Back to Blog

The MSP Opportunity

Most small and mid-size businesses have no DDoS detection at all. They rely on their hosting provider or ISP to handle it, and when an attack hits, they have zero visibility into what is happening or what is being done about it. For an MSP that already manages their servers, firewalls, and monitoring, adding DDoS detection is a natural upsell with strong margins.

The economics are simple. Flowtriq costs $9.99/node/month at base pricing, with volume discounts for larger deployments. MSPs typically resell DDoS monitoring at $25 to $75 per node per month, depending on the client's industry and the level of service wrapped around it. That is a 2.5x to 7.5x markup on a service that requires minimal ongoing labor once configured.

The value proposition to clients is equally straightforward: "We monitor your servers for DDoS attacks 24/7. When an attack hits, our automated systems mitigate it in seconds, update your status page, and document everything. You get a monthly report showing what we stopped."

Why clients buy this

  • Insurance requirements. Cyber insurance policies increasingly require documented DDoS detection and response capabilities. Your clients may need this for policy renewal.
  • Compliance mandates. NIS2, DORA, PCI DSS, and SOC 2 all reference availability protection. DDoS detection provides auditable evidence of security controls.
  • Past incidents. Clients who have been DDoSed before need no convincing. They just need a solution that works.
  • Competitive pressure. If their competitors advertise "DDoS protected infrastructure" and they do not, they are at a disadvantage in sales conversations.

White-Label Setup

White-labeling means your clients interact with a DDoS detection platform that carries your brand, not Flowtriq's. The dashboard, status pages, email notifications, and reports all use your logo, colors, and domain.

What gets white-labeled

  • Dashboard: Your logo in the header, your brand colors in the UI, your company name in the page title. Clients who log in see your brand everywhere.
  • Status pages: Each client gets a status page on your domain (e.g., status.yourmsp.com/clientname or clientname-status.yourmsp.com). No Flowtriq branding visible.
  • Email notifications: Alert emails come from your domain (e.g., [email protected]) with your logo and branding in the template.
  • Reports: Monthly and incident reports carry your logo and are formatted as deliverables from your company to the client.

Setting up white-label

From the MSP admin panel, navigate to Branding. Upload your logo (SVG or PNG), set your primary brand color, configure your notification email domain (requires DNS verification), and set up your status page domain (CNAME record).

White-label configuration:
  Logo:           your-logo.svg (uploaded)
  Primary color:  #2563eb (your brand blue)
  Email domain:   alerts.yourmsp.com
    DNS: CNAME alerts.yourmsp.com -> mail.flowtriq.com
    DNS: TXT   _dmarc.alerts.yourmsp.com -> ...
  Status domain:  status.yourmsp.com
    DNS: CNAME status.yourmsp.com -> pages.flowtriq.com

Once configured, everything client-facing carries your brand. The only place clients see "Flowtriq" is nowhere.

Multi-Workspace Management

Each client in your MSP gets their own workspace. Workspaces are completely isolated: a client's nodes, alerts, runbooks, status pages, and incident history are invisible to every other client. Your MSP admin account has a master view across all workspaces.

Workspace isolation

Isolation is not just a UI concern. It is a security boundary. Each workspace has its own API tokens, its own agent enrollment keys, its own webhook endpoints, and its own data retention. A compromised API token in one client workspace cannot access another client's data.

Master dashboard

Your MSP team sees a unified dashboard that shows all client workspaces in one view. From the master dashboard, you can:

  • See active incidents across all clients on a single screen.
  • Drill into any workspace without re-authenticating.
  • Compare metrics across clients (useful for identifying coordinated attacks targeting multiple clients).
  • Manage agent enrollment and deploy new agents to client nodes.
  • Generate cross-client reports for your own internal analytics (attack frequency, mitigation success rate, etc.).

Role-based access

You control what each client user can see and do within their workspace:

Role: Client Admin
  - View dashboard and incident history
  - View status page configuration
  - Subscribe to notifications
  - Cannot modify detection thresholds
  - Cannot modify runbooks
  - Cannot access agent configuration

Role: Client Viewer
  - View dashboard (read-only)
  - View incident history
  - Cannot modify anything

Role: MSP Operator
  - Full access to all client workspaces
  - Can modify thresholds, runbooks, and status pages
  - Cannot modify billing or white-label settings

Role: MSP Admin
  - Full access to everything
  - Billing, white-label, workspace creation

Most MSPs keep runbook and threshold management in-house (MSP Operator role) and give clients read-only access (Client Viewer role). This prevents clients from accidentally disabling detection or misconfiguring mitigation, while still giving them full visibility into what is happening on their infrastructure.

Per-Client Alerting

Each client workspace has its own notification channels. Your client's alerts go to their team. Your MSP's internal alerts go to your NOC. Both fire simultaneously.

Client-facing notifications

Configure each client workspace with the notification channels their team uses:

  • Email: Client's operations team email addresses.
  • Slack: Client's Slack workspace (via webhook URL). The client provides you with a webhook URL for their #incidents channel, and you configure it in their workspace.
  • PagerDuty/Opsgenie: Client's on-call system integration key.
  • Status page: Auto-publish incidents to the client's branded status page.

