Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Integrations 18
Learn
Free Tools 37 Free Certifications State of DDoS 2026 REPORT DDoS Protection Landscape Buyer's Guide PDF Hackathon Sponsorships DDoS Protection Facts
Company
About Us Become a Consultant 30% Partners White Label Managed Protection Contact Us System Status
Open Source
ftagent-lite MIT NetHawk MIT
Legal
Security Trust Center Terms & Privacy
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →

Escalation Policies

Multi-step notification chains with delay and severity routing

What Escalation Policies Are

By default, Flowtriq sends incident notifications to all active channels immediately when an attack is detected. Escalation policies let you override this behavior with a structured chain of steps: notify specific channels at specific times, only for specific severity levels.

This is how you implement workflows like "Slack the NOC immediately, page the on-call engineer after 5 minutes if the attack is still active, and email the VP of Engineering after 15 minutes for critical incidents."

Creating an Escalation Policy

Go to Dashboard → Settings → Escalation Policies and click Create Policy. Each workspace has one default policy. The default policy applies to all incidents unless overridden by a runbook.

Policy Structure

A policy is a JSON array of steps. Each step has three properties:

PropertyTypeDescription
delay_minutes intRequiredMinutes after incident detection before this step fires. Use 0 for immediate.
severity_min stringOptionalMinimum severity for this step to fire. One of: low, medium, high, critical. Default: low (all severities).
channels arrayRequiredArray of channel types to notify at this step. Values: discord, slack, pagerduty, opsgenie, telegram, email, sms, webhook, teams.

Example Policy JSON

// Escalation policy: 3-step chain [ { "delay_minutes": 0, "severity_min": "low", "channels": ["slack", "discord"] }, { "delay_minutes": 5, "severity_min": "medium", "channels": ["pagerduty"] }, { "delay_minutes": 15, "severity_min": "critical", "channels": ["email", "sms"] } ]

How Steps Execute

When an incident fires, the dispatch engine loads the default escalation policy and walks the steps in order. For each step:

  1. Check if the incident's age (in minutes since detection) is greater than or equal to delay_minutes
  2. Check if the incident's severity meets or exceeds severity_min
  3. If both conditions pass, send notifications to all active channels matching the types listed in channels

Steps are re-evaluated on every incident update (every 5 seconds during an active attack). A step only fires once per incident per channel thanks to built-in deduplication.

Severity Ordering

Severity levels are ordered: low < medium < high < critical. A step with severity_min: "medium" fires for medium, high, and critical incidents but not for low.

Examples

Page NOC on Critical Only, Slack for Everything

[ {"delay_minutes": 0, "severity_min": "low", "channels": ["slack"]}, {"delay_minutes": 0, "severity_min": "critical", "channels": ["pagerduty"]} ]

Result: Slack gets every incident immediately. PagerDuty only fires for critical incidents.

Gradual Escalation with Delays

[ {"delay_minutes": 0, "severity_min": "low", "channels": ["discord"]}, {"delay_minutes": 3, "severity_min": "medium", "channels": ["slack", "telegram"]}, {"delay_minutes": 10, "severity_min": "high", "channels": ["pagerduty", "sms"]}, {"delay_minutes": 30, "severity_min": "critical", "channels": ["email"]} ]

Result: Discord fires immediately for everything. After 3 minutes, Slack and Telegram fire for medium+. After 10 minutes, PagerDuty and SMS fire for high+. After 30 minutes, email fires for critical only.

Webhook-Only (External SOAR Integration)

[ {"delay_minutes": 0, "severity_min": "low", "channels": ["webhook"]} ]

Result: All incidents are sent to your webhook endpoint immediately, with no human-facing notifications. Use this when your SOAR platform (Splunk SOAR, Cortex XSOAR, Tines) handles all alerting internally.

Without an Escalation Policy

If no escalation policy is configured (the default for new workspaces), all active channels receive notifications for all incidents immediately. This is equivalent to a single step:

[{"delay_minutes": 0, "severity_min": "low", "channels": ["*"]}]

Interaction with Runbooks

Runbooks execute independently from escalation policies. A runbook can send its own notifications to specific channels as part of its action steps, regardless of what the escalation policy does. This means you can have an escalation policy that pages PagerDuty after 5 minutes AND a runbook that sends a Slack message immediately with auto-mitigation details.

Maintenance Window Suppression

During a scheduled maintenance window, notification dispatch is suppressed for all channels. Escalation policy steps that would have fired during the window are silently skipped. Incidents are still created and visible in the dashboard for post-maintenance review.

ESC