We sell Flowtriq, a per-node DDoS detection platform. Andrisoft Wanguard is a competitor. This post compiles real user feedback from public review platforms and forums, combined with our honest take on where Wanguard works well and where Flowtriq does things differently.
Where Wanguard genuinely works well
Wanguard deserves credit for what it does right. It is a capable on-premises DDoS detection and traffic analysis tool that costs significantly less than appliance vendors like Arbor or Corero. For operators who want to own their detection infrastructure, run it on their own hardware, and avoid cloud dependencies, Wanguard offers a self-hosted option with flow analysis, packet inspection, BGP integration, and filtering capabilities all in one package.
The per-component licensing model lets you buy exactly what you need. You can start with just the flow sensor and add packet filtering or BGP integration later. For budget-conscious operators, this modularity is genuinely useful.
Support is the most common complaint
Across review platforms and community forums, support quality is the number one issue Wanguard users raise. The feedback is blunt.
"Support is terrible. Response times are slow, and when you do get an answer, it's often a link to documentation you've already read."
"We had a critical issue during an active attack and waited over 24 hours for a response. That's not acceptable for a DDoS product."
Andrisoft is a small company, which means support capacity is limited. Priority support costs extra, and even then, response times depend on timezone alignment. For operators in North America or Asia-Pacific, getting support from a European vendor during their business hours can mean waiting until the next day.
Flowtriq includes unlimited support with no ticket caps and no priority tiers. During an active incident, support response time matters more than anything else in your detection stack. A tool that works perfectly 99% of the time but leaves you without support during the 1% that matters is not a reliable operational dependency.
BGP integration headaches
BGP integration is central to any DDoS mitigation workflow. Several Wanguard users report that getting BGP working correctly is harder than expected.
"BGP integration was a nightmare to set up. The documentation assumes you already know exactly how [this vendor] expects BGP sessions to be configured. If your router setup differs from their example, you're on your own."
"We spent two weeks getting RTBH working properly. The BGP daemon configuration is finicky and errors are not always clear."
Flowtriq supports multiple BGP adapters out of the box, including ExaBGP, BIRD, GoBGP, FRRouting, and native integrations with router vendors. The BGP session configuration is handled through the dashboard, not through manual daemon configuration files. This does not eliminate all BGP complexity, as your upstream still needs to accept your communities, but it removes the friction of manually configuring a BGP daemon and hoping the detection tool talks to it correctly.
Flow analysis speed
Flow analysis performance is another recurring concern, particularly for operators processing high volumes of NetFlow or sFlow data.
"Flow analysis is just not fast enough. When we're processing data from multiple routers, the analysis lags behind real-time. During high-traffic periods, the delay between traffic arriving and detection firing can stretch to minutes."
This is a fundamental architectural challenge for any centralized flow collector. The collector needs to ingest, parse, correlate, and analyze flow records from every router in your network. As traffic volume grows, processing time grows with it. Flowtriq takes a hybrid approach: per-node agents monitor kernel counters at the server level for sub-second detection, and flow sources (sFlow, NetFlow, IPFIX) provide network-wide context. The per-node agents do not wait for flow data to detect attacks.
Error tracking and diagnostics
Users report that when Wanguard encounters problems, diagnosing the root cause is difficult.
"When something goes wrong, there's no clear error tracking. Logs are verbose but not helpful. You end up searching through log files trying to figure out why a filter rule didn't apply or why a BGP announcement didn't fire."
Flowtriq surfaces error states in the dashboard. If a BGP session drops, an agent goes offline, or a mitigation action fails, the issue appears in the web interface with context about what went wrong. Operators should not need to SSH into a server and grep through log files to understand why their detection platform is not working.
Hardware requirements
Wanguard requires dedicated server hardware. The performance of your detection depends directly on the hardware you provision for it.
"You need serious hardware to run [this vendor] properly. We started with a modest server and quickly hit CPU and memory limits when processing flows from our full network."
"The hardware requirements are higher than advertised. For reliable operation at our traffic levels, we ended up running it on a machine that costs more per month than the software license."
Flowtriq agents are lightweight processes that run on your existing infrastructure. There is no dedicated server to provision, no collector hardware to maintain, and no scaling concerns as your network grows. You add agents to servers as you add servers. The processing happens at the node level, so there is no central bottleneck.
Community and ecosystem
The Wanguard user community is small compared to other DDoS tools, which affects the availability of third-party resources, integrations, and peer support.
"The community around [this vendor] is minimal. When you hit an issue, there's no Stack Overflow thread or forum post to reference. It's you and the vendor documentation."
A small community is not necessarily a fault of the product. Wanguard serves a niche market and does it with a small team. But the practical effect is that operators are more dependent on vendor support, which circles back to the support quality issue described above.
Timezone and availability challenges
"Support is based in Europe and follows European business hours. If you're running infrastructure in North America and something breaks at 3 PM Eastern, you might be waiting until the next morning for a response."
DDoS attacks do not respect business hours. Operators need support that is available when incidents happen, not when a specific timezone's workday permits. Flowtriq's support does not have timezone-based availability windows.
Looking for SaaS DDoS detection without the server management?
Flowtriq runs on your existing infrastructure with no dedicated hardware. Per-node detection at $9.99/month, unlimited support, and a web dashboard included at no extra cost.
Start Free Trial →When Wanguard is the right call (and Flowtriq is not)
If you want full ownership of your detection infrastructure: Wanguard runs on your hardware, in your datacenter, with no cloud dependency. Some operators, particularly those with data sovereignty requirements, prefer this model. Flowtriq's agents run on your servers, but the dashboard and data pipeline are SaaS.
If you need deep packet filtering on-premise: Wanguard includes a packet filtering engine that can drop traffic at the server level using hardware-accelerated filtering. Flowtriq triggers mitigation actions (firewall rules, BGP, cloud scrubbing) but does not include a dedicated packet filtering engine.
If your budget allows dedicated hardware but not SaaS subscriptions: Some organizations have CapEx budgets that can absorb a server purchase but cannot add recurring SaaS charges. Wanguard fits that procurement model better than Flowtriq.
The bottom line
Wanguard is a solid on-prem detection tool that fills a real gap between free community tools and six-figure appliance vendors. The complaints from users are real but predictable for a small-team product: support limitations, community size, and the operational overhead of managing dedicated hardware.
Flowtriq approaches the same problem differently. SaaS delivery, per-node agents on existing infrastructure, built-in dashboard, and unlimited support. Neither approach is universally better. The right choice depends on whether you want to own and operate your detection infrastructure or prefer to deploy agents and let the platform handle the rest.