Security policy analysis is disclosed. Configuration information, including at least one policy, associated with a live production security appliance, is received. The received configuration information is used to instantiate the policy in a sandbox environment. The sandbox environment is used to evaluate a proposed change to the configuration information, including by building a model using the received configuration information.