Detect. Mitigate.
Stay online.
Flowtriq detects attacks in under a second, tells you exactly what they are, and stops them automatically. Cloud scrubbing, BGP mitigation, Layer 7 detection, PCAP forensics, automated runbooks, multi-channel alerts. Everything from the first packet to the post-incident report, handled.
Real-Time Response
Attack detected and mitigated in under a second
How It Works
Up and running in four steps
From install to first mitigation in under five minutes. No manual threshold tuning needed.
Deploy the Agent
Two commands. The FTAgent installs on any Linux server, reads packets directly from the NIC, and connects to your Flowtriq workspace.
sudo ftagent --setup
Detect & Classify
Flowtriq learns your baseline, then detects and classifies attacks (UDP flood, SYN flood, DNS amp, HTTP flood) with confidence scoring and IOC matching.
Auto-Mitigate
BGP FlowSpec rate-limits, RTBH blackholes, and cloud scrubbing deploy automatically based on escalation policies you define. No manual intervention.
Alert & Communicate
Your team gets alerts on Slack, Discord, or PagerDuty in under a second. Your customers see live status on a branded page. By the time anyone checks, you're already handling it.
Proven in Production
Real attacks. Real infrastructure. Real results.
NTP amplification + SYN flood hit a 240-person cybersecurity training event. Detected in 0.9 seconds. BGP FlowSpec and cloud scrubbing active by T+11s. Zero participants disconnected.
DNS amplification + TCP ACK flood from 91,400 source IPs hit a mid-size operator's transit edge. Detected in 0.7 seconds. FlowSpec pushed upstream, scrubbing activated. Every downstream prefix stayed clean.
Our team discovered a critical kill switch in the Mirai botnet CNC server that allows defenders to crash active botnets. Published as CVE-2024-45163. The same team that builds the product does the research.
Features
Built for infrastructure teams
who run real servers.
Purpose-built for NOC teams, hosting providers, game server operators, and infrastructure engineers who need detection, mitigation, and clarity during an attack, not noise.
Sub-Second Detection
L3/L4 volumetric floods caught in under a second via kernel-level PPS sampling. L7 application-layer attacks detected in real-time from access logs. No polling intervals.
Learn more →Auto-Mitigation
BGP FlowSpec rate-limits, RTBH blackholes, and cloud scrubbing deploy automatically via escalation policies you define.
Learn more →Attack Classification
Automatically identifies UDP floods, SYN floods, HTTP floods, ICMP floods, DNS amplification, and multi-vector attacks.
Learn more →Full Packet Capture
PCAP files include pre-attack traffic so you can see the ramp-up. Stream captures to the dashboard during active attacks.
Learn more →30+ Firewall Rule Types
iptables, nftables, ipset, ufw, firewalld, XDP/eBPF, nginx, apache, fail2ban, and more. Rules generated for 12 firewall platforms including Cisco, Juniper, and MikroTik.
Learn more →Multi-Channel Alerts
Route alerts to Discord, Slack, PagerDuty, OpsGenie, SMS, email, or webhooks. Digest modes, quiet hours, and per-severity routing.
Learn more →ISP Abuse Auto-Notify
Automatically send RFC-compliant abuse reports to source network operators when attacks resolve. RDAP contact lookup, rate-limited, fully auditable.
Learn more →SIEM Integrations
Push incidents to Splunk, Elasticsearch, Microsoft Sentinel, Wazuh, MISP, or any CEF-compatible SIEM. All 6 integrations included.
Learn more →Cloud Scrubbing
Trigger Cloudflare, OVH, Hetzner, Path.net, Voxility, G-Core, and 8 more providers automatically when attacks escalate.
Learn more →IDS/IPS Feeds
Live Suricata, Snort, and Zeek threat intelligence feeds generated from cross-network attacker data. Pull via API on any schedule.
Learn more →Audit + Compliance
Hash-chained audit log, 2FA, IP allowlist, GDPR data export, PDF incident reports, and scheduled weekly/monthly summaries.
