Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Integrations 18
Learn
Free Tools 37 Free Certifications State of DDoS 2026 REPORT DDoS Protection Landscape Buyer's Guide PDF Hackathon Sponsorships DDoS Protection Facts
Company
About Us Become a Consultant 30% Partners White Label Managed Protection Contact Us System Status
Open Source
ftagent-lite MIT NetHawk MIT
Legal
Security Trust Center Terms & Privacy
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →
Live Detection & Mitigation

Detect. Mitigate.
Stay online.

Flowtriq detects attacks in under a second, tells you exactly what they are, and stops them automatically. Cloud scrubbing, BGP mitigation, Layer 7 detection, PCAP forensics, automated runbooks, multi-channel alerts. Everything from the first packet to the post-incident report, handled.

14-day free trial From $7.99 / node / month No credit card required
ftagent: nyc-edge-01
09:41:02Agent started on eth0 · threshold 10,000 PPS
09:41:03Remote config: 290+ IOC patterns loaded
09:41:03L7: tailing /var/log/nginx/access.log
09:44:17PPS=1,204 BPS=42Mbps NORMAL
09:44:18PPS=8,409 BPS=290Mbps ELEVATED
09:44:19PPS=211M BPS=847Gbps ATTACK DETECTED
09:44:19Incident opened · UUID: a3f7c2b1
09:44:19PCAP capture started · IOC: UDP Flood
09:44:20FlowSpec rule deployed · rate-limit UDP/53
09:44:20Alert fired · Discord · Slack · PagerDuty
09:48:02Attack mitigated · 3m43s · PCAP uploaded
09:48:02_
211MPeak PPS
847GbpsPeak BPS
< 1sDetect Time
SYN Flood detected·nyc-edge-01·211M PPS
IOC match·mirai-variant·confidence 94%
Attack resolved·lon-cdn-02·3m 41s duration
DNS Amplification·fra-core-01·Peak 220Gbps
PCAP captured·tok-edge-01·10,000 packets
Botnet detected·syd-relay-03·3,241 source IPs
Baseline updated·ams-proxy-02·p99 = 2,100 PPS
HTTP Flood·sfo-api-01·92,000 req/s
Alert sent·all nodes·Discord · Slack · PD
FlowSpec deployed·fra-core-01·rate-limit UDP/53
Cloud scrub active·lon-cdn-02·Cloudflare Magic Transit
SYN Flood detected·nyc-edge-01·211M PPS
IOC match·mirai-variant·confidence 94%
Attack resolved·lon-cdn-02·3m 41s duration
DNS Amplification·fra-core-01·Peak 220Gbps
PCAP captured·tok-edge-01·10,000 packets
Botnet detected·syd-relay-03·3,241 source IPs
Baseline updated·ams-proxy-02·p99 = 2,100 PPS
HTTP Flood·sfo-api-01·92,000 req/s
Alert sent·all nodes·Discord · Slack · PD
FlowSpec deployed·fra-core-01·rate-limit UDP/53
Cloud scrub active·lon-cdn-02·Cloudflare Magic Transit
AP News USA TODAY AWS Partner Network Google CloudGoogle Cloud Y CombinatorY Combinator KTLA NIST.gov DigitalOceanDigitalOcean VultrVultr LinodeLinode OVHOVH PagerDutyPagerDuty pfSensepfSense MikroTikMikroTik ProxmoxProxmox cPanel WHMCS AP News USA TODAY AWS Partner Network Google CloudGoogle Cloud Y CombinatorY Combinator KTLA NIST.gov DigitalOceanDigitalOcean VultrVultr LinodeLinode OVHOVH PagerDutyPagerDuty pfSensepfSense MikroTikMikroTik ProxmoxProxmox cPanel WHMCS

Real-Time Response

Attack detected and mitigated in under a second

Inbound PPS Clean Traffic Attack Traffic
nyc-edge-01 · Last 5 minutes
200K 150K 100K 0 Threshold
DETECTED 211M PPS · UDP Flood
MITIGATED FlowSpec deployed · 0.71s

How It Works

Up and running in four steps

From install to first mitigation in under five minutes. No manual threshold tuning needed.

