diff --git a/packages/dd-trace/src/appsec/api_security_sampler.js b/packages/dd-trace/src/appsec/api_security_sampler.js
index d6b190d554..f2bfb7a699 100644
--- a/packages/dd-trace/src/appsec/api_security_sampler.js
+++ b/packages/dd-trace/src/appsec/api_security_sampler.js
@@ -36,6 +36,7 @@ function sampleRequest (req, res) {
   return shouldSample
 }
 
+// rfc mentions using a hash
 function getKey (req = {}, res = {}) {
   return `${req.method}-${req.url}-${res.statusCode}`
 }
diff --git a/packages/dd-trace/src/appsec/index.js b/packages/dd-trace/src/appsec/index.js
index e779553f13..effebbad2a 100644
--- a/packages/dd-trace/src/appsec/index.js
+++ b/packages/dd-trace/src/appsec/index.js
@@ -134,6 +134,9 @@ function incomingHttpEndTranslator ({ req, res }) {
 
   if (apiSecuritySampler.sampleRequest(req, res)) {
     persistent[addresses.WAF_CONTEXT_PROCESSOR] = EXTRACT_SCHEMA
+
+    const rootSpan = web.root(req)
+    rootSpan?.setTag(MANUAL_KEEP, 'true')
   }
 
   waf.run({ persistent }, req)
@@ -198,7 +201,6 @@ function onRequestCookieParser ({ req, res, abortController, cookies }) {
   handleResults(results, req, res, rootSpan, abortController)
 }
 
-// can we assume res.statusCode is fixed here?
 function onResponseBody ({ req, res, body }) {
   if (!body || typeof body !== 'object') return
 
diff --git a/packages/dd-trace/test/appsec/index.spec.js b/packages/dd-trace/test/appsec/index.spec.js
index 0c8448d0d0..5309246ed6 100644
--- a/packages/dd-trace/test/appsec/index.spec.js
+++ b/packages/dd-trace/test/appsec/index.spec.js
@@ -280,7 +280,8 @@ describe('AppSec Index', () => {
       sinon.stub(waf, 'run')
 
       const rootSpan = {
-        addTags: sinon.stub()
+        addTags: sinon.stub(),
+        setTag: sinon.stub()
       }
 
       web.root.returns(rootSpan)