Learn more →Public Status Pages
Customers see real-time server health on a branded page. Incidents auto-publish and auto-resolve. Support tickets drop.
Learn more →Automated Runbooks
Define response playbooks that execute automatically when specific attack types or thresholds trigger. Chain mitigation actions, notifications, and escalations without manual intervention.
Learn more →Maintenance Windows
Schedule planned maintenance periods where detection sensitivity adjusts automatically. Prevent false positives during upgrades, migrations, and planned downtime.
Learn more →Baseline Learning
Flowtriq learns your normal traffic patterns automatically. No manual thresholds to configure. Anomalies are detected by deviation from your actual baseline, not static rules.
Learn more →Why Flowtriq
Detect before the damage lands
Most DDoS tools sit at one end of the stack. Cloud scrubbers absorb floods. Hardware appliances filter at the edge. Nothing in between does both detection and mitigation cleanly — until Flowtriq.
Autonomous Operation
Configure once. It handles the rest.
Set your escalation policy and runbooks during business hours. When an attack hits at 3 AM, Flowtriq detects it, deploys firewall rules, escalates to BGP FlowSpec or cloud scrubbing if needed, updates your status page, and alerts your team. By the time you check Slack, the incident is already resolving.
Automated Runbooks
Chain firewall rules, scrubbing activation, team alerts, and status page updates into playbooks that execute without you.
4-Level Auto-Escalation
Local firewall rules at 100 Mbps, FlowSpec at 500 Mbps, RTBH at 2 Gbps, cloud scrubbing at 5 Gbps. Each level fires automatically.
Self-Updating Status Pages
Customers see live server health at your branded URL. Incidents auto-publish, maintenance windows auto-announce. Zero manual updates.
Inside the Dashboard
See it before you sign up
Integrations
Makes your stack attack-aware
Flowtriq pushes the classified attack, confidence score, peak PPS/BPS, affected node, and mitigation taken to the tools your team already uses. Alerts fire within one second of detection.
Works With Your Stack
Native integrations for firewalls, panels, and platforms
Deploy on your infrastructure the way it already runs. No middleware, no proxying.
The Ecosystem
Programs, tools, and resources
Flowtriq is more than a detection platform. Free tools, certifications, managed services, partner programs, and open-source projects for the network security community.
Let our analysts watch your network
24/7 monitoring, active incident response, custom runbooks. Three tiers from $499/mo. No long-term contracts.
See plans →37 network security tools, no account needed
Risk calculators, PCAP analyzer, BGP FlowSpec builder, iptables generator, attack map, IP threat lookup, and more.
Browse tools →Prove your DDoS expertise
Four certification tracks from foundations to incident commander. Verifiable credentials, LinkedIn badges, and a consultant directory listing.
Get certified →Run Flowtriq under your own brand
Custom domain, full visual rebrand, branded login page, API tokens, and multi-tenant architecture for MSPs and hosting providers.
Learn more →Earn 30% recurring commission for life
Help hosting and ISP clients protect their infrastructure. Affiliate dashboard, directory listing, co-marketing, and certified credential.
Start earning →ftagent-lite and NetHawk, MIT licensed
Standalone DDoS monitor and Go-based traffic analyzer. Free forever, no account needed. Use in labs, coursework, or production.
View on GitHub →Managed SOC
Who monitors your network at 3 AM?
A junior SOC analyst costs $60K+ per year. Our Respond plan is $17,988/year with 24/7 coverage, incident response, and threshold tuning included.
Business-hours coverage for teams that want a second set of eyes on their traffic.
- Mon-Fri, 8 AM - 8 PM ET
- Alert review and triage
- Monthly threshold optimization
- Email incident summaries
Round-the-clock on-call analysts who actively respond when attacks hit.
- 24/7 on-call coverage
- 15-minute response SLA
- Active incident response
- Threshold tuning and escalation
- Slack or Teams war room
A named analyst who knows your infrastructure as well as you do.
