Back to Blog

The Revenue Opportunity

Most SMBs know they need DDoS protection but lack the expertise and tooling to implement it. They rely on their MSP to solve that problem. This creates a natural revenue opportunity: you provide the service, and they pay a monthly fee that covers detection, mitigation, and 24/7 monitoring.

Flowtriq charges $9.99 per node per month ($7.99/node on an annual plan). As an MSP, you mark that up to whatever the market supports. A common model is to charge clients $25-$50 per node per month for a fully managed DDoS protection service. At 300 nodes across 50 clients, that is $7,500-$15,000 in monthly revenue against a Flowtriq cost of roughly $2,400-$3,000 (depending on monthly vs annual billing). Your margin sits comfortably between 60% and 80%.

The economics get even better on annual billing. Locking your clients into 12-month contracts while paying Flowtriq's annual rate ($7.99/node) maximizes your margin per node. And because Flowtriq includes unlimited seats per workspace, you do not pay extra for your NOC analysts, your client's IT team, or anyone else who needs dashboard access.

Unlimited seats: Flowtriq's billing is strictly per-node. Add as many team members as you need to each client workspace - your NOC staff, the client's IT team, escalation contacts - at no additional cost. This makes the per-node pricing predictable and easy to resell.

Multi-Tenant Architecture: One Platform, Many Clients

Flowtriq is built around workspaces. Each workspace is a fully isolated tenant with its own nodes, incidents, analytics, escalation policies, notification channels, and team members. As an MSP, you create one workspace per client. Your NOC analysts can be members of every workspace, while each client's IT contacts see only their own data.

The workspace model gives you clean separation:

  • Data isolation: Each client's traffic data, incident history, PCAP captures, and analytics are scoped to their workspace. Client A cannot see Client B's data, even if your NOC analysts can see both.
  • Role-based access: Each workspace supports four roles - owner, admin, analyst, and readonly. You hold owner/admin on every workspace. Your client's IT lead gets analyst or readonly access depending on their involvement.
  • Independent configuration: Detection thresholds, escalation policies, mitigation rules, and maintenance windows are all per-workspace. A gaming client with aggressive thresholds does not affect a healthcare client with conservative ones.
  • Workspace switcher: Your NOC analysts switch between client workspaces with a single click in the dashboard top bar. No logging out, no separate accounts - one login, all workspaces.

White-Label Potential

Every workspace has its own name, and all alerts, reports, and notifications are scoped to that workspace. When a client receives an incident alert email, it references their workspace name and their infrastructure. You can name workspaces to match your branding or the client's company name - whichever aligns with how you position the service.

Reports generated from the dashboard carry the workspace name and can be exported as PDFs for client-facing reviews. This makes it straightforward to deliver branded monthly security reports without manual effort.

Per-Client Escalation Policies and Notification Channels

Every client has different escalation requirements. A financial services client may need PagerDuty alerts that wake up on-call staff at 2 AM. A small e-commerce client may only need a Slack message in their channel. Flowtriq handles this with per-workspace notification channels and escalation policies.

You configure each workspace independently:

  • Notification channels: Email, Slack, Discord, SMS, PagerDuty, OpsGenie, and generic webhooks. Each workspace gets its own set of channels. Point Client A's alerts to their Slack channel and your NOC's PagerDuty. Point Client B's alerts to their IT lead's email and your NOC's OpsGenie.
  • Escalation policies: Define who gets notified, when, and how urgently. Set initial notification, repeat intervals, and escalation to secondary contacts if the incident is not acknowledged within a defined window.
  • Maintenance windows: Schedule maintenance windows per client to suppress alerts during planned downtime. No more false-alarm pages at 3 AM because a client rebooted their router.

A common MSP pattern: configure two notification channels per client workspace. The first sends alerts to the client's preferred channel (Slack, email, or Teams via webhook). The second sends the same alerts to your internal NOC channel. This ensures your team always sees every incident, regardless of the client's notification preferences.

4-Level Auto-Escalation

Flowtriq's automatic escalation chain is what makes the service truly hands-off for most incidents. When an attack is detected, Flowtriq escalates through four progressive mitigation tiers:

  1. Tier 1 - Local firewall: iptables/nftables rules deployed directly on the target node. Handles small attacks (under 100 Kpps) without involving the network layer. Fast, surgical, zero collateral impact.
  2. Tier 2 - BGP FlowSpec: Surgical traffic filtering rules injected via BGP to upstream routers. Stops attack traffic at the network edge while keeping the target IP fully reachable. Effective for attacks with identifiable protocol/port/packet-size signatures.
  3. Tier 3 - RTBH (Remotely Triggered Black Hole): Full blackhole of the target IP when FlowSpec cannot contain the attack. Used when volume exceeds link capacity or traffic is too generic to filter surgically.
  4. Tier 4 - Cloud scrubbing: Traffic diversion to a cloud-based scrubbing service for deep inspection. The last resort for massive, sophisticated attacks that require application-layer analysis.

Each tier's thresholds are configurable per workspace. A client running latency-sensitive game servers might escalate from Tier 1 to Tier 2 at 50 Kpps, while a client hosting static content might tolerate 200 Kpps before escalation. You tune these thresholds during onboarding and adjust them as you learn each client's traffic patterns.

