The Support Ticket Problem

When a DDoS attack hits one of your servers, the first sign is usually a wave of support tickets. "My site is down." "My server is not responding." "Is there a network issue?" By the time your team reads the tickets, investigates, and confirms it is a DDoS attack, the client has been waiting 15-30 minutes with no information.

Automated notifications flip this. The moment Flowtriq detects an attack, the affected client gets an email or webhook notification explaining what is happening, what type of attack it is, and what your systems are doing about it. The client knows before they think to open a ticket.

WHMCS Email Templates

The Flowtriq WHMCS module ships with three email templates that hook into the WHMCS notification system:

Attack Detected

Sent within seconds of detection. The template includes:

Subject: DDoS Attack Detected on {$server_hostname}

Dear {$client_name},

We detected a DDoS attack targeting your server at {$server_ip}.

Attack details:
  Type:      {$attack_type}
  Target:    {$target_ip}:{$target_port}
  Severity:  {$severity}
  Started:   {$start_time}

Our automated mitigation systems are responding.
We will notify you when the attack ends.

You can view live status at: {$status_url}

Mitigation Active

Sent when automated firewall rules or upstream scrubbing is deployed:

Subject: DDoS Mitigation Active for {$server_hostname}

Automated mitigation is now filtering attack traffic
targeting your server at {$server_ip}.

Mitigation details:
  Method:    {$mitigation_method}
  Rules:     {$rule_count} firewall rules deployed
  Status:    Attack traffic is being filtered

Your legitimate traffic should be unaffected.
We will notify you when the attack ends.

Attack Ended

Sent when the incident concludes:

Subject: DDoS Attack Ended - {$server_hostname}

The DDoS attack on your server at {$server_ip} has ended.

Summary:
  Duration:  {$duration}
  Peak:      {$peak_pps} PPS / {$peak_bps}
  Type:      {$attack_type}
  Outcome:   {$outcome}

View the full incident report: {$report_url}

All three templates are editable in WHMCS Admin > Setup > Email Templates. You can customize the wording, add your branding, and include additional merge fields from the Flowtriq API payload.

Configuration Options

Per-client notification preferences

Not every client wants email notifications for every incident. The module adds notification preferences to the client area where clients can configure:

  • Email notifications: On/off, with optional severity threshold (e.g., only notify for high-severity attacks)
  • Webhook URL: Client-provided webhook for integration with their own monitoring
  • Discord/Slack: Direct integration for clients who prefer chat notifications

Admin notification routing

Separate from client notifications, configure admin alerts so your NOC team knows about attacks across all clients:

# In the Flowtriq WHMCS module settings:
Admin Alert Email:     [email protected]
Admin Slack Webhook:   https://hooks.slack.com/services/...
Severity Threshold:    Medium (skip low-severity events)
Include Client Info:   Yes (which client, which server)

Webhook Integration

For hosting providers with custom dashboards or ticketing systems, the module fires webhooks on every incident state change. The webhook payload includes:

{
  "event": "incident.detected",
  "incident_id": "inc_a1b2c3d4",
  "node_id": "node_e5f6g7h8",
  "whmcs_service_id": 1234,
  "whmcs_client_id": 567,
  "target_ip": "203.0.113.50",
  "attack_type": "UDP Amplification (DNS)",
  "severity": "high",
  "pps": 847000,
  "bps": 2147483648,
  "started_at": "2026-06-22T14:30:00Z"
}

Use this webhook to trigger custom workflows: auto-open a support ticket, post to an internal Slack channel, update a status page, or trigger escalation in your own ITSM tool.
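
A receiver for this payload should check it before opening tickets or posting to chat. The sketch below is an added example, not Flowtriq's code: it checks field types, de-duplicates repeated deliveries, applies a severity threshold, and strips control characters from strings reused in a ticket subject. The function names, the low < medium < high ordering and the (incident_id, event) de-duplication key are assumptions, and authenticating the sender is not covered because the page does not describe how deliveries are signed.

```python
import ipaddress
import json
from datetime import datetime

# Field names and types come from the sample payload on this page.
REQUIRED = {"event": str, "incident_id": str, "node_id": str, "target_ip": str,
            "attack_type": str, "severity": str, "started_at": str,
            "whmcs_service_id": int, "whmcs_client_id": int, "pps": int, "bps": int}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}  # assumption: this ordering
# The page's sample payload as a raw request body.
SAMPLE = (b'{"event": "incident.detected", "incident_id": "inc_a1b2c3d4", '
          b'"node_id": "node_e5f6g7h8", "whmcs_service_id": 1234, '
          b'"whmcs_client_id": 567, "target_ip": "203.0.113.50", '
          b'"attack_type": "UDP Amplification (DNS)", "severity": "high", '
          b'"pps": 847000, "bps": 2147483648, "started_at": "2026-06-22T14:30:00Z"}')

def one_line(value, limit=80):
    """Drop control characters so a payload string cannot inject header lines."""
    return "".join(ch for ch in value if ch.isprintable())[:limit]

def handle_webhook(raw_body, seen, min_severity="medium"):
    """Validate one delivery; return a ticket dict, or None to skip it."""
    data = json.loads(raw_body)  # JSONDecodeError is a ValueError
    if not isinstance(data, dict):
        raise ValueError("payload must be a JSON object")
    for field, kind in REQUIRED.items():
        value = data.get(field)
        # bool is a subclass of int in Python, so reject it explicitly
        if not isinstance(value, kind) or isinstance(value, bool):
            raise ValueError(f"bad or missing field: {field}")
    ip = ipaddress.ip_address(data["target_ip"])  # raises ValueError if malformed
    started = datetime.fromisoformat(data["started_at"].replace("Z", "+00:00"))
    key = (data["incident_id"], data["event"])
    if key in seen:  # retried or replayed delivery
        return None
    seen.add(key)
    # Unknown severity values are escalated rather than silently dropped.
    rank = SEVERITY_RANK.get(data["severity"].lower(), len(SEVERITY_RANK))
    if rank < SEVERITY_RANK[min_severity]:
        return None
    return {
        "client_id": data["whmcs_client_id"],
        "service_id": data["whmcs_service_id"],
        "subject": one_line(f"[{data['severity']}] {data['attack_type']} on {ip}"),
        "body": f"{data['event']} {data['incident_id']}: {data['pps']} pps, "
                f"{data['bps'] / 1e9:.2f} Gbps since {started.isoformat()}",
    }
```

The `seen` set is held in memory here; a long-running receiver would keep it in a store that survives restarts.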

Status Page Integration

The module can publish incident data to a client-facing status page. When a client receives a "DDoS Attack Detected" email, the included status URL shows a live view of the incident with traffic graphs, attack classification, and mitigation status.

This is more effective than a generic "we are experiencing network issues" status update. Clients see exactly what is happening to their server and can make informed decisions about their own communication to their users.

Measuring the Impact

After deploying automated notifications, hosting providers typically see:

  • 60-80% fewer DDoS-related support tickets: Clients get answers before they ask
  • Faster incident resolution perception: Even if mitigation takes the same time, informed clients are more patient
  • Higher DDoS addon conversion: Clients who receive an attack notification for the first time often upgrade to paid protection
  • Lower churn after incidents: Transparent communication during attacks builds trust

FAQ

Do clients get notified for false positives?

Flowtriq uses dynamic baselines that adapt to each server's traffic pattern. False positive rates are low. You can also set a minimum severity threshold so only confirmed attacks trigger client notifications.

Can I test the notification flow?

Yes. The module includes a "Send Test Notification" button in the admin area that fires a sample incident through the full notification pipeline so you can verify templates, formatting, and delivery.

What if a client has multiple servers?

Notifications are per-server. If a client has three servers and one is attacked, they receive a notification about that specific server with the correct IP and hostname.

Set up automated notifications today. The Flowtriq WHMCS module includes all notification templates and webhook integrations. Start your free 14-day trial.
