(s, opts...)
 	return func(ctx context.Context, msg *pubsub.Message) {
-		parentSpanCtx, _ := tracer.Extract(tracer.TextMapCarrier(msg.Attributes))
-		opts := []tracer.StartSpanOption{
-			tracer.ResourceName(s.String()),
-			tracer.SpanType(ext.SpanTypeMessageConsumer),
-			tracer.Tag("message_size", len(msg.Data)),
-			tracer.Tag("num_attributes", len(msg.Attributes)),
-			tracer.Tag("ordering_key", msg.OrderingKey),
-			tracer.Tag("message_id", msg.ID),
-			tracer.Tag("publish_time", msg.PublishTime.String()),
-			tracer.Tag(ext.Component, componentName),
-			tracer.Tag(ext.SpanKind, ext.SpanKindConsumer),
-			tracer.Tag(ext.MessagingSystem, ext.MessagingSystemGCPPubsub),
-			tracer.ChildOf(parentSpanCtx),
-		}
-		if cfg.serviceName != "" {
-			opts = append(opts, tracer.ServiceName(cfg.serviceName))
-		}
-		if cfg.measured {
-			opts = append(opts, tracer.Measured())
-		}
-
-		span, ctx := tracer.StartSpanFromContext(ctx, cfg.receiveSpanName, opts...)
-		if msg.DeliveryAttempt != nil {
-			span.SetTag("delivery_attempt", *msg.DeliveryAttempt)
-		}
-		defer span.Finish()
+		ctx, closeSpan := traceFn(ctx, newTraceMessage(msg))
+		defer closeSpan()
 		f(ctx, msg)
 	}
 }
+
+func newTraceMessage(msg *pubsub.Message) *tracing.Message {
+	if msg == nil {
+		return nil
+	}
+	return &tracing.Message{
+		ID:              msg.ID,
+		Data:            msg.Data,
+		OrderingKey:     msg.OrderingKey,
+		Attributes:      msg.Attributes,
+		DeliveryAttempt: msg.DeliveryAttempt,
+		PublishTime:     msg.PublishTime,
+	}
+}
diff --git a/contrib/google.golang.org/grpc/appsec.go b/contrib/google.golang.org/grpc/appsec.go
index 0ae8e67c02..6f1ade9724 100644
--- a/contrib/google.golang.org/grpc/appsec.go
+++ b/contrib/google.golang.org/grpc/appsec.go
@@ -7,67 +7,77 @@ package grpc
 
 import (
 	"context"
+	"sync/atomic"
 
 	"github.com/DataDog/appsec-internal-go/netip"
 	"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/grpcsec"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/grpcsec/types"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/sharedsec"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace/grpctrace"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace/httptrace"
 
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"
+
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/actions"
 )
 
+func applyAction(blockAtomic *atomic.Pointer[actions.BlockGRPC], err *error) bool {
+	if blockAtomic == nil {
+		return false
+	}
+
+	block := blockAtomic.Load()
+	if block == nil {
+		return false
+	}
+
+	code, e := block.GRPCWrapper()
+	*err = status.Error(codes.Code(code), e.Error())
+	return true
+}
+
 // UnaryHandler wrapper to use when AppSec is enabled to monitor its execution.
 func appsecUnaryHandlerMiddleware(method string, span *tracer.Span, handler grpc.UnaryHandler) grpc.UnaryHandler {
 	trace.SetAppSecEnabledTags(span)
 	return func(ctx context.Context, req any) (res any, rpcErr error) {
-		var blockedErr error
 		md, _ := metadata.FromIncomingContext(ctx)
-		clientIP := setClientIP(ctx, span, md)
-		args := types.HandlerOperationArgs{
-			Method:   method,
-			Metadata: md,
-			ClientIP: clientIP,
+		var remoteAddr string
+		if p, ok := peer.FromContext(ctx); ok {
+			remoteAddr = p.Addr.String()
 		}
-		ctx, op := grpcsec.StartHandlerOperation(ctx, args, nil, func(op *types.HandlerOperation) {
-			dyngo.OnData(op, func(a *sharedsec.GRPCAction) {
-				code, err := a.GRPCWrapper()
-				blockedErr = status.Error(codes.Code(code), err.Error())
-			})
+
+		ctx, op, blockAtomic := grpcsec.StartHandlerOperation(ctx, grpcsec.HandlerOperationArgs{
+			Method:     method,
+			Metadata:   md,
+			RemoteAddr: remoteAddr,
 		})
+
 		defer func() {
-			events := op.Finish(types.HandlerOperationRes{})
-			if len(events) > 0 {
-				grpctrace.SetSecurityEventsTags(span, events)
+			var statusCode int
+			if statusErr, ok := rpcErr.(interface{ GRPCStatus() *status.Status }); ok && !applyAction(blockAtomic, &rpcErr) {
+				statusCode = int(statusErr.GRPCStatus().Code())
 			}
-			if blockedErr != nil {
-				op.SetTag(trace.BlockedRequestTag, true)
-				rpcErr = blockedErr
-			}
-			grpctrace.SetRequestMetadataTags(span, md)
-			trace.SetTags(span, op.Tags())
+			op.Finish(span, grpcsec.HandlerOperationRes{StatusCode: statusCode})
+			applyAction(blockAtomic, &rpcErr)
 		}()
 
 		// Check if a blocking condition was detected so far with the start operation event (ip blocking, metadata blocking, etc.)
-		if blockedErr != nil {
-			return nil, blockedErr
+		if applyAction(blockAtomic, &rpcErr) {
+			return
 		}
 
 		// As of our gRPC abstract operation definition, we must fake a receive operation for unary RPCs (the same model fits both unary and streaming RPCs)
-		grpcsec.StartReceiveOperation(types.ReceiveOperationArgs{}, op).Finish(types.ReceiveOperationRes{Message: req})
-		// Check if a blocking condition was detected so far with the receive operation events
-		if blockedErr != nil {
-			return nil, blockedErr
+		if _ = grpcsec.MonitorRequestMessage(ctx, req); applyAction(blockAtomic, &rpcErr) {
+			return
 		}
 
+		defer func() {
+			_ = grpcsec.MonitorResponseMessage(ctx, res)
+			applyAction(blockAtomic, &rpcErr)
+		}()
+
 		// Call the original handler - let the deferred function above handle the blocking condition and return error
 		return handler(ctx, req)
 	}
@@ -77,81 +87,72 @@ func appsecUnaryHandlerMiddleware(method string, span *tracer.Span, handler grpc
 func appsecStreamHandlerMiddleware(method string, span *tracer.Span, handler grpc.StreamHandler) grpc.StreamHandler {
 	trace.SetAppSecEnabledTags(span)
 	return func(srv any, stream grpc.ServerStream) (rpcErr error) {
-		// Create a ServerStream wrapper with appsec RPC handler operation and the Go context (to implement the ServerStream interface)
-		appsecStream := &appsecServerStream{
-			ServerStream: stream,
-			// note: the blockedErr field is captured by the RPC handler's OnData closure below
-		}
-
 		ctx := stream.Context()
 		md, _ := metadata.FromIncomingContext(ctx)
-		clientIP := setClientIP(ctx, span, md)
-		grpctrace.SetRequestMetadataTags(span, md)
+		var remoteAddr string
+		if p, ok := peer.FromContext(ctx); ok {
+			remoteAddr = p.Addr.String()
+		}
 
 		// Create the handler operation and listen to blocking gRPC actions to detect a blocking condition
-		args := types.HandlerOperationArgs{
-			Method:   method,
-			Metadata: md,
-			ClientIP: clientIP,
-		}
-		ctx, op := grpcsec.StartHandlerOperation(ctx, args, nil, func(op *types.HandlerOperation) {
-			dyngo.OnData(op, func(a *sharedsec.GRPCAction) {
-				code, e := a.GRPCWrapper()
-				appsecStream.blockedErr = status.Error(codes.Code(code), e.Error())
-			})
+		ctx, op, blockAtomic := grpcsec.StartHandlerOperation(ctx, grpcsec.HandlerOperationArgs{
+			Method:     method,
+			Metadata:   md,
+			RemoteAddr: remoteAddr,
 		})
 
-		// Finish constructing the appsec stream wrapper and replace the original one
-		appsecStream.handlerOperation = op
-		appsecStream.ctx = ctx
+		// Create a ServerStream wrapper with appsec RPC handler operation and the Go context (to implement the ServerStream interface)
 
 		defer func() {
-			events := op.Finish(types.HandlerOperationRes{})
-
-			if len(events) > 0 {
-				grpctrace.SetSecurityEventsTags(span, events)
+			var statusCode int
+			if res, ok := rpcErr.(interface{ Status() codes.Code }); ok && !applyAction(blockAtomic, &rpcErr) {
+				statusCode = int(res.Status())
 			}
 
-			if appsecStream.blockedErr != nil {
-				op.SetTag(trace.BlockedRequestTag, true)
-				// Change the RPC return error with appsec's
-				rpcErr = appsecStream.blockedErr
-			}
-
-			trace.SetTags(span, op.Tags())
+			op.Finish(span, grpcsec.HandlerOperationRes{StatusCode: statusCode})
+			applyAction(blockAtomic, &rpcErr)
 		}()
 
 		// Check if a blocking condition was detected so far with the start operation event (ip blocking, metadata blocking, etc.)
-		if appsecStream.blockedErr != nil {
-			return appsecStream.blockedErr
+		if applyAction(blockAtomic, &rpcErr) {
+			return
 		}
 
 		// Call the original handler - let the deferred function above handle the blocking condition and return error
-		return handler(srv, appsecStream)
+		return handler(srv, &appsecServerStream{
+			ServerStream:     stream,
+			handlerOperation: op,
+			ctx:              ctx,
+			action:           blockAtomic,
+			rpcErr:           &rpcErr,
+		})
 	}
 }
 
 type appsecServerStream struct {
 	grpc.ServerStream
-	handlerOperation *types.HandlerOperation
+	handlerOperation *grpcsec.HandlerOperation
 	ctx              context.Context
-
-	// blockedErr is used to store the error to return when a blocking sec event is detected.
-	blockedErr error
+	action           *atomic.Pointer[actions.BlockGRPC]
+	rpcErr           *error
 }
 
 // RecvMsg implements grpc.ServerStream interface method to monitor its
 // execution with AppSec.
-func (ss *appsecServerStream) RecvMsg(m interface{}) (err error) {
-	op := grpcsec.StartReceiveOperation(types.ReceiveOperationArgs{}, ss.handlerOperation)
+func (ss *appsecServerStream) RecvMsg(msg any) (err error) {
 	defer func() {
-		op.Finish(types.ReceiveOperationRes{Message: m})
-		if ss.blockedErr != nil {
-			// Change the function call return error with appsec's
-			err = ss.blockedErr
+		if _ = grpcsec.MonitorRequestMessage(ss.ctx, msg); applyAction(ss.action, ss.rpcErr) {
+			err = *ss.rpcErr
 		}
 	}()
-	return ss.ServerStream.RecvMsg(m)
+	return ss.ServerStream.RecvMsg(msg)
+}
+
+func (ss *appsecServerStream) SendMsg(msg any) error {
+	if _ = grpcsec.MonitorResponseMessage(ss.ctx, msg); applyAction(ss.action, ss.rpcErr) {
+		return *ss.rpcErr
+	}
+	return ss.ServerStream.SendMsg(msg)
 }
 
 func (ss *appsecServerStream) Context() context.Context {
diff --git a/contrib/google.golang.org/grpc/appsec_test.go b/contrib/google.golang.org/grpc/appsec_test.go
index 3d26a1a3d9..63c29cbec3 100644
--- a/contrib/google.golang.org/grpc/appsec_test.go
+++ b/contrib/google.golang.org/grpc/appsec_test.go
@@ -9,6 +9,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net"
 	"strings"
 	"testing"
@@ -18,6 +19,7 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/ddtrace/mocktracer"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/testutils"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@@ -27,24 +29,27 @@ import (
 
 func TestAppSec(t *testing.T) {
 	testutils.StartAppSec(t)
+	t.Setenv("DD_APPSEC_WAF_TIMEOUT", "1h") // Functionally unlimited
+	appsec.Start()
+	defer appsec.Stop()
 	if !instr.AppSecEnabled() {
 		t.Skip("appsec disabled")
 	}
 
 	setup := func() (fixturepb.FixtureClient, mocktracer.Tracer, func()) {
-		rig, err := newAppsecRig(false)
+		rig, err := newAppsecRig(t, false)
 		require.NoError(t, err)
 
 		mt := mocktracer.Start()
 
 		return rig.client, mt, func() {
-			rig.Close()
+			assert.NoError(t, rig.Close())
 			mt.Stop()
 		}
 	}
 
 	t.Run("unary", func(t *testing.T) {
-		client, mt, cleanup := setup()
+		client, mt, cleanup := setup(t)
 		defer cleanup()
 
 		// Send a XSS attack in the payload along with the canary value in the RPC metadata
@@ -65,7 +70,7 @@ func TestAppSec(t *testing.T) {
 	})
 
 	t.Run("stream", func(t *testing.T) {
-		client, mt, cleanup := setup()
+		client, mt, cleanup := setup(t)
 		defer cleanup()
 
 		// Send a XSS attack in the payload along with the canary value in the RPC metadata
@@ -122,9 +127,9 @@ func TestAppSec(t *testing.T) {
 			histogram[tr.Rule.ID]++
 		}
 
-		require.EqualValues(t, 1, histogram["crs-941-180"]) // XSS attack attempt
-		require.EqualValues(t, 5, histogram["crs-942-270"]) // SQL-injection attack attempt
-		require.EqualValues(t, 1, histogram["ua0-600-55x"]) // canary rule attack attempt
+		assert.EqualValues(t, 1, histogram["crs-941-180"]) // XSS attack attempt
+		assert.EqualValues(t, 5, histogram["crs-942-270"]) // SQL-injection attack attempt
+		assert.EqualValues(t, 1, histogram["ua0-600-55x"]) // canary rule attack attempt
 
 		require.Len(t, histogram, 3)
 	})
@@ -231,13 +236,13 @@ func TestUserBlocking(t *testing.T) {
 	}
 
 	setup := func() (fixturepb.FixtureClient, mocktracer.Tracer, func()) {
-		rig, err := newAppsecRig(false)
+		rig, err := newAppsecRig(t, false)
 		require.NoError(t, err)
 
 		mt := mocktracer.Start()
 
 		return rig.client, mt, func() {
-			rig.Close()
+			assert.NoError(t, rig.Close())
 			mt.Stop()
 		}
 	}
@@ -275,7 +280,7 @@ func TestUserBlocking(t *testing.T) {
 		} {
 			t.Run(tc.name, func(t *testing.T) {
 				// Helper assertion function to run for the unary and stream tests
-				assert := func(t *testing.T, do func(client fixturepb.FixtureClient)) {
+				withClient := func(t *testing.T, do func(client fixturepb.FixtureClient)) {
 					client, mt, cleanup := setup()
 					defer cleanup()
 
@@ -296,7 +301,7 @@ func TestUserBlocking(t *testing.T) {
 				}
 
 				t.Run("unary", func(t *testing.T) {
-					assert(t, func(client fixturepb.FixtureClient) {
+					withClient(t, func(client fixturepb.FixtureClient) {
 						ctx := metadata.NewOutgoingContext(context.Background(), tc.md)
 						reply, err := client.Ping(ctx, &fixturepb.FixtureRequest{Name: tc.message})
 						require.Nil(t, reply)
@@ -305,19 +310,18 @@ func TestUserBlocking(t *testing.T) {
 				})
 
 				t.Run("stream", func(t *testing.T) {
-					assert(t, func(client fixturepb.FixtureClient) {
+					withClient(t, func(client fixturepb.FixtureClient) {
 						ctx := metadata.NewOutgoingContext(context.Background(), tc.md)
 
 						// Open the stream
 						stream, err := client.StreamPing(ctx)
 						require.NoError(t, err)
-						defer func() {
-							require.NoError(t, stream.CloseSend())
-						}()
+						defer func() { assert.NoError(t, stream.CloseSend()) }()
 
 						// Send a message
-						err = stream.Send(&fixturepb.FixtureRequest{Name: tc.message})
-						require.NoError(t, err)
+						if err := stream.Send(&fixturepb.FixtureRequest{Name: tc.message}); err != io.EOF {
+							require.NoError(t, err)
+						}
 
 						// Receive a message
 						reply, err := stream.Recv()
@@ -340,20 +344,20 @@ func TestPasslist(t *testing.T) {
 		t.Skip("appsec disabled")
 	}
 
-	setup := func() (fixturepb.FixtureClient, mocktracer.Tracer, func()) {
-		rig, err := newAppsecRig(false)
+	setup := func(t *testing.T) (fixturepb.FixtureClient, mocktracer.Tracer, func()) {
+		rig, err := newAppsecRig(t, false)
 		require.NoError(t, err)
 
 		mt := mocktracer.Start()
 
 		return rig.client, mt, func() {
-			rig.Close()
+			assert.NoError(t, rig.Close())
 			mt.Stop()
 		}
 	}
 
 	t.Run("unary", func(t *testing.T) {
-		client, mt, cleanup := setup()
+		client, mt, cleanup := setup(t)
 		defer cleanup()
 
 		// Send the payload triggering the sec event thanks to the "zouzou" value in the RPC metadata
@@ -375,7 +379,7 @@ func TestPasslist(t *testing.T) {
 	})
 
 	t.Run("stream", func(t *testing.T) {
-		client, mt, cleanup := setup()
+		client, mt, cleanup := setup(t)
 		defer cleanup()
 
 		// Open the steam triggering the sec event thanks to the "zouzou" value in the RPC metadata
@@ -385,8 +389,9 @@ func TestPasslist(t *testing.T) {
 
 		// Send some messages
 		for i := 0; i < 5; i++ {
-			err = stream.Send(&fixturepb.FixtureRequest{Name: "hello"})
-			require.NoError(t, err)
+			if err := stream.Send(&fixturepb.FixtureRequest{Name: "hello"}); err != io.EOF {
+				require.NoError(t, err)
+			}
 
 			// Check that the handler was properly called
 			res, err := stream.Recv()
@@ -410,8 +415,8 @@ func TestPasslist(t *testing.T) {
 	})
 }
 
-func newAppsecRig(traceClient bool, interceptorOpts ...Option) (*appsecRig, error) {
-	interceptorOpts = append([]Option{WithService("grpc")}, interceptorOpts...)
+func newAppsecRig(t *testing.T, traceClient bool, interceptorOpts ...Option) (*appsecRig, error) {
+	interceptorOpts = append([]Option{WithServiceName("grpc")}, interceptorOpts...)
 
 	server := grpc.NewServer(
 		grpc.UnaryInterceptor(UnaryServerInterceptor(interceptorOpts...)),
@@ -427,7 +432,7 @@ func newAppsecRig(traceClient bool, interceptorOpts ...Option) (*appsecRig, erro
 	}
 	_, port, _ := net.SplitHostPort(li.Addr().String())
 	// start our test fixtureServer.
-	go server.Serve(li)
+	go func() { assert.NoError(t, server.Serve(li)) }()
 
 	opts := []grpc.DialOption{grpc.WithInsecure()}
 	if traceClient {
@@ -461,9 +466,9 @@ type appsecRig struct {
 	client        fixturepb.FixtureClient
 }
 
-func (r *appsecRig) Close() {
-	r.server.Stop()
-	r.conn.Close()
+func (r *appsecRig) Close() error {
+	defer r.server.GracefulStop()
+	return r.conn.Close()
 }
 
 type appsecFixtureServer struct {
diff --git a/contrib/google.golang.org/grpc/go.mod b/contrib/google.golang.org/grpc/go.mod
index 0afe937a54..604862efde 100644
--- a/contrib/google.golang.org/grpc/go.mod
+++ b/contrib/google.golang.org/grpc/go.mod
@@ -1,22 +1,24 @@
 module github.com/DataDog/dd-trace-go/contrib/google.golang.org/grpc/v2
 
-go 1.21
+go 1.22.0
+
+toolchain go1.23.1
 
 require (
-	github.com/DataDog/appsec-internal-go v1.7.0
+	github.com/DataDog/appsec-internal-go v1.8.0
 	github.com/DataDog/dd-trace-go/instrumentation/testutils/grpc/v2 v2.0.0-20240827110213-c6fc4fe2047a
 	github.com/DataDog/dd-trace-go/v2 v2.0.0-20240909105439-c452671ebc14
 	github.com/stretchr/testify v1.9.0
-	github.com/tinylib/msgp v1.1.9
+	github.com/tinylib/msgp v1.2.1
 	google.golang.org/grpc v1.65.0
 	google.golang.org/protobuf v1.34.2
 )
 
 require (
 	github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 // indirect
-	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 // indirect
+	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 // indirect
 	github.com/DataDog/datadog-go/v5 v5.5.0 // indirect
-	github.com/DataDog/go-libddwaf/v3 v3.3.0 // indirect
+	github.com/DataDog/go-libddwaf/v3 v3.4.0 // indirect
 	github.com/DataDog/go-sqllexer v0.0.11 // indirect
 	github.com/DataDog/go-tuf v1.1.0-0.5.2 // indirect
 	github.com/DataDog/sketches-go v1.4.5 // indirect
@@ -32,16 +34,16 @@ require (
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/outcaste-io/ristretto v0.2.3 // indirect
-	github.com/philhofer/fwd v1.1.2 // indirect
+	github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/net v0.25.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/sys v0.23.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
diff --git a/contrib/google.golang.org/grpc/go.sum b/contrib/google.golang.org/grpc/go.sum
index 11c6766d56..7f036f650b 100644
--- a/contrib/google.golang.org/grpc/go.sum
+++ b/contrib/google.golang.org/grpc/go.sum
@@ -1,13 +1,16 @@
 github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
 github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/appsec-internal-go v1.8.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 h1:/oxF4p/4XUGNpNw2TE7vDu/pJV3elEAZ+jES0/MWtiI=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1/go.mod h1:AVPQWekk3h9AOC7+plBlNB68Sy6UIGFoMMVUDeSoNoI=
 github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 h1:mmkGuCHBFuDBpuwNMcqtY1x1I2fCaPH2Br4xPAAjbkM=
 github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1/go.mod h1:JhAilx32dkIgoDkFXquCTfaWDsAOfe+vfBaxbiZoPI0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0/go.mod h1:4Vo3SJ24uzfKHUHLoFa8t8o+LH+7TCQ7sPcZDtOpSP4=
 github.com/DataDog/datadog-go/v5 v5.5.0 h1:G5KHeB8pWBNXT4Jtw0zAkhdxEAWSpWH00geHI6LDrKU=
 github.com/DataDog/datadog-go/v5 v5.5.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
 github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
 github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
+github.com/DataDog/go-libddwaf/v3 v3.4.0/go.mod h1:n98d9nZ1gzenRSk53wz8l6d34ikxS+hs62A31Fqmyi4=
 github.com/DataDog/go-sqllexer v0.0.11 h1:OfPBjmayreblOXreszbrOTICNZ3qWrA6Bg4sypvxpbw=
 github.com/DataDog/go-sqllexer v0.0.11/go.mod h1:KwkYhpFEVIq+BfobkTC1vfqm4gTi65skV/DpDBXtexc=
 github.com/DataDog/go-tuf v1.1.0-0.5.2 h1:4CagiIekonLSfL8GMHRHcHudo1fQnxELS9g4tiAupQ4=
@@ -71,6 +74,8 @@ github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOv
 github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
 github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
 github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 h1:jYi87L8j62qkXzaYHAQAhEapgukhenIMZRBKTNRLHJ4=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -104,6 +109,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tinylib/msgp v1.1.9 h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=
 github.com/tinylib/msgp v1.1.9/go.mod h1:BCXGB54lDD8qUEPmiG0cQQUANC4IUQyB2ItS2UDlO/k=
+github.com/tinylib/msgp v1.2.1 h1:6ypy2qcCznxpP4hpORzhtXyTqrBs7cfM9MCCWY8zsmU=
+github.com/tinylib/msgp v1.2.1/go.mod h1:2vIGs3lcUo8izAATNobrCHevYZC/LMsJtw4JPiYPHro=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -117,11 +124,13 @@ golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -135,11 +144,14 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff --git a/contrib/google.golang.org/grpc/grpc_test.go b/contrib/google.golang.org/grpc/grpc_test.go
index 6bbe6b112c..b32187320c 100644
--- a/contrib/google.golang.org/grpc/grpc_test.go
+++ b/contrib/google.golang.org/grpc/grpc_test.go
@@ -61,7 +61,7 @@ func TestUnary(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			rig, err := newRig(true, WithService("grpc"), WithRequestTags())
 			require.NoError(t, err, "error setting up rig")
-			defer rig.Close()
+			defer func() { assert.NoError(rig.Close()) }()
 			client := rig.client
 
 			mt := mocktracer.Start()
@@ -222,7 +222,7 @@ func TestStreaming(t *testing.T) {
 
 		rig, err := newRig(true, WithService("grpc"))
 		require.NoError(t, err, "error setting up rig")
-		defer rig.Close()
+		defer func() { assert.NoError(t, rig.Close()) }()
 
 		span, ctx := tracer.StartSpanFromContext(context.Background(), "a",
 			tracer.ServiceName("b"),
@@ -247,7 +247,7 @@ func TestStreaming(t *testing.T) {
 
 		rig, err := newRig(true, WithService("grpc"), WithStreamMessages(false))
 		require.NoError(t, err, "error setting up rig")
-		defer rig.Close()
+		defer func() { assert.NoError(t, rig.Close()) }()
 
 		span, ctx := tracer.StartSpanFromContext(context.Background(), "a",
 			tracer.ServiceName("b"),
@@ -272,7 +272,7 @@ func TestStreaming(t *testing.T) {
 
 		rig, err := newRig(true, WithService("grpc"), WithStreamCalls(false))
 		require.NoError(t, err, "error setting up rig")
-		defer rig.Close()
+		defer func() { assert.NoError(t, rig.Close()) }()
 
 		span, ctx := tracer.StartSpanFromContext(context.Background(), "a",
 			tracer.ServiceName("b"),
@@ -314,7 +314,7 @@ func TestSpanTree(t *testing.T) {
 
 		rig, err := newRig(true, WithService("grpc"))
 		require.NoError(t, err, "error setting up rig")
-		defer rig.Close()
+		defer func() { assert.NoError(rig.Close()) }()
 
 		{
 			// Unary Ping rpc leading to trace:
@@ -349,7 +349,7 @@ func TestSpanTree(t *testing.T) {
 
 		rig, err := newRig(true, WithService("grpc"), WithRequestTags(), WithMetadataTags())
 		require.NoError(t, err, "error setting up rig")
-		defer rig.Close()
+		defer func() { assert.NoError(rig.Close()) }()
 		client := rig.client
 
 		{
@@ -433,7 +433,7 @@ func TestPass(t *testing.T) {
 
 	rig, err := newRig(false, WithService("grpc"))
 	require.NoError(t, err, "error setting up rig")
-	defer rig.Close()
+	defer func() { assert.NoError(rig.Close()) }()
 	client := rig.client
 
 	ctx := context.Background()
@@ -467,7 +467,7 @@ func TestPreservesMetadata(t *testing.T) {
 	if err != nil {
 		t.Fatalf("error setting up rig: %s", err)
 	}
-	defer rig.Close()
+	defer func() { assert.NoError(t, rig.Close()) }()
 
 	ctx := context.Background()
 	ctx = metadata.AppendToOutgoingContext(ctx, "test-key", "test-value")
@@ -495,7 +495,7 @@ func TestStreamSendsErrorCode(t *testing.T) {
 
 	rig, err := newRig(true)
 	require.NoError(t, err, "error setting up rig")
-	defer rig.Close()
+	defer func() { assert.NoError(t, rig.Close()) }()
 
 	ctx := context.Background()
 
@@ -524,7 +524,7 @@ func TestStreamSendsErrorCode(t *testing.T) {
 			containsErrorCode = true
 		}
 	}
-	assert.True(t, containsErrorCode, "at least one span should contain error code")
+	assert.True(t, containsErrorCode, "at least one span should contain error code, the spans were:\n%v", spans)
 
 	// ensure that last span contains error code also
 	gotLastSpanCode := spans[len(spans)-1].Tag(tagCode)
@@ -542,9 +542,9 @@ type rig struct {
 	client        fixturepb.FixtureClient
 }
 
-func (r *rig) Close() {
-	r.server.Stop()
-	r.conn.Close()
+func (r *rig) Close() error {
+	defer r.server.GracefulStop()
+	return r.conn.Close()
 }
 
 func newRigWithInterceptors(
@@ -608,7 +608,7 @@ func TestAnalyticsSettings(t *testing.T) {
 		if err != nil {
 			t.Fatalf("error setting up rig: %s", err)
 		}
-		defer rig.Close()
+		defer func() { assert.NoError(t, rig.Close()) }()
 
 		client := rig.client
 		resp, err := client.Ping(context.Background(), &fixturepb.FixtureRequest{Name: "pass"})
@@ -1079,7 +1079,7 @@ func TestIssue2050(t *testing.T) {
 	}
 	rig, err := newRigWithInterceptors(serverInterceptors, clientInterceptors)
 	require.NoError(t, err)
-	defer rig.Close()
+	defer func() { assert.NoError(t, rig.Close()) }()
 
 	// call tracer.Start after integration is initialized, to reproduce the issue
 	tracer.Start(tracer.WithHTTPClient(httpClient), tracer.WithLogger(testutils.DiscardLogger()))
diff --git a/contrib/graph-gophers/graphql-go/appsec_test.go b/contrib/graph-gophers/graphql-go/appsec_test.go
new file mode 100644
index 0000000000..3c781b9899
--- /dev/null
+++ b/contrib/graph-gophers/graphql-go/appsec_test.go
@@ -0,0 +1,243 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016 Datadog, Inc.
+
+package graphql
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/mocktracer"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec"
+	"github.com/graph-gophers/graphql-go"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAppSec(t *testing.T) {
+	schema := graphql.MustParseSchema(
+		`type Query {
+			topLevel(id: String!): TopLevel!
+			topLevelMapped(map: MapInput!, key: String!, index: Int!): TopLevel!
+		}
+
+		type TopLevel {
+			nested(id: String!): String!
+		}
+
+		input MapInput {
+			ids: [String!]!
+			bool: Boolean!
+			float: Float!
+		}`,
+		&appSecQuery{},
+		graphql.Tracer(NewTracer()),
+	)
+	restore := enableAppSec(t)
+	defer restore()
+
+	t.Run("monitoring", func(t *testing.T) {
+		const (
+			topLevelAttack = "he protec"
+			nestedAttack   = "he attac, but most importantly: he Tupac"
+		)
+		testCases := map[string]struct {
+			query     string
+			variables map[string]any
+		}{
+			"basic": {
+				query: `query TestQuery($topLevelId: String!, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`,
+				variables: map[string]any{
+					"topLevelId": topLevelAttack,
+					"nestedId":   nestedAttack,
+				},
+			},
+			"with-default-parameter": {
+				query: fmt.Sprintf(`query TestQuery($topLevelId: String = %#v, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`, topLevelAttack),
+				variables: map[string]any{
+					// "topLevelId" omitted (default value used)
+					"nestedId": nestedAttack,
+				},
+			},
+			"embedded-variable": {
+				query: `query TestQuery($topLevelId: String!, $nestedId: String!) {
+					topLevel: topLevelMapped(map: { ids: ["foo", $topLevelId, "baz"], bool: true, float: 3.14 }, key: "ids", index: 1) {
+						nested(id: $nestedId)
+					}
+				}`,
+				variables: map[string]any{
+					"topLevelId": topLevelAttack,
+					"nestedId":   nestedAttack,
+				},
+			},
+		}
+		for name, tc := range testCases {
+			t.Run(name, func(t *testing.T) {
+				mt := mocktracer.Start()
+				defer mt.Stop()
+				resp := schema.Exec(context.Background(), tc.query, "TestQuery", tc.variables)
+				require.Empty(t, resp.Errors)
+
+				var data map[string]any
+				err := json.Unmarshal(resp.Data, &data)
+				require.NoError(t, err)
+				require.Equal(t, map[string]any{"topLevel": map[string]any{"nested": fmt.Sprintf("%s/%s", topLevelAttack, nestedAttack)}}, data)
+
+				// Ensure the query produced the expected appsec events
+				spans := mt.FinishedSpans()
+				require.NotEmpty(t, spans)
+
+				// The last finished span (which is GraphQL entry) should have the "_dd.appsec.enabled" tag.
+				span := spans[len(spans)-1]
+				require.Equal(t, 1, span.Tag("_dd.appsec.enabled"))
+				type ddAppsecJSON struct {
+					Triggers []struct {
+						Rule struct {
+							ID string `json:"id"`
+						} `json:"rule"`
+					} `json:"triggers"`
+				}
+				jsonText, ok := span.Tag("_dd.appsec.json").(string)
+				require.True(t, ok, "expected _dd.appsec.json tag on span")
+
+				var parsed ddAppsecJSON
+				err = json.Unmarshal([]byte(jsonText), &parsed)
+				require.NoError(t, err)
+
+				ids := make([]string, 0, len(parsed.Triggers))
+				for _, trigger := range parsed.Triggers {
+					ids = append(ids, trigger.Rule.ID)
+				}
+
+				require.ElementsMatch(t, ids, []string{"test-rule-001", "test-rule-002"})
+			})
+		}
+	})
+}
+
+type appSecQuery struct{}
+
+func (q *appSecQuery) TopLevel(_ context.Context, args struct{ ID string }) (*appSecTopLevel, error) {
+	return &appSecTopLevel{args.ID}, nil
+}
+func (q *appSecQuery) TopLevelMapped(
+	ctx context.Context,
+	args struct {
+		Map struct {
+			IDs   []string
+			Bool  bool
+			Float float64
+		}
+		Key   string
+		Index int32
+	},
+) (*appSecTopLevel, error) {
+	id := args.Map.IDs[args.Index]
+	return q.TopLevel(ctx, struct{ ID string }{id})
+}
+
+type appSecTopLevel struct {
+	id string
+}
+
+func (a *appSecTopLevel) Nested(_ context.Context, args struct{ ID string }) (string, error) {
+	return fmt.Sprintf("%s/%s", a.id, args.ID), nil
+}
+
+// enableAppSec ensures the environment variable to enable appsec is active, and
+// returns a function to restore the previous environment state.
+func enableAppSec(t *testing.T) func() {
+	const rules = `{
+		"version": "2.2",
+		"metadata": {
+			"rules_version": "0.1337.42"
+		},
+		"rules": [
+			{
+				"id": "test-rule-001",
+				"name": "Phony rule number 1",
+				"tags": {
+					"category": "canary",
+					"type": "meme-protec"
+				},
+				"conditions": [{
+					"operator": "phrase_match",
+					"parameters": {
+						"inputs": [{ "address": "graphql.server.resolver" }],
+						"list": ["he protec"]
+					}
+				}],
+				"transformers": ["lowercase"],
+				"on_match": []
+			},
+			{
+				"id": "test-rule-002",
+				"name": "Phony rule number 2",
+				"tags": {
+					"category": "canary",
+					"type": "meme-attac"
+				},
+				"conditions": [{
+					"operator": "phrase_match",
+					"parameters": {
+						"inputs": [{ "address": "graphql.server.resolver" }],
+						"list": ["he attac"]
+					}
+				}],
+				"transformers": ["lowercase"],
+				"on_match": []
+			},
+			{
+				"id": "test-rule-003",
+				"name": "Phony rule number 3",
+				"tags": {
+					"category": "canary",
+					"type": "meme-tupac"
+				},
+				"conditions": [{
+					"operator": "phrase_match",
+					"parameters": {
+						"inputs": [{ "address": "graphql.server.all_resolvers" }],
+						"list": ["he tupac"]
+					}
+				}],
+				"transformers": ["lowercase"],
+				"on_match": []
+			}
+		]
+	}`
+	tmpDir, err := os.MkdirTemp("", "dd-trace-go.graphql-go.graphql.appsec_test.rules-*")
+	require.NoError(t, err)
+	rulesFile := path.Join(tmpDir, "rules.json")
+	err = os.WriteFile(rulesFile, []byte(rules), 0644)
+	require.NoError(t, err)
+	restoreDdAppsecEnabled := setEnv("DD_APPSEC_ENABLED", "1")
+	restoreDdAppsecRules := setEnv("DD_APPSEC_RULES", rulesFile)
+	appsec.Start()
+	restore := func() {
+		appsec.Stop()
+		restoreDdAppsecEnabled()
+		restoreDdAppsecRules()
+		_ = os.RemoveAll(tmpDir)
+	}
+	if !appsec.Enabled() {
+		restore()
+		t.Skip("could not enable appsec: this platform is likely not supported")
+	}
+	return restore
+}
+
+// setEnv sets an the environment variable named `name` to `value` and returns
+// a function that restores the variable to it's original value.
+func setEnv(name string, value string) func() {
+	oldVal := os.Getenv(name)
+	os.Setenv(name, value)
+	return func() {
+		os.Setenv(name, oldVal)
+	}
+}
diff --git a/contrib/graph-gophers/graphql-go/graphql.go b/contrib/graph-gophers/graphql-go/graphql.go
index 117f323c07..15beb6a18d 100644
--- a/contrib/graph-gophers/graphql-go/graphql.go
+++ b/contrib/graph-gophers/graphql-go/graphql.go
@@ -20,7 +20,6 @@ import (
 	ddtracer "github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec/types"
 
 	"github.com/graph-gophers/graphql-go/errors"
 	"github.com/graph-gophers/graphql-go/introspection"
@@ -68,12 +67,12 @@ func (t *Tracer) TraceQuery(ctx context.Context, queryString, operationName stri
 	}
 	span, ctx := ddtracer.StartSpanFromContext(ctx, t.cfg.querySpanName, opts...)
 
-	ctx, request := graphqlsec.StartRequestOperation(ctx, span, types.RequestOperationArgs{
+	ctx, request := graphqlsec.StartRequestOperation(ctx, graphqlsec.RequestOperationArgs{
 		RawQuery:      queryString,
 		OperationName: operationName,
 		Variables:     variables,
 	})
-	ctx, query := graphqlsec.StartExecutionOperation(ctx, span, types.ExecutionOperationArgs{
+	ctx, query := graphqlsec.StartExecutionOperation(ctx, graphqlsec.ExecutionOperationArgs{
 		Query:         queryString,
 		OperationName: operationName,
 		Variables:     variables,
@@ -90,8 +89,8 @@ func (t *Tracer) TraceQuery(ctx context.Context, queryString, operationName stri
 			err = fmt.Errorf("%s (and %d more errors)", errs[0], n-1)
 		}
 		defer span.Finish(ddtracer.WithError(err))
-		defer request.Finish(types.RequestOperationRes{Error: err})
-		query.Finish(types.ExecutionOperationRes{Error: err})
+		defer request.Finish(span, graphqlsec.RequestOperationRes{Error: err})
+		query.Finish(graphqlsec.ExecutionOperationRes{Error: err})
 	}
 }
 
@@ -117,7 +116,7 @@ func (t *Tracer) TraceField(ctx context.Context, _, typeName, fieldName string,
 	}
 	span, ctx := ddtracer.StartSpanFromContext(ctx, "graphql.field", opts...)
 
-	ctx, field := graphqlsec.StartResolveOperation(ctx, span, types.ResolveOperationArgs{
+	ctx, field := graphqlsec.StartResolveOperation(ctx, graphqlsec.ResolveOperationArgs{
 		TypeName:  typeName,
 		FieldName: fieldName,
 		Arguments: arguments,
@@ -125,7 +124,7 @@ func (t *Tracer) TraceField(ctx context.Context, _, typeName, fieldName string,
 	})
 
 	return ctx, func(err *errors.QueryError) {
-		field.Finish(types.ResolveOperationRes{Error: err})
+		field.Finish(graphqlsec.ResolveOperationRes{Error: err})
 
 		// must explicitly check for nil, see issue golang/go#22729
 		if err != nil {
diff --git a/contrib/graphql-go/graphql/appsec_test.go b/contrib/graphql-go/graphql/appsec_test.go
index 7327f91a58..e7c4411973 100644
--- a/contrib/graphql-go/graphql/appsec_test.go
+++ b/contrib/graphql-go/graphql/appsec_test.go
@@ -93,7 +93,6 @@ func TestAppSec(t *testing.T) {
 		testCases := map[string]struct {
 			query     string
 			variables map[string]any
-			events    map[string]string
 		}{
 			"basic": {
 				query: `query TestQuery($topLevelId: String!, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`,
@@ -101,10 +100,6 @@ func TestAppSec(t *testing.T) {
 					"topLevelId": topLevelAttack,
 					"nestedId":   nestedAttack,
 				},
-				events: map[string]string{
-					"test-rule-001": "graphql.resolve(topLevel)",
-					"test-rule-002": "graphql.resolve(nested)",
-				},
 			},
 			"with-default-parameter": {
 				query: fmt.Sprintf(`query TestQuery($topLevelId: String = %#v, $nestedId: String!) { topLevel(id: $topLevelId) { nested(id: $nestedId) } }`, topLevelAttack),
@@ -112,10 +107,6 @@ func TestAppSec(t *testing.T) {
 					// "topLevelId" omitted (default value used)
 					"nestedId": nestedAttack,
 				},
-				events: map[string]string{
-					"test-rule-001": "graphql.resolve(topLevel)",
-					"test-rule-002": "graphql.resolve(nested)",
-				},
 			},
 			"embedded-variable": {
 				query: `query TestQuery($topLevelId: String!, $nestedId: String!) {
@@ -127,10 +118,6 @@ func TestAppSec(t *testing.T) {
 					"topLevelId": topLevelAttack,
 					"nestedId":   nestedAttack,
 				},
-				events: map[string]string{
-					"test-rule-001": "graphql.resolve(topLevelMapped)",
-					"test-rule-002": "graphql.resolve(nested)",
-				},
 			},
 		}
 
@@ -152,7 +139,8 @@ func TestAppSec(t *testing.T) {
 				spans := mt.FinishedSpans()
 				require.NotEmpty(t, spans)
 				// The last finished span (which is GraphQL entry) should have the "_dd.appsec.enabled" tag.
-				require.Equal(t, float64(1), spans[len(spans)-1].Tag("_dd.appsec.enabled"))
+				span := spans[len(spans)-1]
+				require.Equal(t, 1, span.Tag("_dd.appsec.enabled"))
 				events := make(map[string]string)
 				type ddAppsecJSON struct {
 					Triggers []struct {
@@ -161,34 +149,20 @@ func TestAppSec(t *testing.T) {
 						} `json:"rule"`
 					} `json:"triggers"`
 				}
-				// Search for AppSec events in the set of spans
-				for _, span := range spans {
-					jsonText, ok := span.Tag("_dd.appsec.json").(string)
-					if !ok || jsonText == "" {
-						continue
-					}
-					var parsed ddAppsecJSON
-					err := json.Unmarshal([]byte(jsonText), &parsed)
-					require.NoError(t, err)
 
-					require.Len(t, parsed.Triggers, 1, "expected exactly 1 trigger on %s span", span.OperationName())
-					ruleID := parsed.Triggers[0].Rule.ID
-					_, duplicate := events[ruleID]
-					require.False(t, duplicate, "found duplicated hit for rule %s", ruleID)
-					var origin string
-					switch name := span.OperationName(); name {
-					case spanResolve:
-						field := span.Tag(tagGraphqlField).(string)
-						origin = fmt.Sprintf("%s(%s)", spanResolve, field)
-					case spanExecute:
-						origin = spanExecute
-					default:
-						require.Fail(t, "rule trigger recorded on unecpected span", "rule %s recorded a hit on unexpected span %s", ruleID, name)
-					}
-					events[ruleID] = origin
+				jsonText, ok := span.Tag("_dd.appsec.json").(string)
+				require.True(t, ok, "expected _dd.appsec.json tag on span")
+
+				var parsed ddAppsecJSON
+				err = json.Unmarshal([]byte(jsonText), &parsed)
+				require.NoError(t, err)
+
+				ids := make([]string, 0, len(parsed.Triggers))
+				for _, trigger := range parsed.Triggers {
+					ids = append(ids, trigger.Rule.ID)
 				}
-				// Ensure they match the expected outcome
-				require.Equal(t, tc.events, events)
+
+				require.ElementsMatch(t, ids, []string{"test-rule-001", "test-rule-002"})
 			})
 		}
 	})
diff --git a/contrib/graphql-go/graphql/graphql.go b/contrib/graphql-go/graphql/graphql.go
index 322664bbb4..67977219d0 100644
--- a/contrib/graphql-go/graphql/graphql.go
+++ b/contrib/graphql-go/graphql/graphql.go
@@ -15,7 +15,6 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec/types"
 
 	"github.com/graphql-go/graphql"
 	"github.com/graphql-go/graphql/gqlerrors"
@@ -61,7 +60,7 @@ type datadogExtension struct{ config }
 type contextKey struct{}
 type contextData struct {
 	serverSpan    *tracer.Span
-	requestOp     *types.RequestOperation
+	requestOp     *graphqlsec.RequestOperation
 	variables     map[string]any
 	query         string
 	operationName string
@@ -70,7 +69,7 @@ type contextData struct {
 // finish closes the top-level request operation, as well as the server span.
 func (c *contextData) finish(data any, err error) {
 	defer c.serverSpan.Finish(tracer.WithError(err))
-	c.requestOp.Finish(types.RequestOperationRes{Data: data, Error: err})
+	c.requestOp.Finish(c.serverSpan, graphqlsec.RequestOperationRes{Data: data, Error: err})
 }
 
 var extensionName = reflect.TypeOf((*datadogExtension)(nil)).Elem().Name()
@@ -95,7 +94,7 @@ func (i datadogExtension) Init(ctx context.Context, params *graphql.Params) cont
 		tracer.Tag(ext.Component, instrumentation.PackageGraphQLGoGraphQL),
 		tracer.Measured(),
 	)
-	ctx, request := graphqlsec.StartRequestOperation(ctx, span, types.RequestOperationArgs{
+	ctx, request := graphqlsec.StartRequestOperation(ctx, graphqlsec.RequestOperationArgs{
 		RawQuery:      params.RequestString,
 		Variables:     params.VariableValues,
 		OperationName: params.OperationName,
@@ -190,7 +189,7 @@ func (i datadogExtension) ExecutionDidStart(ctx context.Context) (context.Contex
 		opts = append(opts, tracer.Tag(ext.EventSampleRate, i.config.analyticsRate))
 	}
 	span, ctx := tracer.StartSpanFromContext(ctx, spanExecute, opts...)
-	ctx, op := graphqlsec.StartExecutionOperation(ctx, span, types.ExecutionOperationArgs{
+	ctx, op := graphqlsec.StartExecutionOperation(ctx, graphqlsec.ExecutionOperationArgs{
 		Query:         data.query,
 		OperationName: data.operationName,
 		Variables:     data.variables,
@@ -201,7 +200,7 @@ func (i datadogExtension) ExecutionDidStart(ctx context.Context) (context.Contex
 			defer data.finish(result.Data, err)
 			span.Finish(tracer.WithError(err))
 		}()
-		op.Finish(types.ExecutionOperationRes{Data: result.Data, Error: err})
+		op.Finish(graphqlsec.ExecutionOperationRes{Data: result.Data, Error: err})
 	}
 }
 
@@ -237,14 +236,14 @@ func (i datadogExtension) ResolveFieldDidStart(ctx context.Context, info *graphq
 		opts = append(opts, tracer.Tag(ext.EventSampleRate, i.config.analyticsRate))
 	}
 	span, ctx := tracer.StartSpanFromContext(ctx, spanResolve, opts...)
-	ctx, op := graphqlsec.StartResolveOperation(ctx, span, types.ResolveOperationArgs{
+	ctx, op := graphqlsec.StartResolveOperation(ctx, graphqlsec.ResolveOperationArgs{
 		TypeName:  info.ParentType.Name(),
 		FieldName: info.FieldName,
 		Arguments: collectArguments(info),
 	})
 	return ctx, func(result any, err error) {
 		defer span.Finish(tracer.WithError(err))
-		op.Finish(types.ResolveOperationRes{Error: err, Data: result})
+		op.Finish(graphqlsec.ResolveOperationRes{Error: err, Data: result})
 	}
 }
 
diff --git a/contrib/internal/telemetrytest/telemetry_test.go b/contrib/internal/telemetrytest/telemetry_test.go
new file mode 100644
index 0000000000..a775fc132e
--- /dev/null
+++ b/contrib/internal/telemetrytest/telemetry_test.go
@@ -0,0 +1,93 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2023 Datadog, Inc.
+package telemetrytest
+
+import (
+	"encoding/json"
+	"os"
+	"os/exec"
+	"strings"
+	"testing"
+
+	"github.com/DataDog/dd-trace-go/contrib/gorilla/mux/v2"
+	"github.com/DataDog/dd-trace-go/v2/internal/telemetry"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestIntegrationInfo verifies that an integration leveraging instrumentation telemetry
+// sends the correct data to the telemetry client.
+func TestIntegrationInfo(t *testing.T) {
+	// mux.NewRouter() uses the net/http and gorilla/mux integration
+	mux.NewRouter()
+	integrations := telemetry.Integrations()
+	require.Len(t, integrations, 2)
+	assert.Equal(t, integrations[0].Name, "net/http")
+	assert.True(t, integrations[0].Enabled)
+	assert.Equal(t, integrations[1].Name, "gorilla/mux")
+	assert.True(t, integrations[1].Enabled)
+}
+
+type contribPkg struct {
+	ImportPath string
+	Name       string
+	Imports    []string
+	Dir        string
+}
+
+var TelemetryImport = "github.com/DataDog/dd-trace-go/v2/internal/telemetry"
+
+func readPackage(t *testing.T, path string) contribPkg {
+	cmd := exec.Command("go", "list", "-json", path)
+	cmd.Stderr = os.Stderr
+	output, err := cmd.Output()
+	require.NoError(t, err)
+	p := contribPkg{}
+	err = json.Unmarshal(output, &p)
+	require.NoError(t, err)
+	return p
+}
+
+func (p *contribPkg) hasTelemetryImport(t *testing.T) bool {
+	for _, imp := range p.Imports {
+		if imp == TelemetryImport {
+			return true
+		}
+	}
+	// if we didn't find it imported directly, it might be imported in one of sub-package imports
+	for _, imp := range p.Imports {
+		if strings.HasPrefix(imp, p.ImportPath) {
+			p := readPackage(t, imp)
+			if p.hasTelemetryImport(t) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// TestTelemetryEnabled verifies that the expected contrib packages leverage instrumentation telemetry
+func TestTelemetryEnabled(t *testing.T) {
+	body, err := exec.Command("go", "list", "-json", "../../...").Output()
+	require.NoError(t, err)
+
+	var packages []contribPkg
+	stream := json.NewDecoder(strings.NewReader(string(body)))
+	for stream.More() {
+		var out contribPkg
+		err := stream.Decode(&out)
+		require.NoError(t, err)
+		packages = append(packages, out)
+	}
+	for _, pkg := range packages {
+		if strings.Contains(pkg.ImportPath, "/test") || strings.Contains(pkg.ImportPath, "/internal") {
+			continue
+		}
+		if !pkg.hasTelemetryImport(t) {
+			t.Fatalf(`package %q is expected use instrumentation telemetry. For more info see https://github.com/DataDog/dd-trace-go/blob/main/contrib/README.md#instrumentation-telemetry`, pkg.ImportPath)
+		}
+	}
+}
diff --git a/contrib/labstack/echo.v4/appsec_test.go b/contrib/labstack/echo.v4/appsec_test.go
index 20ebaa0014..921dc28965 100644
--- a/contrib/labstack/echo.v4/appsec_test.go
+++ b/contrib/labstack/echo.v4/appsec_test.go
@@ -125,8 +125,8 @@ func TestAppSec(t *testing.T) {
 			// The span should contain the security event
 			finished := mt.FinishedSpans()
 			require.Len(t, finished, 1)
-			event := finished[0].Tag("_dd.appsec.json").(string)
-			require.NotNil(t, event)
+			event, ok := finished[0].Tag("_dd.appsec.json").(string)
+			require.True(t, ok, "expected string, found %T", finished[0].Tag("_dd.appsec.json"))
 			require.True(t, strings.Contains(event, "crs-913-120"))
 			// Wildcards are not named in echo
 			require.False(t, strings.Contains(event, "myPathParam3"))
@@ -138,7 +138,7 @@ func TestAppSec(t *testing.T) {
 		mt := mocktracer.Start()
 		defer mt.Stop()
 
-		req, err := http.NewRequest("POST", srv.URL+"/etc/", nil)
+		req, err := http.NewRequest("POST", srv.URL+"/etc/passwd", nil)
 		if err != nil {
 			panic(err)
 		}
@@ -149,8 +149,8 @@ func TestAppSec(t *testing.T) {
 
 		finished := mt.FinishedSpans()
 		require.Len(t, finished, 1)
-		event := finished[0].Tag("_dd.appsec.json").(string)
-		require.NotNil(t, event)
+		event, ok := finished[0].Tag("_dd.appsec.json").(string)
+		require.True(t, ok, "expected string, found %T", finished[0].Tag("_dd.appsec.json"))
 		require.True(t, strings.Contains(event, "server.response.status"))
 		require.True(t, strings.Contains(event, "nfd-000-001"))
 	})
diff --git a/contrib/net/http/http_test.go b/contrib/net/http/http_test.go
index bd668fbe9e..6990087d06 100644
--- a/contrib/net/http/http_test.go
+++ b/contrib/net/http/http_test.go
@@ -325,22 +325,9 @@ func TestServeMuxGo122Patterns(t *testing.T) {
 
 	// Check the /foo span
 	fooSpan := spans[1]
-	if fooW.Code == http.StatusOK {
-		assert.Equal("/foo", fooSpan.Tag(ext.HTTPRoute))
-		assert.Equal("GET /foo", fooSpan.Tag(ext.ResourceName))
-	} else {
-		// Until our go.mod version is go1.22 or greater, the mux will not
-		// understand the "GET /foo" pattern, causing the request to be handled
-		// by the 404 handler. Let's assert what we can, and mark the test as
-		// skipped to highlight the issue.
-		assert.Equal(http.StatusNotFound, fooW.Code)
-		assert.Equal(nil, fooSpan.Tag(ext.HTTPRoute))
-		// Using "GET " as a resource name doesn't seem ideal, but that's how
-		// the mux instrumentation deals with 404s right now.
-		assert.Equal("GET ", fooSpan.Tag(ext.ResourceName))
-		t.Skip("run `go mod edit -go=1.22` to run the full test")
-	}
-
+	assert.Equal(http.StatusOK, fooW.Code)
+	assert.Equal("/foo", fooSpan.Tag(ext.HTTPRoute))
+	assert.Equal("GET /foo", fooSpan.Tag(ext.ResourceName))
 }
 
 func TestWrapHandlerWithResourceNameNoRace(_ *testing.T) {
@@ -360,6 +347,8 @@ func TestWrapHandlerWithResourceNameNoRace(_ *testing.T) {
 			r := httptest.NewRequest("GET", "/", nil)
 			w := httptest.NewRecorder()
 			defer wg.Done()
+			w := httptest.NewRecorder()
+			r := httptest.NewRequest("GET", "/", nil)
 			mux.ServeHTTP(w, r)
 		}()
 	}
@@ -521,10 +510,14 @@ func handler200(w http.ResponseWriter, _ *http.Request) {
 	w.Write([]byte("OK\n"))
 }
 
-func handler500(w http.ResponseWriter, _ *http.Request) {
+func handler500(w http.ResponseWriter, r *http.Request) {
 	http.Error(w, "500!", http.StatusInternalServerError)
 }
 
+func handler400(w http.ResponseWriter, r *http.Request) {
+	http.Error(w, "400!", http.StatusBadRequest)
+}
+
 func BenchmarkHttpServeTrace(b *testing.B) {
 	err := tracer.Start(tracer.WithLogger(testutils.DiscardLogger()), tracer.WithHeaderTags([]string{"3header"}))
 	assert.NoError(b, err)
diff --git a/contrib/net/http/option.go b/contrib/net/http/option.go
index f139f693c9..dca5d9e2f6 100644
--- a/contrib/net/http/option.go
+++ b/contrib/net/http/option.go
@@ -8,6 +8,7 @@ package http
 import (
 	"math"
 	"net/http"
+	"os"
 
 	"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
 	"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
@@ -179,6 +180,12 @@ func newRoundTripperConfig() *roundTripperConfig {
 		analyticsRate: instr.GlobalAnalyticsRate(),
 		resourceNamer: defaultResourceNamer,
 		ignoreRequest: func(_ *http.Request) bool { return false },
+		queryString:   internal.BoolEnv(envClientQueryStringEnabled, true),
+		isStatusError: isClientError,
+	}
+	v := os.Getenv(envClientErrorStatuses)
+	if fn := httptrace.GetErrorCodesFromInput(v); fn != nil {
+		sharedCfg.isStatusError = fn
 	}
 	return &roundTripperConfig{
 		commonConfig: sharedCfg,
@@ -227,3 +234,7 @@ func WithErrorCheck(fn func(err error) bool) RoundTripperOptionFn {
 		cfg.errCheck = fn
 	}
 }
+
+func isClientError(statusCode int) bool {
+	return statusCode >= 400 && statusCode < 500
+}
diff --git a/contrib/net/http/roundtripper.go b/contrib/net/http/roundtripper.go
index 16bb6fe336..2ba2be908f 100644
--- a/contrib/net/http/roundtripper.go
+++ b/contrib/net/http/roundtripper.go
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 
 	"github.com/DataDog/dd-trace-go/v2/appsec/events"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/httpsec"
@@ -37,7 +38,7 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (res *http.Response, err er
 		tracer.SpanType(ext.SpanTypeHTTP),
 		tracer.ResourceName(resourceName),
 		tracer.Tag(ext.HTTPMethod, req.Method),
-		tracer.Tag(ext.HTTPURL, url.String()),
+		tracer.Tag(ext.HTTPURL, urlFromRequest(req, rt.cfg.queryString)),
 		tracer.Tag(ext.Component, componentName),
 		tracer.Tag(ext.SpanKind, ext.SpanKindClient),
 		tracer.Tag(ext.NetworkDestinationName, url.Hostname()),
@@ -85,7 +86,6 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (res *http.Response, err er
 	}
 
 	res, err = rt.base.RoundTrip(r2)
-
 	if err != nil {
 		span.SetTag("http.errors", err.Error())
 		if rt.cfg.errCheck == nil || rt.cfg.errCheck(err) {
@@ -93,8 +93,7 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (res *http.Response, err er
 		}
 	} else {
 		span.SetTag(ext.HTTPCode, strconv.Itoa(res.StatusCode))
-		// treat 5XX as errors
-		if res.StatusCode/100 == 5 {
+		if rt.cfg.isStatusError(res.StatusCode) {
 			span.SetTag("http.errors", res.Status)
 			span.SetTag(ext.Error, fmt.Errorf("%d: %s", res.StatusCode, http.StatusText(res.StatusCode)))
 		}
@@ -134,3 +133,32 @@ func WrapClient(c *http.Client, opts ...RoundTripperOption) *http.Client {
 	c.Transport = WrapRoundTripper(c.Transport, opts...)
 	return c
 }
+
+// urlFromRequest returns the URL from the HTTP request. The URL query string is included in the return object iff queryString is true
+// See https://docs.datadoghq.com/tracing/configure_data_security#redacting-the-query-in-the-url for more information.
+func urlFromRequest(r *http.Request, queryString bool) string {
+	// Quoting net/http comments about net.Request.URL on server requests:
+	// "For most requests, fields other than Path and RawQuery will be
+	// empty. (See RFC 7230, Section 5.3)"
+	// This is why we don't rely on url.URL.String(), url.URL.Host, url.URL.Scheme, etc...
+	var url string
+	path := r.URL.EscapedPath()
+	scheme := r.URL.Scheme
+	if r.TLS != nil {
+		scheme = "https"
+	}
+	if r.Host != "" {
+		url = strings.Join([]string{scheme, "://", r.Host, path}, "")
+	} else {
+		url = path
+	}
+	// Collect the query string if we are allowed to report it and obfuscate it if possible/allowed
+	if queryString && r.URL.RawQuery != "" {
+		query := r.URL.RawQuery
+		url = strings.Join([]string{url, query}, "?")
+	}
+	if frag := r.URL.EscapedFragment(); frag != "" {
+		url = strings.Join([]string{url, frag}, "#")
+	}
+	return url
+}
diff --git a/contrib/net/http/roundtripper_test.go b/contrib/net/http/roundtripper_test.go
index 6eb3ff82e2..5a88b83b37 100644
--- a/contrib/net/http/roundtripper_test.go
+++ b/contrib/net/http/roundtripper_test.go
@@ -11,6 +11,8 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
+	"regexp"
 	"strconv"
 	"strings"
 	"testing"
@@ -96,58 +98,67 @@ func TestRoundTripper(t *testing.T) {
 	assert.Equal(t, float64(wantPort), s1.Tag(ext.NetworkDestinationPort))
 }
 
-func TestRoundTripperServerError(t *testing.T) {
-	mt := mocktracer.Start()
-	defer mt.Stop()
-
-	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		spanctx, err := tracer.Extract(tracer.HTTPHeadersCarrier(r.Header))
-		assert.NoError(t, err)
-
-		span := tracer.StartSpan("test",
-			tracer.ChildOf(spanctx))
-		defer span.Finish()
-
-		w.WriteHeader(http.StatusInternalServerError)
-		w.Write([]byte("Error"))
-	}))
-	defer s.Close()
-
-	rt := WrapRoundTripper(http.DefaultTransport,
-		WithBefore(func(req *http.Request, span *tracer.Span) {
-			span.SetTag("CalledBefore", true)
-		}),
-		WithAfter(func(res *http.Response, span *tracer.Span) {
-			span.SetTag("CalledAfter", true)
-		}))
-
+func makeRequests(rt http.RoundTripper, url string, t *testing.T) {
 	client := &http.Client{
 		Transport: rt,
 	}
+	resp, err := client.Get(url + "/400")
+	assert.Nil(t, err)
+	defer resp.Body.Close()
 
-	resp, err := client.Get(s.URL + "/hello/world")
+	resp, err = client.Get(url + "/500")
 	assert.Nil(t, err)
 	defer resp.Body.Close()
 
-	spans := mt.FinishedSpans()
-	assert.Len(t, spans, 2)
-	assert.Equal(t, spans[0].TraceID(), spans[1].TraceID())
+	resp, err = client.Get(url + "/200")
+	assert.Nil(t, err)
+	defer resp.Body.Close()
+}
 
-	s0 := spans[0]
-	assert.Equal(t, "test", s0.OperationName())
-	assert.Equal(t, "test", s0.Tag(ext.ResourceName))
+func TestRoundTripperErrors(t *testing.T) {
+	mux := http.NewServeMux()
+	mux.HandleFunc("/200", handler200)
+	mux.HandleFunc("/400", handler400)
+	mux.HandleFunc("/500", handler500)
+	s := httptest.NewServer(mux)
+	defer s.Close()
 
-	s1 := spans[1]
-	assert.Equal(t, "http.request", s1.OperationName())
-	assert.Equal(t, "http.request", s1.Tag(ext.ResourceName))
-	assert.Equal(t, "500", s1.Tag(ext.HTTPCode))
-	assert.Equal(t, "GET", s1.Tag(ext.HTTPMethod))
-	assert.Equal(t, s.URL+"/hello/world", s1.Tag(ext.HTTPURL))
-	assert.Equal(t, "500: Internal Server Error", s1.Tag(ext.ErrorMsg))
-	assert.Equal(t, "true", s1.Tag("CalledBefore"))
-	assert.Equal(t, "true", s1.Tag("CalledAfter"))
-	assert.Equal(t, ext.SpanKindClient, s1.Tag(ext.SpanKind))
-	assert.Equal(t, "net/http", s1.Tag(ext.Component))
+	t.Run("default", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+		rt := WrapRoundTripper(http.DefaultTransport)
+		makeRequests(rt, s.URL, t)
+		spans := mt.FinishedSpans()
+		assert.Len(t, spans, 3)
+		s := spans[0] // 400 is error
+		assert.Equal(t, "400: Bad Request", s.Tag(ext.Error).(error).Error())
+		assert.Equal(t, "400", s.Tag(ext.HTTPCode))
+		s = spans[1] // 500 is not error
+		assert.Empty(t, s.Tag(ext.Error))
+		assert.Equal(t, "500", s.Tag(ext.HTTPCode))
+		s = spans[2] // 200 is not error
+		assert.Empty(t, s.Tag(ext.Error))
+		assert.Equal(t, "200", s.Tag(ext.HTTPCode))
+	})
+	t.Run("custom", func(t *testing.T) {
+		os.Setenv("DD_TRACE_HTTP_CLIENT_ERROR_STATUSES", "500-510")
+		defer os.Unsetenv("DD_TRACE_HTTP_CLIENT_ERROR_STATUSES")
+		mt := mocktracer.Start()
+		defer mt.Stop()
+		rt := WrapRoundTripper(http.DefaultTransport)
+		makeRequests(rt, s.URL, t)
+		spans := mt.FinishedSpans()
+		assert.Len(t, spans, 3)
+		s := spans[0] // 400 is not error
+		assert.Empty(t, s.Tag(ext.Error))
+		assert.Equal(t, "400", s.Tag(ext.HTTPCode))
+		s = spans[1] // 500 is error
+		assert.Equal(t, "500: Internal Server Error", s.Tag(ext.Error).(error).Error())
+		assert.Equal(t, "500", s.Tag(ext.HTTPCode))
+		s = spans[2] // 200 is not error
+		assert.Empty(t, s.Tag(ext.Error))
+		assert.Equal(t, "200", s.Tag(ext.HTTPCode))
+	})
 }
 
 func TestRoundTripperNetworkError(t *testing.T) {
@@ -537,6 +548,70 @@ func TestSpanOptions(t *testing.T) {
 	assert.Equal(t, tagValue, spans[0].Tag(tagKey))
 }
 
+func TestClientQueryString(t *testing.T) {
+	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte("Hello World"))
+	}))
+	defer s.Close()
+	t.Run("default", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		rt := WrapRoundTripper(http.DefaultTransport)
+		client := &http.Client{
+			Transport: rt,
+		}
+		resp, err := client.Get(s.URL + "/hello/world?querystring=xyz")
+		assert.Nil(t, err)
+		defer resp.Body.Close()
+		spans := mt.FinishedSpans()
+		assert.Len(t, spans, 1)
+
+		assert.Regexp(t, regexp.MustCompile(`^http://.*?/hello/world\?querystring=xyz$`), spans[0].Tag(ext.HTTPURL))
+	})
+	t.Run("false", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		os.Setenv("DD_TRACE_HTTP_CLIENT_TAG_QUERY_STRING", "false")
+		defer os.Unsetenv("DD_TRACE_HTTP_CLIENT_TAG_QUERY_STRING")
+
+		rt := WrapRoundTripper(http.DefaultTransport)
+		client := &http.Client{
+			Transport: rt,
+		}
+		resp, err := client.Get(s.URL + "/hello/world?querystring=xyz")
+		assert.Nil(t, err)
+		defer resp.Body.Close()
+		spans := mt.FinishedSpans()
+		assert.Len(t, spans, 1)
+
+		assert.Regexp(t, regexp.MustCompile(`^http://.*?/hello/world$`), spans[0].Tag(ext.HTTPURL))
+	})
+	// DD_TRACE_HTTP_URL_QUERY_STRING_DISABLED applies only to server spans, not client
+	t.Run("Not impacted by DD_TRACE_HTTP_URL_QUERY_STRING_DISABLED", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		os.Setenv("DD_TRACE_HTTP_CLIENT_TAG_QUERY_STRING", "true")
+		os.Setenv("DD_TRACE_HTTP_URL_QUERY_STRING_DISABLED", "true")
+		defer os.Unsetenv("DD_TRACE_HTTP_CLIENT_TAG_QUERY_STRING")
+		defer os.Unsetenv("DD_TRACE_HTTP_URL_QUERY_STRING_DISABLED")
+
+		rt := WrapRoundTripper(http.DefaultTransport)
+		client := &http.Client{
+			Transport: rt,
+		}
+		resp, err := client.Get(s.URL + "/hello/world?querystring=xyz")
+		assert.Nil(t, err)
+		defer resp.Body.Close()
+		spans := mt.FinishedSpans()
+		assert.Len(t, spans, 1)
+
+		assert.Contains(t, spans[0].Tag(ext.HTTPURL), "/hello/world?querystring=xyz")
+	})
+}
+
 func TestRoundTripperPropagation(t *testing.T) {
 	mt := mocktracer.Start()
 	defer mt.Stop()
@@ -629,7 +704,7 @@ func TestAppsec(t *testing.T) {
 
 			require.Contains(t, serviceSpan.Tags(), "_dd.appsec.json")
 			appsecJSON := serviceSpan.Tag("_dd.appsec.json")
-			require.Contains(t, appsecJSON, "server.io.net.url")
+			require.Contains(t, appsecJSON, addresses.ServerIoNetURLAddr)
 
 			require.Contains(t, serviceSpan.Tags(), "_dd.stack")
 			require.NotContains(t, serviceSpan.Tags(), "error.message")
diff --git a/ddtrace/mocktracer/main_test.go b/ddtrace/mocktracer/main_test.go
new file mode 100644
index 0000000000..d584962bf7
--- /dev/null
+++ b/ddtrace/mocktracer/main_test.go
@@ -0,0 +1,15 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package mocktracer
+
+import (
+	"go.uber.org/goleak"
+	"testing"
+)
+
+func TestMain(m *testing.M) {
+	goleak.VerifyTestMain(m)
+}
diff --git a/ddtrace/mocktracer/mockspan_test.go b/ddtrace/mocktracer/mockspan_test.go
new file mode 100644
index 0000000000..4c0d91e8ab
--- /dev/null
+++ b/ddtrace/mocktracer/mockspan_test.go
@@ -0,0 +1,272 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016 Datadog, Inc.
+
+package mocktracer
+
+import (
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/DataDog/dd-trace-go/v2/ddtrace"
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// basicSpan returns a span with no configuration, having the set operation name.
+func basicSpan(operationName string) *mockspan {
+	return newSpan(&mocktracer{}, operationName, &ddtrace.StartSpanConfig{})
+}
+
+func TestNewSpan(t *testing.T) {
+	t.Run("basic", func(t *testing.T) {
+		s := basicSpan("http.request")
+
+		assert := assert.New(t)
+		assert.Equal("http.request", s.name)
+		assert.False(s.startTime.IsZero())
+		assert.Zero(s.parentID)
+		assert.NotNil(s.context)
+		assert.NotZero(s.context.spanID)
+		assert.Equal(s.context.spanID, s.context.traceID)
+	})
+
+	t.Run("options", func(t *testing.T) {
+		tr := new(mocktracer)
+		startTime := time.Now()
+		tags := map[string]interface{}{"k": "v", "k1": "v1"}
+		opts := &ddtrace.StartSpanConfig{
+			StartTime: startTime,
+			Tags:      tags,
+		}
+		s := newSpan(tr, "http.request", opts)
+
+		assert := assert.New(t)
+		assert.Equal(tr, s.tracer)
+		assert.Equal("http.request", s.name)
+		assert.Equal(startTime, s.startTime)
+		assert.Equal(tags, s.tags)
+	})
+
+	t.Run("parent", func(t *testing.T) {
+		baggage := map[string]string{"A": "B", "C": "D"}
+		parentctx := &spanContext{spanID: 1, traceID: 2, baggage: baggage}
+		opts := &ddtrace.StartSpanConfig{Parent: parentctx}
+		s := newSpan(&mocktracer{}, "http.request", opts)
+
+		assert := assert.New(t)
+		assert.NotNil(s.context)
+		assert.Equal(uint64(1), s.parentID)
+		assert.Equal(uint64(2), s.context.traceID)
+		assert.Equal(baggage, s.context.baggage)
+	})
+}
+
+func TestSpanSetTag(t *testing.T) {
+	s := basicSpan("http.request")
+	s.SetTag("a", "b")
+	s.SetTag("c", "d")
+
+	assert := assert.New(t)
+	assert.Len(s.Tags(), 3)
+	assert.Equal("http.request", s.Tag(ext.ResourceName))
+	assert.Equal("b", s.Tag("a"))
+	assert.Equal("d", s.Tag("c"))
+}
+
+func TestSpanSetTagPriority(t *testing.T) {
+	assert := assert.New(t)
+	s := basicSpan("http.request")
+	assert.False(s.context.hasSamplingPriority())
+	s.SetTag(ext.SamplingPriority, -1)
+	assert.True(s.context.hasSamplingPriority())
+	assert.Equal(-1, s.context.samplingPriority())
+}
+
+func TestSpanTagImmutability(t *testing.T) {
+	s := basicSpan("http.request")
+	s.SetTag("a", "b")
+	tags := s.Tags()
+	tags["a"] = 123
+	tags["b"] = 456
+
+	assert := assert.New(t)
+	assert.Equal("b", s.tags["a"])
+	assert.Zero(s.tags["b"])
+}
+
+func TestSpanStartTime(t *testing.T) {
+	startTime := time.Now()
+	s := newSpan(&mocktracer{}, "http.request", &ddtrace.StartSpanConfig{StartTime: startTime})
+
+	assert := assert.New(t)
+	assert.Equal(startTime, s.startTime)
+	assert.Equal(startTime, s.StartTime())
+}
+
+func TestSpanFinishTime(t *testing.T) {
+	s := basicSpan("http.request")
+	finishTime := time.Now()
+	s.Finish(tracer.FinishTime(finishTime))
+
+	assert := assert.New(t)
+	assert.Equal(finishTime, s.finishTime)
+	assert.Equal(finishTime, s.FinishTime())
+}
+
+func TestSpanOperationName(t *testing.T) {
+	t.Run("default", func(t *testing.T) {
+		s := basicSpan("http.request")
+		assert.Equal(t, "http.request", s.name)
+		assert.Equal(t, "http.request", s.OperationName())
+	})
+
+	t.Run("default", func(t *testing.T) {
+		s := basicSpan("http.request")
+		s.SetOperationName("db.query")
+		assert.Equal(t, "db.query", s.name)
+		assert.Equal(t, "db.query", s.OperationName())
+	})
+}
+
+func TestSpanBaggageFunctions(t *testing.T) {
+	t.Run("SetBaggageItem", func(t *testing.T) {
+		s := basicSpan("http.request")
+		s.SetBaggageItem("a", "b")
+		assert.Equal(t, "b", s.context.baggage["a"])
+	})
+
+	t.Run("BaggageItem", func(t *testing.T) {
+		s := basicSpan("http.request")
+		s.SetBaggageItem("a", "b")
+		assert.Equal(t, "b", s.BaggageItem("a"))
+	})
+}
+
+func TestSpanContext(t *testing.T) {
+	t.Run("Context", func(t *testing.T) {
+		s := basicSpan("http.request")
+		assert.Equal(t, s.context, s.Context())
+	})
+
+	t.Run("IDs", func(t *testing.T) {
+		parent := basicSpan("http.request")
+		child := newSpan(&mocktracer{}, "db.query", &ddtrace.StartSpanConfig{
+			Parent: parent.Context(),
+		})
+
+		assert := assert.New(t)
+		assert.Equal(parent.SpanID(), child.ParentID())
+		assert.Equal(parent.TraceID(), child.TraceID())
+		assert.NotZero(child.SpanID())
+	})
+}
+
+func TestSpanFinish(t *testing.T) {
+	s := basicSpan("http.request")
+	want := errors.New("some error")
+	s.Finish(tracer.WithError(want))
+
+	assert := assert.New(t)
+	assert.False(s.FinishTime().IsZero())
+	assert.True(s.FinishTime().Before(time.Now().Add(1 * time.Nanosecond)))
+	assert.Equal(want, s.Tag(ext.Error))
+}
+
+func TestSpanFinishTwice(t *testing.T) {
+	s := basicSpan("http.request")
+	wantError := errors.New("some error")
+	s.Finish(tracer.WithError(wantError))
+
+	assert := assert.New(t)
+	wantTime := s.finishTime
+	time.Sleep(2 * time.Millisecond)
+	s.Finish(tracer.WithError(errors.New("new error")))
+	assert.Equal(wantTime, s.finishTime)
+	assert.Equal(wantError, s.Tag(ext.Error))
+	assert.Equal(len(s.tracer.finishedSpans), 1)
+}
+
+func TestSpanString(t *testing.T) {
+	s := basicSpan("http.request")
+	s.Finish(tracer.WithError(errors.New("some error")))
+
+	assert := assert.New(t)
+	assert.NotEmpty(s.String())
+}
+
+func TestSpanWithID(t *testing.T) {
+	tr := newMockTracer()
+	defer tr.Stop()
+	spanID := uint64(123456789)
+	span := tr.StartSpan("", tracer.WithSpanID(spanID))
+
+	assert := assert.New(t)
+	assert.Equal(spanID, span.Context().SpanID())
+}
+
+func TestSetUser(t *testing.T) {
+	const (
+		id        = "john.doe#12345"
+		name      = "John Doe"
+		email     = "john.doe@hostname.com"
+		scope     = "read:message, write:files"
+		role      = "admin"
+		sessionID = "session#12345"
+	)
+	expected := []struct{ key, value string }{
+		{key: "usr.id", value: id},
+		{key: "usr.name", value: name},
+		{key: "usr.email", value: email},
+		{key: "usr.scope", value: scope},
+		{key: "usr.role", value: role},
+		{key: "usr.session_id", value: sessionID},
+	}
+
+	t.Run("root", func(t *testing.T) {
+		s := basicSpan("root operation")
+		tracer.SetUser(s,
+			id,
+			tracer.WithUserEmail(email),
+			tracer.WithUserName(name),
+			tracer.WithUserScope(scope),
+			tracer.WithUserRole(role),
+			tracer.WithUserSessionID(sessionID))
+		s.Finish()
+		for _, pair := range expected {
+			assert.Equal(t, pair.value, s.Tag(pair.key))
+		}
+	})
+
+	t.Run("nested", func(t *testing.T) {
+		tr := newMockTracer()
+		defer tr.Stop()
+
+		s0 := tr.StartSpan("root operation")
+		s1 := tr.StartSpan("nested operation", tracer.ChildOf(s0.Context()))
+		s2 := tr.StartSpan("nested nested operation", tracer.ChildOf(s1.Context()))
+		tracer.SetUser(s2,
+			id,
+			tracer.WithUserEmail(email),
+			tracer.WithUserName(name),
+			tracer.WithUserScope(scope),
+			tracer.WithUserRole(role),
+			tracer.WithUserSessionID(sessionID))
+		s2.Finish()
+		s1.Finish()
+		s0.Finish()
+		finished := tr.FinishedSpans()
+		require.Len(t, finished, 3)
+		for _, pair := range expected {
+			assert.Equal(t, pair.value, finished[2].Tag(pair.key))
+			assert.Nil(t, finished[1].Tag(pair.key))
+			assert.Nil(t, finished[0].Tag(pair.key))
+		}
+	})
+
+}
diff --git a/ddtrace/mocktracer/mocktracer.go b/ddtrace/mocktracer/mocktracer.go
index 3dcd3a2bfb..b12c96dce6 100644
--- a/ddtrace/mocktracer/mocktracer.go
+++ b/ddtrace/mocktracer/mocktracer.go
@@ -97,6 +97,13 @@ func (t *mocktracer) FinishSpan(s *tracer.Span) {
 	t.addFinishedSpan(s)
 }
 
+// Stop deactivates the mock tracer and sets the active tracer to a no-op.
+func (t *mocktracer) Stop() {
+	internal.SetGlobalTracer(&internal.NoopTracer{})
+	internal.Testing = false
+	t.dsmProcessor.Stop()
+}
+
 // Stop deactivates the mock tracer and sets the active tracer to a no-op.
 func (t *mocktracer) Stop() {
 	tracer.StopTestTracer()
diff --git a/ddtrace/mocktracer/mocktracer_test.go b/ddtrace/mocktracer/mocktracer_test.go
index 45281186e9..23a16d3311 100644
--- a/ddtrace/mocktracer/mocktracer_test.go
+++ b/ddtrace/mocktracer/mocktracer_test.go
@@ -21,6 +21,8 @@ func TestStart(t *testing.T) {
 	if tt, ok := tracer.GetGlobalTracer().(Tracer); !ok || tt != trc {
 		t.Fail()
 	}
+	// If the tracer isn't stopped it leaks goroutines, and breaks other tests.
+	trc.Stop()
 }
 
 func TestTracerStop(t *testing.T) {
@@ -39,6 +41,7 @@ func TestTracerStartSpan(t *testing.T) {
 
 	t.Run("with-service", func(t *testing.T) {
 		mt := newMockTracer()
+		defer mt.Stop()
 		parent := MockSpan(newSpan("http.request", &tracer.StartSpanConfig{Tags: parentTags}))
 		s := MockSpan(mt.StartSpan(
 			"db.query",
@@ -61,6 +64,7 @@ func TestTracerStartSpan(t *testing.T) {
 
 	t.Run("inherit", func(t *testing.T) {
 		mt := newMockTracer()
+		defer mt.Stop()
 		parent := MockSpan(newSpan("http.request", &tracer.StartSpanConfig{Tags: parentTags}))
 		s := MockSpan(mt.StartSpan("db.query", tracer.ChildOf(parent.Context())))
 