01 / INSTALL

Deploy the Agent

Two commands. The FTAgent installs on any Linux server, reads packets directly from the NIC, and connects to your Flowtriq workspace.

pip install ftagent
sudo ftagent --setup
02 / DETECT

Detect & Classify

Flowtriq learns your baseline, then detects and classifies attacks (UDP flood, SYN flood, DNS amp, HTTP flood) with confidence scoring and IOC matching.

03 / MITIGATE

Auto-Mitigate

BGP FlowSpec rate-limits, RTBH blackholes, and cloud scrubbing deploy automatically based on escalation policies you define. No manual intervention.

04 / COMMUNICATE

Alert & Communicate

Your team gets alerts on Slack, Discord, or PagerDuty in under a second. Your customers see live status on a branded page. By the time anyone checks, you're already handling it.

Features

Built for infrastructure teams
who run real servers.

Purpose-built for NOC teams, hosting providers, game server operators, and infrastructure engineers who need detection, mitigation, and clarity during an attack, not noise.

Sub-Second Detection

L3/L4 volumetric floods caught in under a second via kernel-level PPS sampling. L7 application-layer attacks detected in real-time from access logs. No polling intervals.

Learn more →

Auto-Mitigation

BGP FlowSpec rate-limits, RTBH blackholes, and cloud scrubbing deploy automatically via escalation policies you define.

Learn more →

Attack Classification

Automatically identifies UDP floods, SYN floods, HTTP floods, ICMP floods, DNS amplification, and multi-vector attacks.

Learn more →

Full Packet Capture

PCAP files include pre-attack traffic so you can see the ramp-up. Stream captures to the dashboard during active attacks.

Learn more →

30+ Firewall Rule Types

iptables, nftables, ipset, ufw, firewalld, XDP/eBPF, nginx, apache, fail2ban, and more. Rules generated for 12 firewall platforms including Cisco, Juniper, and MikroTik.

Learn more →

Multi-Channel Alerts

Route alerts to Discord, Slack, PagerDuty, OpsGenie, SMS, email, or webhooks. Digest modes, quiet hours, and per-severity routing.

Learn more →

ISP Abuse Auto-Notify

Automatically send RFC-compliant abuse reports to source network operators when attacks resolve. RDAP contact lookup, rate-limited, fully auditable.

Learn more →

SIEM Integrations

Push incidents to Splunk, Elasticsearch, Microsoft Sentinel, Wazuh, MISP, or any CEF-compatible SIEM. All 6 integrations included.

Learn more →

Cloud Scrubbing

Trigger Cloudflare, OVH, Hetzner, Path.net, Voxility, G-Core, and 8 more providers automatically when attacks escalate.

Learn more →

IDS/IPS Feeds

Live Suricata, Snort, and Zeek threat intelligence feeds generated from cross-network attacker data. Pull via API on any schedule.

Learn more →

Audit + Compliance

Hash-chained audit log, 2FA, IP allowlist, GDPR data export, PDF incident reports, and scheduled weekly/monthly summaries.

Learn more →

Public Status Pages

Customers see real-time server health on a branded page. Incidents auto-publish and auto-resolve. Support tickets drop.

Learn more →

Automated Runbooks

Define response playbooks that execute automatically when specific attack types or thresholds trigger. Chain mitigation actions, notifications, and escalations without manual intervention.

Learn more →

Maintenance Windows

Schedule planned maintenance periods where detection sensitivity adjusts automatically. Prevent false positives during upgrades, migrations, and planned downtime.

Learn more →

Baseline Learning

Flowtriq learns your normal traffic patterns automatically. No manual thresholds to configure. Anomalies are detected by deviation from your actual baseline, not static rules.

