Different Tools for Different Problems
Kentik and Flowtriq are not direct competitors in the traditional sense. Kentik is a network observability platform that happens to include DDoS detection as one of its many modules. Flowtriq is a DDoS detection and forensics platform that does one thing and does it deep. Comparing them requires acknowledging this fundamental difference up front, because it shapes every tradeoff in the evaluation.
Kentik was founded in 2014 by former engineers from Netflix, Akamai, and Cloudflare. It built its reputation as a modern replacement for legacy NetFlow collectors, offering a cloud-based analytics engine that ingests flow data (NetFlow, sFlow, IPFIX, VPC Flow Logs), BGP data, SNMP, and streaming telemetry from network devices. Over time, Kentik has expanded into cloud observability, synthetic monitoring, performance management, and capacity planning. DDoS detection is a feature within this broader platform.
Flowtriq was built from the ground up for one purpose: detecting DDoS attacks on individual servers with maximum depth and minimum latency. It runs a per-server agent that monitors every packet, classifies attacks into eight families, captures PCAP evidence, and triggers firewall rules — all within one to two seconds of attack onset. It does not do network planning, cloud cost optimization, synthetic monitoring, or BGP analytics. It detects DDoS attacks and gives you everything you need to respond to them.
The question is not which product is "better" — it is which problem you are trying to solve and how deep you need to solve it.
What Kentik Does
Kentik's core value proposition is network-wide visibility. It ingests flow data from routers, switches, firewalls, and cloud VPC flow logs, enriches that data with BGP routing tables, GeoIP, and business metadata, and provides a query engine for ad hoc traffic analysis. If you want to answer questions like "which ASN is sending the most traffic to my CDN edge this week" or "what is the traffic split between IPv4 and IPv6 across my backbone," Kentik is built for that.
Kentik's DDoS detection module, called Kentik Protect, analyzes flow data for volumetric anomalies against baseline traffic profiles. When an attack is detected, Kentik can trigger automated mitigation through integrations with RTBH, Flowspec, scrubbing center APIs (Cloudflare, Akamai Prolexic, Radware), or custom webhooks. This is a meaningful capability for service providers and enterprises that need network-wide attack visibility and automated upstream mitigation orchestration.
Beyond DDoS, Kentik provides:
- Traffic analysis and reporting: Top talkers, application mix, traffic matrices, and trend analysis across your entire network.
- BGP analytics: Route origin monitoring, AS path analysis, peer traffic distribution, and ROA/RPKI validation.
- Cloud observability: VPC flow log ingestion for AWS, Azure, and GCP, with cross-cloud traffic visualization and cloud cost correlation.
- Synthetic monitoring: Active probes for latency, packet loss, and path analysis between distributed agents.
- Capacity planning: Interface utilization forecasting, growth trending, and what-if modeling for network upgrades.
- Network performance management: Application-level traffic analysis, latency attribution, and service-level monitoring.
This breadth is Kentik's strength. For network engineering teams that need a single platform for traffic analysis, BGP operations, capacity planning, and security monitoring, Kentik consolidates multiple tools into one. The DDoS detection module benefits from this context — Kentik can correlate an attack with routing changes, peer traffic shifts, or capacity constraints in ways that a standalone DDoS tool cannot.
What Flowtriq Does
Flowtriq focuses exclusively on DDoS detection, classification, forensics, and response. The agent runs on each server and monitors traffic at the host level with zero sampling — every packet header is inspected, traffic profiles are built at one-second resolution, and anomalies are detected against a continuously adapting baseline.
When an attack is detected, Flowtriq produces an incident record with:
- Attack classification across eight families (UDP flood, SYN flood, DNS amplification, NTP amplification, ICMP flood, HTTP flood, TCP ACK flood, multi-vector) with confidence scoring for each vector
- Per-second time series of PPS and Mbps for the full incident duration
- Source IP census — not sampled, exact — with AS number, country, and diversity metrics
- Target port and protocol breakdown
- Average packet size and packet size distribution
- PCAP file with pre-attack buffer, downloadable from the incident page
- Comparison against historical baseline showing deviation percentage
Alerts fire within one to two seconds of attack onset and are delivered through seven native channels: Discord, Slack, email, SMS, PagerDuty, OpsGenie, and custom webhooks. Auto-mitigation rules can trigger any of 22 action types based on attack classification, severity, target port, or custom conditions.
Flowtriq does not do network planning, BGP analytics, synthetic monitoring, or cloud cost analysis. It detects DDoS attacks on your servers and gives you every piece of data you need to understand, respond to, and document those attacks.
DDoS Detection: Depth Comparison
When you compare these products specifically on DDoS detection — the overlap point — the differences are significant and stem from the same architectural divergence: flow sampling versus per-packet monitoring.
Detection Granularity
Kentik ingests flow data at whatever export interval your network equipment provides — typically 10 to 60 seconds for NetFlow, 1 to 5 seconds for sFlow at common sampling rates. Kentik's anomaly detection runs on this flow data, meaning its effective detection resolution is bounded by the flow export cadence. For most deployments, Kentik detects attacks within 30 to 90 seconds of onset, depending on the flow source and detection algorithm configuration.
Flowtriq evaluates traffic every second with zero sampling. Detection latency is one to two seconds. For a 20-second attack, Flowtriq detects at second one and provides a full incident record with 20 seconds of per-second data. Kentik may detect the same attack at second 30-60, by which time the attack has already ended. This is not a theoretical difference — short-duration, high-intensity attacks are an increasingly common pattern, particularly in gaming, financial services, and competitive DDoS scenarios.
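To make the cadence argument concrete, here is an added simulation (not Flowtriq or Kentik code) that runs the same 20-second flood past two detectors: an unsampled per-second check on the host, and a collector that only sees 1:2000-sampled flow records when a 30-second export interval closes. The baseline rate, the attack rate, the 5x threshold and the timeline are constructed assumptions chosen to match the scenario in the text.

```python
"""Added example (not Flowtriq or Kentik code): a constructed simulation of why
flow-export cadence and sampling bound detection latency, compared with an
unsampled per-second check on the host. All rates, thresholds and the 1:2000
sampling ratio are assumptions chosen to match the scenario in the text."""
import math
import random

BASELINE_PPS = 2_000              # assumed normal inbound rate for the server
ATTACK_PPS = 200_000              # assumed flood rate
ATTACK_START, ATTACK_END = 5, 25  # attack occupies seconds 5..24 (20 seconds)
THRESHOLD = 5 * BASELINE_PPS      # alert when the rate exceeds 5x baseline


def packets_in_second(t):
    """Packets arriving during second t of the constructed timeline."""
    return ATTACK_PPS if ATTACK_START <= t < ATTACK_END else BASELINE_PPS


def per_second_incident(horizon=60):
    """Host-level detector: every packet counted, evaluated once per second.
    Returns the per-second (t, pps) series for the incident; its first entry
    is the second in which the alert fired."""
    return [(t, packets_in_second(t)) for t in range(horizon)
            if packets_in_second(t) > THRESHOLD]


def sampled_count(n_packets, sample_rate, rng):
    """Number of packets a 1:sample_rate sampler picks out of n_packets.
    Draws Binomial(n, 1/sample_rate) cheaply by jumping geometric gaps
    between sampled packets instead of rolling a die per packet."""
    p = 1.0 / sample_rate
    picked, index = 0, 0
    while True:
        index += int(math.log(1.0 - rng.random()) / math.log(1.0 - p)) + 1
        if index > n_packets:
            return picked
        picked += 1


def sampled_flow_detector(export_interval=30, sample_rate=2000, horizon=60, seed=7):
    """Collector-side detector: sampled flow records are only evaluated when an
    export interval closes. Returns (alert_time, estimated_pps) for the first
    alerting interval, or (None, None) if nothing crossed the threshold."""
    rng = random.Random(seed)
    for start in range(0, horizon, export_interval):
        picked = sum(sampled_count(packets_in_second(t), sample_rate, rng)
                     for t in range(start, start + export_interval))
        estimated_pps = picked * sample_rate / export_interval
        if estimated_pps > THRESHOLD:
            # the collector sees this only once the interval's export arrives
            return start + export_interval, estimated_pps
    return None, None


if __name__ == "__main__":
    series = per_second_incident()
    print(f"per-second: alert at t={series[0][0]}s, {len(series)} seconds of data")
    t_alert, est = sampled_flow_detector()
    print(f"sampled flow: alert at t={t_alert}s (attack ended at {ATTACK_END}s), "
          f"estimated {est:,.0f} pps averaged over the interval")
```

The per-second detector alerts in the attack's first second and keeps all 20 seconds of per-second data. The flow detector cannot alert before second 30, after the attack has ended, and its estimate is a 30-second average of a 20-second burst (roughly 134,000 pps here rather than the true 200,000), with sampling noise on top; change `seed` to see that spread.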
Attack Classification
Kentik's DDoS detection identifies attacks primarily by traffic volume anomaly and can provide protocol-level breakdown (TCP vs UDP vs ICMP) based on flow data. It does not perform deep attack family classification with confidence scoring. You can see that an attack was primarily UDP, but the distinction between a generic UDP flood, DNS amplification, NTP amplification, or CLDAP reflection requires packet-level analysis that flow data cannot provide — the sampled flow records do not contain enough payload information to differentiate amplification sources.
Flowtriq classifies attacks into eight families with confidence percentages by analyzing packet headers, port distributions, packet sizes, and traffic patterns at the host level. A DNS amplification attack is identified not just as "UDP traffic" but specifically as DNS amplification, because the agent can see the source port 53 responses, the characteristic packet sizes, and the spoofed-source IP pattern. This classification drives targeted mitigation — you can write rules that respond differently to DNS amplification versus SYN floods versus NTP reflection.
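The following added example (not Flowtriq's classifier) shows the kind of header-level classification the paragraph describes: each packet in a one-second window is matched against a per-family signature, the share of the window each family accounts for becomes its confidence, and the reported families drive a targeted response. The signatures, the 15% reporting threshold, the sample window and the scoring scheme are assumptions; the HTTP-flood rule in particular is a crude header-only heuristic.

```python
"""Added example (not Flowtriq code): a header-level attack-family classifier
with share-of-traffic confidence scores, plus the targeted host-local response
the text describes for two of the families. Signatures, thresholds and the
sample window are assumptions."""
from collections import Counter


def make_packet(proto, sport, dport, flags=(), size=60):
    """One constructed packet header record."""
    return {"proto": proto, "sport": sport, "dport": dport,
            "flags": frozenset(flags), "size": size}


# Signature per family; first match wins, so specific rules come before generic ones.
SIGNATURES = [
    ("dns_amplification", lambda p: p["proto"] == "udp" and p["sport"] == 53 and p["size"] >= 400),
    ("ntp_amplification", lambda p: p["proto"] == "udp" and p["sport"] == 123 and p["size"] >= 400),
    ("syn_flood", lambda p: p["proto"] == "tcp" and "SYN" in p["flags"] and "ACK" not in p["flags"]),
    ("tcp_ack_flood", lambda p: p["proto"] == "tcp" and p["flags"] == frozenset({"ACK"}) and p["size"] <= 60),
    # assumed heuristic: pushed payload toward a web port, indistinguishable from real clients by header alone
    ("http_flood", lambda p: p["proto"] == "tcp" and p["dport"] in (80, 443) and "PSH" in p["flags"] and p["size"] > 60),
    ("icmp_flood", lambda p: p["proto"] == "icmp"),
    ("udp_flood", lambda p: p["proto"] == "udp"),
]


def classify(packets, min_share=0.15):
    """Label each packet with the first matching family and report every family
    whose share of the window is at least min_share, as (family, confidence)
    pairs ordered by share. Two or more reported families also yield a
    'multi_vector' entry whose confidence is their combined share."""
    counts = Counter()
    for p in packets:
        for family, matches in SIGNATURES:
            if matches(p):
                counts[family] += 1
                break
    total = len(packets) or 1
    vectors = [(family, round(n / total, 3))
               for family, n in counts.most_common() if n / total >= min_share]
    if len(vectors) >= 2:
        vectors.append(("multi_vector", round(sum(conf for _, conf in vectors), 3)))
    return vectors


# The two responses come from the scenario in the text; the fallback is an assumed generic action.
RESPONSES = {
    "syn_flood": "enable SYN cookies on the target port",
    "dns_amplification": "rate-limit inbound UDP with source port 53",
}


def plan_response(vectors):
    """Map each reported family (other than the multi_vector summary) to a host-local action."""
    return [(family, RESPONSES.get(family, "rate-limit the offending protocol (generic)"))
            for family, _ in vectors if family != "multi_vector"]


def sample_window():
    """Constructed one-second window: 600 DNS amplification responses,
    300 SYN packets to port 443, and 100 packets of ordinary traffic."""
    pkts = [make_packet("udp", 53, 40000 + i, size=1200) for i in range(600)]
    pkts += [make_packet("tcp", 1024 + i, 443, flags=("SYN",)) for i in range(300)]
    pkts += [make_packet("tcp", 50000 + i, 443, flags=("PSH", "ACK"), size=500) for i in range(50)]
    pkts += [make_packet("udp", 4500, 4500, size=100) for _ in range(50)]
    return pkts


if __name__ == "__main__":
    vectors = classify(sample_window())
    for family, confidence in vectors:
        print(f"{family:<18} confidence {confidence:.0%}")
    for family, action in plan_response(vectors):
        print(f"{family}: {action}")
```

Note that legitimate resolver replies to the server's own DNS queries also arrive from source port 53, so a single matching packet proves nothing; the confidence is a share of the window, and the threshold is what keeps the ordinary traffic in the sample from being reported as a vector.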
PCAP and Packet-Level Evidence
Kentik does not capture or provide PCAP data. It is a flow analytics platform, and flow data is metadata about traffic, not the traffic itself. If you need packet captures for forensic analysis, abuse reports, or post-incident review, you need a separate solution alongside Kentik.
Flowtriq captures PCAP automatically for every detected incident, with a pre-attack buffer that preserves packets from before the attack trigger. This is a qualitative difference for incident response workflows. PCAP evidence transforms a DDoS report from "we saw elevated traffic" to "here are the actual packets, source IPs, and attack signatures" — which is the difference between your upstream provider taking your mitigation request seriously and sending you a template response.
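The pre-attack buffer is the part of this that a practitioner most often has to build by hand, so here is an added example (not Flowtriq code) of the buffering logic: a time-bounded ring of recent frames that, when detection fires, is flushed to the front of a libpcap file before the attack-phase frames are appended. The 10-second window, the frame contents and the timeline are constructed, and a minimal pcap reader is included so the output can be checked without external tools.

```python
"""Added example (not Flowtriq code): an in-memory packet ring buffer holding the
last N seconds of frames which, when an incident is triggered, writes a libpcap
file that begins with that pre-attack buffer. Window, frames and timeline are
constructed assumptions."""
import struct
from collections import deque
from io import BytesIO

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution libpcap, native byte order
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


class PreAttackCapture:
    def __init__(self, pre_window_s=10.0):
        self.pre_window_s = pre_window_s
        self._ring = deque()  # (ts, frame) pairs from the last pre_window_s seconds
        self._out = None      # BytesIO while an incident capture is open

    def observe(self, ts, frame):
        """Feed every frame here; it is buffered until an incident is open, then written."""
        if self._out is not None:
            self._write(ts, frame)
            return
        self._ring.append((ts, frame))
        self._trim(ts)

    def trigger(self, ts):
        """Detection fired at ts: open the capture and flush the pre-attack buffer first."""
        self._trim(ts)
        self._out = BytesIO()
        self._out.write(GLOBAL_HEADER)
        for old_ts, frame in self._ring:
            self._write(old_ts, frame)
        self._ring.clear()

    def finish(self):
        """Close the incident and return the complete pcap file bytes."""
        data, self._out = self._out.getvalue(), None
        return data

    def _trim(self, now):
        # drop frames that fell out of the pre-attack window
        while self._ring and self._ring[0][0] < now - self.pre_window_s:
            self._ring.popleft()

    def _write(self, ts, frame):
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        self._out.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        self._out.write(frame)


def read_pcap(data):
    """Minimal libpcap reader: returns [(timestamp, frame_bytes), ...]."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order microsecond pcap")
    offset, packets = 24, []
    while offset < len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        packets.append((sec + usec / 1_000_000, data[offset:offset + incl_len]))
        offset += incl_len
    return packets


def constructed_frame(label, n):
    """Fake Ethernet frame: 12 zero MAC bytes, EtherType 0x0800, then a text payload."""
    return b"\x00" * 12 + b"\x08\x00" + f"{label}-{n}".encode()


def demo():
    """Constructed timeline: one baseline frame per second from t=80 to t=99,
    detection at t=100, then ten attack-phase frames at t=100..109."""
    cap = PreAttackCapture(pre_window_s=10.0)
    for t in range(80, 100):
        cap.observe(float(t), constructed_frame("baseline", t))
    cap.trigger(100.0)
    for t in range(100, 110):
        cap.observe(float(t), constructed_frame("attack", t))
    return cap.finish()


if __name__ == "__main__":
    pkts = read_pcap(demo())
    print(f"{len(pkts)} frames written; first at t={pkts[0][0]:.0f}, trigger was t=100")
```

The file produced by `demo()` opens in any pcap tool and contains the ten seconds before the trigger followed by the attack phase. A production agent would feed `observe()` from a capture library, bound the ring by bytes as well as time, and cap the incident file size; the ordering guarantee (pre-attack frames first, written only once an incident is open) is the part shown here.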
The depth gap between flow-based and per-packet DDoS detection is not a vendor limitation — it is a physics constraint. Flow data is sampled metadata. Per-packet monitoring is a census. Both approaches have valid use cases, but for DDoS forensics and rapid response, the census wins.
Same Attack, Different Data: A Side-by-Side Scenario
Consider a multi-vector DDoS attack targeting a bare-metal server: an initial SYN flood at 200,000 PPS on port 443 for 15 seconds, followed by a DNS amplification wave at 500,000 PPS lasting 45 seconds, with a low-rate TCP ACK flood at 30,000 PPS persisting throughout. Total attack duration: 60 seconds.
Kentik: Flow data from the upstream router (sFlow at 1:2000 sampling) shows a traffic anomaly beginning approximately 30-45 seconds after attack onset. The anomaly is classified as elevated traffic to the target IP, with protocol breakdown showing mixed TCP and UDP. Peak magnitude is estimated from sampled flows. No distinction between the SYN flood phase, DNS amplification phase, and ACK flood component. No source IP census (sampled top talkers only). No PCAP. The alert fires via Slack integration, and the Kentik dashboard shows the event as a single traffic spike with aggregate metrics. An RTBH or scrubbing center trigger can be configured for automated response.
Flowtriq: Alert fires at second 1 when the SYN flood begins. Incident record shows three vectors: SYN Flood (confidence 91%, seconds 0-60, peak 203,411 PPS on port 443), DNS Amplification (confidence 97%, seconds 15-60, peak 512,384 PPS from source port 53), TCP ACK Flood (confidence 78%, seconds 0-60, steady 29,847 PPS). Each vector has its own source IP distribution — the SYN flood shows 847 source IPs across 12 ASNs, the DNS amplification shows 6,234 unique resolver IPs across 190+ ASNs, and the ACK flood shows 312 source IPs in 3 ASNs. PCAP captures the full 60-second attack plus 10 seconds of pre-attack baseline. Auto-mitigation applies SYN cookies on port 443 at second 1 and rate-limits inbound UDP from port 53 at second 16, keeping the server online for legitimate HTTPS traffic throughout the attack. Alerts sent to PagerDuty, Discord, and email within 3 seconds.
The difference is not just data volume — it is actionability. Kentik tells you an attack happened and approximately how big it was. Flowtriq tells you exactly what happened, when each phase started and stopped, where the traffic came from, and gives you the packet evidence to prove it. For incident response, forensics, and upstream mitigation requests, this depth determines whether your team can resolve the incident in minutes or hours.
Pricing Comparison
Kentik's pricing is enterprise-oriented and not publicly listed. Based on available market data and customer reports, typical Kentik deployments start at approximately $2,000-3,000 per month for smaller network environments and scale significantly higher for large networks with high flow volumes. Pricing is based on flow volume (flows per second ingested), the number of devices, and which modules are enabled. Enterprise contracts are typically annual with custom pricing. Kentik offers a free tier (Kentik Free) with limited data retention and features, suitable for evaluation but not production monitoring.
Flowtriq is $9.99 per node per month on monthly billing, or $7.99 per node per month on annual billing. All features are included on every node — classification, PCAP, firewall rules, all seven alert channels, full dashboard access. There are no feature tiers, no per-module pricing, and no volume-based scaling.
Cost comparison for a 30-node deployment:
- Kentik (estimated): $2,000-5,000+/month depending on flow volume, modules, and contract terms. Includes network observability, BGP analytics, capacity planning, synthetic monitoring, and DDoS detection. Annual contract typical.
- Flowtriq: $299.70/month ($239.70/month annual). DDoS detection only, but with full classification, PCAP, firewall rules, and all alert channels on every node. No minimum commitment on monthly billing.
The pricing comparison is misleading if taken at face value, because these products provide different value. Kentik's price includes an entire network observability platform — comparing its cost to a DDoS-only tool is like comparing the cost of an SUV to a motorcycle. The motorcycle is cheaper, but it does not carry a family of five. The relevant question is whether you need the SUV.
If your primary need is DDoS detection and you do not need network observability, traffic planning, BGP analytics, or synthetic monitoring, spending $2,000+/month on Kentik for DDoS detection that is less granular than what Flowtriq provides at $300/month is hard to justify. If you genuinely need the full observability platform, Kentik's DDoS module is a reasonable add-on to capabilities you are already paying for — but you should understand that its DDoS detection depth will not match a purpose-built tool.
Mitigation Capabilities
Kentik's mitigation approach focuses on orchestration. When Kentik Protect detects an attack, it can automatically trigger mitigation through integrations with upstream scrubbing services (Cloudflare Magic Transit, Akamai Prolexic, Radware DefensePro), BGP RTBH, or BGP Flowspec. Kentik acts as the brain that detects the attack and signals the mitigation infrastructure to act. This model works well for organizations that already have scrubbing service contracts and need automated activation.
Flowtriq's mitigation is host-local and immediate. The firewall rules system applies actions directly on the server where the attack is detected — iptables/nftables rules, rate limiting, traffic shaping, connection limits — within one to two seconds of detection. This does not replace upstream scrubbing for attacks that saturate your inbound bandwidth, but it handles the vast majority of attacks that reach the server without saturating the link. Flowtriq also supports webhook-based mitigation triggers for upstream orchestration, so it can signal scrubbing centers or SDN controllers when local mitigation is insufficient.
The practical difference: Kentik's mitigation requires external infrastructure (scrubbing services, BGP-capable routers) and introduces latency from the detection-to-orchestration-to-mitigation chain. Flowtriq's local mitigation is instant and self-contained but limited to what can be done at the host level. For organizations with scrubbing service contracts, Kentik's orchestration is valuable. For organizations that need fast, self-contained protection on each server, Flowtriq's local mitigation is more practical.
Deployment and Operational Overhead
Kentik deployment involves configuring flow exports from your network devices (routers, switches, firewalls), setting up BGP peering for routing visibility, configuring cloud integrations (VPC flow logs, cloud APIs), and deploying synthetic monitoring agents if desired. For organizations with mature network infrastructure and dedicated network engineering teams, this is standard work. For smaller teams or organizations without flow-exporting infrastructure, the prerequisite investment is significant.
Flowtriq deployment is a single command per server. The agent installs, auto-detects interfaces, builds a baseline, and starts detecting. Configuration and management are through the cloud dashboard. There are no network infrastructure prerequisites, no flow exports to configure, and no BGP sessions to establish. A 50-node deployment can be completed in an afternoon by a single engineer.
Ongoing operations follow the same pattern. Kentik requires flow health monitoring, BGP session management, capacity planning for flow ingestion, and periodic recalibration of detection thresholds across a potentially complex network topology. Flowtriq's dynamic baselines adapt automatically, and the operational surface is limited to the agent on each node and the cloud dashboard.
When to Choose Each
Choose Kentik when:
- Your primary need is network observability — traffic analysis, BGP analytics, capacity planning, performance monitoring — and DDoS detection is one requirement among many.
- You are a service provider, CDN, or large enterprise with flow-exporting infrastructure already in place and a network engineering team that needs a centralized analytics platform.
- You need network-wide attack visibility across hundreds of routers and thousands of prefixes, where per-server monitoring is not practical for every endpoint.
- You have existing scrubbing service contracts and need automated mitigation orchestration that integrates with Cloudflare, Akamai, or Radware APIs.
- Your budget supports enterprise platform pricing and you will use the broader observability features to justify the cost.
Choose Flowtriq when:
- Your primary need is DDoS detection and response, and you want the deepest possible detection on each server — one-second granularity, eight-family classification, confidence scoring, and PCAP.
- You need automatic PCAP capture for every incident without running separate tools or hoping to catch the capture window manually.
- You want host-local firewall rules that keep servers online during attacks, with 22 action types triggered by attack classification and severity.
- Your infrastructure is server-based (bare metal, VPS, cloud instances) without dedicated flow-exporting network equipment.
- You need predictable, transparent pricing at $9.99/node/month without enterprise sales cycles, annual commitments, or volume-based cost scaling.
- You want modern alert integrations (Discord, Slack, PagerDuty, OpsGenie, SMS, webhooks) natively, without middleware or custom development.
- You cannot justify $2,000+/month for a full observability platform when your specific problem is DDoS detection.
Using Both Together
For organizations that have Kentik or are evaluating it for network observability, adding Flowtriq alongside it is a legitimate architecture. Kentik provides the network-wide traffic analysis, BGP visibility, capacity planning, and aggregate DDoS detection at the infrastructure level. Flowtriq runs on critical servers to provide the per-host detection depth, attack classification, PCAP capture, and local firewall rules that flow-based detection cannot deliver.
In this model, Kentik is your network-wide observability layer and first-stage DDoS detection with scrubbing center orchestration. Flowtriq is your per-server deep detection layer with instant classification, forensic evidence, and host-local mitigation. Kentik catches large volumetric attacks across your network and triggers upstream scrubbing. Flowtriq catches every attack on each server — including the smaller or shorter attacks that flow sampling misses — classifies them, captures evidence, and applies targeted mitigation to keep the server running.
The two products do not conflict or duplicate effort in a meaningful way. Kentik looks at the network from the top down; Flowtriq looks at each server from the inside out. Together, they eliminate the detection blind spots that either product has alone.
The Bottom Line
Kentik is a best-in-class network observability platform. If you need comprehensive traffic analysis, BGP operations, capacity planning, and synthetic monitoring alongside DDoS detection, Kentik consolidates those needs into a single, powerful platform. Its DDoS detection is solid for network-wide volumetric attacks and integrates well with upstream scrubbing infrastructure. The tradeoff is enterprise pricing, flow-based detection limitations (sampling, latency, no classification depth, no PCAP), and operational complexity.
Flowtriq is purpose-built for DDoS detection and goes deeper on every detection and response dimension: one-second detection vs 30-60 seconds, eight-family classification vs volume anomaly, automatic PCAP vs no packet data, 22 firewall rule actions vs upstream orchestration, and $9.99/node/month vs $2,000+/month. The tradeoff is that Flowtriq does DDoS detection and nothing else — no traffic analysis, no BGP analytics, no capacity planning.
If DDoS detection is your primary problem, Flowtriq solves it with more depth at a fraction of the cost. If network observability is your primary problem and DDoS is one of many requirements, Kentik is the broader platform. If you need both depth and breadth, run both — they complement each other naturally.