@@ -126,6 +130,7 @@ func TestTracerOpenSpans(t *testing.T) {
 
 func TestTracerSetUser(t *testing.T) {
 	mt := Start()
+	defer mt.Stop() // TODO (hannahkm): confirm this is correct
 	span := mt.StartSpan("http.request")
 	tracer.SetUser(span, "test-user",
 		tracer.WithUserEmail("email"),
@@ -172,6 +177,8 @@ func TestTracerReset(t *testing.T) {
 func TestTracerInject(t *testing.T) {
 	t.Run("errors", func(t *testing.T) {
 		mt := newMockTracer()
+		defer mt.Stop()
+
 		assert := assert.New(t)
 
 		err := mt.Inject(&tracer.SpanContext{}, 2)
diff --git a/ddtrace/tracer/civisibility_payload.go b/ddtrace/tracer/civisibility_payload.go
index 73b5095a46..ce1ed04b0d 100644
--- a/ddtrace/tracer/civisibility_payload.go
+++ b/ddtrace/tracer/civisibility_payload.go
@@ -64,6 +64,27 @@ func newCiVisibilityPayload() *ciVisibilityPayload {
 //	An error if reading from the buffer or encoding the payload fails.
 func (p *ciVisibilityPayload) getBuffer(config *config) (*bytes.Buffer, error) {
 	log.Debug("ciVisibilityPayload: .getBuffer (count: %v)", p.itemCount())
+
+	// Create a buffer to read the current payload
+	payloadBuf := new(bytes.Buffer)
+	if _, err := payloadBuf.ReadFrom(p.payload); err != nil {
+		return nil, err
+	}
+
+	// Create the visibility payload
+	visibilityPayload := p.writeEnvelope(config.env, payloadBuf.Bytes())
+
+	// Create a new buffer to encode the visibility payload in MessagePack format
+	encodedBuf := new(bytes.Buffer)
+	if err := msgp.Encode(encodedBuf, visibilityPayload); err != nil {
+		return nil, err
+	}
+
+	return encodedBuf, nil
+}
+
+func (p *ciVisibilityPayload) writeEnvelope(env string, events []byte) *ciTestCyclePayload {
+
 	/*
 			The Payload format in the CI Visibility protocol is like this:
 			{
@@ -84,36 +105,35 @@ func (p *ciVisibilityPayload) getBuffer(config *config) (*bytes.Buffer, error) {
 		The event format can be found in the `civisibility_tslv.go` file in the ciVisibilityEvent documentation
 	*/
 
-	// Create a buffer to read the current payload
-	payloadBuf := new(bytes.Buffer)
-	if _, err := payloadBuf.ReadFrom(p.payload); err != nil {
-		return nil, err
-	}
-
 	// Create the metadata map
 	allMetadata := map[string]string{
 		"language":        "go",
 		"runtime-id":      globalconfig.RuntimeID(),
 		"library_version": version.Tag,
 	}
-	if config.env != "" {
-		allMetadata["env"] = config.env
+	if env != "" {
+		allMetadata["env"] = env
 	}
 
 	// Create the visibility payload
-	visibilityPayload := ciTestCyclePayload{
+	visibilityPayload := &ciTestCyclePayload{
 		Version: 1,
 		Metadata: map[string]map[string]string{
 			"*": allMetadata,
 		},
-		Events: payloadBuf.Bytes(),
+		Events: events,
 	}
 
-	// Create a new buffer to encode the visibility payload in MessagePack format
-	encodedBuf := new(bytes.Buffer)
-	if err := msgp.Encode(encodedBuf, &visibilityPayload); err != nil {
-		return nil, err
+	// Check for the test session name and append the tag at the metadata level
+	if testSessionName, ok := utils.GetCITags()[constants.TestSessionName]; ok {
+		testSessionMap := map[string]string{
+			constants.TestSessionName: testSessionName,
+		}
+		visibilityPayload.Metadata["test_session_end"] = testSessionMap
+		visibilityPayload.Metadata["test_module_end"] = testSessionMap
+		visibilityPayload.Metadata["test_suite_end"] = testSessionMap
+		visibilityPayload.Metadata["test"] = testSessionMap
 	}
 
-	return encodedBuf, nil
+	return visibilityPayload
 }
diff --git a/ddtrace/tracer/civisibility_payload_test.go b/ddtrace/tracer/civisibility_payload_test.go
index 04594b8135..869d835676 100644
--- a/ddtrace/tracer/civisibility_payload_test.go
+++ b/ddtrace/tracer/civisibility_payload_test.go
@@ -7,12 +7,17 @@ package tracer
 
 import (
 	"bytes"
+	"encoding/json"
 	"io"
 	"strconv"
 	"strings"
 	"sync/atomic"
 	"testing"
 
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils"
+	"github.com/DataDog/dd-trace-go/v2/internal/globalconfig"
+	"github.com/DataDog/dd-trace-go/v2/internal/version"
 	"github.com/stretchr/testify/assert"
 	"github.com/tinylib/msgp/msgp"
 )
@@ -80,6 +85,50 @@ func TestCiVisibilityPayloadDecode(t *testing.T) {
 	}
 }
 
+func TestCiVisibilityPayloadEnvelope(t *testing.T) {
+	assert := assert.New(t)
+	p := newCiVisibilityPayload()
+	payload := p.writeEnvelope("none", []byte{})
+
+	// Encode the payload to message pack
+	encodedBuf := new(bytes.Buffer)
+	err := msgp.Encode(encodedBuf, payload)
+	assert.NoError(err)
+
+	// Convert the message pack to json
+	jsonBuf := new(bytes.Buffer)
+	_, err = msgp.CopyToJSON(jsonBuf, encodedBuf)
+	assert.NoError(err)
+
+	// Decode the json payload
+	var testCyclePayload ciTestCyclePayload
+	err = json.Unmarshal(jsonBuf.Bytes(), &testCyclePayload)
+	assert.NoError(err)
+
+	// Now let's assert the decoded envelope metadata
+	assert.Contains(testCyclePayload.Metadata, "*")
+	assert.Subset(testCyclePayload.Metadata["*"], map[string]string{
+		"language":        "go",
+		"runtime-id":      globalconfig.RuntimeID(),
+		"library_version": version.Tag,
+	})
+
+	testSessionName := utils.GetCITags()[constants.TestSessionName]
+	testSessionMap := map[string]string{constants.TestSessionName: testSessionName}
+
+	assert.Contains(testCyclePayload.Metadata, "test_session_end")
+	assert.Subset(testCyclePayload.Metadata["test_session_end"], testSessionMap)
+
+	assert.Contains(testCyclePayload.Metadata, "test_module_end")
+	assert.Subset(testCyclePayload.Metadata["test_module_end"], testSessionMap)
+
+	assert.Contains(testCyclePayload.Metadata, "test_suite_end")
+	assert.Subset(testCyclePayload.Metadata["test_suite_end"], testSessionMap)
+
+	assert.Contains(testCyclePayload.Metadata, "test")
+	assert.Subset(testCyclePayload.Metadata["test"], testSessionMap)
+}
+
 func BenchmarkCiVisibilityPayloadThroughput(b *testing.B) {
 	b.Run("10K", benchmarkCiVisibilityPayloadThroughput(1))
 	b.Run("100K", benchmarkCiVisibilityPayloadThroughput(10))
diff --git a/ddtrace/tracer/civisibility_transport.go b/ddtrace/tracer/civisibility_transport.go
index d238329ca6..5dd1a25a0d 100644
--- a/ddtrace/tracer/civisibility_transport.go
+++ b/ddtrace/tracer/civisibility_transport.go
@@ -106,6 +106,8 @@ func newCiVisibilityTransport(config *config) *ciVisibilityTransport {
 	}
 	log.Debug("ciVisibilityTransport: creating transport instance [agentless: %v, testcycleurl: %v]", agentlessEnabled, testCycleURL)
 
+	log.Debug("ciVisibilityTransport: creating transport instance [agentless: %v, testcycleurl: %v]", agentlessEnabled, testCycleURL)
+
 	return &ciVisibilityTransport{
 		config:           config,
 		testCycleURLPath: testCycleURL,
@@ -159,6 +161,7 @@ func (t *ciVisibilityTransport) send(p *payload) (body io.ReadCloser, err error)
 	}
 	log.Debug("ciVisibilityTransport: sending transport request: %v bytes", buffer.Len())
 
+	log.Debug("ciVisibilityTransport: sending transport request: %v bytes", buffer.Len())
 	response, err := t.config.httpClient.Do(req)
 	if err != nil {
 		return nil, err
diff --git a/ddtrace/tracer/civisibility_tslv.go b/ddtrace/tracer/civisibility_tslv.go
index 888154e5e3..075aace398 100644
--- a/ddtrace/tracer/civisibility_tslv.go
+++ b/ddtrace/tracer/civisibility_tslv.go
@@ -271,6 +271,7 @@ func getCiVisibilityEvent(span *Span) *ciVisibilityEvent {
 //	A pointer to the created ciVisibilityEvent.
 func createTestEventFromSpan(span *Span) *ciVisibilityEvent {
 	tSpan := createTslvSpan(span)
+	tSpan.ParentID = 0
 	tSpan.SessionID = getAndRemoveMetaToUInt64(span, constants.TestSessionIDTag)
 	tSpan.ModuleID = getAndRemoveMetaToUInt64(span, constants.TestModuleIDTag)
 	tSpan.SuiteID = getAndRemoveMetaToUInt64(span, constants.TestSuiteIDTag)
@@ -296,6 +297,7 @@ func createTestEventFromSpan(span *Span) *ciVisibilityEvent {
 //	A pointer to the created ciVisibilityEvent.
 func createTestSuiteEventFromSpan(span *Span) *ciVisibilityEvent {
 	tSpan := createTslvSpan(span)
+	tSpan.ParentID = 0
 	tSpan.SessionID = getAndRemoveMetaToUInt64(span, constants.TestSessionIDTag)
 	tSpan.ModuleID = getAndRemoveMetaToUInt64(span, constants.TestModuleIDTag)
 	tSpan.SuiteID = getAndRemoveMetaToUInt64(span, constants.TestSuiteIDTag)
@@ -318,6 +320,7 @@ func createTestSuiteEventFromSpan(span *Span) *ciVisibilityEvent {
 //	A pointer to the created ciVisibilityEvent.
 func createTestModuleEventFromSpan(span *Span) *ciVisibilityEvent {
 	tSpan := createTslvSpan(span)
+	tSpan.ParentID = 0
 	tSpan.SessionID = getAndRemoveMetaToUInt64(span, constants.TestSessionIDTag)
 	tSpan.ModuleID = getAndRemoveMetaToUInt64(span, constants.TestModuleIDTag)
 	return &ciVisibilityEvent{
@@ -339,6 +342,7 @@ func createTestModuleEventFromSpan(span *Span) *ciVisibilityEvent {
 //	A pointer to the created ciVisibilityEvent.
 func createTestSessionEventFromSpan(span *Span) *ciVisibilityEvent {
 	tSpan := createTslvSpan(span)
+	tSpan.ParentID = 0
 	tSpan.SessionID = getAndRemoveMetaToUInt64(span, constants.TestSessionIDTag)
 	return &ciVisibilityEvent{
 		span:    span,
diff --git a/ddtrace/tracer/civisibility_writer.go b/ddtrace/tracer/civisibility_writer.go
index 0a547ac551..c79ffe7cc0 100644
--- a/ddtrace/tracer/civisibility_writer.go
+++ b/ddtrace/tracer/civisibility_writer.go
@@ -63,7 +63,7 @@ func (w *ciVisibilityTraceWriter) add(trace []*Span) {
 	for _, s := range trace {
 		cvEvent := getCiVisibilityEvent(s)
 		if err := w.payload.push(cvEvent); err != nil {
-			log.Error("Error encoding msgpack: %v", err)
+			log.Error("ciVisibilityTraceWriter: Error encoding msgpack: %v", err)
 		}
 		if w.payload.size() > agentlessPayloadSizeLimit {
 			w.flush()
@@ -105,16 +105,16 @@ func (w *ciVisibilityTraceWriter) flush() {
 		var err error
 		for attempt := 0; attempt <= w.config.sendRetries; attempt++ {
 			size, count = p.size(), p.itemCount()
-			log.Debug("Sending payload: size: %d events: %d\n", size, count)
+			log.Debug("ciVisibilityTraceWriter: sending payload: size: %d events: %d\n", size, count)
 			_, err = w.config.transport.send(p.payload)
 			if err == nil {
-				log.Debug("sent events after %d attempts", attempt+1)
+				log.Debug("ciVisibilityTraceWriter: sent events after %d attempts", attempt+1)
 				return
 			}
-			log.Error("failure sending events (attempt %d), will retry: %v", attempt+1, err)
+			log.Error("ciVisibilityTraceWriter: failure sending events (attempt %d), will retry: %v", attempt+1, err)
 			p.reset()
 			time.Sleep(time.Millisecond)
 		}
-		log.Error("lost %d events: %v", count, err)
+		log.Error("ciVisibilityTraceWriter: lost %d events: %v", count, err)
 	}(oldp)
 }
diff --git a/ddtrace/tracer/option.go b/ddtrace/tracer/option.go
index 1557ac6344..f7a6059ec3 100644
--- a/ddtrace/tracer/option.go
+++ b/ddtrace/tracer/option.go
@@ -273,6 +273,9 @@ type config struct {
 
 	// ciVisibilityEnabled controls if the tracer is loaded with CI Visibility mode. default false
 	ciVisibilityEnabled bool
+
+	// logDirectory is directory for tracer logs specified by user-setting DD_TRACE_LOG_DIRECTORY. default empty/unused
+	logDirectory string
 }
 
 // orchestrionConfig contains Orchestrion configuration.
@@ -377,6 +380,7 @@ func newConfig(opts ...StartOption) (*config, error) {
 	c.logStartup = internal.BoolEnv("DD_TRACE_STARTUP_LOGS", true)
 	c.runtimeMetrics = internal.BoolVal(getDDorOtelConfig("metrics"), false)
 	c.debug = internal.BoolVal(getDDorOtelConfig("debugMode"), false)
+	c.logDirectory = os.Getenv("DD_TRACE_LOG_DIRECTORY")
 	c.enabled = newDynamicConfig("tracing_enabled", internal.BoolVal(getDDorOtelConfig("enabled"), true), func(b bool) bool { return true }, equal[bool])
 	if _, ok := os.LookupEnv("DD_TRACE_ENABLED"); ok {
 		c.enabled.cfgOrigin = telemetry.OriginEnvVar
@@ -506,7 +510,6 @@ func newConfig(opts ...StartOption) (*config, error) {
 	if c.debug {
 		log.SetLevel(log.LevelDebug)
 	}
-
 	// if using stdout or traces are disabled, agent is disabled
 	agentDisabled := c.logToStdout || !c.enabled.current
 	c.agent = loadAgentFeatures(agentDisabled, c.agentURL, c.httpClient)
diff --git a/ddtrace/tracer/rand.go b/ddtrace/tracer/rand.go
index 056f2aeb1c..192a6725f9 100644
--- a/ddtrace/tracer/rand.go
+++ b/ddtrace/tracer/rand.go
@@ -3,68 +3,17 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016 Datadog, Inc.
 
-//go:build !go1.22
-
-// TODO(knusbaum): This file should be deleted once go1.21 falls out of support
 package tracer
 
 import (
-	cryptorand "crypto/rand"
 	"math"
-	"math/big"
-	"math/rand"
-	"sync"
-	"time"
-
-	"github.com/DataDog/dd-trace-go/v2/internal/log"
+	"math/rand/v2"
 )
 
-// random holds a thread-safe source of random numbers.
-var random *rand.Rand
-
-func init() {
-	var seed int64
-	n, err := cryptorand.Int(cryptorand.Reader, big.NewInt(math.MaxInt64))
-	if err == nil {
-		seed = n.Int64()
-	} else {
-		log.Warn("cannot generate random seed: %v; using current time", err)
-		seed = time.Now().UnixNano()
-	}
-	random = rand.New(&safeSource{
-		source: rand.NewSource(seed),
-	})
-}
-
-// safeSource holds a thread-safe implementation of rand.Source64.
-type safeSource struct {
-	source rand.Source
-	sync.Mutex
-}
-
-func (rs *safeSource) Int63() int64 {
-	rs.Lock()
-	n := rs.source.Int63()
-	rs.Unlock()
-
-	return n
-}
-
-func (rs *safeSource) Uint64() uint64 { return uint64(rs.Int63()) }
-
-func (rs *safeSource) Seed(seed int64) {
-	rs.Lock()
-	rs.source.Seed(seed)
-	rs.Unlock()
+func randUint64() uint64 {
+	return rand.Uint64()
 }
 
-// generateSpanID returns a random uint64 that has been XORd with the startTime.
-// This is done to get around the 32-bit random seed limitation that may create collisions if there is a large number
-// of go services all generating spans.
 func generateSpanID(startTime int64) uint64 {
-	return random.Uint64() ^ uint64(startTime)
-}
-
-func randUint64() uint64 {
-	return random.Uint64()
+	return rand.Uint64() & math.MaxInt64
 }
diff --git a/ddtrace/tracer/rand_go1_22.go b/ddtrace/tracer/rand_go1_22.go
deleted file mode 100644
index 9e7948e47e..0000000000
--- a/ddtrace/tracer/rand_go1_22.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// Unless explicitly stated otherwise all files in this repository are licensed
-// under the Apache License Version 2.0.
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
-
-//go:build go1.22
-
-package tracer
-
-import (
-	"math"
-	"math/rand/v2"
-)
-
-func randUint64() uint64 {
-	return rand.Uint64()
-}
-
-func generateSpanID(startTime int64) uint64 {
-	return rand.Uint64() & math.MaxInt64
-}
diff --git a/ddtrace/tracer/rules_sampler.go b/ddtrace/tracer/rules_sampler.go
index 07f5d02b74..b600a3da57 100644
--- a/ddtrace/tracer/rules_sampler.go
+++ b/ddtrace/tracer/rules_sampler.go
@@ -19,6 +19,7 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
 	"github.com/DataDog/dd-trace-go/v2/internal/log"
 	"github.com/DataDog/dd-trace-go/v2/internal/samplernames"
+	"github.com/DataDog/dd-trace-go/v2/internal/telemetry"
 
 	"golang.org/x/time/rate"
 )
@@ -516,6 +517,7 @@ const defaultRateLimit = 100.0
 // The limit is DD_TRACE_RATE_LIMIT if set, `defaultRateLimit` otherwise.
 func newRateLimiter() *rateLimiter {
 	limit := defaultRateLimit
+	origin := telemetry.OriginDefault
 	v := os.Getenv("DD_TRACE_RATE_LIMIT")
 	if v != "" {
 		l, err := strconv.ParseFloat(v, 64)
@@ -525,9 +527,11 @@ func newRateLimiter() *rateLimiter {
 			log.Warn("DD_TRACE_RATE_LIMIT negative, using default value %f", limit)
 		} else {
 			// override the default limit
+			origin = telemetry.OriginEnvVar
 			limit = l
 		}
 	}
+	reportTelemetryOnAppStarted(telemetry.Configuration{Name: "trace_rate_limit", Value: limit, Origin: origin})
 	return &rateLimiter{
 		limiter:  rate.NewLimiter(rate.Limit(limit), int(math.Ceil(limit))),
 		prevTime: time.Now(),
diff --git a/ddtrace/tracer/spancontext_test.go b/ddtrace/tracer/spancontext_test.go
index 5a0175fbeb..c5dedf977e 100644
--- a/ddtrace/tracer/spancontext_test.go
+++ b/ddtrace/tracer/spancontext_test.go
@@ -156,6 +156,25 @@ func TestSpanTracePushOne(t *testing.T) {
 	assert.Equal(0, len(trace.spans), "no more spans in the trace")
 }
 
+// Tests to confirm that when the payload queue is full, chunks are dropped
+// and the associated trace is counted as dropped.
+func TestTraceFinishChunk(t *testing.T) {
+	assert := assert.New(t)
+	tracer := newUnstartedTracer()
+	defer tracer.statsd.Close()
+
+	root := newSpan("name", "service", "resource", 0, 0, 0)
+	trace := root.context.trace
+
+	for i := 0; i < payloadQueueSize+1; i++ {
+		trace.mu.Lock()
+		c := chunk{spans: make([]*span, 1)}
+		trace.finishChunk(tracer, &c)
+		trace.mu.Unlock()
+	}
+	assert.Equal(uint32(1), tracer.totalTracesDropped)
+}
+
 func TestPartialFlush(t *testing.T) {
 	t.Setenv("DD_TRACE_PARTIAL_FLUSH_ENABLED", "true")
 	t.Setenv("DD_TRACE_PARTIAL_FLUSH_MIN_SPANS", "2")
diff --git a/ddtrace/tracer/stats_payload_msgp.go b/ddtrace/tracer/stats_payload_msgp.go
index 462e1d680a..70a3a0b4c4 100644
--- a/ddtrace/tracer/stats_payload_msgp.go
+++ b/ddtrace/tracer/stats_payload_msgp.go
@@ -1,3 +1,7 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016 Datadog, Inc.
 package tracer
 
 // Code generated by github.com/tinylib/msgp DO NOT EDIT.
diff --git a/ddtrace/tracer/telemetry.go b/ddtrace/tracer/telemetry.go
index 17d43abe3e..65a2bb1a30 100644
--- a/ddtrace/tracer/telemetry.go
+++ b/ddtrace/tracer/telemetry.go
@@ -12,6 +12,12 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/internal/telemetry"
 )
 
+var additionalConfigs []telemetry.Configuration
+
+func reportTelemetryOnAppStarted(c telemetry.Configuration) {
+	additionalConfigs = append(additionalConfigs, c)
+}
+
 // startTelemetry starts the global instrumentation telemetry client with tracer data
 // unless instrumentation telemetry is disabled via the DD_INSTRUMENTATION_TELEMETRY_ENABLED
 // env var.
@@ -44,7 +50,8 @@ func startTelemetry(c *config) {
 		{Name: "service", Value: c.serviceName},
 		{Name: "universal_version", Value: c.universalVersion},
 		{Name: "env", Value: c.env},
-		{Name: "agent_url", Value: c.agentURL.String()},
+		{Name: "version", Value: c.version},
+		{Name: "trace_agent_url", Value: c.agentURL.String()},
 		{Name: "agent_hostname", Value: c.hostname},
 		{Name: "runtime_metrics_enabled", Value: c.runtimeMetrics},
 		{Name: "dogstatsd_addr", Value: c.dogstatsdAddr},
@@ -55,6 +62,7 @@ func startTelemetry(c *config) {
 		{Name: "trace_peer_service_defaults_enabled", Value: c.peerServiceDefaultsEnabled},
 		{Name: "orchestrion_enabled", Value: c.orchestrionCfg.Enabled},
 		{Name: "trace_enabled", Value: c.enabled.current, Origin: c.enabled.cfgOrigin},
+		{Name: "trace_log_directory", Value: c.logDirectory},
 		c.traceSampleRate.toTelemetry(),
 		c.headerAsTags.toTelemetry(),
 		c.globalTags.toTelemetry(),
@@ -102,5 +110,6 @@ func startTelemetry(c *config) {
 			telemetryConfigs = append(telemetryConfigs, telemetry.Configuration{Name: "orchestrion_" + k, Value: v})
 		}
 	}
+	telemetryConfigs = append(telemetryConfigs, additionalConfigs...)
 	telemetry.GlobalClient.ProductChange(telemetry.NamespaceTracers, true, telemetryConfigs)
 }
diff --git a/ddtrace/tracer/tracer.go b/ddtrace/tracer/tracer.go
index 0bc02e4246..ef5416bade 100644
--- a/ddtrace/tracer/tracer.go
+++ b/ddtrace/tracer/tracer.go
@@ -15,6 +15,7 @@ import (
 	rt "runtime/trace"
 	"strconv"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
@@ -143,6 +144,11 @@ type tracer struct {
 	// abandonedSpansDebugger specifies where and how potentially abandoned spans are stored
 	// when abandoned spans debugging is enabled.
 	abandonedSpansDebugger *abandonedSpansDebugger
+
+	// logFile contains a pointer to the file for writing tracer logs along with helper functionality for closing the file
+	// logFile is closed when tracer stops
+	// by default, tracer logs to stderr and this setting is unused
+	logFile *log.ManagedFile
 }
 
 const (
@@ -305,6 +311,14 @@ func newUnstartedTracer(opts ...StartOption) (*tracer, error) {
 	if c.dataStreamsMonitoringEnabled {
 		dataStreamsProcessor = datastreams.NewProcessor(statsd, c.env, c.serviceName, c.version, c.agentURL, c.httpClient)
 	}
+	var logFile *log.ManagedFile
+	if v := c.logDirectory; v != "" {
+		logFile, err = log.OpenFileAtPath(v)
+		if err != nil {
+			log.Warn("%v", err)
+			c.logDirectory = ""
+		}
+	}
 	t := &tracer{
 		config:           c,
 		traceWriter:      writer,
@@ -314,6 +328,7 @@ func newUnstartedTracer(opts ...StartOption) (*tracer, error) {
 		rulesSampling:    rulesSampler,
 		prioritySampling: sampler,
 		pid:              os.Getpid(),
+		logDroppedTraces: time.NewTicker(1 * time.Second),
 		stats:            newConcentrator(c, defaultStatsBucketSize),
 		obfuscator: obfuscate.NewObfuscator(obfuscate.Config{
 			SQL: obfuscate.SQLConfig{
@@ -326,6 +341,7 @@ func newUnstartedTracer(opts ...StartOption) (*tracer, error) {
 		}),
 		statsd:      statsd,
 		dataStreams: dataStreamsProcessor,
+		logFile:     logFile,
 	}
 	return t, nil
 }
@@ -496,7 +512,15 @@ func (t *tracer) pushChunk(trace *Chunk) {
 	select {
 	case t.out <- trace:
 	default:
-		log.Error("payload queue full, dropping %d traces", len(trace.spans))
+		log.Debug("payload queue full, trace dropped %d spans", len(trace.spans))
+		atomic.AddUint32(&t.totalTracesDropped, 1)
+	}
+	select {
+	case <-t.logDroppedTraces.C:
+		if t := atomic.SwapUint32(&t.totalTracesDropped, 0); t > 0 {
+			log.Error("%d traces dropped through payload queue", t)
+		}
+	default:
 	}
 }
 
@@ -720,6 +744,10 @@ func (t *tracer) Stop() {
 	}
 	appsec.Stop()
 	remoteconfig.Stop()
+	// Close log file last to account for any logs from the above calls
+	if t.logFile != nil {
+		t.logFile.Close()
+	}
 }
 
 // Inject uses the configured or default TextMap Propagator.
diff --git a/ddtrace/tracer/tracer_test.go b/ddtrace/tracer/tracer_test.go
index 476f0b8c40..ac626ea36a 100644
--- a/ddtrace/tracer/tracer_test.go
+++ b/ddtrace/tracer/tracer_test.go
@@ -239,6 +239,27 @@ func TestTracerStart(t *testing.T) {
 	})
 }
 
+func TestTracerLogFile(t *testing.T) {
+	t.Run("valid", func(t *testing.T) {
+		dir, err := os.MkdirTemp("", "example")
+		if err != nil {
+			t.Fatalf("Failure to make temp dir: %v", err)
+		}
+		t.Setenv("DD_TRACE_LOG_DIRECTORY", dir)
+		tracer := newTracer()
+		assert.Equal(t, dir, tracer.config.logDirectory)
+		assert.NotNil(t, tracer.logFile)
+		assert.Equal(t, dir+"/"+log.LoggerFile, tracer.logFile.Name())
+	})
+	t.Run("invalid", func(t *testing.T) {
+		t.Setenv("DD_TRACE_LOG_DIRECTORY", "some/nonexistent/path")
+		tracer := newTracer()
+		defer Stop()
+		assert.Empty(t, tracer.config.logDirectory)
+		assert.Nil(t, tracer.logFile)
+	})
+}
+
 func TestTracerStartSpan(t *testing.T) {
 	t.Run("generic", func(t *testing.T) {
 		tracer, err := newTracer()
diff --git a/go.mod b/go.mod
index 77627f483f..666bfdcca0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,13 +1,13 @@
 module github.com/DataDog/dd-trace-go/v2
 
-go 1.21
+go 1.22.0
 
 require (
-	github.com/DataDog/appsec-internal-go v1.7.0
+	github.com/DataDog/appsec-internal-go v1.8.0
 	github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0
-	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1
+	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0
 	github.com/DataDog/datadog-go/v5 v5.3.0
-	github.com/DataDog/go-libddwaf/v3 v3.3.0
+	github.com/DataDog/go-libddwaf/v3 v3.4.0
 	github.com/DataDog/gostackparse v0.7.0
 	github.com/DataDog/sketches-go v1.4.5
 	github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4
@@ -18,14 +18,15 @@ require (
 	github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3
 	github.com/spaolacci/murmur3 v1.1.0
 	github.com/stretchr/testify v1.9.0
-	github.com/tinylib/msgp v1.1.8
+	github.com/tinylib/msgp v1.2.1
 	github.com/valyala/fasthttp v1.51.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0
 	go.opentelemetry.io/otel v1.20.0
 	go.opentelemetry.io/otel/trace v1.20.0
 	go.uber.org/atomic v1.11.0
-	golang.org/x/mod v0.14.0
-	golang.org/x/sys v0.20.0
+	go.uber.org/goleak v1.3.0
+	golang.org/x/mod v0.18.0
+	golang.org/x/sys v0.23.0
 	golang.org/x/time v0.3.0
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
 	google.golang.org/grpc v1.57.1
@@ -33,7 +34,7 @@ require (
 )
 
 require (
-	github.com/DataDog/go-tuf v1.0.2-0.5.2 // indirect
+	github.com/DataDog/go-tuf v1.1.0-0.5.2 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
@@ -44,12 +45,13 @@ require (
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/klauspost/compress v1.17.1 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/outcaste-io/ristretto v0.2.3 // indirect
-	github.com/philhofer/fwd v1.1.2 // indirect
+	github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rogpeppe/go-internal v1.9.0 // indirect
@@ -58,9 +60,10 @@ require (
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	go.opentelemetry.io/otel/metric v1.20.0 // indirect
-	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index d68e731518..7e827e58a2 100644
--- a/go.sum
+++ b/go.sum
@@ -1,15 +1,15 @@
-github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
-github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/appsec-internal-go v1.8.0 h1:1Tfn3LEogntRqZtf88twSApOCAAO3V+NILYhuQIo4J4=
+github.com/DataDog/appsec-internal-go v1.8.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 h1:bUMSNsw1iofWiju9yc1f+kBd33E3hMJtq9GuU602Iy8=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1 h1:5nE6N3JSs2IG3xzMthNFhXfOaXlrsdgqmJ73lndFf8c=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1/go.mod h1:Vc+snp0Bey4MrrJyiV2tVxxJb6BmLomPvN1RgAvjGaQ=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 h1:LplNAmMgZvGU7kKA0+4c1xWOjz828xweW5TCi8Mw9Q0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0/go.mod h1:4Vo3SJ24uzfKHUHLoFa8t8o+LH+7TCQ7sPcZDtOpSP4=
 github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8=
 github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q=
-github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
-github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
-github.com/DataDog/go-tuf v1.0.2-0.5.2 h1:EeZr937eKAWPxJ26IykAdWA4A0jQXJgkhUjqEI/w7+I=
-github.com/DataDog/go-tuf v1.0.2-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
+github.com/DataDog/go-libddwaf/v3 v3.4.0 h1:NJ2W2vhYaOm1OWr1LJCbdgp7ezG/XLJcQKBmjFwhSuM=
+github.com/DataDog/go-libddwaf/v3 v3.4.0/go.mod h1:n98d9nZ1gzenRSk53wz8l6d34ikxS+hs62A31Fqmyi4=
+github.com/DataDog/go-tuf v1.1.0-0.5.2 h1:4CagiIekonLSfL8GMHRHcHudo1fQnxELS9g4tiAupQ4=
+github.com/DataDog/go-tuf v1.1.0-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
 github.com/DataDog/gostackparse v0.7.0 h1:i7dLkXHvYzHV308hnkvVGDL3BR4FWl7IsXNPz/IGQh4=
 github.com/DataDog/gostackparse v0.7.0/go.mod h1:lTfqcJKqS9KnXQGnyQMCugq3u1FP6UZMfWR0aitKFMM=
 github.com/DataDog/sketches-go v1.4.5 h1:ki7VfeNz7IcNafq7yI/j5U/YCkO3LJiMDtXz9OMQbyE=
@@ -60,6 +60,8 @@ github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b h1:h9U78+dx9a4BKdQkBB
 github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
 github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
+github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
@@ -69,6 +71,8 @@ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
 github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
 github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/klauspost/compress v1.17.1 h1:NE3C767s2ak2bweCZo3+rdP4U/HoyVXLv/X9f2gPS5g=
 github.com/klauspost/compress v1.17.1/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -80,21 +84,27 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
+github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0=
 github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
-github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
-github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 h1:jYi87L8j62qkXzaYHAQAhEapgukhenIMZRBKTNRLHJ4=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY=
 github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3/go.mod h1:vl5+MqJ1nBINuSsUI2mGgH79UweUT/B5Fy8857PqyyI=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
@@ -122,14 +132,13 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tinylib/msgp v1.1.8 h1:FCXC1xanKO4I8plpHGH2P7koL/RzZs12l/+r7vakfm0=
-github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw=
+github.com/tinylib/msgp v1.2.1 h1:6ypy2qcCznxpP4hpORzhtXyTqrBs7cfM9MCCWY8zsmU=
+github.com/tinylib/msgp v1.2.1/go.mod h1:2vIGs3lcUo8izAATNobrCHevYZC/LMsJtw4JPiYPHro=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA=
 github.com/valyala/fasthttp v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 h1:KfYpVmrjI7JuToy5k8XV3nkapjWx48k4E4JOtVstzQI=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0/go.mod h1:SeQhzAEccGVZVEy7aH87Nh0km+utSpo1pTv6eMMop48=
 go.opentelemetry.io/otel v1.20.0 h1:vsb/ggIY+hUjD/zCAQHpzTmndPqv/ml2ArbsbfBYTAc=
@@ -145,28 +154,20 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -175,31 +176,21 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -224,3 +215,23 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+lukechampine.com/uint128 v1.3.0 h1:cDdUVfRwDUDovz610ABgFD17nXD4/uDgVHl2sC3+sbo=
+lukechampine.com/uint128 v1.3.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
+modernc.org/cc/v3 v3.41.0 h1:QoR1Sn3YWlmA1T4vLaKZfawdVtSiGx8H+cEojbC7v1Q=
+modernc.org/cc/v3 v3.41.0/go.mod h1:Ni4zjJYJ04CDOhG7dn640WGfwBzfE0ecX8TyMB0Fv0Y=
+modernc.org/ccgo/v3 v3.16.15 h1:KbDR3ZAVU+wiLyMESPtbtE/Add4elztFyfsWoNTgxS0=
+modernc.org/ccgo/v3 v3.16.15/go.mod h1:yT7B+/E2m43tmMOT51GMoM98/MtHIcQQSleGnddkUNI=
+modernc.org/libc v1.37.6 h1:orZH3c5wmhIQFTXF+Nt+eeauyd+ZIt2BX6ARe+kD+aw=
+modernc.org/libc v1.37.6/go.mod h1:YAXkAZ8ktnkCKaN9sw/UDeUVkGYJ/YquGO4FTi5nmHE=
+modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
+modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
+modernc.org/memory v1.7.2 h1:Klh90S215mmH8c9gO98QxQFsY+W451E8AnzjoE2ee1E=
+modernc.org/memory v1.7.2/go.mod h1:NO4NVCQy0N7ln+T9ngWqOQfi7ley4vpwvARR+Hjw95E=
+modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
+modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
+modernc.org/sqlite v1.28.0 h1:Zx+LyDDmXczNnEQdvPuEfcFVA2ZPyaD7UCZDjef3BHQ=
+modernc.org/sqlite v1.28.0/go.mod h1:Qxpazz0zH8Z1xCFyi5GSL3FzbtZ3fvbjmywNogldEW0=
+modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
+modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
+modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
+modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
diff --git a/go.work b/go.work
index 606d240ecc..64bf501111 100644
--- a/go.work
+++ b/go.work
@@ -1,6 +1,6 @@
-go 1.22.5 // Go version must match the highest supported version, not the minimum supported version, with format X.Y.
+go 1.23.0 // Go version must match the highest supported version, not the minimum supported version, with format X.Y.
 
-toolchain go1.22.6
+toolchain go1.23.1
 
 use (
 	.
diff --git a/go.work.sum b/go.work.sum
index 0c14d2ebba..9964dc9113 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -1613,6 +1613,7 @@ github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwD
 github.com/tink-crypto/tink-go-gcpkms/v2 v2.1.0/go.mod h1:QXPc/i5yUEWWZ4lbe2WOam1kDdrXjGHRjl0Lzo7IQDU=
 github.com/tink-crypto/tink-go-hcvault/v2 v2.1.0/go.mod h1:OJLS+EYJo/BTViJj7EBG5deKLeQfYwVNW8HMS1qHAAo=
 github.com/tink-crypto/tink-go/v2 v2.1.0/go.mod h1:y1TnYFt1i2eZVfx4OGc+C+EMp4CoKWAw2VSEuoicHHI=
+github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 h1:uruHq4dN7GR16kFc5fp3d1RIYzJW5onx8Ybykw2YQFA=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/tonistiigi/go-actions-cache v0.0.0-20240227172821-a0b64f338598/go.mod h1:anhKd3mnC1shAbQj1Q4IJ+w6xqezxnyDYlx/yKa7IXM=
@@ -1795,7 +1796,6 @@ golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
 golang.org/x/oauth2 v0.9.0/go.mod h1:qYgFZaFiu6Wg24azG8bdV52QJXJGbZzIIsRCdVKzbLw=
 golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
@@ -1848,6 +1848,7 @@ golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
+golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
 golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
 golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8=
 golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
diff --git a/instrumentation/appsec/dyngo/operation_test.go b/instrumentation/appsec/dyngo/operation_test.go
index 1db1c05800..13d344fd97 100644
--- a/instrumentation/appsec/dyngo/operation_test.go
+++ b/instrumentation/appsec/dyngo/operation_test.go
@@ -119,7 +119,7 @@ func TestUsage(t *testing.T) {
 		// HTTP body read listener appending the read results to a buffer
 		rawBodyListener := func(called *int, buf *[]byte) dyngo.EventListener[operation, HTTPHandlerArgs] {
 			return func(op operation, _ HTTPHandlerArgs) {
-				dyngo.OnFinish(op, func(op operation, res BodyReadRes) {
+				dyngo.OnFinish(op, func(_ operation, res BodyReadRes) {
 					*called++
 					*buf = append(*buf, res.Buf...)
 				})
@@ -128,7 +128,7 @@ func TestUsage(t *testing.T) {
 
 		// Dummy waf looking for the string `attack` in HTTPHandlerArgs
 		wafListener := func(called *int, blocked *bool) dyngo.EventListener[operation, HTTPHandlerArgs] {
-			return func(op operation, args HTTPHandlerArgs) {
+			return func(_ operation, args HTTPHandlerArgs) {
 				*called++
 
 				if strings.Contains(args.URL.RawQuery, "attack") {
@@ -148,14 +148,14 @@ func TestUsage(t *testing.T) {
 
 		jsonBodyValueListener := func(called *int, value *interface{}) dyngo.EventListener[operation, HTTPHandlerArgs] {
 			return func(op operation, _ HTTPHandlerArgs) {
-				dyngo.On(op, func(op operation, v JSONParserArgs) {
+				dyngo.On(op, func(op operation, _ JSONParserArgs) {
 					didBodyRead := false
 
 					dyngo.On(op, func(_ operation, _ BodyReadArgs) {
 						didBodyRead = true
 					})
 
-					dyngo.OnFinish(op, func(op operation, res JSONParserRes) {
+					dyngo.OnFinish(op, func(_ operation, res JSONParserRes) {
 						*called++
 						if !didBodyRead || res.Err != nil {
 							return
@@ -429,22 +429,22 @@ func TestSwapRootOperation(t *testing.T) {
 	dyngo.OnFinish(root, func(operation, MyOperationRes) { onFinishCalled++ })
 
 	dyngo.SwapRootOperation(root)
-	runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(op dyngo.Operation) {})
+	runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(_ dyngo.Operation) {})
 	require.Equal(t, 1, onStartCalled)
 	require.Equal(t, 1, onFinishCalled)
 
 	dyngo.SwapRootOperation(dyngo.NewRootOperation())
-	runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(op dyngo.Operation) {})
+	runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(_ dyngo.Operation) {})
 	require.Equal(t, 1, onStartCalled)
 	require.Equal(t, 1, onFinishCalled)
 
 	dyngo.SwapRootOperation(nil)
-	runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(op dyngo.Operation) {})
+	runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(_ dyngo.Operation) {})
 	require.Equal(t, 1, onStartCalled)
 	require.Equal(t, 1, onFinishCalled)
 
 	dyngo.SwapRootOperation(root)
-	runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(op dyngo.Operation) {})
+	runOperation(nil, MyOperationArgs{}, MyOperationRes{}, func(_ dyngo.Operation) {})
 	require.Equal(t, 2, onStartCalled)
 	require.Equal(t, 2, onFinishCalled)
 }
diff --git a/instrumentation/appsec/emitter/graphqlsec/execution.go b/instrumentation/appsec/emitter/graphqlsec/execution.go
index 2e982df0bf..06b6981b97 100644
--- a/instrumentation/appsec/emitter/graphqlsec/execution.go
+++ b/instrumentation/appsec/emitter/graphqlsec/execution.go
@@ -11,28 +11,51 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/internal/log"
 
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec/types"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
 )
 
+type (
+	ExecutionOperation struct {
+		dyngo.Operation
+	}
+
+	// ExecutionOperationArgs describes arguments passed to a GraphQL query operation.
+	ExecutionOperationArgs struct {
+		// Variables is the user-provided variables object for the query.
+		Variables map[string]any
+		// Query is the query that is being executed.
+		Query string
+		// OperationName is the user-provided operation name for the query.
+		OperationName string
+	}
+
+	ExecutionOperationRes struct {
+		// Data is the data returned from processing the GraphQL operation.
+		Data any
+		// Error is the error returned by processing the GraphQL Operation, if any.
+		Error error
+	}
+)
+
+// Finish the GraphQL query operation, along with the given results, and emit a finish event up in
+// the operation stack.
+func (q *ExecutionOperation) Finish(res ExecutionOperationRes) {
+	dyngo.FinishOperation(q, res)
+}
+
+func (ExecutionOperationArgs) IsArgOf(*ExecutionOperation)   {}
+func (ExecutionOperationRes) IsResultOf(*ExecutionOperation) {}
+
 // StartExecutionOperation starts a new GraphQL query operation, along with the given arguments, and
 // emits a start event up in the operation stack. The operation is tracked on the returned context,
 // and can be extracted later on using FromContext.
-func StartExecutionOperation(ctx context.Context, span trace.TagSetter, args types.ExecutionOperationArgs) (context.Context, *types.ExecutionOperation) {
-	if span == nil {
-		// The span may be nil (e.g: in case of GraphQL subscriptions with certian contribs). Child
-		// operations might have spans however... and these should be used then.
-		span = trace.NoopTagSetter{}
-	}
-
+func StartExecutionOperation(ctx context.Context, args ExecutionOperationArgs) (context.Context, *ExecutionOperation) {
 	parent, ok := dyngo.FromContext(ctx)
 	if !ok {
 		log.Debug("appsec: StartExecutionOperation: no parent operation found in context")
 	}
 
-	op := &types.ExecutionOperation{
+	op := &ExecutionOperation{
 		Operation: dyngo.NewOperation(parent),
-		TagSetter: span,
 	}
 
 	return dyngo.StartAndRegisterOperation(ctx, op, args), op
diff --git a/instrumentation/appsec/emitter/graphqlsec/request.go b/instrumentation/appsec/emitter/graphqlsec/request.go
index 16dd99131f..ce4796a1bc 100644
--- a/instrumentation/appsec/emitter/graphqlsec/request.go
+++ b/instrumentation/appsec/emitter/graphqlsec/request.go
@@ -17,19 +17,52 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
 )
 
+type (
+	RequestOperation struct {
+		dyngo.Operation
+		// used in case we don't have a parent operation
+		*waf.ContextOperation
+	}
+
+	// RequestOperationArgs describes arguments passed to a GraphQL request.
+	RequestOperationArgs struct {
+		RawQuery      string         // The raw, not-yet-parsed GraphQL query
+		OperationName string         // The user-provided operation name for the query
+		Variables     map[string]any // The user-provided variables object for this request
+	}
+
+	RequestOperationRes struct {
+		// Data is the data returned from processing the GraphQL operation.
+		Data any
+		// Error is the error returned by processing the GraphQL Operation, if any.
+		Error error
+	}
+)
+
+// Finish the GraphQL query operation, along with the given results, and emit a finish event up in
+// the operation stack.
+func (op *RequestOperation) Finish(span trace.TagSetter, res RequestOperationRes) {
+	dyngo.FinishOperation(op, res)
+	if op.ContextOperation != nil {
+		op.ContextOperation.Finish(span)
+	}
+}
+
+func (RequestOperationArgs) IsArgOf(*RequestOperation)   {}
+func (RequestOperationRes) IsResultOf(*RequestOperation) {}
+
 // StartRequestOperation starts a new GraphQL request operation, along with the given arguments, and
 // emits a start event up in the operation stack. The operation is usually linked to tge global root
 // operation. The operation is tracked on the returned context, and can be extracted later on using
 // FromContext.
-func StartRequestOperation(ctx context.Context, span trace.TagSetter, args types.RequestOperationArgs) (context.Context, *types.RequestOperation) {
-	if span == nil {
-		// The span may be nil (e.g: in case of GraphQL subscriptions with certian contribs)
-		span = trace.NoopTagSetter{}
-	}
-
-	op := &types.RequestOperation{
-		Operation: dyngo.NewOperation(nil),
-		TagSetter: span,
+func StartRequestOperation(ctx context.Context, args RequestOperationArgs) (context.Context, *RequestOperation) {
+	parent, ok := dyngo.FromContext(ctx)
+	op := &RequestOperation{}
+	if !ok { // Usually we can find the HTTP Handler Operation as the parent but it's technically optional
+		op.ContextOperation, ctx = waf.StartContextOperation(ctx)
+		op.Operation = dyngo.NewOperation(op.ContextOperation)
+	} else {
+		op.Operation = dyngo.NewOperation(parent)
 	}
 
 	return dyngo.StartAndRegisterOperation(ctx, op, args), op
diff --git a/instrumentation/appsec/emitter/graphqlsec/resolve.go b/instrumentation/appsec/emitter/graphqlsec/resolve.go
index 313d4112ea..fd1b1b6376 100644
--- a/instrumentation/appsec/emitter/graphqlsec/resolve.go
+++ b/instrumentation/appsec/emitter/graphqlsec/resolve.go
@@ -11,22 +11,53 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/internal/log"
 
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/graphqlsec/types"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
 )
 
+type (
+	ResolveOperation struct {
+		dyngo.Operation
+	}
+
+	// ResolveOperationArgs describes arguments passed to a GraphQL field operation.
+	ResolveOperationArgs struct {
+		// TypeName is the name of the field's type
+		TypeName string
+		// FieldName is the name of the field
+		FieldName string
+		// Arguments is the arguments provided to the field resolver
+		Arguments map[string]any
+		// Trivial determines whether the resolution is trivial or not. Leave as false if undetermined.
+		Trivial bool
+	}
+
+	ResolveOperationRes struct {
+		// Data is the data returned from processing the GraphQL operation.
+		Data any
+		// Error is the error returned by processing the GraphQL Operation, if any.
+		Error error
+	}
+)
+
+// Finish the GraphQL Field operation, along with the given results, and emit a finish event up in
+// the operation stack.
+func (q *ResolveOperation) Finish(res ResolveOperationRes) {
+	dyngo.FinishOperation(q, res)
+}
+
+func (ResolveOperationArgs) IsArgOf(*ResolveOperation)   {}
+func (ResolveOperationRes) IsResultOf(*ResolveOperation) {}
+
 // StartResolveOperation starts a new GraphQL Resolve operation, along with the given arguments, and
 // emits a start event up in the operation stack. The operation is tracked on the returned context,
 // and can be extracted later on using FromContext.
-func StartResolveOperation(ctx context.Context, span trace.TagSetter, args types.ResolveOperationArgs) (context.Context, *types.ResolveOperation) {
+func StartResolveOperation(ctx context.Context, args ResolveOperationArgs) (context.Context, *ResolveOperation) {
 	parent, ok := dyngo.FromContext(ctx)
 	if !ok {
 		log.Debug("appsec: StartResolveOperation: no parent operation found in context")
 	}
 
-	op := &types.ResolveOperation{
+	op := &ResolveOperation{
 		Operation: dyngo.NewOperation(parent),
-		TagSetter: span,
 	}
 	return dyngo.StartAndRegisterOperation(ctx, op, args), op
 }
diff --git a/instrumentation/appsec/emitter/grpcsec/grpc.go b/instrumentation/appsec/emitter/grpcsec/grpc.go
index 08a885858f..610706d22b 100644
--- a/instrumentation/appsec/emitter/grpcsec/grpc.go
+++ b/instrumentation/appsec/emitter/grpcsec/grpc.go
@@ -7,37 +7,108 @@
 // defining an abstract run-time representation of gRPC handlers.
 // gRPC integrations must use this package to enable AppSec features for gRPC,
 // which listens to this package's operation events.
+//
+// Abstract gRPC server handler operation definitions. It is based on two
+// operations allowing to describe every type of RPC: the HandlerOperation type
+// which represents the RPC handler, and the ReceiveOperation type which
+// represents the messages the RPC handler receives during its lifetime.
+// This means that the ReceiveOperation(s) will happen within the
+// HandlerOperation.
+// Every type of RPC, unary, client streaming, server streaming, and
+// bidirectional streaming RPCs, can be all represented with a HandlerOperation
+// having one or several ReceiveOperation.
+// The send operation is not required for now and therefore not defined, which
+// means that server and bidirectional streaming RPCs currently have the same
+// run-time representation as unary and client streaming RPCs.
 package grpcsec
 
 import (
 	"context"
+	"sync/atomic"
 
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/grpcsec/types"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
 )
 
+type (
+	// HandlerOperation represents a gRPC server handler operation.
+	// It must be created with StartHandlerOperation() and finished with its
+	// Finish() method.
+	// Security events observed during the operation lifetime should be added
+	// to the operation using its AddSecurityEvent() method.
+	HandlerOperation struct {
+		dyngo.Operation
+		*waf.ContextOperation
+	}
+
+	// HandlerOperationArgs is the grpc handler arguments.
+	HandlerOperationArgs struct {
+		// Method is the gRPC method name.
+		// Corresponds to the address `grpc.server.method`.
+		Method string
+
+		// RPC metadata received by the gRPC handler.
+		// Corresponds to the address `grpc.server.request.metadata`.
+		Metadata map[string][]string
+
+		// RemoteAddr is the IP address of the client that initiated the gRPC request.
+		// May be used as the address `http.client_ip`.
+		RemoteAddr string
+	}
+
+	// HandlerOperationRes is the grpc handler results. Empty as of today.
+	HandlerOperationRes struct {
+		// Raw gRPC status code.
+		// Corresponds to the address `grpc.server.response.status`.
+		StatusCode int
+	}
+)
+
+func (HandlerOperationArgs) IsArgOf(*HandlerOperation)   {}
+func (HandlerOperationRes) IsResultOf(*HandlerOperation) {}
+
 // StartHandlerOperation starts an gRPC server handler operation, along with the
 // given arguments and parent operation, and emits a start event up in the
 // operation stack. When parent is nil, the operation is linked to the global
 // root operation.
-func StartHandlerOperation(ctx context.Context, args types.HandlerOperationArgs, parent dyngo.Operation, setup ...func(*types.HandlerOperation)) (context.Context, *types.HandlerOperation) {
-	op := &types.HandlerOperation{
-		Operation:  dyngo.NewOperation(parent),
-		TagsHolder: trace.NewTagsHolder(),
-	}
-	for _, cb := range setup {
-		cb(op)
+func StartHandlerOperation(ctx context.Context, args HandlerOperationArgs) (context.Context, *HandlerOperation, *atomic.Pointer[actions.BlockGRPC]) {
+	wafOp, ctx := waf.StartContextOperation(ctx)
+	op := &HandlerOperation{
+		Operation:        dyngo.NewOperation(wafOp),
+		ContextOperation: wafOp,
 	}
-	return dyngo.StartAndRegisterOperation(ctx, op, args), op
+
+	var block atomic.Pointer[actions.BlockGRPC]
+	dyngo.OnData(op, func(err *actions.BlockGRPC) {
+		block.Store(err)
+	})
+
+	return dyngo.StartAndRegisterOperation(ctx, op, args), op, &block
+}
+
+// MonitorRequestMessage monitors the gRPC request message body as the WAF address `grpc.server.request.message`.
+func MonitorRequestMessage(ctx context.Context, msg any) error {
+	return waf.RunSimple(ctx,
+		addresses.NewAddressesBuilder().
+			WithGRPCRequestMessage(msg).
+			Build(),
+		"appsec: failed to monitor gRPC request message body")
+}
+
+// MonitorResponseMessage monitors the gRPC response message body as the WAF address `grpc.server.response.message`.
+func MonitorResponseMessage(ctx context.Context, msg any) error {
+	return waf.RunSimple(ctx,
+		addresses.NewAddressesBuilder().
+			WithGRPCResponseMessage(msg).
+			Build(),
+		"appsec: failed to monitor gRPC response message body")
+
 }
 
-// StartReceiveOperation starts a receive operation of a gRPC handler, along
-// with the given arguments and parent operation, and emits a start event up in
-// the operation stack. When parent is nil, the operation is linked to the
-// global root operation.
-func StartReceiveOperation(args types.ReceiveOperationArgs, parent dyngo.Operation) types.ReceiveOperation {
-	op := types.ReceiveOperation{Operation: dyngo.NewOperation(parent)}
-	dyngo.StartOperation(op, args)
-	return op
+// Finish the gRPC handler operation, along with the given results, and emit a
+// finish event up in the operation stack.
+func (op *HandlerOperation) Finish(span trace.TagSetter, res HandlerOperationRes) {
+	dyngo.FinishOperation(op, res)
+	op.ContextOperation.Finish(span)
 }
diff --git a/instrumentation/appsec/emitter/httpsec/http.go b/instrumentation/appsec/emitter/httpsec/http.go
index 9b76995ee1..5472a803c9 100644
--- a/instrumentation/appsec/emitter/httpsec/http.go
+++ b/instrumentation/appsec/emitter/httpsec/http.go
@@ -12,11 +12,11 @@ package httpsec
 
 import (
 	"context"
-
 	// Blank import needed to use embed for the default blocked response payloads
 	_ "embed"
 	"net/http"
-	"strings"
+	"sync"
+	"sync/atomic"
 
 	"github.com/DataDog/dd-trace-go/v2/appsec/events"
 	"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
@@ -31,30 +31,87 @@ import (
 	"github.com/DataDog/appsec-internal-go/netip"
 )
 
+// HandlerOperation type representing an HTTP operation. It must be created with
+// StartOperation() and finished with its Finish().
+type (
+	HandlerOperation struct {
+		dyngo.Operation
+		*waf.ContextOperation
+		mu sync.RWMutex
+	}
+
+	// HandlerOperationArgs is the HTTP handler operation arguments.
+	HandlerOperationArgs struct {
+		Method      string
+		RequestURI  string
+		Host        string
+		RemoteAddr  string
+		Headers     map[string][]string
+		Cookies     map[string][]string
+		QueryParams map[string][]string
+		PathParams  map[string]string
+	}
+
+	// HandlerOperationRes is the HTTP handler operation results.
+	HandlerOperationRes struct {
+		Headers    map[string][]string
+		StatusCode int
+	}
+)
+
+func (HandlerOperationArgs) IsArgOf(*HandlerOperation)   {}
+func (HandlerOperationRes) IsResultOf(*HandlerOperation) {}
+
+func StartOperation(ctx context.Context, args HandlerOperationArgs) (*HandlerOperation, *atomic.Pointer[actions.BlockHTTP], context.Context) {
+	wafOp, ctx := waf.StartContextOperation(ctx)
+	op := &HandlerOperation{
+		Operation:        dyngo.NewOperation(wafOp),
+		ContextOperation: wafOp,
+	}
+
+	// We need to use an atomic pointer to store the action because the action may be created asynchronously in the future
+	var action atomic.Pointer[actions.BlockHTTP]
+	dyngo.OnData(op, func(a *actions.BlockHTTP) {
+		action.Store(a)
+	})
+
+	return op, &action, dyngo.StartAndRegisterOperation(ctx, op, args)
+}
+
+// Finish the HTTP handler operation and its children operations and write everything to the service entry span.
+func (op *HandlerOperation) Finish(res HandlerOperationRes, span ddtrace.Span) {
+	dyngo.FinishOperation(op, res)
+	op.ContextOperation.Finish(span)
+}
+
+const monitorBodyErrorLog = `
+"appsec: parsed http body monitoring ignored: could not find the http handler instrumentation metadata in the request context:
+	the request handler is not being monitored by a middleware function or the provided context is not the expected request context
+`
+
 // MonitorParsedBody starts and finishes the SDK body operation.
 // This function should not be called when AppSec is disabled in order to
 // get preciser error logs.
 func MonitorParsedBody(ctx context.Context, body any) error {
-	parent, _ := dyngo.FromContext(ctx)
-	if parent == nil {
-		log.Error("appsec: parsed http body monitoring ignored: could not find the http handler instrumentation metadata in the request context: the request handler is not being monitored by a middleware function or the provided context is not the expected request context")
-		return nil
-	}
-
-	return ExecuteSDKBodyOperation(parent, types.SDKBodyOperationArgs{Body: body})
+	return waf.RunSimple(ctx,
+		addresses.NewAddressesBuilder().
+			WithRequestBody(body).
+			Build(),
+		monitorBodyErrorLog,
+	)
 }
 
-// ExecuteSDKBodyOperation starts and finishes the SDK Body operation by emitting a dyngo start and finish events
-// An error is returned if the body associated to that operation must be blocked
-func ExecuteSDKBodyOperation(parent dyngo.Operation, args types.SDKBodyOperationArgs) error {
-	var err error
-	op := &types.SDKBodyOperation{Operation: dyngo.NewOperation(parent)}
-	dyngo.OnData(op, func(e *events.BlockingSecurityEvent) {
-		err = e
-	})
-	dyngo.StartOperation(op, args)
-	dyngo.FinishOperation(op, types.SDKBodyOperationRes{})
-	return err
+// Return the map of parsed cookies if any and following the specification of
+// the rule address `server.request.cookies`.
+func makeCookies(parsed []*http.Cookie) map[string][]string {
+	if len(parsed) == 0 {
+		return nil
+	}
+	cookies := make(map[string][]string, len(parsed))
+	for _, c := range parsed {
+		cookies[c.Name] = append(cookies[c.Name], c.Value)
+	}
+	return cookies
 }
 
 // WrapHandler wraps the given HTTP handler with the abstract HTTP operation defined by HandlerOperationArgs and
@@ -71,132 +128,47 @@ func WrapHandler(handler http.Handler, span *tracer.Span, pathParams map[string]
 		opts.ResponseHeaderCopier = defaultWrapHandlerConfig.ResponseHeaderCopier
 	}
 
-	trace.SetAppSecEnabledTags(span)
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ipTags, clientIP := httptrace.ClientIPTags(r.Header, true, r.RemoteAddr)
-		log.Debug("appsec: http client ip detection returned `%s` given the http headers `%v`", clientIP, r.Header)
-		trace.SetTags(span, ipTags)
-
-		var bypassHandler http.Handler
-		var blocking bool
-		var stackTrace *stacktrace.Event
-		args := MakeHandlerOperationArgs(r, clientIP, pathParams)
-		ctx, op := StartOperation(r.Context(), args, func(op *types.Operation) {
-			dyngo.OnData(op, func(a *sharedsec.HTTPAction) {
-				blocking = true
-				bypassHandler = a.Handler
-			})
-			dyngo.OnData(op, func(a *sharedsec.StackTraceAction) {
-				stackTrace = &a.Event
-			})
+		op, blockAtomic, ctx := StartOperation(r.Context(), HandlerOperationArgs{
+			Method:      r.Method,
+			RequestURI:  r.RequestURI,
+			Host:        r.Host,
+			RemoteAddr:  r.RemoteAddr,
+			Headers:     r.Header,
+			Cookies:     makeCookies(r.Cookies()),
+			QueryParams: r.URL.Query(),
+			PathParams:  pathParams,
 		})
 		r = r.WithContext(ctx)
 
 		defer func() {
-			events := op.Finish(MakeHandlerOperationRes(w, opts.ResponseHeaderCopier))
+			var statusCode int
+			if res, ok := w.(interface{ Status() int }); ok {
+				statusCode = res.Status()
+			}
+			op.Finish(HandlerOperationRes{
+				Headers:    opts.ResponseHeaderCopier(w),
+				StatusCode: statusCode,
+			}, span)
 
 			// Execute the onBlock functions to make sure blocking works properly
 			// in case we are instrumenting the Gin framework
-			if blocking {
-				op.SetTag(trace.BlockedRequestTag, true)
+			if blockPtr := blockAtomic.Load(); blockPtr != nil {
 				for _, f := range opts.OnBlock {
 					f()
 				}
-			}
 
-			// Add stacktraces to the span, if any
-			if stackTrace != nil {
-				stacktrace.AddToSpan(span, span.Root(), stackTrace)
-			}
-
-			if bypassHandler != nil {
-				bypassHandler.ServeHTTP(w, r)
-			}
-
-			// Add the request headers span tags out of args.Headers instead of r.Header as it was normalized and some
-			// extra headers have been added such as the Host header which is removed from the original Go request headers
-			// map
-			setRequestHeadersTags(span, args.Headers)
-			setResponseHeadersTags(span, opts.ResponseHeaderCopier(w))
-			trace.SetTags(span, op.Tags())
-			if len(events) > 0 {
-				httptrace.SetSecurityEventsTags(span, events)
+				if blockPtr.Handler != nil {
+					blockPtr.Handler.ServeHTTP(w, r)
+				}
 			}
 		}()
 
-		if bypassHandler != nil {
-			handler = bypassHandler
-			bypassHandler = nil
+		if blockPtr := blockAtomic.Load(); blockPtr != nil && blockPtr.Handler != nil {
+			handler = blockPtr.Handler
+			blockPtr.Handler = nil
 		}
+
 		handler.ServeHTTP(w, r)
 	})
 }
-
-// MakeHandlerOperationArgs creates the HandlerOperationArgs value.
-func MakeHandlerOperationArgs(r *http.Request, clientIP netip.Addr, pathParams map[string]string) types.HandlerOperationArgs {
-	cookies := makeCookies(r) // TODO(Julio-Guerra): avoid actively parsing the cookies thanks to dynamic instrumentation
-	headers := headersRemoveCookies(r.Header)
-	headers["host"] = []string{r.Host}
-	return types.HandlerOperationArgs{
-		Method:     r.Method,
-		RequestURI: r.RequestURI,
-		Headers:    headers,
-		Cookies:    cookies,
-		Query:      r.URL.Query(), // TODO(Julio-Guerra): avoid actively parsing the query values thanks to dynamic instrumentation
-		PathParams: pathParams,
-		ClientIP:   clientIP,
-	}
-}
-
-// MakeHandlerOperationRes creates the HandlerOperationRes value.
-func MakeHandlerOperationRes(w http.ResponseWriter, responseHeadersCopier func(http.ResponseWriter) http.Header) types.HandlerOperationRes {
-	var status int
-	if mw, ok := w.(interface{ Status() int }); ok {
-		status = mw.Status()
-	}
-	return types.HandlerOperationRes{Status: status, Headers: headersRemoveCookies(responseHeadersCopier(w))}
-}
-
-// Remove cookies from the request headers and return the map of headers
-// Used from `server.request.headers.no_cookies` and server.response.headers.no_cookies` addresses for the WAF
-func headersRemoveCookies(headers http.Header) map[string][]string {
-	headersNoCookies := make(http.Header, len(headers))
-	for k, v := range headers {
-		k := strings.ToLower(k)
-		if k == "cookie" {
-			continue
-		}
-		headersNoCookies[k] = v
-	}
-	return headersNoCookies
-}
-
-// Return the map of parsed cookies if any and following the specification of
-// the rule address `server.request.cookies`.
-func makeCookies(r *http.Request) map[string][]string {
-	parsed := r.Cookies()
-	if len(parsed) == 0 {
-		return nil
-	}
-	cookies := make(map[string][]string, len(parsed))
-	for _, c := range parsed {
-		cookies[c.Name] = append(cookies[c.Name], c.Value)
-	}
-	return cookies
-}
-
-// StartOperation starts an HTTP handler operation, along with the given
-// context and arguments and emits a start event up in the operation stack.
-// The operation is linked to the global root operation since an HTTP operation
-// is always expected to be first in the operation stack.
-func StartOperation(ctx context.Context, args types.HandlerOperationArgs, setup ...func(*types.Operation)) (context.Context, *types.Operation) {
-	op := &types.Operation{
-		Operation:  dyngo.NewOperation(nil),
-		TagsHolder: trace.NewTagsHolder(),
-	}
-	for _, cb := range setup {
-		cb(op)
-	}
-
-	return dyngo.StartAndRegisterOperation(ctx, op, args), op
-}
diff --git a/instrumentation/appsec/emitter/httpsec/roundtripper.go b/instrumentation/appsec/emitter/httpsec/roundtripper.go
index 2e4edcd738..6b27d99047 100644
--- a/instrumentation/appsec/emitter/httpsec/roundtripper.go
+++ b/instrumentation/appsec/emitter/httpsec/roundtripper.go
@@ -11,14 +11,31 @@ import (
 
 	"github.com/DataDog/dd-trace-go/v2/appsec/events"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/httpsec/types"
 	"github.com/DataDog/dd-trace-go/v2/internal/log"
 )
 
 var badInputContextOnce sync.Once
 
+type (
+	RoundTripOperation struct {
+		dyngo.Operation
+	}
+
+	// RoundTripOperationArgs is the round trip operation arguments.
+	RoundTripOperationArgs struct {
+		// URL corresponds to the address `server.io.net.url`.
+		URL string
+	}
+
+	// RoundTripOperationRes is the round trip operation results.
+	RoundTripOperationRes struct{}
+)
+
+func (RoundTripOperationArgs) IsArgOf(*RoundTripOperation)   {}
+func (RoundTripOperationRes) IsResultOf(*RoundTripOperation) {}
+
 func ProtectRoundTrip(ctx context.Context, url string) error {
-	opArgs := types.RoundTripOperationArgs{
+	opArgs := RoundTripOperationArgs{
 		URL: url,
 	}
 
@@ -32,7 +49,7 @@ func ProtectRoundTrip(ctx context.Context, url string) error {
 		return nil
 	}
 
-	op := &types.RoundTripOperation{
+	op := &RoundTripOperation{
 		Operation: dyngo.NewOperation(parent),
 	}
 
@@ -43,7 +60,7 @@ func ProtectRoundTrip(ctx context.Context, url string) error {
 	})
 
 	dyngo.StartOperation(op, opArgs)
-	dyngo.FinishOperation(op, types.RoundTripOperationRes{})
+	dyngo.FinishOperation(op, RoundTripOperationRes{})
 
 	if err != nil {
 		log.Debug("appsec: outgoing http request blocked by the WAF on URL: %s", url)
diff --git a/instrumentation/appsec/emitter/sharedsec/actions.go b/instrumentation/appsec/emitter/sharedsec/actions.go
index 1da48e7b0a..cd8d4991ab 100644
--- a/instrumentation/appsec/emitter/sharedsec/actions.go
+++ b/instrumentation/appsec/emitter/sharedsec/actions.go
@@ -1,12 +1,12 @@
 // Unless explicitly stated otherwise all files in this repository are licensed
 // under the Apache License Version 2.0.
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2022 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
 
-package sharedsec
+package actions
 
 import (
-	_ "embed" // Blank import
+	_ "embed" // embed is used to embed the blocked-template.json and blocked-template.html files
 	"net/http"
 	"os"
 	"strings"
@@ -14,7 +14,6 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/appsec/events"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
 	"github.com/DataDog/dd-trace-go/v2/internal/log"
-	"github.com/DataDog/dd-trace-go/v2/internal/stacktrace"
 	"github.com/mitchellh/mapstructure"
 )
 
@@ -42,38 +41,12 @@ func init() {
 				*template = t
 			}
 		}
-
 	}
+
+	registerActionHandler("block_request", NewBlockAction)
 }
 
 type (
-	// Action is a generic interface that represents any WAF action
-	Action interface {
-		Blocking() bool
-		EmitData(op dyngo.Operation)
-	}
-
-	// HTTPAction are actions that interact with an HTTP request flow (block, redirect...)
-	HTTPAction struct {
-		http.Handler
-	}
-	// GRPCAction are actions that interact with a GRPC request flow
-	GRPCAction struct {
-		GRPCWrapper
-	}
-	// StackTraceAction are actions that generate a stacktrace
-	StackTraceAction struct {
-		Event stacktrace.Event
-	}
-
-	// GRPCWrapper is an opaque prototype abstraction for a gRPC handler (to avoid importing grpc)
-	// that returns a status code and an error
-	// TODO: rely on strongly typed actions (with the actual grpc types) by introducing WAF constructors
-	//     living in the contrib packages, along with their dependencies - something like `appsec.RegisterWAFConstructor(newGRPCWAF)`
-	//    Such constructors would receive the full appsec config and rules, so that they would be able to build
-	//    specific blocking actions.
-	GRPCWrapper func() (uint32, error)
-
 	// blockActionParams are the dynamic parameters to be provided to a "block_request"
 	// action type upon invocation
 	blockActionParams struct {
@@ -83,40 +56,58 @@ type (
 		StatusCode     int    `mapstructure:"status_code"`
 		Type           string `mapstructure:"type,omitempty"`
 	}
-	// redirectActionParams are the dynamic parameters to be provided to a "redirect_request"
-	// action type upon invocation
-	redirectActionParams struct {
-		Location   string `mapstructure:"location,omitempty"`
-		StatusCode int    `mapstructure:"status_code"`
+	// GRPCWrapper is an opaque prototype abstraction for a gRPC handler (to avoid importing grpc)
+	// that returns a status code and an error
+	GRPCWrapper func() (uint32, error)
+
+	// BlockGRPC are actions that interact with a GRPC request flow
+	BlockGRPC struct {
+		GRPCWrapper
+	}
+
+	// BlockHTTP are actions that interact with an HTTP request flow
+	BlockHTTP struct {
+		http.Handler
 	}
 )
 
-func (a *HTTPAction) Blocking() bool              { return true }
-func (a *HTTPAction) EmitData(op dyngo.Operation) { dyngo.EmitData(op, a) }
+func (a *BlockGRPC) EmitData(op dyngo.Operation) {
+	dyngo.EmitData(op, a)
+	dyngo.EmitData(op, &events.BlockingSecurityEvent{})
+}
 
-func (a *GRPCAction) Blocking() bool              { return true }
-func (a *GRPCAction) EmitData(op dyngo.Operation) { dyngo.EmitData(op, a) }
+func (a *BlockHTTP) EmitData(op dyngo.Operation) {
+	dyngo.EmitData(op, a)
+	dyngo.EmitData(op, &events.BlockingSecurityEvent{})
+}
 
-func (a *StackTraceAction) Blocking() bool              { return false }
-func (a *StackTraceAction) EmitData(op dyngo.Operation) { dyngo.EmitData(op, a) }
+func newGRPCBlockRequestAction(status int) *BlockGRPC {
+	return &BlockGRPC{GRPCWrapper: newGRPCBlockHandler(status)}
+}
 
-// NewStackTraceAction creates an action for the "stacktrace" action type
-func NewStackTraceAction(params map[string]any) Action {
-	id, ok := params["stack_id"]
-	if !ok {
-		log.Debug("appsec: could not read stack_id parameter for generate_stack action")
-		return nil
+func newGRPCBlockHandler(status int) GRPCWrapper {
+	return func() (uint32, error) {
+		return uint32(status), &events.BlockingSecurityEvent{}
 	}
+}
 
-	strID, ok := id.(string)
-	if !ok {
-		log.Debug("appsec: could not cast stacktrace ID to string")
-		return nil
+func blockParamsFromMap(params map[string]any) (blockActionParams, error) {
+	grpcCode := 10
+	p := blockActionParams{
+		Type:           "auto",
+		StatusCode:     403,
+		GRPCStatusCode: &grpcCode,
 	}
 
-	event := stacktrace.NewEvent(stacktrace.ExploitEvent, stacktrace.WithID(strID))
+	if err := mapstructure.WeakDecode(params, &p); err != nil {
+		return p, err
+	}
 
-	return &StackTraceAction{Event: *event}
+	if p.GRPCStatusCode == nil {
+		p.GRPCStatusCode = &grpcCode
+	}
+
+	return p, nil
 }
 
 // NewBlockAction creates an action for the "block_request" action type
@@ -132,36 +123,8 @@ func NewBlockAction(params map[string]any) []Action {
 	}
 }
 
-// NewRedirectAction creates an action for the "redirect_request" action type
-func NewRedirectAction(params map[string]any) *HTTPAction {
-	p, err := redirectParamsFromMap(params)
-	if err != nil {
-		log.Debug("appsec: couldn't decode redirect action parameters")
-		return nil
-	}
-	return newRedirectRequestAction(p.StatusCode, p.Location)
-}
-
-func newHTTPBlockRequestAction(status int, template string) *HTTPAction {
-	return &HTTPAction{Handler: newBlockHandler(status, template)}
-}
-
-func newGRPCBlockRequestAction(status int) *GRPCAction {
-	return &GRPCAction{GRPCWrapper: newGRPCBlockHandler(status)}
-
-}
-
-func newRedirectRequestAction(status int, loc string) *HTTPAction {
-	// Default to 303 if status is out of redirection codes bounds
-	if status < 300 || status >= 400 {
-		status = 303
-	}
-
-	// If location is not set we fall back on a default block action
-	if loc == "" {
-		return &HTTPAction{Handler: newBlockHandler(403, string(blockedTemplateJSON))}
-	}
-	return &HTTPAction{Handler: http.RedirectHandler(loc, status)}
+func newHTTPBlockRequestAction(status int, template string) *BlockHTTP {
+	return &BlockHTTP{Handler: newBlockHandler(status, template)}
 }
 
 // newBlockHandler creates, initializes and returns a new BlockRequestAction
@@ -189,40 +152,9 @@ func newBlockHandler(status int, template string) http.Handler {
 }
 
 func newBlockRequestHandler(status int, ct string, payload []byte) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("Content-Type", ct)
 		w.WriteHeader(status)
 		w.Write(payload)
 	})
 }
-
-func newGRPCBlockHandler(status int) GRPCWrapper {
-	return func() (uint32, error) {
-		return uint32(status), &events.BlockingSecurityEvent{}
-	}
-}
-
-func blockParamsFromMap(params map[string]any) (blockActionParams, error) {
-	grpcCode := 10
-	p := blockActionParams{
-		Type:           "auto",
-		StatusCode:     403,
-		GRPCStatusCode: &grpcCode,
-	}
-
-	if err := mapstructure.WeakDecode(params, &p); err != nil {
-		return p, err
-	}
-
-	if p.GRPCStatusCode == nil {
-		p.GRPCStatusCode = &grpcCode
-	}
-	return p, nil
-
-}
-
-func redirectParamsFromMap(params map[string]any) (redirectActionParams, error) {
-	var p redirectActionParams
-	err := mapstructure.WeakDecode(params, &p)
-	return p, err
-}
diff --git a/instrumentation/appsec/emitter/sharedsec/actions_test.go b/instrumentation/appsec/emitter/sharedsec/actions_test.go
index 7f40a4f26f..1e77c8e2d1 100644
--- a/instrumentation/appsec/emitter/sharedsec/actions_test.go
+++ b/instrumentation/appsec/emitter/sharedsec/actions_test.go
@@ -1,9 +1,9 @@
 // Unless explicitly stated otherwise all files in this repository are licensed
 // under the Apache License Version 2.0.
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
 
-package sharedsec
+package actions
 
 import (
 	"io"
@@ -161,11 +161,11 @@ func TestNewRedirectRequestAction(t *testing.T) {
 	mux.HandleFunc("/redirect-no-location", newRedirectRequestAction(303, "").ServeHTTP)
 	mux.HandleFunc("/redirect1", newRedirectRequestAction(http.StatusFound, "/redirect2").ServeHTTP)
 	mux.HandleFunc("/redirect2", newRedirectRequestAction(http.StatusFound, "/redirected").ServeHTTP)
-	mux.HandleFunc("/redirected", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/redirected", func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK) // Shouldn't matter since we write 302 before arriving here
 		w.Write([]byte("Redirected"))
 	})
-	srv.Client().CheckRedirect = func(req *http.Request, via []*http.Request) error {
+	srv.Client().CheckRedirect = func(_ *http.Request, via []*http.Request) error {
 		require.GreaterOrEqual(t, len(via), 1)
 		require.Equal(t, "/redirect1", via[0].URL.Path)
 		if len(via) == 2 {
@@ -206,7 +206,7 @@ func TestNewRedirectRequestAction(t *testing.T) {
 	// - empty location: revert to default blocking action instead
 	// - status code outside of [300, 399]: default to 303
 	t.Run("no-location", func(t *testing.T) {
-		srv.Client().CheckRedirect = func(req *http.Request, via []*http.Request) error {
+		srv.Client().CheckRedirect = func(_ *http.Request, _ []*http.Request) error {
 			return nil
 		}
 		req, err := http.NewRequest("POST", srv.URL+"/redirect-no-location", nil)
diff --git a/instrumentation/appsec/emitter/sharedsec/blocked-template.json b/instrumentation/appsec/emitter/sharedsec/blocked-template.json
index 885d766c18..12ae29696f 100644
--- a/instrumentation/appsec/emitter/sharedsec/blocked-template.json
+++ b/instrumentation/appsec/emitter/sharedsec/blocked-template.json
@@ -1 +1 @@
-{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
+{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
\ No newline at end of file
diff --git a/instrumentation/appsec/emitter/sqlsec/sql.go b/instrumentation/appsec/emitter/sqlsec/sql.go
index 29b163c4b0..3b1db53068 100644
--- a/instrumentation/appsec/emitter/sqlsec/sql.go
+++ b/instrumentation/appsec/emitter/sqlsec/sql.go
@@ -11,14 +11,30 @@ import (
 
 	"github.com/DataDog/dd-trace-go/v2/appsec/events"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/sqlsec/types"
 	"github.com/DataDog/dd-trace-go/v2/internal/log"
 )
 
 var badInputContextOnce sync.Once
 
+type (
+	SQLOperation struct {
+		dyngo.Operation
+	}
+
+	SQLOperationArgs struct {
+		// Query corresponds to the addres `server.db.statement`
+		Query string
+		// Driver corresponds to the addres `server.db.system`
+		Driver string
+	}
+	SQLOperationRes struct{}
+)
+
+func (SQLOperationArgs) IsArgOf(*SQLOperation)   {}
+func (SQLOperationRes) IsResultOf(*SQLOperation) {}
+
 func ProtectSQLOperation(ctx context.Context, query, driver string) error {
-	opArgs := types.SQLOperationArgs{
+	opArgs := SQLOperationArgs{
 		Query:  query,
 		Driver: driver,
 	}
@@ -33,7 +49,7 @@ func ProtectSQLOperation(ctx context.Context, query, driver string) error {
 		return nil
 	}
 
-	op := &types.SQLOperation{
+	op := &SQLOperation{
 		Operation: dyngo.NewOperation(parent),
 	}
 
@@ -44,7 +60,7 @@ func ProtectSQLOperation(ctx context.Context, query, driver string) error {
 	})
 
 	dyngo.StartOperation(op, opArgs)
-	dyngo.FinishOperation(op, types.SQLOperationRes{})
+	dyngo.FinishOperation(op, SQLOperationRes{})
 
 	if err != nil {
 		log.Debug("appsec: outgoing SQL operation blocked by the WAF")
diff --git a/instrumentation/appsec/trace/grpctrace/grpc_test.go b/instrumentation/appsec/trace/grpctrace/grpc_test.go
index 19ffef36bf..673727abb0 100644
--- a/instrumentation/appsec/trace/grpctrace/grpc_test.go
+++ b/instrumentation/appsec/trace/grpctrace/grpc_test.go
@@ -1,9 +1,9 @@
 // Unless explicitly stated otherwise all files in this repository are licensed
 // under the Apache License Version 2.0.
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
 