Learn more →

Why Flowtriq

Detect before the damage lands

Most DDoS tools sit at one end of the stack. Cloud scrubbers absorb floods. Hardware appliances filter at the edge. Nothing in between does both detection and mitigation cleanly — until Flowtriq.

NetFlow / sFlow polling
Routers export sampled flow data every 1-5 minutes. Your collector aggregates, correlates, and fires an alert. By then, upstream links are saturated and customers are calling.
1-5 minute detection lag
Sampled — misses short bursts
No built-in mitigation
Separate tools for alert + response
Flowtriq real-time
A lightweight agent on each node reads kernel-level traffic stats every second. Detection, classification, mitigation, and alerting all happen before a NetFlow interval even starts.
Under 1 second from attack to mitigation
Every packet — no sampling
BGP FlowSpec + RTBH + cloud scrubbing built in
Detection and mitigation in one platform
Auto-reports abuse to source networks after mitigation
< 1s
Detect & mitigate
5,079
Threat intel indicators
4
Escalation levels
7
Attack families classified
100%
Packet-level visibility
Coming soon: Flowtriq Shield Managed scrubbing that detects, routes, scrubs, and returns clean traffic. No BGP expertise required. Join the waitlist →

Autonomous Operation

Configure once. It handles the rest.

Set your escalation policy and runbooks during business hours. When an attack hits at 3 AM, Flowtriq detects it, deploys firewall rules, escalates to BGP FlowSpec or cloud scrubbing if needed, updates your status page, and alerts your team. By the time you check Slack, the incident is already resolving.

Automated Runbooks

Chain firewall rules, scrubbing activation, team alerts, and status page updates into playbooks that execute without you.

4-Level Auto-Escalation

Local firewall rules at 100 Mbps, FlowSpec at 500 Mbps, RTBH at 2 Gbps, cloud scrubbing at 5 Gbps. Each level fires automatically.

Self-Updating Status Pages

Customers see live server health at your branded URL. Incidents auto-publish, maintenance windows auto-announce. Zero manual updates.

Inside the Dashboard

See it before you sign up

CRITICALINC-4821
UDP Flood
Confidence 94% · Mirai variant · 2,847 source IPs
211MPeak PPS
847GPeak BPS
0.71sResponse
Auto-mitigating · FlowSpec deployed
ONLINEnyc-edge-01
4,218PPS
148MBPS
99.98%Uptime
New York · eth0 · Agent v2.4.1
#incidents
DDoS Attack Detected
UDP Flood on nyc-edge-01 (203.0.113.5)
Peak211M PPS
FamilyUDP Flood
StatusMitigating
ActionFlowSpec
Today at 09:44 AM

Integrations

Makes your stack attack-aware

Flowtriq pushes the classified attack, confidence score, peak PPS/BPS, affected node, and mitigation taken to the tools your team already uses. Alerts fire within one second of detection.

Cloudflare
Scrubbing + WAF
BGP / ExaBGP
FlowSpec & RTBH
Discord
Attack Alerts
Slack
Attack Alerts
PagerDuty
On-Call Escalation
OpsGenie
Alert Management
Grafana
Live Dashboards
Datadog
Metrics Export
Prometheus
Metrics Scraping
SMS
Text Alerts
Webhooks
Custom Automation

Managed SOC

Who monitors your network at 3 AM?

A junior SOC analyst costs $60K+ per year. Our Respond plan is $17,988/year with 24/7 coverage, incident response, and threshold tuning included.

Watch
$499/mo

Business-hours coverage for teams that want a second set of eyes on their traffic.

  • Mon-Fri, 8 AM - 8 PM ET
  • Alert review and triage
  • Monthly threshold optimization
  • Email incident summaries
Learn More
Dedicated
$3,999/mo

A named analyst who knows your infrastructure as well as you do.

  • Named analyst assigned to you
  • 5-minute response SLA
  • Custom runbooks and playbooks
  • Quarterly architecture reviews
  • Direct phone escalation
Talk to Sales

Pricing

Simple, honest pricing

Per-node or per-flow-source pricing. No traffic-volume surcharges, no per-alert fees, no seat limits.

