
The Regulatory Landscape Has Changed

If you run infrastructure for a payment processor, neobank, trading platform, or insurance tech company, your compliance obligations around DDoS protection have tightened significantly in the past two years. Three frameworks now explicitly require network-level threat detection, incident documentation, and operational resilience testing:

  • PCI DSS 4.0 — enforced from March 2025, Requirement 11.4 mandates intrusion-detection and intrusion-prevention techniques at the network perimeter and at critical points within the cardholder data environment. You must monitor all traffic, detect attacks, and alert personnel.
  • SOC 2 (Trust Services Criteria) — CC7.1 through CC7.5 cover monitoring, detection, incident response, and recovery. Auditors expect to see evidence that you can detect DDoS attacks, respond to them within defined SLAs, and produce incident records.
  • DORA (EU Digital Operational Resilience Act) — effective January 2025, DORA requires financial entities in the EU to maintain ICT risk management frameworks, conduct resilience testing, and report major ICT-related incidents to regulators within strict timelines.

The common thread: regulators now treat availability as a security control. A DDoS attack that takes your payment API offline for 30 minutes is not just an operations problem — it is a compliance incident that requires documentation, root-cause analysis, and potentially a regulatory filing.

Why DDoS Detection Is a Compliance Requirement

Historically, compliance frameworks focused on confidentiality and integrity. Availability was an afterthought — something covered by generic "business continuity" language. That era is over.

PCI DSS 4.0 Requirement 11.4 is explicit: organizations must implement intrusion-detection and/or intrusion-prevention techniques that detect and alert on network attacks. The requirement specifically calls out monitoring "all traffic at the perimeter of the cardholder data environment" and "at critical points in the cardholder data environment."

SOC 2's CC7.1 requires that organizations "use defined configuration standards and detection and monitoring procedures to identify anomalies." CC7.2 goes further: you must monitor system components for anomalies that are indicative of malicious acts, natural disasters, and errors. A volumetric DDoS attack is exactly the kind of anomaly your auditor will ask about.

DORA raises the bar even higher. Article 9 requires financial entities to implement ICT security management with capabilities for "detection of anomalous activities" and "response and recovery." Article 17 mandates classification of ICT-related incidents by severity and impact, with major incidents reported to regulators within 4 hours of determination.

The question from your auditor is no longer "do you have DDoS protection?" It is "show me the detection logs, the incident timeline, the escalation actions, and the post-incident report for the last 12 months." If you cannot produce these artifacts, you have a finding.

Audit Trail: Every Action Logged

Every compliance framework requires an audit trail. For DDoS protection, that means logging not just that an attack occurred, but who was notified, what actions were taken, when mitigation was activated, and who made each decision.

Flowtriq's audit log captures every action in the system with four fields that map directly to audit requirements:

  • Who: The user or system that performed the action (e.g., "auto-mitigation engine" or a named user's e-mail address).
  • What: The specific action taken (e.g., "Activated FlowSpec rule for UDP flood on 198.51.100.10/32").
  • When: Precise timestamp with timezone.
  • Context: Associated incident ID, node ID, and workspace — linking every action to the specific event that triggered it.

This is accessible via the Dashboard > Audit Log page, where you can filter by date range, user, and action type. For audit preparation, export the full log as a CSV or PDF that maps directly to PCI DSS 10.2 (audit log requirements) and SOC 2 CC7.3 (incident response documentation).

PCI DSS 10.2 mapping: PCI DSS 4.0 Requirement 10.2 requires audit logs for all system components that process, store, or transmit cardholder data. Since DDoS protection systems touch network traffic in the cardholder data environment, their actions must be logged. Flowtriq's audit log satisfies this requirement out of the box.

Incident Evidence: PCAP Captures for Regulators

When a regulator or auditor asks "what did the attack look like?", you need more than a log line that says "DDoS detected." You need forensic evidence of the attack traffic — the actual packets, headers, and patterns that constituted the incident.

Flowtriq captures PCAP (packet capture) data during incidents automatically. These captures provide:

  • Attack signature proof: The exact packet patterns, protocols, source IPs, and payload characteristics of the attack traffic.
  • Timeline reconstruction: Packet-level timestamps showing exactly when the attack started, peaked, and ended.
  • Mitigation verification: Evidence that filtering rules were effective — showing attack traffic before and after mitigation was activated.
  • False positive analysis: Ability to verify that no legitimate traffic was blocked during mitigation.

PCAP files can be downloaded from the dashboard and analyzed with standard tools like Wireshark or tshark. For compliance purposes, they serve as forensic-grade evidence that can be attached to incident reports, provided to auditors, or submitted alongside regulatory filings under DORA's incident reporting requirements.

Under DORA Article 17, major ICT-related incidents must be reported with detailed information including "the type of incident, the nature and impact, and the measures taken." PCAP data provides the technical evidence that supports each of these reporting fields.

Automated Compliance Reports

Producing incident reports manually is time-consuming and error-prone. When your PCI QSA asks for a summary of all network security incidents in the assessment period, you should not be spending hours compiling spreadsheets.

Flowtriq's reporting engine generates compliance-ready incident reports that include:

  • Incident summary: Attack type, target, duration, peak volume (PPS/BPS), and classification.
  • Timeline: Detection time, escalation steps, mitigation activation, and resolution — all with precise timestamps.
  • Actions taken: Every mitigation action from the audit log, linked to the specific incident.
  • Impact assessment: Whether services were degraded, for how long, and which nodes were affected.
  • Evidence references: Links to PCAP captures and traffic graphs for the incident period.

These reports can be generated on demand from Dashboard > Reports or scheduled for automatic generation. They map to the documentation requirements across all three frameworks — PCI DSS Requirement 12.10 (incident response plan), SOC 2 CC7.4 (incident analysis), and DORA Article 17 (incident reporting).

4-Level Auto-Escalation: Meeting Uptime SLAs

Fintech uptime SLAs are not aspirational — they are contractual. When your payment gateway promises 99.99% availability to merchant partners, a 15-minute outage from an unmitigated DDoS attack can trigger SLA penalties, reputational damage, and compliance questions.

Flowtriq's 4-tier automatic escalation ensures the right mitigation response activates within seconds, without waiting for a human to page in:

Tier   Method              Response Time   Impact on Legitimate Traffic
───────────────────────────────────────────────────────────────────────────
1      Local firewall      1-2 seconds     None — host-level iptables/nftables
2      BGP FlowSpec        3-5 seconds     None — surgical filtering at edge
3      BGP RTBH            3-5 seconds     Target IP goes offline
4      Cloud scrubbing     10-30 seconds   Minimal — traffic is cleaned

The escalation is automatic and bidirectional. When a small UDP flood hits, Tier 1 handles it silently with host-level firewall rules. If the volume exceeds the host threshold, Flowtriq escalates to Tier 2 (FlowSpec) to filter the attack at the network edge. If even that is insufficient, Tier 3 (RTBH) sacrifices the target IP to protect the rest of the infrastructure. For attacks that demand continuous service, Tier 4 redirects traffic to cloud scrubbing.

From a compliance perspective, this automated escalation maps directly to SOC 2 CC7.4 ("The entity responds to identified security incidents") and DORA Article 11 (ICT response and recovery). Auditors want to see that your response is not dependent on a single engineer answering their phone at 3 AM.
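As an added example (not Flowtriq's code), the following controller implements the bidirectional tier selection described above and records every tier change as an audit-log entry carrying the who/what/when/context fields from the Audit Trail section. The packet-rate thresholds, the keep_online flag (which models "attacks that demand continuous service" going to Tier 4 instead of Tier 3) and the three-sample hold before stepping down are assumptions; the article only gives the tier order.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Tuple

# Tier names follow the article's table; every threshold here is a constructed assumption.
TIER_NAMES = {0: "No mitigation", 1: "Local firewall", 2: "BGP FlowSpec",
              3: "BGP RTBH", 4: "Cloud scrubbing"}
ATTACK_FLOOR_PPS = 10_000      # assumed: below this the flood is considered over
HOST_LIMIT_PPS = 50_000        # assumed: what host iptables/nftables can absorb
FLOWSPEC_LIMIT_PPS = 500_000   # assumed: what edge FlowSpec filtering can absorb
DEESCALATE_AFTER = 3           # assumed: calm samples required before stepping down
# The four audit-log fields named in the article.
AuditEntry = namedtuple("AuditEntry", "who what when context")

@dataclass
class EscalationController:
    node_id: str
    workspace: str
    incident_id: str
    keep_online: bool = False  # assumed flag: target must stay reachable, so tier 4 instead of 3
    tier: int = 0
    calm_samples: int = 0
    audit_log: List[AuditEntry] = field(default_factory=list)

    def target_tier(self, pps: int) -> int:
        """Lowest tier whose capacity covers the observed volume."""
        if pps < ATTACK_FLOOR_PPS:
            return 0
        if pps <= HOST_LIMIT_PPS:
            return 1
        if pps <= FLOWSPEC_LIMIT_PPS:
            return 2
        return 4 if self.keep_online else 3

    def observe(self, pps: int, target_ip: str) -> int:
        """Escalate at once; de-escalate only after sustained calm so tiers do not flap."""
        wanted = self.target_tier(pps)
        self.calm_samples = self.calm_samples + 1 if wanted < self.tier else 0
        if wanted > self.tier or self.calm_samples >= DEESCALATE_AFTER:
            self.calm_samples = 0
            self._move(wanted, pps, target_ip)
        return self.tier

    def _move(self, new_tier: int, pps: int, target_ip: str) -> None:
        direction = "Escalated" if new_tier > self.tier else "De-escalated"
        self.audit_log.append(AuditEntry(
            who="auto-mitigation engine",
            what=f"{direction} tier {self.tier} -> {new_tier} ({TIER_NAMES[new_tier]}) for {target_ip}/32 at {pps} pps",
            when=datetime.now(timezone.utc).isoformat(),
            context={"incident_id": self.incident_id, "node_id": self.node_id, "workspace": self.workspace}))
        self.tier = new_tier

# Constructed per-second packet rates: a flood that ramps up, peaks, then stops.
SAMPLE_PPS = [2_000, 30_000, 200_000, 900_000, 900_000, 5_000, 5_000, 5_000]

def run_sample(keep_online: bool = False) -> Tuple[List[int], List[AuditEntry]]:
    ctl = EscalationController("node-7", "ws-payments", "INC-0042", keep_online)
    tiers = [ctl.observe(pps, "198.51.100.10") for pps in SAMPLE_PPS]
    return tiers, ctl.audit_log
```

Running run_sample() walks the controller through tiers 0, 1, 2, 3 and back to 0, producing four audit entries; with keep_online=True the peak lands on Tier 4 instead of Tier 3.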

Data Residency: Your Data Stays With You

Data residency is a critical concern for fintech companies. PCI DSS requires that cardholder data be protected in transit and at rest. DORA requires financial entities to understand where their ICT data is processed and stored. Many enterprise DDoS solutions route your traffic through their scrubbing centers — which means your network data leaves your infrastructure and transits through third-party systems in potentially unknown jurisdictions.

Flowtriq takes a fundamentally different approach. The Flowtriq agent runs directly on your infrastructure. Network telemetry is processed locally on your nodes. Detection, classification, and mitigation decisions happen within your network perimeter.

  • No traffic rerouting: Unlike cloud-based solutions, Flowtriq does not proxy or redirect your production traffic through external servers.
  • No third-party data storage: Your packet captures, flow data, and incident logs stay on your servers.
  • Jurisdiction control: You know exactly where your data is because it never leaves your infrastructure.
  • PCI DSS scope reduction: Because Flowtriq does not handle, transit, or store cardholder data externally, it does not expand your CDE (Cardholder Data Environment) scope to a third-party provider.

DORA data residency: DORA Article 28 requires financial entities to assess concentration risk in their ICT third-party dependencies. By running on your own infrastructure, Flowtriq eliminates one more third-party dependency from your ICT risk register — simplifying your DORA compliance posture.

Alert Channels: Incident Response SLAs

Every compliance framework requires defined incident response procedures with clear notification and escalation paths. SOC 2 CC7.3 specifically requires "procedures for responding to and communicating security incidents." DORA demands incident classification and escalation within hours.

Flowtriq integrates with the alerting tools your incident response team already uses:

  • PagerDuty: Trigger PagerDuty incidents with full attack context, enabling on-call rotation and escalation policies that map to your documented IR procedures.
  • OpsGenie: Create OpsGenie alerts with priority levels matching attack severity, feeding into your existing on-call schedules.
  • Slack / Discord: Real-time channel notifications for team awareness during incidents.
  • Email alerts: Branded incident notifications with attack details, sent to security distribution lists.
  • SMS: Critical alerts for high-severity incidents when team members are away from their desks.
  • Webhooks: Custom integrations with your SIEM, SOAR, or ticketing system for automated incident tracking.

For compliance purposes, every alert sent is logged in the notification log with delivery status, timestamp, and recipient — providing auditable proof that your incident response procedures were followed.

Role-Based Access: Separation of Duties

PCI DSS Requirement 7 mandates restricting access to system components by business need-to-know. SOC 2 CC6.1 requires logical access controls. DORA requires "appropriate access management." All three frameworks expect separation of duties — not everyone should be able to modify mitigation rules or dismiss alerts.

Flowtriq implements four predefined roles with granular permissions:

Role        View Data   Manage Nodes   Modify Rules   Manage Team   Billing
──────────────────────────────────────────────────────────────────────────────
Owner       Yes         Yes            Yes            Yes           Yes
Admin       Yes         Yes            Yes            Yes           No
Analyst     Yes         No             No             No            No
Readonly    Yes         No             No             No            No

  • Owner: Full control including billing, team management, and workspace settings. Typically the CTO or VP of Engineering.
  • Admin: Can manage nodes, configure mitigation rules, and invite team members. For senior SREs and security engineers.
  • Analyst: Can view all data, incidents, and reports, but cannot modify configurations. For SOC analysts and compliance officers.
  • Readonly: View-only access to dashboards and reports. For auditors and external reviewers during assessment periods.

The Readonly role is particularly useful during audits. You can invite your PCI QSA or SOC 2 auditor to a read-only workspace where they can independently verify detection logs, incident reports, and audit trails without risk of accidental modifications.

Flowtriq vs Enterprise Solutions

The traditional answer to "we need compliant DDoS protection" has been Arbor (now NETSCOUT), Radware DefensePro, or similar enterprise appliances. These products are proven — but they come with six-figure price tags, multi-month deployments, and hardware dependencies.

Capability                  Arbor/Radware        Flowtriq
────────────────────────────────────────────────────────────────────
Per-second detection        Yes                  Yes
PCAP capture                Yes                  Yes
Audit logging               Yes                  Yes
Automated reports           Yes                  Yes
Auto-escalation             Varies               4-tier (built-in)
PagerDuty/OpsGenie          Add-on               Built-in
Role-based access           Yes                  Yes (4 roles)
Data residency              On-prem appliance    On-prem agent
FlowSpec automation         Yes                  Yes
RTBH automation             Yes                  Yes
Typical deployment          6-12 weeks           Under 1 hour
Annual cost (50 nodes)      $150,000-$400,000+   $4,794 - $5,994
Hardware required           Yes (appliance)      No (software agent)

Flowtriq covers the same compliance requirements at a fraction of the cost. At $7.99/node/month on an annual plan (or $9.99/node/month billed monthly), a 50-node deployment costs $4,794 to $5,994 per year — compared to six figures for enterprise appliance-based solutions. The compliance artifacts are equivalent: audit logs, PCAP captures, incident reports, role-based access, and automated escalation.

Your auditor does not care whether your DDoS detection runs on a $200,000 appliance or a $7.99/month software agent. They care whether you can produce detection logs, incident timelines, and evidence of defined response procedures. Flowtriq provides all of these.

Case Study: Payment Processor PCI DSS Audit

Consider a mid-market payment processor operating 50 servers that handle card-present and card-not-present transactions. They process 2 million transactions per day and are preparing for their annual PCI DSS 4.0 assessment. Their QSA has flagged that the new Requirement 11.4 demands network-level intrusion detection at the CDE perimeter.

The compliance gap

Before deploying DDoS detection, this processor had a significant gap: no automated network-layer threat detection, no PCAP capture capability, and incident response that relied on Nagios availability checks and manual investigation. Their QSA identified three specific findings:

  1. Requirement 11.4: No intrusion-detection system monitoring traffic at the CDE perimeter.
  2. Requirement 10.2: Insufficient audit logging for network security events.
  3. Requirement 12.10: Incident response plan lacked defined procedures for network-layer attacks.

Deployment

The processor deploys Flowtriq agents on all 50 nodes. Deployment takes less than an hour — install the agent, configure the API key from the dashboard, and nodes begin reporting traffic data immediately. No hardware procurement, no rack space, no network redesign.

Compliance mapping

PCI DSS 4.0 Requirement    Flowtriq Capability
──────────────────────────────────────────────────────────────────────
11.4  IDS/IPS at perimeter   Per-second traffic analysis on every node
10.2  Audit logging          Full audit log (who, what, when, context)
10.7  Log retention          Configurable retention period
12.10 Incident response      4-tier auto-escalation + PagerDuty/OpsGenie
7.1   Access controls        4 roles: owner, admin, analyst, readonly
11.5  Change detection       Mitigation rule changes logged in audit trail

The audit

During the assessment, the QSA is given a readonly role in the Flowtriq workspace. They independently verify:

  • All 50 nodes are actively monitored with per-second detection.
  • The audit log shows 6 months of detection events, mitigation actions, and user activity.
  • Two DDoS incidents from the assessment period have complete incident reports with PCAP evidence.
  • Auto-escalation is configured with PagerDuty integration, mapping to the documented incident response plan.
  • Role-based access is enforced — the SOC team has analyst access, infrastructure team has admin, and management has readonly.

The three findings are closed. Total cost: $4,794/year on the annual plan. Time to compliance: under a day.

Cost breakdown

Item                           Cost
─────────────────────────────────────────────
50 nodes x $7.99/mo (annual)   $4,794/year
Hardware                       $0
Professional services          $0
Additional licenses            $0
─────────────────────────────────────────────
Total                          $4,794/year

Compliance Checklist: Framework Mapping

For CISOs and compliance teams evaluating DDoS detection solutions, here is how Flowtriq maps to each framework's key requirements:

PCI DSS 4.0

  • Req 7.1-7.3 (Access controls): Owner, admin, analyst, readonly roles with separation of duties.
  • Req 10.2-10.7 (Audit logging): Complete audit trail with who/what/when/context, configurable retention.
  • Req 11.4 (IDS/IPS): Per-second traffic analysis and attack detection at every monitored node.
  • Req 11.5 (Change detection): All configuration and mitigation rule changes logged.
  • Req 12.10 (Incident response): Automated escalation, PagerDuty/OpsGenie integration, incident reports.

SOC 2 (Trust Services Criteria)

  • CC6.1 (Logical access): Role-based access controls with four permission levels.
  • CC7.1 (Monitoring): Continuous per-second monitoring of all network traffic.
  • CC7.2 (Anomaly detection): Automated attack detection and classification (35+ attack types).
  • CC7.3 (Incident response): Defined escalation procedures, alerting integrations, notification logging.
  • CC7.4 (Incident analysis): PCAP captures, incident reports, and post-incident review data.
  • CC7.5 (Recovery): Auto-de-escalation ensures mitigation is removed when attacks end.

DORA

  • Art. 9 (ICT security): Network monitoring and anomaly detection capabilities.
  • Art. 10 (Detection): Real-time detection with sub-second response times.
  • Art. 11 (Response/recovery): 4-tier auto-escalation with automated mitigation and de-escalation.
  • Art. 17 (Incident reporting): Incident reports with timeline, impact, and evidence for regulatory filings.
  • Art. 28 (Third-party risk): On-prem agent reduces third-party dependency and concentration risk.

Getting Started

If your fintech company has an upcoming PCI DSS assessment, SOC 2 audit, or DORA compliance deadline, DDoS detection should be on your implementation list — not as a nice-to-have, but as a regulatory requirement.

Flowtriq deploys in under an hour, costs $7.99/node/month on the annual plan, and produces the audit artifacts your assessor will ask for. Start with a free 7-day trial — no credit card required — and have your compliance evidence ready before your next audit window.
