What We Are Announcing
Today Flowtriq is shipping Managed DDoS Protection: a service that places certified network security analysts on top of your existing Flowtriq deployment. Analysts monitor your dashboards around the clock, respond to incidents as they unfold, tune detection thresholds to match your traffic baselines, and trigger mitigations so you do not have to be awake at 3am to do it yourself.
The service is available to every Flowtriq customer regardless of plan. Whether you are running node-based detection at $9.99/node/month, flow-based detection, or a combination of both, you can add managed coverage today. There are three tiers, billed monthly with no long-term contracts required.
Now live: Managed DDoS Protection is available at flowtriq.com/managed. Three tiers start at $499/month. No contracts, cancel any time.
The 3am Problem
DDoS attacks do not wait for business hours. Volumetric floods, protocol exhaustion attacks, and multi-vector campaigns routinely launch in the middle of the night, on weekends, and during holidays. The timing is not accidental. Threat actors know that most organizations run lean on-call rotations, and that the gap between an attack starting and an engineer picking up a pager notification can be 10 to 30 minutes or more. A 400 Gbps flood that saturates your transit link in under a minute does not give you 30 minutes to respond.
For many teams, the honest answer to "who is watching for DDoS right now?" is: nobody. Flowtriq's detection engine runs 24/7 and will fire alerts the moment traffic deviates from baseline. But an alert sitting in a Slack channel at 2:47am is only useful if someone is awake, has context, knows the escalation runbook, and has the authority to trigger a BGP null-route or upstream scrubbing request. Building that staffing capability from scratch is expensive. Hiring certified network security engineers with DDoS response experience, BGP operations background, and network forensics skills is a months-long recruiting effort even for well-funded teams.
Managed DDoS Protection exists for organizations that want the detection capability of Flowtriq and the response capability of an experienced analyst, without the overhead of building and maintaining that analyst function in-house.
Alert Fatigue and the Cost of Tuning
Even teams that do have on-call engineers face a second problem: alert fatigue. A new Flowtriq deployment starts with sensible default detection thresholds, but every network is different. A content delivery network sees traffic spikes that would look like attacks on a SaaS product. An online gaming platform has burst patterns during tournament launches that no generic baseline would anticipate. A hosting provider carries a mix of tenants whose aggregate traffic makes individual-tenant anomalies harder to surface.
Tuning detection thresholds is an ongoing process. It requires understanding your traffic patterns at a technical level, correlating false positives with known legitimate events, and adjusting per-node baselines over weeks rather than days. Teams that do not invest time in tuning end up in one of two failure modes: too many alerts (engineers learn to ignore them) or too few alerts (real attacks go undetected because thresholds are set too high to avoid noise).
Managed analysts handle threshold tuning as part of their ongoing engagement. They review false positive patterns, correlate alert history with your traffic data, and keep your detection calibrated to your actual network behavior. This is not a one-time setup task. It is a continuous operational function that compounds in value over time.
The Three Tiers
Managed DDoS Protection ships with three tiers. All three are month-to-month with no long-term commitment required.
Watch: $499/month
Watch is 24/7 on-call monitoring of your Flowtriq deployment. Analysts watch your dashboards, review incident alerts as they fire, and escalate to your engineering team when action is required. If an attack starts at 3am, your on-call engineer receives a call with a situation report already prepared: attack type, affected nodes, estimated volume, and a recommended response. Your team makes the call; the analyst provides the briefing so you can act faster.
Watch is the right tier for teams that already have incident response capabilities but want to close the gap between "alert fires" and "engineer has full context." It reduces mean time to acknowledge and gives your team the visibility they need to make good decisions quickly, even when they are being woken from sleep.
Respond: $1,499/month
Respond adds active incident response and ongoing tuning to the 24/7 monitoring in Watch. When an attack starts, the analyst does not just prepare a briefing. They execute the response directly: modifying detection thresholds in real time, adjusting firewall rules, and triggering BGP announcements to divert or null-route attack traffic. Your team is notified and kept in the loop, but the analyst handles the technical response without waiting for your on-call engineer to be fully awake and at a keyboard.
Between incidents, Respond analysts continuously tune your detection thresholds, review your traffic baselines, and produce written summaries of any incidents that occurred. The tuning work reduces false positives, improves detection sensitivity for the attack types most likely to target your infrastructure, and builds a documented baseline of your normal traffic patterns that accelerates future incident analysis.
Respond is the right tier for hosting providers, gaming companies, financial services operators, and any organization that has previously experienced attacks and knows that the difference between a 5-minute response and a 30-minute response has direct revenue and reputation consequences.
Dedicated: $3,999/month
Dedicated provides a named analyst assigned specifically to your account. Rather than drawing from the shared on-call pool, you have a primary analyst who knows your infrastructure, your traffic patterns, your escalation contacts, and your organizational preferences. They attend your operational reviews, contribute to your incident runbooks, and coordinate directly with your engineering team during major events.
Dedicated is the right tier for enterprises, large hosting providers, and MSPs who manage DDoS protection on behalf of their own customers and need a direct partner relationship rather than a shared service model.
All three tiers work with any Flowtriq plan. There is no minimum node count, no minimum contract length, and no requirement to change your existing Flowtriq subscription to add managed coverage.
Who Are the Analysts
Managed DDoS Protection analysts come from a partner network that includes Lorikeet Security, certified network security professionals with hands-on experience in DDoS incident response, BGP operations, and network forensics. These are not generalist security analysts who learned DDoS from documentation. They have worked live incidents, operated scrubbing infrastructure, configured BGP communities under attack conditions, and built detection logic for real-world traffic.
Specific areas of expertise in the analyst network include:
- DDoS incident response and escalation: identifying attack type, coordinating with upstream providers, managing BGP null-routing and RTBH procedures
- BGP operations: prefix announcements, community-based traffic engineering, and blackhole routing coordination with upstream transit providers
- Network forensics: PCAP analysis, flow record interpretation, attack attribution, and evidence packaging for upstream scrubbing providers
- Detection tuning: threshold calibration, baseline analysis, false positive reduction, and per-node sensitivity adjustment
The analyst network will expand over time. As Flowtriq grows, additional certified partners will be onboarded through a structured qualification process. All analysts, regardless of which partner organization they come from, operate under the same Flowtriq access control model described in the next section.
Security and Access Control
Giving a third party access to your network protection infrastructure is a serious trust decision. Flowtriq's Managed DDoS Protection is built around a purpose-built access control model that gives analysts exactly the access they need to do their job, and nothing more.
The Analyst RBAC Role
All managed analysts operate under Flowtriq's Analyst RBAC role. This is a distinct role in the platform's access control system, separate from the Owner, Admin, Analyst (self-managed), and Read-Only roles available to your own team members. The Analyst role grants:
- Full read access to all dashboards, incident timelines, traffic graphs, and node metrics
- Ability to modify detection thresholds and per-node sensitivity settings
- Ability to adjust firewall rules and mitigation configurations
- Ability to trigger BGP announcements for attack mitigation
The Analyst role explicitly cannot:
- Access billing information, subscription details, or payment methods
- View or rotate node API keys
- Manage user accounts, invite team members, or change role assignments
- Access account settings or workspace configuration
This scope is intentional. An analyst responding to a 400 Gbps flood at 3am needs to be able to act immediately. They do not need access to your credit card number or the ability to create new user accounts. The Analyst role is scoped to operational network security functions and nothing else.
The Tamper-Evident Audit Log
Every action taken by a managed analyst is recorded in Flowtriq's audit log. The audit log uses a hash-chain structure: each entry includes a cryptographic hash of the previous entry, making it tamper-evident. Any attempt to delete or modify an audit log entry would break the chain and be immediately detectable.
The audit trail covers every analyst action with full detail:
# Example audit log entries (Analyst RBAC actions)
[2026-05-18 03:14:22 UTC] analyst:lorikeet-001 VIEW dashboard:nodes
[2026-05-18 03:14:31 UTC] analyst:lorikeet-001 VIEW incident:4b7d2aa7
[2026-05-18 03:15:02 UTC] analyst:lorikeet-001 MODIFY node:core-nyc-01 threshold.pps_warn=850000
[2026-05-18 03:15:44 UTC] analyst:lorikeet-001 MODIFY node:core-nyc-01 firewall.block_udp_3702=true
[2026-05-18 03:16:11 UTC] analyst:lorikeet-001 TRIGGER bgp.announce prefix=198.51.100.0/24 community=blackhole
[2026-05-18 03:22:48 UTC] analyst:lorikeet-001 MODIFY node:core-nyc-01 firewall.block_udp_3702=false
[2026-05-18 03:23:05 UTC] analyst:lorikeet-001 TRIGGER bgp.withdraw prefix=198.51.100.0/24
# Each entry includes:
# - Timestamp (UTC, millisecond precision)
# - Analyst identifier (anonymized partner + session ID)
# - Action type and resource
# - Before/after values for any configuration change
# - Chain hash linking to previous entry
You can review the audit log at any time from your Flowtriq dashboard. Every managed engagement includes a written incident summary that references specific audit log entries, so you always have a complete record of what your analysts did, why they did it, and what the outcome was. There are no black boxes.
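How a hash chain of this kind is checked, as an added example (not Flowtriq's implementation or code from this page): it chains some of the sample entries above with SHA-256 and verifies them after an edit, a deletion and a dropped tail. The record layout, the genesis value, the hash function and the names build_chain and verify_chain are assumptions; the page does not specify them.

```python
import hashlib

GENESIS = "0" * 64  # assumed starting value for the first entry's prev hash

# Action lines copied from the page's sample log; the hashes are computed here.
SAMPLE_LINES = [
    "[2026-05-18 03:14:22 UTC] analyst:lorikeet-001 VIEW dashboard:nodes",
    "[2026-05-18 03:14:31 UTC] analyst:lorikeet-001 VIEW incident:4b7d2aa7",
    "[2026-05-18 03:15:02 UTC] analyst:lorikeet-001 MODIFY node:core-nyc-01 threshold.pps_warn=850000",
    "[2026-05-18 03:15:44 UTC] analyst:lorikeet-001 MODIFY node:core-nyc-01 firewall.block_udp_3702=true",
    "[2026-05-18 03:16:11 UTC] analyst:lorikeet-001 TRIGGER bgp.announce prefix=198.51.100.0/24 community=blackhole",
]

def entry_hash(prev_hash, line):
    """SHA-256 over the previous hash and this entry's text (assumed encoding)."""
    return hashlib.sha256(f"{prev_hash}\n{line}".encode("utf-8")).hexdigest()

def build_chain(lines):
    """Append-only log: each record stores the hash of the record before it."""
    chain, prev = [], GENESIS
    for line in lines:
        digest = entry_hash(prev, line)
        chain.append({"line": line, "prev": prev, "hash": digest})
        prev = digest
    return chain

def verify_chain(chain, pinned_head=None):
    """Return (ok, index of first bad entry or None, reason)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return (False, i, "prev-link mismatch")
        if entry_hash(entry["prev"], entry["line"]) != entry["hash"]:
            return (False, i, "entry content altered")
        prev = entry["hash"]
    # Without a head hash stored outside the log, a dropped tail goes unnoticed.
    if pinned_head is not None and prev != pinned_head:
        return (False, len(chain), "head does not match pinned value")
    return (True, None, "ok")

def demo():
    chain = build_chain(SAMPLE_LINES)
    head = chain[-1]["hash"]  # what a reviewer would record out of band
    edited = [dict(e) for e in chain]
    edited[2]["line"] = edited[2]["line"].replace("850000", "9850000")
    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(chain[:3] + chain[4:], head),
        "truncated_unpinned": verify_chain(chain[:-1]),
        "truncated_pinned": verify_chain(chain[:-1], head),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} {result}")
```

The unpinned truncation case passes verification, which is why the most recent chain hash is worth recording somewhere the log's writer cannot change.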
Who This Is For
Managed DDoS Protection is not a replacement for running Flowtriq yourself. Many customers have capable in-house teams who handle DDoS incidents as a matter of routine. Those teams should keep doing what they are doing. The self-serve platform is built precisely for organizations that want full control over their detection and response workflow.
Managed protection is designed for teams in a different position. The most common fits are:
Hosting Providers and Data Centers
Hosting providers carry DDoS risk on behalf of their customers. When a customer is attacked, the provider's transit links and infrastructure are at risk too. Hosting providers typically have network operations teams, but those teams are stretched across many responsibilities. Managed DDoS Protection gives hosting providers dedicated analyst capacity focused on DDoS specifically, without requiring them to hire and retain specialist DDoS analysts as full-time employees.
Managed Service Providers
MSPs that offer network security services to their own customers can use Flowtriq's managed tier as the analyst layer behind their own offering. The Analyst RBAC model and audit log provide the accountability and transparency that MSP customers expect. White-label deployments are also supported through Flowtriq's White Label Program, allowing MSPs to present managed DDoS protection under their own brand.
Lean Engineering Teams
SaaS companies, fintech operators, and online platforms with small but capable engineering teams often find that DDoS response is a low-frequency, high-stakes event that is difficult to staff for. The skills required for DDoS incident response, particularly BGP operations and network forensics, are not commonly found in software engineering teams. Managed protection fills this gap without requiring the team to hire a network security specialist who would be underutilized between incidents.
Organizations in High-Risk Verticals
Online gaming, financial services, cryptocurrency infrastructure, and government-adjacent organizations face elevated DDoS risk from both financially motivated actors and hacktivist groups. These organizations often have compliance or contractual requirements around incident response time. Managed protection provides documented response SLAs and audit trail evidence that satisfies both operational and compliance requirements.
How Managed Coverage Works in Practice
When you activate managed coverage, Flowtriq provisions an Analyst RBAC account for your assigned analyst team and adds them to your workspace. You will see their account listed in your team management page with the Analyst role clearly indicated. From that point, the analyst team has access to your deployment and begins the onboarding process.
Onboarding
The first week of a managed engagement is spent on onboarding. Analysts review your node configuration, establish your baseline traffic patterns, document your escalation contacts and communication preferences, and set initial threshold targets based on your traffic history. For Respond and Dedicated tiers, analysts conduct a live walkthrough of your current detection configuration and note any immediate tuning opportunities.
You receive a written onboarding summary at the end of week one. This document captures your baseline, the threshold settings the analyst team is working toward, and the escalation procedures agreed to for your account. It is the foundation of your incident response runbook for managed engagements.
During an Incident
When Flowtriq detects an attack, the analyst on duty is notified simultaneously with your configured alert channels. On the Watch tier, the analyst prepares a situation report and contacts your escalation point with full context. On Respond and Dedicated, the analyst begins executing the response immediately and notifies your team in parallel.
Throughout the incident, the analyst maintains a running log of actions taken. When the attack subsides, they produce a written post-incident summary covering:
- Attack timeline: when it started, peak volume, when it ended
- Attack classification: protocol, vector type, estimated source geography
- Actions taken: threshold changes, firewall rules applied, BGP announcements triggered
- Outcome: whether the response was effective and any residual exposure
- Recommendations: any configuration changes suggested based on the attack pattern
Between Incidents
On the Respond and Dedicated tiers, analysts are not idle between incidents. They review your detection logs for false positive patterns, adjust thresholds based on traffic evolution, and monitor threat intelligence feeds for attack campaigns targeting your industry or infrastructure type. On the Dedicated tier, they also participate in your operational reviews and keep your runbooks current as your infrastructure changes.
The audit log entry exists for every action we take. Nothing happens without a record. That is the foundation of the trust model that makes managed analyst access workable for security-conscious organizations.
Self-Serve and Managed: Two Approaches, One Platform
A question worth addressing directly: does adding managed analysts mean Flowtriq is moving away from the self-serve model? No. The self-serve platform is the foundation of everything Flowtriq builds. Managed protection is an additional layer for teams that want it, not a direction change for the product.
Running Flowtriq yourself gives you full control over every threshold, every firewall rule, and every escalation decision. Your team knows your infrastructure better than any analyst ever will. If you have experienced network engineers who enjoy hands-on incident response, self-serve is the right model and will remain fully supported.
Managed protection is for teams in a different operational position: organizations that want Flowtriq's detection quality and response tooling, but where the staffing required for 24/7 coverage is not a good fit for their size, budget, or organizational structure. Both approaches use the same platform, the same detection engine, and the same data. The difference is who is watching the dashboard at 3am.
How to Get Started
Managed DDoS Protection is available now. You do not need to change your existing Flowtriq plan or commit to a contract to get started. The process is straightforward:
- Visit flowtriq.com/managed and review the tier options. If you have questions about which tier fits your situation, the managed page includes a comparison table and a contact form for the managed team.
- Activate the tier that matches your coverage needs. Billing is monthly and can be adjusted or cancelled at any time from your dashboard.
- Complete onboarding. Your analyst team will reach out within one business day to schedule the onboarding review and establish your escalation preferences.
- Get covered. Once onboarding is complete, the analyst team is on watch. Your first post-incident summary, or your first monthly operational review if no incidents occur, will be delivered on schedule.
If you are not yet a Flowtriq customer, you can start a free 7-day trial of the platform at any time. Managed coverage can be added on top of any active subscription, including during a trial period.
Ready to add managed coverage? Visit flowtriq.com/managed to review the three tiers and activate. Watch starts at $499/month, Respond at $1,499/month, and Dedicated at $3,999/month. No long-term contracts. Cancel any time from your dashboard.