-package grpctrace
+package grpcsec
 
 import (
 	"fmt"
@@ -14,6 +14,23 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+type MockSpan struct {
+	Tags map[string]any
+}
+
+func (m *MockSpan) SetTag(key string, value interface{}) {
+	if m.Tags == nil {
+		m.Tags = make(map[string]any)
+	}
+	if key == ext.ManualKeep {
+		if value == samplernames.AppSec {
+			m.Tags[ext.ManualKeep] = true
+		}
+	} else {
+		m.Tags[key] = value
+	}
+}
+
 func TestTags(t *testing.T) {
 	for _, eventCase := range []struct {
 		name          string
@@ -74,8 +91,8 @@ func TestTags(t *testing.T) {
 		} {
 			metadataCase := metadataCase
 			t.Run(fmt.Sprintf("%s-%s", eventCase.name, metadataCase.name), func(t *testing.T) {
-				var span testlib.MockSpan
-				err := setSecurityEventsTags(&span, eventCase.events)
+				var span MockSpan
+				err := waf.SetEventSpanTags(&span, eventCase.events)
 				if eventCase.expectedError {
 					require.Error(t, err)
 					return
@@ -84,7 +101,7 @@ func TestTags(t *testing.T) {
 				SetRequestMetadataTags(&span, metadataCase.md)
 
 				if eventCase.events != nil {
-					testlib.RequireContainsMapSubset(t, span.Tags, map[string]interface{}{
+					require.Subset(t, span.Tags, map[string]interface{}{
 						"_dd.appsec.json": eventCase.expectedTag,
 						"manual.keep":     true,
 						"appsec.event":    true,
@@ -93,10 +110,8 @@ func TestTags(t *testing.T) {
 				}
 
 				if l := len(metadataCase.expectedTags); l > 0 {
-					testlib.RequireContainsMapSubset(t, span.Tags, metadataCase.expectedTags)
+					require.Subset(t, span.Tags, metadataCase.expectedTags)
 				}
-
-				require.False(t, span.Finished)
 			})
 		}
 	}
diff --git a/instrumentation/appsec/trace/httptrace/http.go b/instrumentation/appsec/trace/httptrace/http.go
index 0044c2dcaf..cb0e7d8a5d 100644
--- a/instrumentation/appsec/trace/httptrace/http.go
+++ b/instrumentation/appsec/trace/httptrace/http.go
@@ -1,11 +1,12 @@
 // Unless explicitly stated otherwise all files in this repository are licensed
 // under the Apache License Version 2.0.
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
 
-package httptrace
+package httpsec
 
 import (
+	"net/http"
 	"net/netip"
 	"os"
 	"strings"
@@ -13,7 +14,6 @@ import (
 	"github.com/DataDog/appsec-internal-go/httpsec"
 
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
-	"github.com/DataDog/dd-trace-go/v2/internal/log"
 )
 
 const (
@@ -23,7 +23,7 @@ const (
 
 var (
 	// defaultIPHeaders is the default list of IP-related headers leveraged to
-	// retrieve the public client IP address in ClientIP.
+	// retrieve the public client IP address in RemoteAddr.
 	defaultIPHeaders = []string{
 		"x-forwarded-for",
 		"x-real-ip",
@@ -34,7 +34,7 @@ var (
 		"x-cluster-client-ip",
 		"fastly-client-ip",
 		"cf-connecting-ip",
-		"cf-connecting-ip6",
+		"cf-connecting-ipv6",
 	}
 
 	// defaultCollectedHeaders is the default list of HTTP headers collected as
@@ -67,7 +67,7 @@ var (
 	collectedHeadersLookupMap map[string]struct{}
 
 	// monitoredClientIPHeadersCfg is the list of IP-related headers leveraged to
-	// retrieve the public client IP address in ClientIP. This is defined at init
+	// retrieve the public client IP address in RemoteAddr. This is defined at init
 	// time in function of the value of the envClientIPHeader environment variable.
 	monitoredClientIPHeadersCfg []string
 )
@@ -75,7 +75,7 @@ var (
 // ClientIPTags returns the resulting Datadog span tags `http.client_ip`
 // containing the client IP and `network.client.ip` containing the remote IP.
 // The tags are present only if a valid ip address has been returned by
-// ClientIP().
+// RemoteAddr().
 func ClientIPTags(headers map[string][]string, hasCanonicalHeaders bool, remoteAddr string) (tags map[string]string, clientIP netip.Addr) {
 	remoteIP, clientIP := httpsec.ClientIP(headers, hasCanonicalHeaders, remoteAddr, monitoredClientIPHeadersCfg)
 	tags = httpsec.ClientIPTags(remoteIP, clientIP)
@@ -101,6 +101,20 @@ func NormalizeHTTPHeaders(headers map[string][]string) (normalized map[string]st
 	return normalized
 }
 
+// Remove cookies from the request headers and return the map of headers
+// Used from `server.request.headers.no_cookies` and server.response.headers.no_cookies` addresses for the WAF
+func headersRemoveCookies(headers http.Header) map[string][]string {
+	headersNoCookies := make(http.Header, len(headers))
+	for k, v := range headers {
+		k := strings.ToLower(k)
+		if k == "cookie" {
+			continue
+		}
+		headersNoCookies[k] = v
+	}
+	return headersNoCookies
+}
+
 func normalizeHTTPHeaderName(name string) string {
 	return strings.ToLower(name)
 }
@@ -109,13 +123,6 @@ func normalizeHTTPHeaderValue(values []string) string {
 	return strings.Join(values, ",")
 }
 
-// SetSecurityEventsTags sets the AppSec-specific span tags when a security event occurred into the service entry span.
-func SetSecurityEventsTags(span trace.TagSetter, events []any) {
-	if err := trace.SetEventSpanTags(span, events); err != nil {
-		log.Error("appsec: unexpected error while creating the appsec events tags: %v", err)
-	}
-}
-
 func init() {
 	makeCollectedHTTPHeadersLookupMap()
 	readMonitoredClientIPHeadersConfig()
@@ -130,7 +137,7 @@ func makeCollectedHTTPHeadersLookupMap() {
 
 func readMonitoredClientIPHeadersConfig() {
 	if header := os.Getenv(envClientIPHeader); header != "" {
-		// Make this header the only one to consider in ClientIP
+		// Make this header the only one to consider in RemoteAddr
 		monitoredClientIPHeadersCfg = []string{header}
 
 		// Add this header to the list of collected headers
@@ -141,3 +148,20 @@ func readMonitoredClientIPHeadersConfig() {
 		monitoredClientIPHeadersCfg = defaultIPHeaders
 	}
 }
+
+// setRequestHeadersTags sets the AppSec-specific request headers span tags.
+func setRequestHeadersTags(span trace.TagSetter, headers map[string][]string) {
+	setHeadersTags(span, "http.request.headers.", headers)
+}
+
+// setResponseHeadersTags sets the AppSec-specific response headers span tags.
+func setResponseHeadersTags(span trace.TagSetter, headers map[string][]string) {
+	setHeadersTags(span, "http.response.headers.", headers)
+}
+
+// setHeadersTags sets the AppSec-specific headers span tags.
+func setHeadersTags(span trace.TagSetter, tagPrefix string, headers map[string][]string) {
+	for h, v := range NormalizeHTTPHeaders(headers) {
+		span.SetTag(tagPrefix+h, v)
+	}
+}
diff --git a/instrumentation/httptrace/config.go b/instrumentation/httptrace/config.go
index c5aad3a486..94ed09e4d6 100644
--- a/instrumentation/httptrace/config.go
+++ b/instrumentation/httptrace/config.go
@@ -8,6 +8,8 @@ package httptrace
 import (
 	"os"
 	"regexp"
+	"strconv"
+	"strings"
 
 	"github.com/DataDog/dd-trace-go/v2/internal"
 	"github.com/DataDog/dd-trace-go/v2/internal/log"
@@ -22,6 +24,8 @@ const (
 	envQueryStringRegexp = "DD_TRACE_OBFUSCATION_QUERY_STRING_REGEXP"
 	// envTraceClientIPEnabled is the name of the env var used to specify whether or not to collect client ip in span tags
 	envTraceClientIPEnabled = "DD_TRACE_CLIENT_IP_ENABLED"
+	// envServerErrorStatuses is the name of the env var used to specify error status codes on http server spans
+	envServerErrorStatuses = "DD_TRACE_HTTP_SERVER_ERROR_STATUSES"
 )
 
 // defaultQueryStringRegexp is the regexp used for query string obfuscation if `envQueryStringRegexp` is empty.
@@ -31,6 +35,7 @@ type config struct {
 	queryStringRegexp *regexp.Regexp // specifies the regexp to use for query string obfuscation.
 	queryString       bool           // reports whether the query string should be included in the URL span tag.
 	traceClientIP     bool
+	isStatusError     func(statusCode int) bool
 }
 
 func newConfig() config {
@@ -38,6 +43,11 @@ func newConfig() config {
 		queryString:       !internal.BoolEnv(envQueryStringDisabled, false),
 		queryStringRegexp: defaultQueryStringRegexp,
 		traceClientIP:     internal.BoolEnv(envTraceClientIPEnabled, false),
+		isStatusError:     isServerError,
+	}
+	v := os.Getenv(envServerErrorStatuses)
+	if fn := GetErrorCodesFromInput(v); fn != nil {
+		c.isStatusError = fn
 	}
 	if s, ok := os.LookupEnv(envQueryStringRegexp); !ok {
 		return c
@@ -51,3 +61,62 @@ func newConfig() config {
 	}
 	return c
 }
+
+func isServerError(statusCode int) bool {
+	return statusCode >= 500 && statusCode < 600
+}
+
+// GetErrorCodesFromInput parses a comma-separated string s to determine which codes are to be considered errors
+// Its purpose is to support the DD_TRACE_HTTP_SERVER_ERROR_STATUSES env var
+// If error condition cannot be determined from s, `nil` is returned
+// e.g, input of "100,200,300-400" returns a function that returns true on 100, 200, and all values between 300-400, inclusive
+// any input that cannot be translated to integer values returns nil
+func GetErrorCodesFromInput(s string) func(statusCode int) bool {
+	if s == "" {
+		return nil
+	}
+	var codes []int
+	var ranges [][]int
+	vals := strings.Split(s, ",")
+	for _, val := range vals {
+		// "-" indicates a range of values
+		if strings.Contains(val, "-") {
+			bounds := strings.Split(val, "-")
+			if len(bounds) != 2 {
+				log.Debug("Trouble parsing %v due to entry %v, using default error status determination logic", s, val)
+				return nil
+			}
+			before, err := strconv.Atoi(bounds[0])
+			if err != nil {
+				log.Debug("Trouble parsing %v due to entry %v, using default error status determination logic", s, val)
+				return nil
+			}
+			after, err := strconv.Atoi(bounds[1])
+			if err != nil {
+				log.Debug("Trouble parsing %v due to entry %v, using default error status determination logic", s, val)
+				return nil
+			}
+			ranges = append(ranges, []int{before, after})
+		} else {
+			intVal, err := strconv.Atoi(val)
+			if err != nil {
+				log.Debug("Trouble parsing %v due to entry %v, using default error status determination logic", s, val)
+				return nil
+			}
+			codes = append(codes, intVal)
+		}
+	}
+	return func(statusCode int) bool {
+		for _, c := range codes {
+			if c == statusCode {
+				return true
+			}
+		}
+		for _, bounds := range ranges {
+			if statusCode >= bounds[0] && statusCode <= bounds[1] {
+				return true
+			}
+		}
+		return false
+	}
+}
diff --git a/instrumentation/httptrace/httptrace.go b/instrumentation/httptrace/httptrace.go
index 9478463642..5068a42e31 100644
--- a/instrumentation/httptrace/httptrace.go
+++ b/instrumentation/httptrace/httptrace.go
@@ -38,7 +38,7 @@ func StartRequestSpan(r *http.Request, opts ...tracer.StartSpanOption) (*tracer.
 
 	var ipTags map[string]string
 	if cfg.traceClientIP {
-		ipTags, _ = httptrace.ClientIPTags(r.Header, true, r.RemoteAddr)
+		ipTags, _ = httpsec.ClientIPTags(r.Header, true, r.RemoteAddr)
 	}
 	nopts := make([]tracer.StartSpanOption, 0, len(opts)+1)
 	nopts = append(nopts,
@@ -69,15 +69,21 @@ func StartRequestSpan(r *http.Request, opts ...tracer.StartSpanOption) (*tracer.
 // code. Any further span finish option can be added with opts.
 func FinishRequestSpan(s *tracer.Span, status int, opts ...tracer.FinishOption) {
 	var statusStr string
+	// if status is 0, treat it like 200 unless 0 was called out in DD_TRACE_HTTP_SERVER_ERROR_STATUSES
 	if status == 0 {
-		statusStr = "200"
+		if cfg.isStatusError(status) {
+			statusStr = "0"
+			s.SetTag(ext.Error, fmt.Errorf("%s: %s", statusStr, http.StatusText(status)))
+		} else {
+			statusStr = "200"
+		}
 	} else {
 		statusStr = strconv.Itoa(status)
+		if cfg.isStatusError(status) {
+			s.SetTag(ext.Error, fmt.Errorf("%s: %s", statusStr, http.StatusText(status)))
+		}
 	}
 	s.SetTag(ext.HTTPCode, statusStr)
-	if status >= 500 && status < 600 {
-		opts = append(opts, tracer.WithError(fmt.Errorf("%s: %s", statusStr, http.StatusText(status))))
-	}
 	s.Finish(opts...)
 }
 
diff --git a/instrumentation/httptrace/httptrace_test.go b/instrumentation/httptrace/httptrace_test.go
index 9329e4dec8..15c01a1e16 100644
--- a/instrumentation/httptrace/httptrace_test.go
+++ b/instrumentation/httptrace/httptrace_test.go
@@ -6,9 +6,11 @@
 package httptrace
 
 import (
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
 	"strconv"
 	"testing"
 
@@ -24,6 +26,117 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func TestGetErrorCodesFromInput(t *testing.T) {
+	codesOnly := "400,401,402"
+	rangesOnly := "400-405,408-410"
+	mixed := "400,403-405,407-410,412"
+	invalid1 := "1,100-200-300-"
+	invalid2 := "abc:@3$5^,"
+	empty := ""
+	t.Run("codesOnly", func(t *testing.T) {
+		fn := GetErrorCodesFromInput(codesOnly)
+		for i := 400; i <= 402; i++ {
+			assert.True(t, fn(i))
+		}
+		assert.False(t, fn(500))
+		assert.False(t, fn(0))
+	})
+	t.Run("rangesOnly", func(t *testing.T) {
+		fn := GetErrorCodesFromInput(rangesOnly)
+		for i := 400; i <= 405; i++ {
+			assert.True(t, fn(i))
+		}
+		for i := 408; i <= 410; i++ {
+			assert.True(t, fn(i))
+		}
+		assert.False(t, fn(406))
+		assert.False(t, fn(411))
+		assert.False(t, fn(500))
+	})
+	t.Run("mixed", func(t *testing.T) {
+		fn := GetErrorCodesFromInput(mixed)
+		assert.True(t, fn(400))
+		assert.False(t, fn(401))
+		for i := 403; i <= 405; i++ {
+			assert.True(t, fn(i))
+		}
+		assert.False(t, fn(406))
+		for i := 407; i <= 410; i++ {
+			assert.True(t, fn(i))
+		}
+		assert.False(t, fn(411))
+		assert.False(t, fn(500))
+	})
+	// invalid entries below should result in nils
+	t.Run("invalid1", func(t *testing.T) {
+		fn := GetErrorCodesFromInput(invalid1)
+		assert.Nil(t, fn)
+	})
+	t.Run("invalid2", func(t *testing.T) {
+		fn := GetErrorCodesFromInput(invalid2)
+		assert.Nil(t, fn)
+	})
+	t.Run("empty", func(t *testing.T) {
+		fn := GetErrorCodesFromInput(empty)
+		assert.Nil(t, fn)
+	})
+}
+
+func TestConfiguredErrorStatuses(t *testing.T) {
+	defer os.Unsetenv("DD_TRACE_HTTP_SERVER_ERROR_STATUSES")
+	t.Run("configured", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		os.Setenv("DD_TRACE_HTTP_SERVER_ERROR_STATUSES", "199-399,400,501")
+
+		// reset config based on new DD_TRACE_HTTP_SERVER_ERROR_STATUSES value
+		oldConfig := cfg
+		defer func() { cfg = oldConfig }()
+		cfg = newConfig()
+
+		statuses := []int{0, 200, 400, 500}
+		r := httptest.NewRequest(http.MethodGet, "/test", nil)
+		for i, status := range statuses {
+			sp, _ := StartRequestSpan(r)
+			FinishRequestSpan(sp, status)
+			spans := mt.FinishedSpans()
+			require.Len(t, spans, i+1)
+
+			switch status {
+			case 0:
+				assert.Equal(t, "200", spans[i].Tag(ext.HTTPCode))
+				assert.Nil(t, spans[i].Tag(ext.Error))
+			case 200, 400:
+				assert.Equal(t, strconv.Itoa(status), spans[i].Tag(ext.HTTPCode))
+				assert.Equal(t, fmt.Errorf("%s: %s", strconv.Itoa(status), http.StatusText(status)), spans[i].Tag(ext.Error).(error))
+			case 500:
+				assert.Equal(t, strconv.Itoa(status), spans[i].Tag(ext.HTTPCode))
+				assert.Nil(t, spans[i].Tag(ext.Error))
+			}
+		}
+	})
+	t.Run("zero", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		os.Setenv("DD_TRACE_HTTP_SERVER_ERROR_STATUSES", "0")
+
+		// reset config based on new DD_TRACE_HTTP_SERVER_ERROR_STATUSES value
+		oldConfig := cfg
+		defer func() { cfg = oldConfig }()
+		cfg = newConfig()
+
+		r := httptest.NewRequest(http.MethodGet, "/test", nil)
+		sp, _ := StartRequestSpan(r)
+		FinishRequestSpan(sp, 0)
+		spans := mt.FinishedSpans()
+		require.Len(t, spans, 1)
+		assert.Equal(t, "0", spans[0].Tag(ext.HTTPCode))
+		assert.Equal(t, fmt.Errorf("0: %s", http.StatusText(0)), spans[0].Tag(ext.Error).(error))
+	})
+}
+
 func TestHeaderTagsFromRequest(t *testing.T) {
 	mt := mocktracer.Start()
 	defer mt.Stop()
diff --git a/internal/apps/Dockerfile b/internal/apps/Dockerfile
index 2f32c31648..35993e4c94 100644
--- a/internal/apps/Dockerfile
+++ b/internal/apps/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.21
+FROM golang:1.23
 COPY . /dd-trace-go
 WORKDIR /dd-trace-go/internal/apps
 # -t will download all dependencies, including test dependencies
diff --git a/internal/apps/apps.go b/internal/apps/apps.go
index f6683803fc..d769cb2906 100644
--- a/internal/apps/apps.go
+++ b/internal/apps/apps.go
@@ -25,9 +25,11 @@ type Config struct {
 	// default we configure non-stop execution tracing for the test apps unless
 	// a DD_PROFILING_EXECUTION_TRACE_PERIOD env is set or this option is true.
 	DisableExecutionTracing bool
+
+	httpAddr net.Addr
 }
 
-func (c Config) RunHTTP(handler func() http.Handler) {
+func (c *Config) RunHTTP(handler func() http.Handler) {
 	// Parse common test app flags
 	var (
 		httpF   = flag.String("http", "localhost:8080", "HTTP addr to listen on.")
@@ -69,6 +71,7 @@ func (c Config) RunHTTP(handler func() http.Handler) {
 		log.Fatalf("failed to listen: %s", err)
 	}
 	defer l.Close()
+	c.httpAddr = l.Addr()
 	log.Printf("Listening on: http://%s", *httpF)
 	// handler is a func, because if we create a traced handler before starting
 	// the tracer, the service name will default to http.router.
@@ -79,3 +82,7 @@ func (c Config) RunHTTP(handler func() http.Handler) {
 	<-ctx.Done()
 	log.Printf("Received interrupt, shutting down")
 }
+
+func (c Config) HTTPAddr() net.Addr {
+	return c.httpAddr
+}
diff --git a/internal/apps/gc-overhead/main.go b/internal/apps/gc-overhead/main.go
new file mode 100644
index 0000000000..5d69677e80
--- /dev/null
+++ b/internal/apps/gc-overhead/main.go
@@ -0,0 +1,177 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2023 Datadog, Inc.
+
+// gc-overhead implements a http service that demonstrates high GC overhead. The
+// primary use case is to take screenshots of CPU and Memory profiles for blog
+// posts. The code is intentionally inefficient, but should produce plausible
+// FlameGraphs. Loop and data sizes are chosen so that the hotspots in the CPU
+// profile, the Allocated Memory Profile, and the Heap Live Objects profile are
+// different.
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"maps"
+	"math"
+	"math/rand/v2"
+	"net/http"
+	"runtime/debug"
+	"slices"
+	"sync"
+	"time"
+
+	httptrace "github.com/DataDog/dd-trace-go/v2/contrib/net/http"
+	"github.com/DataDog/dd-trace-go/v2/internal/apps"
+)
+
+func main() {
+	// Initialize fake data
+	initFakeData()
+
+	// Experimentally determined value to keep GC overhead around 30%.
+	debug.SetGCPercent(35)
+
+	// Start app
+	app := apps.Config{}
+	app.RunHTTP(func() http.Handler {
+		mux := httptrace.NewServeMux()
+		mux.HandleFunc("/vehicles/update_location", VehiclesUpdateLocationHandler)
+		mux.HandleFunc("/vehicles/list", VehiclesListHandler)
+		return mux
+	})
+}
+
+func VehiclesUpdateLocationHandler(w http.ResponseWriter, r *http.Request) {
+	load := int(sineLoad() * 2e5)
+	for i := 0; i < load; i++ {
+		u := &VehicleLocationUpdate{}
+		data := fakeData.vehicleLocationUpdates[i%len(fakeData.vehicleLocationUpdates)]
+		if err := parseVehicleLocationUpdate(data, u); err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		store.Update(u)
+	}
+	w.Write([]byte("ok"))
+}
+
+func parseVehicleLocationUpdate(data []byte, u *VehicleLocationUpdate) error {
+	return json.Unmarshal(data, u)
+}
+
+func VehiclesListHandler(w http.ResponseWriter, r *http.Request) {
+	w.Write(renderVehiclesList().Bytes())
+}
+
+func renderVehiclesList() *bytes.Buffer {
+	buf := &bytes.Buffer{}
+	list := store.List()
+	load := sineLoad() * float64(len(list))
+	list = list[0:int(load)]
+	for _, v := range list {
+		fmt.Fprintf(buf, "%s: %v\n", v.ID, v.History)
+	}
+	return buf
+}
+
+var fakeData struct {
+	vehicleLocationUpdates [1000][]byte
+}
+
+var store = MemoryStore{}
+
+func initFakeData() {
+	for i := 0; i < len(fakeData.vehicleLocationUpdates); i++ {
+		update := VehicleLocationUpdate{
+			ID: fmt.Sprintf("vehicle-%d", i),
+			Position: Position{
+				Longitude: rand.Float64()*180 - 90,
+				Latitude:  rand.Float64()*360 - 180,
+			},
+		}
+		fakeData.vehicleLocationUpdates[i], _ = json.Marshal(update)
+	}
+}
+
+type MemoryStore struct {
+	mu       sync.RWMutex
+	vehicles map[string]*Vehicle
+}
+
+func (m *MemoryStore) Update(u *VehicleLocationUpdate) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.vehicles == nil {
+		m.vehicles = make(map[string]*Vehicle)
+	}
+
+	vehicle, ok := m.vehicles[u.ID]
+	if !ok {
+		vehicle = NewVehicle(u.ID)
+		m.vehicles[u.ID] = vehicle
+	}
+	vehicle.History = append(vehicle.History, &u.Position)
+	const historyLimit = 2000
+	if len(vehicle.History) > historyLimit {
+		// Keep only the last positions
+		copy(vehicle.History, vehicle.History[len(vehicle.History)-historyLimit:])
+		vehicle.History = vehicle.History[:historyLimit]
+	}
+}
+
+func NewVehicle(id string) *Vehicle {
+	return &Vehicle{ID: id, Data: make([]byte, 1024*1024)}
+}
+
+func (m *MemoryStore) List() (vehicles []*Vehicle) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+
+	for _, key := range slices.Sorted(maps.Keys(m.vehicles)) {
+		vehicles = append(vehicles, m.vehicles[key].Copy())
+	}
+	return vehicles
+}
+
+type Position struct {
+	Longitude float64
+	Latitude  float64
+}
+
+type VehicleLocationUpdate struct {
+	ID       string
+	Position Position
+}
+
+type Vehicle struct {
+	ID      string
+	History []*Position
+	Data    []byte
+}
+
+func (v *Vehicle) Copy() *Vehicle {
+	history := make([]*Position, len(v.History))
+	copy(history, v.History)
+	return &Vehicle{
+		ID:      v.ID,
+		History: history,
+	}
+}
+
+// sineLoad returns a value between 0 and 1 that varies sinusoidally over time.
+func sineLoad() float64 {
+	period := 5 * time.Minute
+	// Get the current time in seconds since Unix epoch
+	currentTime := time.Now().UnixNano()
+	// Compute the phase of the sine wave, current time modulo period
+	phase := float64(currentTime) / float64(period) * 2 * math.Pi
+	// Generate the sine wave value (-1 to 1)
+	sineValue := math.Sin(phase)
+	// Normalize the sine wave value to be between 0 and 1
+	return (sineValue + 1) * 0.5
+}
diff --git a/internal/apps/go.mod b/internal/apps/go.mod
index 283e38ecd6..f7bfcf6435 100644
--- a/internal/apps/go.mod
+++ b/internal/apps/go.mod
@@ -1,6 +1,6 @@
 module github.com/DataDog/dd-trace-go/internal/apps
 
-go 1.21
+go 1.23.0
 
 require (
 	github.com/DataDog/dd-trace-go/contrib/net/http/v2 v2.0.0-20240909105439-c452671ebc14
@@ -11,8 +11,8 @@ require (
 require github.com/DataDog/go-sqllexer v0.0.11 // indirect
 
 require (
-	github.com/DataDog/appsec-internal-go v1.7.0 // indirect
-	github.com/DataDog/go-libddwaf/v3 v3.3.0 // indirect
+	github.com/DataDog/appsec-internal-go v1.8.0 // indirect
+	github.com/DataDog/go-libddwaf/v3 v3.4.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 // indirect
 	github.com/ebitengine/purego v0.6.0-alpha.5 // indirect
@@ -24,15 +24,15 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 require (
-	github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 // indirect
-	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 // indirect
-	github.com/DataDog/datadog-go/v5 v5.5.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 // indirect
+	github.com/DataDog/datadog-go/v5 v5.3.0 // indirect
 	github.com/DataDog/go-tuf v1.1.0-0.5.2 // indirect
 	github.com/DataDog/gostackparse v0.7.0 // indirect
 	github.com/DataDog/sketches-go v1.4.5 // indirect
@@ -41,16 +41,16 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b // indirect
-	github.com/google/uuid v1.6.0 // indirect
-	github.com/philhofer/fwd v1.1.2 // indirect
+	github.com/google/uuid v1.5.0 // indirect
+	github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	github.com/stretchr/testify v1.9.0
-	github.com/tinylib/msgp v1.1.9 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	github.com/tinylib/msgp v1.2.1 // indirect
+	golang.org/x/sys v0.23.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 )
diff --git a/internal/apps/go.sum b/internal/apps/go.sum
index 21b6b95485..9329033539 100644
--- a/internal/apps/go.sum
+++ b/internal/apps/go.sum
@@ -1,15 +1,13 @@
-github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
-github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
-github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 h1:/oxF4p/4XUGNpNw2TE7vDu/pJV3elEAZ+jES0/MWtiI=
-github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1/go.mod h1:AVPQWekk3h9AOC7+plBlNB68Sy6UIGFoMMVUDeSoNoI=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 h1:mmkGuCHBFuDBpuwNMcqtY1x1I2fCaPH2Br4xPAAjbkM=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1/go.mod h1:JhAilx32dkIgoDkFXquCTfaWDsAOfe+vfBaxbiZoPI0=
-github.com/DataDog/datadog-go/v5 v5.5.0 h1:G5KHeB8pWBNXT4Jtw0zAkhdxEAWSpWH00geHI6LDrKU=
-github.com/DataDog/datadog-go/v5 v5.5.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
-github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
-github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
-github.com/DataDog/go-sqllexer v0.0.11 h1:OfPBjmayreblOXreszbrOTICNZ3qWrA6Bg4sypvxpbw=
-github.com/DataDog/go-sqllexer v0.0.11/go.mod h1:KwkYhpFEVIq+BfobkTC1vfqm4gTi65skV/DpDBXtexc=
+github.com/DataDog/appsec-internal-go v1.8.0 h1:1Tfn3LEogntRqZtf88twSApOCAAO3V+NILYhuQIo4J4=
+github.com/DataDog/appsec-internal-go v1.8.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 h1:bUMSNsw1iofWiju9yc1f+kBd33E3hMJtq9GuU602Iy8=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 h1:LplNAmMgZvGU7kKA0+4c1xWOjz828xweW5TCi8Mw9Q0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0/go.mod h1:4Vo3SJ24uzfKHUHLoFa8t8o+LH+7TCQ7sPcZDtOpSP4=
+github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8=
+github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q=
+github.com/DataDog/go-libddwaf/v3 v3.4.0 h1:NJ2W2vhYaOm1OWr1LJCbdgp7ezG/XLJcQKBmjFwhSuM=
+github.com/DataDog/go-libddwaf/v3 v3.4.0/go.mod h1:n98d9nZ1gzenRSk53wz8l6d34ikxS+hs62A31Fqmyi4=
 github.com/DataDog/go-tuf v1.1.0-0.5.2 h1:4CagiIekonLSfL8GMHRHcHudo1fQnxELS9g4tiAupQ4=
 github.com/DataDog/go-tuf v1.1.0-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
 github.com/DataDog/gostackparse v0.7.0 h1:i7dLkXHvYzHV308hnkvVGDL3BR4FWl7IsXNPz/IGQh4=
@@ -72,8 +70,9 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0=
 github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
-github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
-github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 h1:jYi87L8j62qkXzaYHAQAhEapgukhenIMZRBKTNRLHJ4=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -106,8 +105,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tinylib/msgp v1.1.9 h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=
-github.com/tinylib/msgp v1.1.9/go.mod h1:BCXGB54lDD8qUEPmiG0cQQUANC4IUQyB2ItS2UDlO/k=
+github.com/tinylib/msgp v1.2.1 h1:6ypy2qcCznxpP4hpORzhtXyTqrBs7cfM9MCCWY8zsmU=
+github.com/tinylib/msgp v1.2.1/go.mod h1:2vIGs3lcUo8izAATNobrCHevYZC/LMsJtw4JPiYPHro=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -116,16 +115,14 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
@@ -139,18 +136,18 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/internal/apps/scenario_test.go b/internal/apps/scenario_test.go
index 438b39a845..b7dbd03a0d 100644
--- a/internal/apps/scenario_test.go
+++ b/internal/apps/scenario_test.go
@@ -66,6 +66,42 @@ func TestScenario(t *testing.T) {
 			})
 		}
 	})
+
+	t.Run("gc-overhead", func(t *testing.T) {
+		scenarios := []struct {
+			version   string
+			endpoints []string
+		}{
+			{"v1", []string{"/vehicles/update_location", "/vehicles/list"}},
+		}
+		for _, s := range scenarios {
+			t.Run(s.version, func(t *testing.T) {
+				lc := newLaunchConfig(t)
+				lc.Version = s.version
+				process := lc.Launch(t)
+				defer process.Stop(t)
+				wc.HitEndpoints(t, process, s.endpoints...)
+			})
+		}
+	})
+
+	t.Run("worker-pool-bottleneck", func(t *testing.T) {
+		scenarios := []struct {
+			version   string
+			endpoints []string
+		}{
+			{"v1", []string{"/queue/push"}},
+		}
+		for _, s := range scenarios {
+			t.Run(s.version, func(t *testing.T) {
+				lc := newLaunchConfig(t)
+				lc.Version = s.version
+				process := lc.Launch(t)
+				defer process.Stop(t)
+				wc.HitEndpoints(t, process, s.endpoints...)
+			})
+		}
+	})
 }
 
 func newWorkloadConfig(t *testing.T) (wc workloadConfig) {
@@ -152,6 +188,13 @@ func appName(t *testing.T) string {
 }
 
 func serviceName(t *testing.T) string {
+	// Allow overriding the service name via env var
+	ddService := os.Getenv("DD_SERVICE")
+	if ddService != "" {
+		return ddService
+	}
+
+	// Otherwise derive the service name from the test name
 	return "dd-trace-go/" + strings.Join(strings.Split(t.Name(), "/")[1:], "/")
 }
 
diff --git a/internal/apps/worker-pool-bottleneck/main.go b/internal/apps/worker-pool-bottleneck/main.go
new file mode 100644
index 0000000000..f217fd485d
--- /dev/null
+++ b/internal/apps/worker-pool-bottleneck/main.go
@@ -0,0 +1,143 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+// worker-pool-bottleneck implements a http service that demonstrates a worker
+// pool bottleneck. In particular the service simulates an application that
+// has a queue processing pipeline that consists of:
+//
+// 1. ConsumeMessageWorker: Pulls messages from a queue.
+// 2. DecodeMessageWorker: Decodes messages.
+// 3. LLMMessageWorker: Makes a long-latency call.
+// 4. PublishMessageWorker: Publishes messages.
+//
+// The LLMMessageWorker is the bottleneck in the pipeline because it doesn't
+// have enough workers to keep up with the other workers. This causes the
+// ConsumeMessageWorker and DecodeMessageWorker to block on send operations.
+//
+// The primary use case is to take screenshots of the timeline feature.
+package main
+
+import (
+	"encoding/json"
+	"io"
+	"log"
+	"math/rand/v2"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/DataDog/dd-trace-go/internal/apps"
+	httptrace "github.com/DataDog/dd-trace-go/v2/contrib/net/http"
+)
+
+func main() {
+	// Init queue
+	queue, err := NewQueue()
+	if err != nil {
+		log.Fatalf("failed to create queue: %v", err)
+	}
+
+	// Start app
+	app := apps.Config{}
+	app.RunHTTP(func() http.Handler {
+		// Setup workers
+		consumeDecode := make(chan []byte)
+		decodeLLM := make(chan any)
+		llmPublish := make(chan any)
+		go ConsumeMessageWorker(queue, consumeDecode)
+		for range 4 {
+			go DecodeMessageWorker(consumeDecode, decodeLLM)
+			go LLMMessageWorker(decodeLLM, llmPublish, app.HTTPAddr())
+			go PublishMessageWorker(llmPublish)
+		}
+
+		// Setup HTTP handlers
+		mux := httptrace.NewServeMux()
+		mux.HandleFunc("/queue/push", QueuePushHandler(queue))
+		mux.HandleFunc("/llm", LLMHandler())
+		return mux
+	})
+}
+
+func QueuePushHandler(queue *Queue) http.HandlerFunc {
+	data, _ := fakePayload(16 * 1024)
+	return func(w http.ResponseWriter, r *http.Request) {
+		for i := 0; i < 100; i++ {
+			if err := queue.Push(data); err != nil {
+				log.Fatalf("failed to push message: %v", err)
+			}
+		}
+	}
+}
+
+func LLMHandler() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Flush out the headers and a short message
+		w.WriteHeader(http.StatusOK)
+		rc := http.NewResponseController(w)
+		w.Write([]byte("hello\n"))
+		rc.Flush()
+		// Wait to simulate a long time to respond
+		time.Sleep(time.Duration(rand.Float64() * 100 * float64(time.Millisecond)))
+		// Flush out another short message and finish the response
+		w.Write([]byte("world\n"))
+		rc.Flush()
+	}
+}
+
+func fakePayload(elements int) ([]byte, error) {
+	var payload []int
+	for i := 0; i < elements; i++ {
+		payload = append(payload, i)
+	}
+	return json.Marshal(payload)
+}
+
+func ConsumeMessageWorker(queue *Queue, decode chan<- []byte) {
+	for {
+		msg, err := queue.Pull()
+		if err != nil {
+			log.Fatalf("failed to pull message: %v", err)
+		}
+		decode <- msg
+	}
+}
+
+func DecodeMessageWorker(decode <-chan []byte, llm chan<- any) {
+	for {
+		msg := <-decode
+		var data interface{}
+		if err := json.Unmarshal(msg, &data); err != nil {
+			log.Fatalf("failed to decode message: %v: %q", err, string(msg))
+		}
+		llm <- data
+	}
+}
+
+func LLMMessageWorker(llm <-chan any, db chan<- any, addr net.Addr) {
+	for {
+		msg := <-llm
+		llmCall(addr)
+		db <- msg
+	}
+}
+
+func PublishMessageWorker(db <-chan any) {
+	for {
+		<-db
+	}
+}
+
+func llmCall(addr net.Addr) error {
+	res, err := http.Get("http://" + addr.String() + "/llm")
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	// Ensure that llmCall will spend most of its time in a networking state
+	// so it looks purple in the timeline.
+	_, err = io.ReadAll(res.Body)
+	return err
+}
diff --git a/internal/apps/worker-pool-bottleneck/queue.go b/internal/apps/worker-pool-bottleneck/queue.go
new file mode 100644
index 0000000000..c6a2436c2c
--- /dev/null
+++ b/internal/apps/worker-pool-bottleneck/queue.go
@@ -0,0 +1,98 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package main
+
+import (
+	"encoding/binary"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"sync"
+)
+
+// Queue pretends to be a networked message queue. In particular it arranges
+// for calls Pull() to be blocked in a stack trace doing a net.Conn.Read().
+type Queue struct {
+	listener  net.Listener
+	conn      net.Conn
+	pushMutex sync.Mutex
+	pullMutex sync.Mutex
+}
+
+func NewQueue() (q *Queue, err error) {
+	q = &Queue{}
+	q.listener, err = net.Listen("tcp", "localhost:0")
+	if err != nil {
+		return nil, fmt.Errorf("failed to start TCP server: %v", err)
+	}
+
+	go q.echoServer()
+
+	q.conn, err = net.Dial("tcp", q.listener.Addr().String())
+	if err != nil {
+		return nil, fmt.Errorf("failed to dial TCP server: %v", err)
+	}
+
+	return q, nil
+}
+
+func (q *Queue) echoServer() {
+	conn, err := q.listener.Accept()
+	if err != nil {
+		log.Fatalf("failed to accept connection: %v\n", err)
+		return
+	}
+	defer conn.Close()
+
+	if _, err := io.Copy(conn, conn); err != nil {
+		log.Fatalf("failed to copy data: %v\n", err)
+		return
+	}
+}
+
+func (q *Queue) Push(data []byte) error {
+	q.pushMutex.Lock()
+	defer q.pushMutex.Unlock()
+
+	// Send the length of the message first
+	err := binary.Write(q.conn, binary.BigEndian, uint64(len(data)))
+	if err != nil {
+		return fmt.Errorf("failed to send message length: %v", err)
+	}
+
+	// Send the actual message
+	_, err = q.conn.Write(data)
+	if err != nil {
+		return fmt.Errorf("failed to send message: %v", err)
+	}
+	return nil
+}
+
+func (q *Queue) Pull() ([]byte, error) {
+	q.pullMutex.Lock()
+	defer q.pullMutex.Unlock()
+
+	// Read the length of the message first
+	var length uint64
+	err := binary.Read(q.conn, binary.BigEndian, &length)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read message length: %v", err)
+	}
+
+	// Read the actual message
+	data := make([]byte, length)
+	_, err = io.ReadFull(q.conn, data)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read message: %v", err)
+	}
+	return data, nil
+}
+
+func (q *Queue) Close() {
+	q.listener.Close()
+	q.conn.Close()
+}
diff --git a/internal/appsec/README.md b/internal/appsec/README.md
new file mode 100644
index 0000000000..dc65d03551
--- /dev/null
+++ b/internal/appsec/README.md
@@ -0,0 +1,147 @@
+# Appsec Go Design
+
+This document describes the design of the `internal/appsec` package and everything under it. This package is responsible
+for securing the application by monitoring the operations that are executed by the application and applying actions in
+case a security threats is detected.
+
+Most of the work is to forward information to the module `github.com/DataDog/go-libddwaf` which contains the WAF
+(Web Application Firewall) engine. The WAF does most of the decision making about events and actions. Our goal is to
+connect the different parts of the application and the WAF engine while keeping up to date the various sources of
+configuration that the WAF engine uses.
+
+### Instrumentation Gateway: Dyngo
+
+Having the customer (or orchestrion) instrument their code is the hardest part of the job. That's why we want to provide
+the simplest API possible for them to use. This means loosing the flexibility or enabling and disabling multiple
+products and features at runtime. Flexibility that we still want to provide to the customer, that's why behind every
+API entrypoint present in `dd-trace-go/contrib` that support appsec is a call to the `internal/appsec/dyngo` package.
+
+```mermaid
+flowchart LR
+
+UserCode[User Code] --> Instrumentation --> IG{Instrumentation Gateway} -----> Listener
+```
+
+Dyngo is a context-scoped event listener system that provide a way to listen dynamically to events that are happening in
+the customer code and to react to configuration changes and hot-swap event listeners at runtime.
+
+```mermaid
+flowchart LR
+
+UserCode[User Code] --> appsec/emitter --> IG{dyngo} -----> appsec/listener
+```
+
+### Operation definition requirements
+
+* Each operation must have a `Start*` and a `Finish` method covering calls to dyngo.
+* The content of the arguments and results should not require any external package, at most the standard library.
+
+Example operation:
+
+```go
+package main
+
+import (
+	"context"
+
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+type (
+	ExampleOperation struct {
+		dyngo.Operation
+	}
+
+	ExampleOperationArgs struct {
+		Type string
+	}
+
+	ExampleOperationResult struct {
+		Code int
+	}
+)
+
+func (ExampleOperationArgs) IsArgOf(*ExampleOperation)      {}
+func (ExampleOperationResult) IsResultOf(*ExampleOperation) {}
+
+func StartExampleOperation(ctx context.Context, args ExampleOperationArgs) *ExampleOperation {
+	parent, ok := dyngo.FromContext(ctx)
+	if !ok {
+		log.Error("No parent operation found")
+		return nil
+	}
+	op := &ExampleOperation{
+		Operation: dyngo.NewOperation(parent),
+    }
+	return dyngo.StartOperation(op, args)
+}
+
+func (op *ExampleOperation) Finish(result ExampleOperationResult) {
+    dyngo.FinishOperation(op, result)
+}
+```
+
+> [!CAUTION]
+> Importing external packages in the operation definition will probably cause circular dependencies. This is because
+> the operation definition can be used in the package is will instrument, and the package that will instrument it will
+> probably import the operation definition.
+
+### Operation Stack
+
+Current state of the possible operation stacks
+
+```mermaid
+flowchart TD
+
+    subgraph Top Level Operation
+        SES[trace.ServiceEntrySpanOperation]
+
+        Context[waf.ContextOperation]
+
+        HTTPH[httpsec.HandlerOperation]
+        GRPCH[grpcsec.HandlerOperation]
+        GQL[graphqlsec.RequestOperation]
+    end
+
+    subgraph HTTP
+        RequestBody([httpsec.MonitorRequestBody])
+        Roundtripper[httpsec.RoundTripOperation]
+    end
+
+    subgraph GRPC
+        RequestMessage([grpcsec.MonitorRequestMessage])
+        ResponseMessage([grpcsec.MonitorResponseMessage])
+    end
+
+    subgraph GraphQL
+        Exec[graphqlsec.ExecutionOperation]
+        Resolve[graphqlsec.ResolveOperation]
+    end
+
+    Code{User Code}
+
+    SES --> Context
+    Context --> HTTPH --> Code
+    Context --> GRPCH --> Code
+    Context --> GQL
+
+    GQL --> Exec --> Resolve --> Code
+
+    Code --> RequestBody
+
+    Code --> RequestMessage
+    Code --> ResponseMessage
+
+    Code --> Span[trace.SpanOperation]
+
+    Span --> Roundtripper
+    Span --> OS[ossec.OpenOperation]
+    Span --> SQL[sqlsec.SQLOperation]
+    Span --> User[usersec.UserOperation]
+```
+
+> [!IMPORTANT]
+> Please note that this is how the operation SHOULD be stacked. If the user code does not have a Top Level Operation
+> then nothing will be monitored. In this case an error log should be produced to explain thouroughly the issue to
+> the user.
diff --git a/internal/appsec/_testlib/require.go b/internal/appsec/_testlib/require.go
deleted file mode 100644
index 77cde3e06c..0000000000
--- a/internal/appsec/_testlib/require.go
+++ /dev/null
@@ -1,20 +0,0 @@
-// Unless explicitly stated otherwise all files in this repository are licensed
-// under the Apache License Version 2.0.
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
-
-package testlib
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-// RequireContainsMapSubset requires that the given map m contains the given subset map keys and values.
-func RequireContainsMapSubset(t *testing.T, m map[string]interface{}, subset map[string]interface{}) {
-	for k, v := range subset {
-		require.Contains(t, m, k)
-		require.Equal(t, v, m[k])
-	}
-}
diff --git a/internal/appsec/appsec.go b/internal/appsec/appsec.go
index 34a9018a92..93e8d1e33d 100644
--- a/internal/appsec/appsec.go
+++ b/internal/appsec/appsec.go
@@ -9,8 +9,8 @@ import (
 	"fmt"
 	"sync"
 
-	"github.com/DataDog/appsec-internal-go/limiter"
 	appsecLog "github.com/DataDog/appsec-internal-go/log"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
 	waf "github.com/DataDog/go-libddwaf/v3"
 
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
@@ -134,10 +134,10 @@ func setActiveAppSec(a *appsec) {
 }
 
 type appsec struct {
-	cfg       *config.Config
-	limiter   *limiter.TokenTicker
-	wafHandle *waf.Handle
-	started   bool
+	cfg        *config.Config
+	features   []listener.Feature
+	featuresMu sync.Mutex
+	started    bool
 }
 
 func newAppSec(cfg *config.Config) *appsec {
@@ -160,11 +160,8 @@ func (a *appsec) start(telemetry *appsecTelemetry) error {
 		log.Error("appsec: non-critical error while loading libddwaf: %v", err)
 	}
 
-	a.limiter = limiter.NewTokenTicker(a.cfg.TraceRateLimit, a.cfg.TraceRateLimit)
-	a.limiter.Start()
-
-	// Register the WAF operation event listener
-	if err := a.swapWAF(a.cfg.RulesManager.Latest); err != nil {
+	// Register dyngo listeners
+	if err := a.SwapRootOperation(); err != nil {
 		return err
 	}
 
@@ -193,15 +190,23 @@ func (a *appsec) stop() {
 	// Disable RC blocking first so that the following is guaranteed not to be concurrent anymore.
 	a.disableRCBlocking()
 
+	a.featuresMu.Lock()
+	defer a.featuresMu.Unlock()
+
 	// Disable the currently applied instrumentation
 	dyngo.SwapRootOperation(nil)
-	if a.wafHandle != nil {
-		a.wafHandle.Close()
-		a.wafHandle = nil
-	}
+
+	// Reset rules edits received from the remote configuration
+	// We skip the error because we can't do anything about and it was already logged in config.NewRulesManager
+	a.cfg.RulesManager, _ = config.NewRulesManager(nil)
+
 	// TODO: block until no more requests are using dyngo operations
 
-	a.limiter.Stop()
+	for _, feature := range a.features {
+		feature.Stop()
+	}
+
+	a.features = nil
 }
 
 func init() {
diff --git a/internal/appsec/config/config.go b/internal/appsec/config/config.go
index 331f7c2591..08a6b635da 100644
--- a/internal/appsec/config/config.go
+++ b/internal/appsec/config/config.go
@@ -68,6 +68,30 @@ type Config struct {
 	// RC is the remote configuration client used to receive product configuration updates. Nil if RC is disabled (default)
 	RC   *remoteconfig.ClientConfig
 	RASP bool
+	// SupportedAddresses are the addresses that the AppSec listener will bind to.
+	SupportedAddresses AddressSet
+}
+
+// AddressSet is a set of WAF addresses.
+type AddressSet map[string]struct{}
+
+func NewAddressSet(addrs []string) AddressSet {
+	set := make(AddressSet, len(addrs))
+	for _, addr := range addrs {
+		set[addr] = struct{}{}
+	}
+	return set
+}
+
+// AnyOf returns true if any of the addresses in the set are in the given list.
+func (set AddressSet) AnyOf(anyOf ...string) bool {
+	for _, addr := range anyOf {
+		if _, ok := set[addr]; ok {
+			return true
+		}
+	}
+
+	return false
 }
 
 // WithRCConfig sets the AppSec remote config client configuration to the specified cfg
@@ -105,7 +129,7 @@ func NewConfig() (*Config, error) {
 		return nil, err
 	}
 
-	r, err := NewRulesManeger(rules)
+	r, err := NewRulesManager(rules)
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/appsec/config/rules_manager.go b/internal/appsec/config/rules_manager.go
index 75018011f0..9fdd872834 100644
--- a/internal/appsec/config/rules_manager.go
+++ b/internal/appsec/config/rules_manager.go
@@ -8,6 +8,7 @@ package config
 import (
 	"encoding/json"
 	"fmt"
+	"slices"
 
 	"github.com/DataDog/dd-trace-go/v2/internal/log"
 
@@ -28,24 +29,21 @@ type (
 	}
 	// RulesFragment can represent a full ruleset or a fragment of it.
 	RulesFragment struct {
-		Version     string          `json:"version,omitempty"`
-		Metadata    any             `json:"metadata,omitempty"`
-		Rules       []any           `json:"rules,omitempty"`
-		Overrides   []any           `json:"rules_override,omitempty"`
-		Exclusions  []any           `json:"exclusions,omitempty"`
-		RulesData   []RuleDataEntry `json:"rules_data,omitempty"`
-		Actions     []any           `json:"actions,omitempty"`
-		CustomRules []any           `json:"custom_rules,omitempty"`
-		Processors  []any           `json:"processors,omitempty"`
-		Scanners    []any           `json:"scanners,omitempty"`
+		Version       string      `json:"version,omitempty"`
+		Metadata      any         `json:"metadata,omitempty"`
+		Rules         []any       `json:"rules,omitempty"`
+		Overrides     []any       `json:"rules_override,omitempty"`
+		Exclusions    []any       `json:"exclusions,omitempty"`
+		ExclusionData []DataEntry `json:"exclusion_data,omitempty"`
+		RulesData     []DataEntry `json:"rules_data,omitempty"`
+		Actions       []any       `json:"actions,omitempty"`
+		CustomRules   []any       `json:"custom_rules,omitempty"`
+		Processors    []any       `json:"processors,omitempty"`
+		Scanners      []any       `json:"scanners,omitempty"`
 	}
 
-	// RuleDataEntry represents an entry in the "rules_data" top level field of a rules file
-	RuleDataEntry rc.ASMDataRuleData
-	// RulesData is a slice of RulesDataEntry
-	RulesData struct {
-		RulesData []RuleDataEntry `json:"rules_data"`
-	}
+	// DataEntry represents an entry in the "rules_data" top level field of a rules file
+	DataEntry rc.ASMDataRuleData
 )
 
 // DefaultRulesFragment returns a RulesFragment created using the default static recommended rules
@@ -60,27 +58,20 @@ func DefaultRulesFragment() RulesFragment {
 func (f *RulesFragment) clone() (clone RulesFragment) {
 	clone.Version = f.Version
 	clone.Metadata = f.Metadata
-	clone.Overrides = cloneSlice(f.Overrides)
-	clone.Exclusions = cloneSlice(f.Exclusions)
-	clone.RulesData = cloneSlice(f.RulesData)
-	clone.CustomRules = cloneSlice(f.CustomRules)
-	clone.Processors = cloneSlice(f.Processors)
-	clone.Scanners = cloneSlice(f.Scanners)
-	// TODO (Francois Mazeau): copy more fields once we handle them
+	clone.Overrides = slices.Clone(f.Overrides)
+	clone.Exclusions = slices.Clone(f.Exclusions)
+	clone.ExclusionData = slices.Clone(f.ExclusionData)
+	clone.RulesData = slices.Clone(f.RulesData)
+	clone.CustomRules = slices.Clone(f.CustomRules)
+	clone.Processors = slices.Clone(f.Processors)
+	clone.Scanners = slices.Clone(f.Scanners)
 	return
 }
 
-func cloneSlice[T any](slice []T) []T {
-	// TODO: use slices.Clone once go1.21 is the min supported go runtime.
-	clone := make([]T, len(slice), cap(slice))
-	copy(clone, slice)
-	return clone
-}
-
-// NewRulesManeger initializes and returns a new RulesManager using the provided rules.
+// NewRulesManager initializes and returns a new RulesManager using the provided rules.
 // If no rules are provided (nil), the default rules are used instead.
 // If the provided rules are invalid, an error is returned
-func NewRulesManeger(rules []byte) (*RulesManager, error) {
+func NewRulesManager(rules []byte) (*RulesManager, error) {
 	var f RulesFragment
 	if rules == nil {
 		f = DefaultRulesFragment()
@@ -135,6 +126,7 @@ func (r *RulesManager) Compile() {
 	for _, v := range r.Edits {
 		r.Latest.Overrides = append(r.Latest.Overrides, v.Overrides...)
 		r.Latest.Exclusions = append(r.Latest.Exclusions, v.Exclusions...)
+		r.Latest.ExclusionData = append(r.Latest.ExclusionData, v.ExclusionData...)
 		r.Latest.Actions = append(r.Latest.Actions, v.Actions...)
 		r.Latest.RulesData = append(r.Latest.RulesData, v.RulesData...)
 		r.Latest.CustomRules = append(r.Latest.CustomRules, v.CustomRules...)
diff --git a/internal/appsec/emitter/trace/service_entry_span.go b/internal/appsec/emitter/trace/service_entry_span.go
new file mode 100644
index 0000000000..a1f25db400
--- /dev/null
+++ b/internal/appsec/emitter/trace/service_entry_span.go
@@ -0,0 +1,158 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package trace
+
+import (
+	"context"
+	"encoding/json"
+	"sync"
+
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+type (
+	// ServiceEntrySpanOperation is a dyngo.Operation that holds a the first span of a service. Usually a http or grpc span.
+	ServiceEntrySpanOperation struct {
+		dyngo.Operation
+		tags     map[string]any
+		jsonTags map[string]any
+		mu       sync.Mutex
+	}
+
+	// ServiceEntrySpanArgs is the arguments for a ServiceEntrySpanOperation
+	ServiceEntrySpanArgs struct{}
+
+	// ServiceEntrySpanTag is a key value pair event that is used to tag a service entry span
+	ServiceEntrySpanTag struct {
+		Key   string
+		Value any
+	}
+
+	// JSONServiceEntrySpanTag is a key value pair event that is used to tag a service entry span
+	// It will be serialized as JSON when added to the span
+	JSONServiceEntrySpanTag struct {
+		Key   string
+		Value any
+	}
+
+	// ServiceEntrySpanTagsBulk is a bulk event that is used to send tags to a service entry span
+	ServiceEntrySpanTagsBulk struct {
+		Tags             []JSONServiceEntrySpanTag
+		SerializableTags []JSONServiceEntrySpanTag
+	}
+)
+
+func (ServiceEntrySpanArgs) IsArgOf(*ServiceEntrySpanOperation) {}
+
+// SetTag adds the key/value pair to the tags to add to the service entry span
+func (op *ServiceEntrySpanOperation) SetTag(key string, value any) {
+	op.mu.Lock()
+	defer op.mu.Unlock()
+	op.tags[key] = value
+}
+
+// SetSerializableTag adds the key/value pair to the tags to add to the service entry span.
+// The value MAY be serialized as JSON if necessary but simple types will not be serialized.
+func (op *ServiceEntrySpanOperation) SetSerializableTag(key string, value any) {
+	op.mu.Lock()
+	defer op.mu.Unlock()
+	op.setSerializableTag(key, value)
+}
+
+// SetSerializableTags adds the key/value pairs to the tags to add to the service entry span.
+// Values MAY be serialized as JSON if necessary but simple types will not be serialized.
+func (op *ServiceEntrySpanOperation) SetSerializableTags(tags map[string]any) {
+	op.mu.Lock()
+	defer op.mu.Unlock()
+	for key, value := range tags {
+		op.setSerializableTag(key, value)
+	}
+}
+
+func (op *ServiceEntrySpanOperation) setSerializableTag(key string, value any) {
+	switch value.(type) {
+	case string, int8, int16, int32, int64, uint8, uint16, uint32, uint64, float32, float64, bool:
+		op.tags[key] = value
+	default:
+		op.jsonTags[key] = value
+	}
+}
+
+// SetTags fills the span tags using the key/value pairs found in `tags`
+func (op *ServiceEntrySpanOperation) SetTags(tags map[string]any) {
+	op.mu.Lock()
+	defer op.mu.Unlock()
+	for k, v := range tags {
+		op.tags[k] = v
+	}
+}
+
+// SetStringTags fills the span tags using the key/value pairs found in `tags`
+func (op *ServiceEntrySpanOperation) SetStringTags(tags map[string]string) {
+	op.mu.Lock()
+	defer op.mu.Unlock()
+	for k, v := range tags {
+		op.tags[k] = v
+	}
+}
+
+// OnServiceEntrySpanTagEvent is a callback that is called when a dyngo.OnData is triggered with a ServiceEntrySpanTag event
+func (op *ServiceEntrySpanOperation) OnServiceEntrySpanTagEvent(tag ServiceEntrySpanTag) {
+	op.SetTag(tag.Key, tag.Value)
+}
+
+// OnJSONServiceEntrySpanTagEvent is a callback that is called when a dyngo.OnData is triggered with a JSONServiceEntrySpanTag event
+func (op *ServiceEntrySpanOperation) OnJSONServiceEntrySpanTagEvent(tag JSONServiceEntrySpanTag) {
+	op.SetSerializableTag(tag.Key, tag.Value)
+}
+
+// OnServiceEntrySpanTagsBulkEvent is a callback that is called when a dyngo.OnData is triggered with a ServiceEntrySpanTagsBulk event
+func (op *ServiceEntrySpanOperation) OnServiceEntrySpanTagsBulkEvent(bulk ServiceEntrySpanTagsBulk) {
+	for _, v := range bulk.Tags {
+		op.SetTag(v.Key, v.Value)
+	}
+
+	for _, v := range bulk.SerializableTags {
+		op.SetSerializableTag(v.Key, v.Value)
+	}
+}
+
+// OnSpanTagEvent is a listener for SpanTag events.
+func (op *ServiceEntrySpanOperation) OnSpanTagEvent(tag SpanTag) {
+	op.SetTag(tag.Key, tag.Value)
+}
+
+func StartServiceEntrySpanOperation(ctx context.Context) (*ServiceEntrySpanOperation, context.Context) {
+	parent, _ := dyngo.FromContext(ctx)
+	op := &ServiceEntrySpanOperation{
+		Operation: dyngo.NewOperation(parent),
+		tags:      make(map[string]any),
+		jsonTags:  make(map[string]any),
+	}
+	return op, dyngo.StartAndRegisterOperation(ctx, op, ServiceEntrySpanArgs{})
+}
+
+func (op *ServiceEntrySpanOperation) Finish(span TagSetter) {
+	if _, ok := span.(*NoopTagSetter); ok { // If the span is a NoopTagSetter or is nil, we don't need to set any tags
+		return
+	}
+
+	op.mu.Lock()
+	defer op.mu.Unlock()
+
+	for k, v := range op.tags {
+		span.SetTag(k, v)
+	}
+
+	for k, v := range op.jsonTags {
+		strValue, err := json.Marshal(v)
+		if err != nil {
+			log.Debug("appsec: failed to marshal tag %s: %v", k, err)
+		}
+		span.SetTag(k, string(strValue))
+	}
+}
diff --git a/internal/appsec/emitter/trace/span.go b/internal/appsec/emitter/trace/span.go
new file mode 100644
index 0000000000..01e70b770a
--- /dev/null
+++ b/internal/appsec/emitter/trace/span.go
@@ -0,0 +1,67 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package trace
+
+import (
+	"context"
+	"sync"
+
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+)
+
+type (
+	// SpanOperation is a dyngo.Operation that holds a ddtrace.Span.
+	// It used as a middleware for appsec code and the tracer code
+	// hopefully some day this operation will create spans instead of simply using them
+	SpanOperation struct {
+		dyngo.Operation
+		tags map[string]any
+		mu   sync.Mutex
+	}
+
+	// SpanArgs is the arguments for a SpanOperation
+	SpanArgs struct{}
+
+	// SpanTag is a key value pair event that is used to tag the current span
+	SpanTag struct {
+		Key   string
+		Value any
+	}
+)
+
+func (SpanArgs) IsArgOf(*SpanOperation) {}
+
+// SetTag adds the key/value pair to the tags to add to the span
+func (op *SpanOperation) SetTag(key string, value any) {
+	op.mu.Lock()
+	defer op.mu.Unlock()
+	op.tags[key] = value
+}
+
+// OnSpanTagEvent is a listener for SpanTag events.
+func (op *SpanOperation) OnSpanTagEvent(tag SpanTag) {
+	op.SetTag(tag.Key, tag.Value)
+}
+
+func StartSpanOperation(ctx context.Context) (*SpanOperation, context.Context) {
+	op := &SpanOperation{
+		tags: make(map[string]any),
+	}
+	return op, dyngo.StartAndRegisterOperation(ctx, op, SpanArgs{})
+}
+
+func (op *SpanOperation) Finish(span TagSetter) {
+	if _, ok := span.(*NoopTagSetter); ok { // If the span is a NoopTagSetter or is nil, we don't need to set any tags
+		return
+	}
+
+	op.mu.Lock()
+	defer op.mu.Unlock()
+
+	for k, v := range op.tags {
+		span.SetTag(k, v)
+	}
+}
diff --git a/internal/appsec/emitter/trace/tag_setter.go b/internal/appsec/emitter/trace/tag_setter.go
new file mode 100644
index 0000000000..a7f5bc1944
--- /dev/null
+++ b/internal/appsec/emitter/trace/tag_setter.go
@@ -0,0 +1,29 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package trace
+
+// TagSetter is the interface needed to set a span tag.
+type TagSetter interface {
+	SetTag(string, any)
+}
+
+// NoopTagSetter is a TagSetter that does nothing. Useful when no tracer
+// Span is available, but a TagSetter is assumed.
+type NoopTagSetter struct{}
+
+func (NoopTagSetter) SetTag(string, any) {
+	// Do nothing
+}
+
+type TestTagSetter map[string]any
+
+func (t TestTagSetter) SetTag(key string, value any) {
+	t[key] = value
+}
+
+func (t TestTagSetter) Tags() map[string]any {
+	return t
+}
diff --git a/internal/appsec/emitter/usersec/user.go b/internal/appsec/emitter/usersec/user.go
new file mode 100644
index 0000000000..2d87043c28
--- /dev/null
+++ b/internal/appsec/emitter/usersec/user.go
@@ -0,0 +1,51 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package usersec
+
+import (
+	"context"
+
+	"github.com/DataDog/dd-trace-go/v2/appsec/events"
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+)
+
+const errorLog = `
+appsec: user login monitoring ignored: could not find the http handler instrumentation metadata in the request context:
+	the request handler is not being monitored by a middleware function or the provided context is not the expected request context
+`
+
+type (
+	// UserLoginOperation type representing a call to appsec.SetUser(). It gets both created and destroyed in a single
+	// call to ExecuteUserIDOperation
+	UserLoginOperation struct {
+		dyngo.Operation
+	}
+	// UserLoginOperationArgs is the user ID operation arguments.
+	UserLoginOperationArgs struct{}
+
+	// UserLoginOperationRes is the user ID operation results.
+	UserLoginOperationRes struct {
+		UserID    string
+		SessionID string
+		Success   bool
+	}
+)
+
+func StartUserLoginOperation(ctx context.Context, args UserLoginOperationArgs) (*UserLoginOperation, *error) {
+	parent, _ := dyngo.FromContext(ctx)
+	op := &UserLoginOperation{Operation: dyngo.NewOperation(parent)}
+	var err error
+	dyngo.OnData(op, func(e *events.BlockingSecurityEvent) { err = e })
+	dyngo.StartOperation(op, args)
+	return op, &err
+}
+
+func (op *UserLoginOperation) Finish(args UserLoginOperationRes) {
+	dyngo.FinishOperation(op, args)
+}
+
+func (UserLoginOperationArgs) IsArgOf(*UserLoginOperation)   {}
+func (UserLoginOperationRes) IsResultOf(*UserLoginOperation) {}
diff --git a/internal/appsec/emitter/waf/actions/actions.go b/internal/appsec/emitter/waf/actions/actions.go
new file mode 100644
index 0000000000..34a3abdcc3
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/actions.go
@@ -0,0 +1,56 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package actions
+
+import (
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+type (
+	// Action is a generic interface that represents any WAF action
+	Action interface {
+		EmitData(op dyngo.Operation)
+	}
+)
+
+type actionHandler func(map[string]any) []Action
+
+// actionHandlers is a map of action types to their respective handler functions
+// It is populated by the init functions of the actions packages
+var actionHandlers = map[string]actionHandler{}
+
+func registerActionHandler(aType string, handler actionHandler) {
+	if _, ok := actionHandlers[aType]; ok {
+		log.Warn("appsec: action type `%s` already registered", aType)
+		return
+	}
+	actionHandlers[aType] = handler
+}
+
+// SendActionEvents sends the relevant actions to the operation's data listener.
+// It returns true if at least one of those actions require interrupting the request handler
+// When SDKError is not nil, this error is sent to the op with EmitData so that the invoked SDK can return it
+func SendActionEvents(op dyngo.Operation, actions map[string]any) {
+	for aType, params := range actions {
+		log.Debug("appsec: processing %s action with params %v", aType, params)
+		params, ok := params.(map[string]any)
+		if !ok {
+			log.Debug("appsec: could not cast action params to map[string]any from %T", params)
+			continue
+		}
+
+		actionHandler, ok := actionHandlers[aType]
+		if !ok {
+			log.Debug("appsec: unknown action type `%s`", aType)
+			continue
+		}
+
+		for _, a := range actionHandler(params) {
+			a.EmitData(op)
+		}
+	}
+}
diff --git a/internal/appsec/emitter/waf/actions/actions_test.go b/internal/appsec/emitter/waf/actions/actions_test.go
new file mode 100644
index 0000000000..1e77c8e2d1
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/actions_test.go
@@ -0,0 +1,315 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package actions
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewHTTPBlockRequestAction(t *testing.T) {
+	mux := http.NewServeMux()
+	srv := httptest.NewServer(mux)
+	mux.HandleFunc("/json", newHTTPBlockRequestAction(403, "json").ServeHTTP)
+	mux.HandleFunc("/html", newHTTPBlockRequestAction(403, "html").ServeHTTP)
+	mux.HandleFunc("/auto", newHTTPBlockRequestAction(403, "auto").ServeHTTP)
+	defer srv.Close()
+
+	t.Run("json", func(t *testing.T) {
+		for _, tc := range []struct {
+			name   string
+			accept string
+		}{
+			{
+				name: "no-accept",
+			},
+			{
+				name:   "irrelevant-accept",
+				accept: "text/html",
+			},
+			{
+				name:   "accept",
+				accept: "application/json",
+			},
+		} {
+			t.Run(tc.name, func(t *testing.T) {
+				req, err := http.NewRequest("POST", srv.URL+"/json", nil)
+				req.Header.Set("Accept", tc.accept)
+				require.NoError(t, err)
+				res, err := srv.Client().Do(req)
+				require.NoError(t, err)
+				defer res.Body.Close()
+				body, err := io.ReadAll(res.Body)
+				require.Equal(t, 403, res.StatusCode)
+				require.Equal(t, blockedTemplateJSON, body)
+			})
+		}
+	})
+
+	t.Run("html", func(t *testing.T) {
+		for _, tc := range []struct {
+			name   string
+			accept string
+		}{
+			{
+				name: "no-accept",
+			},
+			{
+				name:   "irrelevant-accept",
+				accept: "application/json",
+			},
+			{
+				name:   "accept",
+				accept: "text/html",
+			},
+		} {
+			t.Run(tc.name, func(t *testing.T) {
+				req, err := http.NewRequest("POST", srv.URL+"/html", nil)
+				require.NoError(t, err)
+				res, err := srv.Client().Do(req)
+				require.NoError(t, err)
+				defer res.Body.Close()
+				body, err := io.ReadAll(res.Body)
+				require.Equal(t, 403, res.StatusCode)
+				require.Equal(t, blockedTemplateHTML, body)
+			})
+		}
+	})
+
+	t.Run("auto", func(t *testing.T) {
+		for _, tc := range []struct {
+			name     string
+			accept   string
+			expected []byte
+		}{
+			{
+				name:     "no-accept",
+				expected: blockedTemplateJSON,
+			},
+			{
+				name:     "json-accept-1",
+				accept:   "application/json",
+				expected: blockedTemplateJSON,
+			},
+			{
+				name:     "json-accept-2",
+				accept:   "application/json,text/html",
+				expected: blockedTemplateJSON,
+			},
+			{
+				name:     "json-accept-3",
+				accept:   "irrelevant/content,application/json,text/html",
+				expected: blockedTemplateJSON,
+			},
+			{
+				name:     "json-accept-4",
+				accept:   "irrelevant/content,application/json,text/html,application/json",
+				expected: blockedTemplateJSON,
+			},
+			{
+				name:     "html-accept-1",
+				accept:   "text/html",
+				expected: blockedTemplateHTML,
+			},
+			{
+				name:     "html-accept-2",
+				accept:   "text/html,application/json",
+				expected: blockedTemplateHTML,
+			},
+			{
+				name:     "html-accept-3",
+				accept:   "irrelevant/content,text/html,application/json",
+				expected: blockedTemplateHTML,
+			},
+			{
+				name:     "html-accept-4",
+				accept:   "irrelevant/content,text/html,application/json,text/html",
+				expected: blockedTemplateHTML,
+			},
+			{
+				name:     "irrelevant-accept",
+				accept:   "irrelevant/irrelevant,application/html",
+				expected: blockedTemplateJSON,
+			},
+		} {
+			t.Run(tc.name, func(t *testing.T) {
+				req, err := http.NewRequest("POST", srv.URL+"/auto", nil)
+				req.Header.Set("Accept", tc.accept)
+				require.NoError(t, err)
+				res, err := srv.Client().Do(req)
+				require.NoError(t, err)
+				defer res.Body.Close()
+				body, err := io.ReadAll(res.Body)
+				require.Equal(t, 403, res.StatusCode)
+				require.Equal(t, tc.expected, body)
+			})
+		}
+	})
+}
+
+func TestNewRedirectRequestAction(t *testing.T) {
+	mux := http.NewServeMux()
+	srv := httptest.NewServer(mux)
+	mux.HandleFunc("/redirect-default-status", newRedirectRequestAction(100, "/redirected").ServeHTTP)
+	mux.HandleFunc("/redirect-no-location", newRedirectRequestAction(303, "").ServeHTTP)
+	mux.HandleFunc("/redirect1", newRedirectRequestAction(http.StatusFound, "/redirect2").ServeHTTP)
+	mux.HandleFunc("/redirect2", newRedirectRequestAction(http.StatusFound, "/redirected").ServeHTTP)
+	mux.HandleFunc("/redirected", func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK) // Shouldn't matter since we write 302 before arriving here
+		w.Write([]byte("Redirected"))
+	})
+	srv.Client().CheckRedirect = func(_ *http.Request, via []*http.Request) error {
+		require.GreaterOrEqual(t, len(via), 1)
+		require.Equal(t, "/redirect1", via[0].URL.Path)
+		if len(via) == 2 {
+			require.Equal(t, "/redirect2", via[1].URL.Path)
+			require.NotNil(t, via[1].Response)
+			require.Equal(t, http.StatusFound, via[1].Response.StatusCode)
+		}
+		return nil
+	}
+	defer srv.Close()
+
+	for _, tc := range []struct {
+		name string
+		url  string
+	}{
+		{
+			name: "no-redirect",
+			url:  "/redirected",
+		},
+		{
+			name: "redirect",
+			url:  "/redirect1",
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			req, err := http.NewRequest("POST", srv.URL+tc.url, nil)
+			require.NoError(t, err)
+			res, err := srv.Client().Do(req)
+			require.NoError(t, err)
+			defer res.Body.Close()
+			body, err := io.ReadAll(res.Body)
+			require.Equal(t, http.StatusOK, res.StatusCode)
+			require.Equal(t, "Redirected", string(body))
+		})
+	}
+
+	// These tests check that redirect actions can handle bad parameter values
+	// - empty location: revert to default blocking action instead
+	// - status code outside of [300, 399]: default to 303
+	t.Run("no-location", func(t *testing.T) {
+		srv.Client().CheckRedirect = func(_ *http.Request, _ []*http.Request) error {
+			return nil
+		}
+		req, err := http.NewRequest("POST", srv.URL+"/redirect-no-location", nil)
+		require.NoError(t, err)
+		res, err := srv.Client().Do(req)
+		require.NoError(t, err)
+		defer res.Body.Close()
+		body, err := io.ReadAll(res.Body)
+		require.Equal(t, http.StatusForbidden, res.StatusCode)
+		require.Equal(t, blockedTemplateJSON, body)
+	})
+
+	t.Run("bad-status-code", func(t *testing.T) {
+		srv.Client().CheckRedirect = func(req *http.Request, via []*http.Request) error {
+			require.Equal(t, len(via), 1)
+			require.Equal(t, "/redirect-default-status", via[0].URL.Path)
+			require.Equal(t, 303, req.Response.StatusCode)
+			return nil
+		}
+		req, err := http.NewRequest("POST", srv.URL+"/redirect-default-status", nil)
+		require.NoError(t, err)
+		res, err := srv.Client().Do(req)
+		require.NoError(t, err)
+		defer res.Body.Close()
+		body, err := io.ReadAll(res.Body)
+		require.Equal(t, "Redirected", string(body))
+	})
+}
+
+func TestNewBlockParams(t *testing.T) {
+	for name, tc := range map[string]struct {
+		params   map[string]any
+		expected blockActionParams
+	}{
+		"block-1": {
+			params: map[string]any{
+				"status_code": "403",
+				"type":        "auto",
+			},
+			expected: blockActionParams{
+				Type:       "auto",
+				StatusCode: 403,
+			},
+		},
+		"block-2": {
+			params: map[string]any{
+				"status_code": "405",
+				"type":        "html",
+			},
+			expected: blockActionParams{
+				Type:       "html",
+				StatusCode: 405,
+			},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			actionParams, err := blockParamsFromMap(tc.params)
+			require.NoError(t, err)
+			require.Equal(t, tc.expected.Type, actionParams.Type)
+			require.Equal(t, tc.expected.StatusCode, actionParams.StatusCode)
+		})
+	}
+}
+
+func TestNewRedirectParams(t *testing.T) {
+	for name, tc := range map[string]struct {
+		params   map[string]any
+		expected redirectActionParams
+	}{
+		"redirect-1": {
+			params: map[string]any{
+				"status_code": "308",
+				"location":    "/redirected",
+			},
+			expected: redirectActionParams{
+				Location:   "/redirected",
+				StatusCode: 308,
+			},
+		},
+		"redirect-2": {
+			params: map[string]any{
+				"status_code": "303",
+				"location":    "/tmp",
+			},
+			expected: redirectActionParams{
+				Location:   "/tmp",
+				StatusCode: 303,
+			},
+		},
+		"no-location": {
+			params: map[string]any{
+				"status_code": "303",
+			},
+			expected: redirectActionParams{
+				Location:   "",
+				StatusCode: 303,
+			},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			actionParams, err := redirectParamsFromMap(tc.params)
+			require.NoError(t, err)
+			require.Equal(t, tc.expected, actionParams)
+		})
+	}
+}
diff --git a/internal/appsec/emitter/waf/actions/block.go b/internal/appsec/emitter/waf/actions/block.go
new file mode 100644
index 0000000000..cd8d4991ab
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/block.go
@@ -0,0 +1,160 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package actions
+
+import (
+	_ "embed" // embed is used to embed the blocked-template.json and blocked-template.html files
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/DataDog/dd-trace-go/v2/appsec/events"
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+	"github.com/mitchellh/mapstructure"
+)
+
+// blockedTemplateJSON is the default JSON template used to write responses for blocked requests
+//
+//go:embed blocked-template.json
+var blockedTemplateJSON []byte
+
+// blockedTemplateHTML is the default HTML template used to write responses for blocked requests
+//
+//go:embed blocked-template.html
+var blockedTemplateHTML []byte
+
+const (
+	envBlockedTemplateHTML = "DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML"
+	envBlockedTemplateJSON = "DD_APPSEC_HTTP_BLOCKED_TEMPLATE_JSON"
+)
+
+func init() {
+	for env, template := range map[string]*[]byte{envBlockedTemplateJSON: &blockedTemplateJSON, envBlockedTemplateHTML: &blockedTemplateHTML} {
+		if path, ok := os.LookupEnv(env); ok {
+			if t, err := os.ReadFile(path); err != nil {
+				log.Error("Could not read template at %s: %v", path, err)
+			} else {
+				*template = t
+			}
+		}
+	}
+
+	registerActionHandler("block_request", NewBlockAction)
+}
+
+type (
+	// blockActionParams are the dynamic parameters to be provided to a "block_request"
+	// action type upon invocation
+	blockActionParams struct {
+		// GRPCStatusCode is the gRPC status code to be returned. Since 0 is the OK status, the value is nullable to
+		// be able to distinguish between unset and defaulting to Abort (10), or set to OK (0).
+		GRPCStatusCode *int   `mapstructure:"grpc_status_code,omitempty"`
+		StatusCode     int    `mapstructure:"status_code"`
+		Type           string `mapstructure:"type,omitempty"`
+	}
+	// GRPCWrapper is an opaque prototype abstraction for a gRPC handler (to avoid importing grpc)
+	// that returns a status code and an error
+	GRPCWrapper func() (uint32, error)
+
+	// BlockGRPC are actions that interact with a GRPC request flow
+	BlockGRPC struct {
+		GRPCWrapper
+	}
+
+	// BlockHTTP are actions that interact with an HTTP request flow
+	BlockHTTP struct {
+		http.Handler
+	}
+)
+
+func (a *BlockGRPC) EmitData(op dyngo.Operation) {
+	dyngo.EmitData(op, a)
+	dyngo.EmitData(op, &events.BlockingSecurityEvent{})
+}
+
+func (a *BlockHTTP) EmitData(op dyngo.Operation) {
+	dyngo.EmitData(op, a)
+	dyngo.EmitData(op, &events.BlockingSecurityEvent{})
+}
+
+func newGRPCBlockRequestAction(status int) *BlockGRPC {
+	return &BlockGRPC{GRPCWrapper: newGRPCBlockHandler(status)}
+}
+
+func newGRPCBlockHandler(status int) GRPCWrapper {
+	return func() (uint32, error) {
+		return uint32(status), &events.BlockingSecurityEvent{}
+	}
+}
+
+func blockParamsFromMap(params map[string]any) (blockActionParams, error) {
+	grpcCode := 10
+	p := blockActionParams{
+		Type:           "auto",
+		StatusCode:     403,
+		GRPCStatusCode: &grpcCode,
+	}
+
+	if err := mapstructure.WeakDecode(params, &p); err != nil {
+		return p, err
+	}
+
+	if p.GRPCStatusCode == nil {
+		p.GRPCStatusCode = &grpcCode
+	}
+
+	return p, nil
+}
+
+// NewBlockAction creates an action for the "block_request" action type
+func NewBlockAction(params map[string]any) []Action {
+	p, err := blockParamsFromMap(params)
+	if err != nil {
+		log.Debug("appsec: couldn't decode redirect action parameters")
+		return nil
+	}
+	return []Action{
+		newHTTPBlockRequestAction(p.StatusCode, p.Type),
+		newGRPCBlockRequestAction(*p.GRPCStatusCode),
+	}
+}
+
+func newHTTPBlockRequestAction(status int, template string) *BlockHTTP {
+	return &BlockHTTP{Handler: newBlockHandler(status, template)}
+}
+
+// newBlockHandler creates, initializes and returns a new BlockRequestAction
+func newBlockHandler(status int, template string) http.Handler {
+	htmlHandler := newBlockRequestHandler(status, "text/html", blockedTemplateHTML)
+	jsonHandler := newBlockRequestHandler(status, "application/json", blockedTemplateJSON)
+	switch template {
+	case "json":
+		return jsonHandler
+	case "html":
+		return htmlHandler
+	default:
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			h := jsonHandler
+			hdr := r.Header.Get("Accept")
+			htmlIdx := strings.Index(hdr, "text/html")
+			jsonIdx := strings.Index(hdr, "application/json")
+			// Switch to html handler if text/html comes before application/json in the Accept header
+			if htmlIdx != -1 && (jsonIdx == -1 || htmlIdx < jsonIdx) {
+				h = htmlHandler
+			}
+			h.ServeHTTP(w, r)
+		})
+	}
+}
+
+func newBlockRequestHandler(status int, ct string, payload []byte) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.Header().Set("Content-Type", ct)
+		w.WriteHeader(status)
+		w.Write(payload)
+	})
+}
diff --git a/internal/appsec/emitter/waf/actions/blocked-template.html b/internal/appsec/emitter/waf/actions/blocked-template.html
new file mode 100644
index 0000000000..b43edd96dd
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/blocked-template.html
@@ -0,0 +1 @@
+<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>You've been blocked</title><style>a,body,div,html,span{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}body{background:-webkit-radial-gradient(26% 19%,circle,#fff,#f4f7f9);background:radial-gradient(circle at 26% 19%,#fff,#f4f7f9);display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;width:100%;min-height:100vh;line-height:1;flex-direction:column}p{display:block}main{text-align:center;flex:1;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;flex-direction:column}p{font-size:18px;line-height:normal;color:#646464;font-family:sans-serif;font-weight:400}a{color:#4842b7}footer{width:100%;text-align:center}footer p{font-size:16px}</style></head><body><main><p>Sorry, you cannot access this page. Please contact the customer service team.</p></main><footer><p>Security provided by <a href="https://www.datadoghq.com/product/security-platform/application-security-monitoring/" target="_blank">Datadog</a></p></footer></body></html>
\ No newline at end of file
diff --git a/internal/appsec/emitter/waf/actions/blocked-template.json b/internal/appsec/emitter/waf/actions/blocked-template.json
new file mode 100644
index 0000000000..12ae29696f
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/blocked-template.json
@@ -0,0 +1 @@
+{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
\ No newline at end of file
diff --git a/internal/appsec/emitter/waf/actions/http_redirect.go b/internal/appsec/emitter/waf/actions/http_redirect.go
new file mode 100644
index 0000000000..e9fb1c4965
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/http_redirect.go
@@ -0,0 +1,54 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package actions
+
+import (
+	"net/http"
+
+	"github.com/mitchellh/mapstructure"
+
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+// redirectActionParams are the dynamic parameters to be provided to a "redirect_request"
+// action type upon invocation
+type redirectActionParams struct {
+	Location   string `mapstructure:"location,omitempty"`
+	StatusCode int    `mapstructure:"status_code"`
+}
+
+func init() {
+	registerActionHandler("redirect_request", NewRedirectAction)
+}
+
+func redirectParamsFromMap(params map[string]any) (redirectActionParams, error) {
+	var p redirectActionParams
+	err := mapstructure.WeakDecode(params, &p)
+	return p, err
+}
+
+func newRedirectRequestAction(status int, loc string) *BlockHTTP {
+	// Default to 303 if status is out of redirection codes bounds
+	if status < http.StatusMultipleChoices || status >= http.StatusBadRequest {
+		status = http.StatusSeeOther
+	}
+
+	// If location is not set we fall back on a default block action
+	if loc == "" {
+		return &BlockHTTP{Handler: newBlockHandler(http.StatusForbidden, string(blockedTemplateJSON))}
+	}
+	return &BlockHTTP{Handler: http.RedirectHandler(loc, status)}
+}
+
+// NewRedirectAction creates an action for the "redirect_request" action type
+func NewRedirectAction(params map[string]any) []Action {
+	p, err := redirectParamsFromMap(params)
+	if err != nil {
+		log.Debug("appsec: couldn't decode redirect action parameters")
+		return nil
+	}
+	return []Action{newRedirectRequestAction(p.StatusCode, p.Location)}
+}
diff --git a/internal/appsec/emitter/waf/actions/stacktrace.go b/internal/appsec/emitter/waf/actions/stacktrace.go
new file mode 100644
index 0000000000..9ddd07cf3e
--- /dev/null
+++ b/internal/appsec/emitter/waf/actions/stacktrace.go
@@ -0,0 +1,44 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package actions
+
+import (
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+	"github.com/DataDog/dd-trace-go/v2/internal/stacktrace"
+)
+
+func init() {
+	registerActionHandler("generate_stack", NewStackTraceAction)
+}
+
+// StackTraceAction are actions that generate a stacktrace
+type StackTraceAction struct {
+	Event *stacktrace.Event
+}
+
+func (a *StackTraceAction) EmitData(op dyngo.Operation) { dyngo.EmitData(op, a) }
+
+// NewStackTraceAction creates an action for the "stacktrace" action type
+func NewStackTraceAction(params map[string]any) []Action {
+	id, ok := params["stack_id"]
+	if !ok {
+		log.Debug("appsec: could not read stack_id parameter for generate_stack action")
+		return nil
+	}
+
+	strID, ok := id.(string)
+	if !ok {
+		log.Debug("appsec: could not cast stacktrace ID to string")
+		return nil
+	}
+
+	return []Action{
+		&StackTraceAction{
+			stacktrace.NewEvent(stacktrace.ExploitEvent, stacktrace.WithID(strID)),
+		},
+	}
+}
diff --git a/internal/appsec/emitter/waf/addresses/addresses.go b/internal/appsec/emitter/waf/addresses/addresses.go
new file mode 100644
index 0000000000..03163df23a
--- /dev/null
+++ b/internal/appsec/emitter/waf/addresses/addresses.go
@@ -0,0 +1,40 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package addresses
+
+const (
+	ServerRequestMethodAddr            = "server.request.method"
+	ServerRequestRawURIAddr            = "server.request.uri.raw"
+	ServerRequestHeadersNoCookiesAddr  = "server.request.headers.no_cookies"
+	ServerRequestCookiesAddr           = "server.request.cookies"
+	ServerRequestQueryAddr             = "server.request.query"
+	ServerRequestPathParamsAddr        = "server.request.path_params"
+	ServerRequestBodyAddr              = "server.request.body"
+	ServerResponseStatusAddr           = "server.response.status"
+	ServerResponseHeadersNoCookiesAddr = "server.response.headers.no_cookies"
+
+	ClientIPAddr = "http.client_ip"
+
+	UserIDAddr           = "usr.id"
+	UserSessionIDAddr    = "usr.session_id"
+	UserLoginSuccessAddr = "server.business_logic.users.login.success"
+	UserLoginFailureAddr = "server.business_logic.users.login.failure"
+
+	ServerIoNetURLAddr    = "server.io.net.url"
+	ServerIOFSFileAddr    = "server.io.fs.file"
+	ServerDBStatementAddr = "server.db.statement"
+	ServerDBTypeAddr      = "server.db.system"
+
+	GRPCServerMethodAddr                   = "grpc.server.method"
+	GRPCServerRequestMetadataAddr          = "grpc.server.request.metadata"
+	GRPCServerRequestMessageAddr           = "grpc.server.request.message"
+	GRPCServerResponseMessageAddr          = "grpc.server.response.message"
+	GRPCServerResponseMetadataHeadersAddr  = "grpc.server.response.metadata.headers"
+	GRPCServerResponseMetadataTrailersAddr = "grpc.server.response.metadata.trailers"
+	GRPCServerResponseStatusCodeAddr       = "grpc.server.response.status"
+
+	GraphQLServerResolverAddr = "graphql.server.resolver"
+)
diff --git a/internal/appsec/emitter/waf/addresses/builder.go b/internal/appsec/emitter/waf/addresses/builder.go
new file mode 100644
index 0000000000..946a62bcf9
--- /dev/null
+++ b/internal/appsec/emitter/waf/addresses/builder.go
@@ -0,0 +1,243 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package addresses
+
+import (
+	"net/netip"
+	"strconv"
+
+	waf "github.com/DataDog/go-libddwaf/v3"
+)
+
+const contextProcessKey = "waf.context.processor"
+
+type RunAddressDataBuilder struct {
+	waf.RunAddressData
+}
+
+func NewAddressesBuilder() *RunAddressDataBuilder {
+	return &RunAddressDataBuilder{
+		RunAddressData: waf.RunAddressData{
+			Persistent: make(map[string]any, 1),
+			Ephemeral:  make(map[string]any, 1),
+		},
+	}
+}
+
+func (b *RunAddressDataBuilder) WithMethod(method string) *RunAddressDataBuilder {
+	b.Persistent[ServerRequestMethodAddr] = method
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithRawURI(uri string) *RunAddressDataBuilder {
+	b.Persistent[ServerRequestRawURIAddr] = uri
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithHeadersNoCookies(headers map[string][]string) *RunAddressDataBuilder {
+	if len(headers) == 0 {
+		headers = nil
+	}
+	b.Persistent[ServerRequestHeadersNoCookiesAddr] = headers
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithCookies(cookies map[string][]string) *RunAddressDataBuilder {
+	if len(cookies) == 0 {
+		cookies = nil
+	}
+	b.Persistent[ServerRequestCookiesAddr] = cookies
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithQuery(query map[string][]string) *RunAddressDataBuilder {
+	if len(query) == 0 {
+		query = nil
+	}
+	b.Persistent[ServerRequestQueryAddr] = query
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithPathParams(params map[string]string) *RunAddressDataBuilder {
+	if len(params) == 0 {
+		return b
+	}
+	b.Persistent[ServerRequestPathParamsAddr] = params
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithRequestBody(body any) *RunAddressDataBuilder {
+	if body == nil {
+		return b
+	}
+	b.Persistent[ServerRequestBodyAddr] = body
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithResponseStatus(status int) *RunAddressDataBuilder {
+	if status == 0 {
+		return b
+	}
+	b.Persistent[ServerResponseStatusAddr] = strconv.Itoa(status)
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithResponseHeadersNoCookies(headers map[string][]string) *RunAddressDataBuilder {
+	if len(headers) == 0 {
+		return b
+	}
+	b.Persistent[ServerResponseHeadersNoCookiesAddr] = headers
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithClientIP(ip netip.Addr) *RunAddressDataBuilder {
+	if !ip.IsValid() {
+		return b
+	}
+	b.Persistent[ClientIPAddr] = ip.String()
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithUserID(id string) *RunAddressDataBuilder {
+	if id == "" {
+		return b
+	}
+	b.Persistent[UserIDAddr] = id
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithUserSessionID(id string) *RunAddressDataBuilder {
+	if id == "" {
+		return b
+	}
+	b.Persistent[UserSessionIDAddr] = id
+	return b
+
+}
+
+func (b *RunAddressDataBuilder) WithUserLoginSuccess() *RunAddressDataBuilder {
+	b.Persistent[UserLoginSuccessAddr] = nil
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithUserLoginFailure() *RunAddressDataBuilder {
+	b.Persistent[UserLoginFailureAddr] = nil
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithFilePath(file string) *RunAddressDataBuilder {
+	if file == "" {
+		return b
+	}
+	b.Ephemeral[ServerIOFSFileAddr] = file
+	b.Scope = waf.RASPScope
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithURL(url string) *RunAddressDataBuilder {
+	if url == "" {
+		return b
+	}
+	b.Ephemeral[ServerIoNetURLAddr] = url
+	b.Scope = waf.RASPScope
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithDBStatement(statement string) *RunAddressDataBuilder {
+	if statement == "" {
+		return b
+	}
+	b.Ephemeral[ServerDBStatementAddr] = statement
+	b.Scope = waf.RASPScope
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithDBType(driver string) *RunAddressDataBuilder {
+	if driver == "" {
+		return b
+	}
+	b.Ephemeral[ServerDBTypeAddr] = driver
+	b.Scope = waf.RASPScope
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCMethod(method string) *RunAddressDataBuilder {
+	if method == "" {
+		return b
+	}
+	b.Persistent[GRPCServerMethodAddr] = method
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCRequestMessage(message any) *RunAddressDataBuilder {
+	if message == nil {
+		return b
+	}
+	b.Ephemeral[GRPCServerRequestMessageAddr] = message
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCRequestMetadata(metadata map[string][]string) *RunAddressDataBuilder {
+	if len(metadata) == 0 {
+		return b
+	}
+	b.Persistent[GRPCServerRequestMetadataAddr] = metadata
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCResponseMessage(message any) *RunAddressDataBuilder {
+	if message == nil {
+		return b
+	}
+	b.Ephemeral[GRPCServerResponseMessageAddr] = message
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCResponseMetadataHeaders(headers map[string][]string) *RunAddressDataBuilder {
+	if len(headers) == 0 {
+		return b
+	}
+	b.Persistent[GRPCServerResponseMetadataHeadersAddr] = headers
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCResponseMetadataTrailers(trailers map[string][]string) *RunAddressDataBuilder {
+	if len(trailers) == 0 {
+		return b
+	}
+	b.Persistent[GRPCServerResponseMetadataTrailersAddr] = trailers
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithGRPCResponseStatusCode(status int) *RunAddressDataBuilder {
+	if status == 0 {
+		return b
+	}
+	b.Persistent[GRPCServerResponseStatusCodeAddr] = strconv.Itoa(status)
+	return b
+}
+
+func (b *RunAddressDataBuilder) WithGraphQLResolver(fieldName string, args map[string]any) *RunAddressDataBuilder {
+	if _, ok := b.Ephemeral[GraphQLServerResolverAddr]; !ok {
+		b.Ephemeral[GraphQLServerResolverAddr] = map[string]any{}
+	}
+
+	b.Ephemeral[GraphQLServerResolverAddr].(map[string]any)[fieldName] = args
+	return b
+}
+
+func (b *RunAddressDataBuilder) ExtractSchema() *RunAddressDataBuilder {
+	if _, ok := b.Persistent[contextProcessKey]; !ok {
+		b.Persistent[contextProcessKey] = map[string]bool{}
+	}
+
+	b.Persistent[contextProcessKey].(map[string]bool)["extract-schema"] = true
+	return b
+}
+
+func (b *RunAddressDataBuilder) Build() waf.RunAddressData {
+	return b.RunAddressData
+}
diff --git a/internal/appsec/emitter/waf/context.go b/internal/appsec/emitter/waf/context.go
new file mode 100644
index 0000000000..c2fe17be2d
--- /dev/null
+++ b/internal/appsec/emitter/waf/context.go
@@ -0,0 +1,160 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package waf
+
+import (
+	"context"
+	"maps"
+	"slices"
+	"sync"
+	"sync/atomic"
+
+	"github.com/DataDog/appsec-internal-go/limiter"
+	waf "github.com/DataDog/go-libddwaf/v3"
+
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+	"github.com/DataDog/dd-trace-go/v2/internal/stacktrace"
+
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/trace"
+)
+
+type (
+	ContextOperation struct {
+		dyngo.Operation
+		*trace.ServiceEntrySpanOperation
+
+		// context is an atomic pointer to the current WAF context.
+		// Makes sure the calls to context.Run are safe.
+		context atomic.Pointer[waf.Context]
+		// limiter comes from the WAF feature and is used to limit the number of events as a whole.
+		limiter limiter.Limiter
+		// events is where we store WAF events received from the WAF over the course of the request.
+		events []any
+		// stacks is where we store stack traces received from the WAF over the course of the request.
+		stacks []*stacktrace.Event
+		// derivatives is where we store any span tags generated by the WAF over the course of the request.
+		derivatives map[string]any
+		// supportedAddresses is the set of addresses supported by the WAF.
+		supportedAddresses config.AddressSet
+		// mu protects the events, stacks, and derivatives, supportedAddresses slices.
+		mu sync.Mutex
+		// logOnce is used to log a warning once when a request has too many WAF events via the built-in limiter or the max value.
+		logOnce sync.Once
+	}
+
+	ContextArgs struct{}
+
+	ContextRes struct{}
+
+	// RunEvent is the type of event that should be emitted to child operations to run the WAF
+	RunEvent struct {
+		waf.RunAddressData
+		dyngo.Operation
+	}
+)
+
+func (ContextArgs) IsArgOf(*ContextOperation)   {}
+func (ContextRes) IsResultOf(*ContextOperation) {}
+
+func StartContextOperation(ctx context.Context) (*ContextOperation, context.Context) {
+	entrySpanOp, ctx := trace.StartServiceEntrySpanOperation(ctx)
+	op := &ContextOperation{
+		Operation:                 dyngo.NewOperation(entrySpanOp),
+		ServiceEntrySpanOperation: entrySpanOp,
+	}
+	return op, dyngo.StartAndRegisterOperation(ctx, op, ContextArgs{})
+}
+
+func (op *ContextOperation) Finish(span trace.TagSetter) {
+	dyngo.FinishOperation(op, ContextRes{})
+	op.ServiceEntrySpanOperation.Finish(span)
+}
+
+func (op *ContextOperation) SwapContext(ctx *waf.Context) *waf.Context {
+	return op.context.Swap(ctx)
+}
+
+func (op *ContextOperation) SetLimiter(limiter limiter.Limiter) {
+	op.limiter = limiter
+}
+
+func (op *ContextOperation) AddEvents(events ...any) {
+	if len(events) == 0 {
+		return
+	}
+
+	if !op.limiter.Allow() {
+		log.Warn("appsec: too many WAF events, stopping further reporting")
+		return
+	}
+
+	op.mu.Lock()
+	defer op.mu.Unlock()
+
+	const maxWAFEventsPerRequest = 10
+	if len(op.events) >= maxWAFEventsPerRequest {
+		op.logOnce.Do(func() {
+			log.Warn("appsec: ignoring new WAF event due to the maximum number of security events per request was reached")
+		})
+		return
+	}
+
+	op.events = append(op.events, events...)
+}
+
+func (op *ContextOperation) AddStackTraces(stacks ...*stacktrace.Event) {
+	if len(stacks) == 0 {
+		return
+	}
+
+	op.mu.Lock()
+	defer op.mu.Unlock()
+	op.stacks = append(op.stacks, stacks...)
+}
+
+func (op *ContextOperation) AbsorbDerivatives(derivatives map[string]any) {
+	if len(derivatives) == 0 {
+		return
+	}
+
+	op.mu.Lock()
+	defer op.mu.Unlock()
+	if op.derivatives == nil {
+		op.derivatives = make(map[string]any)
+	}
+
+	for k, v := range derivatives {
+		op.derivatives[k] = v
+	}
+}
+
+func (op *ContextOperation) Derivatives() map[string]any {
+	op.mu.Lock()
+	defer op.mu.Unlock()
+	return maps.Clone(op.derivatives)
+}
+
+func (op *ContextOperation) Events() []any {
+	op.mu.Lock()
+	defer op.mu.Unlock()
+	return slices.Clone(op.events)
+}
+
+func (op *ContextOperation) StackTraces() []*stacktrace.Event {
+	op.mu.Lock()
+	defer op.mu.Unlock()
+	return slices.Clone(op.stacks)
+}
+
+func (op *ContextOperation) OnEvent(event RunEvent) {
+	op.Run(event.Operation, event.RunAddressData)
+}
+
+func (op *ContextOperation) SetSupportedAddresses(addrs config.AddressSet) {
+	op.supportedAddresses = addrs
+}
diff --git a/internal/appsec/emitter/waf/run.go b/internal/appsec/emitter/waf/run.go
new file mode 100644
index 0000000000..cfa1c227ec
--- /dev/null
+++ b/internal/appsec/emitter/waf/run.go
@@ -0,0 +1,78 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package waf
+
+import (
+	"context"
+	"errors"
+	"maps"
+
+	waf "github.com/DataDog/go-libddwaf/v3"
+	wafErrors "github.com/DataDog/go-libddwaf/v3/errors"
+
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/actions"
+
+	"github.com/DataDog/dd-trace-go/v2/appsec/events"
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+// Run runs the WAF with the given address data and sends the results to the event receiver
+// the event receiver can be the same os the method receiver but not always
+// the event receiver is the one that will receive the actions events generated by the WAF
+func (op *ContextOperation) Run(eventReceiver dyngo.Operation, addrs waf.RunAddressData) {
+	ctx := op.context.Load()
+	if ctx == nil { // Context was closed concurrently
+		return
+	}
+
+	// Remove unsupported addresses in case the listener was registered but some addresses are still unsupported
+	// Technically the WAF does this step for us but doing this check before calling the WAF makes us skip encoding huge
+	// values that may be discarded by the WAF afterward.
+	// e.g. gRPC response body address that is not in the default ruleset but will still be sent to the WAF and may be huge
+	for _, addrType := range []map[string]any{addrs.Persistent, addrs.Ephemeral} {
+		maps.DeleteFunc(addrType, func(key string, _ any) bool {
+			_, ok := op.supportedAddresses[key]
+			return !ok
+		})
+	}
+
+	result, err := ctx.Run(addrs)
+	if errors.Is(err, wafErrors.ErrTimeout) {
+		log.Debug("appsec: WAF timeout value reached: %v", err)
+	} else if err != nil {
+		log.Error("appsec: unexpected WAF error: %v", err)
+	}
+
+	op.AddEvents(result.Events...)
+	op.AbsorbDerivatives(result.Derivatives)
+
+	actions.SendActionEvents(eventReceiver, result.Actions)
+
+	if result.HasEvents() {
+		log.Debug("appsec: WAF detected a suspicious event")
+	}
+}
+
+// RunSimple runs the WAF with the given address data and returns an error that should be forwarded to the caller
+func RunSimple(ctx context.Context, addrs waf.RunAddressData, errorLog string) error {
+	parent, _ := dyngo.FromContext(ctx)
+	if parent == nil {
+		log.Error(errorLog)
+		return nil
+	}
+
+	var err error
+	op := dyngo.NewOperation(parent)
+	dyngo.OnData(op, func(e *events.BlockingSecurityEvent) {
+		err = e
+	})
+	dyngo.EmitData(op, RunEvent{
+		Operation:      op,
+		RunAddressData: addrs,
+	})
+	return err
+}
diff --git a/internal/appsec/features.go b/internal/appsec/features.go
new file mode 100644
index 0000000000..4f91dc269e
--- /dev/null
+++ b/internal/appsec/features.go
@@ -0,0 +1,81 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package appsec
+
+import (
+	"errors"
+
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/graphqlsec"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/grpcsec"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/httpsec"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/ossec"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/sqlsec"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/trace"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/usersec"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/waf"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+var features = []listener.NewFeature{
+	trace.NewAppsecSpanTransport,
+	waf.NewWAFFeature,
+	httpsec.NewHTTPSecFeature,
+	grpcsec.NewGRPCSecFeature,
+	graphqlsec.NewGraphQLSecFeature,
+	usersec.NewUserSecFeature,
+	sqlsec.NewSQLSecFeature,
+	ossec.NewOSSecFeature,
+	httpsec.NewSSRFProtectionFeature,
+}
+
+func (a *appsec) SwapRootOperation() error {
+	newRoot := dyngo.NewRootOperation()
+	newFeatures := make([]listener.Feature, 0, len(features))
+	var featureErrors []error
+	for _, newFeature := range features {
+		feature, err := newFeature(a.cfg, newRoot)
+		if err != nil {
+			featureErrors = append(featureErrors, err)
+			continue
+		}
+
+		// If error is nil and feature is nil, it means the feature did not activate itself
+		if feature == nil {
+			continue
+		}
+
+		newFeatures = append(newFeatures, feature)
+	}
+
+	err := errors.Join(featureErrors...)
+	if err != nil {
+		for _, feature := range newFeatures {
+			feature.Stop()
+		}
+		return err
+	}
+
+	a.featuresMu.Lock()
+	defer a.featuresMu.Unlock()
+
+	oldFeatures := a.features
+	a.features = newFeatures
+
+	log.Debug("appsec: stopping the following features: %v", oldFeatures)
+	log.Debug("appsec: starting the following features: %v", newFeatures)
+
+	dyngo.SwapRootOperation(newRoot)
+
+	log.Debug("appsec: swapped root operation")
+
+	for _, oldFeature := range oldFeatures {
+		oldFeature.Stop()
+	}
+
+	return nil
+}
diff --git a/internal/appsec/listener/feature.go b/internal/appsec/listener/feature.go
new file mode 100644
index 0000000000..d22067cd8d
--- /dev/null
+++ b/internal/appsec/listener/feature.go
@@ -0,0 +1,24 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package listener
+
+import (
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+)
+
+// Feature is an interface that represents a feature that can be started and stopped.
+type Feature interface {
+	// String should return a user-friendly name for the feature.
+	String() string
+	// Stop stops the feature.
+	Stop()
+}
+
+// NewFeature is a function that creates a new feature.
+// The error returned will be fatal for the application if not nil.
+// If both the feature and the error are nil, the feature will be considered inactive.
+type NewFeature func(*config.Config, dyngo.Operation) (Feature, error)
diff --git a/internal/appsec/listener/graphqlsec/graphql.go b/internal/appsec/listener/graphqlsec/graphql.go
index 9cd4f2e245..083734c5b2 100644
--- a/internal/appsec/listener/graphqlsec/graphql.go
+++ b/internal/appsec/listener/graphqlsec/graphql.go
@@ -1,7 +1,7 @@
 // Unless explicitly stated otherwise all files in this repository are licensed
 // under the Apache License Version 2.0.
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
 
