We sell Flowtriq, a per-node DDoS detection platform. Arbor (NETSCOUT) is a competitor. This post compiles real user feedback from public review platforms and forums, combined with our honest assessment of where Arbor excels and where Flowtriq takes a different approach. We name Arbor directly in our own analysis but censor the vendor name inside user quotes.

Where Arbor genuinely wins

Before we get into what users complain about, it is worth being honest about what Arbor does well. Arbor has carrier-grade TMS scrubbing that can clean traffic inline at massive scale. Their ATLAS intelligence network aggregates threat data from hundreds of service provider deployments worldwide. And they have decades of trust with Tier-1 carriers who need battle-tested infrastructure. If you are a large carrier processing hundreds of gigabits through a dedicated scrubbing center, Arbor remains the default choice for good reason.

The complaints we are about to cover do not change that. They come from operators who need something different: per-server visibility, faster deployment, and pricing that does not require board-level approval.

The $250K question

The most consistent feedback about Arbor is the cost. Review after review mentions it.

"The pricing model of [this vendor] can be a barrier, particularly for smaller organizations. The initial investment for hardware, software licenses, and ongoing maintenance can be substantial, often running into six figures."

Multiple users peg the starting cost at $250K or higher once you factor in the appliance, licensing, professional services for deployment, and the annual maintenance contract. For a Tier-1 carrier doing $500M in annual revenue, that is a rounding error. For a 200-server hosting provider or a regional ISP, it is the entire annual IT budget.

"Pricing could be more competitive. It's on the higher end compared to some alternatives."

Flowtriq takes a fundamentally different approach. At $9.99 per node per month, a 200-server deployment costs $1,998/month. There is no CapEx, no appliance procurement, no professional services engagement. You install agents on your existing Linux servers and start building baselines immediately. That does not make Flowtriq better than Arbor. It makes it accessible to a different market.

Support quality after the NETSCOUT acquisition

Several users report that support quality declined after NETSCOUT acquired Arbor Networks. The specialized DDoS team that operators trusted got absorbed into a larger corporate support structure.

"Support has degraded since [this vendor] was acquired. You used to get engineers who knew the product inside out. Now you get generalists who escalate everything."

"Response times have gotten longer. What used to be a quick call is now a ticket that sits for days."

This pattern is common when a specialized product gets acquired by a larger company. The domain expertise that made the support great gets diluted across a broader portfolio. Flowtriq includes unlimited support with no ticket caps, no per-incident fees, and no tiered response times. During an active DDoS incident, you should not be wondering whether your support contract covers one more ticket this month.

The UI problem

The Arbor interface is a recurring source of frustration. Users describe it as functional but dated, with workflows that feel like they were designed a decade ago.

"The interface feels like technology from five or six years ago. It works, but it's not intuitive, and training new staff takes weeks."

"The web UI is clunky. Simple tasks require too many clicks. Generating a report that should take 30 seconds takes five minutes of navigating menus."

A dated UI is not just a cosmetic problem. It slows down incident response. When you are under a multi-vector attack and need to understand what is happening in seconds, an interface that buries critical data behind nested menus costs you time. Flowtriq's dashboard was designed for incident response first: attack classification, volume data, source distribution, and mitigation status are visible immediately without drilling through layers of navigation.

False positives and detection accuracy

Several reviewers flag false positive rates as a persistent issue, particularly after initial deployment or after software updates.

"False positives were a real problem in the first few months. We spent more time tuning thresholds than we did responding to actual attacks."

"After a major update, our false positive rate spiked. It took weeks of working with support to get it back to acceptable levels."

Arbor uses flow-based detection, which means it samples traffic at configurable intervals. Sampling inherently trades accuracy for scale. Flowtriq uses per-node kernel-level monitoring that reads every packet, combined with dynamic baselines that adapt to each server's traffic patterns. This does not eliminate false positives entirely, but it reduces them because the baselines are per-server rather than per-network-segment.
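
The per-server versus per-segment point above, as an added example (not code from Flowtriq or Arbor, and not either product's algorithm): a simple EWMA baseline per host compared with one threshold shared across a segment. Host names, packet rates, and the smoothing parameters are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class EwmaBaseline:
    """Adaptive baseline for ONE server: running mean and mean absolute deviation."""
    alpha: float = 0.2   # smoothing factor (assumed value)
    k: float = 6.0       # alert when pps > mean + k * deviation (assumed value)
    warmup: int = 5      # samples to learn before alerting is allowed
    mean: float = 0.0
    dev: float = 0.0
    seen: int = 0

    def observe(self, pps: float) -> bool:
        if self.seen == 0:
            self.mean = pps
        # Floor the deviation at 5% of the mean so a very flat series
        # does not alert on trivial jitter.
        limit = self.mean + self.k * max(self.dev, 0.05 * self.mean)
        alert = self.seen >= self.warmup and pps > limit
        if not alert:  # keep attack samples out of the learned baseline
            self.dev += self.alpha * (abs(pps - self.mean) - self.dev)
            self.mean += self.alpha * (pps - self.mean)
        self.seen += 1
        return alert

def per_server_alerts(series):
    """One independent baseline per host; returns alerting sample indexes."""
    out = {}
    for host, samples in series.items():
        baseline = EwmaBaseline()
        out[host] = [i for i, pps in enumerate(samples) if baseline.observe(pps)]
    return out

def shared_threshold_alerts(series, threshold):
    """One static pps threshold applied to every host in the segment."""
    return {h: [i for i, pps in enumerate(s) if pps > threshold]
            for h, s in series.items()}

# Constructed packets-per-second samples for two hosts in the same segment:
# a busy edge node with a benign burst, and a quiet node flooded at samples 7-8.
SERIES = {
    "cdn-edge": [80000, 82000, 79000, 85000, 81000, 83000, 95000, 84000, 80000, 82000],
    "game-01":  [2000, 2100, 1900, 2050, 1950, 2000, 2100, 30000, 32000, 2000],
}

if __name__ == "__main__":
    print("per-server baselines:", per_server_alerts(SERIES))
    print("shared @100000 pps:  ", shared_threshold_alerts(SERIES, 100000))
    print("shared @25000 pps:   ", shared_threshold_alerts(SERIES, 25000))
```

A shared threshold high enough to tolerate the busy node misses the flood on the quiet one, and one low enough to catch that flood flags every sample on the busy node; the per-host baselines flag only the flood.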

Reporting gaps

For the price operators pay, reporting capabilities get surprisingly mixed reviews.

"Reporting is weak for a product at this price point. Custom reports are painful to build, and the canned reports do not always show what we need for customer-facing SLA documentation."

"Attack data seems to vanish from the system after a certain retention period. We needed historical data for a compliance audit and it was gone."

Flowtriq generates per-attack incident reports automatically with classification, volume metrics, duration, source distribution, and PCAP references. Every attack is documented without manual effort. For operators who need to show customers or auditors exactly what happened, automated incident documentation removes the operational burden of building reports from raw data.

Closed ecosystem

Multiple users mention frustration with Arbor's ecosystem lock-in.

"Integrating [this vendor] with our existing monitoring stack was painful. The API is limited, and you basically have to live inside their ecosystem."

"We wanted to push alert data to our SIEM and our Slack channels. Getting that working required custom scripts and a lot of trial and error."

Flowtriq takes the opposite approach. The platform ships with native integrations for Slack, Discord, PagerDuty, OpsGenie, generic webhooks, Prometheus metrics, and a full REST API. If your monitoring stack can accept a webhook or scrape a Prometheus endpoint, Flowtriq plugs in without custom scripting.

Upgrade complexity

Users consistently report that software upgrades are painful and occasionally break things.

"Upgrades are complex and require careful planning. We've had upgrades break functionality that was working fine before."

"Every major version upgrade feels like a project. You need to schedule downtime, have support on standby, and hope nothing breaks in production."

Flowtriq agents update automatically with zero downtime. The agent process handles its own updates in the background, and the detection pipeline continues running during the update cycle. There is no scheduled maintenance window, no manual intervention, and no risk of breaking a production appliance.

When Arbor is the right call (and Flowtriq is not)

We are not trying to replace Arbor in every deployment. There are scenarios where Arbor is clearly the better fit.

If you need inline scrubbing at carrier scale: Arbor TMS sits inline and scrubs traffic in real time at tens or hundreds of gigabits. Flowtriq detects attacks and triggers mitigation (BGP FlowSpec, RTBH, cloud scrubbing, firewall rules), but it does not sit inline and filter packets at line rate. If your requirement is a hardware scrubbing center, that is Arbor's core strength.

If you need ATLAS threat intelligence: Arbor's ATLAS network is fed by hundreds of carrier deployments worldwide. That level of global threat intelligence is genuinely valuable for proactive defense, and Flowtriq does not have an equivalent data set.

If your upstream requires Arbor compatibility: Some transit providers and IXPs have built their mitigation workflows around Arbor's signaling. If your upstream peering agreements assume Arbor-compatible APIs or management planes, switching to a different detection platform may create friction.

Flowtriq targets operators who need per-server visibility without the $250K price tag: regional ISPs, hosting providers, game server operators, and mid-market networks that cannot justify an appliance-based deployment but still need real detection, classification, and forensics on every server.

The bottom line

Arbor is a proven platform with carrier-grade capabilities. The complaints from users are real, but they are complaints that come with the territory of enterprise infrastructure: high cost, complex upgrades, support that depends on vendor priorities, and interfaces that evolve slowly. These are trade-offs that Tier-1 carriers accept because the mitigation capability is worth it.

For operators outside that Tier-1 bracket, the trade-offs stop making sense. If you need DDoS detection across 50-500 servers, want PCAP forensics on every attack, and cannot wait months for a hardware procurement cycle, Flowtriq offers a different path: per-node pricing, automated agent deployment, and a dashboard designed for speed during incident response.

Both tools have their place. The question is which set of trade-offs matches your infrastructure, your team, and your budget.