MSP internal notifications

Separately, configure your own MSP notifications that fire for events across all client workspaces:

MSP internal alerting:
  All clients, severity >= High:
    -> Slack #msp-noc-critical
    -> PagerDuty (MSP on-call rotation)

  All clients, severity >= Medium:
    -> Slack #msp-noc-general

  Client "Acme Corp", any severity:
    -> Slack #acme-dedicated (for premium clients
       with dedicated NOC attention)

This dual notification model means the client's team and your MSP team both learn about incidents simultaneously. For clients on premium support tiers, your team may respond before the client even sees the notification.

Billing and Volume Pricing

Flowtriq bills MSPs at a flat per-node rate with volume discounts. You bill your clients at whatever rate makes sense for your market and service level.

Flowtriq MSP pricing

Volume tiers (per node/month):
  1-25 nodes:     $9.99/node
  26-100 nodes:   $7.99/node
  101-500 nodes:  $5.99/node
  500+ nodes:     Contact sales

Resale pricing guidance

Based on what we see across our MSP partners, typical resale pricing depends on the service tier you offer:

  • Basic monitoring (alerts only): $25 to $35/node/month. You deploy the agent, configure detection, and forward alerts to the client. The client handles their own response.
  • Managed detection + response: $45 to $65/node/month. You deploy, configure, build runbooks, handle incident response, and provide monthly reports. The client gets a branded dashboard and status page.
  • Premium (dedicated NOC): $75 to $150/node/month. Everything in managed, plus dedicated NOC attention, custom runbooks, quarterly security reviews, and 15-minute SLA for human acknowledgment of any incident.

The margin at every tier is healthy. At 100 nodes on the managed tier ($55/node average), your monthly Flowtriq cost is $799 and your revenue is $5,500. That is $4,701 in margin before labor, and the labor for a well-automated 100-node deployment is minimal.

Client Onboarding Flow

A streamlined onboarding process is critical for MSP profitability. Every hour you spend onboarding a client is an hour you cannot bill. Here is the onboarding workflow we recommend:

  1. Create workspace (2 minutes). From the MSP admin panel, create a new client workspace. Set the client name, assign a workspace slug, and configure initial branding.
  2. Deploy agents (5 minutes per node). Generate the client's enrollment token and deploy the agent to each server. For clients where you have existing configuration management (Ansible, Puppet), this is a playbook run.
  3. Baseline period (48 to 72 hours, no labor). Let the agents run in observation mode to build traffic baselines. No action required during this period.
  4. Configure detection (15 minutes). Review the baselines, set appropriate thresholds, and assign node tags.
  5. Build runbooks (20 minutes). Start with a standard runbook template (most clients need the same basic flow: detect, mitigate, notify, document) and customize for client-specific requirements.
  6. Set up status page (10 minutes). Create the client's branded status page with appropriate components and subscriber settings.
  7. Client handoff (30 minutes). Walk the client through their dashboard, show them the status page, explain the notification channels, and set expectations for incident response.

Total active labor: approximately 90 minutes per client (plus 5 minutes per additional node). After onboarding, the ongoing management overhead is typically 15 to 30 minutes per client per month for threshold tuning, runbook updates, and monthly reporting.

Billing System Integration

If you use WHMCS or Blesta for client billing, you can sync Flowtriq node counts to your billing platform to automate usage-based invoicing.

Flowtriq exposes a billing API that returns the current node count per workspace:

GET /api/v1/msp/workspaces/{workspace_id}/billing
Authorization: Bearer {msp_api_token}

Response:
{
  "workspace_id": "ws_acme",
  "client_name": "Acme Corp",
  "active_nodes": 12,
  "period_start": "2026-06-01",
  "period_end": "2026-06-30",
  "incidents_this_period": 3,
  "total_attack_volume_gb": 847
}

Use this API to build a WHMCS provisioning module or Blesta plugin that automatically creates and adjusts line items based on active node counts. When a client adds a server and you deploy the agent, the node count increments and the next invoice reflects the addition.

Monthly reports for upselling: Every workspace automatically generates a monthly summary: number of attacks detected, total attack volume mitigated, and uptime percentage. Send these to clients as branded PDF reports. They serve dual duty as proof of value (justifying the monthly fee) and as upsell opportunities ("Your attack frequency increased 40% this quarter. Let us discuss upgrading to the premium tier with dedicated NOC coverage").

Getting Started as an MSP Partner

The MSP deployment path starts with your own infrastructure. Deploy Flowtriq on your internal nodes first. Build confidence in the detection accuracy, tune your standard runbook templates, and develop your onboarding process. Then start offering it to clients.

Flowtriq MSP pricing starts at $9.99/node/month with volume discounts from 26 nodes. Start your free 14-day trial to deploy across your first few client nodes, or review pricing tiers to model your margins.

Back to Blog

Related Articles

Fundamentals

How MSPs can offer DDoS protection as a managed service

Multi-tenant architecture, per-client escalation, and pricing models for managed DDoS services.
Fundamentals

How automated runbooks replace your 3 AM war room

Build runbooks that handle detection, mitigation, and documentation without human intervention.
Fundamentals

Announcing managed DDoS protection

Flowtriq's managed protection offering for providers who want turnkey DDoS defense.