 package graphqlsec
 
@@ -23,108 +23,30 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/internal/samplernames"
 )
 
-// GraphQL rule addresses currently supported by the WAF
-const (
-	graphQLServerResolverAddr = "graphql.server.resolver"
-)
+type Feature struct{}
 
-// List of GraphQL rule addresses currently supported by the WAF
-var supportedAddresses = listener.AddressSet{
-	graphQLServerResolverAddr:  {},
-	httpsec.ServerIoNetURLAddr: {},
+func (*Feature) String() string {
+	return "GraphQL Security"
 }
 
-// Install registers the GraphQL WAF Event Listener on the given root operation.
-func Install(wafHandle *waf.Handle, cfg *config.Config, lim limiter.Limiter, root dyngo.Operation) {
-	if listener := newWafEventListener(wafHandle, cfg, lim); listener != nil {
-		log.Debug("appsec: registering the GraphQL WAF Event Listener")
-		dyngo.On(root, listener.onEvent)
-	}
-}
+func (*Feature) Stop() {}
 
-type wafEventListener struct {
-	wafHandle *waf.Handle
-	config    *config.Config
-	addresses listener.AddressSet
-	limiter   limiter.Limiter
-	wafDiags  waf.Diagnostics
-	once      sync.Once
+func (f *Feature) OnResolveField(op *graphqlsec.ResolveOperation, args graphqlsec.ResolveOperationArgs) {
+	dyngo.EmitData(op, waf.RunEvent{
+		Operation: op,
+		RunAddressData: addresses.NewAddressesBuilder().
+			WithGraphQLResolver(args.FieldName, args.Arguments).
+			Build(),
+	})
 }
 
-func newWafEventListener(wafHandle *waf.Handle, cfg *config.Config, limiter limiter.Limiter) *wafEventListener {
-	if wafHandle == nil {
-		log.Debug("appsec: no WAF Handle available, the GraphQL WAF Event Listener will not be registered")
-		return nil
-	}
-
-	addresses := listener.FilterAddressSet(supportedAddresses, wafHandle)
-	if len(addresses) == 0 {
-		log.Debug("appsec: no supported GraphQL address is used by currently loaded WAF rules, the GraphQL WAF Event Listener will not be registered")
-		return nil
+func NewGraphQLSecFeature(config *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+	if !config.SupportedAddresses.AnyOf(addresses.GraphQLServerResolverAddr) {
+		return nil, nil
 	}
 
-	return &wafEventListener{
-		wafHandle: wafHandle,
-		config:    cfg,
-		addresses: addresses,
-		limiter:   limiter,
-		wafDiags:  wafHandle.Diagnostics(),
-	}
-}
-
-// NewWAFEventListener returns the WAF event listener to register in order
-// to enable it.
-func (l *wafEventListener) onEvent(request *types.RequestOperation, _ types.RequestOperationArgs) {
-	wafCtx, err := l.wafHandle.NewContextWithBudget(l.config.WAFTimeout)
-	if err != nil {
-		log.Debug("appsec: could not create budgeted WAF context: %v", err)
-	}
-	// Early return in the following cases:
-	// - wafCtx is nil, meaning it was concurrently released
-	// - err is not nil, meaning context creation failed
-	if wafCtx == nil || err != nil {
-		return
-	}
+	feature := &Feature{}
+	dyngo.On(rootOp, feature.OnResolveField)
 
-	if _, ok := l.addresses[httpsec.ServerIoNetURLAddr]; ok {
-		httpsec.RegisterRoundTripperListener(request, &request.SecurityEventsHolder, wafCtx, l.limiter)
-	}
-
-	// Add span tags notifying this trace is AppSec-enabled
-	trace.SetAppSecEnabledTags(request)
-	l.once.Do(func() {
-		shared.AddRulesMonitoringTags(request, &l.wafDiags)
-		request.SetTag(ext.ManualKeep, samplernames.AppSec)
-	})
-
-	dyngo.On(request, func(query *types.ExecutionOperation, args types.ExecutionOperationArgs) {
-		dyngo.On(query, func(field *types.ResolveOperation, args types.ResolveOperationArgs) {
-			if _, found := l.addresses[graphQLServerResolverAddr]; found {
-				wafResult := shared.RunWAF(
-					wafCtx,
-					waf.RunAddressData{
-						Ephemeral: map[string]any{
-							graphQLServerResolverAddr: map[string]any{args.FieldName: args.Arguments},
-						},
-					},
-				)
-				shared.AddSecurityEvents(&field.SecurityEventsHolder, l.limiter, wafResult.Events)
-			}
-
-			dyngo.OnFinish(field, func(field *types.ResolveOperation, res types.ResolveOperationRes) {
-				trace.SetEventSpanTags(field, field.Events())
-			})
-		})
-
-		dyngo.OnFinish(query, func(query *types.ExecutionOperation, res types.ExecutionOperationRes) {
-			trace.SetEventSpanTags(query, query.Events())
-		})
-	})
-
-	dyngo.OnFinish(request, func(request *types.RequestOperation, res types.RequestOperationRes) {
-		defer wafCtx.Close()
-
-		shared.AddWAFMonitoringTags(request, l.wafDiags.Version, wafCtx.Stats().Metrics())
-		trace.SetEventSpanTags(request, request.Events())
-	})
+	return feature, nil
 }
diff --git a/internal/appsec/listener/grpcsec/grpc.go b/internal/appsec/listener/grpcsec/grpc.go
index cc1831cf09..0a9ed1e6c0 100644
--- a/internal/appsec/listener/grpcsec/grpc.go
+++ b/internal/appsec/listener/grpcsec/grpc.go
@@ -1,7 +1,7 @@
 // Unless explicitly stated otherwise all files in this repository are licensed
 // under the Apache License Version 2.0.
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
 
 package grpcsec
 
@@ -27,183 +27,60 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/internal/samplernames"
 )
 
-// gRPC rule addresses currently supported by the WAF
-const (
-	GRPCServerMethodAddr          = "grpc.server.method"
-	GRPCServerRequestMessageAddr  = "grpc.server.request.message"
-	GRPCServerRequestMetadataAddr = "grpc.server.request.metadata"
-)
+type Feature struct{}
 
-// List of gRPC rule addresses currently supported by the WAF
-var supportedAddresses = listener.AddressSet{
-	GRPCServerMethodAddr:          {},
-	GRPCServerRequestMessageAddr:  {},
-	GRPCServerRequestMetadataAddr: {},
-	httpsec.HTTPClientIPAddr:      {},
-	httpsec.UserIDAddr:            {},
-	httpsec.ServerIoNetURLAddr:    {},
-	ossec.ServerIOFSFileAddr:      {},
-	sqlsec.ServerDBStatementAddr:  {},
-	sqlsec.ServerDBTypeAddr:       {},
+func (*Feature) String() string {
+	return "gRPC Security"
 }
 
-// Install registers the gRPC WAF Event Listener on the given root operation.
-func Install(wafHandle *waf.Handle, cfg *config.Config, lim limiter.Limiter, root dyngo.Operation) {
-	if listener := newWafEventListener(wafHandle, cfg, lim); listener != nil {
-		log.Debug("appsec: registering the gRPC WAF Event Listener")
-		dyngo.On(root, listener.onEvent)
+func (*Feature) Stop() {}
+
+func NewGRPCSecFeature(config *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+	if !config.SupportedAddresses.AnyOf(
+		addresses.ClientIPAddr,
+		addresses.GRPCServerMethodAddr,
+		addresses.GRPCServerRequestMessageAddr,
+		addresses.GRPCServerRequestMetadataAddr,
+		addresses.GRPCServerResponseMessageAddr,
+		addresses.GRPCServerResponseMetadataHeadersAddr,
+		addresses.GRPCServerResponseMetadataTrailersAddr,
+		addresses.GRPCServerResponseStatusCodeAddr) {
+		return nil, nil
 	}
-}
 
-type wafEventListener struct {
-	wafHandle *waf.Handle
-	config    *config.Config
-	addresses listener.AddressSet
-	limiter   limiter.Limiter
-	wafDiags  waf.Diagnostics
-	once      sync.Once
+	feature := &Feature{}
+	dyngo.On(rootOp, feature.OnStart)
+	dyngo.OnFinish(rootOp, feature.OnFinish)
+	return feature, nil
 }
 
-func newWafEventListener(wafHandle *waf.Handle, cfg *config.Config, limiter limiter.Limiter) *wafEventListener {
-	if wafHandle == nil {
-		log.Debug("appsec: no WAF Handle available, the gRPC WAF Event Listener will not be registered")
-		return nil
-	}
+func (f *Feature) OnStart(op *grpcsec.HandlerOperation, args grpcsec.HandlerOperationArgs) {
+	ipTags, clientIP := httpsec.ClientIPTags(args.Metadata, false, args.RemoteAddr)
+	log.Debug("appsec: http client ip detection returned `%s`", clientIP)
 
-	addresses := listener.FilterAddressSet(supportedAddresses, wafHandle)
-	if len(addresses) == 0 {
-		log.Debug("appsec: no supported gRPC address is used by currently loaded WAF rules, the gRPC WAF Event Listener will not be registered")
-		return nil
-	}
+	op.SetStringTags(ipTags)
 
-	return &wafEventListener{
-		wafHandle: wafHandle,
-		config:    cfg,
-		addresses: addresses,
-		limiter:   limiter,
-		wafDiags:  wafHandle.Diagnostics(),
-	}
-}
+	SetRequestMetadataTags(op, args.Metadata)
 
-// NewWAFEventListener returns the WAF event listener to register in order to enable it, listening to gRPC handler
-// events.
-func (l *wafEventListener) onEvent(op *types.HandlerOperation, handlerArgs types.HandlerOperationArgs) {
-	// Limit the maximum number of security events, as a streaming RPC could
-	// receive unlimited number of messages where we could find security events
-	var (
-		nbEvents atomic.Uint32
-		logOnce  sync.Once // per request
+	op.Run(op,
+		addresses.NewAddressesBuilder().
+			WithGRPCMethod(args.Method).
+			WithGRPCRequestMetadata(args.Metadata).
+			WithClientIP(clientIP).
+			Build(),
 	)
-	addEvents := func(events []any) {
-		const maxWAFEventsPerRequest = 10
-		if nbEvents.Load() >= maxWAFEventsPerRequest {
-			logOnce.Do(func() {
-				log.Debug("appsec: ignoring new WAF event due to the maximum number of security events per grpc call reached")
-			})
-			return
-		}
-		nbEvents.Add(uint32(len(events)))
-		shared.AddSecurityEvents(&op.SecurityEventsHolder, l.limiter, events)
-	}
-
-	wafCtx, err := l.wafHandle.NewContextWithBudget(l.config.WAFTimeout)
-	if err != nil {
-		log.Debug("appsec: could not create budgeted WAF context: %v", err)
-	}
-	// Early return in the following cases:
-	// - wafCtx is nil, meaning it was concurrently released
-	// - err is not nil, meaning context creation failed
-	if wafCtx == nil || err != nil {
-		return
-	}
-
-	if httpsec.SSRFAddressesPresent(l.addresses) {
-		httpsec.RegisterRoundTripperListener(op, &op.SecurityEventsHolder, wafCtx, l.limiter)
-	}
-
-	if ossec.OSAddressesPresent(l.addresses) {
-		ossec.RegisterOpenListener(op, &op.SecurityEventsHolder, wafCtx, l.limiter)
-	}
-
-	if sqlsec.SQLAddressesPresent(l.addresses) {
-		sqlsec.RegisterSQLListener(op, &op.SecurityEventsHolder, wafCtx, l.limiter)
-	}
-
-	// Listen to the UserID address if the WAF rules are using it
-	if l.isSecAddressListened(httpsec.UserIDAddr) {
-		// UserIDOperation happens when appsec.SetUser() is called. We run the WAF and apply actions to
-		// see if the associated user should be blocked. Since we don't control the execution flow in this case
-		// (SetUser is SDK), we delegate the responsibility of interrupting the handler to the user.
-		dyngo.On(op, shared.MakeWAFRunListener(&op.SecurityEventsHolder, wafCtx, l.limiter, func(args sharedsec.UserIDOperationArgs) waf.RunAddressData {
-			return waf.RunAddressData{Persistent: map[string]any{httpsec.UserIDAddr: args.UserID}}
-		}))
-	}
-
-	values := make(map[string]any, 2) // 2 because the method and client ip addresses are commonly present in the rules
-	if l.isSecAddressListened(GRPCServerMethodAddr) {
-		// Note that this address is passed asap for the passlist, which are created per grpc method
-		values[GRPCServerMethodAddr] = handlerArgs.Method
-	}
-	if l.isSecAddressListened(httpsec.HTTPClientIPAddr) && handlerArgs.ClientIP.IsValid() {
-		values[httpsec.HTTPClientIPAddr] = handlerArgs.ClientIP.String()
-	}
-
-	wafResult := shared.RunWAF(wafCtx, waf.RunAddressData{Persistent: values})
-	if wafResult.HasEvents() {
-		addEvents(wafResult.Events)
-		log.Debug("appsec: WAF detected an attack before executing the request")
-	}
-	if wafResult.HasActions() {
-		interrupt := shared.ProcessActions(op, wafResult.Actions)
-		if interrupt {
-			wafCtx.Close()
-			return
-		}
-	}
+}
 
-	// When the gRPC handler receives a message
-	dyngo.OnFinish(op, func(_ types.ReceiveOperation, res types.ReceiveOperationRes) {
-		// Run the WAF on the rule addresses available and listened to by the sec rules
-		var values waf.RunAddressData
-		// Add the gRPC message to the values if the WAF rules are using it.
-		// Note that it is an ephemeral address as they can happen more than once per RPC.
-		if l.isSecAddressListened(GRPCServerRequestMessageAddr) {
-			values.Ephemeral = map[string]any{GRPCServerRequestMessageAddr: res.Message}
-		}
-
-		// Add the metadata to the values if the WAF rules are using it.
-		if l.isSecAddressListened(GRPCServerRequestMetadataAddr) {
-			if md := handlerArgs.Metadata; len(md) > 0 {
-				values.Persistent = map[string]any{GRPCServerRequestMetadataAddr: md}
-			}
-		}
-
-		// Run the WAF, ignoring the returned actions - if any - since blocking after the request handler's
-		// response is not supported at the moment.
-		wafResult := shared.RunWAF(wafCtx, values)
-		if wafResult.HasEvents() {
-			log.Debug("appsec: attack detected by the grpc waf")
-			addEvents(wafResult.Events)
-		}
-		if wafResult.HasActions() {
-			shared.ProcessActions(op, wafResult.Actions)
-		}
-	})
-
-	// When the gRPC handler finishes
-	dyngo.OnFinish(op, func(op *types.HandlerOperation, _ types.HandlerOperationRes) {
-		defer wafCtx.Close()
-
-		shared.AddWAFMonitoringTags(op, l.wafDiags.Version, wafCtx.Stats().Metrics())
-		// Log the following metrics once per instantiation of a WAF handle
-		l.once.Do(func() {
-			shared.AddRulesMonitoringTags(op, &l.wafDiags)
-			op.SetTag(ext.ManualKeep, samplernames.AppSec)
-		})
-	})
+func (f *Feature) OnFinish(op *grpcsec.HandlerOperation, res grpcsec.HandlerOperationRes) {
+	op.Run(op,
+		addresses.NewAddressesBuilder().
+			WithGRPCResponseStatusCode(res.StatusCode).
+			Build(),
+	)
 }
 
-func (l *wafEventListener) isSecAddressListened(addr string) bool {
-	_, listened := l.addresses[addr]
-	return listened
+func SetRequestMetadataTags(span trace.TagSetter, metadata map[string][]string) {
+	for h, v := range httpsec.NormalizeHTTPHeaders(metadata) {
+		span.SetTag("grpc.metadata."+h, v)
+	}
 }
diff --git a/internal/appsec/listener/grpcsec/grpc_test.go b/internal/appsec/listener/grpcsec/grpc_test.go
new file mode 100644
index 0000000000..673727abb0
--- /dev/null
+++ b/internal/appsec/listener/grpcsec/grpc_test.go
@@ -0,0 +1,118 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package grpcsec
+
+import (
+	"fmt"
+	"testing"
+
+	testlib "github.com/DataDog/dd-trace-go/v2/internal/appsec/_testlib"
+
+	"github.com/stretchr/testify/require"
+)
+
+type MockSpan struct {
+	Tags map[string]any
+}
+
+func (m *MockSpan) SetTag(key string, value interface{}) {
+	if m.Tags == nil {
+		m.Tags = make(map[string]any)
+	}
+	if key == ext.ManualKeep {
+		if value == samplernames.AppSec {
+			m.Tags[ext.ManualKeep] = true
+		}
+	} else {
+		m.Tags[key] = value
+	}
+}
+
+func TestTags(t *testing.T) {
+	for _, eventCase := range []struct {
+		name          string
+		events        []any
+		expectedTag   string
+		expectedError bool
+	}{
+		{
+			name:   "no-event",
+			events: nil,
+		},
+		{
+			name:        "one-event",
+			events:      []any{"one"},
+			expectedTag: `{"triggers":["one"]}`,
+		},
+		{
+			name:        "two-events",
+			events:      []any{"one", "two"},
+			expectedTag: `{"triggers":["one","two"]}`,
+		},
+	} {
+		eventCase := eventCase
+		for _, metadataCase := range []struct {
+			name         string
+			md           map[string][]string
+			expectedTags map[string]interface{}
+		}{
+			{
+				name: "zero-metadata",
+			},
+			{
+				name: "xff-metadata",
+				md: map[string][]string{
+					"x-forwarded-for": {"1.2.3.4", "4.5.6.7"},
+					":authority":      {"something"},
+				},
+				expectedTags: map[string]interface{}{
+					"grpc.metadata.x-forwarded-for": "1.2.3.4,4.5.6.7",
+				},
+			},
+			{
+				name: "xff-metadata",
+				md: map[string][]string{
+					"x-forwarded-for": {"1.2.3.4"},
+					":authority":      {"something"},
+				},
+				expectedTags: map[string]interface{}{
+					"grpc.metadata.x-forwarded-for": "1.2.3.4",
+				},
+			},
+			{
+				name: "no-monitored-metadata",
+				md: map[string][]string{
+					":authority": {"something"},
+				},
+			},
+		} {
+			metadataCase := metadataCase
+			t.Run(fmt.Sprintf("%s-%s", eventCase.name, metadataCase.name), func(t *testing.T) {
+				var span MockSpan
+				err := waf.SetEventSpanTags(&span, eventCase.events)
+				if eventCase.expectedError {
+					require.Error(t, err)
+					return
+				}
+				require.NoError(t, err)
+				SetRequestMetadataTags(&span, metadataCase.md)
+
+				if eventCase.events != nil {
+					require.Subset(t, span.Tags, map[string]interface{}{
+						"_dd.appsec.json": eventCase.expectedTag,
+						"manual.keep":     true,
+						"appsec.event":    true,
+						"_dd.origin":      "appsec",
+					})
+				}
+
+				if l := len(metadataCase.expectedTags); l > 0 {
+					require.Subset(t, span.Tags, metadataCase.expectedTags)
+				}
+			})
+		}
+	}
+}
diff --git a/internal/appsec/listener/httpsec/http.go b/internal/appsec/listener/httpsec/http.go
index ff5a3dd39d..9a382977ba 100644
--- a/internal/appsec/listener/httpsec/http.go
+++ b/internal/appsec/listener/httpsec/http.go
@@ -1,233 +1,94 @@
 // Unless explicitly stated otherwise all files in this repository are licensed
 // under the Apache License Version 2.0.
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
 
 package httpsec
 
 import (
-	"fmt"
 	"math/rand"
-	"sync"
 
-	"github.com/DataDog/appsec-internal-go/limiter"
-	waf "github.com/DataDog/go-libddwaf/v3"
+	internal "github.com/DataDog/appsec-internal-go/appsec"
 
-	"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
 	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/httpsec/types"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/emitter/sharedsec"
 	"github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/addresses"
 	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
-	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/ossec"
-	shared "github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/sharedsec"
-	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/sqlsec"
 	"github.com/DataDog/dd-trace-go/v2/internal/log"
-	"github.com/DataDog/dd-trace-go/v2/internal/samplernames"
 )
 
-// HTTP rule addresses currently supported by the WAF
-const (
-	ServerRequestMethodAddr            = "server.request.method"
-	ServerRequestRawURIAddr            = "server.request.uri.raw"
-	ServerRequestHeadersNoCookiesAddr  = "server.request.headers.no_cookies"
-	ServerRequestCookiesAddr           = "server.request.cookies"
-	ServerRequestQueryAddr             = "server.request.query"
-	ServerRequestPathParamsAddr        = "server.request.path_params"
-	ServerRequestBodyAddr              = "server.request.body"
-	ServerResponseStatusAddr           = "server.response.status"
-	ServerResponseHeadersNoCookiesAddr = "server.response.headers.no_cookies"
-	HTTPClientIPAddr                   = "http.client_ip"
-	UserIDAddr                         = "usr.id"
-	ServerIoNetURLAddr                 = "server.io.net.url"
-)
-
-// List of HTTP rule addresses currently supported by the WAF
-var supportedAddresses = listener.AddressSet{
-	ServerRequestMethodAddr:            {},
-	ServerRequestRawURIAddr:            {},
-	ServerRequestHeadersNoCookiesAddr:  {},
-	ServerRequestCookiesAddr:           {},
-	ServerRequestQueryAddr:             {},
-	ServerRequestPathParamsAddr:        {},
-	ServerRequestBodyAddr:              {},
-	ServerResponseStatusAddr:           {},
-	ServerResponseHeadersNoCookiesAddr: {},
-	HTTPClientIPAddr:                   {},
-	UserIDAddr:                         {},
-	ServerIoNetURLAddr:                 {},
-	ossec.ServerIOFSFileAddr:           {},
-	sqlsec.ServerDBStatementAddr:       {},
-	sqlsec.ServerDBTypeAddr:            {},
-}
-
-// Install registers the HTTP WAF Event Listener on the given root operation.
-func Install(wafHandle *waf.Handle, cfg *config.Config, lim limiter.Limiter, root dyngo.Operation) {
-	if listener := newWafEventListener(wafHandle, cfg, lim); listener != nil {
-		log.Debug("appsec: registering the HTTP WAF Event Listener")
-		dyngo.On(root, listener.onEvent)
-	}
+type Feature struct {
+	APISec internal.APISecConfig
 }
 
-type wafEventListener struct {
-	wafHandle *waf.Handle
-	config    *config.Config
-	addresses listener.AddressSet
-	limiter   limiter.Limiter
-	wafDiags  waf.Diagnostics
-	once      sync.Once
+func (*Feature) String() string {
+	return "HTTP Security"
 }
 
-// newWAFEventListener returns the WAF event listener to register in order to enable it.
-func newWafEventListener(wafHandle *waf.Handle, cfg *config.Config, limiter limiter.Limiter) *wafEventListener {
-	if wafHandle == nil {
-		log.Debug("appsec: no WAF Handle available, the HTTP WAF Event Listener will not be registered")
-		return nil
+func (*Feature) Stop() {}
+
+func NewHTTPSecFeature(config *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+	if !config.SupportedAddresses.AnyOf(addresses.ServerRequestMethodAddr,
+		addresses.ServerRequestRawURIAddr,
+		addresses.ServerRequestHeadersNoCookiesAddr,
+		addresses.ServerRequestCookiesAddr,
+		addresses.ServerRequestQueryAddr,
+		addresses.ServerRequestPathParamsAddr,
+		addresses.ServerRequestBodyAddr,
+		addresses.ServerResponseStatusAddr,
+		addresses.ServerResponseHeadersNoCookiesAddr) {
+		return nil, nil
 	}
 
-	addresses := listener.FilterAddressSet(supportedAddresses, wafHandle)
-	if len(addresses) == 0 {
-		log.Debug("appsec: no supported HTTP address is used by currently loaded WAF rules, the HTTP WAF Event Listener will not be registered")
-		return nil
+	feature := &Feature{
+		APISec: config.APISec,
 	}
 
-	return &wafEventListener{
-		wafHandle: wafHandle,
-		config:    cfg,
-		addresses: addresses,
-		limiter:   limiter,
-		wafDiags:  wafHandle.Diagnostics(),
-	}
+	dyngo.On(rootOp, feature.OnRequest)
+	dyngo.OnFinish(rootOp, feature.OnResponse)
+	return feature, nil
 }
 
-func (l *wafEventListener) onEvent(op *types.Operation, args types.HandlerOperationArgs) {
-	wafCtx, err := l.wafHandle.NewContextWithBudget(l.config.WAFTimeout)
-	if err != nil {
-		log.Debug("appsec: could not create budgeted WAF context: %v", err)
-	}
-	// Early return in the following cases:
-	// - wafCtx is nil, meaning it was concurrently released
-	// - err is not nil, meaning context creation failed
-	if wafCtx == nil || err != nil {
-		// The WAF event listener got concurrently released
-		return
-	}
-
-	if SSRFAddressesPresent(l.addresses) {
-		dyngo.On(op, shared.MakeWAFRunListener(&op.SecurityEventsHolder, wafCtx, l.limiter, func(args types.RoundTripOperationArgs) waf.RunAddressData {
-			return waf.RunAddressData{Ephemeral: map[string]any{ServerIoNetURLAddr: args.URL}}
-		}))
-	}
-
-	if ossec.OSAddressesPresent(l.addresses) {
-		ossec.RegisterOpenListener(op, &op.SecurityEventsHolder, wafCtx, l.limiter)
-	}
-
-	if sqlsec.SQLAddressesPresent(l.addresses) {
-		sqlsec.RegisterSQLListener(op, &op.SecurityEventsHolder, wafCtx, l.limiter)
-	}
-
-	if _, ok := l.addresses[UserIDAddr]; ok {
-		// OnUserIDOperationStart happens when appsec.SetUser() is called. We run the WAF and apply actions to
-		// see if the associated user should be blocked. Since we don't control the execution flow in this case
-		// (SetUser is SDK), we delegate the responsibility of interrupting the handler to the user.
-		dyngo.On(op, shared.MakeWAFRunListener(&op.SecurityEventsHolder, wafCtx, l.limiter, func(args sharedsec.UserIDOperationArgs) waf.RunAddressData {
-			return waf.RunAddressData{Persistent: map[string]any{UserIDAddr: args.UserID}}
-		}))
-	}
+func (feature *Feature) OnRequest(op *httpsec.HandlerOperation, args httpsec.HandlerOperationArgs) {
+	tags, ip := ClientIPTags(args.Headers, true, args.RemoteAddr)
+	log.Debug("appsec: http client ip detection returned `%s` given the http headers `%v`", ip, args.Headers)
+
+	op.SetStringTags(tags)
+	headers := headersRemoveCookies(args.Headers)
+	headers["host"] = []string{args.Host}
+
+	setRequestHeadersTags(op, headers)
+
+	op.Run(op,
+		addresses.NewAddressesBuilder().
+			WithMethod(args.Method).
+			WithRawURI(args.RequestURI).
+			WithHeadersNoCookies(headers).
+			WithCookies(args.Cookies).
+			WithQuery(args.QueryParams).
+			WithPathParams(args.PathParams).
+			WithClientIP(ip).
+			Build(),
+	)
+}
 
-	values := make(map[string]any, 8)
-	for addr := range l.addresses {
-		switch addr {
-		case HTTPClientIPAddr:
-			if args.ClientIP.IsValid() {
-				values[HTTPClientIPAddr] = args.ClientIP.String()
-			}
-		case ServerRequestMethodAddr:
-			values[ServerRequestMethodAddr] = args.Method
-		case ServerRequestRawURIAddr:
-			values[ServerRequestRawURIAddr] = args.RequestURI
-		case ServerRequestHeadersNoCookiesAddr:
-			if headers := args.Headers; headers != nil {
-				values[ServerRequestHeadersNoCookiesAddr] = headers
-			}
-		case ServerRequestCookiesAddr:
-			if cookies := args.Cookies; cookies != nil {
-				values[ServerRequestCookiesAddr] = cookies
-			}
-		case ServerRequestQueryAddr:
-			if query := args.Query; query != nil {
-				values[ServerRequestQueryAddr] = query
-			}
-		case ServerRequestPathParamsAddr:
-			if pathParams := args.PathParams; pathParams != nil {
-				values[ServerRequestPathParamsAddr] = pathParams
-			}
-		}
-	}
+func (feature *Feature) OnResponse(op *httpsec.HandlerOperation, resp httpsec.HandlerOperationRes) {
+	headers := headersRemoveCookies(resp.Headers)
+	setResponseHeadersTags(op, headers)
 
-	wafResult := shared.RunWAF(wafCtx, waf.RunAddressData{Persistent: values})
-	if wafResult.HasActions() || wafResult.HasEvents() {
-		interrupt := shared.ProcessActions(op, wafResult.Actions)
-		shared.AddSecurityEvents(&op.SecurityEventsHolder, l.limiter, wafResult.Events)
-		log.Debug("appsec: WAF detected an attack before executing the request")
-		if interrupt {
-			wafCtx.Close()
-			return
-		}
-	}
+	builder := addresses.NewAddressesBuilder().
+		WithResponseHeadersNoCookies(headers).
+		WithResponseStatus(resp.StatusCode)
 
-	if _, ok := l.addresses[ServerRequestBodyAddr]; ok {
-		dyngo.On(op, shared.MakeWAFRunListener(&op.SecurityEventsHolder, wafCtx, l.limiter, func(args types.SDKBodyOperationArgs) waf.RunAddressData {
-			return waf.RunAddressData{Persistent: map[string]any{ServerRequestBodyAddr: args.Body}}
-		}))
+	if feature.canExtractSchemas() {
+		builder = builder.ExtractSchema()
 	}
 
-	dyngo.OnFinish(op, func(op *types.Operation, res types.HandlerOperationRes) {
-		defer wafCtx.Close()
-
-		values = make(map[string]any, 3)
-		if l.canExtractSchemas() {
-			// This address will be passed as persistent. The WAF will keep it in store and trigger schema extraction
-			// for each run.
-			values["waf.context.processor"] = map[string]any{"extract-schema": true}
-		}
-
-		if _, ok := l.addresses[ServerResponseStatusAddr]; ok {
-			// serverResponseStatusAddr is a string address, so we must format the status code...
-			values[ServerResponseStatusAddr] = fmt.Sprintf("%d", res.Status)
-		}
-
-		if _, ok := l.addresses[ServerResponseHeadersNoCookiesAddr]; ok && res.Headers != nil {
-			values[ServerResponseHeadersNoCookiesAddr] = res.Headers
-		}
-
-		// Run the WAF, ignoring the returned actions - if any - since blocking after the request handler's
-		// response is not supported at the moment.
-		wafResult := shared.RunWAF(wafCtx, waf.RunAddressData{Persistent: values})
-
-		// Add WAF metrics.
-		shared.AddWAFMonitoringTags(op, l.wafDiags.Version, wafCtx.Stats().Metrics())
-
-		// Add the following metrics once per instantiation of a WAF handle
-		l.once.Do(func() {
-			shared.AddRulesMonitoringTags(op, &l.wafDiags)
-			op.SetTag(ext.ManualKeep, samplernames.AppSec)
-		})
-
-		// Log the attacks if any
-		if wafResult.HasEvents() {
-			log.Debug("appsec: attack detected by the waf")
-			shared.AddSecurityEvents(&op.SecurityEventsHolder, l.limiter, wafResult.Events)
-		}
-		for tag, value := range wafResult.Derivatives {
-			op.AddSerializableTag(tag, value)
-		}
-	})
+	op.Run(op, builder.Build())
 }
 
 // canExtractSchemas checks that API Security is enabled and that sampling rate
 // allows extracting schemas
-func (l *wafEventListener) canExtractSchemas() bool {
-	return l.config.APISec.Enabled && l.config.APISec.SampleRate >= rand.Float64()
+func (feature *Feature) canExtractSchemas() bool {
+	return feature.APISec.Enabled && feature.APISec.SampleRate >= rand.Float64()
 }
diff --git a/internal/appsec/listener/httpsec/request.go b/internal/appsec/listener/httpsec/request.go
new file mode 100644
index 0000000000..cb0e7d8a5d
--- /dev/null
+++ b/internal/appsec/listener/httpsec/request.go
@@ -0,0 +1,167 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package httpsec
+
+import (
+	"net/http"
+	"net/netip"
+	"os"
+	"strings"
+
+	"github.com/DataDog/appsec-internal-go/httpsec"
+
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
+)
+
+const (
+	// envClientIPHeader is the name of the env var used to specify the IP header to be used for client IP collection.
+	envClientIPHeader = "DD_TRACE_CLIENT_IP_HEADER"
+)
+
+var (
+	// defaultIPHeaders is the default list of IP-related headers leveraged to
+	// retrieve the public client IP address in RemoteAddr.
+	defaultIPHeaders = []string{
+		"x-forwarded-for",
+		"x-real-ip",
+		"true-client-ip",
+		"x-client-ip",
+		"x-forwarded",
+		"forwarded-for",
+		"x-cluster-client-ip",
+		"fastly-client-ip",
+		"cf-connecting-ip",
+		"cf-connecting-ipv6",
+	}
+
+	// defaultCollectedHeaders is the default list of HTTP headers collected as
+	// request span tags when appsec is enabled.
+	defaultCollectedHeaders = append([]string{
+		"host",
+		"content-length",
+		"content-type",
+		"content-encoding",
+		"content-language",
+		"forwarded",
+		"via",
+		"user-agent",
+		"accept",
+		"accept-encoding",
+		"accept-language",
+		"x-amzn-trace-id",
+		"cloudfront-viewer-ja3-fingerprint",
+		"cf-ray",
+		"x-cloud-trace-context",
+		"x-appgw-trace-id",
+		"akamai-user-risk",
+		"x-sigsci-requestid",
+		"x-sigsci-tags",
+	}, defaultIPHeaders...)
+
+	// collectedHeadersLookupMap is a helper lookup map of HTTP headers to
+	// collect as request span tags when appsec is enabled. It is computed at
+	// init-time based on defaultCollectedHeaders and leveraged by NormalizeHTTPHeaders.
+	collectedHeadersLookupMap map[string]struct{}
+
+	// monitoredClientIPHeadersCfg is the list of IP-related headers leveraged to
+	// retrieve the public client IP address in RemoteAddr. This is defined at init
+	// time in function of the value of the envClientIPHeader environment variable.
+	monitoredClientIPHeadersCfg []string
+)
+
+// ClientIPTags returns the resulting Datadog span tags `http.client_ip`
+// containing the client IP and `network.client.ip` containing the remote IP.
+// The tags are present only if a valid ip address has been returned by
+// RemoteAddr().
+func ClientIPTags(headers map[string][]string, hasCanonicalHeaders bool, remoteAddr string) (tags map[string]string, clientIP netip.Addr) {
+	remoteIP, clientIP := httpsec.ClientIP(headers, hasCanonicalHeaders, remoteAddr, monitoredClientIPHeadersCfg)
+	tags = httpsec.ClientIPTags(remoteIP, clientIP)
+	return tags, clientIP
+}
+
+// NormalizeHTTPHeaders returns the HTTP headers following Datadog's
+// normalization format.
+func NormalizeHTTPHeaders(headers map[string][]string) (normalized map[string]string) {
+	if len(headers) == 0 {
+		return nil
+	}
+	normalized = make(map[string]string, len(collectedHeadersLookupMap))
+	for k, v := range headers {
+		k = normalizeHTTPHeaderName(k)
+		if _, found := collectedHeadersLookupMap[k]; found {
+			normalized[k] = normalizeHTTPHeaderValue(v)
+		}
+	}
+	if len(normalized) == 0 {
+		return nil
+	}
+	return normalized
+}
+
+// Remove cookies from the request headers and return the map of headers
+// Used from `server.request.headers.no_cookies` and server.response.headers.no_cookies` addresses for the WAF
+func headersRemoveCookies(headers http.Header) map[string][]string {
+	headersNoCookies := make(http.Header, len(headers))
+	for k, v := range headers {
+		k := strings.ToLower(k)
+		if k == "cookie" {
+			continue
+		}
+		headersNoCookies[k] = v
+	}
+	return headersNoCookies
+}
+
+func normalizeHTTPHeaderName(name string) string {
+	return strings.ToLower(name)
+}
+
+func normalizeHTTPHeaderValue(values []string) string {
+	return strings.Join(values, ",")
+}
+
+func init() {
+	makeCollectedHTTPHeadersLookupMap()
+	readMonitoredClientIPHeadersConfig()
+}
+
+func makeCollectedHTTPHeadersLookupMap() {
+	collectedHeadersLookupMap = make(map[string]struct{}, len(defaultCollectedHeaders))
+	for _, h := range defaultCollectedHeaders {
+		collectedHeadersLookupMap[h] = struct{}{}
+	}
+}
+
+func readMonitoredClientIPHeadersConfig() {
+	if header := os.Getenv(envClientIPHeader); header != "" {
+		// Make this header the only one to consider in RemoteAddr
+		monitoredClientIPHeadersCfg = []string{header}
+
+		// Add this header to the list of collected headers
+		header = normalizeHTTPHeaderName(header)
+		collectedHeadersLookupMap[header] = struct{}{}
+	} else {
+		// No specific IP header was configured, use the default list
+		monitoredClientIPHeadersCfg = defaultIPHeaders
+	}
+}
+
+// setRequestHeadersTags sets the AppSec-specific request headers span tags.
+func setRequestHeadersTags(span trace.TagSetter, headers map[string][]string) {
+	setHeadersTags(span, "http.request.headers.", headers)
+}
+
+// setResponseHeadersTags sets the AppSec-specific response headers span tags.
+func setResponseHeadersTags(span trace.TagSetter, headers map[string][]string) {
+	setHeadersTags(span, "http.response.headers.", headers)
+}
+
+// setHeadersTags sets the AppSec-specific headers span tags.
+func setHeadersTags(span trace.TagSetter, tagPrefix string, headers map[string][]string) {
+	for h, v := range NormalizeHTTPHeaders(headers) {
+		span.SetTag(tagPrefix+h, v)
+	}
+}
diff --git a/internal/appsec/listener/httpsec/request_test.go b/internal/appsec/listener/httpsec/request_test.go
new file mode 100644
index 0000000000..402c05e4ff
--- /dev/null
+++ b/internal/appsec/listener/httpsec/request_test.go
@@ -0,0 +1,241 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package httpsec
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/metadata"
+
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/waf"
+	"github.com/DataDog/dd-trace-go/v2/internal/samplernames"
+)
+
+func TestClientIP(t *testing.T) {
+	for _, tc := range []struct {
+		name             string
+		addr             net.Addr
+		md               metadata.MD
+		expectedClientIP string
+	}{
+		{
+			name:             "tcp-ipv4-address",
+			addr:             &net.TCPAddr{IP: net.ParseIP("1.2.3.4"), Port: 6789},
+			expectedClientIP: "1.2.3.4",
+		},
+		{
+			name:             "tcp-ipv4-address",
+			addr:             &net.TCPAddr{IP: net.ParseIP("1.2.3.4"), Port: 6789},
+			md:               map[string][]string{"x-client-ip": {"127.0.0.1, 2.3.4.5"}},
+			expectedClientIP: "2.3.4.5",
+		},
+		{
+			name:             "tcp-ipv6-address",
+			addr:             &net.TCPAddr{IP: net.ParseIP("::1"), Port: 6789},
+			expectedClientIP: "::1",
+		},
+		{
+			name:             "udp-ipv4-address",
+			addr:             &net.UDPAddr{IP: net.ParseIP("1.2.3.4"), Port: 6789},
+			expectedClientIP: "1.2.3.4",
+		},
+		{
+			name:             "udp-ipv6-address",
+			addr:             &net.UDPAddr{IP: net.ParseIP("::1"), Port: 6789},
+			expectedClientIP: "::1",
+		},
+		{
+			name: "unix-socket-address",
+			addr: &net.UnixAddr{Name: "/var/my.sock"},
+		},
+	} {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			_, clientIP := ClientIPTags(tc.md, false, tc.addr.String())
+			expectedClientIP, _ := netip.ParseAddr(tc.expectedClientIP)
+			require.Equal(t, expectedClientIP.String(), clientIP.String())
+		})
+	}
+}
+
+func TestNormalizeHTTPHeaders(t *testing.T) {
+	for _, tc := range []struct {
+		headers  map[string][]string
+		expected map[string]string
+	}{
+		{
+			headers:  nil,
+			expected: nil,
+		},
+		{
+			headers: map[string][]string{
+				"cookie": {"not-collected"},
+			},
+			expected: nil,
+		},
+		{
+			headers: map[string][]string{
+				"cookie":          {"not-collected"},
+				"x-forwarded-for": {"1.2.3.4,5.6.7.8"},
+			},
+			expected: map[string]string{
+				"x-forwarded-for": "1.2.3.4,5.6.7.8",
+			},
+		},
+		{
+			headers: map[string][]string{
+				"cookie":          {"not-collected"},
+				"x-forwarded-for": {"1.2.3.4,5.6.7.8", "9.10.11.12,13.14.15.16"},
+			},
+			expected: map[string]string{
+				"x-forwarded-for": "1.2.3.4,5.6.7.8,9.10.11.12,13.14.15.16",
+			},
+		},
+	} {
+		headers := NormalizeHTTPHeaders(tc.headers)
+		require.Equal(t, tc.expected, headers)
+	}
+}
+
+type MockSpan struct {
+	Tags map[string]any
+}
+
+func (m *MockSpan) SetTag(key string, value interface{}) {
+	if m.Tags == nil {
+		m.Tags = make(map[string]any)
+	}
+	if key == ext.ManualKeep {
+		if value == samplernames.AppSec {
+			m.Tags[ext.ManualKeep] = true
+		}
+	} else {
+		m.Tags[key] = value
+	}
+}
+
+func TestTags(t *testing.T) {
+	for _, eventCase := range []struct {
+		name          string
+		events        []any
+		expectedTag   string
+		expectedError bool
+	}{
+		{
+			name:   "no-event",
+			events: nil,
+		},
+		{
+			name:        "one-event",
+			events:      []any{"one"},
+			expectedTag: `{"triggers":["one"]}`,
+		},
+		{
+			name:        "two-events",
+			events:      []any{"one", "two"},
+			expectedTag: `{"triggers":["one","two"]}`,
+		},
+	} {
+		eventCase := eventCase
+		for _, reqHeadersCase := range []struct {
+			name         string
+			headers      map[string][]string
+			expectedTags map[string]interface{}
+		}{
+			{
+				name: "zero-headers",
+			},
+			{
+				name: "xff-header",
+				headers: map[string][]string{
+					"X-Forwarded-For": {"1.2.3.4", "4.5.6.7"},
+					"my-header":       {"something"},
+				},
+				expectedTags: map[string]interface{}{
+					"http.request.headers.x-forwarded-for": "1.2.3.4,4.5.6.7",
+				},
+			},
+			{
+				name: "xff-header",
+				headers: map[string][]string{
+					"X-Forwarded-For": {"1.2.3.4"},
+					"my-header":       {"something"},
+				},
+				expectedTags: map[string]interface{}{
+					"http.request.headers.x-forwarded-for": "1.2.3.4",
+				},
+			},
+			{
+				name: "no-monitored-headers",
+				headers: map[string][]string{
+					"my-header": {"something"},
+				},
+			},
+		} {
+			reqHeadersCase := reqHeadersCase
+			for _, respHeadersCase := range []struct {
+				name         string
+				headers      map[string][]string
+				expectedTags map[string]interface{}
+			}{
+				{
+					name: "zero-headers",
+				},
+				{
+					name: "ct-header",
+					headers: map[string][]string{
+						"Content-Type": {"application/json"},
+						"my-header":    {"something"},
+					},
+					expectedTags: map[string]interface{}{
+						"http.response.headers.content-type": "application/json",
+					},
+				},
+				{
+					name: "no-monitored-headers",
+					headers: map[string][]string{
+						"my-header": {"something"},
+					},
+				},
+			} {
+				respHeadersCase := respHeadersCase
+				t.Run(fmt.Sprintf("%s-%s-%s", eventCase.name, reqHeadersCase.name, respHeadersCase.name), func(t *testing.T) {
+					var span MockSpan
+					err := waf.SetEventSpanTags(&span, eventCase.events)
+					if eventCase.expectedError {
+						require.Error(t, err)
+						return
+					}
+					require.NoError(t, err)
+					setRequestHeadersTags(&span, reqHeadersCase.headers)
+					setResponseHeadersTags(&span, respHeadersCase.headers)
+
+					if eventCase.events != nil {
+						require.Subset(t, span.Tags, map[string]interface{}{
+							"_dd.appsec.json": eventCase.expectedTag,
+							"manual.keep":     true,
+							"appsec.event":    true,
+							"_dd.origin":      "appsec",
+						})
+					}
+
+					if l := len(reqHeadersCase.expectedTags); l > 0 {
+						require.Subset(t, span.Tags, reqHeadersCase.expectedTags)
+					}
+
+					if l := len(respHeadersCase.expectedTags); l > 0 {
+						require.Subset(t, span.Tags, respHeadersCase.expectedTags)
+					}
+				})
+			}
+		}
+	}
+}
diff --git a/internal/appsec/listener/httpsec/roundtripper.go b/internal/appsec/listener/httpsec/roundtripper.go
index 8e51a4f2f7..2d2dcc8358 100644
--- a/internal/appsec/listener/httpsec/roundtripper.go
+++ b/internal/appsec/listener/httpsec/roundtripper.go
@@ -16,14 +16,27 @@ import (
 	"github.com/DataDog/go-libddwaf/v3"
 )
 
-// RegisterRoundTripperListener registers a listener on outgoing HTTP client requests to run the WAF.
-func RegisterRoundTripperListener(op dyngo.Operation, events *trace.SecurityEventsHolder, wafCtx *waf.Context, limiter limiter.Limiter) {
-	dyngo.On(op, sharedsec.MakeWAFRunListener(events, wafCtx, limiter, func(args types.RoundTripOperationArgs) waf.RunAddressData {
-		return waf.RunAddressData{Ephemeral: map[string]any{ServerIoNetURLAddr: args.URL}}
-	}))
+type SSRFProtectionFeature struct{}
+
+func (*SSRFProtectionFeature) String() string {
+	return "SSRF Protection"
+}
+
+func (*SSRFProtectionFeature) Stop() {}
+
+func NewSSRFProtectionFeature(config *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+	if !config.RASP || !config.SupportedAddresses.AnyOf(addresses.ServerIoNetURLAddr) {
+		return nil, nil
+	}
+
+	feature := &SSRFProtectionFeature{}
+	dyngo.On(rootOp, feature.OnStart)
+	return feature, nil
 }
 
-func SSRFAddressesPresent(addresses listener.AddressSet) bool {
-	_, urlAddr := addresses[ServerIoNetURLAddr]
-	return urlAddr
+func (*SSRFProtectionFeature) OnStart(op *httpsec.RoundTripOperation, args httpsec.RoundTripOperationArgs) {
+	dyngo.EmitData(op, waf.RunEvent{
+		Operation:      op,
+		RunAddressData: addresses.NewAddressesBuilder().WithURL(args.URL).Build(),
+	})
 }
diff --git a/internal/appsec/listener/ossec/lfi.go b/internal/appsec/listener/ossec/lfi.go
index 80398f1c86..a8f5ee2257 100644
--- a/internal/appsec/listener/ossec/lfi.go
+++ b/internal/appsec/listener/ossec/lfi.go
@@ -19,28 +19,37 @@ import (
 	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/sharedsec"
 )
 
-const (
-	ServerIOFSFileAddr = "server.io.fs.file"
-)
+type Feature struct{}
 
-func RegisterOpenListener(op dyngo.Operation, eventsHolder *trace.SecurityEventsHolder, wafCtx *waf.Context, limiter limiter.Limiter) {
-	runWAF := sharedsec.MakeWAFRunListener(eventsHolder, wafCtx, limiter, func(args ossec.OpenOperationArgs) waf.RunAddressData {
-		return waf.RunAddressData{Ephemeral: map[string]any{ServerIOFSFileAddr: args.Path}}
-	})
+func (*Feature) String() string {
+	return "LFI Protection"
+}
+
+func (*Feature) Stop() {}
+
+func NewOSSecFeature(cfg *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+	if !cfg.RASP || !cfg.SupportedAddresses.AnyOf(addresses.ServerIOFSFileAddr) {
+		return nil, nil
+	}
 
-	dyngo.On(op, func(op *ossec.OpenOperation, args ossec.OpenOperationArgs) {
-		dyngo.OnData(op, func(e *events.BlockingSecurityEvent) {
-			dyngo.OnFinish(op, func(_ *ossec.OpenOperation, res ossec.OpenOperationRes[*os.File]) {
-				if res.Err != nil {
-					*res.Err = e
-				}
-			})
+	feature := &Feature{}
+	dyngo.On(rootOp, feature.OnStart)
+	return feature, nil
+}
+
+func (*Feature) OnStart(op *ossec.OpenOperation, args ossec.OpenOperationArgs) {
+	dyngo.OnData(op, func(err *events.BlockingSecurityEvent) {
+		dyngo.OnFinish(op, func(_ *ossec.OpenOperation, res ossec.OpenOperationRes[*os.File]) {
+			if res.Err != nil {
+				*res.Err = err
+			}
 		})
-		runWAF(op, args)
 	})
-}
 
-func OSAddressesPresent(addresses listener.AddressSet) bool {
-	_, fileAddr := addresses[ServerIOFSFileAddr]
-	return fileAddr
+	dyngo.EmitData(op, waf.RunEvent{
+		Operation: op,
+		RunAddressData: addresses.NewAddressesBuilder().
+			WithFilePath(args.Path).
+			Build(),
+	})
 }
diff --git a/internal/appsec/listener/sqlsec/sql.go b/internal/appsec/listener/sqlsec/sql.go
index 7ec6e45711..b5aaa7cdce 100644
--- a/internal/appsec/listener/sqlsec/sql.go
+++ b/internal/appsec/listener/sqlsec/sql.go
@@ -16,21 +16,30 @@ import (
 	waf "github.com/DataDog/go-libddwaf/v3"
 )
 
-const (
-	ServerDBStatementAddr = "server.db.statement"
-	ServerDBTypeAddr      = "server.db.system"
-)
+type Feature struct{}
 
-func RegisterSQLListener(op dyngo.Operation, events *trace.SecurityEventsHolder, wafCtx *waf.Context, limiter limiter.Limiter) {
-	dyngo.On(op, sharedsec.MakeWAFRunListener(events, wafCtx, limiter, func(args types.SQLOperationArgs) waf.RunAddressData {
-		return waf.RunAddressData{Ephemeral: map[string]any{ServerDBStatementAddr: args.Query, ServerDBTypeAddr: args.Driver}}
-	}))
+func (*Feature) String() string {
+	return "SQLi Protection"
 }
 
-func SQLAddressesPresent(addresses listener.AddressSet) bool {
-	_, queryAddr := addresses[ServerDBStatementAddr]
-	_, driverAddr := addresses[ServerDBTypeAddr]
+func (*Feature) Stop() {}
+
+func NewSQLSecFeature(cfg *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+	if !cfg.RASP || !cfg.SupportedAddresses.AnyOf(addresses.ServerDBTypeAddr, addresses.ServerDBStatementAddr) {
+		return nil, nil
+	}
 
-	return queryAddr || driverAddr
+	feature := &Feature{}
+	dyngo.On(rootOp, feature.OnStart)
+	return feature, nil
+}
 
+func (*Feature) OnStart(op *sqlsec.SQLOperation, args sqlsec.SQLOperationArgs) {
+	dyngo.EmitData(op, waf.RunEvent{
+		Operation: op,
+		RunAddressData: addresses.NewAddressesBuilder().
+			WithDBStatement(args.Query).
+			WithDBType(args.Driver).
+			Build(),
+	})
 }
diff --git a/internal/appsec/listener/trace/trace.go b/internal/appsec/listener/trace/trace.go
new file mode 100644
index 0000000000..83d580f7b4
--- /dev/null
+++ b/internal/appsec/listener/trace/trace.go
@@ -0,0 +1,53 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package trace
+
+import (
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/trace"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
+)
+
+// AppSec-specific span tags that are expected to
+// be in the web service entry span (span of type `web`) when AppSec is enabled.
+var staticAppsecTags = map[string]any{
+	"_dd.appsec.enabled": 1,
+	"_dd.runtime_family": "go",
+}
+
+type AppsecSpanTransport struct{}
+
+func (*AppsecSpanTransport) String() string {
+	return "Appsec Span Transport"
+}
+
+func (*AppsecSpanTransport) Stop() {}
+
+func NewAppsecSpanTransport(_ *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+	ast := &AppsecSpanTransport{}
+
+	dyngo.On(rootOp, ast.OnServiceEntryStart)
+	dyngo.On(rootOp, ast.OnSpanStart)
+
+	return ast, nil
+}
+
+// OnServiceEntryStart is the start listener of the trace.ServiceEntrySpanOperation start event.
+// It listens for tags and serializable tags and sets them on the span when finishing the operation.
+func (*AppsecSpanTransport) OnServiceEntryStart(op *trace.ServiceEntrySpanOperation, _ trace.ServiceEntrySpanArgs) {
+	op.SetTags(staticAppsecTags)
+	dyngo.OnData(op, op.OnSpanTagEvent)
+	dyngo.OnData(op, op.OnServiceEntrySpanTagEvent)
+	dyngo.OnData(op, op.OnJSONServiceEntrySpanTagEvent)
+	dyngo.OnData(op, op.OnServiceEntrySpanTagsBulkEvent)
+}
+
+// OnSpanStart is the start listener of the trace.SpanOperation start event.
+// It listens for tags and sets them on the current span when finishing the operation.
+func (*AppsecSpanTransport) OnSpanStart(op *trace.SpanOperation, _ trace.SpanArgs) {
+	dyngo.OnData(op, op.OnSpanTagEvent)
+}
diff --git a/internal/appsec/listener/usersec/usec.go b/internal/appsec/listener/usersec/usec.go
new file mode 100644
index 0000000000..19fc6c91ae
--- /dev/null
+++ b/internal/appsec/listener/usersec/usec.go
@@ -0,0 +1,54 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package usersec
+
+import (
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/usersec"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/addresses"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
+)
+
+type Feature struct{}
+
+func (*Feature) String() string {
+	return "User Security"
+}
+
+func (*Feature) Stop() {}
+
+func NewUserSecFeature(cfg *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+	if !cfg.SupportedAddresses.AnyOf(
+		addresses.UserIDAddr,
+		addresses.UserSessionIDAddr,
+		addresses.UserLoginSuccessAddr,
+		addresses.UserLoginFailureAddr) {
+		return nil, nil
+	}
+
+	feature := &Feature{}
+	dyngo.OnFinish(rootOp, feature.OnFinish)
+	return feature, nil
+}
+
+func (*Feature) OnFinish(op *usersec.UserLoginOperation, res usersec.UserLoginOperationRes) {
+	builder := addresses.NewAddressesBuilder().
+		WithUserID(res.UserID).
+		WithUserSessionID(res.SessionID)
+
+	if res.Success {
+		builder = builder.WithUserLoginSuccess()
+	} else {
+		builder = builder.WithUserLoginFailure()
+	}
+
+	dyngo.EmitData(op, waf.RunEvent{
+		Operation:      op,
+		RunAddressData: builder.Build(),
+	})
+}
diff --git a/internal/appsec/listener/waf/tags.go b/internal/appsec/listener/waf/tags.go
new file mode 100644
index 0000000000..1600d418b3
--- /dev/null
+++ b/internal/appsec/listener/waf/tags.go
@@ -0,0 +1,101 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package waf
+
+import (
+	"encoding/json"
+	"fmt"
+
+	waf "github.com/DataDog/go-libddwaf/v3"
+
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/trace"
+	"github.com/DataDog/dd-trace-go/v2/internal/samplernames"
+)
+
+const (
+	wafSpanTagPrefix     = "_dd.appsec."
+	eventRulesVersionTag = wafSpanTagPrefix + "event_rules.version"
+	eventRulesErrorsTag  = wafSpanTagPrefix + "event_rules.errors"
+	eventRulesLoadedTag  = wafSpanTagPrefix + "event_rules.loaded"
+	eventRulesFailedTag  = wafSpanTagPrefix + "event_rules.error_count"
+	wafVersionTag        = wafSpanTagPrefix + "waf.version"
+
+	// BlockedRequestTag used to convey whether a request is blocked
+	BlockedRequestTag = "appsec.blocked"
+)
+
+// AddRulesMonitoringTags adds the tags related to security rules monitoring
+func AddRulesMonitoringTags(th trace.TagSetter, wafDiags waf.Diagnostics) {
+	rInfo := wafDiags.Rules
+	if rInfo == nil {
+		return
+	}
+
+	var rulesetErrors []byte
+	var err error
+	rulesetErrors, err = json.Marshal(wafDiags.Rules.Errors)
+	if err != nil {
+		log.Error("appsec: could not marshal the waf ruleset info errors to json")
+	}
+	th.SetTag(eventRulesErrorsTag, string(rulesetErrors))
+	th.SetTag(eventRulesLoadedTag, len(rInfo.Loaded))
+	th.SetTag(eventRulesFailedTag, len(rInfo.Failed))
+	th.SetTag(wafVersionTag, waf.Version())
+	th.SetTag(ext.ManualKeep, samplernames.AppSec)
+}
+
+// AddWAFMonitoringTags adds the tags related to the monitoring of the Feature
+func AddWAFMonitoringTags(th trace.TagSetter, rulesVersion string, stats map[string]any) {
+	// Rules version is set for every request to help the backend associate Feature duration metrics with rule version
+	th.SetTag(eventRulesVersionTag, rulesVersion)
+
+	// Report the stats sent by the Feature
+	for k, v := range stats {
+		th.SetTag(wafSpanTagPrefix+k, v)
+	}
+}
+
+// SetEventSpanTags sets the security event span tags into the service entry span.
+func SetEventSpanTags(span trace.TagSetter, events []any) error {
+	if len(events) == 0 {
+		return nil
+	}
+
+	// Set the appsec event span tag
+	val, err := makeEventTagValue(events)
+	if err != nil {
+		return err
+	}
+	span.SetTag("_dd.appsec.json", string(val))
+	// Keep this span due to the security event
+	//
+	// This is a workaround to tell the tracer that the trace was kept by AppSec.
+	// Passing any other value than `appsec.SamplerAppSec` has no effect.
+	// Customers should use `span.SetTag(ext.ManualKeep, true)` pattern
+	// to keep the trace, manually.
+	span.SetTag(ext.ManualKeep, samplernames.AppSec)
+	span.SetTag("_dd.origin", "appsec")
+	// Set the appsec.event tag needed by the appsec backend
+	span.SetTag("appsec.event", true)
+	return nil
+}
+
+// Create the value of the security event tag.
+func makeEventTagValue(events []any) (json.RawMessage, error) {
+	type eventTagValue struct {
+		Triggers []any `json:"triggers"`
+	}
+
+	tag, err := json.Marshal(eventTagValue{events})
+	if err != nil {
+		return nil, fmt.Errorf("unexpected error while serializing the appsec event span tag: %v", err)
+	}
+
+	return tag, nil
+}
diff --git a/internal/appsec/listener/sharedsec/shared_test.go b/internal/appsec/listener/waf/tags_test.go
similarity index 77%
rename from internal/appsec/listener/sharedsec/shared_test.go
rename to internal/appsec/listener/waf/tags_test.go
index 8d0cae627b..5402ed4a2d 100644
--- a/internal/appsec/listener/sharedsec/shared_test.go
+++ b/internal/appsec/listener/waf/tags_test.go
@@ -1,9 +1,9 @@
 // Unless explicitly stated otherwise all files in this repository are licensed
 // under the Apache License Version 2.0.
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016 Datadog, Inc.
+// Copyright 2024 Datadog, Inc.
 
