Why the DDoS detection industry shifted to SaaS pricing
Five years ago, DDoS detection meant buying a hardware appliance or negotiating an annual software license with a 30-minute sales call as a prerequisite. Both models required significant upfront commitment, long-term contracts, and pricing opacity designed to capture as much budget as the sales team could justify.
The shift to SaaS per-node pricing has changed this substantially. A per-node subscription means you pay a fixed monthly amount for each server, router, or network device running the detection agent. You can add nodes instantly as your infrastructure grows, remove them when you decommission hardware, and see exactly what you are paying without a procurement process.
This model works because modern DDoS detection does not require dedicated hardware. A lightweight agent running on existing infrastructure produces better detection results (lower latency, higher granularity) than a centralized appliance processing sampled flow data.
How per-node pricing works in practice
A node is typically defined as a single server, virtual machine, or network device running the detection agent. For a hosting provider with 50 VPS nodes, 50 nodes times the per-node rate equals the monthly bill. Some vendors define nodes differently (by IP count, by throughput capacity, or by location), which makes comparison harder. Look for transparent per-server or per-instance pricing.
Typical per-node pricing tiers in 2026:
| Nodes | Flowtriq (monthly) | Flowtriq (annual) | Typical enterprise alternative |
|---|---|---|---|
| 1-10 | $9.99/node | $7.99/node | $500-2,000/month flat fee |
| 11-50 | $9.99/node | $7.99/node | $2,000-5,000/month |
| 51-100 | $9.99/node | $7.99/node | $5,000-15,000/month |
| 100+ | Contact for volume pricing | Contact | $15,000-50,000+/month |
At 10 nodes, the annual cost difference between per-node SaaS and entry-level enterprise tools is roughly $800/year vs. $6,000-24,000/year. At 50 nodes, that gap widens further while enterprise alternatives typically offer no proportional value increase.
NetFlow-based detection: what per-node means at the router level
NetFlow-based tools like FastNetMon and Wanguard work differently. Rather than running an agent on each server, they receive flow exports from routers and switches. "Per node" in this context sometimes means per monitored IP prefix, per BGP peer, or per licensed flow export source.
The pricing model for NetFlow tools tends to be flat annual licenses rather than per-node subscriptions, because the monitoring architecture is centralized. A single Wanguard or FastNetMon installation monitors all flows from all connected routers. This creates a different cost structure: the tool is cheap per protected IP, but requires dedicated server infrastructure and manual setup.
For operators with 10-100 servers behind a small number of routers, per-node server-level agents are both cheaper and more accurate than NetFlow tools. For operators protecting hundreds or thousands of IPs through a few upstream BGP peers, NetFlow-based tools may offer better cost efficiency at scale, at the cost of detection speed.
What is included in a per-node DDoS SaaS subscription
Not all per-node pricing is equivalent. At minimum, a per-node subscription should include:
- The detection agent with automatic updates
- Dashboard access with real-time and historical incident data
- Alerting (email, Slack, webhook)
- Automated mitigation (iptables/nftables rule injection or BGP trigger)
- PCAP capture for forensic analysis
- Support via email or chat
Items that are sometimes sold as add-ons and should be scrutinized: PCAP retention (should be included), BGP mitigation integration (should be included), multi-user access (should be included), API access (legitimate add-on for enterprise integrations).
Cloud hosting and per-node DDoS pricing
Cloud-hosted infrastructure adds a wrinkle: cloud providers (AWS, GCP, Azure, Hetzner, OVH) offer varying levels of built-in DDoS protection, but it is typically limited to layer 3/4 volumetric attacks at the network edge and does not provide per-instance visibility or automated response at the server level.
AWS Shield Standard is free but provides no alerting, no forensics, and no per-instance insight. AWS Shield Advanced adds alerting and DRT access at $3,000/month minimum, regardless of how many instances you protect. For a 10-server deployment, that is $300/server/month versus $9.99/server/month for a dedicated per-node SaaS.
The practical recommendation for cloud hosting operators: use the cloud provider's built-in DDoS protection for edge-level volumetric attack absorption, and add per-node detection agents for instance-level visibility, sub-second detection, and automated iptables/nftables response that the cloud provider's tooling does not offer.
Evaluating per-node SaaS tools: what questions to ask
- Is there a free trial with no credit card required? (This is a strong signal of product confidence.)
- What is the detection latency, and is it bounded by sampling rates?
- What does automated mitigation actually do? (Injecting iptables rules and triggering a BGP null-route have very different implications.)
- How is "node" defined for billing purposes? (Server, IP, throughput tier?)
- Is there a minimum commitment? (Avoid annual contracts without a trial period.)
- What happens if a node goes offline for a month? (Good SaaS tools only charge for active nodes.)