- Named analyst assigned to you
- 5-minute response SLA
- Custom runbooks and playbooks
- Quarterly architecture reviews
- Direct phone escalation
Pricing
Simple, honest pricing
Per-node or per-flow-source pricing. No traffic-volume surcharges, no per-alert fees, no seat limits.
Install our lightweight agent on each server. Kernel-level detection, zero sampling. Includes built-in flow adapter for that node's traffic.
- Sub-second DDoS detection
- Automated mitigation (iptables, nftables, XDP/eBPF, cloud APIs)
- BGP FlowSpec + RTBH + cloud scrubbing
- PCAP capture + AI forensics
- NOC alerts in seconds
- Full dashboard + REST API
- Unlimited incidents, users, support
Send sFlow, NetFlow, or IPFIX from your routers. Pay per source, not per gigabit. Volume discounts from $39 down to $15/source (annual).
- sFlow v5, NetFlow v5/v9, IPFIX
- Unlimited destination IPs
- All features included
- Same dashboard, alerting, API
- Volume pricing (20+ sources = $19/ea)
- Works standalone or alongside agents
Volume discounts, dedicated support, extended retention, SSO, and SLA guarantees.
- Everything in Per Node + Flow Source
- Volume pricing (50+ nodes)
- 365-day PCAP + audit retention
- Dedicated Slack + named CSM
- SSO / SAML
- 99.9% uptime SLA
Don't have a NOC? We'll be yours.
24/7 analyst monitoring, active incident response, custom runbooks. Three tiers from $499/mo. Costs less than a single junior SOC hire.
FAQ
Frequently asked questions
What is Flowtriq?
Flowtriq is a real-time DDoS detection and auto-mitigation platform. It installs as a lightweight agent on your Linux servers, monitors every packet, classifies attack types (SYN flood, UDP amplification, DNS reflection, etc.), and can automatically deploy BGP FlowSpec rules, RTBH, or trigger cloud scrubbing, all within one second of detection.
How does Flowtriq detect DDoS attacks?
Flowtriq monitors network traffic in real time using per-packet inspection. It learns your normal traffic baseline, then detects anomalies like sudden spikes in packets-per-second, unusual protocol distributions, or known attack signatures. It classifies attacks into specific types and alerts your team within one second.
How much does Flowtriq cost?
$7.99 per node per month billed annually, or $9.99 billed monthly. Flow source pricing from $15/source/mo (annual) for router-level sFlow/NetFlow/IPFIX ingestion. No per-seat charges, no traffic-volume surcharges, no per-alert fees. Every plan includes all features. Enterprise and volume pricing available. 14-day free trial, no credit card required.
What alert channels does Flowtriq support?
Discord, Slack, email, SMS, PagerDuty, OpsGenie, and custom webhooks. Alerts fire within one second of detection and include attack type, severity, packets-per-second, and affected node details.
Does Flowtriq offer auto-mitigation?
Yes. Flowtriq can automatically deploy BGP FlowSpec rules, RTBH routing, or trigger cloud scrubbing when an attack is detected. You can configure mitigation rules with thresholds, cooldowns, and specific attack type triggers from the dashboard.
How long does it take to set up?
Under two minutes. Run pip install ftagent, then sudo ftagent --setup with your API key. The agent immediately begins monitoring traffic. You'll see data in your dashboard within seconds of installation.
What is PCAP capture?
When Flowtriq detects an attack, it automatically captures raw packet data (PCAP) for forensic analysis. Download captures from the dashboard, filter by protocol and time range, and use them with tools like Wireshark. Retention is 7 days on standard plans, up to 365 days on enterprise.
Can I monitor multiple servers?
Yes. Install the agent on as many servers as you need and manage them all from one dashboard. Each node is billed independently. You can organize servers into separate workspaces for different teams or clients.
What is the Flowtriq Protected trust badge?
A verified, embeddable badge that hosting providers display on their website, WHMCS order pages, and server listing profiles. It reflects real-time protection status and links to a public verification page where anyone can confirm the provider has active DDoS monitoring. Available to any Flowtriq user with at least one online node.