-package sharedsec
+package waf
 
 import (
 	"testing"
@@ -22,7 +22,7 @@ const (
 
 // Test that internal functions used to set span tags use the correct types
 func TestTagsTypes(t *testing.T) {
-	th := trace.NewTagsHolder()
+	th := make(trace.TestTagSetter)
 	wafDiags := waf.Diagnostics{
 		Version: "1.3.0",
 		Rules: &waf.DiagnosticEntry{
@@ -32,14 +32,16 @@ func TestTagsTypes(t *testing.T) {
 		},
 	}
 
-	AddRulesMonitoringTags(&th, &wafDiags)
+	AddRulesMonitoringTags(&th, wafDiags)
 
 	stats := map[string]any{
-		wafDurationTag:                     10,
-		wafDurationExtTag:                  20,
-		wafTimeoutTag:                      0,
-		"_dd.appsec.waf.truncations.depth": []int{1, 2, 3},
-		"_dd.appsec.waf.run":               12000,
+		"waf.duration":          10,
+		"rasp.duration":         10,
+		"waf.duration_ext":      20,
+		"rasp.duration_ext":     20,
+		"waf.timeouts":          0,
+		"waf.truncations.depth": []int{1, 2, 3},
+		"waf.run":               12000,
 	}
 
 	AddWAFMonitoringTags(&th, "1.2.3", stats)
diff --git a/internal/appsec/listener/waf/waf.go b/internal/appsec/listener/waf/waf.go
new file mode 100644
index 0000000000..7055ec1836
--- /dev/null
+++ b/internal/appsec/listener/waf/waf.go
@@ -0,0 +1,128 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package waf
+
+import (
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/DataDog/appsec-internal-go/limiter"
+	wafv3 "github.com/DataDog/go-libddwaf/v3"
+
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener"
+
+	"github.com/DataDog/dd-trace-go/v2/appsec/events"
+	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/dyngo"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf"
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/actions"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+	"github.com/DataDog/dd-trace-go/v2/internal/stacktrace"
+)
+
+type Feature struct {
+	timeout         time.Duration
+	limiter         *limiter.TokenTicker
+	handle          *wafv3.Handle
+	supportedAddrs  config.AddressSet
+	reportRulesTags sync.Once
+}
+
+func NewWAFFeature(cfg *config.Config, rootOp dyngo.Operation) (listener.Feature, error) {
+	if ok, err := wafv3.Load(); err != nil {
+		// 1. If there is an error and the loading is not ok: log as an unexpected error case and quit appsec
+		// Note that we assume here that the test for the unsupported target has been done before calling
+		// this method, so it is now considered an error for this method
+		if !ok {
+			return nil, fmt.Errorf("error while loading libddwaf: %w", err)
+		}
+		// 2. If there is an error and the loading is ok: log as an informative error where appsec can be used
+		log.Error("appsec: non-critical error while loading libddwaf: %v", err)
+	}
+
+	newHandle, err := wafv3.NewHandle(cfg.RulesManager.Latest, cfg.Obfuscator.KeyRegex, cfg.Obfuscator.ValueRegex)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg.SupportedAddresses = config.NewAddressSet(newHandle.Addresses())
+
+	tokenTicker := limiter.NewTokenTicker(cfg.TraceRateLimit, cfg.TraceRateLimit)
+	tokenTicker.Start()
+
+	feature := &Feature{
+		handle:         newHandle,
+		timeout:        cfg.WAFTimeout,
+		limiter:        tokenTicker,
+		supportedAddrs: cfg.SupportedAddresses,
+	}
+
+	dyngo.On(rootOp, feature.onStart)
+	dyngo.OnFinish(rootOp, feature.onFinish)
+
+	return feature, nil
+}
+
+func (waf *Feature) onStart(op *waf.ContextOperation, _ waf.ContextArgs) {
+	waf.reportRulesTags.Do(func() {
+		AddRulesMonitoringTags(op, waf.handle.Diagnostics())
+	})
+
+	ctx, err := waf.handle.NewContextWithBudget(waf.timeout)
+	if err != nil {
+		log.Debug("appsec: failed to create Feature context: %v", err)
+	}
+
+	op.SwapContext(ctx)
+	op.SetLimiter(waf.limiter)
+	op.SetSupportedAddresses(waf.supportedAddrs)
+
+	// Run the WAF with the given address data
+	dyngo.OnData(op, op.OnEvent)
+
+	waf.SetupActionHandlers(op)
+}
+
+func (waf *Feature) SetupActionHandlers(op *waf.ContextOperation) {
+	// Set the blocking tag on the operation when a blocking event is received
+	dyngo.OnData(op, func(_ *events.BlockingSecurityEvent) {
+		op.SetTag(BlockedRequestTag, true)
+	})
+
+	// Register the stacktrace if one is requested by a WAF action
+	dyngo.OnData(op, func(err *actions.StackTraceAction) {
+		op.AddStackTraces(err.Event)
+	})
+}
+
+func (waf *Feature) onFinish(op *waf.ContextOperation, _ waf.ContextRes) {
+	ctx := op.SwapContext(nil)
+	if ctx == nil {
+		return
+	}
+
+	ctx.Close()
+
+	AddWAFMonitoringTags(op, waf.handle.Diagnostics().Version, ctx.Stats().Metrics())
+	if err := SetEventSpanTags(op, op.Events()); err != nil {
+		log.Debug("appsec: failed to set event span tags: %v", err)
+	}
+
+	op.SetSerializableTags(op.Derivatives())
+	if stacks := op.StackTraces(); len(stacks) > 0 {
+		op.SetTag(stacktrace.SpanKey, stacktrace.GetSpanValue(stacks...))
+	}
+}
+
+func (*Feature) String() string {
+	return "Web Application Firewall"
+}
+
+func (waf *Feature) Stop() {
+	waf.limiter.Stop()
+	waf.handle.Close()
+}
diff --git a/internal/appsec/remoteconfig.go b/internal/appsec/remoteconfig.go
index 10b1252b6a..6902d6793d 100644
--- a/internal/appsec/remoteconfig.go
+++ b/internal/appsec/remoteconfig.go
@@ -9,6 +9,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"maps"
 	"os"
 
 	"github.com/DataDog/dd-trace-go/v2/internal/appsec/config"
@@ -41,20 +42,13 @@ func statusesFromUpdate(u remoteconfig.ProductUpdate, ack bool, err error) map[s
 	return statuses
 }
 
-func mergeMaps[K comparable, V any](m1 map[K]V, m2 map[K]V) map[K]V {
-	for key, value := range m2 {
-		m1[key] = value
-	}
-	return m1
-}
-
 // combineRCRulesUpdates updates the state of the given RulesManager with the combination of all the provided rules updates
 func combineRCRulesUpdates(r *config.RulesManager, updates map[string]remoteconfig.ProductUpdate) (statuses map[string]rc.ApplyStatus, err error) {
 	// Spare some re-allocations (but there may still be some because 1 update may contain N configs)
 	statuses = make(map[string]rc.ApplyStatus, len(updates))
 	// Set the default statuses for all updates to unacknowledged
 	for _, u := range updates {
-		statuses = mergeMaps(statuses, statusesFromUpdate(u, false, nil))
+		maps.Copy(statuses, statusesFromUpdate(u, false, nil))
 	}
 
 updateLoop:
@@ -66,9 +60,9 @@ updateLoop:
 		switch p {
 		case rc.ProductASMData:
 			// Merge all rules data entries together and store them as a RulesManager edit entry
-			rulesData, status := mergeRulesData(u)
-			statuses = mergeMaps(statuses, status)
-			r.AddEdit("asmdata", config.RulesFragment{RulesData: rulesData})
+			fragment, status := mergeASMDataUpdates(u)
+			maps.Copy(statuses, status)
+			r.AddEdit("asmdata", fragment)
 		case rc.ProductASMDD:
 			var (
 				removalFound = false
@@ -83,7 +77,7 @@ updateLoop:
 				}
 				// Already seen a removal or an update, return an error
 				if err != nil {
-					statuses = mergeMaps(statuses, statusesFromUpdate(u, true, err))
+					maps.Copy(statuses, statusesFromUpdate(u, true, err))
 					break updateLoop
 				}
 
@@ -103,7 +97,7 @@ updateLoop:
 				if removalFound {
 					log.Debug("appsec: Remote config: ASM_DD config removed. Switching back to default rules")
 					r.ChangeBase(config.DefaultRulesFragment(), "")
-					statuses = mergeMaps(statuses, statusesFromUpdate(u, true, nil))
+					maps.Copy(statuses, statusesFromUpdate(u, true, nil))
 				}
 				continue
 			}
@@ -145,7 +139,7 @@ updateLoop:
 	// Set all statuses to ack if no error occured
 	if err == nil {
 		for _, u := range updates {
-			statuses = mergeMaps(statuses, statusesFromUpdate(u, true, nil))
+			maps.Copy(statuses, statusesFromUpdate(u, true, nil))
 		}
 	}
 
@@ -182,17 +176,18 @@ func (a *appsec) onRCRulesUpdate(updates map[string]remoteconfig.ProductUpdate)
 	r.Compile()
 	log.Debug("appsec: Remote config: final compiled rules: %s", r.String())
 
+	// Replace the RulesManager with the new one holding the new state
+	a.cfg.RulesManager = &r
+
 	// If an error occurs while updating the WAF handle, don't swap the RulesManager and propagate the error
 	// to all config statuses since we can't know which config is the faulty one
-	if err = a.swapWAF(r.Latest); err != nil {
+	if err = a.SwapRootOperation(); err != nil {
 		log.Error("appsec: Remote config: could not apply the new security rules: %v", err)
 		for k := range statuses {
 			statuses[k] = genApplyStatus(true, err)
 		}
 		return statuses
 	}
-	// Replace the RulesManager with the new one holding the new state
-	a.cfg.RulesManager = &r
 
 	return statuses
 }
@@ -240,12 +235,41 @@ func (a *appsec) handleASMFeatures(u remoteconfig.ProductUpdate) map[string]rc.A
 	return statuses
 }
 
-func mergeRulesData(u remoteconfig.ProductUpdate) ([]config.RuleDataEntry, map[string]rc.ApplyStatus) {
+func mergeASMDataUpdates(u remoteconfig.ProductUpdate) (config.RulesFragment, map[string]rc.ApplyStatus) {
 	// Following the RFC, merging should only happen when two rules data with the same ID and same Type are received
-	// allRulesData[ID][Type] will return the rules data of said id and type, if it exists
-	allRulesData := make(map[string]map[string]config.RuleDataEntry)
+	type mapKey struct {
+		id  string
+		typ string
+	}
+	mergedRulesData := make(map[mapKey]config.DataEntry)
+	mergedExclusionData := make(map[mapKey]config.DataEntry)
 	statuses := statusesFromUpdate(u, true, nil)
 
+	mergeUpdateEntry := func(mergeMap map[mapKey]config.DataEntry, data []config.DataEntry) {
+		for _, ruleData := range data {
+			key := mapKey{id: ruleData.ID, typ: ruleData.Type}
+			if data, ok := mergeMap[key]; ok {
+				// Merge rules data entries with the same ID and Type
+				mergeMap[key] = config.DataEntry{
+					ID:   data.ID,
+					Type: data.Type,
+					Data: mergeRulesDataEntries(data.Data, ruleData.Data),
+				}
+				continue
+			}
+
+			mergeMap[key] = ruleData
+		}
+	}
+
+	mapValues := func(m map[mapKey]config.DataEntry) []config.DataEntry {
+		values := make([]config.DataEntry, 0, len(m))
+		for _, v := range m {
+			values = append(values, v)
+		}
+		return values
+	}
+
 	for path, raw := range u {
 		log.Debug("appsec: Remote config: processing %s", path)
 
@@ -257,36 +281,30 @@ func mergeRulesData(u remoteconfig.ProductUpdate) ([]config.RuleDataEntry, map[s
 			continue
 		}
 
-		var rulesData config.RulesData
-		if err := json.Unmarshal(raw, &rulesData); err != nil {
+		var asmdataUpdate struct {
+			RulesData     []config.DataEntry `json:"rules_data,omitempty"`
+			ExclusionData []config.DataEntry `json:"exclusion_data,omitempty"`
+		}
+		if err := json.Unmarshal(raw, &asmdataUpdate); err != nil {
 			log.Debug("appsec: Remote config: error while unmarshalling payload for %s: %v. Configuration won't be applied.", path, err)
 			statuses[path] = genApplyStatus(false, err)
 			continue
 		}
 
-		// Check each entry against allRulesData to see if merging is necessary
-		for _, ruleData := range rulesData.RulesData {
-			if allRulesData[ruleData.ID] == nil {
-				allRulesData[ruleData.ID] = make(map[string]config.RuleDataEntry)
-			}
-			if data, ok := allRulesData[ruleData.ID][ruleData.Type]; ok {
-				// Merge rules data entries with the same ID and Type
-				data.Data = mergeRulesDataEntries(data.Data, ruleData.Data)
-				allRulesData[ruleData.ID][ruleData.Type] = data
-			} else {
-				allRulesData[ruleData.ID][ruleData.Type] = ruleData
-			}
-		}
+		mergeUpdateEntry(mergedExclusionData, asmdataUpdate.ExclusionData)
+		mergeUpdateEntry(mergedRulesData, asmdataUpdate.RulesData)
 	}
 
-	// Aggregate all the rules data before passing it over to the WAF
-	var rulesData []config.RuleDataEntry
-	for _, m := range allRulesData {
-		for _, data := range m {
-			rulesData = append(rulesData, data)
-		}
+	var fragment config.RulesFragment
+	if len(mergedRulesData) > 0 {
+		fragment.RulesData = mapValues(mergedRulesData)
+	}
+
+	if len(mergedExclusionData) > 0 {
+		fragment.ExclusionData = mapValues(mergedExclusionData)
 	}
-	return rulesData, statuses
+
+	return fragment, statuses
 }
 
 // mergeRulesDataEntries merges two slices of rules data entries together, removing duplicates and
@@ -372,6 +390,11 @@ var blockingCapabilities = [...]remoteconfig.Capability{
 	remoteconfig.ASMCustomRules,
 	remoteconfig.ASMCustomBlockingResponse,
 	remoteconfig.ASMTrustedIPs,
+	remoteconfig.ASMExclusionData,
+	remoteconfig.ASMEndpointFingerprinting,
+	remoteconfig.ASMSessionFingerprinting,
+	remoteconfig.ASMNetworkFingerprinting,
+	remoteconfig.ASMHeaderFingerprinting,
 }
 
 func (a *appsec) enableRCBlocking() {
@@ -409,7 +432,14 @@ func (a *appsec) enableRASP() {
 	if err := remoteconfig.RegisterCapability(remoteconfig.ASMRASPSSRF); err != nil {
 		log.Debug("appsec: Remote config: couldn't register RASP SSRF: %v", err)
 	}
-	// TODO: register other RASP capabilities when supported
+	if err := remoteconfig.RegisterCapability(remoteconfig.ASMRASPSQLI); err != nil {
+		log.Debug("appsec: Remote config: couldn't register RASP SQLI: %v", err)
+	}
+	if orchestrion.Enabled() {
+		if err := remoteconfig.RegisterCapability(remoteconfig.ASMRASPLFI); err != nil {
+			log.Debug("appsec: Remote config: couldn't register RASP LFI: %v", err)
+		}
+	}
 }
 
 func (a *appsec) disableRCBlocking() {
diff --git a/internal/appsec/remoteconfig_test.go b/internal/appsec/remoteconfig_test.go
index 02805504ae..8b7ce7ba71 100644
--- a/internal/appsec/remoteconfig_test.go
+++ b/internal/appsec/remoteconfig_test.go
@@ -10,7 +10,7 @@ import (
 	"errors"
 	"os"
 	"reflect"
-	"sort"
+	"slices"
 	"strings"
 	"testing"
 
@@ -119,63 +119,63 @@ func TestMergeRulesData(t *testing.T) {
 	for _, tc := range []struct {
 		name     string
 		update   remoteconfig.ProductUpdate
-		expected []config.RuleDataEntry
+		expected config.RulesFragment
 		statuses map[string]rc.ApplyStatus
 	}{
 		{
 			name:     "empty-rule-data",
 			update:   map[string][]byte{},
-			statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
+			statuses: map[string]rc.ApplyStatus{},
 		},
 		{
 			name: "bad-json",
 			update: map[string][]byte{
 				"some/path": []byte(`[}]`),
 			},
-			statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateError}},
+			statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateError, Error: "invalid character '}' looking for beginning of value"}},
 		},
 		{
-			name: "single-value",
+			name: "single-rules-value",
 			update: map[string][]byte{
 				"some/path": []byte(`{"rules_data":[{"id":"test","type":"data_with_expiration","data":[{"expiration":3494138481,"value":"user1"}]}]}`),
 			},
-			expected: []config.RuleDataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+			expected: config.RulesFragment{RulesData: []config.DataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
 				{Expiration: 3494138481, Value: "user1"},
-			}}},
+			}}}},
 			statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
 		},
 		{
-			name: "multiple-values",
+			name: "multiple-rules-values",
 			update: map[string][]byte{
 				"some/path": []byte(`{"rules_data":[{"id":"test","type":"data_with_expiration","data":[{"expiration":3494138481,"value":"user1"},{"expiration":3494138441,"value":"user2"}]}]}`),
 			},
-			expected: []config.RuleDataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+			expected: config.RulesFragment{RulesData: []config.DataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
 				{Expiration: 3494138481, Value: "user1"},
 				{Expiration: 3494138441, Value: "user2"},
-			}}},
+			}}}},
 			statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
 		},
 		{
-			name: "multiple-entries",
+			name: "multiple-rules-entries",
 			update: map[string][]byte{
 				"some/path": []byte(`{"rules_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138444,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":3495138481,"value":"user4"}]}]}`),
 			},
-			expected: []config.RuleDataEntry{
+			expected: config.RulesFragment{RulesData: []config.DataEntry{
 				{ID: "test1", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
 					{Expiration: 3494138444, Value: "user3"},
 				}}, {ID: "test2", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
 					{Expiration: 3495138481, Value: "user4"},
 				}},
-			},
+			}},
 			statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
 		},
 		{
-			name: "merging-entries",
+			name: "merging-rules-entries",
 			update: map[string][]byte{
 				"some/path/1": []byte(`{"rules_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138444,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":3495138481,"value":"user4"}]}]}`),
 				"some/path/2": []byte(`{"rules_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138445,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":0,"value":"user5"}]}]}`),
 			},
-			expected: []config.RuleDataEntry{
+			expected: config.RulesFragment{RulesData: []config.DataEntry{
 				{ID: "test1", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
 					{Expiration: 3494138445, Value: "user3"},
 				}},
@@ -183,7 +183,62 @@ func TestMergeRulesData(t *testing.T) {
 					{Expiration: 3495138481, Value: "user4"},
 					{Expiration: 0, Value: "user5"},
 				}},
+			}},
+			statuses: map[string]rc.ApplyStatus{
+				"some/path/1": {State: rc.ApplyStateAcknowledged},
+				"some/path/2": {State: rc.ApplyStateAcknowledged},
+			},
+		},
+		{
+			name: "single-exclusions-value",
+			update: map[string][]byte{
+				"some/path": []byte(`{"exclusion_data":[{"id":"test","type":"data_with_expiration","data":[{"expiration":3494138481,"value":"user1"}]}]}`),
+			},
+			expected: config.RulesFragment{ExclusionData: []config.DataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+				{Expiration: 3494138481, Value: "user1"},
+			}}}},
+			statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
+		},
+		{
+			name: "multiple-exclusions-values",
+			update: map[string][]byte{
+				"some/path": []byte(`{"exclusion_data":[{"id":"test","type":"data_with_expiration","data":[{"expiration":3494138481,"value":"user1"},{"expiration":3494138441,"value":"user2"}]}]}`),
 			},
+			expected: config.RulesFragment{ExclusionData: []config.DataEntry{{ID: "test", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+				{Expiration: 3494138481, Value: "user1"},
+				{Expiration: 3494138441, Value: "user2"},
+			}}}},
+			statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
+		},
+		{
+			name: "multiple-exclusions-entries",
+			update: map[string][]byte{
+				"some/path": []byte(`{"exclusion_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138444,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":3495138481,"value":"user4"}]}]}`),
+			},
+			expected: config.RulesFragment{ExclusionData: []config.DataEntry{
+				{ID: "test1", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+					{Expiration: 3494138444, Value: "user3"},
+				}}, {ID: "test2", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+					{Expiration: 3495138481, Value: "user4"},
+				}},
+			}},
+			statuses: map[string]rc.ApplyStatus{"some/path": {State: rc.ApplyStateAcknowledged}},
+		},
+		{
+			name: "merging-exclusions-entries",
+			update: map[string][]byte{
+				"some/path/1": []byte(`{"exclusion_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138444,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":3495138481,"value":"user4"}]}]}`),
+				"some/path/2": []byte(`{"exclusion_data":[{"id":"test1","type":"data_with_expiration","data":[{"expiration":3494138445,"value":"user3"}]},{"id":"test2","type":"data_with_expiration","data":[{"expiration":0,"value":"user5"}]}]}`),
+			},
+			expected: config.RulesFragment{ExclusionData: []config.DataEntry{
+				{ID: "test1", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+					{Expiration: 3494138445, Value: "user3"},
+				}},
+				{ID: "test2", Type: "data_with_expiration", Data: []rc.ASMDataRuleDataEntry{
+					{Expiration: 3495138481, Value: "user4"},
+					{Expiration: 0, Value: "user5"},
+				}},
+			}},
 			statuses: map[string]rc.ApplyStatus{
 				"some/path/1": {State: rc.ApplyStateAcknowledged},
 				"some/path/2": {State: rc.ApplyStateAcknowledged},
@@ -191,30 +246,27 @@ func TestMergeRulesData(t *testing.T) {
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			merged, statuses := mergeRulesData(tc.update)
-			// Sort the compared elements since ordering is not guaranteed and the slice hold types that embed
-			// more slices
-			require.Len(t, merged, len(tc.expected))
-			sort.Slice(merged, func(i, j int) bool {
-				return strings.Compare(merged[i].ID, merged[j].ID) < 0
-			})
-			sort.Slice(tc.expected, func(i, j int) bool {
-				return strings.Compare(merged[i].ID, merged[j].ID) < 0
-			})
-
-			for i := range tc.expected {
-				require.Equal(t, tc.expected[i].ID, merged[i].ID)
-				require.Equal(t, tc.expected[i].Type, merged[i].Type)
-				require.ElementsMatch(t, tc.expected[i].Data, merged[i].Data)
-			}
-			for k := range statuses {
-				require.Equal(t, tc.statuses[k].State, statuses[k].State)
-				if statuses[k].State == rc.ApplyStateError {
-					require.NotEmpty(t, statuses[k].Error)
-				} else {
-					require.Empty(t, statuses[k].Error)
+			fragment, statuses := mergeASMDataUpdates(tc.update)
+
+			// Sort the data entries to make the comparison easier
+			sort := func(actual []config.DataEntry) {
+				slices.SortStableFunc(actual, func(a, b config.DataEntry) int {
+					return strings.Compare(a.ID, b.ID)
+				})
+				for _, data := range actual {
+					slices.SortStableFunc(data.Data, func(a, b rc.ASMDataRuleDataEntry) int {
+						return strings.Compare(a.Value, b.Value)
+					})
 				}
 			}
+
+			sort(fragment.RulesData)
+			sort(fragment.ExclusionData)
+			sort(tc.expected.RulesData)
+			sort(tc.expected.ExclusionData)
+
+			require.Equal(t, tc.expected, fragment)
+			require.Equal(t, tc.statuses, statuses)
 		})
 	}
 }
@@ -437,7 +489,7 @@ func craftRCUpdates(fragments map[string]config.RulesFragment) map[string]remote
 				update[rc.ProductASM] = make(remoteconfig.ProductUpdate)
 			}
 			update[rc.ProductASM][path] = data
-		} else if len(frag.RulesData) > 0 {
+		} else if len(frag.RulesData) > 0 || len(frag.ExclusionData) > 0 {
 			if _, ok := update[rc.ProductASMData]; !ok {
 				update[rc.ProductASMData] = make(remoteconfig.ProductUpdate)
 			}
@@ -457,7 +509,7 @@ type testRulesOverrideEntry struct {
 
 func TestOnRCUpdate(t *testing.T) {
 
-	BaseRuleset, err := config.NewRulesManeger(nil)
+	BaseRuleset, err := config.NewRulesManager(nil)
 	require.NoError(t, err)
 	BaseRuleset.Compile()
 
@@ -671,7 +723,7 @@ func TestOnRCUpdate(t *testing.T) {
 }
 
 func TestOnRCUpdateStatuses(t *testing.T) {
-	invalidRuleset, err := config.NewRulesManeger([]byte(`{"version": "2.2", "metadata": {"rules_version": "1.4.2"}, "rules": [{"id": "id","name":"name","tags":{},"conditions":[],"transformers":[],"on_match":[]}]}`))
+	invalidRuleset, err := config.NewRulesManager([]byte(`{"version": "2.2", "metadata": {"rules_version": "1.4.2"}, "rules": [{"id": "id","name":"name","tags":{},"conditions":[],"transformers":[],"on_match":[]}]}`))
 	require.NoError(t, err)
 	invalidRules := invalidRuleset.Base
 	overrides := config.RulesFragment{
@@ -787,10 +839,12 @@ func TestWafRCUpdate(t *testing.T) {
 		require.NoError(t, err)
 		defer wafCtx.Close()
 		values := map[string]interface{}{
-			httpsec.ServerRequestPathParamsAddr: "/rfiinc.txt",
+			addresses.ServerRequestPathParamsAddr: "/rfiinc.txt",
 		}
+
 		// Make sure the rule matches as expected
-		result := sharedsec.RunWAF(wafCtx, waf.RunAddressData{Persistent: values})
+		result, err := wafCtx.Run(waf.RunAddressData{Persistent: values})
+		require.NoError(t, err)
 		require.Contains(t, jsonString(t, result.Events), "crs-913-120")
 		require.Empty(t, result.Actions)
 		// Simulate an RC update that disables the rule
@@ -807,7 +861,8 @@ func TestWafRCUpdate(t *testing.T) {
 		require.NoError(t, err)
 		defer newWafCtx.Close()
 		// Make sure the rule returns a blocking action when matching
-		result = sharedsec.RunWAF(newWafCtx, waf.RunAddressData{Persistent: values})
+		result, err = newWafCtx.Run(waf.RunAddressData{Persistent: values})
+		require.NoError(t, err)
 		require.Contains(t, jsonString(t, result.Events), "crs-913-120")
 		require.Contains(t, result.Actions, "block_request")
 	})
diff --git a/internal/appsec/testdata/fp.json b/internal/appsec/testdata/fp.json
new file mode 100644
index 0000000000..52af47f36c
--- /dev/null
+++ b/internal/appsec/testdata/fp.json
@@ -0,0 +1,207 @@
+{
+    "version": "2.2",
+    "metadata": {
+        "rules_version": "1.4.2"
+    },
+    "rules": [
+        {
+            "id": "crs-933-130-block",
+            "name": "PHP Injection Attack: Global Variables Found",
+            "tags": {
+                "type": "php_code_injection",
+                "crs_id": "933130",
+                "category": "attack_attempt",
+                "confidence": "1"
+            },
+            "conditions": [
+                {
+                    "parameters": {
+                        "inputs": [
+                            {
+                                "address": "server.request.query"
+                            }
+                        ],
+                        "list": [
+                            "$globals"
+                        ]
+                    },
+                    "operator": "phrase_match"
+                }
+            ],
+            "transformers": [
+                "lowercase"
+            ]
+        }
+    ],
+    "processors": [
+        {
+            "id": "http-endpoint-fingerprint",
+            "generator": "http_endpoint_fingerprint",
+            "conditions": [
+                {
+                    "operator": "exists",
+                    "parameters": {
+                        "inputs": [
+                            {
+                                "address": "waf.context.event"
+                            },
+                            {
+                                "address": "server.business_logic.users.login.failure"
+                            },
+                            {
+                                "address": "server.business_logic.users.login.success"
+                            }
+                        ]
+                    }
+                }
+            ],
+            "parameters": {
+                "mappings": [
+                    {
+                        "method": [
+                            {
+                                "address": "server.request.method"
+                            }
+                        ],
+                        "uri_raw": [
+                            {
+                                "address": "server.request.uri.raw"
+                            }
+                        ],
+                        "body": [
+                            {
+                                "address": "server.request.body"
+                            }
+                        ],
+                        "query": [
+                            {
+                                "address": "server.request.query"
+                            }
+                        ],
+                        "output": "_dd.appsec.fp.http.endpoint"
+                    }
+                ]
+            },
+            "evaluate": false,
+            "output": true
+        },
+        {
+            "id": "http-header-fingerprint",
+            "generator": "http_header_fingerprint",
+            "conditions": [
+                {
+                    "operator": "exists",
+                    "parameters": {
+                        "inputs": [
+                            {
+                                "address": "waf.context.event"
+                            },
+                            {
+                                "address": "server.business_logic.users.login.failure"
+                            },
+                            {
+                                "address": "server.business_logic.users.login.success"
+                            }
+                        ]
+                    }
+                }
+            ],
+            "parameters": {
+                "mappings": [
+                    {
+                        "headers": [
+                            {
+                                "address": "server.request.headers.no_cookies"
+                            }
+                        ],
+                        "output": "_dd.appsec.fp.http.header"
+                    }
+                ]
+            },
+            "evaluate": false,
+            "output": true
+        },
+        {
+            "id": "http-network-fingerprint",
+            "generator": "http_network_fingerprint",
+            "conditions": [
+                {
+                    "operator": "exists",
+                    "parameters": {
+                        "inputs": [
+                            {
+                                "address": "waf.context.event"
+                            },
+                            {
+                                "address": "server.business_logic.users.login.failure"
+                            },
+                            {
+                                "address": "server.business_logic.users.login.success"
+                            }
+                        ]
+                    }
+                }
+            ],
+            "parameters": {
+                "mappings": [
+                    {
+                        "headers": [
+                            {
+                                "address": "server.request.headers.no_cookies"
+                            }
+                        ],
+                        "output": "_dd.appsec.fp.http.network"
+                    }
+                ]
+            },
+            "evaluate": false,
+            "output": true
+        },
+        {
+            "id": "session-fingerprint",
+            "generator": "session_fingerprint",
+            "conditions": [
+                {
+                    "operator": "exists",
+                    "parameters": {
+                        "inputs": [
+                            {
+                                "address": "waf.context.event"
+                            },
+                            {
+                                "address": "server.business_logic.users.login.failure"
+                            },
+                            {
+                                "address": "server.business_logic.users.login.success"
+                            }
+                        ]
+                    }
+                }
+            ],
+            "parameters": {
+                "mappings": [
+                    {
+                        "cookies": [
+                            {
+                                "address": "server.request.cookies"
+                            }
+                        ],
+                        "session_id": [
+                            {
+                                "address": "usr.session_id"
+                            }
+                        ],
+                        "user_id": [
+                            {
+                                "address": "usr.id"
+                            }
+                        ],
+                        "output": "_dd.appsec.fp.session"
+                    }
+                ]
+            },
+            "evaluate": false,
+            "output": true
+        }
+    ]
+}
diff --git a/internal/appsec/testdata/sab.json b/internal/appsec/testdata/sab.json
new file mode 100644
index 0000000000..8c1ce8e0df
--- /dev/null
+++ b/internal/appsec/testdata/sab.json
@@ -0,0 +1,136 @@
+{
+    "version": "2.2",
+    "metadata": {
+        "rules_version": "1.4.2"
+    },
+    "rules": [
+        {
+            "id": "crs-933-130-block",
+            "name": "PHP Injection Attack: Global Variables Found",
+            "tags": {
+                "type": "php_code_injection",
+                "crs_id": "933130",
+                "category": "attack_attempt",
+                "confidence": "1"
+            },
+            "conditions": [
+                {
+                    "parameters": {
+                        "inputs": [
+                            {
+                                "address": "server.request.query"
+                            },
+                            {
+                                "address": "server.request.body"
+                            },
+                            {
+                                "address": "server.request.path_params"
+                            },
+                            {
+                                "address": "grpc.server.request.message"
+                            }
+                        ],
+                        "list": [
+                            "$globals",
+                            "$_cookie",
+                            "$_env",
+                            "$_files",
+                            "$_get",
+                            "$_post",
+                            "$_request",
+                            "$_server",
+                            "$_session",
+                            "$argc",
+                            "$argv",
+                            "$http_\\u200bresponse_\\u200bheader",
+                            "$php_\\u200berrormsg",
+                            "$http_cookie_vars",
+                            "$http_env_vars",
+                            "$http_get_vars",
+                            "$http_post_files",
+                            "$http_post_vars",
+                            "$http_raw_post_data",
+                            "$http_request_vars",
+                            "$http_server_vars"
+                        ]
+                    },
+                    "operator": "phrase_match"
+                }
+            ],
+            "transformers": [
+                "lowercase"
+            ]
+        }
+    ],
+    "actions": [
+        {
+            "id": "block_402",
+            "type": "block_request",
+            "parameters": {
+                "status_code": 402,
+                "type": "auto"
+            }
+        },
+        {
+            "id": "block_401",
+            "type": "block_request",
+            "parameters": {
+                "status_code": 401,
+                "type": "auto"
+            }
+        }
+    ],
+    "exclusions": [
+        {
+            "conditions": [
+                {
+                    "operator": "ip_match",
+                    "parameters": {
+                        "data": "suspicious_ips",
+                        "inputs": [
+                            {
+                                "address": "http.client_ip"
+                            }
+                        ]
+                    }
+                }
+            ],
+            "id": "suspicious_ip_blocking",
+            "on_match": "block_402"
+        },
+        {
+            "conditions": [
+                {
+                    "operator": "exact_match",
+                    "parameters": {
+                        "data": "suspicious_users",
+                        "inputs": [
+                            {
+                                "address": "usr.id"
+                            }
+                        ]
+                    }
+                }
+            ],
+            "transformers": [],
+            "id": "suspicious_user_blocking",
+            "on_match": "block_401"
+        }
+    ],
+    "exclusion_data": [
+        {
+            "id": "suspicious_ips",
+            "type": "ip_with_expiration",
+            "data": [
+                { "value": "1.2.3.4" }
+            ]
+        },
+        {
+            "id": "suspicious_users",
+            "type": "data_with_expiration",
+            "data": [
+                { "value": "blocked-user-1" }
+            ]
+        }
+    ]
+}
diff --git a/internal/appsec/waf_test.go b/internal/appsec/waf_test.go
index 4b3e7517cc..1a449f5436 100644
--- a/internal/appsec/waf_test.go
+++ b/internal/appsec/waf_test.go
@@ -45,7 +45,7 @@ func TestCustomRules(t *testing.T) {
 
 	// Start and trace an HTTP server
 	mux := httptrace.NewServeMux()
-	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/", func(w http.ResponseWriter, _ *http.Request) {
 		w.Write([]byte("Hello World!\n"))
 	})
 
@@ -102,10 +102,10 @@ func TestUserRules(t *testing.T) {
 
 	// Start and trace an HTTP server
 	mux := httptrace.NewServeMux()
-	mux.HandleFunc("/hello", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/hello", func(w http.ResponseWriter, _ *http.Request) {
 		w.Write([]byte("Hello World!\n"))
 	})
-	mux.HandleFunc("/response-header", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/response-header", func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("match-response-header", "match-response-header")
 		w.WriteHeader(204)
 	})
@@ -168,7 +168,7 @@ func TestWAF(t *testing.T) {
 
 	// Start and trace an HTTP server
 	mux := httptrace.NewServeMux()
-	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/", func(w http.ResponseWriter, _ *http.Request) {
 		w.Write([]byte("Hello World!\n"))
 	})
 	mux.HandleFunc("/body", func(w http.ResponseWriter, r *http.Request) {
@@ -324,7 +324,7 @@ func TestBlocking(t *testing.T) {
 
 	// Start and trace an HTTP server
 	mux := httptrace.NewServeMux()
-	mux.HandleFunc("/ip", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/ip", func(w http.ResponseWriter, _ *http.Request) {
 		w.Write([]byte("Hello World!\n"))
 	})
 	mux.HandleFunc("/user", func(w http.ResponseWriter, r *http.Request) {
@@ -598,6 +598,124 @@ func TestRASPLFI(t *testing.T) {
 	}
 }
 
+func TestSuspiciousAttackerBlocking(t *testing.T) {
+	t.Setenv("DD_APPSEC_RULES", "testdata/sab.json")
+	appsec.Start()
+	defer appsec.Stop()
+	if !appsec.Enabled() {
+		t.Skip("AppSec needs to be enabled for this test")
+	}
+
+	const bodyBlockingRule = "crs-933-130-block"
+
+	// Start and trace an HTTP server
+	mux := httptrace.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		if err := pAppsec.SetUser(r.Context(), r.Header.Get("test-usr")); err != nil {
+			return
+		}
+		buf := new(strings.Builder)
+		io.Copy(buf, r.Body)
+		if err := pAppsec.MonitorParsedHTTPBody(r.Context(), buf.String()); err != nil {
+			return
+		}
+		w.Write([]byte("Hello World!\n"))
+	})
+	srv := httptest.NewServer(mux)
+	defer srv.Close()
+
+	for _, tc := range []struct {
+		name      string
+		headers   map[string]string
+		status    int
+		ruleMatch string
+		attack    string
+	}{
+		{
+			name:   "ip/not-suspicious/no-attack",
+			status: 200,
+		},
+		{
+			name:    "ip/suspicious/no-attack",
+			headers: map[string]string{"x-forwarded-for": "1.2.3.4"},
+			status:  200,
+		},
+		{
+			name:      "ip/not-suspicious/attack",
+			status:    200,
+			attack:    "$globals",
+			ruleMatch: bodyBlockingRule,
+		},
+		{
+			name:      "ip/suspicious/attack",
+			headers:   map[string]string{"x-forwarded-for": "1.2.3.4"},
+			status:    402,
+			attack:    "$globals",
+			ruleMatch: bodyBlockingRule,
+		},
+		{
+			name:   "user/not-suspicious/no-attack",
+			status: 200,
+		},
+		{
+			name:    "user/suspicious/no-attack",
+			headers: map[string]string{"test-usr": "blocked-user-1"},
+			status:  200,
+		},
+		{
+			name:      "user/not-suspicious/attack",
+			status:    200,
+			attack:    "$globals",
+			ruleMatch: bodyBlockingRule,
+		},
+		{
+			name:      "user/suspicious/attack",
+			headers:   map[string]string{"test-usr": "blocked-user-1"},
+			status:    401,
+			attack:    "$globals",
+			ruleMatch: bodyBlockingRule,
+		},
+		{
+			name:    "ip+user/suspicious/no-attack",
+			headers: map[string]string{"x-forwarded-for": "1.2.3.4", "test-usr": "blocked-user-1"},
+			status:  200,
+		},
+		{
+			name:      "ip+user/suspicious/attack",
+			headers:   map[string]string{"x-forwarded-for": "1.2.3.4", "test-usr": "blocked-user-1"},
+			status:    402,
+			attack:    "$globals",
+			ruleMatch: bodyBlockingRule,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			mt := mocktracer.Start()
+			defer mt.Stop()
+			req, err := http.NewRequest("POST", srv.URL, strings.NewReader(tc.attack))
+			require.NoError(t, err)
+			for k, v := range tc.headers {
+				req.Header.Set(k, v)
+			}
+			res, err := srv.Client().Do(req)
+			require.NoError(t, err)
+			defer res.Body.Close()
+			if tc.ruleMatch != "" {
+				spans := mt.FinishedSpans()
+				require.Len(t, spans, 1)
+				require.Contains(t, spans[0].Tag("_dd.appsec.json"), tc.ruleMatch)
+			}
+			require.Equal(t, tc.status, res.StatusCode)
+			b, err := io.ReadAll(res.Body)
+			require.NoError(t, err)
+			if tc.status == 200 {
+				require.Equal(t, "Hello World!\n", string(b))
+			} else {
+				require.NotEqual(t, "Hello World!\n", string(b))
+			}
+		})
+	}
+}
+
 // BenchmarkSampleWAFContext benchmarks the creation of a WAF context and running the WAF on a request/response pair
 // This is a basic sample of what could happen in a real-world scenario.
 func BenchmarkSampleWAFContext(b *testing.B) {
@@ -623,10 +741,10 @@ func BenchmarkSampleWAFContext(b *testing.B) {
 		_, err = ctx.Run(
 			waf.RunAddressData{
 				Persistent: map[string]any{
-					httpsec.HTTPClientIPAddr:        "1.1.1.1",
-					httpsec.ServerRequestMethodAddr: "GET",
-					httpsec.ServerRequestRawURIAddr: "/",
-					httpsec.ServerRequestHeadersNoCookiesAddr: map[string][]string{
+					addresses.ClientIPAddr:            "1.1.1.1",
+					addresses.ServerRequestMethodAddr: "GET",
+					addresses.ServerRequestRawURIAddr: "/",
+					addresses.ServerRequestHeadersNoCookiesAddr: map[string][]string{
 						"host":            {"example.com"},
 						"content-length":  {"0"},
 						"Accept":          {"application/json"},
@@ -634,13 +752,13 @@ func BenchmarkSampleWAFContext(b *testing.B) {
 						"Accept-Encoding": {"gzip"},
 						"Connection":      {"close"},
 					},
-					httpsec.ServerRequestCookiesAddr: map[string][]string{
+					addresses.ServerRequestCookiesAddr: map[string][]string{
 						"cookie": {"session=1234"},
 					},
-					httpsec.ServerRequestQueryAddr: map[string][]string{
+					addresses.ServerRequestQueryAddr: map[string][]string{
 						"query": {"value"},
 					},
-					httpsec.ServerRequestPathParamsAddr: map[string]string{
+					addresses.ServerRequestPathParamsAddr: map[string]string{
 						"param": "value",
 					},
 				},
@@ -654,12 +772,12 @@ func BenchmarkSampleWAFContext(b *testing.B) {
 		_, err = ctx.Run(
 			waf.RunAddressData{
 				Persistent: map[string]any{
-					httpsec.ServerResponseHeadersNoCookiesAddr: map[string][]string{
+					addresses.ServerResponseHeadersNoCookiesAddr: map[string][]string{
 						"content-type":   {"application/json"},
 						"content-length": {"0"},
 						"Connection":     {"close"},
 					},
-					httpsec.ServerResponseStatusAddr: 200,
+					addresses.ServerResponseStatusAddr: 200,
 				},
 			})
 
@@ -671,6 +789,54 @@ func BenchmarkSampleWAFContext(b *testing.B) {
 	}
 }
 
+func TestAttackerFingerprinting(t *testing.T) {
+	t.Setenv("DD_APPSEC_RULES", "testdata/fp.json")
+	appsec.Start()
+	defer appsec.Stop()
+	if !appsec.Enabled() {
+		t.Skip("AppSec needs to be enabled for this test")
+	}
+
+	// Start and trace an HTTP server
+	mux := httptrace.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		pAppsec.TrackUserLoginSuccessEvent(
+			r.Context(),
+			"toto",
+			map[string]string{},
+			tracer.WithUserSessionID("sessionID"))
+
+		pAppsec.MonitorParsedHTTPBody(r.Context(), map[string]string{"key": "value"})
+
+		w.Write([]byte("Hello World!\n"))
+	})
+	srv := httptest.NewServer(mux)
+	defer srv.Close()
+
+	mt := mocktracer.Start()
+	defer mt.Stop()
+	req, err := http.NewRequest("POST", srv.URL+"/test?x=1", nil)
+	require.NoError(t, err)
+	req.AddCookie(&http.Cookie{Name: "cookie", Value: "value"})
+	resp, err := srv.Client().Do(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.Len(t, mt.FinishedSpans(), 1)
+
+	tags := mt.FinishedSpans()[0].Tags()
+
+	require.Contains(t, tags, "_dd.appsec.fp.http.header")
+	require.Contains(t, tags, "_dd.appsec.fp.http.endpoint")
+	require.Contains(t, tags, "_dd.appsec.fp.http.network")
+	require.Contains(t, tags, "_dd.appsec.fp.session")
+
+	require.Regexp(t, `^hdr-`, tags["_dd.appsec.fp.http.header"])
+	require.Regexp(t, `^http-`, tags["_dd.appsec.fp.http.endpoint"])
+	require.Regexp(t, `^ssn-`, tags["_dd.appsec.fp.session"])
+	require.Regexp(t, `^net-`, tags["_dd.appsec.fp.http.network"])
+}
+
 func init() {
 	// This permits running the tests locally without defining the env var manually
 	// We do this because the default go-libddwaf timeout value is too small and makes the tests timeout for no reason
diff --git a/internal/appsec/waf_unit_test.go b/internal/appsec/waf_unit_test.go
index c4c96fa63a..ae7e2b3917 100644
--- a/internal/appsec/waf_unit_test.go
+++ b/internal/appsec/waf_unit_test.go
@@ -10,11 +10,11 @@ import (
 	"testing"
 
 	internal "github.com/DataDog/appsec-internal-go/appsec"
-	"github.com/DataDog/dd-trace-go/v2/instrumentation/appsec/trace"
-	"github.com/DataDog/dd-trace-go/v2/internal/appsec/listener/httpsec"
 	waf "github.com/DataDog/go-libddwaf/v3"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/DataDog/dd-trace-go/v2/internal/appsec/emitter/waf/addresses"
 )
 
 func TestAPISecuritySchemaCollection(t *testing.T) {
@@ -113,7 +113,7 @@ func TestAPISecuritySchemaCollection(t *testing.T) {
 		{
 			name: "headers",
 			addresses: map[string]any{
-				httpsec.ServerRequestHeadersNoCookiesAddr: map[string][]string{
+				addresses.ServerRequestHeadersNoCookiesAddr: map[string][]string{
 					"my-header": {"is-beautiful"},
 				},
 			},
@@ -124,7 +124,7 @@ func TestAPISecuritySchemaCollection(t *testing.T) {
 		{
 			name: "path-params",
 			addresses: map[string]any{
-				httpsec.ServerRequestPathParamsAddr: map[string]string{
+				addresses.ServerRequestPathParamsAddr: map[string]string{
 					"my-path-param": "is-beautiful",
 				},
 			},
@@ -135,7 +135,7 @@ func TestAPISecuritySchemaCollection(t *testing.T) {
 		{
 			name: "query",
 			addresses: map[string]any{
-				httpsec.ServerRequestQueryAddr: map[string][]string{"my-query": {"is-beautiful"}, "my-query-2": {"so-pretty"}},
+				addresses.ServerRequestQueryAddr: map[string][]string{"my-query": {"is-beautiful"}, "my-query-2": {"so-pretty"}},
 			},
 			tags: map[string]string{
 				"_dd.appsec.s.req.query": `[{"my-query":[[[8]],{"len":1}],"my-query-2":[[[8]],{"len":1}]}]`,
@@ -144,13 +144,13 @@ func TestAPISecuritySchemaCollection(t *testing.T) {
 		{
 			name: "combined",
 			addresses: map[string]any{
-				httpsec.ServerRequestHeadersNoCookiesAddr: map[string][]string{
+				addresses.ServerRequestHeadersNoCookiesAddr: map[string][]string{
 					"my-header": {"is-beautiful"},
 				},
-				httpsec.ServerRequestPathParamsAddr: map[string]string{
+				addresses.ServerRequestPathParamsAddr: map[string]string{
 					"my-path-param": "is-beautiful",
 				},
-				httpsec.ServerRequestQueryAddr: map[string][]string{"my-query": {"is-beautiful"}, "my-query-2": {"so-pretty"}},
+				addresses.ServerRequestQueryAddr: map[string][]string{"my-query": {"is-beautiful"}, "my-query-2": {"so-pretty"}},
 			},
 			tags: map[string]string{
 				"_dd.appsec.s.req.headers": `[{"my-header":[[[8]],{"len":1}]}]`,
@@ -176,13 +176,10 @@ func TestAPISecuritySchemaCollection(t *testing.T) {
 			wafRes, err := wafCtx.Run(runData)
 			require.NoError(t, err)
 			require.True(t, wafRes.HasDerivatives())
-			tagsHolder := trace.NewTagsHolder()
 			for k, v := range wafRes.Derivatives {
-				tagsHolder.AddSerializableTag(k, v)
-			}
-
-			for tag, val := range tagsHolder.Tags() {
-				require.Equal(t, tc.tags[tag], val)
+				res, err := json.Marshal(v)
+				require.NoError(t, err)
+				require.Equal(t, tc.tags[k], string(res))
 			}
 		})
 	}
diff --git a/internal/civisibility/constants/env.go b/internal/civisibility/constants/env.go
index ebc00fcb69..66e6de7636 100644
--- a/internal/civisibility/constants/env.go
+++ b/internal/civisibility/constants/env.go
@@ -24,4 +24,17 @@ const (
 	// This environment variable should be set to your Datadog API key, allowing the agentless mode to authenticate and
 	// send data directly to the Datadog platform.
 	APIKeyEnvironmentVariable = "DD_API_KEY"
+
+	// CIVisibilityTestSessionNameEnvironmentVariable indicate the test session name to be used on CI Visibility payloads
+	CIVisibilityTestSessionNameEnvironmentVariable = "DD_TEST_SESSION_NAME"
+
+	// CIVisibilityFlakyRetryEnabledEnvironmentVariable kill-switch that allows to explicitly disable retries even if the remote setting is enabled.
+	// This environment variable should be set to "0" or "false" to disable the flaky retry feature.
+	CIVisibilityFlakyRetryEnabledEnvironmentVariable = "DD_CIVISIBILITY_FLAKY_RETRY_ENABLED"
+
+	// CIVisibilityFlakyRetryCountEnvironmentVariable indicates the maximum number of retry attempts for a single test case.
+	CIVisibilityFlakyRetryCountEnvironmentVariable = "DD_CIVISIBILITY_FLAKY_RETRY_COUNT"
+
+	// CIVisibilityTotalFlakyRetryCountEnvironmentVariable indicates the maximum number of retry attempts for the entire session.
+	CIVisibilityTotalFlakyRetryCountEnvironmentVariable = "DD_CIVISIBILITY_TOTAL_FLAKY_RETRY_COUNT"
 )
diff --git a/internal/civisibility/constants/git.go b/internal/civisibility/constants/git.go
index 6265be391a..a373132950 100644
--- a/internal/civisibility/constants/git.go
+++ b/internal/civisibility/constants/git.go
@@ -49,4 +49,13 @@ const (
 	// GitTag indicates the current git tag.
 	// This constant is used to tag traces with the tag name associated with the current commit.
 	GitTag = "git.tag"
+
+	// GitHeadCommit indicates the GIT head commit hash.
+	GitHeadCommit = "git.commit.head_sha"
+
+	// GitPrBaseCommit indicates the GIT PR base commit hash.
+	GitPrBaseCommit = "git.pull_request.base_branch_sha"
+
+	// GitPrBaseBranch indicates the GIT PR base branch name.
+	GitPrBaseBranch = "git.pull_request.base_branch"
 )
diff --git a/internal/civisibility/constants/tags.go b/internal/civisibility/constants/tags.go
index 4563cb8839..0a6d690835 100644
--- a/internal/civisibility/constants/tags.go
+++ b/internal/civisibility/constants/tags.go
@@ -10,6 +10,10 @@ const (
 	// This tag helps in identifying the source of the trace data.
 	Origin = "_dd.origin"
 
+	// LogicalCPUCores is a tag used to indicate the number of logical cpu cores
+	// This tag is used by the backend to perform calculations
+	LogicalCPUCores = "_dd.host.vcpu_count"
+
 	// CIAppTestOrigin defines the CIApp test origin value.
 	// This constant is used to tag traces that originate from CIApp test executions.
 	CIAppTestOrigin = "ciapp-test"
diff --git a/internal/civisibility/constants/test_tags.go b/internal/civisibility/constants/test_tags.go
index 3a621a20be..7248d82450 100644
--- a/internal/civisibility/constants/test_tags.go
+++ b/internal/civisibility/constants/test_tags.go
@@ -46,6 +46,10 @@ const (
 	// This constant is used to tag traces with the line number in the source file where the test starts.
 	TestSourceStartLine = "test.source.start"
 
+	// TestSourceEndLine indicates the line of the source file where the test ends.
+	// This constant is used to tag traces with the line number in the source file where the test ends.
+	TestSourceEndLine = "test.source.end"
+
 	// TestCodeOwners indicates the test code owners.
 	// This constant is used to tag traces with the code owners responsible for the test.
 	TestCodeOwners = "test.codeowners"
@@ -61,6 +65,21 @@ const (
 	// TestCommandWorkingDirectory indicates the test command working directory relative to the source root.
 	// This constant is used to tag traces with the working directory path relative to the source root.
 	TestCommandWorkingDirectory = "test.working_directory"
+
+	// TestSessionName indicates the test session name
+	// This constant is used to tag traces with the test session name
+	TestSessionName = "test_session.name"
+
+	// TestIsNew indicates a new test
+	// This constant is used to tag test events that are detected as new by early flake detection
+	TestIsNew = "test.is_new"
+
+	// TestIsRetry indicates a retry execution
+	// This constant is used to tag test events that are part of a retry execution
+	TestIsRetry = "test.is_retry"
+
+	// TestEarlyFlakeDetectionRetryAborted indicates a retry abort reason by the early flake detection feature
+	TestEarlyFlakeDetectionRetryAborted = "test.early_flake.abort_reason"
 )
 
 // Define valid test status types.
diff --git a/internal/civisibility/integrations/civisibility.go b/internal/civisibility/integrations/civisibility.go
index f2b4663666..5469261f41 100644
--- a/internal/civisibility/integrations/civisibility.go
+++ b/internal/civisibility/integrations/civisibility.go
@@ -55,6 +55,14 @@ func InitializeCIVisibilityMock() mocktracer.Tracer {
 
 func internalCiVisibilityInitialization(tracerInitializer func([]tracer.StartOption)) {
 	ciVisibilityInitializationOnce.Do(func() {
+		// check the debug flag to enable debug logs. The tracer initialization happens
+		// after the CI Visibility initialization so we need to handle this flag ourselves
+		if internal.BoolEnv("DD_TRACE_DEBUG", false) {
+			log.SetLevel(log.LevelDebug)
+		}
+
+		log.Debug("civisibility: initializing")
+
 		// Since calling this method indicates we are in CI Visibility mode, set the environment variable.
 		_ = os.Setenv(constants.CIVisibilityEnabledEnvironmentVariable, "1")
 
@@ -66,22 +74,29 @@ func internalCiVisibilityInitialization(tracerInitializer func([]tracer.StartOpt
 
 		// Preload all CI, Git, and CodeOwners tags.
 		ciTags := utils.GetCITags()
+		_ = utils.GetCIMetrics()
 
 		// Check if DD_SERVICE has been set; otherwise default to the repo name (from the spec).
 		var opts []tracer.StartOption
-		if v := os.Getenv("DD_SERVICE"); v == "" {
+		serviceName := os.Getenv("DD_SERVICE")
+		if serviceName == "" {
 			if repoURL, ok := ciTags[constants.GitRepositoryURL]; ok {
 				// regex to sanitize the repository url to be used as a service name
-				repoRegex := regexp.MustCompile(`(?m)/([a-zA-Z0-9\\\-_.]*)$`)
+				repoRegex := regexp.MustCompile(`(?m)/([a-zA-Z0-9\-_.]*)$`)
 				matches := repoRegex.FindStringSubmatch(repoURL)
 				if len(matches) > 1 {
 					repoURL = strings.TrimSuffix(matches[1], ".git")
 				}
-				opts = append(opts, tracer.WithService(repoURL))
+				serviceName = repoURL
+				opts = append(opts, tracer.WithService(serviceName))
 			}
 		}
 
+		// Initializing additional features asynchronously
+		go func() { ensureAdditionalFeaturesInitialization(serviceName) }()
+
 		// Initialize the tracer
+		log.Debug("civisibility: initializing tracer")
 		tracerInitializer(opts)
 
 		// Handle SIGINT and SIGTERM signals to ensure we close all open spans and flush the tracer before exiting
@@ -104,13 +119,16 @@ func PushCiVisibilityCloseAction(action ciVisibilityCloseAction) {
 
 // ExitCiVisibility executes all registered close actions and stops the tracer.
 func ExitCiVisibility() {
+	log.Debug("civisibility: exiting")
 	closeActionsMutex.Lock()
 	defer closeActionsMutex.Unlock()
 	defer func() {
 		closeActions = []ciVisibilityCloseAction{}
 
+		log.Debug("civisibility: flushing and stopping tracer")
 		tracer.Flush()
 		tracer.Stop()
+		log.Debug("civisibility: done.")
 	}()
 	for _, v := range closeActions {
 		v()
diff --git a/internal/civisibility/integrations/civisibility_features.go b/internal/civisibility/integrations/civisibility_features.go
new file mode 100644
index 0000000000..420982337c
--- /dev/null
+++ b/internal/civisibility/integrations/civisibility_features.go
@@ -0,0 +1,118 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package integrations
+
+import (
+	"sync"
+
+	"github.com/DataDog/dd-trace-go/v2/internal"
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils/net"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+const (
+	DefaultFlakyRetryCount      = 5
+	DefaultFlakyTotalRetryCount = 1_000
+)
+
+type (
+	// FlakyRetriesSetting struct to hold all the settings related to flaky tests retries
+	FlakyRetriesSetting struct {
+		RetryCount               int64
+		TotalRetryCount          int64
+		RemainingTotalRetryCount int64
+	}
+)
+
+var (
+	// additionalFeaturesInitializationOnce ensures we do the additional features initialization just once
+	additionalFeaturesInitializationOnce sync.Once
+
+	// ciVisibilityRapidClient contains the http rapid client to do CI Visibility queries and upload to the rapid backend
+	ciVisibilityClient net.Client
+
+	// ciVisibilitySettings contains the CI Visibility settings for this session
+	ciVisibilitySettings net.SettingsResponseData
+
+	// ciVisibilityEarlyFlakyDetectionSettings contains the CI Visibility Early Flake Detection data for this session
+	ciVisibilityEarlyFlakyDetectionSettings net.EfdResponseData
+
+	// ciVisibilityFlakyRetriesSettings contains the CI Visibility Flaky Retries settings for this session
+	ciVisibilityFlakyRetriesSettings FlakyRetriesSetting
+)
+
+// ensureAdditionalFeaturesInitialization initialize all the additional features
+func ensureAdditionalFeaturesInitialization(serviceName string) {
+	additionalFeaturesInitializationOnce.Do(func() {
+		log.Debug("civisibility: initializing additional features")
+
+		// Create the CI Visibility client
+		ciVisibilityClient = net.NewClientWithServiceName(serviceName)
+		if ciVisibilityClient == nil {
+			log.Error("civisibility: error getting the ci visibility http client")
+			return
+		}
+
+		// Get the CI Visibility settings payload for this test session
+		ciSettings, err := ciVisibilityClient.GetSettings()
+		if err != nil {
+			log.Error("civisibility: error getting CI visibility settings: %v", err)
+		} else if ciSettings != nil {
+			ciVisibilitySettings = *ciSettings
+		}
+
+		// if early flake detection is enabled then we run the early flake detection request
+		if ciVisibilitySettings.EarlyFlakeDetection.Enabled {
+			ciEfdData, err := ciVisibilityClient.GetEarlyFlakeDetectionData()
+			if err != nil {
+				log.Error("civisibility: error getting CI visibility early flake detection data: %v", err)
+			} else if ciEfdData != nil {
+				ciVisibilityEarlyFlakyDetectionSettings = *ciEfdData
+				log.Debug("civisibility: early flake detection data loaded.")
+			}
+		}
+
+		// if flaky test retries is enabled then let's load the flaky retries settings
+		if ciVisibilitySettings.FlakyTestRetriesEnabled {
+			flakyRetryEnabledByEnv := internal.BoolEnv(constants.CIVisibilityFlakyRetryEnabledEnvironmentVariable, true)
+			if flakyRetryEnabledByEnv {
+				totalRetriesCount := (int64)(internal.IntEnv(constants.CIVisibilityTotalFlakyRetryCountEnvironmentVariable, DefaultFlakyTotalRetryCount))
+				retryCount := (int64)(internal.IntEnv(constants.CIVisibilityFlakyRetryCountEnvironmentVariable, DefaultFlakyRetryCount))
+				ciVisibilityFlakyRetriesSettings = FlakyRetriesSetting{
+					RetryCount:               retryCount,
+					TotalRetryCount:          totalRetriesCount,
+					RemainingTotalRetryCount: totalRetriesCount,
+				}
+				log.Debug("civisibility: automatic test retries enabled [retryCount: %v, totalRetryCount: %v]", retryCount, totalRetriesCount)
+			} else {
+				log.Warn("civisibility: flaky test retries was disabled by the environment variable")
+				ciVisibilitySettings.FlakyTestRetriesEnabled = false
+			}
+		}
+	})
+}
+
+// GetSettings gets the settings from the backend settings endpoint
+func GetSettings() *net.SettingsResponseData {
+	// call to ensure the additional features initialization is completed (service name can be null here)
+	ensureAdditionalFeaturesInitialization("")
+	return &ciVisibilitySettings
+}
+
+// GetEarlyFlakeDetectionSettings gets the early flake detection known tests data
+func GetEarlyFlakeDetectionSettings() *net.EfdResponseData {
+	// call to ensure the additional features initialization is completed (service name can be null here)
+	ensureAdditionalFeaturesInitialization("")
+	return &ciVisibilityEarlyFlakyDetectionSettings
+}
+
+// GetFlakyRetriesSettings gets the flaky retries settings
+func GetFlakyRetriesSettings() *FlakyRetriesSetting {
+	// call to ensure the additional features initialization is completed (service name can be null here)
+	ensureAdditionalFeaturesInitialization("")
+	return &ciVisibilityFlakyRetriesSettings
+}
diff --git a/internal/civisibility/integrations/gotesting/instrumentation.go b/internal/civisibility/integrations/gotesting/instrumentation.go
index 4a4e7c9775..177b65cdb1 100644
--- a/internal/civisibility/integrations/gotesting/instrumentation.go
+++ b/internal/civisibility/integrations/gotesting/instrumentation.go
@@ -7,279 +7,452 @@ package gotesting
 
 import (
 	"fmt"
-	"os"
 	"reflect"
 	"runtime"
-	"strings"
+	"slices"
+	"sync"
 	"sync/atomic"
 	"testing"
 	"time"
+	"unsafe"
 
 	"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
 	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations"
 	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils"
 )
 
-// The following functions are being used by the gotesting package for manual instrumentation and the orchestrion
-// automatic instrumentation
+type (
+	// instrumentationMetadata contains the internal instrumentation metadata
+	instrumentationMetadata struct {
+		IsInternal bool
+	}
 
-// instrumentTestingM helper function to instrument internalTests and internalBenchmarks in a `*testing.M` instance.
-func instrumentTestingM(m *testing.M) func(exitCode int) {
-	// Initialize CI Visibility
-	integrations.EnsureCiVisibilityInitialization()
+	// testExecutionMetadata contains metadata regarding an unique *testing.T or *testing.B execution
+	testExecutionMetadata struct {
+		test                        integrations.DdTest // internal CI Visibility test event
+		error                       atomic.Int32        // flag to check if the test event has error data already
+		skipped                     atomic.Int32        // flag to check if the test event has skipped data already
+		panicData                   any                 // panic data recovered from an internal test execution when using an additional feature wrapper
+		panicStacktrace             string              // stacktrace from the panic recovered from an internal test
+		isARetry                    bool                // flag to tag if a current test execution is a retry
+		isANewTest                  bool                // flag to tag if a current test execution is part of a new test (EFD not known test)
+		hasAdditionalFeatureWrapper bool                // flag to check if the current execution is part of an additional feature wrapper
+	}
 
-	// Create a new test session for CI visibility.
-	session = integrations.CreateTestSession()
+	// runTestWithRetryOptions contains the options for calling runTestWithRetry function
+	runTestWithRetryOptions struct {
+		targetFunc        func(t *testing.T)                                                            // target function to retry
+		t                 *testing.T                                                                    // test to be executed
+		initialRetryCount int64                                                                         // initial retry count
+		adjustRetryCount  func(duration time.Duration) int64                                            // adjust retry count function depending on the duration of the first execution
+		shouldRetry       func(ptrToLocalT *testing.T, executionIndex int, remainingRetries int64) bool // function to decide whether we want to perform a retry
+		perExecution      func(ptrToLocalT *testing.T, executionIndex int, duration time.Duration)      // function to run after each test execution
+		onRetryEnd        func(t *testing.T, executionIndex int, lastPtrToLocalT *testing.T)            // function executed when all execution have finished
+		execMetaAdjust    func(execMeta *testExecutionMetadata, executionIndex int)                     // function to modify the execution metadata for each execution
+	}
+)
 
-	ddm := (*M)(m)
+var (
+	// ciVisibilityEnabledValue holds a value to check if ci visibility is enabled or not (1 = enabled / 0 = disabled)
+	ciVisibilityEnabledValue int32 = -1
 
-	// Instrument the internal tests for CI visibility.
-	ddm.instrumentInternalTests(getInternalTestArray(m))
+	// instrumentationMap holds a map of *runtime.Func for tracking instrumented functions
+	instrumentationMap = map[*runtime.Func]*instrumentationMetadata{}
 
-	// Instrument the internal benchmarks for CI visibility.
-	for _, v := range os.Args {
-		// check if benchmarking is enabled to instrument
-		if strings.Contains(v, "-bench") || strings.Contains(v, "test.bench") {
-			ddm.instrumentInternalBenchmarks(getInternalBenchmarkArray(m))
-			break
+	// instrumentationMapMutex is a read-write mutex for synchronizing access to instrumentationMap.
+	instrumentationMapMutex sync.RWMutex
+
+	// ciVisibilityTests holds a map of *testing.T or *testing.B to execution metadata for tracking tests.
+	ciVisibilityTestMetadata = map[unsafe.Pointer]*testExecutionMetadata{}
+
+	// ciVisibilityTestMetadataMutex is a read-write mutex for synchronizing access to ciVisibilityTestMetadata.
+	ciVisibilityTestMetadataMutex sync.RWMutex
+)
+
+// isCiVisibilityEnabled gets if CI Visibility has been enabled or disabled by the "DD_CIVISIBILITY_ENABLED" environment variable
+func isCiVisibilityEnabled() bool {
+	// let's check if the value has already been loaded from the env-vars
+	enabledValue := atomic.LoadInt32(&ciVisibilityEnabledValue)
+	if enabledValue == -1 {
+		// Get the DD_CIVISIBILITY_ENABLED env var, if not present we default to false (for now). This is because if we are here, it means
+		// that the process was instrumented for ci visibility or by using orchestrion.
+		// So effectively this env-var will act as a kill switch for cases where the code is instrumented, but
+		// we don't want the civisibility instrumentation to be enabled.
+		// *** For preview releases we will default to false, meaning that the use of ci visibility must be opt-in ***
+		if internal.BoolEnv(constants.CIVisibilityEnabledEnvironmentVariable, false) {
+			atomic.StoreInt32(&ciVisibilityEnabledValue, 1)
+			return true
+		} else {
+			atomic.StoreInt32(&ciVisibilityEnabledValue, 0)
+			return false
 		}
 	}
 
-	return func(exitCode int) {
-		// Close the session and return the exit code.
-		session.Close(exitCode)
+	return enabledValue == 1
+}
 
-		// Finalize CI Visibility
-		integrations.ExitCiVisibility()
+// getInstrumentationMetadata gets the stored instrumentation metadata for a given *runtime.Func.
+func getInstrumentationMetadata(fn *runtime.Func) *instrumentationMetadata {
+	instrumentationMapMutex.RLock()
+	defer instrumentationMapMutex.RUnlock()
+	if v, ok := instrumentationMap[fn]; ok {
+		return v
 	}
+	return nil
 }
 
-// instrumentTestingTFunc helper function to instrument a testing function func(*testing.T)
-func instrumentTestingTFunc(f func(*testing.T)) func(*testing.T) {
-	// Reflect the function to obtain its pointer.
-	fReflect := reflect.Indirect(reflect.ValueOf(f))
-	moduleName, suiteName := utils.GetModuleAndSuiteName(fReflect.Pointer())
-	originalFunc := runtime.FuncForPC(fReflect.Pointer())
-
-	// Increment the test count in the module.
-	atomic.AddInt32(modulesCounters[moduleName], 1)
-
-	// Increment the test count in the suite.
-	atomic.AddInt32(suitesCounters[suiteName], 1)
-
-	return func(t *testing.T) {
-		// Create or retrieve the module, suite, and test for CI visibility.
-		module := session.GetOrCreateModuleWithFramework(moduleName, testFramework, runtime.Version())
-		suite := module.GetOrCreateSuite(suiteName)
-		test := suite.CreateTest(t.Name())
-		test.SetTestFunc(originalFunc)
-		setCiVisibilityTest(t, test)
-		defer func() {
-			if r := recover(); r != nil {
-				// Handle panic and set error information.
-				test.SetErrorInfo("panic", fmt.Sprint(r), utils.GetStacktrace(1))
-				test.Close(integrations.ResultStatusFail)
-				checkModuleAndSuite(module, suite)
-				integrations.ExitCiVisibility()
-				panic(r)
-			} else {
-				// Normal finalization: determine the test result based on its state.
-				if t.Failed() {
-					test.SetTag(ext.Error, true)
-					suite.SetTag(ext.Error, true)
-					module.SetTag(ext.Error, true)
-					test.Close(integrations.ResultStatusFail)
-				} else if t.Skipped() {
-					test.Close(integrations.ResultStatusSkip)
-				} else {
-					test.Close(integrations.ResultStatusPass)
-				}
-				checkModuleAndSuite(module, suite)
-			}
-		}()
+// setInstrumentationMetadata stores an instrumentation metadata for a given *runtime.Func.
+func setInstrumentationMetadata(fn *runtime.Func, metadata *instrumentationMetadata) {
+	instrumentationMapMutex.RLock()
+	defer instrumentationMapMutex.RUnlock()
+	instrumentationMap[fn] = metadata
+}
 
-		// Execute the original test function.
-		f(t)
-	}
+// createTestMetadata creates the CI visibility test metadata associated with a given *testing.T, *testing.B, *testing.common
+func createTestMetadata(tb testing.TB) *testExecutionMetadata {
+	ciVisibilityTestMetadataMutex.RLock()
+	defer ciVisibilityTestMetadataMutex.RUnlock()
+	execMetadata := &testExecutionMetadata{}
+	ciVisibilityTestMetadata[reflect.ValueOf(tb).UnsafePointer()] = execMetadata
+	return execMetadata
 }
 
-// instrumentTestingTSetErrorInfo helper function to set an error in the `testing.T` CI Visibility span
-func instrumentTestingTSetErrorInfo(t *testing.T, errType string, errMessage string, skip int) {
-	ciTest := getCiVisibilityTest(t)
-	if ciTest != nil {
-		ciTest.SetErrorInfo(errType, errMessage, utils.GetStacktrace(2+skip))
+// getTestMetadata retrieves the CI visibility test metadata associated with a given *testing.T, *testing.B, *testing.common
+func getTestMetadata(tb testing.TB) *testExecutionMetadata {
+	return getTestMetadataFromPointer(reflect.ValueOf(tb).UnsafePointer())
+}
+
+// getTestMetadataFromPointer retrieves the CI visibility test metadata associated with a given *testing.T, *testing.B, *testing.common using a pointer
+func getTestMetadataFromPointer(ptr unsafe.Pointer) *testExecutionMetadata {
+	ciVisibilityTestMetadataMutex.RLock()
+	defer ciVisibilityTestMetadataMutex.RUnlock()
+	if v, ok := ciVisibilityTestMetadata[ptr]; ok {
+		return v
 	}
+	return nil
 }
 
-// instrumentTestingTCloseAndSkip helper function to close and skip with a reason a `testing.T` CI Visibility span
-func instrumentTestingTCloseAndSkip(t *testing.T, skipReason string) {
-	ciTest := getCiVisibilityTest(t)
-	if ciTest != nil {
-		ciTest.CloseWithFinishTimeAndSkipReason(integrations.ResultStatusSkip, time.Now(), skipReason)
+// deleteTestMetadata delete the CI visibility test metadata associated with a given *testing.T, *testing.B, *testing.common
+func deleteTestMetadata(tb testing.TB) {
+	ciVisibilityTestMetadataMutex.RLock()
+	defer ciVisibilityTestMetadataMutex.RUnlock()
+	delete(ciVisibilityTestMetadata, reflect.ValueOf(tb).UnsafePointer())
+}
+
+// checkIfCIVisibilityExitIsRequiredByPanic checks the additional features settings to decide if we allow individual tests to panic or not
+func checkIfCIVisibilityExitIsRequiredByPanic() bool {
+	// Apply additional features
+	settings := integrations.GetSettings()
+
+	// If we don't plan to do retries then we allow to panic
+	return !settings.FlakyTestRetriesEnabled && !settings.EarlyFlakeDetection.Enabled
+}
+
+// applyAdditionalFeaturesToTestFunc applies all the additional features as wrapper of a func(*testing.T)
+func applyAdditionalFeaturesToTestFunc(f func(*testing.T), testInfo *commonInfo) func(*testing.T) {
+	// Apply additional features
+	settings := integrations.GetSettings()
+
+	// Check if we have something to do, if not we bail out
+	if !settings.FlakyTestRetriesEnabled && !settings.EarlyFlakeDetection.Enabled {
+		return f
+	}
+
+	// Target function
+	targetFunc := f
+
+	// Flaky test retries
+	if settings.FlakyTestRetriesEnabled {
+		targetFunc = applyFlakyTestRetriesAdditionalFeature(targetFunc)
+	}
+
+	// Early flake detection
+	if settings.EarlyFlakeDetection.Enabled {
+		targetFunc = applyEarlyFlakeDetectionAdditionalFeature(testInfo, targetFunc, settings)
 	}
+
+	// Register the instrumented func as an internal instrumented func (to avoid double instrumentation)
+	setInstrumentationMetadata(runtime.FuncForPC(reflect.ValueOf(targetFunc).Pointer()), &instrumentationMetadata{IsInternal: true})
+	return targetFunc
 }
 
-// instrumentTestingTSkipNow helper function to close and skip a `testing.T` CI Visibility span
-func instrumentTestingTSkipNow(t *testing.T) {
-	ciTest := getCiVisibilityTest(t)
-	if ciTest != nil {
-		ciTest.Close(integrations.ResultStatusSkip)
+// applyFlakyTestRetriesAdditionalFeature applies the flaky test retries feature as a wrapper of a func(*testing.T)
+func applyFlakyTestRetriesAdditionalFeature(targetFunc func(*testing.T)) func(*testing.T) {
+	flakyRetrySettings := integrations.GetFlakyRetriesSettings()
+
+	// If the retry count per test is > 1 and if we still have remaining total retry count
+	if flakyRetrySettings.RetryCount > 1 && flakyRetrySettings.RemainingTotalRetryCount > 0 {
+		return func(t *testing.T) {
+			runTestWithRetry(&runTestWithRetryOptions{
+				targetFunc:        targetFunc,
+				t:                 t,
+				initialRetryCount: flakyRetrySettings.RetryCount,
+				adjustRetryCount:  nil, // No adjustRetryCount
+				shouldRetry: func(ptrToLocalT *testing.T, executionIndex int, remainingRetries int64) bool {
+					remainingTotalRetries := atomic.AddInt64(&flakyRetrySettings.RemainingTotalRetryCount, -1)
+					// Decide whether to retry
+					return ptrToLocalT.Failed() && remainingRetries >= 0 && remainingTotalRetries >= 0
+				},
+				perExecution: nil, // No perExecution needed
+				onRetryEnd: func(t *testing.T, executionIndex int, lastPtrToLocalT *testing.T) {
+					// Update original `t` with results from last execution
+					tCommonPrivates := getTestPrivateFields(t)
+					tCommonPrivates.SetFailed(lastPtrToLocalT.Failed())
+					tCommonPrivates.SetSkipped(lastPtrToLocalT.Skipped())
+
+					// Update parent status if failed
+					if lastPtrToLocalT.Failed() {
+						tParentCommonPrivates := getTestParentPrivateFields(t)
+						tParentCommonPrivates.SetFailed(true)
+					}
+
+					// Print summary after retries
+					if executionIndex > 0 {
+						status := "passed"
+						if t.Failed() {
+							status = "failed"
+						} else if t.Skipped() {
+							status = "skipped"
+						}
+
+						fmt.Printf("    [ %v after %v retries by Datadog's auto test retries ]\n", status, executionIndex)
+					}
+
+					// Check if total retry count was exceeded
+					if flakyRetrySettings.RemainingTotalRetryCount < 1 {
+						fmt.Println("    the maximum number of total retries was exceeded.")
+					}
+				},
+				execMetaAdjust: nil, // No execMetaAdjust needed
+			})
+		}
 	}
+	return targetFunc
 }
 
