What Wanguard Is
Wanguard is on-premises software by Andrisoft. It is not SaaS — you license it, deploy it on your own servers, and maintain it yourself. Its primary targets are telecom operators and ISPs managing large WAN networks, hosting providers, data centers, and MSSPs.
The Multi-Component Architecture
Wanguard is not a single binary. It ships as three separately licensed components:
- Wanguard Sensor — the detection engine. Ingests NetFlow/sFlow/IPFIX or packet capture data and identifies anomalies.
- Wanguard Filter — the mitigation engine. Applies BGP FlowSpec, RTBH, or scrubbing diversion.
- Wanguard Console — centralized web-based management with multi-tenant support.
Single site: manageable. Multi-site ISP: each site may require its own Sensor instance (and potentially a Filter instance), each carrying its own license. The cost compounds with site count in a way that per-node SaaS pricing does not.
Detection — NetFlow vs. Packet Capture
In NetFlow/sFlow mode, detection latency is 30-60 seconds — the same as all flow-based systems. Wanguard handles the analysis well, but the upstream data source limits detection speed.
In packet capture mode (40/100 Gbps), dedicated capture hardware at each monitored segment enables faster detection. This requires dedicated servers or capture cards at your network taps.
For operators investing in packet capture infrastructure, Wanguard gets considerably faster. For operators on NetFlow/sFlow — the more common deployment — the detection window is the same as any other flow-based system.
Operational Overhead at Scale
The overhead of a self-hosted architecture compounds with scale in three specific ways:
- Maintenance — software updates, security patches, and version upgrades are your responsibility across every instance at every site.
- Hardware lifecycle — replacement cycles across all components become your team's project, not the vendor's.
- No vendor-managed uptime — when Wanguard goes down due to server failure or misconfiguration, detection stops, and the gap lasts until your team resolves it.
For large telecoms with dedicated NOC teams, these are expected costs of doing business. For lean ISP teams, the overhead compounds meaningfully as site count grows.
Per-Server Visibility Gap
Wanguard sees traffic at the points where your NetFlow exporters or packet capture taps are deployed. It does not provide:
- Packet-level visibility into individual server behavior
- Per-server PCAP forensics
- Host-side CPU, connection table, or application metrics during an attack
Wanguard + Flowtriq: Some operators run both tools. Wanguard provides network-aggregate visibility and BGP-based mitigation at the network level; Flowtriq adds per-server sub-second detection and PCAP forensics at the host level. The two tools cover different layers of the detection stack.
Wanguard vs. Flowtriq
| Feature | Wanguard | Flowtriq |
|---|---|---|
| Deployment | On-premises licensed software | SaaS agent |
| Detection source | NetFlow/sFlow or packet capture hardware | Per-packet (all traffic) |
| Detection speed | 30-60 sec (NetFlow) or faster with packet capture HW | Under 1 second |
| Per-server visibility | No | Yes |
| PCAP forensics | No (network-level only) | Yes (host-level) |
| Licensing model | Per-component, per-site | Per-node SaaS |
| Maintenance | Self-managed | Vendor-managed |
| Console | Web-based (self-hosted) | Hosted dashboard |
Evaluation Checklist
- Count your sites and multiply by component licenses to model total cost
- Assess packet capture hardware requirements for sub-60-second detection
- Evaluate team capacity for multi-component maintenance across sites
- Identify per-server forensic requirements
- Run Wanguard and Flowtriq side-by-side at one site to compare coverage
Need sub-second per-server detection without per-component licensing?
Flowtriq is a single agent, single subscription, vendor-managed updates. $9.99/node/month.
Frequently Asked Questions
What is Andrisoft Wanguard?
Wanguard is enterprise on-premises DDoS detection and mitigation software by Andrisoft. It deploys as multiple licensed components (Sensor, Filter, Console) on operator-managed servers and supports both NetFlow/sFlow analysis and direct 40/100 Gbps packet capture.
Does Wanguard support sub-second detection?
In packet capture mode with dedicated capture hardware, Wanguard can achieve faster detection. In NetFlow/sFlow mode — the more common deployment — detection latency is 30-60 seconds, consistent with all flow-based systems.
Is Wanguard cloud-based?
No. Wanguard is on-premises software. Operators license, deploy, and maintain it on their own servers. There is no cloud management plane or vendor-managed infrastructure.
Does Wanguard protect individual servers?
Wanguard detects at the network level — where your NetFlow exporters or packet capture taps are deployed. It does not provide per-server host-level packet visibility or PCAP forensics at the individual server level.
What is an alternative to Wanguard for ISPs who want sub-second detection?
ISPs who need sub-second per-server detection, PCAP forensics, and a SaaS model without per-component licensing often evaluate Flowtriq alongside or instead of Wanguard. Some operators run both: Wanguard for network aggregate visibility and Flowtriq for per-server detection.