We sell Flowtriq, a per-node DDoS detection and mitigation platform. Kentik is a network observability platform that includes DDoS detection as part of its broader analytics offering. This post compiles real user feedback and explains where the two platforms diverge.

Where Kentik genuinely wins

Let's be direct about what Kentik does better than Flowtriq. Kentik has superior NetFlow analytics. Their flow ingestion and query engine processes massive volumes of flow data with a flexibility and depth that purpose-built DDoS tools do not match. The ability to slice traffic data by any combination of dimensions, run ad-hoc queries across historical flow records, and build custom dashboards for network planning is genuinely impressive.

Kentik also excels at network-wide visibility. They see traffic across your entire network, across all routers and switches that export flow data. Their BGP analysis and route visualization tools help operators understand peering dynamics, routing decisions, and traffic engineering in ways that a per-server DDoS tool cannot.

If your primary need is network observability with DDoS detection as a secondary feature, Kentik is a strong platform. The issue comes when DDoS detection and response is the primary requirement.

The mitigation gap

The most consistent feedback from Kentik users who need DDoS protection is that detection alone is not enough.

"[This platform] detects attacks well, but then you need to find a way to make it actionable. Detection without mitigation means you see the attack happening and still have to manually push BGP routes or call your scrubbing provider."

"We use [this platform] for visibility, but when we get hit, the response workflow is still manual. See the alert, SSH into the router, push the blackhole route. That takes minutes we do not have."

Kentik positions itself as a detection and analytics platform, not a mitigation platform. That is an honest positioning, but it means operators need to build or buy the mitigation layer separately. For many operators, that means custom scripts, manual BGP commands, or a separate mitigation product.

Flowtriq includes automated mitigation out of the box. When an attack is detected, the system can trigger BGP FlowSpec, RTBH, firewall rules (iptables, nftables, XDP), cloud scrubbing (Cloudflare Magic Transit, Path.net, Voxility), and router integrations (pfSense, MikroTik). The detection-to-mitigation path is automated and fires within seconds. There is no manual step between seeing an attack and responding to it.

Pricing

Kentik is not cheap. Multiple users mention the cost as a factor, particularly for smaller networks.

"[This platform] is not cheap. The pricing is based on flow volume, and as our network grows, the cost grows with it. For a mid-sized ISP, the annual cost is significant."

"The value is there for large networks, but for smaller operators, the price point makes it hard to justify when you still need additional tooling for mitigation."

Flowtriq pricing is flat at $9.99 per node per month regardless of traffic volume. A 200-server deployment costs $1,998/month. There is no flow-volume pricing, no bandwidth tiers, and no scaling surprises. For mid-market operators, the cost difference between flow-volume pricing and per-node pricing can be substantial, especially as traffic grows.

API usability

Kentik has a comprehensive API, but users report that the developer experience has room for improvement.

"The API is powerful but the documentation could be better. We spent significant time figuring out how to pull the specific data we needed. The query syntax has a learning curve."

"API usability was poor for our use case. Simple tasks like pulling attack summary data required understanding their query language. We ended up writing a wrapper library just to make it usable."

Flowtriq's REST API follows standard REST conventions with straightforward endpoints for attack data, node status, and configuration. The API documentation includes working examples for common integrations. This is a simpler API than Kentik's because it does less: Flowtriq's API covers DDoS detection data specifically, while Kentik's API covers the full network observability stack.

Data storage and retention

"Data retention has limits. Historical flow data beyond a certain window requires higher-tier plans. If you need to go back and investigate an attack from three months ago, you might find the detailed data is gone."

For compliance, forensics, and post-incident investigation, data retention matters. If you need to reconstruct an attack timeline for an insurance claim or SLA dispute and the data has been purged, the detection is retroactively worthless. Flowtriq retains attack records, classification data, and PCAP references for all detected incidents, and operators can configure retention policies based on their compliance requirements.

Alerting as the main weakness

"Alerting was the main weakness. Setting up meaningful DDoS alerts that do not false-alarm on normal traffic spikes was harder than it should have been. The alerting engine is generic, not DDoS-specific."

"We wanted severity-based routing: critical attacks page the on-call, minor anomalies go to Slack. Getting that configured properly took more effort than expected."

Kentik's alerting is built for general network observability use cases, which means DDoS-specific alerting requires configuration that maps network anomaly patterns to DDoS attack types. Flowtriq's alerting is purpose-built for DDoS. Attack classification determines severity automatically, and alert routing by severity is a first-class configuration option. SYN floods page the on-call. Port scans go to Slack. DNS amplification triggers a webhook. This is configurable per attack vector without building custom alert logic.

Support response

"Support is generally good, but response times during urgent situations could be faster. When you are under attack and need help understanding what Kentik is showing you, waiting for support is stressful."

Flowtriq includes unlimited support with no ticket caps. During active DDoS incidents, support is available without worrying about whether your support contract covers the interaction. DDoS attacks create urgency that does not align well with tiered support response times.

Add the mitigation layer Kentik lacks

Flowtriq detects attacks in 1-2 seconds and triggers BGP FlowSpec, RTBH, firewall rules, and cloud scrubbing automatically. Per-node detection at $9.99/month.

When Kentik is the right call (and Flowtriq is not)

If you need full network observability: Kentik is a network observability platform that happens to include DDoS detection. If your primary need is traffic analytics, capacity planning, peering analysis, and BGP visibility with DDoS detection as a bonus, Kentik delivers more network intelligence than Flowtriq.

If you need deep flow analytics across your entire network: Kentik's flow query engine is the best in the industry for ad-hoc network analysis. Slicing traffic by any dimension, across any time range, with sub-minute granularity is something Kentik does exceptionally well. Flowtriq's flow ingestion is designed for DDoS detection, not general analytics.

If you already have mitigation automation built: Some operators have already built custom mitigation automation (BGP scripts, cloud scrubbing API integrations, firewall orchestration). If your mitigation pipeline is solved and you need better detection and network analytics, Kentik fills that role well.

The bottom line

Kentik is a best-in-class network observability platform. Its DDoS detection capabilities are real, but they live inside a platform designed primarily for network analytics. The gap users consistently identify is the same: detection without automated mitigation means seeing the attack but still responding manually.

Flowtriq is narrower. It does DDoS detection and automated mitigation. It does not do network-wide flow analytics, peering analysis, or capacity planning. For operators who need detection plus automated response in a single platform, Flowtriq closes the mitigation gap. For operators who need full network observability with DDoS detection as part of a broader toolkit, Kentik provides more value across the network operations stack.

Some operators run both: Kentik for network-wide visibility and planning, Flowtriq for per-server DDoS detection and automated mitigation. The tools complement each other well because they solve different layers of the same problem.