-// instrumentTestingBFunc helper function to instrument a benchmark function func(*testing.B)
-func instrumentTestingBFunc(pb *testing.B, name string, f func(*testing.B)) (string, func(*testing.B)) {
-	// Avoid instrumenting twice
-	if hasCiVisibilityBenchmarkFunc(&f) {
-		return name, f
+// applyEarlyFlakeDetectionAdditionalFeature applies the early flake detection feature as a wrapper of a func(*testing.T)
+func applyEarlyFlakeDetectionAdditionalFeature(testInfo *commonInfo, targetFunc func(*testing.T), settings *net.SettingsResponseData) func(*testing.T) {
+	earlyFlakeDetectionData := integrations.GetEarlyFlakeDetectionSettings()
+	if earlyFlakeDetectionData != nil &&
+		len(earlyFlakeDetectionData.Tests) > 0 {
+
+		// Define is a known test flag
+		isAKnownTest := false
+
+		// Check if the test is a known test or a new one
+		if knownSuites, ok := earlyFlakeDetectionData.Tests[testInfo.moduleName]; ok {
+			if knownTests, ok := knownSuites[testInfo.suiteName]; ok {
+				if slices.Contains(knownTests, testInfo.testName) {
+					isAKnownTest = true
+				}
+			}
+		}
+
+		// If it's a new test, then we apply the EFD wrapper
+		if !isAKnownTest {
+			return func(t *testing.T) {
+				var testPassCount, testSkipCount, testFailCount int
+
+				runTestWithRetry(&runTestWithRetryOptions{
+					targetFunc:        targetFunc,
+					t:                 t,
+					initialRetryCount: 0,
+					adjustRetryCount: func(duration time.Duration) int64 {
+						slowTestRetriesSettings := settings.EarlyFlakeDetection.SlowTestRetries
+						durationSecs := duration.Seconds()
+						if durationSecs < 5 {
+							return int64(slowTestRetriesSettings.FiveS)
+						} else if durationSecs < 10 {
+							return int64(slowTestRetriesSettings.TenS)
+						} else if durationSecs < 30 {
+							return int64(slowTestRetriesSettings.ThirtyS)
+						} else if duration.Minutes() < 5 {
+							return int64(slowTestRetriesSettings.FiveM)
+						}
+						return 0
+					},
+					shouldRetry: func(ptrToLocalT *testing.T, executionIndex int, remainingRetries int64) bool {
+						return remainingRetries >= 0
+					},
+					perExecution: func(ptrToLocalT *testing.T, executionIndex int, duration time.Duration) {
+						// Collect test results
+						if ptrToLocalT.Failed() {
+							testFailCount++
+						} else if ptrToLocalT.Skipped() {
+							testSkipCount++
+						} else {
+							testPassCount++
+						}
+					},
+					onRetryEnd: func(t *testing.T, executionIndex int, lastPtrToLocalT *testing.T) {
+						// Update test status based on collected counts
+						tCommonPrivates := getTestPrivateFields(t)
+						tParentCommonPrivates := getTestParentPrivateFields(t)
+						status := "passed"
+						if testPassCount == 0 {
+							if testSkipCount > 0 {
+								status = "skipped"
+								tCommonPrivates.SetSkipped(true)
+							}
+							if testFailCount > 0 {
+								status = "failed"
+								tCommonPrivates.SetFailed(true)
+								tParentCommonPrivates.SetFailed(true)
+							}
+						}
+
+						// Print summary after retries
+						if executionIndex > 0 {
+							fmt.Printf("  [ %v after %v retries by Datadog's early flake detection ]\n", status, executionIndex)
+						}
+					},
+					execMetaAdjust: func(execMeta *testExecutionMetadata, executionIndex int) {
+						// Set the flag new test to true
+						execMeta.isANewTest = true
+					},
+				})
+			}
+		}
 	}
+	return targetFunc
+}
 
-	// Reflect the function to obtain its pointer.
-	fReflect := reflect.Indirect(reflect.ValueOf(f))
-	moduleName, suiteName := utils.GetModuleAndSuiteName(fReflect.Pointer())
-	originalFunc := runtime.FuncForPC(fReflect.Pointer())
+// runTestWithRetry encapsulates the common retry logic for test functions.
+func runTestWithRetry(options *runTestWithRetryOptions) {
+	executionIndex := -1
+	var panicExecution *testExecutionMetadata
+	var lastPtrToLocalT *testing.T
 
-	// Increment the test count in the module.
-	atomic.AddInt32(modulesCounters[moduleName], 1)
+	// Module and suite for this test
+	var module integrations.DdTestModule
+	var suite integrations.DdTestSuite
 
-	// Increment the test count in the suite.
-	atomic.AddInt32(suitesCounters[suiteName], 1)
+	// Check if we have execution metadata to propagate
+	originalExecMeta := getTestMetadata(options.t)
 
-	return subBenchmarkAutoName, func(b *testing.B) {
-		// The sub-benchmark implementation relies on creating a dummy sub benchmark (called [DD:TestVisibility]) with
-		// a Run over the original sub benchmark function to get the child results without interfering measurements
-		// By doing this the name of the sub-benchmark are changed
-		// from:
-		// 		benchmark/child
-		// to:
-		//		benchmark/[DD:TestVisibility]/child
-		// We use regex and decrement the depth level of the benchmark to restore the original name
+	retryCount := options.initialRetryCount
 
-		// Decrement level.
-		bpf := getBenchmarkPrivateFields(b)
-		bpf.AddLevel(-1)
+	for {
+		// Clear the matcher subnames map before each execution to avoid subname tests being called "parent/subname#NN" due to retries
+		getTestContextMatcherPrivateFields(options.t).ClearSubNames()
 
-		startTime := time.Now()
-		module := session.GetOrCreateModuleWithFrameworkAndStartTime(moduleName, testFramework, runtime.Version(), startTime)
-		suite := module.GetOrCreateSuiteWithStartTime(suiteName, startTime)
-		test := suite.CreateTestWithStartTime(fmt.Sprintf("%s/%s", pb.Name(), name), startTime)
-		test.SetTestFunc(originalFunc)
+		// Increment execution index
+		executionIndex++
+
+		// Create a new local copy of `t` to isolate execution results
+		ptrToLocalT := &testing.T{}
+		copyTestWithoutParent(options.t, ptrToLocalT)
 
-		// Restore the original name without the sub-benchmark auto name.
-		*bpf.name = subBenchmarkAutoNameRegex.ReplaceAllString(*bpf.name, "")
+		// Create a dummy parent so we can run the test using this local copy
+		// without affecting the test parent
+		localTPrivateFields := getTestPrivateFields(ptrToLocalT)
+		*localTPrivateFields.parent = unsafe.Pointer(&testing.T{})
 
-		// Run original benchmark.
-		var iPfOfB *benchmarkPrivateFields
-		var recoverFunc *func(r any)
-		instrumentedFunc := func(b *testing.B) {
-			// Stop the timer to do the initialization and replacements.
-			b.StopTimer()
+		// Create an execution metadata instance
+		execMeta := createTestMetadata(ptrToLocalT)
+		execMeta.hasAdditionalFeatureWrapper = true
 
+		// Propagate set tags from a parent wrapper
+		if originalExecMeta != nil {
+			if originalExecMeta.isANewTest {
+				execMeta.isANewTest = true
+			}
+			if originalExecMeta.isARetry {
+				execMeta.isARetry = true
+			}
+		}
+
+		// If we are in a retry execution, set the `isARetry` flag
+		if executionIndex > 0 {
+			execMeta.isARetry = true
+		}
+
+		// Adjust execution metadata
+		if options.execMetaAdjust != nil {
+			options.execMetaAdjust(execMeta, executionIndex)
+		}
+
+		// Run original func similar to how it gets run internally in tRunner
+		startTime := time.Now()
+		chn := make(chan struct{}, 1)
+		go func() {
 			defer func() {
-				if r := recover(); r != nil {
-					if recoverFunc != nil {
-						fn := *recoverFunc
-						fn(r)
-					}
-					panic(r)
-				}
+				chn <- struct{}{}
 			}()
+			options.targetFunc(ptrToLocalT)
+		}()
+		<-chn
+		duration := time.Since(startTime)
 
-			// First time we get the private fields of the inner testing.B.
-			iPfOfB = getBenchmarkPrivateFields(b)
-			// Replace this function with the original one (executed only once - the first iteration[b.run1]).
-			*iPfOfB.benchFunc = f
-			// Set b to the CI visibility test.
-			setCiVisibilityBenchmark(b, test)
+		// Call cleanup functions after this execution
+		if err := testingTRunCleanup(ptrToLocalT, 1); err != nil {
+			fmt.Printf("cleanup error: %v\n", err)
+		}
 
-			// Enable the timer again.
-			b.ResetTimer()
-			b.StartTimer()
+		// Copy the current test to the wrapper if necessary
+		if originalExecMeta != nil {
+			originalExecMeta.test = execMeta.test
+		}
 
-			// Execute original func
-			f(b)
+		// Extract module and suite if present
+		currentSuite := execMeta.test.Suite()
+		if suite == nil && currentSuite != nil {
+			suite = currentSuite
+		}
+		if module == nil && currentSuite != nil && currentSuite.Module() != nil {
+			module = currentSuite.Module()
 		}
 
-		setCiVisibilityBenchmarkFunc(&instrumentedFunc)
-		defer deleteCiVisibilityBenchmarkFunc(&instrumentedFunc)
-		b.Run(name, instrumentedFunc)
-
-		endTime := time.Now()
-		results := iPfOfB.result
-
-		// Set benchmark data for CI visibility.
-		test.SetBenchmarkData("duration", map[string]any{
-			"run":  results.N,
-			"mean": results.NsPerOp(),
-		})
-		test.SetBenchmarkData("memory_total_operations", map[string]any{
-			"run":            results.N,
-			"mean":           results.AllocsPerOp(),
-			"statistics.max": results.MemAllocs,
-		})
-		test.SetBenchmarkData("mean_heap_allocations", map[string]any{
-			"run":  results.N,
-			"mean": results.AllocedBytesPerOp(),
-		})
-		test.SetBenchmarkData("total_heap_allocations", map[string]any{
-			"run":  results.N,
-			"mean": iPfOfB.result.MemBytes,
-		})
-		if len(results.Extra) > 0 {
-			mapConverted := map[string]any{}
-			for k, v := range results.Extra {
-				mapConverted[k] = v
+		// Remove execution metadata
+		deleteTestMetadata(ptrToLocalT)
+
+		// Handle panic data
+		if execMeta.panicData != nil {
+			ptrToLocalT.Fail()
+			if panicExecution == nil {
+				panicExecution = execMeta
 			}
-			test.SetBenchmarkData("extra", mapConverted)
 		}
 
-		// Define a function to handle panic during benchmark finalization.
-		panicFunc := func(r any) {
-			test.SetErrorInfo("panic", fmt.Sprint(r), utils.GetStacktrace(1))
-			suite.SetTag(ext.Error, true)
-			module.SetTag(ext.Error, true)
-			test.Close(integrations.ResultStatusFail)
-			checkModuleAndSuite(module, suite)
-			integrations.ExitCiVisibility()
+		// Adjust retry count after first execution if necessary
+		if options.adjustRetryCount != nil && executionIndex == 0 {
+			retryCount = options.adjustRetryCount(duration)
 		}
-		recoverFunc = &panicFunc
-
-		// Normal finalization: determine the benchmark result based on its state.
-		if iPfOfB.B.Failed() {
-			test.SetTag(ext.Error, true)
-			suite.SetTag(ext.Error, true)
-			module.SetTag(ext.Error, true)
-			test.CloseWithFinishTime(integrations.ResultStatusFail, endTime)
-		} else if iPfOfB.B.Skipped() {
-			test.CloseWithFinishTime(integrations.ResultStatusSkip, endTime)
-		} else {
-			test.CloseWithFinishTime(integrations.ResultStatusPass, endTime)
+
+		// Decrement retry count
+		retryCount--
+
+		// Call perExecution function
+		if options.perExecution != nil {
+			options.perExecution(ptrToLocalT, executionIndex, duration)
 		}
 
-		checkModuleAndSuite(module, suite)
+		// Update lastPtrToLocalT
+		lastPtrToLocalT = ptrToLocalT
+
+		// Decide whether to continue
+		if !options.shouldRetry(ptrToLocalT, executionIndex, retryCount) {
+			break
+		}
 	}
-}
 
-// instrumentTestingBSetErrorInfo helper function to set an error in the `testing.B` CI Visibility span
-func instrumentTestingBSetErrorInfo(b *testing.B, errType string, errMessage string, skip int) {
-	ciTest := getCiVisibilityBenchmark(b)
-	if ciTest != nil {
-		ciTest.SetErrorInfo(errType, errMessage, utils.GetStacktrace(2+skip))
+	// Call onRetryEnd
+	if options.onRetryEnd != nil {
+		options.onRetryEnd(options.t, executionIndex, lastPtrToLocalT)
 	}
-}
 
-// instrumentTestingBCloseAndSkip helper function to close and skip with a reason a `testing.B` CI Visibility span
-func instrumentTestingBCloseAndSkip(b *testing.B, skipReason string) {
-	ciTest := getCiVisibilityBenchmark(b)
-	if ciTest != nil {
-		ciTest.CloseWithFinishTimeAndSkipReason(integrations.ResultStatusSkip, time.Now(), skipReason)
+	// After all test executions, check if we need to close the suite and the module
+	if originalExecMeta == nil {
+		checkModuleAndSuite(module, suite)
 	}
-}
 
-// instrumentTestingBSkipNow helper function to close and skip a `testing.B` CI Visibility span
-func instrumentTestingBSkipNow(b *testing.B) {
-	ciTest := getCiVisibilityBenchmark(b)
-	if ciTest != nil {
-		ciTest.Close(integrations.ResultStatusSkip)
+	// Re-panic if test failed and panic data exists
+	if options.t.Failed() && panicExecution != nil {
+		// Ensure we flush all CI visibility data and close the session event
+		integrations.ExitCiVisibility()
+		panic(fmt.Sprintf("test failed and panicked after %d retries.\n%v\n%v", executionIndex, panicExecution.panicData, panicExecution.panicStacktrace))
 	}
 }
+
+//go:linkname testingTRunCleanup testing.(*common).runCleanup
+func testingTRunCleanup(c *testing.T, ph int) (panicVal any)
diff --git a/internal/civisibility/integrations/gotesting/instrumentation_orchestrion.go b/internal/civisibility/integrations/gotesting/instrumentation_orchestrion.go
new file mode 100644
index 0000000000..2b3345549b
--- /dev/null
+++ b/internal/civisibility/integrations/gotesting/instrumentation_orchestrion.go
@@ -0,0 +1,389 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package gotesting
+
+import (
+	"fmt"
+	"os"
+	"reflect"
+	"runtime"
+	"strings"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations"
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils"
+)
+
+// ******************************************************************************************************************
+// WARNING: DO NOT CHANGE THE SIGNATURE OF THESE FUNCTIONS!
+//
+//  The following functions are being used by both the manual api and most importantly the Orchestrion automatic
+//  instrumentation integration.
+// ******************************************************************************************************************
+
+// instrumentTestingM helper function to instrument internalTests and internalBenchmarks in a `*testing.M` instance.
+func instrumentTestingM(m *testing.M) func(exitCode int) {
+	// Check if CI Visibility was disabled using the kill switch before trying to initialize it
+	atomic.StoreInt32(&ciVisibilityEnabledValue, -1)
+	if !isCiVisibilityEnabled() {
+		return func(exitCode int) {}
+	}
+
+	// Initialize CI Visibility
+	integrations.EnsureCiVisibilityInitialization()
+
+	// Create a new test session for CI visibility.
+	session = integrations.CreateTestSession()
+
+	ddm := (*M)(m)
+
+	// Instrument the internal tests for CI visibility.
+	ddm.instrumentInternalTests(getInternalTestArray(m))
+
+	// Instrument the internal benchmarks for CI visibility.
+	for _, v := range os.Args {
+		// check if benchmarking is enabled to instrument
+		if strings.Contains(v, "-bench") || strings.Contains(v, "test.bench") {
+			ddm.instrumentInternalBenchmarks(getInternalBenchmarkArray(m))
+			break
+		}
+	}
+
+	return func(exitCode int) {
+		// Check for code coverage if enabled.
+		if testing.CoverMode() != "" {
+			coveragePercentage := testing.Coverage() * 100
+			session.SetTag(constants.CodeCoveragePercentageOfTotalLines, coveragePercentage)
+		}
+
+		// Close the session and return the exit code.
+		session.Close(exitCode)
+
+		// Finalize CI Visibility
+		integrations.ExitCiVisibility()
+	}
+}
+
+// instrumentTestingTFunc helper function to instrument a testing function func(*testing.T)
+func instrumentTestingTFunc(f func(*testing.T)) func(*testing.T) {
+	// Check if CI Visibility was disabled using the kill switch before instrumenting
+	if !isCiVisibilityEnabled() {
+		return f
+	}
+
+	// Reflect the function to obtain its pointer.
+	fReflect := reflect.Indirect(reflect.ValueOf(f))
+	moduleName, suiteName := utils.GetModuleAndSuiteName(fReflect.Pointer())
+	originalFunc := runtime.FuncForPC(fReflect.Pointer())
+
+	// Avoid instrumenting twice
+	metadata := getInstrumentationMetadata(originalFunc)
+	if metadata != nil && metadata.IsInternal {
+		// If is an internal test, we don't instrument because f is already the instrumented func by executeInternalTest
+		return f
+	}
+
+	instrumentedFn := func(t *testing.T) {
+		// Initialize module counters if not already present.
+		if _, ok := modulesCounters[moduleName]; !ok {
+			var v int32
+			modulesCounters[moduleName] = &v
+		}
+		// Increment the test count in the module.
+		atomic.AddInt32(modulesCounters[moduleName], 1)
+
+		// Initialize suite counters if not already present.
+		if _, ok := suitesCounters[suiteName]; !ok {
+			var v int32
+			suitesCounters[suiteName] = &v
+		}
+		// Increment the test count in the suite.
+		atomic.AddInt32(suitesCounters[suiteName], 1)
+
+		// Create or retrieve the module, suite, and test for CI visibility.
+		module := session.GetOrCreateModuleWithFramework(moduleName, testFramework, runtime.Version())
+		suite := module.GetOrCreateSuite(suiteName)
+		test := suite.CreateTest(t.Name())
+		test.SetTestFunc(originalFunc)
+
+		// Get the metadata regarding the execution (in case is already created from the additional features)
+		execMeta := getTestMetadata(t)
+		if execMeta == nil {
+			// in case there's no additional features then we create the metadata for this execution and defer the disposal
+			execMeta = createTestMetadata(t)
+			defer deleteTestMetadata(t)
+		}
+
+		// Because this is a subtest let's propagate some execution metadata from the parent test
+		testPrivateFields := getTestPrivateFields(t)
+		if testPrivateFields.parent != nil {
+			parentExecMeta := getTestMetadataFromPointer(*testPrivateFields.parent)
+			if parentExecMeta != nil {
+				if parentExecMeta.isANewTest {
+					execMeta.isANewTest = true
+				}
+				if parentExecMeta.isARetry {
+					execMeta.isARetry = true
+				}
+			}
+		}
+
+		// Set the CI visibility test.
+		execMeta.test = test
+
+		// If the execution is for a new test we tag the test event from early flake detection
+		if execMeta.isANewTest {
+			// Set the is new test tag
+			test.SetTag(constants.TestIsNew, "true")
+		}
+
+		// If the execution is a retry we tag the test event
+		if execMeta.isARetry {
+			// Set the retry tag
+			test.SetTag(constants.TestIsRetry, "true")
+		}
+
+		defer func() {
+			if r := recover(); r != nil {
+				// Handle panic and set error information.
+				test.SetErrorInfo("panic", fmt.Sprint(r), utils.GetStacktrace(1))
+				test.Close(integrations.ResultStatusFail)
+				checkModuleAndSuite(module, suite)
+				// this is not an internal test. Retries are not applied to subtest (because the parent internal test is going to be retried)
+				// so for this case we avoid closing CI Visibility, but we don't stop the panic from happening.
+				// it will be handled by `t.Run`
+				if checkIfCIVisibilityExitIsRequiredByPanic() {
+					integrations.ExitCiVisibility()
+				}
+				panic(r)
+			} else {
+				// Normal finalization: determine the test result based on its state.
+				if t.Failed() {
+					test.SetTag(ext.Error, true)
+					suite.SetTag(ext.Error, true)
+					module.SetTag(ext.Error, true)
+					test.Close(integrations.ResultStatusFail)
+				} else if t.Skipped() {
+					test.Close(integrations.ResultStatusSkip)
+				} else {
+					test.Close(integrations.ResultStatusPass)
+				}
+				checkModuleAndSuite(module, suite)
+			}
+		}()
+
+		// Execute the original test function.
+		f(t)
+	}
+
+	setInstrumentationMetadata(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedFn)).Pointer()), &instrumentationMetadata{IsInternal: true})
+	return instrumentedFn
+}
+
+// instrumentSetErrorInfo helper function to set an error in the `*testing.T, *testing.B, *testing.common` CI Visibility span
+func instrumentSetErrorInfo(tb testing.TB, errType string, errMessage string, skip int) {
+	// Check if CI Visibility was disabled using the kill switch before
+	if !isCiVisibilityEnabled() {
+		return
+	}
+
+	// Get the CI Visibility span and check if we can set the error type, message and stack
+	ciTestItem := getTestMetadata(tb)
+	if ciTestItem != nil && ciTestItem.test != nil && ciTestItem.error.CompareAndSwap(0, 1) {
+		ciTestItem.test.SetErrorInfo(errType, errMessage, utils.GetStacktrace(2+skip))
+	}
+}
+
+// instrumentCloseAndSkip helper function to close and skip with a reason a `*testing.T, *testing.B, *testing.common` CI Visibility span
+func instrumentCloseAndSkip(tb testing.TB, skipReason string) {
+	// Check if CI Visibility was disabled using the kill switch before
+	if !isCiVisibilityEnabled() {
+		return
+	}
+
+	// Get the CI Visibility span and check if we can mark it as skipped and close it
+	ciTestItem := getTestMetadata(tb)
+	if ciTestItem != nil && ciTestItem.test != nil && ciTestItem.skipped.CompareAndSwap(0, 1) {
+		ciTestItem.test.CloseWithFinishTimeAndSkipReason(integrations.ResultStatusSkip, time.Now(), skipReason)
+	}
+}
+
+// instrumentSkipNow helper function to close and skip a `*testing.T, *testing.B, *testing.common` CI Visibility span
+func instrumentSkipNow(tb testing.TB) {
+	// Check if CI Visibility was disabled using the kill switch before
+	if !isCiVisibilityEnabled() {
+		return
+	}
+
+	// Get the CI Visibility span and check if we can mark it as skipped and close it
+	ciTestItem := getTestMetadata(tb)
+	if ciTestItem != nil && ciTestItem.test != nil && ciTestItem.skipped.CompareAndSwap(0, 1) {
+		ciTestItem.test.Close(integrations.ResultStatusSkip)
+	}
+}
+
+// instrumentTestingBFunc helper function to instrument a benchmark function func(*testing.B)
+func instrumentTestingBFunc(pb *testing.B, name string, f func(*testing.B)) (string, func(*testing.B)) {
+	// Check if CI Visibility was disabled using the kill switch before instrumenting
+	if !isCiVisibilityEnabled() {
+		return name, f
+	}
+
+	// Reflect the function to obtain its pointer.
+	fReflect := reflect.Indirect(reflect.ValueOf(f))
+	moduleName, suiteName := utils.GetModuleAndSuiteName(fReflect.Pointer())
+	originalFunc := runtime.FuncForPC(fReflect.Pointer())
+
+	// Avoid instrumenting twice
+	if hasCiVisibilityBenchmarkFunc(originalFunc) {
+		return name, f
+	}
+
+	instrumentedFunc := func(b *testing.B) {
+		// The sub-benchmark implementation relies on creating a dummy sub benchmark (called [DD:TestVisibility]) with
+		// a Run over the original sub benchmark function to get the child results without interfering measurements
+		// By doing this the name of the sub-benchmark are changed
+		// from:
+		// 		benchmark/child
+		// to:
+		//		benchmark/[DD:TestVisibility]/child
+		// We use regex and decrement the depth level of the benchmark to restore the original name
+
+		// Initialize module counters if not already present.
+		if _, ok := modulesCounters[moduleName]; !ok {
+			var v int32
+			modulesCounters[moduleName] = &v
+		}
+		// Increment the test count in the module.
+		atomic.AddInt32(modulesCounters[moduleName], 1)
+
+		// Initialize suite counters if not already present.
+		if _, ok := suitesCounters[suiteName]; !ok {
+			var v int32
+			suitesCounters[suiteName] = &v
+		}
+		// Increment the test count in the suite.
+		atomic.AddInt32(suitesCounters[suiteName], 1)
+
+		// Decrement level.
+		bpf := getBenchmarkPrivateFields(b)
+		bpf.AddLevel(-1)
+
+		startTime := time.Now()
+		module := session.GetOrCreateModuleWithFrameworkAndStartTime(moduleName, testFramework, runtime.Version(), startTime)
+		suite := module.GetOrCreateSuiteWithStartTime(suiteName, startTime)
+		test := suite.CreateTestWithStartTime(fmt.Sprintf("%s/%s", pb.Name(), name), startTime)
+		test.SetTestFunc(originalFunc)
+
+		// Restore the original name without the sub-benchmark auto name.
+		*bpf.name = subBenchmarkAutoNameRegex.ReplaceAllString(*bpf.name, "")
+
+		// Run original benchmark.
+		var iPfOfB *benchmarkPrivateFields
+		var recoverFunc *func(r any)
+		instrumentedFunc := func(b *testing.B) {
+			// Stop the timer to do the initialization and replacements.
+			b.StopTimer()
+
+			defer func() {
+				if r := recover(); r != nil {
+					if recoverFunc != nil {
+						fn := *recoverFunc
+						fn(r)
+					}
+					panic(r)
+				}
+			}()
+
+			// First time we get the private fields of the inner testing.B.
+			iPfOfB = getBenchmarkPrivateFields(b)
+			// Replace this function with the original one (executed only once - the first iteration[b.run1]).
+			*iPfOfB.benchFunc = f
+
+			// Get the metadata regarding the execution (in case is already created from the additional features)
+			execMeta := getTestMetadata(b)
+			if execMeta == nil {
+				// in case there's no additional features then we create the metadata for this execution and defer the disposal
+				execMeta = createTestMetadata(b)
+				defer deleteTestMetadata(b)
+			}
+
+			// Set the CI visibility test.
+			execMeta.test = test
+
+			// Enable the timer again.
+			b.ResetTimer()
+			b.StartTimer()
+
+			// Execute original func
+			f(b)
+		}
+
+		setCiVisibilityBenchmarkFunc(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedFunc)).Pointer()))
+		b.Run(name, instrumentedFunc)
+
+		endTime := time.Now()
+		results := iPfOfB.result
+
+		// Set benchmark data for CI visibility.
+		test.SetBenchmarkData("duration", map[string]any{
+			"run":  results.N,
+			"mean": results.NsPerOp(),
+		})
+		test.SetBenchmarkData("memory_total_operations", map[string]any{
+			"run":            results.N,
+			"mean":           results.AllocsPerOp(),
+			"statistics.max": results.MemAllocs,
+		})
+		test.SetBenchmarkData("mean_heap_allocations", map[string]any{
+			"run":  results.N,
+			"mean": results.AllocedBytesPerOp(),
+		})
+		test.SetBenchmarkData("total_heap_allocations", map[string]any{
+			"run":  results.N,
+			"mean": iPfOfB.result.MemBytes,
+		})
+		if len(results.Extra) > 0 {
+			mapConverted := map[string]any{}
+			for k, v := range results.Extra {
+				mapConverted[k] = v
+			}
+			test.SetBenchmarkData("extra", mapConverted)
+		}
+
+		// Define a function to handle panic during benchmark finalization.
+		panicFunc := func(r any) {
+			test.SetErrorInfo("panic", fmt.Sprint(r), utils.GetStacktrace(1))
+			suite.SetTag(ext.Error, true)
+			module.SetTag(ext.Error, true)
+			test.Close(integrations.ResultStatusFail)
+			checkModuleAndSuite(module, suite)
+			integrations.ExitCiVisibility()
+		}
+		recoverFunc = &panicFunc
+
+		// Normal finalization: determine the benchmark result based on its state.
+		if iPfOfB.B.Failed() {
+			test.SetTag(ext.Error, true)
+			suite.SetTag(ext.Error, true)
+			module.SetTag(ext.Error, true)
+			test.CloseWithFinishTime(integrations.ResultStatusFail, endTime)
+		} else if iPfOfB.B.Skipped() {
+			test.CloseWithFinishTime(integrations.ResultStatusSkip, endTime)
+		} else {
+			test.CloseWithFinishTime(integrations.ResultStatusPass, endTime)
+		}
+
+		checkModuleAndSuite(module, suite)
+	}
+	setCiVisibilityBenchmarkFunc(originalFunc)
+	setCiVisibilityBenchmarkFunc(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedFunc)).Pointer()))
+	return subBenchmarkAutoName, instrumentedFunc
+}
diff --git a/internal/civisibility/integrations/gotesting/reflections.go b/internal/civisibility/integrations/gotesting/reflections.go
index 6aaac3ed4c..745aab1468 100644
--- a/internal/civisibility/integrations/gotesting/reflections.go
+++ b/internal/civisibility/integrations/gotesting/reflections.go
@@ -7,17 +7,25 @@ package gotesting
 
 import (
 	"errors"
+	"io"
 	"reflect"
 	"sync"
+	"sync/atomic"
 	"testing"
+	"time"
 	"unsafe"
 )
 
 // getFieldPointerFrom gets an unsafe.Pointer (gc-safe type of pointer) to a struct field
 // useful to get or set values to private field
 func getFieldPointerFrom(value any, fieldName string) (unsafe.Pointer, error) {
-	indirectValue := reflect.Indirect(reflect.ValueOf(value))
-	member := indirectValue.FieldByName(fieldName)
+	return getFieldPointerFromValue(reflect.Indirect(reflect.ValueOf(value)), fieldName)
+}
+
+// getFieldPointerFromValue gets an unsafe.Pointer (gc-safe type of pointer) to a struct field
+// useful to get or set values to private field
+func getFieldPointerFromValue(value reflect.Value, fieldName string) (unsafe.Pointer, error) {
+	member := value.FieldByName(fieldName)
 	if member.IsValid() {
 		return unsafe.Pointer(member.UnsafeAddr()), nil
 	}
@@ -25,7 +33,61 @@ func getFieldPointerFrom(value any, fieldName string) (unsafe.Pointer, error) {
 	return unsafe.Pointer(nil), errors.New("member is invalid")
 }
 
+// copyFieldUsingPointers copies a private field value from one struct to another of the same type
+func copyFieldUsingPointers[V any](source any, target any, fieldName string) error {
+	sourcePtr, err := getFieldPointerFrom(source, fieldName)
+	if err != nil {
+		return err
+	}
+	targetPtr, err := getFieldPointerFrom(target, fieldName)
+	if err != nil {
+		return err
+	}
+
+	*(*V)(targetPtr) = *(*V)(sourcePtr)
+	return nil
+}
+
+// ****************
+// COMMON
+// ****************
+
+// commonPrivateFields is collection of required private fields from testing.common
+type commonPrivateFields struct {
+	mu      *sync.RWMutex
+	level   *int
+	name    *string         // Name of test or benchmark.
+	failed  *bool           // Test or benchmark has failed.
+	skipped *bool           // Test or benchmark has been skipped.
+	parent  *unsafe.Pointer // Parent common
+}
+
+// AddLevel increase or decrease the testing.common.level field value, used by
+// testing.B to create the name of the benchmark test
+func (c *commonPrivateFields) AddLevel(delta int) int {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	*c.level = *c.level + delta
+	return *c.level
+}
+
+// SetFailed set the boolean value in testing.common.failed field value
+func (c *commonPrivateFields) SetFailed(value bool) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	*c.failed = value
+}
+
+// SetSkipped set the boolean value in testing.common.skipped field value
+func (c *commonPrivateFields) SetSkipped(value bool) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	*c.skipped = value
+}
+
+// ****************
 // TESTING
+// ****************
 
 // getInternalTestArray gets the pointer to the testing.InternalTest array inside a
 // testing.M instance containing all the "root" tests
@@ -36,7 +98,147 @@ func getInternalTestArray(m *testing.M) *[]testing.InternalTest {
 	return nil
 }
 
+// getTestPrivateFields is a method to retrieve all required privates field from
+// testing.T, returning a commonPrivateFields instance
+func getTestPrivateFields(t *testing.T) *commonPrivateFields {
+	testFields := &commonPrivateFields{}
+
+	// testing.common
+	if ptr, err := getFieldPointerFrom(t, "mu"); err == nil {
+		testFields.mu = (*sync.RWMutex)(ptr)
+	}
+	if ptr, err := getFieldPointerFrom(t, "level"); err == nil {
+		testFields.level = (*int)(ptr)
+	}
+	if ptr, err := getFieldPointerFrom(t, "name"); err == nil {
+		testFields.name = (*string)(ptr)
+	}
+	if ptr, err := getFieldPointerFrom(t, "failed"); err == nil {
+		testFields.failed = (*bool)(ptr)
+	}
+	if ptr, err := getFieldPointerFrom(t, "skipped"); err == nil {
+		testFields.skipped = (*bool)(ptr)
+	}
+	if ptr, err := getFieldPointerFrom(t, "parent"); err == nil {
+		testFields.parent = (*unsafe.Pointer)(ptr)
+	}
+
+	return testFields
+}
+
+// getTestParentPrivateFields is a method to retrieve all required parent privates field from
+// testing.T.parent, returning a commonPrivateFields instance
+func getTestParentPrivateFields(t *testing.T) *commonPrivateFields {
+	indirectValue := reflect.Indirect(reflect.ValueOf(t))
+	member := indirectValue.FieldByName("parent")
+	if member.IsValid() {
+		value := member.Elem()
+		testFields := &commonPrivateFields{}
+
+		// testing.common
+		if ptr, err := getFieldPointerFromValue(value, "mu"); err == nil {
+			testFields.mu = (*sync.RWMutex)(ptr)
+		}
+		if ptr, err := getFieldPointerFromValue(value, "level"); err == nil {
+			testFields.level = (*int)(ptr)
+		}
+		if ptr, err := getFieldPointerFromValue(value, "name"); err == nil {
+			testFields.name = (*string)(ptr)
+		}
+		if ptr, err := getFieldPointerFromValue(value, "failed"); err == nil {
+			testFields.failed = (*bool)(ptr)
+		}
+		if ptr, err := getFieldPointerFromValue(value, "skipped"); err == nil {
+			testFields.skipped = (*bool)(ptr)
+		}
+
+		return testFields
+	}
+	return nil
+}
+
+// contextMatcher is collection of required private fields from testing.context.match
+type contextMatcher struct {
+	mu       *sync.RWMutex
+	subNames *map[string]int32
+}
+
+// ClearSubNames clears the subname map used for creating unique names for subtests
+func (c *contextMatcher) ClearSubNames() {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	*c.subNames = map[string]int32{}
+}
+
+// getTestContextMatcherPrivateFields is a method to retrieve all required privates field from
+// testing.T.context.match, returning a contextMatcher instance
+func getTestContextMatcherPrivateFields(t *testing.T) *contextMatcher {
+	indirectValue := reflect.Indirect(reflect.ValueOf(t))
+	contextMember := indirectValue.FieldByName("context")
+	if !contextMember.IsValid() {
+		return nil
+	}
+	contextMember = contextMember.Elem()
+	matchMember := contextMember.FieldByName("match")
+	if !matchMember.IsValid() {
+		return nil
+	}
+	matchMember = matchMember.Elem()
+
+	fields := &contextMatcher{}
+	if ptr, err := getFieldPointerFromValue(matchMember, "mu"); err == nil {
+		fields.mu = (*sync.RWMutex)(ptr)
+	}
+	if ptr, err := getFieldPointerFromValue(matchMember, "subNames"); err == nil {
+		fields.subNames = (*map[string]int32)(ptr)
+	}
+
+	return fields
+}
+
+// copyTestWithoutParent tries to copy all private fields except the t.parent from a *testing.T to another
+func copyTestWithoutParent(source *testing.T, target *testing.T) {
+	// Copy important field values
+	_ = copyFieldUsingPointers[[]byte](source, target, "output")                   // Output generated by test or benchmark.
+	_ = copyFieldUsingPointers[io.Writer](source, target, "w")                     // For flushToParent.
+	_ = copyFieldUsingPointers[bool](source, target, "ran")                        // Test or benchmark (or one of its subtests) was executed.
+	_ = copyFieldUsingPointers[bool](source, target, "failed")                     // Test or benchmark has failed.
+	_ = copyFieldUsingPointers[bool](source, target, "skipped")                    // Test or benchmark has been skipped.
+	_ = copyFieldUsingPointers[bool](source, target, "done")                       // Test is finished and all subtests have completed.
+	_ = copyFieldUsingPointers[map[uintptr]struct{}](source, target, "helperPCs")  // functions to be skipped when writing file/line info
+	_ = copyFieldUsingPointers[map[string]struct{}](source, target, "helperNames") // helperPCs converted to function names
+	_ = copyFieldUsingPointers[[]func()](source, target, "cleanups")               // optional functions to be called at the end of the test
+	_ = copyFieldUsingPointers[string](source, target, "cleanupName")              // Name of the cleanup function.
+	_ = copyFieldUsingPointers[[]uintptr](source, target, "cleanupPc")             // The stack trace at the point where Cleanup was called.
+	_ = copyFieldUsingPointers[bool](source, target, "finished")                   // Test function has completed.
+	_ = copyFieldUsingPointers[bool](source, target, "inFuzzFn")                   // Whether the fuzz target, if this is one, is running.
+
+	_ = copyFieldUsingPointers[unsafe.Pointer](source, target, "chatty")      // A copy of chattyPrinter, if the chatty flag is set.
+	_ = copyFieldUsingPointers[bool](source, target, "bench")                 // Whether the current test is a benchmark.
+	_ = copyFieldUsingPointers[atomic.Bool](source, target, "hasSub")         // whether there are sub-benchmarks.
+	_ = copyFieldUsingPointers[atomic.Bool](source, target, "cleanupStarted") // Registered cleanup callbacks have started to execute
+	_ = copyFieldUsingPointers[string](source, target, "runner")              // Function name of tRunner running the test.
+	_ = copyFieldUsingPointers[bool](source, target, "isParallel")            // Whether the test is parallel.
+
+	_ = copyFieldUsingPointers[int](source, target, "level")            // Nesting depth of test or benchmark.
+	_ = copyFieldUsingPointers[[]uintptr](source, target, "creator")    // If level > 0, the stack trace at the point where the parent called t.Run.
+	_ = copyFieldUsingPointers[string](source, target, "name")          // Name of test or benchmark.
+	_ = copyFieldUsingPointers[unsafe.Pointer](source, target, "start") // Time test or benchmark started
+	_ = copyFieldUsingPointers[time.Duration](source, target, "duration")
+	_ = copyFieldUsingPointers[[]*testing.T](source, target, "sub")            // Queue of subtests to be run in parallel.
+	_ = copyFieldUsingPointers[atomic.Int64](source, target, "lastRaceErrors") // Max value of race.Errors seen during the test or its subtests.
+	_ = copyFieldUsingPointers[atomic.Bool](source, target, "raceErrorLogged")
+	_ = copyFieldUsingPointers[string](source, target, "tempDir")
+	_ = copyFieldUsingPointers[error](source, target, "tempDirErr")
+	_ = copyFieldUsingPointers[int32](source, target, "tempDirSeq")
+
+	_ = copyFieldUsingPointers[bool](source, target, "isEnvSet")
+	_ = copyFieldUsingPointers[unsafe.Pointer](source, target, "context") // For running tests and subtests.
+}
+
+// ****************
 // BENCHMARKS
+// ****************
 
 // get the pointer to the internal benchmark array
 // getInternalBenchmarkArray gets the pointer to the testing.InternalBenchmark array inside
@@ -48,22 +250,6 @@ func getInternalBenchmarkArray(m *testing.M) *[]testing.InternalBenchmark {
 	return nil
 }
 
-// commonPrivateFields is collection of required private fields from testing.common
-type commonPrivateFields struct {
-	mu    *sync.RWMutex
-	level *int
-	name  *string // Name of test or benchmark.
-}
-
-// AddLevel increase or decrease the testing.common.level field value, used by
-// testing.B to create the name of the benchmark test
-func (c *commonPrivateFields) AddLevel(delta int) int {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	*c.level = *c.level + delta
-	return *c.level
-}
-
 // benchmarkPrivateFields is a collection of required private fields from testing.B
 // also contains a pointer to the original testing.B for easy access
 type benchmarkPrivateFields struct {
@@ -80,7 +266,7 @@ func getBenchmarkPrivateFields(b *testing.B) *benchmarkPrivateFields {
 		B: b,
 	}
 
-	// common
+	// testing.common
 	if ptr, err := getFieldPointerFrom(b, "mu"); err == nil {
 		benchFields.mu = (*sync.RWMutex)(ptr)
 	}
@@ -90,8 +276,17 @@ func getBenchmarkPrivateFields(b *testing.B) *benchmarkPrivateFields {
 	if ptr, err := getFieldPointerFrom(b, "name"); err == nil {
 		benchFields.name = (*string)(ptr)
 	}
+	if ptr, err := getFieldPointerFrom(b, "failed"); err == nil {
+		benchFields.failed = (*bool)(ptr)
+	}
+	if ptr, err := getFieldPointerFrom(b, "skipped"); err == nil {
+		benchFields.skipped = (*bool)(ptr)
+	}
+	if ptr, err := getFieldPointerFrom(b, "parent"); err == nil {
+		benchFields.parent = (*unsafe.Pointer)(ptr)
+	}
 
-	// benchmark
+	// testing.B
 	if ptr, err := getFieldPointerFrom(b, "benchFunc"); err == nil {
 		benchFields.benchFunc = (*func(b *testing.B))(ptr)
 	}
diff --git a/internal/civisibility/integrations/gotesting/testcontroller_test.go b/internal/civisibility/integrations/gotesting/testcontroller_test.go
new file mode 100644
index 0000000000..3a679715e2
--- /dev/null
+++ b/internal/civisibility/integrations/gotesting/testcontroller_test.go
@@ -0,0 +1,492 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package gotesting
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"os/exec"
+	"testing"
+
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/ext"
+	"github.com/DataDog/dd-trace-go/v2/ddtrace/mocktracer"
+	"github.com/DataDog/dd-trace-go/v2/internal"
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations"
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils/net"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+var currentM *testing.M
+var mTracer mocktracer.Tracer
+
+// TestMain is the entry point for testing and runs before any test.
+func TestMain(m *testing.M) {
+	log.SetLevel(log.LevelDebug)
+
+	// We need to spawn separated test process for each scenario
+	scenarios := []string{"TestFlakyTestRetries", "TestEarlyFlakeDetection", "TestFlakyTestRetriesAndEarlyFlakeDetection"}
+
+	if internal.BoolEnv(scenarios[0], false) {
+		fmt.Printf("Scenario %s started.\n", scenarios[0])
+		runFlakyTestRetriesTests(m)
+	} else if internal.BoolEnv(scenarios[1], false) {
+		fmt.Printf("Scenario %s started.\n", scenarios[1])
+		runEarlyFlakyTestDetectionTests(m)
+	} else if internal.BoolEnv(scenarios[2], false) {
+		fmt.Printf("Scenario %s started.\n", scenarios[2])
+		runFlakyTestRetriesWithEarlyFlakyTestDetectionTests(m)
+	} else {
+		fmt.Println("Starting tests...")
+		for _, v := range scenarios {
+			cmd := exec.Command(os.Args[0], os.Args[1:]...)
+			cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
+			cmd.Env = append(cmd.Env, os.Environ()...)
+			cmd.Env = append(cmd.Env, fmt.Sprintf("%s=true", v))
+			fmt.Printf("Running scenario: %s:\n", v)
+			err := cmd.Run()
+			fmt.Printf("Done.\n\n")
+			if err != nil {
+				if exiterr, ok := err.(*exec.ExitError); ok {
+					fmt.Printf("Scenario %s failed with exit code: %d\n", v, exiterr.ExitCode())
+					os.Exit(exiterr.ExitCode())
+				} else {
+					fmt.Printf("cmd.Run: %v\n", err)
+					os.Exit(1)
+				}
+				break
+			}
+		}
+	}
+
+	os.Exit(0)
+}
+
+func runFlakyTestRetriesTests(m *testing.M) {
+	// mock the settings api to enable automatic test retries
+	server := setUpHttpServer(true, false, nil)
+	defer server.Close()
+
+	// set a custom retry count
+	os.Setenv(constants.CIVisibilityFlakyRetryCountEnvironmentVariable, "10")
+
+	// initialize the mock tracer for doing assertions on the finished spans
+	currentM = m
+	mTracer = integrations.InitializeCIVisibilityMock()
+
+	// execute the tests, we are expecting some tests to fail and check the assertion later
+	exitCode := RunM(m)
+	if exitCode != 1 {
+		panic("expected the exit code to be 1. We have a failing test on purpose.")
+	}
+
+	// get all finished spans
+	finishedSpans := mTracer.FinishedSpans()
+
+	// 1 session span
+	// 1 module span
+	// 2 suite span (testing_test.go and reflections_test.go)
+	// 5 tests from reflections_test.go
+	// 1 TestMyTest01
+	// 1 TestMyTest02 + 2 subtests
+	// 1 Test_Foo + 3 subtests
+	// 1 TestWithExternalCalls + 2 subtests
+	// 1 TestSkip
+	// 1 TestRetryWithPanic + 3 retry tests from testing_test.go
+	// 1 TestRetryWithFail + 3 retry tests from testing_test.go
+	// 1 TestRetryAlwaysFail + 10 retry tests from testing_test.go
+	// 1 TestNormalPassingAfterRetryAlwaysFail
+	// 1 TestEarlyFlakeDetection
+	// 2 normal spans from testing_test.go
+
+	// check spans by resource name
+	checkSpansByResourceName(finishedSpans, "github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations/gotesting", 1)
+	checkSpansByResourceName(finishedSpans, "reflections_test.go", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest01", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01/sub03", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/yellow_should_return_color", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/banana_should_return_fruit", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/duck_should_return_animal", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/default", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/custom-name", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestSkip", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithPanic", 4)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithFail", 4)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryAlwaysFail", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestNormalPassingAfterRetryAlwaysFail", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestEarlyFlakeDetection", 1)
+
+	// check spans by tag
+	checkSpansByTagName(finishedSpans, constants.TestIsRetry, 16)
+
+	// check spans by type
+	checkSpansByType(finishedSpans,
+		44,
+		1,
+		1,
+		2,
+		38,
+		2)
+
+	os.Exit(0)
+}
+
+func runEarlyFlakyTestDetectionTests(m *testing.M) {
+	// mock the settings api to enable automatic test retries
+	server := setUpHttpServer(false, true, &net.EfdResponseData{
+		Tests: net.EfdResponseDataModules{
+			"github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations/gotesting": net.EfdResponseDataSuites{
+				"reflections_test.go": []string{
+					"TestGetFieldPointerFrom",
+					"TestGetInternalTestArray",
+					"TestGetInternalBenchmarkArray",
+					"TestCommonPrivateFields_AddLevel",
+					"TestGetBenchmarkPrivateFields",
+				},
+			},
+		},
+	})
+	defer server.Close()
+
+	// initialize the mock tracer for doing assertions on the finished spans
+	currentM = m
+	mTracer = integrations.InitializeCIVisibilityMock()
+
+	// execute the tests, we are expecting some tests to fail and check the assertion later
+	exitCode := RunM(m)
+	if exitCode != 1 {
+		panic("expected the exit code to be 1. We have a failing test on purpose.")
+	}
+
+	// get all finished spans
+	finishedSpans := mTracer.FinishedSpans()
+
+	// 1 session span
+	// 1 module span
+	// 2 suite span (testing_test.go and reflections_test.go)
+	// 5 tests from reflections_test.go
+	// 11 TestMyTest01
+	// 11 TestMyTest02 + 22 subtests
+	// 11 Test_Foo + 33 subtests
+	// 11 TestWithExternalCalls + 22 subtests
+	// 11 TestSkip
+	// 11 TestRetryWithPanic
+	// 11 TestRetryWithFail
+	// 11 TestRetryAlwaysFail
+	// 11 TestNormalPassingAfterRetryAlwaysFail
+	// 11 TestEarlyFlakeDetection
+	// 22 normal spans from testing_test.go
+
+	// check spans by resource name
+	checkSpansByResourceName(finishedSpans, "github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations/gotesting", 1)
+	checkSpansByResourceName(finishedSpans, "reflections_test.go", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest01", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01/sub03", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/yellow_should_return_color", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/banana_should_return_fruit", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/duck_should_return_animal", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/default", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/custom-name", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestSkip", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithPanic", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithFail", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryAlwaysFail", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestNormalPassingAfterRetryAlwaysFail", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestEarlyFlakeDetection", 11)
+
+	// check spans by tag
+	checkSpansByTagName(finishedSpans, constants.TestIsNew, 187)
+	checkSpansByTagName(finishedSpans, constants.TestIsRetry, 170)
+
+	// check spans by type
+	checkSpansByType(finishedSpans,
+		218,
+		1,
+		1,
+		2,
+		192,
+		22)
+
+	os.Exit(0)
+}
+
+func runFlakyTestRetriesWithEarlyFlakyTestDetectionTests(m *testing.M) {
+	// mock the settings api to enable automatic test retries
+	server := setUpHttpServer(true, true, &net.EfdResponseData{
+		Tests: net.EfdResponseDataModules{
+			"github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations/gotesting": net.EfdResponseDataSuites{
+				"reflections_test.go": []string{
+					"TestGetFieldPointerFrom",
+					"TestGetInternalTestArray",
+					"TestGetInternalBenchmarkArray",
+					"TestCommonPrivateFields_AddLevel",
+					"TestGetBenchmarkPrivateFields",
+				},
+				"testing_test.go": []string{
+					"TestMyTest01",
+					"TestMyTest02",
+					"Test_Foo",
+					"TestWithExternalCalls",
+					"TestSkip",
+					"TestRetryWithPanic",
+					"TestRetryWithFail",
+					"TestRetryAlwaysFail",
+					"TestNormalPassingAfterRetryAlwaysFail",
+				},
+			},
+		},
+	})
+	defer server.Close()
+
+	// set a custom retry count
+	os.Setenv(constants.CIVisibilityFlakyRetryCountEnvironmentVariable, "10")
+
+	// initialize the mock tracer for doing assertions on the finished spans
+	currentM = m
+	mTracer = integrations.InitializeCIVisibilityMock()
+
+	// execute the tests, we are expecting some tests to fail and check the assertion later
+	exitCode := RunM(m)
+	if exitCode != 1 {
+		panic("expected the exit code to be 1. We have a failing test on purpose.")
+	}
+
+	// get all finished spans
+	finishedSpans := mTracer.FinishedSpans()
+
+	// 1 session span
+	// 1 module span
+	// 2 suite span (testing_test.go and reflections_test.go)
+	// 5 tests from reflections_test.go
+	// 1 TestMyTest01
+	// 1 TestMyTest02 + 2 subtests
+	// 1 Test_Foo + 3 subtests
+	// 1 TestWithExternalCalls + 2 subtests
+	// 1 TestSkip
+	// 1 TestRetryWithPanic + 3 retry tests from testing_test.go
+	// 1 TestRetryWithFail + 3 retry tests from testing_test.go
+	// 1 TestRetryAlwaysFail + 10 retry tests from testing_test.go
+	// 1 TestNormalPassingAfterRetryAlwaysFail
+	// 11 TestEarlyFlakeDetection + 10 retries
+	// 2 normal spans from testing_test.go
+
+	// check spans by resource name
+	checkSpansByResourceName(finishedSpans, "github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations/gotesting", 1)
+	checkSpansByResourceName(finishedSpans, "reflections_test.go", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest01", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestMyTest02/sub01/sub03", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/yellow_should_return_color", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/banana_should_return_fruit", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.Test_Foo/duck_should_return_animal", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/default", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestWithExternalCalls/custom-name", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestSkip", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithPanic", 4)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryWithFail", 4)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestRetryAlwaysFail", 11)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestNormalPassingAfterRetryAlwaysFail", 1)
+	checkSpansByResourceName(finishedSpans, "testing_test.go.TestEarlyFlakeDetection", 21)
+
+	// check spans by tag
+	checkSpansByTagName(finishedSpans, constants.TestIsNew, 21)
+	checkSpansByTagName(finishedSpans, constants.TestIsRetry, 36)
+
+	// check spans by type
+	checkSpansByType(finishedSpans,
+		64,
+		1,
+		1,
+		2,
+		58,
+		2)
+
+	os.Exit(0)
+}
+
+func checkSpansByType(finishedSpans []mocktracer.Span,
+	totalFinishedSpansCount int, sessionSpansCount int, moduleSpansCount int,
+	suiteSpansCount int, testSpansCount int, normalSpansCount int) {
+	calculatedFinishedSpans := len(finishedSpans)
+	fmt.Printf("Number of spans received: %d\n", calculatedFinishedSpans)
+	if calculatedFinishedSpans < totalFinishedSpansCount {
+		panic(fmt.Sprintf("expected at least %d finished spans, got %d", totalFinishedSpansCount, calculatedFinishedSpans))
+	}
+
+	sessionSpans := getSpansWithType(finishedSpans, constants.SpanTypeTestSession)
+	calculatedSessionSpans := len(sessionSpans)
+	fmt.Printf("Number of sessions received: %d\n", calculatedSessionSpans)
+	showResourcesNameFromSpans(sessionSpans)
+	if calculatedSessionSpans != sessionSpansCount {
+		panic(fmt.Sprintf("expected exactly %d session span, got %d", sessionSpansCount, calculatedSessionSpans))
+	}
+
+	moduleSpans := getSpansWithType(finishedSpans, constants.SpanTypeTestModule)
+	calculatedModuleSpans := len(moduleSpans)
+	fmt.Printf("Number of modules received: %d\n", calculatedModuleSpans)
+	showResourcesNameFromSpans(moduleSpans)
+	if calculatedModuleSpans != moduleSpansCount {
+		panic(fmt.Sprintf("expected exactly %d module span, got %d", moduleSpansCount, calculatedModuleSpans))
+	}
+
+	suiteSpans := getSpansWithType(finishedSpans, constants.SpanTypeTestSuite)
+	calculatedSuiteSpans := len(suiteSpans)
+	fmt.Printf("Number of suites received: %d\n", calculatedSuiteSpans)
+	showResourcesNameFromSpans(suiteSpans)
+	if calculatedSuiteSpans != suiteSpansCount {
+		panic(fmt.Sprintf("expected exactly %d suite spans, got %d", suiteSpansCount, calculatedSuiteSpans))
+	}
+
+	testSpans := getSpansWithType(finishedSpans, constants.SpanTypeTest)
+	calculatedTestSpans := len(testSpans)
+	fmt.Printf("Number of tests received: %d\n", calculatedTestSpans)
+	showResourcesNameFromSpans(testSpans)
+	if calculatedTestSpans != testSpansCount {
+		panic(fmt.Sprintf("expected exactly %d test spans, got %d", testSpansCount, calculatedTestSpans))
+	}
+
+	normalSpans := getSpansWithType(finishedSpans, ext.SpanTypeHTTP)
+	calculatedNormalSpans := len(normalSpans)
+	fmt.Printf("Number of http spans received: %d\n", calculatedNormalSpans)
+	showResourcesNameFromSpans(normalSpans)
+	if calculatedNormalSpans != normalSpansCount {
+		panic(fmt.Sprintf("expected exactly %d normal spans, got %d", normalSpansCount, calculatedNormalSpans))
+	}
+}
+
+func checkSpansByResourceName(finishedSpans []mocktracer.Span, resourceName string, count int) []mocktracer.Span {
+	spans := getSpansWithResourceName(finishedSpans, resourceName)
+	numOfSpans := len(spans)
+	if numOfSpans != count {
+		panic(fmt.Sprintf("expected exactly %d spans with resource name: %s, got %d", count, resourceName, numOfSpans))
+	}
+
+	return spans
+}
+
+func checkSpansByTagName(finishedSpans []mocktracer.Span, tagName string, count int) []mocktracer.Span {
+	spans := getSpansWithTagName(finishedSpans, tagName)
+	numOfSpans := len(spans)
+	if numOfSpans != count {
+		panic(fmt.Sprintf("expected exactly %d spans with tag name: %s, got %d", count, tagName, numOfSpans))
+	}
+
+	return spans
+}
+
+func setUpHttpServer(flakyRetriesEnabled bool, earlyFlakyDetectionEnabled bool, earlyFlakyDetectionData *net.EfdResponseData) *httptest.Server {
+	// mock the settings api to enable automatic test retries
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Printf("MockApi received request: %s\n", r.URL.Path)
+
+		// Settings request
+		if r.URL.Path == "/api/v2/libraries/tests/services/setting" {
+			w.Header().Set("Content-Type", "application/json")
+			response := struct {
+				Data struct {
+					ID         string                   `json:"id"`
+					Type       string                   `json:"type"`
+					Attributes net.SettingsResponseData `json:"attributes"`
+				} `json:"data,omitempty"`
+			}{}
+
+			// let's enable flaky test retries
+			response.Data.Attributes = net.SettingsResponseData{
+				FlakyTestRetriesEnabled: flakyRetriesEnabled,
+			}
+			response.Data.Attributes.EarlyFlakeDetection.Enabled = earlyFlakyDetectionEnabled
+			response.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.FiveS = 10
+			response.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.TenS = 5
+			response.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.ThirtyS = 3
+			response.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.FiveM = 2
+
+			fmt.Printf("MockApi sending response: %v\n", response)
+			json.NewEncoder(w).Encode(&response)
+		} else if earlyFlakyDetectionEnabled && r.URL.Path == "/api/v2/ci/libraries/tests" {
+			w.Header().Set("Content-Type", "application/json")
+			response := struct {
+				Data struct {
+					ID         string              `json:"id"`
+					Type       string              `json:"type"`
+					Attributes net.EfdResponseData `json:"attributes"`
+				} `json:"data,omitempty"`
+			}{}
+
+			if earlyFlakyDetectionData != nil {
+				response.Data.Attributes = *earlyFlakyDetectionData
+			}
+
+			fmt.Printf("MockApi sending response: %v\n", response)
+			json.NewEncoder(w).Encode(&response)
+		} else {
+			http.NotFound(w, r)
+		}
+	}))
+
+	// set the custom agentless url and the flaky retry count env-var
+	fmt.Printf("Using mockapi at: %s\n", server.URL)
+	os.Setenv(constants.CIVisibilityAgentlessEnabledEnvironmentVariable, "1")
+	os.Setenv(constants.CIVisibilityAgentlessURLEnvironmentVariable, server.URL)
+	os.Setenv(constants.APIKeyEnvironmentVariable, "12345")
+
+	return server
+}
+
+func getSpansWithType(spans []mocktracer.Span, spanType string) []mocktracer.Span {
+	var result []mocktracer.Span
+	for _, span := range spans {
+		if span.Tag(ext.SpanType) == spanType {
+			result = append(result, span)
+		}
+	}
+
+	return result
+}
+
+func getSpansWithResourceName(spans []mocktracer.Span, resourceName string) []mocktracer.Span {
+	var result []mocktracer.Span
+	for _, span := range spans {
+		if span.Tag(ext.ResourceName) == resourceName {
+			result = append(result, span)
+		}
+	}
+
+	return result
+}
+
+func getSpansWithTagName(spans []mocktracer.Span, tag string) []mocktracer.Span {
+	var result []mocktracer.Span
+	for _, span := range spans {
+		if span.Tag(tag) != nil {
+			result = append(result, span)
+		}
+	}
+
+	return result
+}
+
+func showResourcesNameFromSpans(spans []mocktracer.Span) {
+	for i, span := range spans {
+		fmt.Printf("  [%d] = %v\n", i, span.Tag(ext.ResourceName))
+	}
+}
diff --git a/internal/civisibility/integrations/gotesting/testing.go b/internal/civisibility/integrations/gotesting/testing.go
index 8b83c4d29b..76e85dbccc 100644
--- a/internal/civisibility/integrations/gotesting/testing.go
+++ b/internal/civisibility/integrations/gotesting/testing.go
@@ -128,23 +128,60 @@ func (ddm *M) instrumentInternalTests(internalTests *[]testing.InternalTest) {
 // executeInternalTest wraps the original test function to include CI visibility instrumentation.
 func (ddm *M) executeInternalTest(testInfo *testingTInfo) func(*testing.T) {
 	originalFunc := runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(testInfo.originalFunc)).Pointer())
-	return func(t *testing.T) {
+	instrumentedFunc := func(t *testing.T) {
+		// Get the metadata regarding the execution (in case is already created from the additional features)
+		execMeta := getTestMetadata(t)
+		if execMeta == nil {
+			// in case there's no additional features then we create the metadata for this execution and defer the disposal
+			execMeta = createTestMetadata(t)
+			defer deleteTestMetadata(t)
+		}
+
 		// Create or retrieve the module, suite, and test for CI visibility.
 		module := session.GetOrCreateModuleWithFramework(testInfo.moduleName, testFramework, runtime.Version())
 		suite := module.GetOrCreateSuite(testInfo.suiteName)
 		test := suite.CreateTest(testInfo.testName)
 		test.SetTestFunc(originalFunc)
-		setCiVisibilityTest(t, test)
+
+		// Set the CI Visibility test to the execution metadata
+		execMeta.test = test
+
+		// If the execution is for a new test we tag the test event from early flake detection
+		if execMeta.isANewTest {
+			// Set the is new test tag
+			test.SetTag(constants.TestIsNew, "true")
+		}
+
+		// If the execution is a retry we tag the test event
+		if execMeta.isARetry {
+			// Set the retry tag
+			test.SetTag(constants.TestIsRetry, "true")
+		}
+
+		startTime := time.Now()
 		defer func() {
+			duration := time.Since(startTime)
+			// check if is a new EFD test and the duration >= 5 min
+			if execMeta.isANewTest && duration.Minutes() >= 5 {
+				// Set the EFD retry abort reason
+				test.SetTag(constants.TestEarlyFlakeDetectionRetryAborted, "slow")
+			}
+
 			if r := recover(); r != nil {
 				// Handle panic and set error information.
-				test.SetErrorInfo("panic", fmt.Sprint(r), utils.GetStacktrace(1))
+				execMeta.panicData = r
+				execMeta.panicStacktrace = utils.GetStacktrace(1)
+				test.SetErrorInfo("panic", fmt.Sprint(r), execMeta.panicStacktrace)
 				suite.SetTag(ext.Error, true)
 				module.SetTag(ext.Error, true)
 				test.Close(integrations.ResultStatusFail)
-				checkModuleAndSuite(module, suite)
-				integrations.ExitCiVisibility()
-				panic(r)
+				if !execMeta.hasAdditionalFeatureWrapper {
+					// we are going to let the additional feature wrapper to handle
+					// the panic, and module and suite closing (we don't want to close the suite earlier in case of a retry)
+					checkModuleAndSuite(module, suite)
+					integrations.ExitCiVisibility()
+					panic(r)
+				}
 			} else {
 				// Normal finalization: determine the test result based on its state.
 				if t.Failed() {
@@ -158,13 +195,23 @@ func (ddm *M) executeInternalTest(testInfo *testingTInfo) func(*testing.T) {
 					test.Close(integrations.ResultStatusPass)
 				}
 
-				checkModuleAndSuite(module, suite)
+				if !execMeta.hasAdditionalFeatureWrapper {
+					// we are going to let the additional feature wrapper to handle
+					// the module and suite closing (we don't want to close the suite earlier in case of a retry)
+					checkModuleAndSuite(module, suite)
+				}
 			}
 		}()
 
 		// Execute the original test function.
 		testInfo.originalFunc(t)
 	}
+
+	// Register the instrumented func as an internal instrumented func (to avoid double instrumentation)
+	setInstrumentationMetadata(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedFunc)).Pointer()), &instrumentationMetadata{IsInternal: true})
+
+	// Get the additional feature wrapper
+	return applyAdditionalFeaturesToTestFunc(instrumentedFunc, &testInfo.commonInfo)
 }
 
 // instrumentInternalBenchmarks instruments the internal benchmarks for CI visibility.
@@ -216,13 +263,13 @@ func (ddm *M) instrumentInternalBenchmarks(internalBenchmarks *[]testing.Interna
 
 // executeInternalBenchmark wraps the original benchmark function to include CI visibility instrumentation.
 func (ddm *M) executeInternalBenchmark(benchmarkInfo *testingBInfo) func(*testing.B) {
-	return func(b *testing.B) {
+	originalFunc := runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(benchmarkInfo.originalFunc)).Pointer())
+	instrumentedInternalFunc := func(b *testing.B) {
 
 		// decrement level
 		getBenchmarkPrivateFields(b).AddLevel(-1)
 
 		startTime := time.Now()
-		originalFunc := runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(benchmarkInfo.originalFunc)).Pointer())
 		module := session.GetOrCreateModuleWithFrameworkAndStartTime(benchmarkInfo.moduleName, testFramework, runtime.Version(), startTime)
 		suite := module.GetOrCreateSuiteWithStartTime(benchmarkInfo.suiteName, startTime)
 		test := suite.CreateTestWithStartTime(benchmarkInfo.testName, startTime)
@@ -231,7 +278,7 @@ func (ddm *M) executeInternalBenchmark(benchmarkInfo *testingBInfo) func(*testin
 		// Run the original benchmark function.
 		var iPfOfB *benchmarkPrivateFields
 		var recoverFunc *func(r any)
-		b.Run(b.Name(), func(b *testing.B) {
+		instrumentedFunc := func(b *testing.B) {
 			// Stop the timer to perform initialization and replacements.
 			b.StopTimer()
 
@@ -252,14 +299,26 @@ func (ddm *M) executeInternalBenchmark(benchmarkInfo *testingBInfo) func(*testin
 			iPfOfB = getBenchmarkPrivateFields(b)
 			// Replace the benchmark function with the original one (this must be executed only once - the first iteration[b.run1]).
 			*iPfOfB.benchFunc = benchmarkInfo.originalFunc
-			// Set the CI visibility benchmark.
-			setCiVisibilityBenchmark(b, test)
+
+			// Get the metadata regarding the execution (in case is already created from the additional features)
+			execMeta := getTestMetadata(b)
+			if execMeta == nil {
+				// in case there's no additional features then we create the metadata for this execution and defer the disposal
+				execMeta = createTestMetadata(b)
+				defer deleteTestMetadata(b)
+			}
+
+			// Sets the CI Visibility test
+			execMeta.test = test
 
 			// Restart the timer and execute the original benchmark function.
 			b.ResetTimer()
 			b.StartTimer()
 			benchmarkInfo.originalFunc(b)
-		})
+		}
+
+		setCiVisibilityBenchmarkFunc(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedFunc)).Pointer()))
+		b.Run(b.Name(), instrumentedFunc)
 
 		endTime := time.Now()
 		results := iPfOfB.result
@@ -315,6 +374,9 @@ func (ddm *M) executeInternalBenchmark(benchmarkInfo *testingBInfo) func(*testin
 
 		checkModuleAndSuite(module, suite)
 	}
+	setCiVisibilityBenchmarkFunc(originalFunc)
+	setCiVisibilityBenchmarkFunc(runtime.FuncForPC(reflect.Indirect(reflect.ValueOf(instrumentedInternalFunc)).Pointer()))
+	return instrumentedInternalFunc
 }
 
 // RunM runs the tests and benchmarks using CI visibility.
diff --git a/internal/civisibility/integrations/gotesting/testingB.go b/internal/civisibility/integrations/gotesting/testingB.go
index a4336405b9..22c2044ec1 100644
--- a/internal/civisibility/integrations/gotesting/testingB.go
+++ b/internal/civisibility/integrations/gotesting/testingB.go
@@ -9,6 +9,7 @@ import (
 	"context"
 	"fmt"
 	"regexp"
+	"runtime"
 	"sync"
 	"testing"
 	"time"
@@ -17,20 +18,14 @@ import (
 )
 
 var (
-	// ciVisibilityBenchmarks holds a map of *testing.B to civisibility.DdTest for tracking benchmarks.
-	ciVisibilityBenchmarks = map[*testing.B]integrations.DdTest{}
-
-	// ciVisibilityBenchmarksMutex is a read-write mutex for synchronizing access to ciVisibilityBenchmarks.
-	ciVisibilityBenchmarksMutex sync.RWMutex
-
 	// subBenchmarkAutoName is a placeholder name for CI Visibility sub-benchmarks.
 	subBenchmarkAutoName = "[DD:TestVisibility]"
 
 	// subBenchmarkAutoNameRegex is a regex pattern to match the sub-benchmark auto name.
 	subBenchmarkAutoNameRegex = regexp.MustCompile(`(?si)\/\[DD:TestVisibility\].*`)
 
-	// civisibilityBenchmarksFuncs holds a map of *func(*testing.B) for tracking instrumented functions
-	civisibilityBenchmarksFuncs = map[*func(*testing.B)]struct{}{}
+	// civisibilityBenchmarksFuncs holds a map of *runtime.Func for tracking instrumented functions
+	civisibilityBenchmarksFuncs = map[*runtime.Func]struct{}{}
 
 	// civisibilityBenchmarksFuncsMutex is a read-write mutex for synchronizing access to civisibilityBenchmarksFuncs.
 	civisibilityBenchmarksFuncsMutex sync.RWMutex
@@ -59,9 +54,9 @@ func (ddb *B) Run(name string, f func(*testing.B)) bool {
 // integration tests.
 func (ddb *B) Context() context.Context {
 	b := (*testing.B)(ddb)
-	ciTest := getCiVisibilityBenchmark(b)
-	if ciTest != nil {
-		return ciTest.Context()
+	ciTestItem := getTestMetadata(b)
+	if ciTestItem != nil && ciTestItem.test != nil {
+		return ciTestItem.test.Context()
 	}
 
 	return context.Background()
@@ -113,7 +108,7 @@ func (ddb *B) Skipf(format string, args ...any) {
 // during the test. Calling SkipNow does not stop those other goroutines.
 func (ddb *B) SkipNow() {
 	b := (*testing.B)(ddb)
-	instrumentTestingBSkipNow(b)
+	instrumentSkipNow(b)
 	b.SkipNow()
 }
 
@@ -179,37 +174,18 @@ func (ddb *B) SetParallelism(p int) { (*testing.B)(ddb).SetParallelism(p) }
 
 func (ddb *B) getBWithError(errType string, errMessage string) *testing.B {
 	b := (*testing.B)(ddb)
-	instrumentTestingBSetErrorInfo(b, errType, errMessage, 1)
+	instrumentSetErrorInfo(b, errType, errMessage, 1)
 	return b
 }
 
 func (ddb *B) getBWithSkip(skipReason string) *testing.B {
 	b := (*testing.B)(ddb)
-	instrumentTestingBCloseAndSkip(b, skipReason)
+	instrumentCloseAndSkip(b, skipReason)
 	return b
 }
 
-// getCiVisibilityBenchmark retrieves the CI visibility benchmark associated with a given *testing.B.
-func getCiVisibilityBenchmark(b *testing.B) integrations.DdTest {
-	ciVisibilityBenchmarksMutex.RLock()
-	defer ciVisibilityBenchmarksMutex.RUnlock()
-
-	if v, ok := ciVisibilityBenchmarks[b]; ok {
-		return v
-	}
-
-	return nil
-}
-
-// setCiVisibilityBenchmark associates a CI visibility benchmark with a given *testing.B.
-func setCiVisibilityBenchmark(b *testing.B, ciTest integrations.DdTest) {
-	ciVisibilityBenchmarksMutex.Lock()
-	defer ciVisibilityBenchmarksMutex.Unlock()
-	ciVisibilityBenchmarks[b] = ciTest
-}
-
-// hasCiVisibilityBenchmarkFunc gets if a func(*testing.B) is being instrumented.
-func hasCiVisibilityBenchmarkFunc(fn *func(*testing.B)) bool {
+// hasCiVisibilityBenchmarkFunc gets if a *runtime.Func is being instrumented.
+func hasCiVisibilityBenchmarkFunc(fn *runtime.Func) bool {
 	civisibilityBenchmarksFuncsMutex.RLock()
 	defer civisibilityBenchmarksFuncsMutex.RUnlock()
 
@@ -220,16 +196,9 @@ func hasCiVisibilityBenchmarkFunc(fn *func(*testing.B)) bool {
 	return false
 }
 
-// setCiVisibilityBenchmarkFunc tracks a func(*testing.B) as instrumented benchmark.
-func setCiVisibilityBenchmarkFunc(fn *func(*testing.B)) {
+// setCiVisibilityBenchmarkFunc tracks a *runtime.Func as instrumented benchmark.
+func setCiVisibilityBenchmarkFunc(fn *runtime.Func) {
 	civisibilityBenchmarksFuncsMutex.RLock()
 	defer civisibilityBenchmarksFuncsMutex.RUnlock()
 	civisibilityBenchmarksFuncs[fn] = struct{}{}
 }
-
-// deleteCiVisibilityBenchmarkFunc untracks a func(*testing.B) as instrumented benchmark.
-func deleteCiVisibilityBenchmarkFunc(fn *func(*testing.B)) {
-	civisibilityBenchmarksFuncsMutex.RLock()
-	defer civisibilityBenchmarksFuncsMutex.RUnlock()
-	delete(civisibilityBenchmarksFuncs, fn)
-}
diff --git a/internal/civisibility/integrations/gotesting/testingT.go b/internal/civisibility/integrations/gotesting/testingT.go
index ff3506adcc..0bb9f44bee 100644
--- a/internal/civisibility/integrations/gotesting/testingT.go
+++ b/internal/civisibility/integrations/gotesting/testingT.go
@@ -8,21 +8,12 @@ package gotesting
 import (
 	"context"
 	"fmt"
-	"sync"
 	"testing"
 	"time"
 
 	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/integrations"
 )
 
-var (
-	// ciVisibilityTests holds a map of *testing.T to civisibility.DdTest for tracking tests.
-	ciVisibilityTests = map[*testing.T]integrations.DdTest{}
-
-	// ciVisibilityTestsMutex is a read-write mutex for synchronizing access to ciVisibilityTests.
-	ciVisibilityTestsMutex sync.RWMutex
-)
-
 // T is a type alias for testing.T to provide additional methods for CI visibility.
 type T testing.T
 
@@ -49,9 +40,9 @@ func (ddt *T) Run(name string, f func(*testing.T)) bool {
 // integration tests.
 func (ddt *T) Context() context.Context {
 	t := (*testing.T)(ddt)
-	ciTest := getCiVisibilityTest(t)
-	if ciTest != nil {
-		return ciTest.Context()
+	ciTestItem := getTestMetadata(t)
+	if ciTestItem != nil && ciTestItem.test != nil {
+		return ciTestItem.test.Context()
 	}
 
 	return context.Background()
@@ -103,7 +94,7 @@ func (ddt *T) Skipf(format string, args ...any) {
 // during the test. Calling SkipNow does not stop those other goroutines.
 func (ddt *T) SkipNow() {
 	t := (*testing.T)(ddt)
-	instrumentTestingTSkipNow(t)
+	instrumentSkipNow(t)
 	t.SkipNow()
 }
 
@@ -128,31 +119,12 @@ func (ddt *T) Setenv(key, value string) { (*testing.T)(ddt).Setenv(key, value) }
 
 func (ddt *T) getTWithError(errType string, errMessage string) *testing.T {
 	t := (*testing.T)(ddt)
-	instrumentTestingTSetErrorInfo(t, errType, errMessage, 1)
+	instrumentSetErrorInfo(t, errType, errMessage, 1)
 	return t
 }
 
 func (ddt *T) getTWithSkip(skipReason string) *testing.T {
 	t := (*testing.T)(ddt)
-	instrumentTestingTCloseAndSkip(t, skipReason)
+	instrumentCloseAndSkip(t, skipReason)
 	return t
 }
-
-// getCiVisibilityTest retrieves the CI visibility test associated with a given *testing.T.
-func getCiVisibilityTest(t *testing.T) integrations.DdTest {
-	ciVisibilityTestsMutex.RLock()
-	defer ciVisibilityTestsMutex.RUnlock()
-
-	if v, ok := ciVisibilityTests[t]; ok {
-		return v
-	}
-
-	return nil
-}
-
-// setCiVisibilityTest associates a CI visibility test with a given *testing.T.
-func setCiVisibilityTest(t *testing.T, ciTest integrations.DdTest) {
-	ciVisibilityTestsMutex.Lock()
-	defer ciVisibilityTestsMutex.Unlock()
-	ciVisibilityTests[t] = ciTest
-}
diff --git a/internal/civisibility/integrations/gotesting/testing_test.go b/internal/civisibility/integrations/gotesting/testing_test.go
index b102c8b6a2..b478ef1a07 100644
--- a/internal/civisibility/integrations/gotesting/testing_test.go
+++ b/internal/civisibility/integrations/gotesting/testing_test.go
@@ -10,6 +10,8 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
+	"runtime"
+	"slices"
 	"strconv"
 	"testing"
 
@@ -109,19 +111,28 @@ func Test_Foo(gt *testing.T) {
 	assertTest(gt)
 	t := (*T)(gt)
 	var tests = []struct {
+		index byte
 		name  string
 		input string
 		want  string
 	}{
-		{"yellow should return color", "yellow", "color"},
-		{"banana should return fruit", "banana", "fruit"},
-		{"duck should return animal", "duck", "animal"},
+		{1, "yellow should return color", "yellow", "color"},
+		{2, "banana should return fruit", "banana", "fruit"},
+		{3, "duck should return animal", "duck", "animal"},
 	}
+	buf := []byte{}
 	for _, test := range tests {
+		test := test
 		t.Run(test.name, func(t *testing.T) {
 			t.Log(test.name)
+			buf = append(buf, test.index)
 		})
 	}
+
+	expected := []byte{1, 2, 3}
+	if !slices.Equal(buf, expected) {
+		t.Error("error in subtests closure")
+	}
 }
 
 // Code inspired by contrib/net/http/roundtripper.go
@@ -265,6 +276,59 @@ func TestSkip(gt *testing.T) {
 	t.Skip("Nothing to do here, skipping!")
 }
 
+// Tests for test retries feature
+
+var testRetryWithPanicRunNumber = 0
+
+func TestRetryWithPanic(t *testing.T) {
+	t.Cleanup(func() {
+		if testRetryWithPanicRunNumber == 1 {
+			fmt.Println("CleanUp from the initial execution")
+		} else {
+			fmt.Println("CleanUp from the retry")
+		}
+	})
+	testRetryWithPanicRunNumber++
+	if testRetryWithPanicRunNumber < 4 {
+		panic("Test Panic")
+	}
+}
+
+var testRetryWithFailRunNumber = 0
+
+func TestRetryWithFail(t *testing.T) {
+	t.Cleanup(func() {
+		if testRetryWithFailRunNumber == 1 {
+			fmt.Println("CleanUp from the initial execution")
+		} else {
+			fmt.Println("CleanUp from the retry")
+		}
+	})
+	testRetryWithFailRunNumber++
+	if testRetryWithFailRunNumber < 4 {
+		t.Fatal("Failed due the wrong execution number")
+	}
+}
+
+func TestRetryAlwaysFail(t *testing.T) {
+	t.Parallel()
+	t.Fatal("Always fail to test the auto retries feature")
+}
+
+func TestNormalPassingAfterRetryAlwaysFail(t *testing.T) {}
+
+var run int
+
+func TestEarlyFlakeDetection(t *testing.T) {
+	run++
+	fmt.Printf(" Run: %d", run)
+	if run%2 == 0 {
+		fmt.Println(" Failed")
+		t.FailNow()
+	}
+	fmt.Println(" Passed")
+}
+
 // BenchmarkFirst demonstrates benchmark instrumentation with sub-benchmarks.
 func BenchmarkFirst(gb *testing.B) {
 
@@ -371,8 +435,9 @@ func assertCommon(assert *assert.Assertions, span *mocktracer.Span) {
 	spanTags := span.Tags()
 
 	assert.Subset(spanTags, map[string]interface{}{
-		constants.Origin:   constants.CIAppTestOrigin,
-		constants.TestType: constants.TestTypeTest,
+		constants.Origin:          constants.CIAppTestOrigin,
+		constants.TestType:        constants.TestTypeTest,
+		constants.LogicalCPUCores: float64(runtime.NumCPU()),
 	})
 
 	assert.Contains(spanTags, ext.ResourceName)
diff --git a/internal/civisibility/integrations/manual_api.go b/internal/civisibility/integrations/manual_api.go
index 8f4fe6a678..c7194c6888 100644
--- a/internal/civisibility/integrations/manual_api.go
+++ b/internal/civisibility/integrations/manual_api.go
@@ -211,6 +211,15 @@ func fillCommonTags(opts []tracer.StartSpanOption) []tracer.StartSpanOption {
 
 	// Apply CI tags
 	for k, v := range utils.GetCITags() {
+		// Ignore the test session name (sent at the payload metadata level, see `civisibility_payload.go`)
+		if k == constants.TestSessionName {
+			continue
+		}
+		opts = append(opts, tracer.Tag(k, v))
+	}
+
+	// Apply CI metrics
+	for k, v := range utils.GetCIMetrics() {
 		opts = append(opts, tracer.Tag(k, v))
 	}
 
diff --git a/internal/civisibility/integrations/manual_api_ddtest.go b/internal/civisibility/integrations/manual_api_ddtest.go
index c787e4a49d..da1d88908b 100644
--- a/internal/civisibility/integrations/manual_api_ddtest.go
+++ b/internal/civisibility/integrations/manual_api_ddtest.go
@@ -8,6 +8,9 @@ package integrations
 import (
 	"context"
 	"fmt"
+	"go/ast"
+	"go/parser"
+	"go/token"
 	"runtime"
 	"strings"
 	"time"
@@ -134,11 +137,58 @@ func (t *tslvTest) SetTestFunc(fn *runtime.Func) {
 		return
 	}
 
