Back to Blog

We sell Flowtriq at $9.99/node/month, so this post describes our product's positioning for the ISP market. Competitive pricing data comes from published vendor pages and public documentation.

The pricing gap in DDoS detection

A 200-customer ISP running 50 servers generates enough revenue to operate, grow slowly, and maintain its infrastructure. It does not generate enough revenue to drop $100K on an Arbor TMS appliance or $80K on a Corero SmartWall deployment. These solutions are built for carriers processing hundreds of gigabits. They assume dedicated NOC staff, rackspace for hardware, and annual maintenance contracts that cost more than some small ISPs earn in a quarter.

The mid-market is not much better. FastNetMon Advanced starts at $115/month for a 10 Gbps license, but requires a dedicated server to run on (add $60-$150/month), produces no web dashboard without an additional LiveView license ($70/user/month), and caps support at 1-3 tickets per month depending on tier. For a small ISP that needs detection across 50 servers, you are looking at either one central collector (which misses per-server granularity) or per-instance licensing that adds up quickly.

The result is predictable: small ISPs either run nothing, rely on upstream provider detection (which is often slow and coarse), or deploy FastNetMon Community with threshold-only detection and no dashboard. None of these options provide the visibility that modern attack patterns demand. A 200-customer ISP with 50 servers should not need a $100K appliance to know when a SYN flood hits one of its edge servers.

The gap exists because the DDoS detection market was built top-down. Vendors designed for carriers first, then tried to scale pricing down. Per-node pricing works the opposite direction: it starts at the server level and scales up with your infrastructure.

What per-node pricing changes

Traditional DDoS detection is a CapEx decision. You buy hardware, sign a multi-year contract, and depreciate it over time. For a small ISP, this means a board-level approval, a procurement cycle, and a commitment that outlasts the typical planning horizon. Per-node pricing converts this into OpEx: a predictable monthly line item that scales with your actual infrastructure.

The math is straightforward. At $9.99/node/month:

  • 50 servers: $499.50/month
  • 100 servers: $999/month
  • 150 servers: $1,498.50/month

Compare this to a single FastNetMon Advanced deployment with dashboard access: $115/month license + $70/month LiveView + $80-$150/month dedicated server = $265-$335/month for centralized detection on one instance. That covers your network as a whole via sFlow/NetFlow, but gives you no per-server baselines, no per-server PCAP, and no granularity below the flow level. If you want detection that knows which server is under attack (not just which /24), you need agents on each server regardless.

Per-node pricing also eliminates the bandwidth-tier trap. FastNetMon prices by throughput: 10 Gbps, 40 Gbps, 100 Gbps. As your ISP grows and adds capacity, your detection cost jumps at each tier boundary. Per-node pricing grows linearly with server count. Add 10 servers, add $99.90/month. No tier jumps, no contract renegotiation, no activation fees.

There is no minimum commitment. If you decommission servers, you remove agents and stop paying for those nodes the next billing cycle. This flexibility matters for ISPs with seasonal demand or those scaling into new markets.

What small ISPs get at $9.99/node

Per-node does not mean per-node-lite. Each $9.99/month node includes the full detection stack:

  • Real-time detection (1-2 seconds): Attack identification within seconds of onset, not the 30-60 second windows common in flow-based detection
  • Automatic attack classification: SYN flood, UDP amplification, DNS reflection, NTP monlist, ICMP flood, HTTP flood, fragmentation attacks, and multi-vector combinations identified automatically
  • Per-server dynamic baselines: Each server learns its own traffic patterns. A mail server and a web server on the same subnet have different baselines and different thresholds
  • PCAP capture on every attack: Full packet captures during attack windows for forensics, upstream reporting, and law enforcement cooperation
  • Multi-channel alerting: Slack, Discord, PagerDuty, OpsGenie, SMS, email, and generic webhooks. Configure per-severity routing so SYN floods page the on-call while port scans go to Slack
  • BGP blackhole integration: Trigger RTBH or FlowSpec announcements to upstream providers automatically when attacks exceed local mitigation capacity
  • Web dashboard (no extra fee): Full dashboard with attack timelines, traffic graphs, classification breakdowns, and historical data. Unlimited users, no per-seat charges
  • REST API for automation: Pull attack data into your existing monitoring, ticketing, or billing systems
  • No hardware, no dedicated server: The agent runs on your existing Linux infrastructure. No appliances to rack, no collectors to maintain

Every item in that list is included at $9.99/node. There are no add-on fees for PCAP storage, no per-user dashboard charges, no premium support tiers with different response times. The pricing model is intentionally flat because small ISPs should not need to choose between detection features based on budget constraints.

How it works for ISPs specifically

The deployment model is designed for ISP infrastructure patterns. You install the Flowtriq agent on customer-facing servers and Linux-based edge routers. Each agent is a lightweight process that monitors inbound and outbound traffic on the interfaces you specify. There is no central collector to maintain, no span ports to configure, no flow export to set up.

