@quaint-candle-18606 Yes, an implicit deny is true for any specific workload for which we have explicitly defined an allow list. But imagine any unintentional workload that might straightway get introduced into production in the usual discover mode. I wonder if new services mode being "protect" would be the way to achieve the same blocking mode functionality that a default deny all K8s netpol provides.