-	file, line := fn.FileLine(fn.Entry())
-	file = utils.GetRelativePathFromCITagsSourceRoot(file)
+	// let's get the file path and the start line of the function
+	absolutePath, startLine := fn.FileLine(fn.Entry())
+	file := utils.GetRelativePathFromCITagsSourceRoot(absolutePath)
 	t.SetTag(constants.TestSourceFile, file)
-	t.SetTag(constants.TestSourceStartLine, line)
+	t.SetTag(constants.TestSourceStartLine, startLine)
+
+	// now, let's try to get the end line of the function using ast
+	// parse the entire file where the function is defined to create an abstract syntax tree (AST)
+	// if we can't parse the file (source code is not available) we silently bail out
+	fset := token.NewFileSet()
+	fileNode, err := parser.ParseFile(fset, absolutePath, nil, parser.AllErrors)
+	if err == nil {
+		// get the function name without the package name
+		fullName := fn.Name()
+		firstDot := strings.LastIndex(fullName, ".") + 1
+		name := fullName[firstDot:]
+
+		// variable to store the ending line of the function
+		var endLine int
+		// traverse the AST to find the function declaration for the target function
+		ast.Inspect(fileNode, func(n ast.Node) bool {
+			// check if the current node is a function declaration
+			if funcDecl, ok := n.(*ast.FuncDecl); ok {
+				// if the function name matches the target function name
+				if funcDecl.Name.Name == name {
+					// get the line number of the end of the function body
+					endLine = fset.Position(funcDecl.Body.End()).Line
+					// stop further inspection since we have found the target function
+					return false
+				}
+			}
+			// check if the current node is a function literal (FuncLit)
+			if funcLit, ok := n.(*ast.FuncLit); ok {
+				// get the line number of the start of the function literal
+				funcStartLine := fset.Position(funcLit.Body.Pos()).Line
+				// if the start line matches the known start line, record the end line
+				if funcStartLine == startLine {
+					endLine = fset.Position(funcLit.Body.End()).Line
+					return false // stop further inspection since we have found the function
+				}
+			}
+			// continue inspecting other nodes
+			return true
+		})
+
+		// if we found an endLine we check is greater than the calculated startLine
+		if endLine >= startLine {
+			t.SetTag(constants.TestSourceEndLine, endLine)
+		}
+	}
 
+	// get the codeowner of the function
 	codeOwners := utils.GetCodeOwners()
 	if codeOwners != nil {
 		match, found := codeOwners.Match("/" + file)
diff --git a/internal/civisibility/integrations/manual_api_ddtestsession.go b/internal/civisibility/integrations/manual_api_ddtestsession.go
index 2c34a5795e..02a4af2f54 100644
--- a/internal/civisibility/integrations/manual_api_ddtestsession.go
+++ b/internal/civisibility/integrations/manual_api_ddtestsession.go
@@ -9,8 +9,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"path/filepath"
-	"regexp"
 	"strings"
 	"time"
 
@@ -37,23 +35,11 @@ type tslvTestSession struct {
 
 // CreateTestSession initializes a new test session. It automatically determines the command and working directory.
 func CreateTestSession() DdTestSession {
-	var cmd string
-	if len(os.Args) == 1 {
-		cmd = filepath.Base(os.Args[0])
-	} else {
-		cmd = fmt.Sprintf("%s %s ", filepath.Base(os.Args[0]), strings.Join(os.Args[1:], " "))
-	}
-
-	// Filter out some parameters to make the command more stable.
-	cmd = regexp.MustCompile(`(?si)-test.gocoverdir=(.*)\s`).ReplaceAllString(cmd, "")
-	cmd = regexp.MustCompile(`(?si)-test.v=(.*)\s`).ReplaceAllString(cmd, "")
-	cmd = regexp.MustCompile(`(?si)-test.testlogfile=(.*)\s`).ReplaceAllString(cmd, "")
-	cmd = strings.TrimSpace(cmd)
 	wd, err := os.Getwd()
 	if err == nil {
 		wd = utils.GetRelativePathFromCITagsSourceRoot(wd)
 	}
-	return CreateTestSessionWith(cmd, wd, "", time.Now())
+	return CreateTestSessionWith(utils.GetCITags()[constants.TestCommand], wd, "", time.Now())
 }
 
 // CreateTestSessionWith initializes a new test session with specified command, working directory, framework, and start time.
diff --git a/internal/civisibility/integrations/manual_api_mocktracer_test.go b/internal/civisibility/integrations/manual_api_mocktracer_test.go
index eed940e715..29bd8d2590 100644
--- a/internal/civisibility/integrations/manual_api_mocktracer_test.go
+++ b/internal/civisibility/integrations/manual_api_mocktracer_test.go
@@ -245,8 +245,41 @@ func Test(t *testing.T) {
 	test.Close(ResultStatusSkip)
 }
 
-func testAssertions(assert *assert.Assertions, now time.Time, testSpan *mocktracer.Span) {
-	assert.Equal(now.Unix(), testSpan.StartTime().Unix())
+func TestWithInnerFunc(t *testing.T) {
+	mockTracer.Reset()
+	assert := assert.New(t)
+
+	now := time.Now()
+	session, module, suite, test := createDDTest(now)
+	defer func() {
+		session.Close(0)
+		module.Close()
+		suite.Close()
+	}()
+	test.SetError(errors.New("we keep the last error"))
+	test.SetErrorInfo("my-type", "my-message", "my-stack")
+	func() {
+		pc, _, _, _ := runtime.Caller(0)
+		test.SetTestFunc(runtime.FuncForPC(pc))
+	}()
+
+	assert.NotNil(test.Context())
+	assert.Equal("my-test", test.Name())
+	assert.Equal(now, test.StartTime())
+	assert.Equal(suite, test.Suite())
+
+	test.Close(ResultStatusPass)
+
+	finishedSpans := mockTracer.FinishedSpans()
+	assert.Equal(1, len(finishedSpans))
+	testAssertions(assert, now, finishedSpans[0])
+
+	//no-op call
+	test.Close(ResultStatusSkip)
+}
+
+func testAssertions(assert *assert.Assertions, now time.Time, testSpan mocktracer.Span) {
+	assert.Equal(now, testSpan.StartTime())
 	assert.Equal("my-module-framework.test", testSpan.OperationName())
 
 	tags := map[string]interface{}{
@@ -268,6 +301,12 @@ func testAssertions(assert *assert.Assertions, now time.Time, testSpan *mocktrac
 	assert.Contains(spanTags, constants.TestModuleIDTag)
 	assert.Contains(spanTags, constants.TestSuiteIDTag)
 	assert.Contains(spanTags, constants.TestSourceFile)
+
+	// make sure we have both start and end line
 	assert.Contains(spanTags, constants.TestSourceStartLine)
+	assert.Contains(spanTags, constants.TestSourceEndLine)
+	// make sure the startLine < endLine
+	assert.Less(spanTags[constants.TestSourceStartLine].(int), spanTags[constants.TestSourceEndLine].(int))
+
 	commonAssertions(assert, testSpan)
 }
diff --git a/internal/civisibility/utils/ci_providers.go b/internal/civisibility/utils/ci_providers.go
index d7e285fd8a..a8fd4364ff 100644
--- a/internal/civisibility/utils/ci_providers.go
+++ b/internal/civisibility/utils/ci_providers.go
@@ -77,6 +77,14 @@ func getProviderTags() map[string]string {
 		}
 	}
 
+	if log.DebugEnabled() {
+		if providerName, ok := tags[constants.CIProviderName]; ok {
+			log.Debug("civisibility: detected ci provider: %v", providerName)
+		} else {
+			log.Debug("civisibility: no ci provider was detected.")
+		}
+	}
+
 	return tags
 }
 
@@ -399,6 +407,38 @@ func extractGithubActions() map[string]string {
 		tags[constants.CIEnvVars] = string(jsonString)
 	}
 
+	// Extract PR information from the github event json file
+	eventFilePath := os.Getenv("GITHUB_EVENT_PATH")
+	if stats, ok := os.Stat(eventFilePath); ok == nil && !stats.IsDir() {
+		if eventFile, err := os.Open(eventFilePath); err == nil {
+			defer eventFile.Close()
+
+			var eventJson struct {
+				PullRequest struct {
+					Base struct {
+						Sha string `json:"sha"`
+						Ref string `json:"ref"`
+					} `json:"base"`
+					Head struct {
+						Sha string `json:"sha"`
+					} `json:"head"`
+				} `json:"pull_request"`
+			}
+
+			eventDecoder := json.NewDecoder(eventFile)
+			if eventDecoder.Decode(&eventJson) == nil {
+				tags[constants.GitHeadCommit] = eventJson.PullRequest.Head.Sha
+				tags[constants.GitPrBaseCommit] = eventJson.PullRequest.Base.Sha
+				tags[constants.GitPrBaseBranch] = eventJson.PullRequest.Base.Ref
+			}
+		}
+	}
+
+	// Fallback if GitPrBaseBranch is not set
+	if tmpVal, ok := tags[constants.GitPrBaseBranch]; !ok || tmpVal == "" {
+		tags[constants.GitPrBaseBranch] = os.Getenv("GITHUB_BASE_REF")
+	}
+
 	return tags
 }
 
diff --git a/internal/civisibility/utils/ci_providers_test.go b/internal/civisibility/utils/ci_providers_test.go
index b85acc1efc..c4029a2f8f 100644
--- a/internal/civisibility/utils/ci_providers_test.go
+++ b/internal/civisibility/utils/ci_providers_test.go
@@ -13,6 +13,8 @@ import (
 	"path/filepath"
 	"strings"
 	"testing"
+
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
 )
 
 func setEnvs(t *testing.T, env map[string]string) {
@@ -114,3 +116,43 @@ func TestTags(t *testing.T) {
 		})
 	}
 }
+
+func TestGitHubEventFile(t *testing.T) {
+	originalEventPath := os.Getenv("GITHUB_EVENT_PATH")
+	originalBaseRef := os.Getenv("GITHUB_BASE_REF")
+	defer func() {
+		os.Setenv("GITHUB_EVENT_PATH", originalEventPath)
+		os.Setenv("GITHUB_BASE_REF", originalBaseRef)
+	}()
+
+	os.Unsetenv("GITHUB_EVENT_PATH")
+	os.Unsetenv("GITHUB_BASE_REF")
+
+	checkValue := func(tags map[string]string, key, expectedValue string) {
+		if tags[key] != expectedValue {
+			t.Fatalf("Key: %s, the actual value (%s) is different to the expected value (%s)", key, tags[key], expectedValue)
+		}
+	}
+
+	t.Run("with event file", func(t *testing.T) {
+		eventFile := "testdata/fixtures/github-event.json"
+		t.Setenv("GITHUB_EVENT_PATH", eventFile)
+		t.Setenv("GITHUB_BASE_REF", "my-base-ref") // this should be ignored in favor of the event file value
+
+		tags := extractGithubActions()
+		expectedHeadCommit := "df289512a51123083a8e6931dd6f57bb3883d4c4"
+		expectedBaseCommit := "52e0974c74d41160a03d59ddc73bb9f5adab054b"
+		expectedBaseRef := "main"
+
+		checkValue(tags, constants.GitHeadCommit, expectedHeadCommit)
+		checkValue(tags, constants.GitPrBaseCommit, expectedBaseCommit)
+		checkValue(tags, constants.GitPrBaseBranch, expectedBaseRef)
+	})
+
+	t.Run("no event file", func(t *testing.T) {
+		t.Setenv("GITHUB_BASE_REF", "my-base-ref") // this should be ignored in favor of the event file value
+
+		tags := extractGithubActions()
+		checkValue(tags, constants.GitPrBaseBranch, "my-base-ref")
+	})
+}
diff --git a/internal/civisibility/utils/codeowners.go b/internal/civisibility/utils/codeowners.go
index 4e446a6194..3d63da319a 100644
--- a/internal/civisibility/utils/codeowners.go
+++ b/internal/civisibility/utils/codeowners.go
@@ -76,6 +76,9 @@ func GetCodeOwners() *CodeOwners {
 			if _, err := os.Stat(path); err == nil {
 				codeowners, err = NewCodeOwners(path)
 				if err == nil {
+					if logger.DebugEnabled() {
+						logger.Debug("civisibility: codeowner file '%v' was loaded successfully.", path)
+					}
 					return codeowners
 				}
 				logger.Debug("Error parsing codeowners: %s", err)
diff --git a/internal/civisibility/utils/environmentTags.go b/internal/civisibility/utils/environmentTags.go
index e35698a61d..e0193f5d22 100644
--- a/internal/civisibility/utils/environmentTags.go
+++ b/internal/civisibility/utils/environmentTags.go
@@ -6,11 +6,16 @@
 package utils
 
 import (
+	"fmt"
+	"os"
 	"path/filepath"
+	"regexp"
 	"runtime"
+	"strings"
 	"sync"
 
 	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
 	"github.com/DataDog/dd-trace-go/v2/internal/osinfo"
 )
 
@@ -18,6 +23,10 @@ var (
 	// ciTags holds the CI/CD environment variable information.
 	ciTags      map[string]string
 	ciTagsMutex sync.Mutex
+
+	// ciMetrics holds the CI/CD environment numeric variable information
+	ciMetrics      map[string]float64
+	ciMetricsMutex sync.Mutex
 )
 
 // GetCITags retrieves and caches the CI/CD tags from environment variables.
@@ -38,6 +47,24 @@ func GetCITags() map[string]string {
 	return ciTags
 }
 
+// GetCIMetrics retrieves and caches the CI/CD metrics from environment variables.
+// It initializes the ciMetrics map if it is not already initialized.
+// This function is thread-safe due to the use of a mutex.
+//
+// Returns:
+//
+//	A map[string]float64 containing the CI/CD metrics.
+func GetCIMetrics() map[string]float64 {
+	ciMetricsMutex.Lock()
+	defer ciMetricsMutex.Unlock()
+
+	if ciMetrics == nil {
+		ciMetrics = createCIMetricsMap()
+	}
+
+	return ciMetrics
+}
+
 // GetRelativePathFromCITagsSourceRoot calculates the relative path from the CI workspace root to the specified path.
 // If the CI workspace root is not available in the tags, it returns the original path.
 //
@@ -68,12 +95,44 @@ func GetRelativePathFromCITagsSourceRoot(path string) string {
 //	A map[string]string containing the extracted CI/CD tags.
 func createCITagsMap() map[string]string {
 	localTags := getProviderTags()
+
+	// Populate runtime values
 	localTags[constants.OSPlatform] = runtime.GOOS
 	localTags[constants.OSVersion] = osinfo.OSVersion()
 	localTags[constants.OSArchitecture] = runtime.GOARCH
 	localTags[constants.RuntimeName] = runtime.Compiler
 	localTags[constants.RuntimeVersion] = runtime.Version()
+	log.Debug("civisibility: os platform: %v", runtime.GOOS)
+	log.Debug("civisibility: os architecture: %v", runtime.GOARCH)
+	log.Debug("civisibility: runtime version: %v", runtime.Version())
 
+	// Get command line test command
+	var cmd string
+	if len(os.Args) == 1 {
+		cmd = filepath.Base(os.Args[0])
+	} else {
+		cmd = fmt.Sprintf("%s %s ", filepath.Base(os.Args[0]), strings.Join(os.Args[1:], " "))
+	}
+
+	// Filter out some parameters to make the command more stable.
+	cmd = regexp.MustCompile(`(?si)-test.gocoverdir=(.*)\s`).ReplaceAllString(cmd, "")
+	cmd = regexp.MustCompile(`(?si)-test.v=(.*)\s`).ReplaceAllString(cmd, "")
+	cmd = regexp.MustCompile(`(?si)-test.testlogfile=(.*)\s`).ReplaceAllString(cmd, "")
+	cmd = strings.TrimSpace(cmd)
+	localTags[constants.TestCommand] = cmd
+	log.Debug("civisibility: test command: %v", cmd)
+
+	// Populate the test session name
+	if testSessionName, ok := os.LookupEnv(constants.CIVisibilityTestSessionNameEnvironmentVariable); ok {
+		localTags[constants.TestSessionName] = testSessionName
+	} else if jobName, ok := localTags[constants.CIJobName]; ok {
+		localTags[constants.TestSessionName] = fmt.Sprintf("%s-%s", jobName, cmd)
+	} else {
+		localTags[constants.TestSessionName] = cmd
+	}
+	log.Debug("civisibility: test session name: %v", localTags[constants.TestSessionName])
+
+	// Populate missing git data
 	gitData, _ := getLocalGitData()
 
 	// Populate Git metadata from the local Git repository if not already present in localTags
@@ -115,5 +174,20 @@ func createCITagsMap() map[string]string {
 		}
 	}
 
+	log.Debug("civisibility: workspace directory: %v", localTags[constants.CIWorkspacePath])
+	log.Debug("civisibility: common tags created with %v items", len(localTags))
 	return localTags
 }
+
+// createCIMetricsMap creates a map of CI/CD tags by extracting information from environment variables and runtime information.
+//
+// Returns:
+//
+//	A map[string]float64 containing the metrics extracted
+func createCIMetricsMap() map[string]float64 {
+	localMetrics := make(map[string]float64)
+	localMetrics[constants.LogicalCPUCores] = float64(runtime.NumCPU())
+
+	log.Debug("civisibility: common metrics created with %v items", len(localMetrics))
+	return localMetrics
+}
diff --git a/internal/civisibility/utils/environmentTags_test.go b/internal/civisibility/utils/environmentTags_test.go
index 9c3606dbd2..76edf4f026 100644
--- a/internal/civisibility/utils/environmentTags_test.go
+++ b/internal/civisibility/utils/environmentTags_test.go
@@ -25,6 +25,18 @@ func TestGetCITagsCache(t *testing.T) {
 	assert.Equal(t, "newvalue", tags["key"])
 }
 
+func TestGetCIMetricsCache(t *testing.T) {
+	ciMetrics = map[string]float64{"key": float64(1)}
+
+	// First call to initialize ciMetrics
+	tags := GetCIMetrics()
+	assert.Equal(t, float64(1), tags["key"])
+
+	tags["key"] = float64(42)
+	tags = GetCIMetrics()
+	assert.Equal(t, float64(42), tags["key"])
+}
+
 func TestGetRelativePathFromCITagsSourceRoot(t *testing.T) {
 	ciTags = map[string]string{constants.CIWorkspacePath: "/ci/workspace"}
 	absPath := "/ci/workspace/subdir/file.txt"
diff --git a/internal/civisibility/utils/home.go b/internal/civisibility/utils/home.go
index 8625010feb..9fa29fd7cc 100644
--- a/internal/civisibility/utils/home.go
+++ b/internal/civisibility/utils/home.go
@@ -13,6 +13,8 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
 )
 
 // This code is based on: https://github.com/mitchellh/go-homedir/blob/v1.1.0/homedir.go (MIT License)
@@ -55,7 +57,11 @@ func ExpandPath(path string) string {
 // Returns:
 //
 //	The home directory of the current user.
-func getHomeDir() string {
+func getHomeDir() (homeDir string) {
+	defer func() {
+		log.Debug("civisibility: home directory: %v", homeDir)
+	}()
+
 	if runtime.GOOS == "windows" {
 		if home := os.Getenv("HOME"); home != "" {
 			// First prefer the HOME environment variable
diff --git a/internal/civisibility/utils/names.go b/internal/civisibility/utils/names.go
index 1edcb2b972..94eacdb189 100644
--- a/internal/civisibility/utils/names.go
+++ b/internal/civisibility/utils/names.go
@@ -10,9 +10,15 @@ import (
 	"fmt"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strings"
 )
 
+var (
+	// ignoredFunctionsFromStackTrace array with functions we want to ignore on the final stacktrace (because doesn't add anything useful)
+	ignoredFunctionsFromStackTrace = []string{"runtime.gopanic", "runtime.panicmem", "runtime.sigpanic"}
+)
+
 // GetModuleAndSuiteName extracts the module name and suite name from a given program counter (pc).
 // This function utilizes runtime.FuncForPC to retrieve the full function name associated with the
 // program counter, then splits the string to separate the package name from the function name.
@@ -72,6 +78,11 @@ func GetStacktrace(skip int) string {
 	buffer := new(bytes.Buffer)
 	for {
 		if frame, ok := frames.Next(); ok {
+			// let's check if we need to ignore this frame
+			if slices.Contains(ignoredFunctionsFromStackTrace, frame.Function) {
+				continue
+			}
+			// writing frame to the buffer
 			_, _ = fmt.Fprintf(buffer, "%s\n\t%s:%d\n", frame.Function, frame.File, frame.Line)
 		} else {
 			break
diff --git a/internal/civisibility/utils/net/client.go b/internal/civisibility/utils/net/client.go
new file mode 100644
index 0000000000..c7e0e642e8
--- /dev/null
+++ b/internal/civisibility/utils/net/client.go
@@ -0,0 +1,235 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"context"
+	"fmt"
+	"math"
+	"math/rand/v2"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/DataDog/dd-trace-go/v2/internal"
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/constants"
+	"github.com/DataDog/dd-trace-go/v2/internal/civisibility/utils"
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+const (
+	DefaultMaxRetries int           = 5
+	DefaultBackoff    time.Duration = 150 * time.Millisecond
+)
+
+type (
+	Client interface {
+		GetSettings() (*SettingsResponseData, error)
+		GetEarlyFlakeDetectionData() (*EfdResponseData, error)
+		GetCommits(localCommits []string) ([]string, error)
+		SendPackFiles(packFiles []string) (bytes int64, err error)
+	}
+
+	client struct {
+		id                 string
+		agentless          bool
+		baseURL            string
+		environment        string
+		serviceName        string
+		workingDirectory   string
+		repositoryURL      string
+		commitSha          string
+		branchName         string
+		testConfigurations testConfigurations
+		headers            map[string]string
+		handler            *RequestHandler
+	}
+
+	testConfigurations struct {
+		OsPlatform          string            `json:"os.platform,omitempty"`
+		OsVersion           string            `json:"os.version,omitempty"`
+		OsArchitecture      string            `json:"os.architecture,omitempty"`
+		RuntimeName         string            `json:"runtime.name,omitempty"`
+		RuntimeArchitecture string            `json:"runtime.architecture,omitempty"`
+		RuntimeVersion      string            `json:"runtime.version,omitempty"`
+		Custom              map[string]string `json:"custom,omitempty"`
+	}
+)
+
+var _ Client = &client{}
+
+func NewClientWithServiceName(serviceName string) Client {
+	ciTags := utils.GetCITags()
+
+	// get the environment
+	environment := os.Getenv("DD_ENV")
+	if environment == "" {
+		environment = "none"
+	}
+
+	// get the service name
+	if serviceName == "" {
+		serviceName = os.Getenv("DD_SERVICE")
+		if serviceName == "" {
+			if repoURL, ok := ciTags[constants.GitRepositoryURL]; ok {
+				// regex to sanitize the repository url to be used as a service name
+				repoRegex := regexp.MustCompile(`(?m)/([a-zA-Z0-9\-_.]*)$`)
+				matches := repoRegex.FindStringSubmatch(repoURL)
+				if len(matches) > 1 {
+					repoURL = strings.TrimSuffix(matches[1], ".git")
+				}
+				serviceName = repoURL
+			}
+		}
+	}
+
+	// get all custom configuration (test.configuration.*)
+	var customConfiguration map[string]string
+	if v := os.Getenv("DD_TAGS"); v != "" {
+		prefix := "test.configuration."
+		for k, v := range internal.ParseTagString(v) {
+			if strings.HasPrefix(k, prefix) {
+				if customConfiguration == nil {
+					customConfiguration = map[string]string{}
+				}
+
+				customConfiguration[strings.TrimPrefix(k, prefix)] = v
+			}
+		}
+	}
+
+	// create default http headers and get base url
+	defaultHeaders := map[string]string{}
+	var baseURL string
+	var requestHandler *RequestHandler
+
+	agentlessEnabled := internal.BoolEnv(constants.CIVisibilityAgentlessEnabledEnvironmentVariable, false)
+	if agentlessEnabled {
+		// Agentless mode is enabled.
+		APIKeyValue := os.Getenv(constants.APIKeyEnvironmentVariable)
+		if APIKeyValue == "" {
+			log.Error("An API key is required for agentless mode. Use the DD_API_KEY env variable to set it")
+			return nil
+		}
+
+		defaultHeaders["dd-api-key"] = APIKeyValue
+
+		// Check for a custom agentless URL.
+		agentlessURL := os.Getenv(constants.CIVisibilityAgentlessURLEnvironmentVariable)
+
+		if agentlessURL == "" {
+			// Use the standard agentless URL format.
+			site := "datadoghq.com"
+			if v := os.Getenv("DD_SITE"); v != "" {
+				site = v
+			}
+
+			baseURL = fmt.Sprintf("https://api.%s", site)
+		} else {
+			// Use the custom agentless URL.
+			baseURL = agentlessURL
+		}
+
+		requestHandler = NewRequestHandler()
+	} else {
+		// Use agent mode with the EVP proxy.
+		defaultHeaders["X-Datadog-EVP-Subdomain"] = "api"
+
+		agentURL := internal.AgentURLFromEnv()
+		if agentURL.Scheme == "unix" {
+			// If we're connecting over UDS we can just rely on the agent to provide the hostname
+			log.Debug("connecting to agent over unix, do not set hostname on any traces")
+			dialer := &net.Dialer{
+				Timeout:   30 * time.Second,
+				KeepAlive: 30 * time.Second,
+				DualStack: true,
+			}
+			requestHandler = NewRequestHandlerWithClient(&http.Client{
+				Transport: &http.Transport{
+					Proxy: http.ProxyFromEnvironment,
+					DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
+						return dialer.DialContext(ctx, "unix", (&net.UnixAddr{
+							Name: agentURL.Path,
+							Net:  "unix",
+						}).String())
+					},
+					MaxIdleConns:          100,
+					IdleConnTimeout:       90 * time.Second,
+					TLSHandshakeTimeout:   10 * time.Second,
+					ExpectContinueTimeout: 1 * time.Second,
+				},
+				Timeout: 10 * time.Second,
+			})
+			agentURL = &url.URL{
+				Scheme: "http",
+				Host:   fmt.Sprintf("UDS_%s", strings.NewReplacer(":", "_", "/", "_", `\`, "_").Replace(agentURL.Path)),
+			}
+		} else {
+			requestHandler = NewRequestHandler()
+		}
+
+		baseURL = agentURL.String()
+	}
+
+	// create random id (the backend associate all transactions with the client request)
+	id := fmt.Sprint(rand.Uint64() & math.MaxInt64)
+	defaultHeaders["trace_id"] = id
+	defaultHeaders["parent_id"] = id
+
+	log.Debug("ciVisibilityHttpClient: new client created [id: %v, agentless: %v, url: %v, env: %v, serviceName: %v]",
+		id, agentlessEnabled, baseURL, environment, serviceName)
+	return &client{
+		id:               id,
+		agentless:        agentlessEnabled,
+		baseURL:          baseURL,
+		environment:      environment,
+		serviceName:      serviceName,
+		workingDirectory: ciTags[constants.CIWorkspacePath],
+		repositoryURL:    ciTags[constants.GitRepositoryURL],
+		commitSha:        ciTags[constants.GitCommitSHA],
+		branchName:       ciTags[constants.GitBranch],
+		testConfigurations: testConfigurations{
+			OsPlatform:     ciTags[constants.OSPlatform],
+			OsVersion:      ciTags[constants.OSVersion],
+			OsArchitecture: ciTags[constants.OSArchitecture],
+			RuntimeName:    ciTags[constants.RuntimeName],
+			RuntimeVersion: ciTags[constants.RuntimeVersion],
+			Custom:         customConfiguration,
+		},
+		headers: defaultHeaders,
+		handler: requestHandler,
+	}
+}
+
+func NewClient() Client {
+	return NewClientWithServiceName("")
+}
+
+func (c *client) getURLPath(urlPath string) string {
+	if c.agentless {
+		return fmt.Sprintf("%s/%s", c.baseURL, urlPath)
+	}
+
+	return fmt.Sprintf("%s/%s/%s", c.baseURL, "evp_proxy/v2", urlPath)
+}
+
+func (c *client) getPostRequestConfig(url string, body interface{}) *RequestConfig {
+	return &RequestConfig{
+		Method:     "POST",
+		URL:        c.getURLPath(url),
+		Headers:    c.headers,
+		Body:       body,
+		Format:     FormatJSON,
+		Compressed: false,
+		Files:      nil,
+		MaxRetries: DefaultMaxRetries,
+		Backoff:    DefaultBackoff,
+	}
+}
diff --git a/internal/civisibility/utils/net/client_test.go b/internal/civisibility/utils/net/client_test.go
new file mode 100644
index 0000000000..732e17d03a
--- /dev/null
+++ b/internal/civisibility/utils/net/client_test.go
@@ -0,0 +1,231 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"os"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func saveEnv() []string {
+	return os.Environ()
+}
+
+func restoreEnv(env []string) {
+	os.Clearenv()
+	for _, e := range env {
+		kv := strings.SplitN(e, "=", 2)
+		os.Setenv(kv[0], kv[1])
+	}
+}
+
+func TestNewClient_DefaultValues(t *testing.T) {
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	os.Clearenv()
+	os.Setenv("PATH", path)
+	// Do not set any environment variables to simulate default behavior
+
+	cInterface := NewClient()
+	if cInterface == nil {
+		t.Fatal("Expected non-nil client")
+	}
+
+	c, ok := cInterface.(*client)
+	if !ok {
+		t.Fatal("Expected client to be of type *client")
+	}
+
+	if c.environment != "none" {
+		t.Errorf("Expected environment 'none', got '%s'", c.environment)
+	}
+
+	if c.agentless {
+		t.Errorf("Expected agentless to be false")
+	}
+
+	// Since serviceName depends on CI tags, which we cannot mock without access to internal functions,
+	// we check if serviceName is set or not empty.
+	if c.serviceName == "" {
+		t.Errorf("Expected serviceName to be set, got empty string")
+	}
+}
+
+func TestNewClient_AgentlessEnabled(t *testing.T) {
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	os.Clearenv()
+	os.Setenv("PATH", path)
+	os.Setenv("DD_CIVISIBILITY_AGENTLESS_ENABLED", "true")
+	os.Setenv("DD_API_KEY", "test_api_key")
+	os.Setenv("DD_SITE", "site.com")
+
+	cInterface := NewClient()
+	if cInterface == nil {
+		t.Fatal("Expected non-nil client")
+	}
+
+	c, ok := cInterface.(*client)
+	if !ok {
+		t.Fatal("Expected client to be of type *client")
+	}
+
+	if !c.agentless {
+		t.Errorf("Expected agentless to be true")
+	}
+
+	expectedBaseURL := "https://api.site.com"
+	if c.baseURL != expectedBaseURL {
+		t.Errorf("Expected baseUrl '%s', got '%s'", expectedBaseURL, c.baseURL)
+	}
+
+	if c.headers["dd-api-key"] != "test_api_key" {
+		t.Errorf("Expected dd-api-key 'test_api_key', got '%s'", c.headers["dd-api-key"])
+	}
+}
+
+func TestNewClient_AgentlessEnabledWithNoApiKey(t *testing.T) {
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	os.Clearenv()
+	os.Setenv("PATH", path)
+	os.Setenv("DD_CIVISIBILITY_AGENTLESS_ENABLED", "true")
+
+	cInterface := NewClient()
+	if cInterface != nil {
+		t.Fatal("Expected nil client")
+	}
+}
+
+func TestNewClient_CustomAgentlessURL(t *testing.T) {
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, "https://custom.agentless.url")
+
+	cInterface := NewClient()
+	if cInterface == nil {
+		t.Fatal("Expected non-nil client")
+	}
+
+	c, ok := cInterface.(*client)
+	if !ok {
+		t.Fatal("Expected client to be of type *client")
+	}
+
+	if c.baseURL != "https://custom.agentless.url" {
+		t.Errorf("Expected baseUrl 'https://custom.agentless.url', got '%s'", c.baseURL)
+	}
+}
+
+func TestClient_getUrlPath_Agentless(t *testing.T) {
+	c := &client{
+		agentless: true,
+		baseURL:   "https://api.customhost.com",
+	}
+
+	urlPath := c.getURLPath("some/path")
+	expected := "https://api.customhost.com/some/path"
+	if urlPath != expected {
+		t.Errorf("Expected urlPath '%s', got '%s'", expected, urlPath)
+	}
+}
+
+func TestClient_getUrlPath_Agent(t *testing.T) {
+	c := &client{
+		agentless: false,
+		baseURL:   "http://agent.url",
+	}
+
+	urlPath := c.getURLPath("some/path")
+	expected := "http://agent.url/evp_proxy/v2/some/path"
+	if urlPath != expected {
+		t.Errorf("Expected urlPath '%s', got '%s'", expected, urlPath)
+	}
+}
+
+func TestClient_getPostRequestConfig(t *testing.T) {
+	c := &client{
+		agentless: false,
+		baseURL:   "http://agent.url",
+		headers: map[string]string{
+			"trace_id":  "12345",
+			"parent_id": "12345",
+		},
+	}
+
+	body := map[string]string{"key": "value"}
+	config := c.getPostRequestConfig("some/path", body)
+
+	if config.Method != "POST" {
+		t.Errorf("Expected Method 'POST', got '%s'", config.Method)
+	}
+
+	expectedURL := "http://agent.url/evp_proxy/v2/some/path"
+	if config.URL != expectedURL {
+		t.Errorf("Expected URL '%s', got '%s'", expectedURL, config.URL)
+	}
+
+	if !reflect.DeepEqual(config.Headers, c.headers) {
+		t.Errorf("Headers do not match")
+	}
+
+	if config.Format != FormatJSON {
+		t.Errorf("Expected Format 'FormatJSON', got '%v'", config.Format)
+	}
+
+	if config.Compressed {
+		t.Errorf("Expected Compressed to be false")
+	}
+
+	if config.MaxRetries != DefaultMaxRetries {
+		t.Errorf("Expected MaxRetries '%d', got '%d'", DefaultMaxRetries, config.MaxRetries)
+	}
+
+	if config.Backoff != DefaultBackoff {
+		t.Errorf("Expected Backoff '%v', got '%v'", DefaultBackoff, config.Backoff)
+	}
+}
+
+func TestNewClient_TestConfigurations(t *testing.T) {
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, "https://custom.agentless.url")
+	os.Setenv("DD_TAGS", "test.configuration.MyTag:MyValue")
+
+	cInterface := NewClient()
+	if cInterface == nil {
+		t.Fatal("Expected non-nil client")
+	}
+
+	c, ok := cInterface.(*client)
+	if !ok {
+		t.Fatal("Expected client to be of type *client")
+	}
+
+	if c.testConfigurations.Custom["MyTag"] != "MyValue" {
+		t.Errorf("Expected 'MyValue', got '%s'", c.testConfigurations.Custom["MyTag"])
+	}
+}
+
+func setCiVisibilityEnv(path string, url string) {
+	os.Clearenv()
+	os.Setenv("PATH", path)
+	os.Setenv("DD_CIVISIBILITY_AGENTLESS_ENABLED", "true")
+	os.Setenv("DD_API_KEY", "test_api_key")
+	os.Setenv("DD_CIVISIBILITY_AGENTLESS_URL", url)
+}
diff --git a/internal/civisibility/utils/net/efd_api.go b/internal/civisibility/utils/net/efd_api.go
new file mode 100644
index 0000000000..5e2ad94547
--- /dev/null
+++ b/internal/civisibility/utils/net/efd_api.go
@@ -0,0 +1,77 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"fmt"
+)
+
+const (
+	efdRequestType string = "ci_app_libraries_tests_request"
+	efdURLPath     string = "api/v2/ci/libraries/tests"
+)
+
+type (
+	efdRequest struct {
+		Data efdRequestHeader `json:"data"`
+	}
+
+	efdRequestHeader struct {
+		ID         string         `json:"id"`
+		Type       string         `json:"type"`
+		Attributes EfdRequestData `json:"attributes"`
+	}
+
+	EfdRequestData struct {
+		Service        string             `json:"service"`
+		Env            string             `json:"env"`
+		RepositoryURL  string             `json:"repository_url"`
+		Configurations testConfigurations `json:"configurations"`
+	}
+
+	efdResponse struct {
+		Data struct {
+			ID         string          `json:"id"`
+			Type       string          `json:"type"`
+			Attributes EfdResponseData `json:"attributes"`
+		} `json:"data"`
+	}
+
+	EfdResponseData struct {
+		Tests EfdResponseDataModules `json:"tests"`
+	}
+
+	EfdResponseDataModules map[string]EfdResponseDataSuites
+	EfdResponseDataSuites  map[string][]string
+)
+
+func (c *client) GetEarlyFlakeDetectionData() (*EfdResponseData, error) {
+	body := efdRequest{
+		Data: efdRequestHeader{
+			ID:   c.id,
+			Type: efdRequestType,
+			Attributes: EfdRequestData{
+				Service:        c.serviceName,
+				Env:            c.environment,
+				RepositoryURL:  c.repositoryURL,
+				Configurations: c.testConfigurations,
+			},
+		},
+	}
+
+	response, err := c.handler.SendRequest(*c.getPostRequestConfig(efdURLPath, body))
+	if err != nil {
+		return nil, fmt.Errorf("sending early flake detection request: %s", err.Error())
+	}
+
+	var responseObject efdResponse
+	err = response.Unmarshal(&responseObject)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshalling early flake detection data response: %s", err.Error())
+	}
+
+	return &responseObject.Data.Attributes, nil
+}
diff --git a/internal/civisibility/utils/net/efd_api_test.go b/internal/civisibility/utils/net/efd_api_test.go
new file mode 100644
index 0000000000..93008d25ce
--- /dev/null
+++ b/internal/civisibility/utils/net/efd_api_test.go
@@ -0,0 +1,106 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestEfdApiRequest(t *testing.T) {
+	var c *client
+	expectedResponse := efdResponse{}
+	expectedResponse.Data.Type = settingsRequestType
+	expectedResponse.Data.Attributes.Tests = EfdResponseDataModules{
+		"MyModule1": EfdResponseDataSuites{
+			"MySuite1": []string{"Test1", "Test2"},
+		},
+		"MyModule2": EfdResponseDataSuites{
+			"MySuite2": []string{"Test3", "Test4"},
+		},
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			http.Error(w, "failed to read body", http.StatusBadRequest)
+			return
+		}
+
+		if r.Header.Get(HeaderContentType) == ContentTypeJSON {
+			var request efdRequest
+			json.Unmarshal(body, &request)
+			assert.Equal(t, c.id, request.Data.ID)
+			assert.Equal(t, efdRequestType, request.Data.Type)
+			assert.Equal(t, efdURLPath, r.URL.Path[1:])
+			assert.Equal(t, c.environment, request.Data.Attributes.Env)
+			assert.Equal(t, c.repositoryURL, request.Data.Attributes.RepositoryURL)
+			assert.Equal(t, c.serviceName, request.Data.Attributes.Service)
+			assert.Equal(t, c.testConfigurations, request.Data.Attributes.Configurations)
+
+			w.Header().Set(HeaderContentType, ContentTypeJSON)
+			expectedResponse.Data.ID = request.Data.ID
+			json.NewEncoder(w).Encode(expectedResponse)
+		}
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	c = cInterface.(*client)
+	efdData, err := cInterface.GetEarlyFlakeDetectionData()
+	assert.Nil(t, err)
+	assert.Equal(t, expectedResponse.Data.Attributes, *efdData)
+}
+
+func TestEfdApiRequestFailToUnmarshal(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "failed to read body", http.StatusBadRequest)
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	efdData, err := cInterface.GetEarlyFlakeDetectionData()
+	assert.Nil(t, efdData)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "cannot unmarshal response")
+}
+
+func TestEfdApiRequestFailToGet(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "internal processing error", http.StatusInternalServerError)
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	efdData, err := cInterface.GetEarlyFlakeDetectionData()
+	assert.Nil(t, efdData)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "sending early flake detection request")
+}
diff --git a/internal/civisibility/utils/net/http.go b/internal/civisibility/utils/net/http.go
new file mode 100644
index 0000000000..fdccf1ec47
--- /dev/null
+++ b/internal/civisibility/utils/net/http.go
@@ -0,0 +1,398 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"mime"
+	"mime/multipart"
+	"net/http"
+	"net/textproto"
+	"strconv"
+	"time"
+
+	"github.com/DataDog/dd-trace-go/v2/internal/log"
+)
+
+// Constants for common strings
+const (
+	ContentTypeJSON            = "application/json"
+	ContentTypeJSONAlternative = "application/vnd.api+json"
+	ContentTypeOctetStream     = "application/octet-stream"
+	ContentEncodingGzip        = "gzip"
+	HeaderContentType          = "Content-Type"
+	HeaderContentEncoding      = "Content-Encoding"
+	HeaderAcceptEncoding       = "Accept-Encoding"
+	HeaderRateLimitReset       = "x-ratelimit-reset"
+	HTTPStatusTooManyRequests  = 429
+	FormatJSON                 = "json"
+)
+
+// FormFile represents a file to be uploaded in a multipart form request.
+type FormFile struct {
+	FieldName   string      // The name of the form field
+	FileName    string      // The name of the file
+	Content     interface{} // The content of the file (can be []byte, map, struct, etc.)
+	ContentType string      // The MIME type of the file (e.g., "application/json", "application/octet-stream")
+}
+
+// RequestConfig holds configuration for a request.
+type RequestConfig struct {
+	Method     string            // HTTP method: GET or POST
+	URL        string            // Request URL
+	Headers    map[string]string // Additional HTTP headers
+	Body       interface{}       // Request body for JSON, MessagePack, or raw bytes
+	Format     string            // Format: "json" or "msgpack"
+	Compressed bool              // Whether to use gzip compression
+	Files      []FormFile        // Files to be uploaded in a multipart form data request
+	MaxRetries int               // Maximum number of retries
+	Backoff    time.Duration     // Initial backoff duration for retries
+}
+
+// Response represents the HTTP response with deserialization capabilities and status code.
+type Response struct {
+	Body         []byte // Response body in raw format
+	Format       string // Format of the response (json or msgpack)
+	StatusCode   int    // HTTP status code
+	CanUnmarshal bool   // Whether the response body can be unmarshalled
+}
+
+// Unmarshal deserializes the response body into the provided target based on the response format.
+func (r *Response) Unmarshal(target interface{}) error {
+	if !r.CanUnmarshal {
+		return fmt.Errorf("cannot unmarshal response with status code %d", r.StatusCode)
+	}
+
+	switch r.Format {
+	case FormatJSON:
+		return json.Unmarshal(r.Body, target)
+	default:
+		return fmt.Errorf("unsupported format '%s' for unmarshalling", r.Format)
+	}
+}
+
+// RequestHandler handles HTTP requests with retries and different formats.
+type RequestHandler struct {
+	Client *http.Client
+}
+
+// NewRequestHandler creates a new RequestHandler with a default HTTP client.
+func NewRequestHandler() *RequestHandler {
+	return &RequestHandler{
+		Client: &http.Client{
+			Timeout: 45 * time.Second, // Customize timeout as needed
+		},
+	}
+}
+
+// NewRequestHandlerWithClient creates a new RequestHandler with a custom http.Client
+func NewRequestHandlerWithClient(client *http.Client) *RequestHandler {
+	return &RequestHandler{
+		Client: client,
+	}
+}
+
+// SendRequest sends an HTTP request based on the provided configuration.
+func (rh *RequestHandler) SendRequest(config RequestConfig) (*Response, error) {
+	if config.MaxRetries <= 0 {
+		config.MaxRetries = DefaultMaxRetries // Default retries
+	}
+	if config.Backoff <= 0 {
+		config.Backoff = DefaultBackoff // Default backoff
+	}
+	if config.Method == "" {
+		return nil, errors.New("HTTP method is required")
+	}
+	if config.URL == "" {
+		return nil, errors.New("URL is required")
+	}
+
+	for attempt := 0; attempt <= config.MaxRetries; attempt++ {
+		log.Debug("ciVisibilityHttpClient: new request [method: %v, url: %v, attempt: %v, maxRetries: %v]",
+			config.Method, config.URL, attempt, config.MaxRetries)
+		stopRetries, rs, err := rh.internalSendRequest(&config, attempt)
+		if stopRetries {
+			return rs, err
+		}
+	}
+
+	return nil, errors.New("max retries exceeded")
+}
+
+func (rh *RequestHandler) internalSendRequest(config *RequestConfig, attempt int) (stopRetries bool, response *Response, requestError error) {
+	var req *http.Request
+
+	// Check if it's a multipart form data request
+	if len(config.Files) > 0 {
+		// Create multipart form data body
+		body, contentType, err := createMultipartFormData(config.Files, config.Compressed)
+		if err != nil {
+			return true, nil, err
+		}
+
+		if log.DebugEnabled() {
+			var files []string
+			for _, f := range config.Files {
+				files = append(files, f.FileName)
+			}
+			log.Debug("ciVisibilityHttpClient: sending files %v", files)
+		}
+		req, err = http.NewRequest(config.Method, config.URL, bytes.NewBuffer(body))
+		if err != nil {
+			return true, nil, err
+		}
+		req.Header.Set(HeaderContentType, contentType)
+		if config.Compressed {
+			req.Header.Set(HeaderContentEncoding, ContentEncodingGzip)
+		}
+	} else if config.Body != nil {
+		// Handle JSON body
+		serializedBody, err := serializeData(config.Body, config.Format)
+		if err != nil {
+			return true, nil, err
+		}
+
+		if log.DebugEnabled() {
+			log.Debug("ciVisibilityHttpClient: serialized body [compressed: %v] %v", config.Compressed, string(serializedBody))
+		}
+
+		// Compress body if needed
+		if config.Compressed {
+			serializedBody, err = compressData(serializedBody)
+			if err != nil {
+				return true, nil, err
+			}
+		}
+
+		req, err = http.NewRequest(config.Method, config.URL, bytes.NewBuffer(serializedBody))
+		if err != nil {
+			return true, nil, err
+		}
+		if config.Format == FormatJSON {
+			req.Header.Set(HeaderContentType, ContentTypeJSON)
+		}
+		if config.Compressed {
+			req.Header.Set(HeaderContentEncoding, ContentEncodingGzip)
+		}
+	} else {
+		// Handle requests without a body (e.g., GET requests)
+		var err error
+		req, err = http.NewRequest(config.Method, config.URL, nil)
+		if err != nil {
+			return true, nil, err
+		}
+	}
+
+	// Set that is possible to handle gzip responses
+	req.Header.Set(HeaderAcceptEncoding, ContentEncodingGzip)
+
+	// Add custom headers if provided
+	for key, value := range config.Headers {
+		req.Header.Set(key, value)
+	}
+
+	resp, err := rh.Client.Do(req)
+	if err != nil {
+		log.Debug("ciVisibilityHttpClient: error [%v].", err)
+		// Retry if there's an error
+		exponentialBackoff(attempt, config.Backoff)
+		return false, nil, nil
+	}
+	// Close response body
+	defer resp.Body.Close()
+
+	// Capture the status code
+	statusCode := resp.StatusCode
+	log.Debug("ciVisibilityHttpClient: response status code [%v]", resp.StatusCode)
+
+	// Check for rate-limiting (HTTP 429)
+	if resp.StatusCode == HTTPStatusTooManyRequests {
+		rateLimitReset := resp.Header.Get(HeaderRateLimitReset)
+		if rateLimitReset != "" {
+			if resetTime, err := strconv.ParseInt(rateLimitReset, 10, 64); err == nil {
+				var waitDuration time.Duration
+				if resetTime > time.Now().Unix() {
+					// Assume it's a Unix timestamp
+					waitDuration = time.Until(time.Unix(resetTime, 0))
+				} else {
+					// Assume it's a duration in seconds
+					waitDuration = time.Duration(resetTime) * time.Second
+				}
+				if waitDuration > 0 {
+					time.Sleep(waitDuration)
+				}
+				return false, nil, nil
+			}
+		}
+
+		// Fallback to exponential backoff if header is missing or invalid
+		exponentialBackoff(attempt, config.Backoff)
+		return false, nil, nil
+	}
+
+	// Check status code for retries
+	if statusCode >= 406 {
+		// Retry if the status code is >= 406
+		exponentialBackoff(attempt, config.Backoff)
+		return false, nil, nil
+	}
+
+	responseBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return true, nil, err
+	}
+
+	// Decompress response if it is gzip compressed
+	if resp.Header.Get(HeaderContentEncoding) == ContentEncodingGzip {
+		responseBody, err = decompressData(responseBody)
+		if err != nil {
+			return true, nil, err
+		}
+	}
+
+	// Determine response format from headers
+	responseFormat := "unknown"
+	mediaType, _, err := mime.ParseMediaType(resp.Header.Get(HeaderContentType))
+	if err == nil {
+		if mediaType == ContentTypeJSON || mediaType == ContentTypeJSONAlternative {
+			responseFormat = FormatJSON
+			if log.DebugEnabled() {
+				log.Debug("ciVisibilityHttpClient: serialized response [%v]", string(responseBody))
+			}
+		}
+	}
+
+	// Determine if we can unmarshal based on status code (2xx)
+	canUnmarshal := statusCode >= 200 && statusCode < 300
+
+	// Return the successful response with status code and unmarshal capability
+	return true, &Response{Body: responseBody, Format: responseFormat, StatusCode: statusCode, CanUnmarshal: canUnmarshal}, nil
+}
+
+// Helper functions for data serialization, compression, and handling multipart form data
+
+// serializeData serializes the data based on the format.
+func serializeData(data interface{}, format string) ([]byte, error) {
+	switch v := data.(type) {
+	case []byte:
+		// If it's already a byte array, use it directly
+		return v, nil
+	default:
+		// Otherwise, serialize it according to the specified format
+		if format == FormatJSON {
+			return json.Marshal(data)
+		}
+	}
+	return nil, fmt.Errorf("unsupported format '%s' for data type '%T'", format, data)
+}
+
+// compressData compresses the data using gzip.
+func compressData(data []byte) ([]byte, error) {
+	if data == nil {
+		return nil, errors.New("attempt to compress a nil data array")
+	}
+
+	var buf bytes.Buffer
+	writer := gzip.NewWriter(&buf)
+	_, err := writer.Write(data)
+	if err != nil {
+		return nil, err
+	}
+	writer.Close()
+	return buf.Bytes(), nil
+}
+
+// decompressData decompresses gzip data.
+func decompressData(data []byte) ([]byte, error) {
+	reader, err := gzip.NewReader(bytes.NewReader(data))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create gzip reader: %v", err)
+	}
+	defer reader.Close()
+	decompressedData, err := io.ReadAll(reader)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decompress data: %v", err)
+	}
+	return decompressedData, nil
+}
+
+// exponentialBackoff performs an exponential backoff with retries.
+func exponentialBackoff(retryCount int, initialDelay time.Duration) {
+	maxDelay := 30 * time.Second
+	delay := initialDelay * (1 << uint(retryCount)) // Exponential backoff
+	if delay > maxDelay {
+		delay = maxDelay
+	}
+	time.Sleep(delay)
+}
+
+// prepareContent prepares the content for a FormFile by serializing it if needed.
+func prepareContent(content interface{}, contentType string) ([]byte, error) {
+	if contentType == ContentTypeJSON {
+		return serializeData(content, FormatJSON)
+	} else if contentType == ContentTypeOctetStream {
+		// For binary data, ensure it's already in byte format
+		if data, ok := content.([]byte); ok {
+			return data, nil
+		}
+		return nil, errors.New("content must be []byte for octet-stream content type")
+	}
+	return nil, errors.New("unsupported content type for serialization")
+}
+
+// createMultipartFormData creates a multipart form data request body with the given files.
+// It also compresses the data using gzip if compression is enabled.
+func createMultipartFormData(files []FormFile, compressed bool) ([]byte, string, error) {
+	var buf bytes.Buffer
+	writer := multipart.NewWriter(&buf)
+
+	for _, file := range files {
+		partHeaders := textproto.MIMEHeader{}
+		if file.FileName == "" {
+			partHeaders.Set("Content-Disposition", fmt.Sprintf(`form-data; name="%s"`, file.FieldName))
+		} else {
+			partHeaders.Set("Content-Disposition", fmt.Sprintf(`form-data; name="%s"; filename="%s"`, file.FieldName, file.FileName))
+		}
+		partHeaders.Set("Content-Type", file.ContentType)
+
+		part, err := writer.CreatePart(partHeaders)
+		if err != nil {
+			return nil, "", err
+		}
+
+		// Prepare the file content (serialize if necessary based on content type)
+		fileContent, err := prepareContent(file.Content, file.ContentType)
+		if err != nil {
+			return nil, "", err
+		}
+
+		if _, err := part.Write(fileContent); err != nil {
+			return nil, "", err
+		}
+	}
+
+	// Close the writer to set the terminating boundary
+	err := writer.Close()
+	if err != nil {
+		return nil, "", err
+	}
+
+	// Compress the multipart form data if compression is enabled
+	if compressed {
+		compressedData, err := compressData(buf.Bytes())
+		if err != nil {
+			return nil, "", err
+		}
+		return compressedData, writer.FormDataContentType(), nil
+	}
+
+	return buf.Bytes(), writer.FormDataContentType(), nil
+}
diff --git a/internal/civisibility/utils/net/http_test.go b/internal/civisibility/utils/net/http_test.go
new file mode 100644
index 0000000000..45a6c167bc
--- /dev/null
+++ b/internal/civisibility/utils/net/http_test.go
@@ -0,0 +1,896 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+const DefaultMultipartMemorySize = 10 << 20 // 10MB
+
+// Mock server handlers for different test scenarios
+
+// Mock server for basic JSON and MessagePack requests with gzip handling
+func mockJSONMsgPackHandler(w http.ResponseWriter, r *http.Request) {
+	var body []byte
+	var err error
+
+	// Check if the request is gzip compressed and decompress it
+	if r.Header.Get(HeaderContentEncoding) == ContentEncodingGzip {
+		gzipReader, err := gzip.NewReader(r.Body)
+		if err != nil {
+			http.Error(w, "failed to decompress gzip", http.StatusBadRequest)
+			return
+		}
+		defer gzipReader.Close()
+		body, err = io.ReadAll(gzipReader)
+	} else {
+		body, err = io.ReadAll(r.Body)
+	}
+
+	if err != nil {
+		http.Error(w, "failed to read body", http.StatusBadRequest)
+		return
+	}
+
+	// Process JSON based on Content-Type
+	if r.Header.Get(HeaderContentType) == ContentTypeJSON {
+		var data map[string]interface{}
+		json.Unmarshal(body, &data)
+		w.Header().Set(HeaderContentType, ContentTypeJSON)
+		json.NewEncoder(w).Encode(map[string]interface{}{"received": data})
+	}
+}
+
+// Mock server for multipart form data with gzip handling
+func mockMultipartHandler(w http.ResponseWriter, r *http.Request) {
+	var err error
+
+	// Check if the request is gzip compressed and decompress it
+	if r.Header.Get(HeaderContentEncoding) == ContentEncodingGzip {
+		gzipReader, err := gzip.NewReader(r.Body)
+		if err != nil {
+			http.Error(w, "failed to decompress gzip", http.StatusBadRequest)
+			return
+		}
+		defer gzipReader.Close()
+
+		// Replace the request body with the decompressed body for further processing
+		r.Body = io.NopCloser(gzipReader)
+	}
+
+	// Parse multipart form data
+	err = r.ParseMultipartForm(DefaultMultipartMemorySize)
+	if err != nil {
+		http.Error(w, "cannot parse multipart form", http.StatusBadRequest)
+		return
+	}
+
+	response := make(map[string]string)
+	for key := range r.MultipartForm.File {
+		file, _, _ := r.FormFile(key)
+		content, _ := io.ReadAll(file)
+		response[key] = string(content)
+	}
+
+	w.Header().Set(HeaderContentType, ContentTypeJSON)
+	json.NewEncoder(w).Encode(response)
+}
+
+// Mock server for rate limiting with predictable reset timing
+func mockRateLimitHandler(w http.ResponseWriter, _ *http.Request) {
+	// Set the rate limit reset time to 2 seconds
+	w.Header().Set(HeaderRateLimitReset, "2")
+	http.Error(w, "Too Many Requests", HTTPStatusTooManyRequests)
+}
+
+// Test Suite
+
+func TestSendJSONRequest(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "POST",
+		URL:        server.URL,
+		Body:       map[string]interface{}{"key": "value"},
+		Format:     "json",
+		Compressed: false,
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, response.StatusCode)
+	assert.Equal(t, "json", response.Format)
+
+	var result map[string]interface{}
+	err = response.Unmarshal(&result)
+	assert.NoError(t, err)
+	assert.Equal(t, "value", result["received"].(map[string]interface{})["key"])
+}
+
+func TestSendMultipartFormDataRequest(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(mockMultipartHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method: "POST",
+		URL:    server.URL,
+		Files: []FormFile{
+			{
+				FieldName:   "file1",
+				FileName:    "test.json",
+				Content:     map[string]interface{}{"key": "value"},
+				ContentType: ContentTypeJSON,
+			},
+			{
+				FieldName:   "file2",
+				FileName:    "test.bin",
+				Content:     []byte{0x01, 0x02, 0x03},
+				ContentType: ContentTypeOctetStream,
+			},
+		},
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, response.StatusCode)
+	assert.Equal(t, "json", response.Format)
+
+	var result map[string]interface{}
+	err = response.Unmarshal(&result)
+	assert.NoError(t, err)
+	assert.Equal(t, `{"key":"value"}`, result["file1"])
+	assert.Equal(t, "\x01\x02\x03", result["file2"])
+}
+
+func TestSendJSONRequestWithGzipCompression(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "POST",
+		URL:        server.URL,
+		Body:       map[string]interface{}{"key": "value"},
+		Format:     "json",
+		Compressed: true,
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, response.StatusCode)
+	assert.Equal(t, "json", response.Format)
+
+	var result map[string]interface{}
+	err = response.Unmarshal(&result)
+	assert.NoError(t, err)
+	assert.NotNil(t, result["received"], "Expected 'received' key to be present in the response")
+	assert.Equal(t, "value", result["received"].(map[string]interface{})["key"])
+}
+
+func TestSendMultipartFormDataRequestWithGzipCompression(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(mockMultipartHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method: "POST",
+		URL:    server.URL,
+		Files: []FormFile{
+			{
+				FieldName:   "file1",
+				FileName:    "test.json",
+				Content:     map[string]interface{}{"key": "value"},
+				ContentType: ContentTypeJSON,
+			},
+			{
+				FieldName:   "file2",
+				FileName:    "test.bin",
+				Content:     []byte{0x01, 0x02, 0x03},
+				ContentType: ContentTypeOctetStream,
+			},
+		},
+		Compressed: true,
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, response.StatusCode)
+	assert.Equal(t, "json", response.Format)
+
+	var result map[string]interface{}
+	err = response.Unmarshal(&result)
+	assert.NoError(t, err)
+	assert.Equal(t, `{"key":"value"}`, result["file1"])
+	assert.Equal(t, "\x01\x02\x03", result["file2"])
+}
+
+func TestRateLimitHandlingWithRetries(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(mockRateLimitHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "GET", // No body needed for GET
+		URL:        server.URL,
+		Compressed: true, // Enable gzip compression for GET
+		MaxRetries: 2,
+		Backoff:    1 * time.Second, // Exponential backoff fallback
+	}
+
+	start := time.Now()
+	response, err := handler.SendRequest(config)
+	elapsed := time.Since(start)
+
+	// Since the rate limit is set to reset after 2 seconds, and we retry twice,
+	// the minimum elapsed time should be at least 4 seconds (2s for each retry).
+	assert.Error(t, err)
+	assert.Nil(t, response)
+	assert.True(t, elapsed >= 4*time.Second, "Expected at least 4 seconds due to rate limit retry delay")
+}
+
+func TestGzipDecompressionError(t *testing.T) {
+	// Simulate corrupted gzip data
+	corruptedData := []byte{0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x03, 0x00}
+
+	_, err := decompressData(corruptedData)
+	assert.Error(t, err)
+}
+
+func TestExponentialBackoffDelays(t *testing.T) {
+	start := time.Now()
+
+	// Simulate exponential backoff with 3 retries and 1-second initial delay
+	for i := 0; i < 3; i++ {
+		exponentialBackoff(i, 1*time.Second)
+	}
+
+	elapsed := time.Since(start)
+	assert.True(t, elapsed >= 7*time.Second, "Expected at least 7 seconds due to exponential backoff")
+}
+
+func TestCreateMultipartFormDataWithUnsupportedContentType(t *testing.T) {
+	files := []FormFile{
+		{
+			FieldName:   "file1",
+			FileName:    "test.unknown",
+			Content:     map[string]interface{}{"key": "value"},
+			ContentType: "unsupported/content-type", // Unsupported content type
+		},
+	}
+
+	_, _, err := createMultipartFormData(files, false)
+	assert.Error(t, err)
+}
+
+func TestRateLimitHandlingWithoutResetHeader(t *testing.T) {
+	// Mock server without 'x-ratelimit-reset' header
+	mockRateLimitHandlerWithoutHeader := func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "Too Many Requests", HTTPStatusTooManyRequests)
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(mockRateLimitHandlerWithoutHeader))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "GET", // No body needed for GET
+		URL:        server.URL,
+		Compressed: false,
+		MaxRetries: 2,
+		Backoff:    1 * time.Second,
+	}
+
+	start := time.Now()
+	response, err := handler.SendRequest(config)
+	elapsed := time.Since(start)
+
+	// With exponential backoff fallback, the minimum elapsed time should be at least 3 seconds (1s + 2s)
+	assert.Error(t, err)
+	assert.Nil(t, response)
+	assert.True(t, elapsed >= 3*time.Second, "Expected at least 3 seconds due to exponential backoff delay")
+}
+
+func TestSendRequestWithInvalidURL(t *testing.T) {
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "GET",
+		URL:        "http://[::1]:namedport", // Invalid URL
+		Compressed: false,
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.Error(t, err)
+	assert.Nil(t, response)
+}
+
+func TestSendEmptyBodyWithGzipCompression(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "POST",
+		URL:        server.URL,
+		Body:       nil, // Empty body
+		Format:     "json",
+		Compressed: true,
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, response.StatusCode)
+}
+
+func TestCompressDataWithInvalidInput(t *testing.T) {
+	// Attempt to compress an invalid data type (e.g., an empty interface{})
+	_, err := compressData(nil)
+	assert.Error(t, err)
+}
+
+func TestSendPUTRequestWithJSONBody(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "PUT",
+		URL:        server.URL,
+		Body:       map[string]interface{}{"key": "value"},
+		Format:     "json",
+		Compressed: false,
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, response.StatusCode)
+}
+
+func TestSendDELETERequest(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "DELETE",
+		URL:        server.URL,
+		Compressed: false,
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, response.StatusCode)
+}
+
+func TestSendHEADRequest(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "HEAD",
+		URL:        server.URL,
+		Compressed: false,
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, response.StatusCode)
+}
+
+func TestSendRequestWithCustomHeaders(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(mockJSONMsgPackHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	customHeaderKey := "X-Custom-Header"
+	customHeaderValue := "CustomValue"
+
+	config := RequestConfig{
+		Method: "POST",
+		URL:    server.URL,
+		Headers: map[string]string{
+			customHeaderKey: customHeaderValue,
+		},
+		Body:       map[string]interface{}{"key": "value"},
+		Format:     "json",
+		Compressed: false,
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, response.StatusCode)
+
+	// Verify that the custom header was correctly set
+	assert.Equal(t, customHeaderValue, config.Headers[customHeaderKey])
+}
+
+func TestSendRequestWithTimeout(t *testing.T) {
+	// Mock server that delays response
+	mockSlowHandler := func(w http.ResponseWriter, r *http.Request) {
+		time.Sleep(5 * time.Second) // Delay longer than the client timeout
+		w.WriteHeader(http.StatusOK)
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(mockSlowHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	handler.Client.Timeout = 2 * time.Second // Set client timeout to 2 seconds
+
+	config := RequestConfig{
+		Method: "GET",
+		URL:    server.URL,
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.Error(t, err)
+	assert.Nil(t, response)
+}
+
+func TestSendRequestWithMaxRetriesExceeded(t *testing.T) {
+	// Mock server that always returns a 500 error
+	mockAlwaysFailHandler := func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(mockAlwaysFailHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "GET",
+		URL:        server.URL,
+		Compressed: false,
+		MaxRetries: 2, // Only retry twice
+		Backoff:    500 * time.Millisecond,
+	}
+
+	start := time.Now()
+	response, err := handler.SendRequest(config)
+	elapsed := time.Since(start)
+
+	// Ensure retries were attempted
+	assert.Error(t, err)
+	assert.Nil(t, response)
+	assert.True(t, elapsed >= 1*time.Second, "Expected at least 1 second due to retry delay")
+}
+
+func TestGzipResponseDecompressionHandling(t *testing.T) {
+	// Mock server that returns a gzip-compressed response
+	mockGzipResponseHandler := func(w http.ResponseWriter, r *http.Request) {
+		originalResponse := `{"message": "Hello, Gzip!"}`
+		var buf bytes.Buffer
+		gzipWriter := gzip.NewWriter(&buf)
+		_, err := gzipWriter.Write([]byte(originalResponse))
+		if err != nil {
+			http.Error(w, "Failed to compress response", http.StatusInternalServerError)
+			return
+		}
+		gzipWriter.Close()
+
+		// Set headers and write compressed data
+		w.Header().Set(HeaderContentEncoding, ContentEncodingGzip)
+		w.Header().Set(HeaderContentType, ContentTypeJSON)
+		w.Write(buf.Bytes())
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(mockGzipResponseHandler))
+	defer server.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "GET",
+		URL:        server.URL,
+		Compressed: false, // Compression not needed for request, only testing response decompression
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, response.StatusCode)
+	assert.Equal(t, "json", response.Format)
+
+	// Check that the response body was correctly decompressed
+	var result map[string]string
+	err = response.Unmarshal(&result)
+	assert.NoError(t, err)
+	assert.Equal(t, "Hello, Gzip!", result["message"])
+}
+
+func TestSendRequestWithUnsupportedFormat(t *testing.T) {
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "POST",
+		URL:        "http://example.com",
+		Body:       map[string]interface{}{"key": "value"},
+		Format:     "unsupported_format", // Unsupported format
+		Compressed: false,
+	}
+
+	response, err := handler.SendRequest(config)
+	assert.Error(t, err) // Unsupported format error
+	assert.Nil(t, response)
+}
+
+func TestSendRequestWithInvalidMethod(t *testing.T) {
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method: "",
+		URL:    "http://example.com",
+	}
+
+	_, err := handler.SendRequest(config)
+	assert.Error(t, err)
+	assert.EqualError(t, err, "HTTP method is required")
+}
+
+func TestSendRequestWithEmptyURL(t *testing.T) {
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method: "GET",
+		URL:    "",
+	}
+
+	_, err := handler.SendRequest(config)
+	assert.Error(t, err)
+	assert.EqualError(t, err, "URL is required")
+}
+
+func TestSendRequestWithNetworkError(t *testing.T) {
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:  "GET",
+		URL:     "http://invalid-url",
+		Backoff: 10 * time.Millisecond,
+	}
+
+	_, err := handler.SendRequest(config)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "max retries exceeded")
+}
+
+func TestSerializeNilDataToJSON(t *testing.T) {
+	data, err := serializeData(nil, FormatJSON)
+	assert.NoError(t, err)
+	assert.Equal(t, []byte("null"), data)
+}
+
+func TestCompressEmptyData(t *testing.T) {
+	data, err := compressData([]byte{})
+	assert.NoError(t, err)
+	assert.NotEmpty(t, data)
+}
+
+func TestDecompressValidGzipData(t *testing.T) {
+	var buf bytes.Buffer
+	writer := gzip.NewWriter(&buf)
+	writer.Write([]byte("test data"))
+	writer.Close()
+
+	data, err := decompressData(buf.Bytes())
+	assert.NoError(t, err)
+	assert.Equal(t, []byte("test data"), data)
+}
+
+func TestExponentialBackoffWithNegativeRetryCount(t *testing.T) {
+	start := time.Now()
+	exponentialBackoff(-1, 100*time.Millisecond)
+	duration := time.Since(start)
+	assert.LessOrEqual(t, duration, 100*time.Millisecond)
+}
+
+func TestResponseUnmarshalWithUnsupportedFormat(t *testing.T) {
+	resp := &Response{
+		Body:         []byte("data"),
+		Format:       "unknown",
+		StatusCode:   http.StatusOK,
+		CanUnmarshal: true,
+	}
+
+	var data interface{}
+	err := resp.Unmarshal(&data)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "unsupported format 'unknown'")
+}
+
+func TestSendRequestWithUnsupportedResponseFormat(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set(HeaderContentType, "application/xml")
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("<data>test</data>"))
+	}))
+	defer ts.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method: "GET",
+		URL:    ts.URL,
+	}
+
+	resp, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, "unknown", resp.Format)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.True(t, resp.CanUnmarshal)
+
+	var data interface{}
+	err = resp.Unmarshal(&data)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "unsupported format 'unknown'")
+}
+
+func TestPrepareContentWithNonByteContentForOctetStream(t *testing.T) {
+	_, err := prepareContent(12345, ContentTypeOctetStream)
+	assert.Error(t, err)
+	assert.EqualError(t, err, "content must be []byte for octet-stream content type")
+}
+
+func TestCreateMultipartFormDataWithCompression(t *testing.T) {
+	files := []FormFile{
+		{
+			FieldName:   "file1",
+			FileName:    "test.txt",
+			Content:     []byte("test content"),
+			ContentType: ContentTypeOctetStream,
+		},
+	}
+
+	data, contentType, err := createMultipartFormData(files, true)
+	assert.NoError(t, err)
+	assert.Contains(t, contentType, "multipart/form-data; boundary=")
+	assert.NotEmpty(t, data)
+
+	// Decompress the data to verify the content
+	decompressedData, err := decompressData(data)
+	assert.NoError(t, err)
+	assert.Contains(t, string(decompressedData), "test content")
+}
+
+func TestSendRequestWithBodySerializationError(t *testing.T) {
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method: "POST",
+		URL:    "http://example.com",
+		Body:   make(chan int), // Channels cannot be serialized
+		Format: FormatJSON,
+	}
+
+	_, err := handler.SendRequest(config)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "unsupported type: chan int")
+}
+
+func TestSendRequestWithCompressedResponse(t *testing.T) {
+	// Server that returns a compressed response
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set(HeaderContentType, ContentTypeJSON)
+		w.Header().Set(HeaderContentEncoding, ContentEncodingGzip)
+		var buf bytes.Buffer
+		writer := gzip.NewWriter(&buf)
+		writer.Write([]byte(`{"message": "compressed response"}`))
+		writer.Close()
+		w.WriteHeader(http.StatusOK)
+		w.Write(buf.Bytes())
+	}))
+	defer ts.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "GET",
+		URL:        ts.URL,
+		Compressed: true,
+	}
+
+	resp, err := handler.SendRequest(config)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.Equal(t, FormatJSON, resp.Format)
+	assert.True(t, resp.CanUnmarshal)
+
+	var data map[string]string
+	err = resp.Unmarshal(&data)
+	assert.NoError(t, err)
+	assert.Equal(t, "compressed response", data["message"])
+}
+
+func TestSendRequestWithRetryAfterHeader(t *testing.T) {
+	attempts := 0
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if attempts == 0 {
+			w.Header().Set(HeaderRateLimitReset, "1") // Wait 1 second
+			w.WriteHeader(HTTPStatusTooManyRequests)
+			attempts++
+			return
+		}
+		w.Header().Set(HeaderContentType, ContentTypeJSON)
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(`{"success": true}`))
+	}))
+	defer ts.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "GET",
+		URL:        ts.URL,
+		MaxRetries: 2,
+		Backoff:    100 * time.Millisecond,
+	}
+
+	start := time.Now()
+	resp, err := handler.SendRequest(config)
+	duration := time.Since(start)
+
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.True(t, resp.CanUnmarshal)
+	assert.GreaterOrEqual(t, duration, time.Second) // Ensures wait time was respected
+
+	var data map[string]bool
+	err = resp.Unmarshal(&data)
+	assert.NoError(t, err)
+	assert.True(t, data["success"])
+}
+
+func TestSendRequestWithInvalidRetryAfterHeader(t *testing.T) {
+	attempts := 0
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if attempts == 0 {
+			w.Header().Set(HeaderRateLimitReset, "invalid") // Invalid value
+			w.WriteHeader(HTTPStatusTooManyRequests)
+			attempts++
+			return
+		}
+		w.Header().Set(HeaderContentType, ContentTypeJSON)
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(`{"success": true}`))
+	}))
+	defer ts.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "GET",
+		URL:        ts.URL,
+		MaxRetries: 2,
+		Backoff:    100 * time.Millisecond,
+	}
+
+	start := time.Now()
+	resp, err := handler.SendRequest(config)
+	duration := time.Since(start)
+
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.True(t, resp.CanUnmarshal)
+	assert.GreaterOrEqual(t, duration, 100*time.Millisecond) // Backoff was used
+
+	var data map[string]bool
+	err = resp.Unmarshal(&data)
+	assert.NoError(t, err)
+	assert.True(t, data["success"])
+}
+
+func TestExponentialBackoffWithMaxDelay(t *testing.T) {
+	start := time.Now()
+	exponentialBackoff(10, 1*time.Second) // Should be limited to maxDelay (30s)
+	duration := time.Since(start)
+	assert.LessOrEqual(t, duration, 31*time.Second)
+}
+
+func TestSendRequestWithContextTimeout(t *testing.T) {
+	handler := &RequestHandler{
+		Client: &http.Client{
+			Timeout: 50 * time.Millisecond,
+		},
+	}
+
+	// Server that sleeps longer than client timeout
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		time.Sleep(100 * time.Millisecond)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer ts.Close()
+
+	config := RequestConfig{
+		Method: "GET",
+		URL:    ts.URL,
+	}
+
+	_, err := handler.SendRequest(config)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "max retries exceeded")
+}
+
+func TestSendRequestWithRateLimitButNoResetHeader(t *testing.T) {
+	attempts := 0
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if attempts < 2 {
+			w.WriteHeader(HTTPStatusTooManyRequests)
+			attempts++
+			return
+		}
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("OK"))
+	}))
+	defer ts.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "GET",
+		URL:        ts.URL,
+		MaxRetries: 3,
+		Backoff:    100 * time.Millisecond,
+	}
+
+	start := time.Now()
+	resp, err := handler.SendRequest(config)
+	duration := time.Since(start)
+
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.GreaterOrEqual(t, duration, 300*time.Millisecond)
+	assert.Equal(t, []byte("OK"), resp.Body)
+}
+
+func TestSendRequestWhenServerClosesConnection(t *testing.T) {
+	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h1 := w.(http.Hijacker)
+		conn, _, _ := h1.Hijack()
+		conn.Close()
+	}))
+	ts.EnableHTTP2 = false // Disable HTTP/2 to allow hijacking
+	ts.Start()
+	defer ts.Close()
+
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "GET",
+		URL:        ts.URL,
+		MaxRetries: 1,
+		Backoff:    100 * time.Millisecond,
+	}
+
+	_, err := handler.SendRequest(config)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "max retries exceeded")
+}
+
+func TestSendRequestWithInvalidPortAndMaxRetriesExceeded(t *testing.T) {
+	handler := NewRequestHandler()
+	config := RequestConfig{
+		Method:     "GET",
+		URL:        "http://localhost:0", // Invalid port to force error
+		MaxRetries: 2,
+		Backoff:    10 * time.Millisecond,
+	}
+
+	_, err := handler.SendRequest(config)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "max retries exceeded")
+}
+
+func TestPrepareContentWithNilContent(t *testing.T) {
+	data, err := prepareContent(nil, ContentTypeJSON)
+	assert.NoError(t, err)
+	assert.Equal(t, []byte("null"), data)
+}
+
+func TestSerializeDataWithInvalidDataType(t *testing.T) {
+	_, err := serializeData(make(chan int), FormatJSON)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "unsupported type: chan int")
+}
diff --git a/internal/civisibility/utils/net/searchcommits_api.go b/internal/civisibility/utils/net/searchcommits_api.go
new file mode 100644
index 0000000000..2aa787b77b
--- /dev/null
+++ b/internal/civisibility/utils/net/searchcommits_api.go
@@ -0,0 +1,62 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"fmt"
+)
+
+const (
+	searchCommitsType    string = "commit"
+	searchCommitsURLPath string = "api/v2/git/repository/search_commits"
+)
+
+type (
+	searchCommits struct {
+		Data []searchCommitsData `json:"data"`
+		Meta searchCommitsMeta   `json:"meta"`
+	}
+	searchCommitsData struct {
+		ID   string `json:"id"`
+		Type string `json:"type"`
+	}
+	searchCommitsMeta struct {
+		RepositoryURL string `json:"repository_url"`
+	}
+)
+
+func (c *client) GetCommits(localCommits []string) ([]string, error) {
+	body := searchCommits{
+		Data: []searchCommitsData{},
+		Meta: searchCommitsMeta{
+			RepositoryURL: c.repositoryURL,
+		},
+	}
+
+	for _, localCommit := range localCommits {
+		body.Data = append(body.Data, searchCommitsData{
+			ID:   localCommit,
+			Type: searchCommitsType,
+		})
+	}
+
+	response, err := c.handler.SendRequest(*c.getPostRequestConfig(searchCommitsURLPath, body))
+	if err != nil {
+		return nil, fmt.Errorf("sending search commits request: %s", err.Error())
+	}
+
+	var responseObject searchCommits
+	err = response.Unmarshal(&responseObject)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshalling search commits response: %s", err.Error())
+	}
+
+	var commits []string
+	for _, commit := range responseObject.Data {
+		commits = append(commits, commit.ID)
+	}
+	return commits, nil
+}
diff --git a/internal/civisibility/utils/net/searchcommits_api_test.go b/internal/civisibility/utils/net/searchcommits_api_test.go
new file mode 100644
index 0000000000..ec0e612fcd
--- /dev/null
+++ b/internal/civisibility/utils/net/searchcommits_api_test.go
@@ -0,0 +1,105 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSearchCommitsApiRequest(t *testing.T) {
+	var c *client
+	expectedResponse := searchCommits{
+		Data: []searchCommitsData{
+			{
+				ID:   "commit3",
+				Type: searchCommitsType,
+			},
+			{
+				ID:   "commit4",
+				Type: searchCommitsType,
+			},
+		},
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			http.Error(w, "failed to read body", http.StatusBadRequest)
+			return
+		}
+
+		if r.Header.Get(HeaderContentType) == ContentTypeJSON {
+			var request searchCommits
+			json.Unmarshal(body, &request)
+			assert.Equal(t, c.repositoryURL, request.Meta.RepositoryURL)
+			assert.Equal(t, "commit1", request.Data[0].ID)
+			assert.Equal(t, searchCommitsType, request.Data[0].Type)
+			assert.Equal(t, "commit2", request.Data[1].ID)
+			assert.Equal(t, searchCommitsType, request.Data[1].Type)
+
+			w.Header().Set(HeaderContentType, ContentTypeJSON)
+			json.NewEncoder(w).Encode(expectedResponse)
+		}
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	c = cInterface.(*client)
+	remoteCommits, err := cInterface.GetCommits([]string{"commit1", "commit2"})
+	assert.Nil(t, err)
+	assert.Equal(t, []string{"commit3", "commit4"}, remoteCommits)
+}
+
+func TestSearchCommitsApiRequestFailToUnmarshal(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "failed to read body", http.StatusBadRequest)
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	remoteCommits, err := cInterface.GetCommits([]string{"commit1", "commit2"})
+	assert.Nil(t, remoteCommits)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "cannot unmarshal response")
+}
+
+func TestSearchCommitsApiRequestFailToGet(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "internal processing error", http.StatusInternalServerError)
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	remoteCommits, err := cInterface.GetCommits([]string{"commit1", "commit2"})
+	assert.Nil(t, remoteCommits)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "sending search commits request")
+}
diff --git a/internal/civisibility/utils/net/sendpackfiles_api.go b/internal/civisibility/utils/net/sendpackfiles_api.go
new file mode 100644
index 0000000000..71970e34bc
--- /dev/null
+++ b/internal/civisibility/utils/net/sendpackfiles_api.go
@@ -0,0 +1,88 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+)
+
+const (
+	sendPackFilesURLPath string = "api/v2/git/repository/packfile"
+)
+
+type (
+	pushedShaBody struct {
+		Data pushedShaData `json:"data"`
+		Meta pushedShaMeta `json:"meta"`
+	}
+	pushedShaData struct {
+		ID   string `json:"id"`
+		Type string `json:"type"`
+	}
+	pushedShaMeta struct {
+		RepositoryURL string `json:"repository_url"`
+	}
+)
+
+func (c *client) SendPackFiles(packFiles []string) (bytes int64, err error) {
+	if len(packFiles) == 0 {
+		return 0, nil
+	}
+
+	pushedShaFormFile := FormFile{
+		FieldName: "pushedSha",
+		Content: pushedShaBody{
+			Data: pushedShaData{
+				ID:   c.commitSha,
+				Type: searchCommitsType,
+			},
+			Meta: pushedShaMeta{
+				RepositoryURL: c.repositoryURL,
+			},
+		},
+		ContentType: ContentTypeJSON,
+	}
+
+	for _, file := range packFiles {
+		fileContent, fileErr := os.ReadFile(file)
+		if fileErr != nil {
+			err = fmt.Errorf("failed to read pack file: %s", fileErr.Error())
+			return
+		}
+
+		request := RequestConfig{
+			Method:  "POST",
+			URL:     c.getURLPath(sendPackFilesURLPath),
+			Headers: c.headers,
+			Files: []FormFile{
+				pushedShaFormFile,
+				{
+					FieldName:   "packfile",
+					Content:     fileContent,
+					ContentType: ContentTypeOctetStream,
+				},
+			},
+			MaxRetries: DefaultMaxRetries,
+			Backoff:    DefaultBackoff,
+		}
+
+		response, responseErr := c.handler.SendRequest(request)
+		if responseErr != nil {
+			err = fmt.Errorf("failed to send packfile request: %s", responseErr.Error())
+			return
+		}
+
+		if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusNoContent {
+			err = fmt.Errorf("unexpected response code %d: %s", response.StatusCode, string(response.Body))
+		}
+
+		bytes += int64(len(fileContent))
+	}
+
+	return
+}
diff --git a/internal/civisibility/utils/net/sendpackfiles_api_test.go b/internal/civisibility/utils/net/sendpackfiles_api_test.go
new file mode 100644
index 0000000000..bfc5288cca
--- /dev/null
+++ b/internal/civisibility/utils/net/sendpackfiles_api_test.go
@@ -0,0 +1,152 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSendPackFilesApiRequest(t *testing.T) {
+	var c *client
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		reader, err := r.MultipartReader()
+		if err != nil {
+			http.Error(w, "failed to read body", http.StatusBadRequest)
+			return
+		}
+
+		containsPushedSha := false
+		containsPackFile := false
+		for {
+			part, errPart := reader.NextPart()
+			if errPart == io.EOF {
+				break
+			}
+			partName := part.FormName()
+			buf := new(bytes.Buffer)
+			buf.ReadFrom(part)
+			if partName == "pushedSha" {
+				assert.Equal(t, ContentTypeJSON, part.Header.Get(HeaderContentType))
+				var request pushedShaBody
+				json.Unmarshal(buf.Bytes(), &request)
+				assert.Equal(t, c.repositoryURL, request.Meta.RepositoryURL)
+				assert.Equal(t, c.commitSha, request.Data.ID)
+				assert.Equal(t, searchCommitsType, request.Data.Type)
+				containsPushedSha = true
+			} else if partName == "packfile" {
+				assert.Equal(t, ContentTypeOctetStream, part.Header.Get(HeaderContentType))
+				assert.NotZero(t, buf.Bytes())
+				containsPackFile = true
+			}
+		}
+
+		assert.True(t, containsPushedSha)
+		assert.True(t, containsPackFile)
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	c = cInterface.(*client)
+	_, err := cInterface.SendPackFiles([]string{
+		"sendpackfiles_api_test.go",
+	})
+	assert.Nil(t, err)
+}
+
+func TestSendPackFilesApiRequestFailToUnmarshal(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "failed to read body", http.StatusBadRequest)
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	_, err := cInterface.SendPackFiles([]string{
+		"sendpackfiles_api_test.go",
+	})
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "unexpected response code")
+}
+
+func TestSendPackFilesApiRequestFailToGet(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "internal processing error", http.StatusInternalServerError)
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	bytes, err := cInterface.SendPackFiles([]string{
+		"sendpackfiles_api_test.go",
+	})
+	assert.Zero(t, bytes)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "failed to send packfile request")
+}
+
+func TestSendPackFilesApiRequestFileError(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "internal processing error", http.StatusInternalServerError)
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	bytes, err := cInterface.SendPackFiles([]string{
+		"unknown.file",
+	})
+	assert.Zero(t, bytes)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "failed to read pack file")
+}
+
+func TestSendPackFilesApiRequestNoFile(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "internal processing error", http.StatusInternalServerError)
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	bytes, err := cInterface.SendPackFiles(nil)
+	assert.Zero(t, bytes)
+	assert.Nil(t, err)
+}
diff --git a/internal/civisibility/utils/net/settings_api.go b/internal/civisibility/utils/net/settings_api.go
new file mode 100644
index 0000000000..effc7b6fc7
--- /dev/null
+++ b/internal/civisibility/utils/net/settings_api.go
@@ -0,0 +1,92 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"fmt"
+)
+
+const (
+	settingsRequestType string = "ci_app_test_service_libraries_settings"
+	settingsURLPath     string = "api/v2/libraries/tests/services/setting"
+)
+
+type (
+	settingsRequest struct {
+		Data settingsRequestHeader `json:"data"`
+	}
+
+	settingsRequestHeader struct {
+		ID         string              `json:"id"`
+		Type       string              `json:"type"`
+		Attributes SettingsRequestData `json:"attributes"`
+	}
+
+	SettingsRequestData struct {
+		Service        string             `json:"service,omitempty"`
+		Env            string             `json:"env,omitempty"`
+		RepositoryURL  string             `json:"repository_url,omitempty"`
+		Branch         string             `json:"branch,omitempty"`
+		Sha            string             `json:"sha,omitempty"`
+		Configurations testConfigurations `json:"configurations,omitempty"`
+	}
+
+	settingsResponse struct {
+		Data struct {
+			ID         string               `json:"id"`
+			Type       string               `json:"type"`
+			Attributes SettingsResponseData `json:"attributes"`
+		} `json:"data,omitempty"`
+	}
+
+	SettingsResponseData struct {
+		CodeCoverage        bool `json:"code_coverage"`
+		EarlyFlakeDetection struct {
+			Enabled         bool `json:"enabled"`
+			SlowTestRetries struct {
+				TenS    int `json:"10s"`
+				ThirtyS int `json:"30s"`
+				FiveM   int `json:"5m"`
+				FiveS   int `json:"5s"`
+			} `json:"slow_test_retries"`
+			FaultySessionThreshold int `json:"faulty_session_threshold"`
+		} `json:"early_flake_detection"`
+		FlakyTestRetriesEnabled bool `json:"flaky_test_retries_enabled"`
+		ItrEnabled              bool `json:"itr_enabled"`
+		RequireGit              bool `json:"require_git"`
+		TestsSkipping           bool `json:"tests_skipping"`
+	}
+)
+
+func (c *client) GetSettings() (*SettingsResponseData, error) {
+	body := settingsRequest{
+		Data: settingsRequestHeader{
+			ID:   c.id,
+			Type: settingsRequestType,
+			Attributes: SettingsRequestData{
+				Service:        c.serviceName,
+				Env:            c.environment,
+				RepositoryURL:  c.repositoryURL,
+				Branch:         c.branchName,
+				Sha:            c.commitSha,
+				Configurations: c.testConfigurations,
+			},
+		},
+	}
+
+	response, err := c.handler.SendRequest(*c.getPostRequestConfig(settingsURLPath, body))
+	if err != nil {
+		return nil, fmt.Errorf("sending get settings request: %s", err.Error())
+	}
+
+	var responseObject settingsResponse
+	err = response.Unmarshal(&responseObject)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshalling settings response: %s", err.Error())
+	}
+
+	return &responseObject.Data.Attributes, nil
+}
diff --git a/internal/civisibility/utils/net/settings_api_test.go b/internal/civisibility/utils/net/settings_api_test.go
new file mode 100644
index 0000000000..92ce8993d9
--- /dev/null
+++ b/internal/civisibility/utils/net/settings_api_test.go
@@ -0,0 +1,111 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024 Datadog, Inc.
+
+package net
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSettingsApiRequest(t *testing.T) {
+	var c *client
+	expectedResponse := settingsResponse{}
+	expectedResponse.Data.Type = settingsRequestType
+	expectedResponse.Data.Attributes.FlakyTestRetriesEnabled = true
+	expectedResponse.Data.Attributes.CodeCoverage = true
+	expectedResponse.Data.Attributes.TestsSkipping = true
+	expectedResponse.Data.Attributes.ItrEnabled = true
+	expectedResponse.Data.Attributes.RequireGit = true
+	expectedResponse.Data.Attributes.EarlyFlakeDetection.FaultySessionThreshold = 30
+	expectedResponse.Data.Attributes.EarlyFlakeDetection.Enabled = true
+	expectedResponse.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.FiveS = 25
+	expectedResponse.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.TenS = 20
+	expectedResponse.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.ThirtyS = 10
+	expectedResponse.Data.Attributes.EarlyFlakeDetection.SlowTestRetries.FiveM = 5
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			http.Error(w, "failed to read body", http.StatusBadRequest)
+			return
+		}
+
+		if r.Header.Get(HeaderContentType) == ContentTypeJSON {
+			var request settingsRequest
+			json.Unmarshal(body, &request)
+			assert.Equal(t, c.id, request.Data.ID)
+			assert.Equal(t, settingsRequestType, request.Data.Type)
+			assert.Equal(t, settingsURLPath, r.URL.Path[1:])
+			assert.Equal(t, c.commitSha, request.Data.Attributes.Sha)
+			assert.Equal(t, c.branchName, request.Data.Attributes.Branch)
+			assert.Equal(t, c.environment, request.Data.Attributes.Env)
+			assert.Equal(t, c.repositoryURL, request.Data.Attributes.RepositoryURL)
+			assert.Equal(t, c.serviceName, request.Data.Attributes.Service)
+			assert.Equal(t, c.testConfigurations, request.Data.Attributes.Configurations)
+
+			w.Header().Set(HeaderContentType, ContentTypeJSON)
+			expectedResponse.Data.ID = request.Data.ID
+			json.NewEncoder(w).Encode(expectedResponse)
+		}
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	c = cInterface.(*client)
+	settings, err := cInterface.GetSettings()
+	assert.Nil(t, err)
+	assert.Equal(t, expectedResponse.Data.Attributes, *settings)
+}
+
+func TestSettingsApiRequestFailToUnmarshal(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "failed to read body", http.StatusBadRequest)
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	settings, err := cInterface.GetSettings()
+	assert.Nil(t, settings)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "cannot unmarshal response")
+}
+
+func TestSettingsApiRequestFailToGet(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "internal processing error", http.StatusInternalServerError)
+	}))
+	defer server.Close()
+
+	origEnv := saveEnv()
+	path := os.Getenv("PATH")
+	defer restoreEnv(origEnv)
+
+	setCiVisibilityEnv(path, server.URL)
+
+	cInterface := NewClient()
+	settings, err := cInterface.GetSettings()
+	assert.Nil(t, settings)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "sending get settings request")
+}
diff --git a/internal/civisibility/utils/testdata/fixtures/github-event.json b/internal/civisibility/utils/testdata/fixtures/github-event.json
new file mode 100644
index 0000000000..b9fe79f2aa
--- /dev/null
+++ b/internal/civisibility/utils/testdata/fixtures/github-event.json
@@ -0,0 +1,490 @@
+{
+  "action": "synchronize",
+  "after": "df289512a51123083a8e6931dd6f57bb3883d4c4",
+  "before": "f659d2fdd7bedffb40d9ab223dbde6afa5eadc32",
+  "number": 1,
+  "pull_request": {
+    "_links": {
+      "comments": {
+        "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/1/comments"
+      },
+      "commits": {
+        "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1/commits"
+      },
+      "html": {
+        "href": "https://github.com/nikita-tkachenko-datadog/ci-test-project/pull/1"
+      },
+      "issue": {
+        "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/1"
+      },
+      "review_comment": {
+        "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/comments{/number}"
+      },
+      "review_comments": {
+        "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1/comments"
+      },
+      "self": {
+        "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1"
+      },
+      "statuses": {
+        "href": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/statuses/df289512a51123083a8e6931dd6f57bb3883d4c4"
+      }
+    },
+    "active_lock_reason": null,
+    "additions": 2,
+    "assignee": null,
+    "assignees": [],
+    "author_association": "OWNER",
+    "auto_merge": null,
+    "base": {
+      "label": "nikita-tkachenko-datadog:main",
+      "ref": "main",
+      "repo": {
+        "allow_auto_merge": false,
+        "allow_forking": true,
+        "allow_merge_commit": true,
+        "allow_rebase_merge": true,
+        "allow_squash_merge": true,
+        "allow_update_branch": false,
+        "archive_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/{archive_format}{/ref}",
+        "archived": false,
+        "assignees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/assignees{/user}",
+        "blobs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/blobs{/sha}",
+        "branches_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/branches{/branch}",
+        "clone_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+        "collaborators_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/collaborators{/collaborator}",
+        "comments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/comments{/number}",
+        "commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/commits{/sha}",
+        "compare_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/compare/{base}...{head}",
+        "contents_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contents/{+path}",
+        "contributors_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contributors",
+        "created_at": "2023-01-09T10:24:06Z",
+        "default_branch": "main",
+        "delete_branch_on_merge": false,
+        "deployments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/deployments",
+        "description": null,
+        "disabled": false,
+        "downloads_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/downloads",
+        "events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/events",
+        "fork": false,
+        "forks": 0,
+        "forks_count": 0,
+        "forks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/forks",
+        "full_name": "nikita-tkachenko-datadog/ci-test-project",
+        "git_commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/commits{/sha}",
+        "git_refs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/refs{/sha}",
+        "git_tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/tags{/sha}",
+        "git_url": "git://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+        "has_discussions": false,
+        "has_downloads": true,
+        "has_issues": true,
+        "has_pages": false,
+        "has_projects": true,
+        "has_wiki": false,
+        "homepage": null,
+        "hooks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/hooks",
+        "html_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+        "id": 586827266,
+        "is_template": false,
+        "issue_comment_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/comments{/number}",
+        "issue_events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/events{/number}",
+        "issues_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues{/number}",
+        "keys_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/keys{/key_id}",
+        "labels_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/labels{/name}",
+        "language": "Shell",
+        "languages_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/languages",
+        "license": null,
+        "merge_commit_message": "PR_TITLE",
+        "merge_commit_title": "MERGE_MESSAGE",
+        "merges_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/merges",
+        "milestones_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/milestones{/number}",
+        "mirror_url": null,
+        "name": "ci-test-project",
+        "node_id": "R_kgDOIvpGAg",
+        "notifications_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/notifications{?since,all,participating}",
+        "open_issues": 1,
+        "open_issues_count": 1,
+        "owner": {
+          "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+          "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+          "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+          "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+          "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+          "gravatar_id": "",
+          "html_url": "https://github.com/nikita-tkachenko-datadog",
+          "id": 121111529,
+          "login": "nikita-tkachenko-datadog",
+          "node_id": "U_kgDOBzgD6Q",
+          "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+          "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+          "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+          "site_admin": false,
+          "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+          "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+          "type": "User",
+          "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+        },
+        "private": true,
+        "pulls_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls{/number}",
+        "pushed_at": "2024-09-11T15:12:25Z",
+        "releases_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/releases{/id}",
+        "size": 90,
+        "squash_merge_commit_message": "COMMIT_MESSAGES",
+        "squash_merge_commit_title": "COMMIT_OR_PR_TITLE",
+        "ssh_url": "git@github.com:nikita-tkachenko-datadog/ci-test-project.git",
+        "stargazers_count": 0,
+        "stargazers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/stargazers",
+        "statuses_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/statuses/{sha}",
+        "subscribers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscribers",
+        "subscription_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscription",
+        "svn_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+        "tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/tags",
+        "teams_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/teams",
+        "topics": [],
+        "trees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/trees{/sha}",
+        "updated_at": "2024-09-11T13:41:11Z",
+        "url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project",
+        "use_squash_pr_title_as_default": false,
+        "visibility": "private",
+        "watchers": 0,
+        "watchers_count": 0,
+        "web_commit_signoff_required": false
+      },
+      "sha": "52e0974c74d41160a03d59ddc73bb9f5adab054b",
+      "user": {
+        "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+        "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+        "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+        "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+        "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+        "gravatar_id": "",
+        "html_url": "https://github.com/nikita-tkachenko-datadog",
+        "id": 121111529,
+        "login": "nikita-tkachenko-datadog",
+        "node_id": "U_kgDOBzgD6Q",
+        "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+        "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+        "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+        "site_admin": false,
+        "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+        "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+        "type": "User",
+        "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+      }
+    },
+    "body": "# What Does This Do\r\n\r\n# Motivation\r\n\r\n# Additional Notes\r\n",
+    "changed_files": 3,
+    "closed_at": null,
+    "comments": 0,
+    "comments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/1/comments",
+    "commits": 2,
+    "commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1/commits",
+    "created_at": "2024-09-11T15:08:02Z",
+    "deletions": 0,
+    "diff_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project/pull/1.diff",
+    "draft": false,
+    "head": {
+      "label": "nikita-tkachenko-datadog:test-branch",
+      "ref": "test-branch",
+      "repo": {
+        "allow_auto_merge": false,
+        "allow_forking": true,
+        "allow_merge_commit": true,
+        "allow_rebase_merge": true,
+        "allow_squash_merge": true,
+        "allow_update_branch": false,
+        "archive_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/{archive_format}{/ref}",
+        "archived": false,
+        "assignees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/assignees{/user}",
+        "blobs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/blobs{/sha}",
+        "branches_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/branches{/branch}",
+        "clone_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+        "collaborators_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/collaborators{/collaborator}",
+        "comments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/comments{/number}",
+        "commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/commits{/sha}",
+        "compare_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/compare/{base}...{head}",
+        "contents_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contents/{+path}",
+        "contributors_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contributors",
+        "created_at": "2023-01-09T10:24:06Z",
+        "default_branch": "main",
+        "delete_branch_on_merge": false,
+        "deployments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/deployments",
+        "description": null,
+        "disabled": false,
+        "downloads_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/downloads",
+        "events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/events",
+        "fork": false,
+        "forks": 0,
+        "forks_count": 0,
+        "forks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/forks",
+        "full_name": "nikita-tkachenko-datadog/ci-test-project",
+        "git_commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/commits{/sha}",
+        "git_refs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/refs{/sha}",
+        "git_tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/tags{/sha}",
+        "git_url": "git://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+        "has_discussions": false,
+        "has_downloads": true,
+        "has_issues": true,
+        "has_pages": false,
+        "has_projects": true,
+        "has_wiki": false,
+        "homepage": null,
+        "hooks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/hooks",
+        "html_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+        "id": 586827266,
+        "is_template": false,
+        "issue_comment_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/comments{/number}",
+        "issue_events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/events{/number}",
+        "issues_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues{/number}",
+        "keys_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/keys{/key_id}",
+        "labels_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/labels{/name}",
+        "language": "Shell",
+        "languages_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/languages",
+        "license": null,
+        "merge_commit_message": "PR_TITLE",
+        "merge_commit_title": "MERGE_MESSAGE",
+        "merges_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/merges",
+        "milestones_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/milestones{/number}",
+        "mirror_url": null,
+        "name": "ci-test-project",
+        "node_id": "R_kgDOIvpGAg",
+        "notifications_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/notifications{?since,all,participating}",
+        "open_issues": 1,
+        "open_issues_count": 1,
+        "owner": {
+          "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+          "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+          "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+          "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+          "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+          "gravatar_id": "",
+          "html_url": "https://github.com/nikita-tkachenko-datadog",
+          "id": 121111529,
+          "login": "nikita-tkachenko-datadog",
+          "node_id": "U_kgDOBzgD6Q",
+          "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+          "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+          "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+          "site_admin": false,
+          "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+          "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+          "type": "User",
+          "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+        },
+        "private": true,
+        "pulls_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls{/number}",
+        "pushed_at": "2024-09-11T15:12:25Z",
+        "releases_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/releases{/id}",
+        "size": 90,
+        "squash_merge_commit_message": "COMMIT_MESSAGES",
+        "squash_merge_commit_title": "COMMIT_OR_PR_TITLE",
+        "ssh_url": "git@github.com:nikita-tkachenko-datadog/ci-test-project.git",
+        "stargazers_count": 0,
+        "stargazers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/stargazers",
+        "statuses_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/statuses/{sha}",
+        "subscribers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscribers",
+        "subscription_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscription",
+        "svn_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+        "tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/tags",
+        "teams_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/teams",
+        "topics": [],
+        "trees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/trees{/sha}",
+        "updated_at": "2024-09-11T13:41:11Z",
+        "url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project",
+        "use_squash_pr_title_as_default": false,
+        "visibility": "private",
+        "watchers": 0,
+        "watchers_count": 0,
+        "web_commit_signoff_required": false
+      },
+      "sha": "df289512a51123083a8e6931dd6f57bb3883d4c4",
+      "user": {
+        "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+        "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+        "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+        "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+        "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+        "gravatar_id": "",
+        "html_url": "https://github.com/nikita-tkachenko-datadog",
+        "id": 121111529,
+        "login": "nikita-tkachenko-datadog",
+        "node_id": "U_kgDOBzgD6Q",
+        "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+        "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+        "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+        "site_admin": false,
+        "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+        "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+        "type": "User",
+        "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+      }
+    },
+    "html_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project/pull/1",
+    "id": 2066570986,
+    "issue_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/1",
+    "labels": [],
+    "locked": false,
+    "maintainer_can_modify": false,
+    "merge_commit_sha": "d9a3212d0d5d1483426dbbdf0beea32ee50abcde",
+    "mergeable": null,
+    "mergeable_state": "unknown",
+    "merged": false,
+    "merged_at": null,
+    "merged_by": null,
+    "milestone": null,
+    "node_id": "PR_kwDOIvpGAs57LV7q",
+    "number": 1,
+    "patch_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project/pull/1.patch",
+    "rebaseable": null,
+    "requested_reviewers": [],
+    "requested_teams": [],
+    "review_comment_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/comments{/number}",
+    "review_comments": 0,
+    "review_comments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1/comments",
+    "state": "open",
+    "statuses_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/statuses/df289512a51123083a8e6931dd6f57bb3883d4c4",
+    "title": "Test commit",
+    "updated_at": "2024-09-11T15:12:26Z",
+    "url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls/1",
+    "user": {
+      "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+      "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+      "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+      "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+      "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+      "gravatar_id": "",
+      "html_url": "https://github.com/nikita-tkachenko-datadog",
+      "id": 121111529,
+      "login": "nikita-tkachenko-datadog",
+      "node_id": "U_kgDOBzgD6Q",
+      "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+      "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+      "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+      "site_admin": false,
+      "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+      "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+      "type": "User",
+      "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+    }
+  },
+  "repository": {
+    "allow_forking": true,
+    "archive_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/{archive_format}{/ref}",
+    "archived": false,
+    "assignees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/assignees{/user}",
+    "blobs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/blobs{/sha}",
+    "branches_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/branches{/branch}",
+    "clone_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+    "collaborators_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/collaborators{/collaborator}",
+    "comments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/comments{/number}",
+    "commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/commits{/sha}",
+    "compare_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/compare/{base}...{head}",
+    "contents_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contents/{+path}",
+    "contributors_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/contributors",
+    "created_at": "2023-01-09T10:24:06Z",
+    "default_branch": "main",
+    "deployments_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/deployments",
+    "description": null,
+    "disabled": false,
+    "downloads_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/downloads",
+    "events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/events",
+    "fork": false,
+    "forks": 0,
+    "forks_count": 0,
+    "forks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/forks",
+    "full_name": "nikita-tkachenko-datadog/ci-test-project",
+    "git_commits_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/commits{/sha}",
+    "git_refs_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/refs{/sha}",
+    "git_tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/tags{/sha}",
+    "git_url": "git://github.com/nikita-tkachenko-datadog/ci-test-project.git",
+    "has_discussions": false,
+    "has_downloads": true,
+    "has_issues": true,
+    "has_pages": false,
+    "has_projects": true,
+    "has_wiki": false,
+    "homepage": null,
+    "hooks_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/hooks",
+    "html_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+    "id": 586827266,
+    "is_template": false,
+    "issue_comment_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/comments{/number}",
+    "issue_events_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues/events{/number}",
+    "issues_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/issues{/number}",
+    "keys_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/keys{/key_id}",
+    "labels_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/labels{/name}",
+    "language": "Shell",
+    "languages_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/languages",
+    "license": null,
+    "merges_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/merges",
+    "milestones_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/milestones{/number}",
+    "mirror_url": null,
+    "name": "ci-test-project",
+    "node_id": "R_kgDOIvpGAg",
+    "notifications_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/notifications{?since,all,participating}",
+    "open_issues": 1,
+    "open_issues_count": 1,
+    "owner": {
+      "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+      "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+      "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+      "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+      "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+      "gravatar_id": "",
+      "html_url": "https://github.com/nikita-tkachenko-datadog",
+      "id": 121111529,
+      "login": "nikita-tkachenko-datadog",
+      "node_id": "U_kgDOBzgD6Q",
+      "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+      "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+      "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+      "site_admin": false,
+      "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+      "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+      "type": "User",
+      "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+    },
+    "private": true,
+    "pulls_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/pulls{/number}",
+    "pushed_at": "2024-09-11T15:12:25Z",
+    "releases_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/releases{/id}",
+    "size": 90,
+    "ssh_url": "git@github.com:nikita-tkachenko-datadog/ci-test-project.git",
+    "stargazers_count": 0,
+    "stargazers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/stargazers",
+    "statuses_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/statuses/{sha}",
+    "subscribers_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscribers",
+    "subscription_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/subscription",
+    "svn_url": "https://github.com/nikita-tkachenko-datadog/ci-test-project",
+    "tags_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/tags",
+    "teams_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/teams",
+    "topics": [],
+    "trees_url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project/git/trees{/sha}",
+    "updated_at": "2024-09-11T13:41:11Z",
+    "url": "https://api.github.com/repos/nikita-tkachenko-datadog/ci-test-project",
+    "visibility": "private",
+    "watchers": 0,
+    "watchers_count": 0,
+    "web_commit_signoff_required": false
+  },
+  "sender": {
+    "avatar_url": "https://avatars.githubusercontent.com/u/121111529?v=4",
+    "events_url": "https://api.github.com/users/nikita-tkachenko-datadog/events{/privacy}",
+    "followers_url": "https://api.github.com/users/nikita-tkachenko-datadog/followers",
+    "following_url": "https://api.github.com/users/nikita-tkachenko-datadog/following{/other_user}",
+    "gists_url": "https://api.github.com/users/nikita-tkachenko-datadog/gists{/gist_id}",
+    "gravatar_id": "",
+    "html_url": "https://github.com/nikita-tkachenko-datadog",
+    "id": 121111529,
+    "login": "nikita-tkachenko-datadog",
+    "node_id": "U_kgDOBzgD6Q",
+    "organizations_url": "https://api.github.com/users/nikita-tkachenko-datadog/orgs",
+    "received_events_url": "https://api.github.com/users/nikita-tkachenko-datadog/received_events",
+    "repos_url": "https://api.github.com/users/nikita-tkachenko-datadog/repos",
+    "site_admin": false,
+    "starred_url": "https://api.github.com/users/nikita-tkachenko-datadog/starred{/owner}{/repo}",
+    "subscriptions_url": "https://api.github.com/users/nikita-tkachenko-datadog/subscriptions",
+    "type": "User",
+    "url": "https://api.github.com/users/nikita-tkachenko-datadog"
+  }
+}
diff --git a/internal/datastreams/processor.go b/internal/datastreams/processor.go
index 1585deb221..0f0bc38faa 100644
--- a/internal/datastreams/processor.go
+++ b/internal/datastreams/processor.go
@@ -340,7 +340,11 @@ func (p *Processor) Start() {
 	}
 	p.stop = make(chan struct{})
 	p.flushRequest = make(chan chan<- struct{})
-	go p.reportStats()
+	p.wg.Add(1)
+	go func() {
+		defer p.wg.Done()
+		p.reportStats()
+	}()
 	p.wg.Add(1)
 	go func() {
 		defer p.wg.Done()
@@ -372,7 +376,14 @@ func (p *Processor) Stop() {
 }
 