Each server builds its own traffic baseline over 24-72 hours. The baseline adapts continuously, accounting for time-of-day patterns, day-of-week variations, and gradual growth. When traffic deviates from the baseline in ways that match known attack signatures or statistical anomalies, detection fires within 1-2 seconds.

For ISPs, the attack response chain matters as much as detection. When an attack is confirmed, Flowtriq can trigger BGP announcements to your upstream providers within seconds. This means attack traffic is dropped at the upstream edge before it saturates your transit links. For attacks within your local mitigation capacity, the agent can apply local firewall rules to drop traffic at the server level without involving BGP at all.

Customer-visible incident data is generated automatically. Each attack produces a timestamped record with vector classification, volume data, duration, source distribution, and PCAP reference. This data supports SLA compliance reporting and gives your support team concrete answers when customers ask what happened. You are not telling customers "we saw some high traffic" -- you are showing them a classified incident with packet-level evidence.

The deployment works alongside your existing infrastructure. If you already have Nagios, Zabbix, LibreNMS, or Prometheus monitoring your network, Flowtriq operates independently. It does not replace your network monitoring stack. It adds a dedicated DDoS detection layer that your general-purpose monitoring tools are not designed to provide.

Comparison: detection solutions for small ISPs

Feature FastNetMon Community FastNetMon Advanced Arbor TMS Flowtriq
Starting cost $0 + server ($60-150/mo) $115/mo + server $50K-$100K+ (CapEx) $9.99/node/mo
Hardware required Dedicated server Dedicated server Proprietary appliance None (runs on existing infra)
Detection speed 30-60 seconds (flow-based) 10-30 seconds (flow-based) 5-15 seconds 1-2 seconds (packet-level)
Web dashboard None (CLI only) $70/user/mo add-on Included Included, unlimited users
PCAP forensics No No Yes Yes, every attack
BGP integration RTBH only RTBH + FlowSpec RTBH + FlowSpec + scrubbing RTBH + FlowSpec
Multi-tenant No No Yes Yes
Deploy time Hours (config-heavy) Hours Weeks (hardware + professional services) Minutes per node

Sources: FastNetMon pricing, Arbor pricing from published case studies and reseller documentation.

See if Flowtriq fits your ISP - 14-day free trial

$9.99/node/month. Real-time detection, PCAP forensics, BGP integration, web dashboard, unlimited users and support. No hardware, no CapEx, no minimum commitment. Deploy on your first server in under 5 minutes.

Start Free Trial →

When Flowtriq is not the right fit

Per-node detection is not the answer to every DDoS problem. There are scenarios where other solutions serve you better, and it is worth being direct about them.

If you need inline packet filtering and scrubbing: Flowtriq detects attacks and triggers mitigation actions (BGP, firewall rules, webhooks). It does not sit inline and scrub traffic in real-time. If your requirement is an inline appliance that drops malicious packets while passing clean traffic at line rate, that is Corero SmartWall or Arbor TMS territory. These cost $80K+ for a reason: they are purpose-built hardware doing packet inspection at 10-100 Gbps.

If you need centralized sFlow/NetFlow collection: Some ISPs prefer a central collector that ingests flow data from all routers and switches. Flowtriq uses per-node agents rather than flow collection. If your architecture requires a single pane of glass over NetFlow exports from Cisco/Juniper hardware, FastNetMon Advanced or nfdump-based tooling may align better with your existing workflow.

If you only have 1-2 servers: At $9.99/node, a single-server ISP pays $9.99/month. That still works, but if your entire operation is one or two servers, you may find that your hosting provider's built-in DDoS protection (if they offer it) covers your needs without additional tooling.

For a full breakdown of where Flowtriq fits and where it does not, see our honest assessment page.

Frequently asked questions

Can a small ISP afford DDoS detection?
Yes. The perception that DDoS detection requires $50K+ in hardware comes from the enterprise appliance market (Arbor, Corero, A10). Per-node pricing at $9.99/month lets a 50-server ISP deploy full detection for $499.50/month. That is less than a single month of FastNetMon Advanced with LiveView dashboard access on a dedicated server, and it covers every server individually rather than relying on centralized flow sampling.
Does Flowtriq work with BGP for ISP mitigation?
Yes. Flowtriq integrates with BGP for both RTBH (Remote Triggered Black Hole) and FlowSpec-based mitigation. When an attack exceeds local mitigation capacity, the agent triggers BGP announcements to your configured upstream peers within seconds. This drops attack traffic at the upstream edge before it saturates your transit links. Configuration requires your upstream to accept BGP communities for blackhole or FlowSpec routes, which most transit providers support.

The bottom line

Small ISPs face real DDoS threats. A 500 Mbps UDP amplification attack is enough to degrade service for every customer on an affected segment. The detection market has historically priced these ISPs out of real solutions, leaving them with either nothing or community tools that require significant operational overhead to maintain.

Per-node pricing at $9.99/month closes that gap. Fifty servers cost $499.50/month, with detection speed, forensics capability, and dashboard access that matches or exceeds what centralized solutions provide. No hardware procurement, no multi-year contracts, no per-Gbps tiers that punish growth. Deploy the agent, build baselines, and start detecting within 72 hours.