Tier   Method              Trigger (typical)     Impact on Legit Traffic
────────────────────────────────────────────────────────────────────────────
 1     Local firewall      < 100 Kpps            None
 2     BGP FlowSpec        100 Kpps - 5 Mpps     None (surgical filtering)
 3     RTBH blackhole      5 Mpps - 50 Mpps      Target IP goes offline
 4     Cloud scrubbing     > 50 Mpps             Minimal (scrubbing latency)

Escalation is bidirectional. When attack volume drops below a tier's threshold, Flowtriq automatically de-escalates - removing the blackhole, then the FlowSpec rules, then the host-level filters. Stale mitigation rules do not linger and silently block legitimate traffic.

How to Price Your DDoS Protection Service

Pricing a managed DDoS protection service comes down to three factors: your cost basis (Flowtriq's per-node fee), the value to the client, and what the market supports. Here is a framework:

Cost Basis

Billing Cycle     Flowtriq Cost/Node     Your Price/Node     Margin/Node
──────────────────────────────────────────────────────────────────────────
Monthly           $9.99                  $25 - $50           60% - 80%
Annual            $7.99                  $25 - $50           68% - 84%

Annual billing with Flowtriq while charging clients monthly gives you the best margin. If your clients also commit to annual contracts, you can offer a small discount (say $22/node/month on a 12-month agreement) and still maintain 72%+ margin.

Tiered Pricing Model

Many MSPs bundle DDoS protection into service tiers rather than selling it as a standalone line item. For example:

  • Basic monitoring: $15/node/month. Detection and alerting only. Client gets notified of attacks but mitigation is manual (your NOC responds).
  • Standard protection: $30/node/month. Detection + automatic Tier 1 and Tier 2 mitigation. Most attacks are handled without human intervention.
  • Premium protection: $50/node/month. Full 4-tier auto-escalation, priority NOC response, monthly security reports, and quarterly threshold reviews.

This tiered model lets you capture different client segments. A 5-node startup pays $150/month for standard protection. An enterprise with 40 nodes pays $2,000/month for premium. Your Flowtriq cost for those 45 nodes is $360/month (annual billing), giving you $1,790 in gross margin from just two clients.

Volume leverage: Your cost with Flowtriq stays flat at $7.99-$9.99 per node regardless of volume. As you grow from 50 to 500 nodes, your margin percentage stays the same or improves (through annual billing), while your absolute margin grows linearly. There are no volume-based pricing tiers to negotiate.

Client Onboarding Workflow

Onboarding a new client onto your DDoS protection service follows a repeatable process. Here is the step-by-step workflow:

Step 1: Create the Workspace

Create a new workspace in Flowtriq named after the client (or your white-label brand). This gives the client a fully isolated environment with its own nodes, incidents, analytics, and settings.

Step 2: Invite Team Members

Invite your NOC analysts as admins. Invite the client's IT contacts with analyst or readonly roles, depending on how involved they want to be. Flowtriq sends branded invite emails with a one-click accept flow. If the invitee does not have a Flowtriq account, they create one during acceptance and are automatically added to the workspace.

Step 3: Deploy the Agent

Deploy the Flowtriq agent on each node you are protecting. The agent is a lightweight daemon that monitors traffic patterns and reports to the Flowtriq platform. Installation is a single command using the workspace's API key:

# Install the Flowtriq agent on a client node
pip install ftagent --break-system-packages
sudo ftagent --setup

For clients with configuration management (Ansible, Puppet, Chef, Terraform), provide the API key as a variable and deploy the agent across all nodes in one run.

Step 4: Configure Detection Thresholds

Set per-node or workspace-wide thresholds based on the client's normal traffic patterns. Flowtriq's baseline learning period (typically 24-48 hours) helps establish what "normal" looks like for each node. After the baseline period, tune the thresholds to minimize false positives while catching real attacks.

Step 5: Set Up Escalation Policies

Configure notification channels (Slack, PagerDuty, email, etc.) and escalation policies. Define who gets notified at each severity level and how quickly the system escalates to the next mitigation tier.

Step 6: Configure Mitigation Rules

Set up auto-mitigation rules in the dashboard. Define which attack types trigger automatic response, which tiers are available for this client (some clients may not have FlowSpec-capable upstreams), and any approval requirements before escalation.

Step 7: Verify and Hand Off

Run a test to verify detection and alerting work end-to-end. Confirm the client's team can access the dashboard and see their nodes. Document the escalation contacts and response SLAs. The client is live.