 func (p *Processor) reportStats() {
-	for range time.NewTicker(time.Second * 10).C {
+	tick := time.NewTicker(time.Second * 10)
+	defer tick.Stop()
+	for {
+		select {
+		case <-p.stop:
+			return
+		case <-tick.C:
+		}
 		p.statsd.Count("datadog.datastreams.processor.payloads_in", atomic.SwapInt64(&p.stats.payloadsIn, 0), nil, 1)
 		p.statsd.Count("datadog.datastreams.processor.flushed_payloads", atomic.SwapInt64(&p.stats.flushedPayloads, 0), nil, 1)
 		p.statsd.Count("datadog.datastreams.processor.flushed_buckets", atomic.SwapInt64(&p.stats.flushedBuckets, 0), nil, 1)
diff --git a/internal/exectracetest/go.mod b/internal/exectracetest/go.mod
index 59bef79243..21f78dc032 100644
--- a/internal/exectracetest/go.mod
+++ b/internal/exectracetest/go.mod
@@ -1,6 +1,6 @@
 module github.com/DataDog/dd-trace-go/internal/exectracetest/v2
 
-go 1.21
+go 1.22.0
 
 require (
 	github.com/DataDog/dd-trace-go/contrib/database/sql/v2 v2.0.0-20240909105439-c452671ebc14
@@ -11,28 +11,35 @@ require (
 )
 
 require (
-	github.com/DataDog/appsec-internal-go v1.7.0 // indirect
-	github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 // indirect
-	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 // indirect
-	github.com/DataDog/datadog-go/v5 v5.5.0 // indirect
-	github.com/DataDog/go-libddwaf/v3 v3.3.0 // indirect
-	github.com/DataDog/go-sqllexer v0.0.11 // indirect
+	github.com/DataDog/appsec-internal-go v1.8.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 // indirect
+	github.com/DataDog/datadog-go/v5 v5.3.0 // indirect
+	github.com/DataDog/go-libddwaf/v3 v3.4.0 // indirect
 	github.com/DataDog/go-tuf v1.1.0-0.5.2 // indirect
 	github.com/DataDog/sketches-go v1.4.5 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/ebitengine/purego v0.7.1 // indirect
-	github.com/google/uuid v1.6.0 // indirect
+	github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 // indirect
+	github.com/ebitengine/purego v0.6.0-alpha.5 // indirect
+	github.com/google/uuid v1.5.0 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/outcaste-io/ristretto v0.2.3 // indirect
-	github.com/philhofer/fwd v1.1.2 // indirect
+	github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
-	github.com/tinylib/msgp v1.1.9 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect
+	github.com/tinylib/msgp v1.2.1 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.23.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/protobuf v1.34.1 // indirect
 )
diff --git a/internal/exectracetest/go.sum b/internal/exectracetest/go.sum
index 5afa9af863..c090132bc8 100644
--- a/internal/exectracetest/go.sum
+++ b/internal/exectracetest/go.sum
@@ -1,15 +1,13 @@
-github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
-github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
-github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 h1:/oxF4p/4XUGNpNw2TE7vDu/pJV3elEAZ+jES0/MWtiI=
-github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1/go.mod h1:AVPQWekk3h9AOC7+plBlNB68Sy6UIGFoMMVUDeSoNoI=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 h1:mmkGuCHBFuDBpuwNMcqtY1x1I2fCaPH2Br4xPAAjbkM=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1/go.mod h1:JhAilx32dkIgoDkFXquCTfaWDsAOfe+vfBaxbiZoPI0=
-github.com/DataDog/datadog-go/v5 v5.5.0 h1:G5KHeB8pWBNXT4Jtw0zAkhdxEAWSpWH00geHI6LDrKU=
-github.com/DataDog/datadog-go/v5 v5.5.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
-github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
-github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
-github.com/DataDog/go-sqllexer v0.0.11 h1:OfPBjmayreblOXreszbrOTICNZ3qWrA6Bg4sypvxpbw=
-github.com/DataDog/go-sqllexer v0.0.11/go.mod h1:KwkYhpFEVIq+BfobkTC1vfqm4gTi65skV/DpDBXtexc=
+github.com/DataDog/appsec-internal-go v1.8.0 h1:1Tfn3LEogntRqZtf88twSApOCAAO3V+NILYhuQIo4J4=
+github.com/DataDog/appsec-internal-go v1.8.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 h1:bUMSNsw1iofWiju9yc1f+kBd33E3hMJtq9GuU602Iy8=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 h1:LplNAmMgZvGU7kKA0+4c1xWOjz828xweW5TCi8Mw9Q0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0/go.mod h1:4Vo3SJ24uzfKHUHLoFa8t8o+LH+7TCQ7sPcZDtOpSP4=
+github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8=
+github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q=
+github.com/DataDog/go-libddwaf/v3 v3.4.0 h1:NJ2W2vhYaOm1OWr1LJCbdgp7ezG/XLJcQKBmjFwhSuM=
+github.com/DataDog/go-libddwaf/v3 v3.4.0/go.mod h1:n98d9nZ1gzenRSk53wz8l6d34ikxS+hs62A31Fqmyi4=
 github.com/DataDog/go-tuf v1.1.0-0.5.2 h1:4CagiIekonLSfL8GMHRHcHudo1fQnxELS9g4tiAupQ4=
 github.com/DataDog/go-tuf v1.1.0-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
 github.com/DataDog/gostackparse v0.7.0 h1:i7dLkXHvYzHV308hnkvVGDL3BR4FWl7IsXNPz/IGQh4=
@@ -17,8 +15,10 @@ github.com/DataDog/gostackparse v0.7.0/go.mod h1:lTfqcJKqS9KnXQGnyQMCugq3u1FP6UZ
 github.com/DataDog/sketches-go v1.4.5 h1:ki7VfeNz7IcNafq7yI/j5U/YCkO3LJiMDtXz9OMQbyE=
 github.com/DataDog/sketches-go v1.4.5/go.mod h1:7Y8GN8Jf66DLyDhc94zuWA3uHEt/7ttt8jHOBWWrSOg=
 github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
-github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
-github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -35,8 +35,9 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 h1:8EXxF+tCLqaVk8AOC29zl2mnhQjwyLxxOTuhUazWRsg=
 github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4/go.mod h1:I5sHm0Y0T1u5YjlyqC5GVArM7aNZRUYtTjmJ8mPJFds=
-github.com/ebitengine/purego v0.7.1 h1:6/55d26lG3o9VCZX8lping+bZcmShseiqlh2bnUDiPA=
-github.com/ebitengine/purego v0.7.1/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ=
+github.com/ebitengine/purego v0.6.0-alpha.5 h1:EYID3JOAdmQ4SNZYJHu9V6IqOeRQDBYxqKAg9PyoHFY=
+github.com/ebitengine/purego v0.6.0-alpha.5/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
@@ -48,10 +49,13 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b h1:h9U78+dx9a4BKdQkBBos92HalKpaGKHrp+3Uo6yTodo=
 github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
+github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
 github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
@@ -64,27 +68,32 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lib/pq v1.10.2 h1:AqzbZs4ZoCBp+GtejcpCpcxM3zlSMx29dXbUSeVtJb8=
 github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v1.14.18 h1:JL0eqdCOq6DJVNPSvArO/bIV9/P7fbGrV00LZHc+5aI=
 github.com/mattn/go-sqlite3 v1.14.18/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
+github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0=
 github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
-github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
-github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 h1:jYi87L8j62qkXzaYHAQAhEapgukhenIMZRBKTNRLHJ4=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY=
 github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3/go.mod h1:vl5+MqJ1nBINuSsUI2mGgH79UweUT/B5Fy8857PqyyI=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
@@ -105,8 +114,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tinylib/msgp v1.1.9 h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=
-github.com/tinylib/msgp v1.1.9/go.mod h1:BCXGB54lDD8qUEPmiG0cQQUANC4IUQyB2ItS2UDlO/k=
+github.com/tinylib/msgp v1.2.1 h1:6ypy2qcCznxpP4hpORzhtXyTqrBs7cfM9MCCWY8zsmU=
+github.com/tinylib/msgp v1.2.1/go.mod h1:2vIGs3lcUo8izAATNobrCHevYZC/LMsJtw4JPiYPHro=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -115,22 +124,21 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -139,25 +147,27 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
-golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/grpc v1.57.1 h1:upNTNqv0ES+2ZOOqACwVtS3Il8M12/+Hz41RCPzAjQg=
+google.golang.org/grpc v1.57.1/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/internal/log/log.go b/internal/log/log.go
index 49083164f8..3471d3d28b 100644
--- a/internal/log/log.go
+++ b/internal/log/log.go
@@ -58,6 +58,40 @@ type Logger interface {
 	Log(msg string)
 }
 
+// File name for writing tracer logs, if DD_TRACE_LOG_DIRECTORY has been configured
+const LoggerFile = "ddtrace.log"
+
+// ManagedFile functions like a *os.File but is safe for concurrent use
+type ManagedFile struct {
+	mu     sync.RWMutex
+	file   *os.File
+	closed bool
+}
+
+// Close closes the ManagedFile's *os.File in a concurrent-safe manner, ensuring the file is closed only once
+func (m *ManagedFile) Close() error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.file == nil || m.closed {
+		return nil
+	}
+	err := m.file.Close()
+	if err != nil {
+		return err
+	}
+	m.closed = true
+	return nil
+}
+
+func (m *ManagedFile) Name() string {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	if m.file == nil {
+		return ""
+	}
+	return m.file.Name()
+}
+
 var (
 	mu             sync.RWMutex // guards below fields
 	levelThreshold              = LevelWarn
@@ -77,6 +111,25 @@ func UseLogger(l Logger) (undo func()) {
 	}
 }
 
+// OpenFileAtPath creates a new file at the specified dirPath and configures the logger to write to this file. The dirPath must already exist on the underlying os.
+// It returns the file that was created, or nil and an error if the file creation was unsuccessful.
+// The caller of OpenFileAtPath is responsible for calling Close() on the ManagedFile
+func OpenFileAtPath(dirPath string) (*ManagedFile, error) {
+	path, err := os.Stat(dirPath)
+	if err != nil || !path.IsDir() {
+		return nil, fmt.Errorf("file path %v invalid or does not exist on the underlying os; using default logger to stderr", dirPath)
+	}
+	filepath := dirPath + "/" + LoggerFile
+	f, err := os.OpenFile(filepath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
+	if err != nil {
+		return nil, fmt.Errorf("using default logger to stderr due to error creating or opening log file: %v", err)
+	}
+	UseLogger(&defaultLogger{l: log.New(f, "", log.LstdFlags)})
+	return &ManagedFile{
+		file: f,
+	}, nil
+}
+
 // SetLevel sets the given lvl as log threshold for logging.
 func SetLevel(lvl Level) {
 	mu.Lock()
diff --git a/internal/log/log_test.go b/internal/log/log_test.go
index 61690a0c25..ed2c88f8f1 100644
--- a/internal/log/log_test.go
+++ b/internal/log/log_test.go
@@ -6,7 +6,9 @@
 package log
 
 import (
+	"bytes"
 	"fmt"
+	"os"
 	"strings"
 	"sync"
 	"testing"
@@ -44,6 +46,76 @@ func (tp *testLogger) Reset() {
 	tp.mu.Unlock()
 }
 
+func TestLogDirectory(t *testing.T) {
+	t.Run("invalid", func(t *testing.T) {
+		f, err := OpenFileAtPath("/some/nonexistent/path")
+		assert.Nil(t, f)
+		assert.Error(t, err)
+	})
+	t.Run("valid", func(t *testing.T) {
+		// ensure File is created successfully
+		dir, err := os.MkdirTemp("", "example")
+		if err != nil {
+			t.Fatalf("Failure creating directory %v", err)
+		}
+		f, err := OpenFileAtPath(dir)
+		assert.Nil(t, err)
+		fp := dir + "/" + LoggerFile
+		assert.NotNil(t, f.file)
+		assert.Equal(t, fp, f.file.Name())
+		assert.False(t, f.closed)
+
+		// ensure this setting plays nicely with other log features
+		oldLvl := level
+		SetLevel(LevelDebug)
+		defer func() {
+			SetLevel(oldLvl)
+		}()
+		Info("info!")
+		Warn("warn!")
+		Debug("debug!")
+		// shorten errrate to test Error() behavior in a reasonable amount of time
+		oldRate := errrate
+		errrate = time.Microsecond
+		defer func() {
+			errrate = oldRate
+		}()
+		Error("error!")
+		time.Sleep(1 * time.Second)
+
+		b, err := os.ReadFile(fp)
+		if err != nil {
+			t.Fatalf("Failure reading file: %v", err)
+		}
+		// convert file content to []string{}, split by \n, to easily check its contents
+		lines := bytes.Split(b, []byte{'\n'})
+		var logs []string
+		for _, line := range lines {
+			logs = append(logs, string(line))
+		}
+
+		assert.True(t, containsMessage("INFO", "info!", logs))
+		assert.True(t, containsMessage("WARN", "warn!", logs))
+		assert.True(t, containsMessage("DEBUG", "debug!", logs))
+		assert.True(t, containsMessage("ERROR", "error!", logs))
+
+		f.Close()
+		assert.True(t, f.closed)
+
+		//ensure f.Close() is concurrent-safe and free of deadlocks
+		var wg sync.WaitGroup
+		for i := 0; i < 100; i++ {
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				f.Close()
+			}()
+		}
+		wg.Wait()
+		assert.True(t, f.closed)
+	})
+}
+
 func TestLog(t *testing.T) {
 	defer func(old Logger) { UseLogger(old) }(logger)
 	tp := &testLogger{}
@@ -197,3 +269,12 @@ func hasMsg(lvl, m string, lines []string) bool {
 func msg(lvl, msg string) string {
 	return fmt.Sprintf("%s %s: %s", prefixMsg, lvl, msg)
 }
+
+func containsMessage(lvl, m string, lines []string) bool {
+	for _, line := range lines {
+		if strings.Contains(line, msg(lvl, m)) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/internal/remoteconfig/remoteconfig.go b/internal/remoteconfig/remoteconfig.go
index dd3c06f5eb..5a2a5076d0 100644
--- a/internal/remoteconfig/remoteconfig.go
+++ b/internal/remoteconfig/remoteconfig.go
@@ -70,16 +70,48 @@ const (
 	APMTracingHTTPHeaderTags
 	// APMTracingCustomTags enables APM client to set custom tags on all spans
 	APMTracingCustomTags
-	// ASMRASPSSRF enables ASM support for runtime protection against SSRF attacks
-	ASMRASPSSRF = 23
-)
-
-// Additional capability bit index values that are non-consecutive from above.
-const (
+	// ASMProcessorOverrides adds support for processor overrides through the ASM RC Product
+	ASMProcessorOverrides
+	// ASMCustomDataScanners adds support for custom data scanners through the ASM RC Product
+	ASMCustomDataScanners
+	// ASMExclusionData adds support configurable exclusion filter data from the ASM_DATA Product
+	ASMExclusionData
 	// APMTracingEnabled enables APM tracing
-	APMTracingEnabled Capability = 19
+	APMTracingEnabled
+	// APMTracingDataStreamsEnabled enables Data Streams Monitoring
+	APMTracingDataStreamsEnabled
+	// ASMRASPSQLI enables ASM support for runtime protection against SQL Injection attacks
+	ASMRASPSQLI
+	// ASMRASPLFI enables ASM support for runtime protection against Local File Inclusion attacks
+	ASMRASPLFI
+	// ASMRASPSSRF enables ASM support for runtime protection against SSRF attacks
+	ASMRASPSSRF
+	// ASMRASPSHI enables ASM support for runtime protection against XSS attacks
+	ASMRASPSHI
+	// ASMRASPXXE enables ASM support for runtime protection against XXE attacks
+	ASMRASPXXE
+	// ASMRASPRCE enables ASM support for runtime protection against Remote Code Execution
+	ASMRASPRCE
+	// ASMRASPNOSQLI enables ASM support for runtime protection against NoSQL Injection attacks
+	ASMRASPNOSQLI
+	// ASMRASPXSS enables ASM support for runtime protection against Cross Site Scripting attacks
+	ASMRASPXSS
 	// APMTracingSampleRules represents the sampling rate using matching rules from APM client libraries
-	APMTracingSampleRules = 29
+	APMTracingSampleRules
+	// CSMActivation represents the capability to activate CSM through remote configuration
+	CSMActivation
+	// ASMAutoUserInstrumMode represents the capability to enable the automatic user instrumentation mode
+	ASMAutoUserInstrumMode
+	// ASMEndpointFingerprinting represents the capability to enable endpoint fingerprinting
+	ASMEndpointFingerprinting
+	// ASMSessionFingerprinting represents the capability to enable session fingerprinting
+	ASMSessionFingerprinting
+	// ASMNetworkFingerprinting represents the capability to enable network fingerprinting
+	ASMNetworkFingerprinting
+	// ASMHeaderFingerprinting represents the capability to enable header fingerprinting
+	ASMHeaderFingerprinting
+	// ASMTruncationRules is the support for truncation payload rules
+	ASMTruncationRules
 )
 
 // ErrClientNotStarted is returned when the remote config client is not started.
diff --git a/internal/apps/setup-smoke-test/Dockerfile b/internal/setup-smoke-test/Dockerfile
similarity index 88%
rename from internal/apps/setup-smoke-test/Dockerfile
rename to internal/setup-smoke-test/Dockerfile
index 059adafb84..764c793188 100644
--- a/internal/apps/setup-smoke-test/Dockerfile
+++ b/internal/setup-smoke-test/Dockerfile
@@ -17,7 +17,7 @@
 #      select one by default, but also allows to provide a --build-arg option
 #      too instead of relying on the --target option. This way, the CI matrix
 #      can systematically use --build-arg for all of the parameters.
-ARG go="1.21" # golang docker image parameter in `golang:{go}-{buildenv}`
+ARG go="1.22" # golang docker image parameter in `golang:{go}-{buildenv}`
 ARG build_env="bookworm" # golang docker image parameter in `golang:{go}-{buildenv}`
 ARG build_with_cgo="0" # 0 or 1
 ARG build_with_vendoring="" # y or empty
@@ -30,7 +30,7 @@ FROM golang:$go-$build_env AS build-env
 
 WORKDIR /src
 COPY . .
-WORKDIR /src/internal/apps/setup-smoke-test
+WORKDIR /src/internal/setup-smoke-test
 
 ARG build_with_cgo
 RUN go env -w CGO_ENABLED=$build_with_cgo
@@ -72,7 +72,7 @@ RUN ldd smoke-test || true
 # this image to preperly highlight the fact that the compiled program is running
 # out of the box in it without any further installation.
 FROM debian:11 AS debian11
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
 CMD /usr/local/bin/smoke-test
 
 # debian12 deployment environment
@@ -80,7 +80,7 @@ CMD /usr/local/bin/smoke-test
 # this image to preperly highlight the fact that the compiled program is running
 # out of the box in it without any further installation.
 FROM debian:12 AS debian12
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
 CMD /usr/local/bin/smoke-test
 
 # alpine deployment environment
@@ -92,7 +92,7 @@ ARG build_with_cgo
 RUN set -ex; if [ "$build_with_cgo" = "1" ]; then \
       apk update && apk add libc6-compat; \
     fi
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
 CMD /usr/local/bin/smoke-test
 
 # amazonlinux:2 deployment environment
@@ -100,7 +100,7 @@ CMD /usr/local/bin/smoke-test
 # this image to preperly highlight the fact that the compiled program is running
 # out of the box in it without any further installation.
 FROM amazonlinux:2 AS al2
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
 CMD /usr/local/bin/smoke-test
 
 # amazonlinux:2023 deployment environment
@@ -108,7 +108,7 @@ CMD /usr/local/bin/smoke-test
 # this image to preperly highlight the fact that the compiled program is running
 # out of the box in it without any further installation.
 FROM amazonlinux:2023 AS al2023
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
 CMD /usr/local/bin/smoke-test
 
 # busybox deployment environment
@@ -117,7 +117,7 @@ CMD /usr/local/bin/smoke-test
 # out of the box in it without any further installation.
 FROM busybox AS busybox
 RUN mkdir -p /usr/local/bin
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /usr/local/bin
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /usr/local/bin
 CMD /usr/local/bin/smoke-test
 
 # scratch deployment environment - meant to be used with CGO_ENABLED=0
@@ -125,7 +125,7 @@ CMD /usr/local/bin/smoke-test
 # this image to preperly highlight the fact that the compiled program is running
 # out of the box in it without any further installation.
 FROM scratch AS scratch
-COPY --from=build-env /src/internal/apps/setup-smoke-test/smoke-test /
+COPY --from=build-env /src/internal/setup-smoke-test/smoke-test /
 ENTRYPOINT [ "/smoke-test" ]
 
 # Final deployment environment - helper target to end up a single one
diff --git a/internal/setup-smoke-test/go.mod b/internal/setup-smoke-test/go.mod
new file mode 100644
index 0000000000..81da442cc8
--- /dev/null
+++ b/internal/setup-smoke-test/go.mod
@@ -0,0 +1,40 @@
+module github.com/DataDog/dd-trace-go/internal/setup-smoke-test
+
+go 1.22.0
+
+require (
+	github.com/DataDog/appsec-internal-go v1.7.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1 // indirect
+	github.com/DataDog/datadog-go/v5 v5.3.0 // indirect
+	github.com/DataDog/go-libddwaf/v3 v3.3.0 // indirect
+	github.com/DataDog/go-tuf v1.0.2-0.5.2 // indirect
+	github.com/DataDog/gostackparse v0.7.0 // indirect
+	github.com/DataDog/sketches-go v1.4.5 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 // indirect
+	github.com/ebitengine/purego v0.6.0-alpha.5 // indirect
+	github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b // indirect
+	github.com/google/uuid v1.5.0 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/outcaste-io/ristretto v0.2.3 // indirect
+	github.com/philhofer/fwd v1.1.2 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect
+	github.com/spaolacci/murmur3 v1.1.0 // indirect
+	github.com/tinylib/msgp v1.1.8 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+)
diff --git a/internal/setup-smoke-test/go.sum b/internal/setup-smoke-test/go.sum
new file mode 100644
index 0000000000..b19c19b177
--- /dev/null
+++ b/internal/setup-smoke-test/go.sum
@@ -0,0 +1,203 @@
+github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
+github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 h1:bUMSNsw1iofWiju9yc1f+kBd33E3hMJtq9GuU602Iy8=
+github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1 h1:5nE6N3JSs2IG3xzMthNFhXfOaXlrsdgqmJ73lndFf8c=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1/go.mod h1:Vc+snp0Bey4MrrJyiV2tVxxJb6BmLomPvN1RgAvjGaQ=
+github.com/DataDog/datadog-go/v5 v5.3.0 h1:2q2qjFOb3RwAZNU+ez27ZVDwErJv5/VpbBPprz7Z+s8=
+github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q=
+github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
+github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
+github.com/DataDog/go-tuf v1.0.2-0.5.2 h1:EeZr937eKAWPxJ26IykAdWA4A0jQXJgkhUjqEI/w7+I=
+github.com/DataDog/go-tuf v1.0.2-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0=
+github.com/DataDog/gostackparse v0.7.0 h1:i7dLkXHvYzHV308hnkvVGDL3BR4FWl7IsXNPz/IGQh4=
+github.com/DataDog/gostackparse v0.7.0/go.mod h1:lTfqcJKqS9KnXQGnyQMCugq3u1FP6UZMfWR0aitKFMM=
+github.com/DataDog/sketches-go v1.4.5 h1:ki7VfeNz7IcNafq7yI/j5U/YCkO3LJiMDtXz9OMQbyE=
+github.com/DataDog/sketches-go v1.4.5/go.mod h1:7Y8GN8Jf66DLyDhc94zuWA3uHEt/7ttt8jHOBWWrSOg=
+github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA=
+github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
+github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 h1:8EXxF+tCLqaVk8AOC29zl2mnhQjwyLxxOTuhUazWRsg=
+github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4/go.mod h1:I5sHm0Y0T1u5YjlyqC5GVArM7aNZRUYtTjmJ8mPJFds=
+github.com/ebitengine/purego v0.6.0-alpha.5 h1:EYID3JOAdmQ4SNZYJHu9V6IqOeRQDBYxqKAg9PyoHFY=
+github.com/ebitengine/purego v0.6.0-alpha.5/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
+github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b h1:h9U78+dx9a4BKdQkBBos92HalKpaGKHrp+3Uo6yTodo=
+github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
+github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
+github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
+github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
+github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
+github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
+github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
+github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0=
+github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
+github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
+github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY=
+github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3/go.mod h1:vl5+MqJ1nBINuSsUI2mGgH79UweUT/B5Fy8857PqyyI=
+github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
+github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
+github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
+github.com/secure-systems-lab/go-securesystemslib v0.7.0 h1:OwvJ5jQf9LnIAS83waAjPbcMsODrTQUpJ02eNLUoxBg=
+github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xeGtfIqFy7Do03K4cdCY0A/GlJLDKLHI=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=
+github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tinylib/msgp v1.1.8 h1:FCXC1xanKO4I8plpHGH2P7koL/RzZs12l/+r7vakfm0=
+github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
+golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
+google.golang.org/grpc v1.57.1 h1:upNTNqv0ES+2ZOOqACwVtS3Il8M12/+Hz41RCPzAjQg=
+google.golang.org/grpc v1.57.1/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+gopkg.in/DataDog/dd-trace-go.v1 v1.67.1 h1:frgcpZ18wmpj+/TwyDJM8057M65aOdgaxLiZ8pb1PFU=
+gopkg.in/DataDog/dd-trace-go.v1 v1.67.1/go.mod h1:6DdiJPKOeJfZyd/IUGCAd5elY8qPGkztK6wbYYsMjag=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+modernc.org/libc v1.37.6 h1:orZH3c5wmhIQFTXF+Nt+eeauyd+ZIt2BX6ARe+kD+aw=
+modernc.org/libc v1.37.6/go.mod h1:YAXkAZ8ktnkCKaN9sw/UDeUVkGYJ/YquGO4FTi5nmHE=
+modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
+modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
+modernc.org/memory v1.7.2 h1:Klh90S215mmH8c9gO98QxQFsY+W451E8AnzjoE2ee1E=
+modernc.org/memory v1.7.2/go.mod h1:NO4NVCQy0N7ln+T9ngWqOQfi7ley4vpwvARR+Hjw95E=
+modernc.org/sqlite v1.28.0 h1:Zx+LyDDmXczNnEQdvPuEfcFVA2ZPyaD7UCZDjef3BHQ=
+modernc.org/sqlite v1.28.0/go.mod h1:Qxpazz0zH8Z1xCFyi5GSL3FzbtZ3fvbjmywNogldEW0=
diff --git a/internal/apps/setup-smoke-test/main.go b/internal/setup-smoke-test/main.go
similarity index 100%
rename from internal/apps/setup-smoke-test/main.go
rename to internal/setup-smoke-test/main.go
diff --git a/internal/stacktrace/event.go b/internal/stacktrace/event.go
index f2800b3886..421f152ecb 100644
--- a/internal/stacktrace/event.go
+++ b/internal/stacktrace/event.go
@@ -27,6 +27,8 @@ const (
 	ExploitEvent EventCategory = "exploit"
 )
 
+const SpanKey = "_dd.stack"
+
 // Event is the toplevel structure to contain a stacktrace and the additional information needed to correlate it with other data
 type Event struct {
 	// Category is a well-known type of the event, not optional
@@ -82,25 +84,32 @@ func WithID(id string) Options {
 	}
 }
 
-// AddToSpan adds the event to the given span's root span as a tag if stacktrace collection is enabled
-func AddToSpan(span, root trace.TagSetter, events ...*Event) {
+// GetSpanValue returns the value to be set as a tag on a span for the given stacktrace events
+func GetSpanValue(events ...*Event) any {
 	if !Enabled() {
-		return
+		return nil
 	}
 
-	// TODO(eliott.bouhana): switch to a map[EventCategory][]*Event type when the tinylib/msgp@1.1.10 is out
-	groupByCategory := make(map[string]any, 3)
-
+	groupByCategory := make(map[string][]*Event, 3)
 	for _, event := range events {
 		if _, ok := groupByCategory[string(event.Category)]; !ok {
 			groupByCategory[string(event.Category)] = []*Event{event}
 			continue
 		}
+		groupByCategory[string(event.Category)] = append(groupByCategory[string(event.Category)], event)
+	}
 
-		groupByCategory[string(event.Category)] = append(groupByCategory[string(event.Category)].([]*Event), event)
+	return internal.MetaStructValue{Value: groupByCategory}
+}
+
+// AddToSpan adds the event to the given span's root span as a tag if stacktrace collection is enabled
+func AddToSpan(span ddtrace.Span, events ...*Event) {
+	value := GetSpanValue(events...)
+	type rooter interface {
+		Root() ddtrace.Span
 	}
-	if root != nil {
-		span = root
+	if lrs, ok := span.(rooter); ok {
+		span = lrs.Root()
 	}
-	span.SetTag("_dd.stack", internal.MetaStructValue{Value: groupByCategory})
+	span.SetTag(SpanKey, value)
 }
diff --git a/internal/stacktrace/event_test.go b/internal/stacktrace/event_test.go
index 7eaef6d445..71bb9be7d9 100644
--- a/internal/stacktrace/event_test.go
+++ b/internal/stacktrace/event_test.go
@@ -26,40 +26,29 @@ func TestNewEvent(t *testing.T) {
 }
 
 func TestEventToSpan(t *testing.T) {
-	mt := mocktracer.Start()
-	defer mt.Stop()
+	event1 := NewEvent(ExceptionEvent, WithMessage("message1"))
+	event2 := NewEvent(ExploitEvent, WithMessage("message2"))
+	spanValue := GetSpanValue(event1, event2)
 
-	span := ddtracer.StartSpan("op")
-	event := NewEvent(ExceptionEvent, WithMessage("message"))
-	AddToSpan(span, span.Root(), event)
-	span.Finish()
+	eventsMap := spanValue.(internal.MetaStructValue).Value.(map[string][]*Event)
+	require.Len(t, eventsMap, 2)
 
-	spans := mt.FinishedSpans()
-	require.Len(t, spans, 1)
-	require.Equal(t, "op", spans[0].OperationName())
+	eventsCat := eventsMap[string(ExceptionEvent)]
+	require.Len(t, eventsCat, 1)
 
-	eventsMap := spans[0].Tag("_dd.stack").(map[string]any)
-	require.Len(t, eventsMap, 1)
+	require.Equal(t, *event1, *eventsCat[0])
 
-	eventsCat := eventsMap[string(ExceptionEvent)].([]*Event)
+	eventsCat = eventsMap[string(ExploitEvent)]
 	require.Len(t, eventsCat, 1)
 
-	require.Equal(t, *event, *eventsCat[0])
+	require.Equal(t, *event2, *eventsCat[0])
 }
 
 func TestMsgPackSerialization(t *testing.T) {
-	mt := mocktracer.Start()
-	defer mt.Stop()
-
-	span := ddtracer.StartSpan("op")
 	event := NewEvent(ExceptionEvent, WithMessage("message"), WithType("type"), WithID("id"))
-	AddToSpan(span, span.Root(), event)
-	span.Finish()
-
-	spans := mt.FinishedSpans()
-	require.Len(t, spans, 1)
+	spanValue := GetSpanValue(event)
 
-	eventsMap := spans[0].Tag("_dd.stack").(map[string]any)
+	eventsMap := spanValue.(internal.MetaStructValue).Value
 
 	_, err := msgp.AppendIntf(nil, eventsMap)
 	require.NoError(t, err)
diff --git a/internal/stacktrace/stacktrace.go b/internal/stacktrace/stacktrace.go
index dd983876d1..72b5a97abc 100644
--- a/internal/stacktrace/stacktrace.go
+++ b/internal/stacktrace/stacktrace.go
@@ -33,6 +33,7 @@ var (
 		"github.com/DataDog/datadog-agent",
 		"github.com/DataDog/appsec-internal-go",
 		"github.com/datadog/orchestrion",
+		"github.com/DataDog/orchestrion",
 	}
 )
 
diff --git a/internal/telemetry/telemetry_test.go b/internal/telemetry/telemetry_test.go
index cad9cd43ea..87d40ff02a 100644
--- a/internal/telemetry/telemetry_test.go
+++ b/internal/telemetry/telemetry_test.go
@@ -112,6 +112,7 @@ func TestProductChange(t *testing.T) {
 				GlobalClient.ProductChange(NamespaceProfilers, true, []Configuration{{Name: "key", Value: "value"}})
 			},
 		},
+		/* This case is flaky (see #2688)
 		{
 			name:           "profiler start, tracer start",
 			wantedMessages: []RequestType{RequestTypeAppStarted, RequestTypeDependenciesLoaded, RequestTypeAppClientConfigurationChange},
@@ -120,6 +121,7 @@ func TestProductChange(t *testing.T) {
 				GlobalClient.ProductChange(NamespaceTracers, true, []Configuration{{Name: "key", Value: "value"}})
 			},
 		},
+		*/
 	}
 
 	for _, test := range tests {
diff --git a/profiler/metrics.go b/profiler/metrics.go
index 2c60bff410..ec68c38592 100644
--- a/profiler/metrics.go
+++ b/profiler/metrics.go
@@ -61,12 +61,18 @@ func (m *metrics) reset(now time.Time) {
 
 func (m *metrics) report(now time.Time, buf *bytes.Buffer) error {
 	period := now.Sub(m.collectedAt)
-
-	if period < time.Second {
-		// Profiler could be mis-configured to report more frequently than every second
-		// or a system clock issue causes time to run backwards.
-		// We can't emit valid metrics in either case.
-		return collectionTooFrequent{min: time.Second, observed: period}
+	if period <= 0 {
+		// It is technically possible, though very unlikely, for period
+		// to be 0 if the monotonic clock did not advance at all or if
+		// we somehow collected two metrics profiles closer together
+		// than the clock can measure. If the period is negative, this
+		// might be a Go runtime bug, since time.Time.Sub is supposed to
+		// work with monotonic time. Either way, bail out since
+		// something is probably going wrong
+		return fmt.Errorf(
+			"unexpected duration %v between metrics collections, first at %v, second at %v",
+			period, m.collectedAt, now,
+		)
 	}
 
 	previousStats := m.snapshot
@@ -74,34 +80,31 @@ func (m *metrics) report(now time.Time, buf *bytes.Buffer) error {
 
 	points := m.compute(&previousStats, &m.snapshot, period, now)
 	data, err := json.Marshal(removeInvalid(points))
-
 	if err != nil {
-		// NB the minimum period check and removeInvalid ensures we don't hit this case
-		return err
-	}
-
-	if _, err := buf.Write(data); err != nil {
+		// NB removeInvalid ensures we don't hit this case by dropping inf/NaN
 		return err
 	}
 
-	return nil
+	_, err = buf.Write(data)
+	return err
 }
 
 func computeMetrics(prev *metricsSnapshot, curr *metricsSnapshot, period time.Duration, now time.Time) []point {
+	periodSeconds := float64(period) / float64(time.Second)
 	return []point{
-		{metric: "go_alloc_bytes_per_sec", value: rate(curr.TotalAlloc, prev.TotalAlloc, period/time.Second)},
-		{metric: "go_allocs_per_sec", value: rate(curr.Mallocs, prev.Mallocs, period/time.Second)},
-		{metric: "go_frees_per_sec", value: rate(curr.Frees, prev.Frees, period/time.Second)},
-		{metric: "go_heap_growth_bytes_per_sec", value: rate(curr.HeapAlloc, prev.HeapAlloc, period/time.Second)},
-		{metric: "go_gcs_per_sec", value: rate(uint64(curr.NumGC), uint64(prev.NumGC), period/time.Second)},
-		{metric: "go_gc_pause_time", value: rate(curr.PauseTotalNs, prev.PauseTotalNs, period)}, // % of time spent paused
+		{metric: "go_alloc_bytes_per_sec", value: rate(curr.TotalAlloc, prev.TotalAlloc, periodSeconds)},
+		{metric: "go_allocs_per_sec", value: rate(curr.Mallocs, prev.Mallocs, periodSeconds)},
+		{metric: "go_frees_per_sec", value: rate(curr.Frees, prev.Frees, periodSeconds)},
+		{metric: "go_heap_growth_bytes_per_sec", value: rate(curr.HeapAlloc, prev.HeapAlloc, periodSeconds)},
+		{metric: "go_gcs_per_sec", value: rate(uint64(curr.NumGC), uint64(prev.NumGC), periodSeconds)},
+		{metric: "go_gc_pause_time", value: rate(curr.PauseTotalNs, prev.PauseTotalNs, float64(period))}, // % of time spent paused
 		{metric: "go_max_gc_pause_time", value: float64(maxPauseNs(&curr.MemStats, now.Add(-period)))},
 		{metric: "go_num_goroutine", value: float64(curr.NumGoroutine)},
 	}
 }
 
-func rate(curr, prev uint64, period time.Duration) float64 {
-	return float64(int64(curr)-int64(prev)) / float64(period)
+func rate(curr, prev uint64, period float64) float64 {
+	return float64(int64(curr)-int64(prev)) / period
 }
 
 // maxPauseNs returns maximum pause time within the recent period, assumes stats populated at period end
diff --git a/profiler/metrics_test.go b/profiler/metrics_test.go
index 2c7e4cbe92..37d1d29d6c 100644
--- a/profiler/metrics_test.go
+++ b/profiler/metrics_test.go
@@ -143,22 +143,3 @@ func TestMetricsReport(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "[[\"metric_name\",1.1]]", buf.String())
 }
-
-func TestMetricsCollectFrequency(t *testing.T) {
-	now := now()
-	var err error
-	var buf bytes.Buffer
-	m := newTestMetrics(now)
-
-	err = m.report(now.Add(-time.Second), &buf)
-	assert.Error(t, err, "collection call times must be monotonically increasing")
-	assert.Empty(t, buf)
-
-	err = m.report(now.Add(time.Second-1), &buf)
-	assert.Error(t, err, "must be at least one second between collection calls")
-	assert.Empty(t, buf)
-
-	err = m.report(now.Add(time.Second), &buf)
-	assert.NoError(t, err, "one second between calls should work")
-	assert.NotEmpty(t, buf)
-}
diff --git a/profiler/profile.go b/profiler/profile.go
index 336b96b14b..269c094d6e 100644
--- a/profiler/profile.go
+++ b/profiler/profile.go
@@ -177,8 +177,11 @@ var profileTypes = map[ProfileType]profileType{
 		Filename: "metrics.json",
 		Collect: func(p *profiler) ([]byte, error) {
 			var buf bytes.Buffer
-			p.interruptibleSleep(p.cfg.period)
+			interrupted := p.interruptibleSleep(p.cfg.period)
 			err := p.met.report(now(), &buf)
+			if err != nil && interrupted {
+				err = errProfilerStopped
+			}
 			return buf.Bytes(), err
 		},
 	},
diff --git a/profiler/profiler.go b/profiler/profiler.go
index fba7a5e61b..505d53fdcd 100644
--- a/profiler/profiler.go
+++ b/profiler/profiler.go
@@ -36,6 +36,10 @@ var (
 	activeProfiler *profiler
 	containerID    = internal.ContainerID() // replaced in tests
 	entityID       = internal.EntityID()    // replaced in tests
+
+	// errProfilerStopped is a sentinel for suppressng errors if we are
+	// about to stop the profiler
+	errProfilerStopped = errors.New("profiler stopped")
 )
 
 // Start starts the profiler. If the profiler is already running, it will be
@@ -342,9 +346,12 @@ func (p *profiler) collect(ticker <-chan time.Time) {
 				}
 				profs, err := p.runProfile(t)
 				if err != nil {
-					log.Error("Error getting %s profile: %v; skipping.", t, err)
-					tags := append(p.cfg.tags.Slice(), t.Tag())
-					p.cfg.statsd.Count("datadog.profiling.go.collect_error", 1, tags, 1)
+					if err != errProfilerStopped {
+						log.Error("Error getting %s profile: %v; skipping.", t, err)
+						tags := append(p.cfg.tags.Slice(), t.Tag())
+						p.cfg.statsd.Count("datadog.profiling.go.collect_error", 1, tags, 1)
+					}
+					return
 				}
 				mu.Lock()
 				defer mu.Unlock()
@@ -479,10 +486,13 @@ func (p *profiler) outputDir(bat batch) error {
 
 // interruptibleSleep sleeps for the given duration or until interrupted by the
 // p.exit channel being closed.
-func (p *profiler) interruptibleSleep(d time.Duration) {
+// Returns whether the sleep was interrupted
+func (p *profiler) interruptibleSleep(d time.Duration) bool {
 	select {
 	case <-p.exit:
+		return true
 	case <-time.After(d):
+		return false
 	}
 }
 
diff --git a/profiler/profiler_test.go b/profiler/profiler_test.go
index 23b6b88eca..d3c9720eda 100644
--- a/profiler/profiler_test.go
+++ b/profiler/profiler_test.go
@@ -392,6 +392,7 @@ func TestAllUploaded(t *testing.T) {
 			"delta-mutex.pprof",
 			"goroutines.pprof",
 			"goroutineswait.pprof",
+			"metrics.json",
 		}
 		if executionTraceEnabledDefault {
 			expected = append(expected, "go.trace")
@@ -763,3 +764,58 @@ func TestUDSDefault(t *testing.T) {
 
 	<-profiles
 }
+
+func TestOrchestrionProfileInfo(t *testing.T) {
+	testCases := []struct {
+		env  string
+		want string
+	}{
+		{want: "manual"},
+		{env: "1", want: "manual"},
+		{env: "true", want: "manual"},
+		{env: "auto", want: "auto"},
+	}
+	for _, tc := range testCases {
+		t.Run(fmt.Sprintf("env=\"%s\"", tc.env), func(t *testing.T) {
+			t.Setenv("DD_PROFILING_ENABLED", tc.env)
+			p := doOneShortProfileUpload(t)
+			info := p.event.Info.Profiler
+			t.Logf("%+v", info)
+			if got := info.Activation; got != tc.want {
+				t.Errorf("wanted profiler activation \"%s\", got %s", tc.want, got)
+			}
+			want := "none"
+			if orchestrion.Enabled() {
+				want = "orchestrion"
+			}
+			if got := info.SSI.Mechanism; got != want {
+				t.Errorf("wanted profiler injected = %v, got %v", want, got)
+			}
+		})
+	}
+}
+
+func TestShortMetricsProfile(t *testing.T) {
+	profiles := startTestProfiler(t, 1, WithPeriod(10*time.Millisecond), WithProfileTypes(MetricsProfile))
+	for range 3 {
+		p := <-profiles
+		if _, ok := p.attachments["metrics.json"]; !ok {
+			t.Errorf("didn't get metrics profile, got %v", p.event.Attachments)
+		}
+	}
+}
+
+func TestMetricsProfileStopEarlyNoLog(t *testing.T) {
+	rl := new(log.RecordLogger)
+	defer log.UseLogger(rl)()
+	startTestProfiler(t, 1, WithPeriod(2*time.Second), WithProfileTypes(MetricsProfile))
+	// Stop the profiler immediately
+	Stop()
+	log.Flush()
+	for _, msg := range rl.Logs() {
+		// We should not see any error about stopping the metrics profile short
+		if strings.Contains(msg, "ERROR:") {
+			t.Errorf("unexpected error log: %s", msg)
+		}
+	}
+}
diff --git a/tools/v2check/go.mod b/tools/v2check/go.mod
index 78a17b1417..f6917f63e0 100644
--- a/tools/v2check/go.mod
+++ b/tools/v2check/go.mod
@@ -1,36 +1,43 @@
 module github.com/DataDog/dd-trace-go/v2/tools/v2check
 
-go 1.21
+go 1.22.0
+
+toolchain go1.23.1
 
 require (
 	github.com/DataDog/dd-trace-go/v2 v2.0.0-20240909105439-c452671ebc14
-	golang.org/x/tools v0.20.0
-	gopkg.in/DataDog/dd-trace-go.v1 v1.67.0
+	golang.org/x/tools v0.22.0
 )
 
 require (
-	github.com/DataDog/appsec-internal-go v1.7.0 // indirect
+	github.com/DataDog/appsec-internal-go v1.8.0 // indirect
 	github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 // indirect
-	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 // indirect
+	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 // indirect
 	github.com/DataDog/datadog-go/v5 v5.5.0 // indirect
-	github.com/DataDog/go-libddwaf/v3 v3.3.0 // indirect
+	github.com/DataDog/go-libddwaf/v3 v3.4.0 // indirect
 	github.com/DataDog/go-sqllexer v0.0.11 // indirect
 	github.com/DataDog/go-tuf v1.1.0-0.5.2 // indirect
 	github.com/DataDog/sketches-go v1.4.5 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 // indirect
 	github.com/ebitengine/purego v0.7.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/outcaste-io/ristretto v0.2.3 // indirect
-	github.com/philhofer/fwd v1.1.2 // indirect
+	github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
-	github.com/tinylib/msgp v1.1.9 // indirect
+	github.com/tinylib/msgp v1.2.1 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/mod v0.18.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/sys v0.23.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
diff --git a/tools/v2check/go.sum b/tools/v2check/go.sum
index e1d629a336..9194914cd4 100644
--- a/tools/v2check/go.sum
+++ b/tools/v2check/go.sum
@@ -1,13 +1,13 @@
-github.com/DataDog/appsec-internal-go v1.7.0 h1:iKRNLih83dJeVya3IoUfK+6HLD/hQsIbyBlfvLmAeb0=
-github.com/DataDog/appsec-internal-go v1.7.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
+github.com/DataDog/appsec-internal-go v1.8.0 h1:1Tfn3LEogntRqZtf88twSApOCAAO3V+NILYhuQIo4J4=
+github.com/DataDog/appsec-internal-go v1.8.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1 h1:/oxF4p/4XUGNpNw2TE7vDu/pJV3elEAZ+jES0/MWtiI=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.1/go.mod h1:AVPQWekk3h9AOC7+plBlNB68Sy6UIGFoMMVUDeSoNoI=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1 h1:mmkGuCHBFuDBpuwNMcqtY1x1I2fCaPH2Br4xPAAjbkM=
-github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.52.1/go.mod h1:JhAilx32dkIgoDkFXquCTfaWDsAOfe+vfBaxbiZoPI0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0 h1:LplNAmMgZvGU7kKA0+4c1xWOjz828xweW5TCi8Mw9Q0=
+github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.57.0/go.mod h1:4Vo3SJ24uzfKHUHLoFa8t8o+LH+7TCQ7sPcZDtOpSP4=
 github.com/DataDog/datadog-go/v5 v5.5.0 h1:G5KHeB8pWBNXT4Jtw0zAkhdxEAWSpWH00geHI6LDrKU=
 github.com/DataDog/datadog-go/v5 v5.5.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
-github.com/DataDog/go-libddwaf/v3 v3.3.0 h1:jS72fuQpFgJZEdEJDmHJCPAgNTEMZoz1EUvimPUOiJ4=
-github.com/DataDog/go-libddwaf/v3 v3.3.0/go.mod h1:Bz/0JkpGf689mzbUjKJeheJINqsyyhM8p9PDuHdK2Ec=
+github.com/DataDog/go-libddwaf/v3 v3.4.0 h1:NJ2W2vhYaOm1OWr1LJCbdgp7ezG/XLJcQKBmjFwhSuM=
+github.com/DataDog/go-libddwaf/v3 v3.4.0/go.mod h1:n98d9nZ1gzenRSk53wz8l6d34ikxS+hs62A31Fqmyi4=
 github.com/DataDog/go-sqllexer v0.0.11 h1:OfPBjmayreblOXreszbrOTICNZ3qWrA6Bg4sypvxpbw=
 github.com/DataDog/go-sqllexer v0.0.11/go.mod h1:KwkYhpFEVIq+BfobkTC1vfqm4gTi65skV/DpDBXtexc=
 github.com/DataDog/go-tuf v1.1.0-0.5.2 h1:4CagiIekonLSfL8GMHRHcHudo1fQnxELS9g4tiAupQ4=
@@ -19,6 +19,8 @@ github.com/DataDog/sketches-go v1.4.5/go.mod h1:7Y8GN8Jf66DLyDhc94zuWA3uHEt/7ttt
 github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -31,11 +33,11 @@ github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUn
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc=
 github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 h1:8EXxF+tCLqaVk8AOC29zl2mnhQjwyLxxOTuhUazWRsg=
 github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4/go.mod h1:I5sHm0Y0T1u5YjlyqC5GVArM7aNZRUYtTjmJ8mPJFds=
 github.com/ebitengine/purego v0.7.1 h1:6/55d26lG3o9VCZX8lping+bZcmShseiqlh2bnUDiPA=
 github.com/ebitengine/purego v0.7.1/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -45,8 +47,11 @@ github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b h1:h9U78+dx9a4BKdQkBB
 github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
 github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
@@ -55,23 +60,28 @@ github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
-github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0=
 github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
-github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
-github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 h1:jYi87L8j62qkXzaYHAQAhEapgukhenIMZRBKTNRLHJ4=
+github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY=
 github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3/go.mod h1:vl5+MqJ1nBINuSsUI2mGgH79UweUT/B5Fy8857PqyyI=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
@@ -92,8 +102,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tinylib/msgp v1.1.9 h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=
-github.com/tinylib/msgp v1.1.9/go.mod h1:BCXGB54lDD8qUEPmiG0cQQUANC4IUQyB2ItS2UDlO/k=
+github.com/tinylib/msgp v1.2.1 h1:6ypy2qcCznxpP4hpORzhtXyTqrBs7cfM9MCCWY8zsmU=
+github.com/tinylib/msgp v1.2.1/go.mod h1:2vIGs3lcUo8izAATNobrCHevYZC/LMsJtw4JPiYPHro=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -102,20 +112,21 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -124,8 +135,8 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -134,17 +145,17 @@ golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY=
-golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
+google.golang.org/grpc v1.57.1 h1:upNTNqv0ES+2ZOOqACwVtS3Il8M12/+Hz41RCPzAjQg=
+google.golang.org/grpc v1.57.1/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-gopkg.in/DataDog/dd-trace-go.v1 v1.67.0 h1:3Cb46zyKIlEWac21tvDF2O4KyMlOHQxrQkyiaUpdwM0=
-gopkg.in/DataDog/dd-trace-go.v1 v1.67.0/go.mod h1:6DdiJPKOeJfZyd/IUGCAd5elY8qPGkztK6wbYYsMjag=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/tools/v2check/v2check/known_change.go b/tools/v2check/v2check/known_change.go
index c9e6d3f55e..0b9dd793f2 100644
--- a/tools/v2check/v2check/known_change.go
+++ b/tools/v2check/v2check/known_change.go
@@ -13,9 +13,9 @@ import (
 	"go/types"
 	"strings"
 
+	"github.com/DataDog/dd-trace-go/v2/ddtrace"
 	"github.com/DataDog/dd-trace-go/v2/ddtrace/tracer"
 	"golang.org/x/tools/go/analysis"
-	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace"
 )
 
 // KnownChange models code expressions that must be changed to migrate to v2.
@@ -115,7 +115,7 @@ func (c V1ImportURL) Fixes() []analysis.SuggestedFix {
 	if path == "" {
 		return nil
 	}
-	path = strings.Replace(path, "gopkg.in/DataDog/dd-trace-go.v1", "github.com/DataDog/dd-trace-go/v2", 1)
+	path = strings.Replace(path, "github.com/DataDog/dd-trace-go/v2", "github.com/DataDog/dd-trace-go/v2", 1)
 	return []analysis.SuggestedFix{
 		{
 			Message: "update import URL to v2",
@@ -133,7 +133,7 @@ func (c V1ImportURL) Fixes() []analysis.SuggestedFix {
 func (V1ImportURL) Probes() []Probe {
 	return []Probe{
 		IsImport,
-		HasPackagePrefix("gopkg.in/DataDog/dd-trace-go.v1/"),
+		HasPackagePrefix("github.com/DataDog/dd-trace-go/v2/"),
 	}
 }
 
@@ -173,7 +173,7 @@ func (DDTraceTypes) Probes() []Probe {
 			Is[*ast.ValueSpec],
 			Is[*ast.Field],
 		),
-		ImportedFrom("gopkg.in/DataDog/dd-trace-go.v1"),
+		ImportedFrom("github.com/DataDog/dd-trace-go/v2"),
 		Not(DeclaresType[ddtrace.SpanContext]()),
 	}
 }
diff --git a/tools/v2check/v2check/v2check_test.go b/tools/v2check/v2check/v2check_test.go
index 31df482fbf..5445fa1e74 100644
--- a/tools/v2check/v2check/v2check_test.go
+++ b/tools/v2check/v2check/v2check_test.go
@@ -41,7 +41,7 @@ func (c V1Usage) Fixes() []analysis.SuggestedFix {
 func (c V1Usage) Probes() []v2check.Probe {
 	return []v2check.Probe{
 		v2check.IsFuncCall,
-		v2check.HasPackagePrefix("gopkg.in/DataDog/dd-trace-go.v1/"),
+		v2check.HasPackagePrefix("github.com/DataDog/dd-trace-go/v2/"),
 	}
 }