Category 1: Detection Speed
Detection speed is the single most important differentiator in DDoS protection. Every second of detection delay translates directly into seconds of unmitigated attack impact. Yet most vendors describe their detection as "real-time" without defining what that means in measurable terms.
Questions to Ask
- What is your P50 detection latency? This is the median time from attack start to alert. Anything above 5 seconds is not real-time by any engineering standard.
- What is your P99 detection latency? The P99 tells you how detection performs under worst-case conditions. Some vendors detect common volumetric attacks quickly but take minutes to identify application-layer or protocol-specific attacks.
- What polling interval do you use? SNMP-based solutions poll every 1 to 5 minutes. Flow-based solutions (NetFlow, sFlow, IPFIX) typically operate on 30-second to 5-minute export intervals. Agent-based solutions can analyze traffic every second or faster. The polling interval sets a hard floor on detection speed.
- Can you provide detection latency data from a live POC? Any vendor confident in their detection speed will be willing to demonstrate it against real or simulated attack traffic during an evaluation.
Scoring Criteria
| Detection Latency | Score | Notes |
|---|---|---|
| Sub-second (P50 < 1s) | 5/5 | Agent-based, per-second analysis |
| 1-10 seconds | 4/5 | Fast flow analysis or inline |
| 10-60 seconds | 3/5 | Standard flow-based detection |
| 1-5 minutes | 2/5 | SNMP polling or slow flow exports |
| >5 minutes | 1/5 | Unacceptable for production use |
"Real-time" is a marketing term, not a technical specification. Always ask for P50 and P99 detection latency measured in seconds, not vague claims about speed.
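The P50/P99 questions above are easy to answer once you have actual measurements from a POC. The script below is an added example (not code from the article or from any vendor's product): it takes constructed (attack start, alert time) pairs from a hypothetical evaluation, computes nearest-rank P50 and P99 latency, maps the median onto the scoring table above, and applies a plausibility check against the polling interval. The sample timestamps and the "P99 cannot beat the polling interval" rule of thumb are my own assumptions.

```python
"""Measure and score a vendor's DDoS detection latency from POC runs.

Added example, not from the original article or any vendor. It turns
(attack_start, alert_time) pairs collected during an evaluation into the
P50/P99 figures the article asks for and the 1-5 score from its table.
"""
from __future__ import annotations

import math

# Constructed sample: seconds since the start of the test window.
# Each pair is (time the test attack was launched, time the vendor alerted).
# The 11th and 12th runs stand in for application-layer tests the tool was slow to flag.
SAMPLE_RUNS: list[tuple[float, float]] = [
    (0.0, 0.8), (60.0, 60.6), (120.0, 121.4), (180.0, 180.9),
    (240.0, 240.7), (300.0, 300.5), (360.0, 360.9), (420.0, 420.6),
    (480.0, 481.1), (540.0, 540.8), (600.0, 607.5), (660.0, 695.0),
]


def latencies(runs: list[tuple[float, float]]) -> list[float]:
    """Detection latency per run, rounded to milliseconds."""
    out = []
    for start, alert in runs:
        if alert < start:
            # An alert that predates its attack means the two clocks are not synchronised.
            raise ValueError(f"alert at {alert}s precedes attack start at {start}s; check clock sync")
        out.append(round(alert - start, 3))
    return out


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile: the smallest sample such that at least p% of samples are <= it."""
    if not values:
        raise ValueError("no samples")
    if not 0 < p <= 100:
        raise ValueError("p must be in (0, 100]")
    ordered = sorted(values)
    rank = math.ceil(p / 100 * len(ordered))  # 1-based rank
    return ordered[rank - 1]


def detection_score(p50: float) -> int:
    """Map the median detection latency onto the article's 1-5 scale."""
    if p50 < 1:
        return 5       # sub-second
    if p50 < 10:
        return 4       # 1-10 seconds
    if p50 < 60:
        return 3       # 10-60 seconds
    if p50 <= 300:
        return 2       # 1-5 minutes
    return 1           # over 5 minutes


def plausible_p99(claimed_p99_s: float, polling_interval_s: float) -> bool:
    """A polled collector cannot see an attack that began just after the last poll until the
    next one, so a claimed P99 below the polling interval is not credible. (Rule of thumb,
    my assumption.)"""
    return claimed_p99_s >= polling_interval_s


def evaluate(runs: list[tuple[float, float]]) -> dict:
    """P50, P99 and score for a set of POC runs."""
    lat = latencies(runs)
    p50, p99 = percentile(lat, 50), percentile(lat, 99)
    return {"p50": p50, "p99": p99, "score": detection_score(p50), "samples": len(lat)}


if __name__ == "__main__":
    r = evaluate(SAMPLE_RUNS)
    print(f"P50 {r['p50']}s  P99 {r['p99']}s  score {r['score']}/5 over {r['samples']} runs")
    print("claimed 0.9s P99 on 60s SNMP polling plausible?", plausible_p99(0.9, 60))
```

Note how the constructed sample scores 5/5 on P50 while its P99 is 35 seconds: that is exactly the gap the P99 question is meant to expose, so report both numbers, not just the one that looks good.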
Category 2: Classification Depth
Detecting that an attack is happening is step one. Classifying what type of attack it is determines whether your response will be effective. A vendor that detects "high traffic" but cannot tell you whether it is a SYN flood, DNS amplification, or HTTP slowloris is not providing actionable intelligence.
Questions to Ask
- How many distinct attack types can you classify? Basic solutions detect volumetric floods only. Advanced solutions classify dozens of attack vectors including SYN floods, UDP amplification (DNS, NTP, CLDAP, memcached), TCP state exhaustion, HTTP floods, slowloris, RUDY, DNS water torture, GRE floods, and protocol-specific anomalies.
- Do you operate at the protocol level or just volumetric? Volumetric-only detection misses application-layer attacks entirely. If the vendor cannot explain how they detect a 500 req/s HTTP flood against a login endpoint versus a 100 Gbps UDP reflection, that is a significant gap.
- How do you handle multi-vector attacks? Modern attacks frequently combine multiple vectors simultaneously. The vendor should be able to classify and report each vector independently within a single incident.
- Do you provide per-protocol and per-port breakdown during an attack? Granular visibility into which protocols and destination ports are being targeted is essential for effective mitigation. Without it, your team is guessing.
Scoring Criteria
| Classification Capability | Score | Notes |
|---|---|---|
| Protocol-level, 30+ attack types | 5/5 | Full packet or detailed flow analysis |
| Protocol-level, 10-30 types | 4/5 | Good coverage of common vectors |
| Basic protocol, <10 types | 3/5 | Misses application-layer attacks |
| Volumetric only | 2/5 | Cannot classify attack type |
| Binary (attack/no attack) | 1/5 | Useless for response planning |
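What "protocol-level" classification and a per-protocol, per-port breakdown look like in practice, as an added example (not code from the article or any vendor's product): a handful of constructed, aggregated flow records for one victim are labelled per vector using transport protocol, TCP flags, well-known reflector source ports and average packet size, then summed per protocol and per destination port so a multi-vector incident reports each vector separately. The thresholds are toy values I chose for the sample, not tuned for any real network.

```python
"""Protocol-level classification of aggregated flow records.

Added example, not the article's or any vendor's code. Constructed flow records
are labelled per attack vector and the incident is broken down per protocol and
per destination port. Thresholds are toy values; real deployments baseline them per target.
"""
from __future__ import annotations

from collections import Counter

TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10

# Reflection services answer from a well-known port, so the victim sees it as the *source* port.
REFLECTOR_PORTS = {53: "DNS amplification", 123: "NTP amplification",
                   389: "CLDAP amplification", 11211: "memcached amplification"}

# Constructed sample: one aggregated record per (proto, src_port, dst_port, flags) during the incident.
SAMPLE_FLOWS = [
    {"proto": UDP, "src_port": 53, "dst_port": 4444, "tcp_flags": 0, "packets": 900_000, "bytes": 1_200_000_000},
    {"proto": UDP, "src_port": 123, "dst_port": 4444, "tcp_flags": 0, "packets": 300_000, "bytes": 140_000_000},
    {"proto": TCP, "src_port": 51000, "dst_port": 443, "tcp_flags": SYN, "packets": 2_000_000, "bytes": 120_000_000},
    {"proto": TCP, "src_port": 52000, "dst_port": 443, "tcp_flags": SYN | ACK, "packets": 4_000, "bytes": 3_000_000},
    {"proto": UDP, "src_port": 40000, "dst_port": 53, "tcp_flags": 0, "packets": 500, "bytes": 40_000},
]

MIN_ATTACK_PACKETS = 100_000   # below this a record is treated as background traffic
AMPLIFIED_AVG_BYTES = 400      # reflected replies are large; the victim's own queries are not
SYN_AVG_BYTES = 120            # SYN-only packets carry no payload


def classify_flow(flow: dict) -> str | None:
    """Return a vector label for one record, or None when it looks like ordinary traffic."""
    if flow["packets"] < MIN_ATTACK_PACKETS:
        return None
    avg = flow["bytes"] / flow["packets"]
    if flow["proto"] == UDP:
        if flow["src_port"] in REFLECTOR_PORTS and avg > AMPLIFIED_AVG_BYTES:
            return REFLECTOR_PORTS[flow["src_port"]]
        return "UDP flood"
    if flow["proto"] == TCP:
        syn_only = bool(flow["tcp_flags"] & SYN) and not flow["tcp_flags"] & ACK
        if syn_only and avg < SYN_AVG_BYTES:
            return "SYN flood"
        # Flow data alone cannot tell an HTTP flood from busy legitimate users; that needs L7 visibility.
        return "TCP flood"
    return f"protocol {flow['proto']} flood"


def classify_incident(flows: list[dict]) -> dict:
    """Per-vector labels plus the per-protocol / per-destination-port byte breakdown for an incident."""
    vectors, by_proto, by_dst_port = Counter(), Counter(), Counter()
    for flow in flows:
        by_proto[flow["proto"]] += flow["bytes"]
        by_dst_port[(flow["proto"], flow["dst_port"])] += flow["bytes"]
        label = classify_flow(flow)
        if label is not None:
            vectors[label] += flow["bytes"]
    return {
        "vectors": dict(vectors),
        "multi_vector": len(vectors) > 1,
        "bytes_by_proto": dict(by_proto),
        "bytes_by_dst_port": dict(by_dst_port),
    }


if __name__ == "__main__":
    report = classify_incident(SAMPLE_FLOWS)
    for label, nbytes in sorted(report["vectors"].items(), key=lambda kv: -kv[1]):
        print(f"{label:24s} {nbytes / 1e9:6.2f} GB")
    print("multi-vector:", report["multi_vector"])
```

The sample deliberately mixes three vectors with two benign records; a volumetric-only tool would report one number for all of it, which is the difference between a 2/5 and a 5/5 in the table above.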
Category 3: Forensics and Evidence
After an attack, you need evidence: for incident reports, insurance claims, law enforcement, and improving your defenses. The quality of forensic data a vendor provides varies enormously.
Questions to Ask
- Do you capture PCAPs during attacks? Packet capture is the gold standard of forensic evidence. It provides complete, undeniable proof of what traffic hit your network and when. Not all vendors offer this, and some that do charge extra for it.
- What is the retention period for forensic data? Some vendors retain attack data for 7 days. Others for 90 days or a year. For compliance and insurance purposes, you typically need at least 90 days of retention.
- Can you export raw data? If the vendor holds your forensic data in a proprietary format with no export capability, you are dependent on them for every analysis, report, and legal proceeding. Ensure you can export PCAPs, flow records, and incident timelines in standard formats.
- Do you provide automated incident reports? Post-attack documentation should be generated automatically with timeline, attack classification, peak metrics, source analysis, and mitigation actions taken. Manual report generation is a time sink that delays response and introduces human error.
Scoring Criteria
| Forensic Capability | Score | Notes |
|---|---|---|
| PCAP capture + auto reports + export | 5/5 | Full evidence chain |
| Flow records + auto reports | 4/5 | Good but missing packet-level detail |
| Basic logs + manual reports | 3/5 | Adequate for simple incidents |
| Dashboard only, no export | 2/5 | Vendor lock-in on your own data |
| No forensic data retained | 1/5 | Cannot prove what happened |
Category 4: Mitigation Automation
Detection without mitigation is an expensive alert generator. The vendor's mitigation capabilities and the degree of automation they support determine how quickly an attack moves from "detected" to "neutralized."
Questions to Ask
- What mitigation methods are supported? Common options include BGP blackhole, BGP FlowSpec, upstream scrubbing center diversion, on-premise filtering, API-triggered firewall rules, and webhook-based automation. The more options available, the more flexibility you have.
- What level of automation is available? Manual mitigation means a human must decide and act. Semi-automated means the system recommends an action and a human approves. Fully automated means the system detects, decides, and acts without human intervention. Each level has trade-offs, and the right answer depends on your risk tolerance.
- Can you define escalation levels? Ideally, the system should support tiered responses: small attacks get automated mitigation, medium attacks get automated mitigation plus team notification, and large attacks trigger full incident response. One-size-fits-all mitigation is rarely appropriate.
- What is the time from detection to mitigation activation? If detection takes 1 second but mitigation takes 10 minutes to activate, you still have 10 minutes of unmitigated attack. The end-to-end response time is what matters.
Category 5: Alerting and Integrations
Your DDoS detection system needs to plug into your existing operational workflow. An alert that nobody sees is the same as no alert at all.
Questions to Ask
- What alerting channels are supported? At minimum: email, webhook, Slack, PagerDuty, and syslog. Bonus points for Microsoft Teams, OpsGenie, Telegram, and custom API integrations.
- Can alerts be customized per threshold, per target, and per attack type? You do not want the same alert for a 1 Gbps volumetric probe and a 100 Gbps sustained flood. Granular alert configuration prevents alert fatigue.
- Is there a documented API? A REST API allows you to integrate detection data into your SIEM, SOAR platform, or custom dashboards. Without an API, the vendor is a silo.
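The escalation levels from Category 4 and the per-threshold, per-target, per-attack-type alerting from Category 5 are two views of one policy, so one added example serves both (it is not code from the article or any vendor's product). It maps a classified attack to a small/medium/large tier with its mitigation actions and alert channels, lets a critical target escalate at a lower threshold, suppresses repeat alerts inside a window to avoid fatigue, and adds detection latency to mitigation activation time to get the end-to-end figure the article says is what matters. Tier thresholds, action names and channel names are my own choices.

```python
"""Tiered escalation and alert routing for a detected DDoS event.

Added example, not the article's or any vendor's code. Thresholds, tier names,
mitigation action names and channel names are my own choices.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Attack:
    target: str                 # monitored object, e.g. a prefix or host group
    vector: str                 # label from the classification stage
    peak_gbps: float
    detection_latency_s: float  # attack start to alert, as measured


@dataclass(frozen=True)
class Response:
    tier: str
    mitigations: tuple[str, ...]
    channels: tuple[str, ...]
    needs_human_approval: bool


# Per-target ceiling (Gbps) of the "small" tier: a production edge escalates earlier than a lab range.
SMALL_CEILING_GBPS = {"default": 5.0, "prod-edge": 1.0, "lab-range": 50.0}
MEDIUM_CEILING_GBPS = 40.0

# Vector-specific first action: reflected traffic can be rate-limited on its well-known
# source port with FlowSpec; a SYN flood is better absorbed at the TCP layer.
VECTOR_MITIGATION = {
    "DNS amplification": "flowspec_ratelimit_udp_src_53",
    "NTP amplification": "flowspec_ratelimit_udp_src_123",
    "SYN flood": "enable_syn_cookies",
}


def escalate(attack: Attack) -> Response:
    """Pick tier, actions and channels; only the large tier asks a human before acting."""
    first = VECTOR_MITIGATION.get(attack.vector, "flowspec_rate_limit")
    small_max = SMALL_CEILING_GBPS.get(attack.target, SMALL_CEILING_GBPS["default"])
    if attack.peak_gbps < small_max:
        return Response("small", (first,), ("syslog",), False)
    if attack.peak_gbps < MEDIUM_CEILING_GBPS:
        return Response("medium", (first, "notify_noc"), ("syslog", "slack"), False)
    # Large: scrubbing diversion is automated, blackholing your own prefix is proposed, not executed.
    return Response("large", (first, "scrubbing_diversion", "blackhole_proposed"),
                    ("syslog", "slack", "pagerduty"), True)


def unmitigated_window_s(attack: Attack, activation_s: float) -> float:
    """The number that matters: detection latency plus the time the mitigation needs to take effect."""
    return attack.detection_latency_s + activation_s


class AlertSuppressor:
    """Drop repeat alerts for the same (target, vector, tier) inside a suppression window."""

    def __init__(self, window_s: float = 300.0):
        self.window_s = window_s
        self._last_sent: dict[tuple[str, str, str], float] = {}

    def should_send(self, attack: Attack, response: Response, now_s: float) -> bool:
        key = (attack.target, attack.vector, response.tier)
        last = self._last_sent.get(key)
        if last is not None and now_s - last < self.window_s:
            return False
        self._last_sent[key] = now_s
        return True


if __name__ == "__main__":
    probe = Attack("prod-edge", "UDP flood", 0.8, 0.9)
    flood = Attack("prod-edge", "DNS amplification", 120.0, 0.7)
    for a in (probe, flood):
        r = escalate(a)
        print(f"{a.vector:18s} {a.peak_gbps:6.1f} Gbps -> {r.tier:6s} {r.mitigations} via {r.channels}")
    print("end-to-end with 600s scrubbing activation:", unmitigated_window_s(flood, 600.0), "s")
```

A 0.8 Gbps probe and a 120 Gbps flood against the same edge produce different tiers, actions and channels, which is the point of the alert-fatigue question; and the 600-second activation in the last line shows how sub-second detection is wasted if the mitigation path is slow.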
Category 6: Multi-Tenancy and Scalability
If you manage infrastructure for multiple customers, business units, or environments, multi-tenancy is not optional. It is a core requirement.
Questions to Ask
- Can you create isolated tenants with separate dashboards and alerting? MSPs, hosting providers, and enterprises with multiple business units need per-tenant visibility without cross-tenant data exposure.
- Is there role-based access control? Different team members need different levels of access. A NOC operator needs alert visibility. A security analyst needs forensic data. An executive needs summary reports.
- How does the platform scale? Ask about the maximum number of monitored nodes, sources, or interfaces. Ask about horizontal scaling. Ask about performance degradation under load. A platform that works for 10 nodes but struggles at 500 is not ready for production.
Category 7: Pricing Model
DDoS protection pricing varies wildly, and the pricing model itself reveals a lot about how the vendor views the relationship.
Questions to Ask
- What is the pricing unit? Per-node, per-Gbps, per-source, flat rate, or bandwidth-based? Each model has different cost scaling characteristics. Per-node pricing scales linearly with infrastructure size. Bandwidth-based pricing can spike unpredictably during attacks (when you need protection most).
- Are there overage charges? Some vendors charge extra when attack traffic exceeds a threshold. This means you pay more precisely when you are under attack, which is the opposite of how protection should work.
- Are there per-attack fees? Some scrubbing services charge per mitigation event. If you face 20 attacks per month, per-attack fees add up quickly.
- What is the minimum commitment? Annual contracts with auto-renewal are standard, but some vendors require multi-year commitments with substantial early termination fees.
- Is there a free trial or POC period? Any vendor confident in their product will offer a meaningful evaluation period. If a vendor will not let you test before committing, treat that as a red flag.
| Pricing Model | Pros | Cons |
|---|---|---|
| Per-node (e.g., $9.99/node/mo) | Predictable, scales with infrastructure | Cost increases with node count |
| Per-source (e.g., $19/source/mo) | Predictable, good for flow monitoring | Cost increases with source count |
| Bandwidth-based | Aligns with network size | Spikes during attacks, unpredictable |
| Flat rate | Simple budgeting | Often expensive, overpay at small scale |
| Enterprise custom | Tailored to needs | Opaque pricing, long sales cycle |
Category 8: Data Ownership
This category is frequently overlooked, and it should not be. Your traffic data, PCAPs, flow records, and incident logs are your data. Not the vendor's.
Questions to Ask
- Who owns the data collected by your platform? Read the ToS carefully. Some vendors claim rights to use your traffic data for their own analytics, threat intelligence products, or machine learning training. Your network data should remain yours.
- Can I export all my data at any time? If you decide to switch vendors, can you take your historical data with you? If the answer is no, you are locked in regardless of what the contract says about termination.
- Where is data stored and processed? For organizations with data residency requirements (GDPR, data sovereignty laws), the physical location of data processing matters. Ask specifically where PCAPs and flow records are stored.
Category 9: Deployment Model
How the solution is deployed affects everything from detection speed to operational overhead to failure modes.
Questions to Ask
- Agent-based, flow-based, or inline? Agent-based solutions install software on your servers or network devices and analyze traffic locally, offering the fastest detection. Flow-based solutions analyze NetFlow/sFlow/IPFIX data exported from routers and switches. Inline solutions sit in the traffic path and can filter in real time but add latency and become a single point of failure.
- What is the deployment footprint? How much CPU, memory, and bandwidth does the agent or collector consume? A detection agent that uses 10% of your server's CPU is a non-starter. Lightweight agents that consume minimal resources are essential for production use.
- How long does deployment take? Some solutions require weeks of professional services engagement. Others can be deployed in minutes. Ask for a realistic deployment timeline based on your environment size.
- What happens if the detection system fails? Inline solutions that fail can take your network down. Agent-based and flow-based solutions fail gracefully because they operate out-of-band. Understanding failure modes is critical for production environments.
Category 10: Vendor Lock-in Risks
Vendor lock-in is a real risk in the DDoS protection space. Switching costs can be substantial if your detection, alerting, automation, and forensic workflows are all tied to a single proprietary platform.
Red Flags to Watch For
- Proprietary data formats with no export. If you cannot get your data out, you cannot leave.
- Long-term contracts with early termination fees. Multi-year commitments should come with significant discounts to justify the lock-in.
- No API or limited API. Without an API, all your integrations break when you switch.
- Custom hardware requirements. If the vendor requires their own appliances, you are buying hardware that becomes obsolete or useless if you switch vendors.
- Bundled services that create dependencies. If your DDoS protection is bundled with CDN, WAF, and DNS, switching the DDoS component means untangling everything.
The best DDoS protection vendor is the one that makes it easy to leave. Open data formats, documented APIs, and standard integrations mean you stay because the product is good, not because switching is painful.
The Complete Scoring Checklist
Use this scoring framework to evaluate each vendor on a 1-5 scale across all categories. Weight the categories based on your organization's priorities.
| Category | Weight (Suggested) | Vendor A | Vendor B | Vendor C |
|---|---|---|---|---|
| Detection Speed | 20% | ___/5 | ___/5 | ___/5 |
| Classification Depth | 15% | ___/5 | ___/5 | ___/5 |
| Forensics & Evidence | 15% | ___/5 | ___/5 | ___/5 |
| Mitigation Automation | 15% | ___/5 | ___/5 | ___/5 |
| Alerting & Integrations | 10% | ___/5 | ___/5 | ___/5 |
| Multi-Tenancy & Scale | 5% | ___/5 | ___/5 | ___/5 |
| Pricing Model | 10% | ___/5 | ___/5 | ___/5 |
| Data Ownership | 5% | ___/5 | ___/5 | ___/5 |
| Deployment Model | 5% | ___/5 | ___/5 | ___/5 |
| Vendor Lock-in Risk | 5% (inverse) | ___/5 | ___/5 | ___/5 |
| Weighted Total | 100% | ___ | ___ | ___ |
Adjust the weights for your environment. A financial services company might weight detection speed and forensics at 25% each. An MSP might weight multi-tenancy at 15%. A startup might weight pricing model at 20%. The framework is designed to be adapted, not used rigidly.
Run this checklist against Flowtriq. Sub-second detection (P50 under 1 second). Protocol-level classification across 30+ attack types. PCAP forensics with automated incident reports. Webhook-based mitigation automation. Per-node pricing at $9.99/month with no overage charges. Full API access. No lock-in. Start a free 7-day trial and score it yourself.