NOC Integration

For MSPs running a 24/7 NOC, Flowtriq integrates with the tools your analysts already use:

  • PagerDuty: Create a PagerDuty service per client. Flowtriq sends incidents directly to the correct service, triggering your on-call rotation. When Flowtriq auto-mitigates, the incident is tagged as auto-resolved.
  • OpsGenie: Same pattern as PagerDuty. Each client workspace points to a different OpsGenie team or service, ensuring the right on-call analyst is paged.
  • Slack: Create a Slack channel per client (e.g., #noc-clientname-ddos). Flowtriq sends real-time incident notifications including attack type, volume, target IP, and mitigation status. Your analysts monitor a single Slack workspace with per-client channels.
  • Discord: If your NOC or client community uses Discord, Flowtriq supports webhook-based notifications to any Discord channel.
  • Email: Branded incident alerts sent to any email address. Useful for clients who prefer inbox notifications over chat tools.
  • SMS: For critical alerts that need to reach someone immediately, regardless of whether they are at a computer.
  • Generic webhooks: For integration with any other tool - ITSM platforms, custom dashboards, ticketing systems, or SIEM solutions. Send JSON payloads to any HTTP endpoint.

Use webhooks to automatically create tickets in your PSA (ConnectWise, Autotask, Halo, etc.) when Flowtriq detects an incident. This keeps your ticketing system in sync with DDoS events and gives you a clean audit trail for client billing and SLA reporting.

Case Study: 50 Clients, 300 Nodes

Let us walk through a realistic scenario. You are an MSP managing 50 clients with a total of 300 nodes across their infrastructure.

Infrastructure Breakdown

Client Segment          Clients     Avg Nodes/Client     Total Nodes
──────────────────────────────────────────────────────────────────────
Small business          30          3                    90
Mid-market              15          8                    120
Enterprise              5           18                   90
──────────────────────────────────────────────────────────────────────
Total                   50          6 avg                300

Revenue Model

Segment         Nodes    Your Price/Node    Monthly Revenue    Flowtriq Cost*
────────────────────────────────────────────────────────────────────────────────
Small biz       90       $25/node           $2,250             $719
Mid-market      120      $35/node           $4,200             $959
Enterprise      90       $50/node           $4,500             $719
────────────────────────────────────────────────────────────────────────────────
Total           300                         $10,950            $2,397
                                            Gross margin:      $8,553 (78%)

* Flowtriq annual billing at $7.99/node/month

That is $8,553 in monthly gross margin - over $102,000 annually - from a service that runs almost entirely on autopilot. The 4-tier auto-escalation handles most incidents without NOC intervention. Your analysts spend their time on threshold tuning, monthly reporting, and the occasional manual investigation for complex attacks.

Operational Overhead

With 300 nodes, you can expect roughly 20-40 incidents per month across all clients (depending on how exposed their infrastructure is). Of those, 80-90% are automatically mitigated by Tier 1 and Tier 2 escalation. Your NOC manually reviews the remaining 2-8 incidents per month, most of which are already mitigated by the time an analyst looks at them.

The operational overhead is low enough that you do not need a dedicated DDoS analyst. Your existing NOC team handles DDoS alongside their other responsibilities. The Flowtriq dashboard and Slack/PagerDuty integration keeps them informed without requiring proactive monitoring.

Billing and Licensing

Flowtriq's billing model is built for MSPs:

  • Per-node pricing: You pay only for the nodes you deploy. No minimum commitments, no platform fees, no per-user charges. Add nodes as clients grow, remove them when they churn.
  • Unlimited seats: Every workspace supports unlimited team members at no extra cost. Add your NOC analysts, the client's IT team, their CTO - it does not change your bill.
  • Annual discount: $7.99/node/month on annual billing vs $9.99/month-to-month. That 20% savings goes straight to your margin if you charge clients the same rate regardless of your billing cycle.
  • 7-day free trial: Every new workspace starts with a 7-day free trial. Use this to onboard clients with zero upfront cost - let them see the value before they commit.
  • No bandwidth charges: Unlike cloud scrubbing providers that charge per Gbps of clean traffic, Flowtriq's pricing is strictly per-node. A node handling 100 Mbps costs the same as one handling 10 Gbps.

Billing Your Clients

You handle client billing through your own invoicing. Flowtriq does not bill your clients directly. This means you control the relationship, the pricing, and the payment terms. Most MSPs add DDoS protection as a line item on their existing monthly invoices alongside other managed services.

For clients who want to see usage data, the Flowtriq dashboard provides per-node uptime, incident counts, and traffic volume that you can reference in your invoices or monthly reports.

Getting Started

Adding DDoS protection to your MSP portfolio does not require building new infrastructure, hiring specialized staff, or negotiating complex vendor contracts. Flowtriq gives you the platform; you provide the service wrapper, the client relationships, and the NOC oversight.

Start by onboarding one or two clients to prove the model. Create their workspaces, deploy agents, configure escalation policies, and set up your NOC integration. Once you see how little operational overhead is involved, expand to your full client base.

The math is straightforward: $7.99 per node in, $25-$50 per node out, 60-80% margin, and a service that practically runs itself.

Get started with Flowtriq's free 7-day trial and deploy your first client workspace today.

Back to Blog

Related Articles

Mitigations

BGP FlowSpec for DDoS mitigation

Surgical traffic filtering at the network edge using FlowSpec and Flowtriq's auto-escalation.
Mitigations

Auto-escalation for DDoS mitigation

How Flowtriq's 4-tier escalation chain automatically selects the right mitigation level.
Fundamentals

DDoS detection fundamentals

Understanding traffic baselines, anomaly detection, and real-time alerting for DDoS attacks.