Why This Comparison Exists

Cloudflare is mentioned in nearly every DDoS protection conversation, and for good reason. With a global anycast network spanning over 310 data centers and an estimated 321 Tbps of network capacity, Cloudflare operates one of the largest traffic-scrubbing networks on the planet. Their free tier includes basic DDoS protection, and their paid plans add WAF rules, rate limiting, bot management, and increasingly sophisticated L7 filtering. For many organizations, Cloudflare is the first line of defense they deploy.

Flowtriq occupies an entirely different position in the stack. It is a lightweight detection agent that runs on your servers, monitors traffic at the network interface level, classifies attacks in real time, captures forensic PCAP data, and sends alerts through multiple channels within seconds. It does not absorb or scrub traffic. It does not sit in the traffic path at all.

This is not a contest between two products fighting for the same budget line. They solve different problems with different architectures. The question is not which one to buy — it is whether you understand what each one does and does not do, and whether you have the visibility gaps that Flowtriq was built to fill.

How Cloudflare DDoS Protection Works

Cloudflare operates as a reverse proxy. When you put your domain behind Cloudflare, your DNS records point to Cloudflare's IP addresses instead of your origin server's. All traffic destined for your domain passes through Cloudflare's network first. Their systems inspect, filter, and forward legitimate traffic to your origin. Attack traffic is dropped at the edge before it reaches you.

This architecture gives Cloudflare several powerful advantages:

  • Massive absorption capacity: 321 Tbps of network capacity means they can absorb volumetric attacks that would saturate any single server or datacenter link. Multi-terabit attacks are within their operating envelope.
  • Layer 7 intelligence: Because they terminate HTTP/HTTPS connections, Cloudflare can inspect request headers, query parameters, cookie behavior, and JavaScript execution — allowing sophisticated bot detection and application-layer filtering.
  • Global anycast distribution: Attack traffic is absorbed at the nearest Cloudflare PoP, distributing the load across 310+ locations rather than concentrating it at your origin.
  • WAF integration: Custom rules, managed rulesets, rate limiting, and browser integrity checks operate in the same pipeline as DDoS mitigation.
  • Free tier availability: Basic DDoS protection is included on all plans, including the free plan. This is a genuine advantage for small sites and startups.

Cloudflare's DDoS mitigation is unmetered — they do not charge based on attack size. This is important because some scrubbing services charge per-gigabit overage fees that can become expensive during sustained attacks.

Let us be clear: Cloudflare's DDoS mitigation capacity is exceptional. For HTTP/HTTPS workloads behind their proxy, the volumetric protection is among the best available at any price point. This comparison is not about questioning that capability.

What Cloudflare Cannot See

Cloudflare's architecture creates a fundamental blind spot: it only protects traffic that flows through its proxy. This means several categories of attack traffic are invisible to Cloudflare.

Direct-to-Origin Attacks

If an attacker discovers your origin server's real IP address — through historical DNS records, SSL certificate transparency logs, email headers, server-side request forgery, or any number of information leakage vectors — they can send attack traffic directly to your origin, bypassing Cloudflare entirely. Cloudflare's network never sees this traffic, so it cannot mitigate it. Your server absorbs the full impact.

Origin IP exposure is more common than most people realize. Services like Censys, Shodan, and SecurityTrails maintain historical DNS databases that often contain pre-Cloudflare IP records. If your server sends outbound email, SMTP headers may reveal the origin IP. If your application makes outbound HTTP requests (webhooks, API calls, fetching remote resources), the destination can log your real IP. Server-side vulnerabilities that trigger outbound connections (SSRF) can also leak the origin.

Cloudflare themselves acknowledge this risk and recommend using Cloudflare Tunnel (formerly Argo Tunnel) to lock down origin access. But many organizations proxy their domains through Cloudflare without implementing strict origin lockdown, leaving themselves exposed to direct-to-origin attacks that Cloudflare cannot protect against.

Non-HTTP/HTTPS Protocol Attacks

Cloudflare's standard DDoS protection operates on HTTP and HTTPS traffic. If your servers run game servers (UDP-based), voice/video services (RTP, SIP), DNS authoritative servers, custom TCP protocols, or any other non-HTTP service, those ports and protocols are not covered by the standard reverse proxy. Cloudflare Spectrum extends protection to arbitrary TCP and UDP protocols, but it is only available on Enterprise plans and requires additional configuration per port.

For organizations running mixed workloads — web applications alongside game servers, voice infrastructure, or custom protocols — the standard Cloudflare plan leaves significant gaps.

Internal and Lateral Attack Traffic

Cloudflare sits at the network edge. It cannot see traffic between your servers within a datacenter, traffic from compromised internal hosts, or traffic that arrives through VPN tunnels, direct peering arrangements, or private network interconnects. If your infrastructure spans multiple providers or includes on-premises equipment with private connectivity, Cloudflare has no visibility into those traffic paths.

What Flowtriq Sees That Cloudflare Does Not

Flowtriq's detection agent runs on the server itself, monitoring traffic at the network interface. This means it sees every packet that arrives at the server, regardless of how it got there — through Cloudflare, direct to origin, through a VPN, from internal hosts, or through any other network path.

This architectural difference translates into several concrete capabilities that Cloudflare does not provide:

  • Direct-to-origin attack detection: If attack traffic bypasses Cloudflare and hits your server directly, Flowtriq detects it, classifies it, and alerts your team within seconds. This is the single most important gap Flowtriq fills for Cloudflare users.
  • Per-server traffic visibility: Flowtriq gives you per-server PPS and Mbps metrics with per-second granularity. Cloudflare's analytics show aggregate traffic at the domain or zone level — useful for capacity planning but not for identifying which specific server is taking the hit.
  • Attack classification with confidence scoring: Flowtriq classifies attacks by type — SYN flood, UDP flood, DNS amplification, NTP amplification, ICMP flood, HTTP flood, TCP ACK flood, and multi-vector combinations — with a confidence percentage. Cloudflare's security events log shows mitigation actions but does not provide the same level of attack-type granularity at the server level.
  • PCAP forensics: Flowtriq captures a PCAP file of the first 60 seconds of every detected attack. This packet-level data is invaluable for post-incident analysis, for proving to upstream providers what you are experiencing, and for identifying attack signatures that can inform future filtering rules. Cloudflare does not provide PCAP downloads.
  • Multi-channel alerting: Flowtriq sends alerts through Discord, Slack, email, SMS, PagerDuty, OpsGenie, and custom webhooks — within seconds of detection. Cloudflare's alerting is primarily email-based through their notification system, with webhook support on Business and Enterprise plans. Real-time Discord and Slack integration is not a native Cloudflare feature.
  • Source IP analysis: Flowtriq's incident reports include top source IPs, source AS numbers, source country distribution, and source diversity scoring. This data helps your team understand the attack infrastructure, identify botnet characteristics, and make informed decisions about upstream filtering or law enforcement reporting.

Side-by-Side: Same Attack, Different Data

Consider a realistic scenario: an attacker sends a 180-second UDP flood at 420,000 PPS directly to your origin server's IP address, bypassing Cloudflare. Here is what each product provides.

Cloudflare: Nothing. The traffic never touched Cloudflare's network. Their dashboard shows normal traffic patterns. No alert is generated. No mitigation occurs. Your origin server absorbs the full 420,000 PPS for 180 seconds. If you do not have independent monitoring, you learn about the attack only when users report service degradation or your server monitoring tools show resource exhaustion.

Flowtriq: Alert fires at second 2. Incident record shows: attack type UDP Flood (confidence 96%), duration 180 seconds, peak 423,811 PPS at 14:22:47 UTC, 847 unique source IPs across 34 ASNs, top source countries CN (31%), BR (18%), RU (14%), target port 443, average packet size 78 bytes. A 60-second PCAP is available for download. Alerts were sent to Discord, Slack, and PagerDuty before the attack reached 5 seconds of duration.

Now consider the reverse: a large HTTP flood hits your domain through Cloudflare at 2.1 million requests per second.

Cloudflare: The attack is detected and mitigated at the edge. Their security analytics show the event, including the mitigation rule that triggered, the number of requests blocked, and aggregate source geography. The attack never reaches your origin. Cloudflare handled it fully.

Flowtriq: Minimal or no traffic spike observed at the server level, because Cloudflare absorbed it before it reached the origin. Flowtriq may see a brief baseline deviation if any attack requests leaked through, but the primary mitigation credit goes entirely to Cloudflare.

This is the honest picture. Each product has scenarios where it is the right tool and scenarios where it is irrelevant. The question is whether you have coverage for both scenarios.
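The direct-to-origin case above can be sketched as origin-side detection logic. This is an added example, not Flowtriq's code: it counts per-second packets whose source is outside the proxy's ranges and raises an incident when that rate stays above a threshold. The record format, the function names, the threshold and the scaled-down sample traffic are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Subset of Cloudflare's published IPv4 ranges; load the full current list
# from https://www.cloudflare.com/ips/ in a real deployment.
PROXY_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]

def via_proxy(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PROXY_RANGES)

def _summarize(run, pps, srcs, protos):
    """Build one incident record from a run of consecutive hot seconds."""
    proto_mix = sum((protos[t] for t in run), Counter())
    return {
        "start": run[0],
        "duration_s": len(run),
        "peak_pps": max(pps[t] for t in run),
        "unique_sources": len(set().union(*(srcs[t] for t in run))),
        "dominant_proto": proto_mix.most_common(1)[0][0],
    }

def direct_origin_alerts(packets, pps_threshold, min_seconds=2):
    """packets: (epoch_second, src_ip, proto, dst_port); alert on sustained non-proxy PPS."""
    pps, srcs, protos = Counter(), defaultdict(set), defaultdict(Counter)
    for ts, src, proto, _dport in packets:
        if via_proxy(src):
            continue  # arrived through the proxy: the edge already saw it
        pps[ts] += 1
        srcs[ts].add(src)
        protos[ts][proto] += 1
    hot = sorted(ts for ts, n in pps.items() if n > pps_threshold)
    alerts, run = [], []
    for ts in hot + [None]:  # None is a sentinel that flushes the last run
        if run and ts is not None and ts == run[-1] + 1:
            run.append(ts)
            continue
        if len(run) >= min_seconds:
            alerts.append(_summarize(run, pps, srcs, protos))
        run = [] if ts is None else [ts]
    return alerts

def sample_packets():
    """Constructed capture: proxied HTTPS, a 4 s direct UDP flood, a 1 s blip."""
    pkts = []
    for ts in range(10):
        pkts += [(ts, "104.16.0.%d" % (i % 250 + 1), "tcp", 443) for i in range(50)]
    for ts in range(3, 7):
        pkts += [(ts, "203.0.113.%d" % (i % 200 + 1), "udp", 443) for i in range(500)]
    pkts += [(8, "198.51.100.7", "udp", 443)] * 300
    return pkts
if __name__ == "__main__":
    print(direct_origin_alerts(sample_packets(), pps_threshold=200))
```

With the constructed sample, only the four-second flood from non-proxy sources produces an incident; the proxied baseline and the one-second blip do not.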

Pricing Comparison

Cloudflare's pricing is zone-based, not per-server. Their plans as of early 2026:

  • Free: Basic DDoS protection, limited WAF rules, no advanced analytics. Suitable for personal sites and small projects.
  • Pro ($20/month/zone): Enhanced WAF, basic bot management, faster support. Includes DDoS protection with some analytics.
  • Business ($200/month/zone): Custom WAF rules, advanced DDoS analytics, SLA guarantees, priority support.
  • Enterprise (custom pricing): Full feature set including Spectrum for non-HTTP protocols, advanced bot management, dedicated support, and custom configurations. Typically $5,000-$15,000+/month depending on requirements.

Flowtriq's pricing is per-server:

  • $9.99/node/month on monthly billing
  • $7.99/node/month on annual billing ($95.88/node/year)
  • 7-day free trial on all plans

A typical deployment of 15 servers with Flowtriq costs $149.85/month or $119.85/month on annual billing. This is less than a single Cloudflare Business zone, but the comparison is misleading because they serve different purposes. Cloudflare's value proposition is traffic scrubbing and CDN performance — Flowtriq's is detection visibility and forensics. You would not replace Cloudflare with Flowtriq or vice versa any more than you would replace a firewall with a security camera.

The more relevant pricing question is: what does it cost to add Flowtriq on top of your existing Cloudflare deployment? For most organizations, the answer is a modest addition to the security budget that fills a significant visibility gap.

Hybrid Deployment: Running Cloudflare + Flowtriq Together

The strongest security posture uses both products in their respective roles. Here is how this works in practice:

Cloudflare handles:

  • Volumetric L3/L4 absorption at the network edge — multi-terabit capacity that no single origin server could survive
  • L7 HTTP/HTTPS filtering — WAF rules, rate limiting, bot detection, JavaScript challenges
  • CDN and performance optimization — caching, minification, image optimization, Argo smart routing
  • SSL/TLS termination and certificate management
  • DNS resolution and DNSSEC

Flowtriq handles:

  • Detecting attacks that bypass Cloudflare and reach the origin directly — the critical blind spot
  • Per-server traffic monitoring with per-second granularity — seeing exactly what hits each server
  • Attack classification and confidence scoring — knowing what type of attack you are dealing with in seconds
  • PCAP capture and forensics — packet-level evidence for incident response, upstream provider communication, and post-mortem analysis
  • Multi-channel real-time alerting — Discord, Slack, PagerDuty, OpsGenie, SMS, email, and webhooks
  • Coverage for non-HTTP services — game servers, voice/video, custom protocols on any port
  • Coverage for infrastructure not behind Cloudflare — bare-metal servers, internal services, private network segments

In this model, Cloudflare is the shield and Flowtriq is the sensor array. Cloudflare absorbs what it can see. Flowtriq detects and reports on everything that reaches the server, including traffic Cloudflare never touched.

A Cloudflare deployment without origin-level monitoring is like a castle with a moat but no watchtower. The moat stops most threats, but you need to know about the ones that find a way through — and you need to know immediately.

When to Use Each Product

Cloudflare is the right choice when:

  • You need to absorb large volumetric attacks that would overwhelm your origin server or datacenter uplink. No per-server agent can substitute for upstream scrubbing capacity.
  • Your primary workload is HTTP/HTTPS and you need L7 inspection, WAF rules, and bot management.
  • You want CDN performance benefits alongside DDoS protection.
  • You are on a tight budget and need free-tier DDoS protection for a small site.

Flowtriq is the right choice when:

  • You need to detect attacks that bypass your upstream protection and reach the server directly.
  • You need per-server, per-second visibility into traffic patterns and attack characteristics.
  • You need PCAP evidence for incident response, compliance, or upstream provider communication.
  • You run non-HTTP services (game servers, DNS, VoIP, custom protocols) that Cloudflare's standard plans do not cover.
  • You need real-time alerts through Discord, Slack, PagerDuty, or other channels beyond email.
  • Your infrastructure includes servers that are not behind Cloudflare — bare metal, multi-cloud, or on-premises.

Use both when:

  • You run production infrastructure where downtime has material business impact.
  • Your threat model includes targeted attackers who may discover and attack your origin IPs.
  • You need both mitigation capacity (Cloudflare) and detection depth (Flowtriq).
  • Compliance or incident response requirements demand packet-level forensic data that Cloudflare does not provide.

Common Misconceptions

"Cloudflare protects everything." Cloudflare protects traffic that flows through their network. If traffic reaches your server through any other path — direct IP, VPN, internal network — Cloudflare never sees it. This is not a criticism of Cloudflare; it is an architectural fact of how reverse proxies work.

"If I use Cloudflare, I do not need server-level monitoring." This is the most dangerous assumption. Cloudflare dramatically reduces the attack surface, but does not eliminate it. Origin IP discovery is an active area of attacker research, and techniques for bypassing CDN protection are well-documented in security literature. Server-level monitoring is your last line of visibility.

"Flowtriq can replace Cloudflare." No. Flowtriq is a detection and alerting platform, not a mitigation service. It cannot absorb a 500 Gbps volumetric attack — no per-server agent can. What it can do is detect the attack in 2 seconds, classify it, capture forensic evidence, and alert your team through the right channels so they can respond. Mitigation and detection are complementary functions.

"Cloudflare's analytics give me all the data I need." Cloudflare's analytics are excellent for understanding traffic patterns at the CDN layer. They do not give you per-server PPS metrics, packet-level forensic captures, source IP analysis for direct-to-origin attacks, or real-time alerting through operational channels like Discord and PagerDuty. Different data, different purpose.

The Practical Reality

Most organizations that contact us about Flowtriq are already using Cloudflare. They come to us not because Cloudflare failed, but because they discovered a gap. Sometimes it is a direct-to-origin attack that Cloudflare never saw. Sometimes it is an incident response situation where they needed PCAP data that did not exist. Sometimes it is a game server or voice service running on UDP that their Cloudflare plan does not cover.

The pattern is consistent: Cloudflare handles the upstream scrubbing and L7 filtering well. Flowtriq fills the visibility gap at the server level. Neither product is redundant in this configuration because they monitor different points in the traffic path and provide different types of data.

If you are currently running Cloudflare without any origin-level detection, you have a blind spot. It may never be exploited. But if it is, you will not know about it until your users tell you — and by then, you will be doing incident response without any forensic data.

Flowtriq was built specifically to close that gap. Not to replace Cloudflare, but to see what Cloudflare cannot.
