
Free Template

DDoS Incident Response Plan Template

A professional, fill-in-the-blank DDoS incident response plan that satisfies cyber insurance requirements and maps to NIST, ISO 27001, SOC 2, and CCCS frameworks. Download it, fill it in, hand it to your insurer.

NIST CSF 2.0 ISO 27001:2022 SOC 2 TSC CCCS Baseline NIST 800-61r3 Cyber Insurance


10-section document with fill-in-the-blank fields for roles, escalation chains, mitigation playbooks, communication templates, and post-incident review procedures.

Markdown format · ~10 pages · No signup required

What's Inside

  • 1. Purpose & Scope: coverage, compliance references, infrastructure checklist
  • 2. Roles & Responsibilities: contact table, RACI matrix, external vendor contacts
  • 3. Detection & Monitoring: PPS/BPS monitoring, L7 detection, alert channels, PCAP capture
  • 4. Classification & Severity: S1-S4 severity matrix, attack type classification
  • 5. Escalation Procedures: automated first response, manual escalation ladder, ISP engagement
  • 6. Mitigation Playbooks: volumetric, protocol, and application-layer attack runbooks
  • 7. Communication Plan: internal notification matrix, customer templates, status page
  • 8. Evidence Preservation: PCAP retention, attack logs, forensic timeline, compliance
  • 9. Post-Incident Review: forensics analysis, lessons learned, action item tracking
  • 10. Plan Maintenance: quarterly review, tabletop exercises, version history

Compliance Frameworks Covered

This template maps detection, response, and recovery procedures to specific controls across four major frameworks. Hand the completed document to your auditor or insurance broker with the control references already filled in.

NIST CSF 2.0

8 controls mapped
  • DE.AE - Adverse Events
  • DE.CM - Continuous Monitoring
  • RS.AN - Analysis
  • RS.MI - Mitigation
  • RS.CO - Communications
  • RC.RP - Recovery Planning

ISO 27001:2022

8 Annex A controls
  • A.5.24 - Incident planning
  • A.5.25 - Event assessment
  • A.5.26 - Incident response
  • A.5.28 - Evidence collection
  • A.8.16 - Monitoring
  • A.8.20 - Network security

SOC 2 TSC

7 criteria addressed
  • CC6.6 - External threats
  • CC7.1 - Detection
  • CC7.2 - Anomaly monitoring
  • CC7.3 - Event evaluation
  • CC7.4 - Incident response
  • A1.2 - Recovery

CCCS Baseline

6 controls mapped
  • SC-1 - Network monitoring
  • SC-2 - Intrusion detection
  • IR-1 - Incident response plan
  • IR-2 - Detection & analysis
  • SR-1 - System recovery
  • AU-1 - Audit logging

Need a monitoring tool that checks every box?

Flowtriq provides per-second PPS monitoring, adaptive baselines, L7 detection, PCAP forensics, automated FlowSpec/RTBH deployment, and 12+ alert channels. Every capability referenced in this template is covered out of the box.


Frequently Asked Questions

Why do I need a DDoS incident response plan?
Cyber insurance carriers in 2026 require documented incident response plans that include SOC/security monitoring escalation procedures. Without one, hosting providers and ISPs face higher premiums or outright denial of coverage. Beyond insurance, frameworks like NIST CSF, ISO 27001, SOC 2, and CCCS baselines all require documented incident response procedures.
What does this template cover?
The template has 10 sections: Purpose & Scope, Roles & Responsibilities (with RACI matrix), Detection & Monitoring, Classification & Severity Levels, Escalation Procedures, Mitigation Playbooks (volumetric, protocol, and application-layer attacks), Communication Plan (with customer notification templates), Evidence Preservation, Post-Incident Review, and Plan Maintenance.
Which compliance frameworks does this satisfy?
The template maps to NIST CSF 2.0 (DE.AE, DE.CM, RS.AN, RS.MI, RS.CO, RC.RP), ISO 27001:2022 (A.5.24-A.5.28, A.8.16, A.8.20), SOC 2 TSC (CC6.6, CC7.1-CC7.4, A1.2), CCCS Baseline Controls (SC-1, SC-2, IR-1, IR-2, SR-1, AU-1), and NIST SP 800-61r3 incident handling guidelines.
Can I use this template with any DDoS detection tool?
Yes. Every section is written as a fill-in-the-blank field. You can use it with any monitoring and mitigation tooling. The recommended monitoring capabilities described in each section (per-second PPS monitoring, adaptive baselines, PCAP forensics, automated FlowSpec deployment) represent industry best practices.
How often should I review this plan?
Quarterly for contact lists and threshold values, after every major incident, and annually for a full plan review including tabletop exercises. The template includes a maintenance schedule section to track this.
Will this help with my cyber insurance renewal?
Yes. Insurance underwriters look for documented DDoS detection capabilities, defined escalation procedures, automated mitigation workflows, evidence preservation policies, and post-incident review processes. This template covers all of these. Hand it to your broker as part of your renewal package.