I've been reading the help and looking at the existing rules, and it is still unclear. Are these policy enforcements for how we build tests? A lot of the existing rules are web based, so my impression it looks at the web page that is served and scans that. But I also saw some web services rules and XML rules, which may mean that it scans traffic with the rules. However, there are no examples that I can run to show me what it does. I tried to build an example where it auto generated a rule based on some literal XML I gave it, but it doesn't appear to do anything.