Per Flow Source
from $19/source/mo

Send sFlow, NetFlow, or IPFIX from your routers. Pay per source, not per gigabit. Volume discounts from $39 down to $15/source (annual).

  • sFlow v5, NetFlow v5/v9, IPFIX
  • Unlimited destination IPs
  • All features included
  • Same dashboard, alerting, API
  • Volume pricing (20+ sources = $19/ea)
  • Works standalone or alongside agents
Start Free Trial →
Enterprise
Custom

Volume discounts, dedicated support, extended retention, SSO, and SLA guarantees.

  • Everything in Per Node + Flow Source
  • Volume pricing (50+ nodes)
  • 365-day PCAP + audit retention
  • Dedicated Slack + named CSM
  • SSO / SAML
  • 99.9% uptime SLA
Talk to Sales →
Managed Protection

Don't have a NOC? We'll be yours.

24/7 analyst monitoring, active incident response, custom runbooks. Three tiers from $499/mo. Costs less than a single junior SOC hire.

5-min response (Dedicated) Named analyst No long-term contracts
from $499/mo
vs. $60K+/yr for one SOC analyst
See Managed Plans →

FAQ

Frequently asked questions

What is Flowtriq?

Flowtriq is a real-time DDoS detection and auto-mitigation platform. It installs as a lightweight agent on your Linux servers, monitors every packet, classifies attack types (SYN flood, UDP amplification, DNS reflection, etc.), and can automatically deploy BGP FlowSpec rules, RTBH, or trigger cloud scrubbing, all within one second of detection.

How does Flowtriq detect DDoS attacks?

Flowtriq monitors network traffic in real time using per-packet inspection. It learns your normal traffic baseline, then detects anomalies like sudden spikes in packets-per-second, unusual protocol distributions, or known attack signatures. It classifies attacks into specific types and alerts your team within one second.

How much does Flowtriq cost?

$7.99 per node per month billed annually, or $9.99 billed monthly. Flow source pricing from $15/source/mo (annual) for router-level sFlow/NetFlow/IPFIX ingestion. No per-seat charges, no traffic-volume surcharges, no per-alert fees. Every plan includes all features. Enterprise and volume pricing available. 14-day free trial, no credit card required.

What alert channels does Flowtriq support?

Discord, Slack, email, SMS, PagerDuty, OpsGenie, and custom webhooks. Alerts fire within one second of detection and include attack type, severity, packets-per-second, and affected node details.

Does Flowtriq offer auto-mitigation?

Yes. Flowtriq can automatically deploy BGP FlowSpec rules, RTBH routing, or trigger cloud scrubbing when an attack is detected. You can configure mitigation rules with thresholds, cooldowns, and specific attack type triggers from the dashboard.

How long does it take to set up?

Under two minutes. Run pip install ftagent, then sudo ftagent --setup with your API key. The agent immediately begins monitoring traffic. You'll see data in your dashboard within seconds of installation.

What is PCAP capture?

When Flowtriq detects an attack, it automatically captures raw packet data (PCAP) for forensic analysis. Download captures from the dashboard, filter by protocol and time range, and use them with tools like Wireshark. Retention is 7 days on standard plans, up to 365 days on enterprise.

Can I monitor multiple servers?

Yes. Install the agent on as many servers as you need and manage them all from one dashboard. Each node is billed independently. You can organize servers into separate workspaces for different teams or clients.

What is the Flowtriq Protected trust badge?

A verified, embeddable badge that hosting providers display on their website, WHMCS order pages, and server listing profiles. It reflects real-time protection status and links to a public verification page where anyone can confirm the provider has active DDoS monitoring. Available to any Flowtriq user with at least one online node.

Get Started

Your servers are under attack right now.
Would you know? Would they survive?

Install the agent in 60 seconds. Get real-time DDoS detection and auto-mitigation free for 14 days. No credit card, no commitment.