MSPs
DDoS Protection as a Managed Service
MSPs protect dozens of clients without dedicated security staff per account. Flowtriq gives you a single platform to monitor every client's infrastructure, detect attacks in under one second, and automate response -- all from one login.
The Problem
You manage dozens of clients. One of them just got DDoS'd.
MSPs manage infrastructure across many clients, each with different server counts, network configurations, and SLA requirements. When a client gets hit with a volumetric attack, the MSP is the first call. The client doesn't know what's happening -- they just know their site is down and they're losing money.
Without automated detection, your team is reactive. Someone notices high CPU or packet loss, logs into the server, runs tcpdump, tries to identify the attack vector, and eventually applies a manual firewall rule. By the time you've mitigated, the client has been down for 20 minutes and your SLA is blown.
Flowtriq turns DDoS response from a fire drill into an automated workflow. Detection fires in under one second, your team gets alerted instantly, the client's status page updates automatically, and the full mitigation chain — from local firewall rules through BGP FlowSpec to cloud scrubbing — triggers without human intervention.
- Client calls before you even know there's an attack
- Manual tcpdump analysis wastes critical minutes
- No visibility across clients from a single pane of glass
- Every attack is a scramble with no playbook
- SLA breaches erode trust and cost you contracts
- No forensic data to share in post-incident reports
Architecture
One workspace per client. Full isolation. Central oversight.
Flowtriq's multi-workspace architecture is purpose-built for MSPs. Create a separate workspace for each client with their own nodes, incidents, alert channels, and status page. Your MSP team gets admin access to every workspace while clients see only their own data.
Each workspace is fully isolated -- Client A never sees Client B's traffic data, incidents, or PCAPs. But your NOC team can switch between workspaces in one click, giving you a unified view of every client's security posture without any data leakage.
├─ Workspace: acme-corp
│  ├─ acme-web-01    1,204 PPS
│  ├─ acme-web-02    892 PPS
│  └─ acme-db-01     340 PPS
├─ Workspace: globex-hosting
│  ├─ glx-edge-01    47,821 PPS ▲ ATTACK
│  └─ glx-edge-02    2,100 PPS
└─ Workspace: pinnacle-saas
   ├─ pin-app-01     3,401 PPS
   ├─ pin-app-02     2,880 PPS
   └─ pin-cdn-01     5,120 PPS
Workflow
What happens when a client gets attacked
From detection to resolution, Flowtriq handles the entire incident lifecycle. Your NOC team stays informed without needing to intervene manually.
Attack hits Client B's web server
A 2.4 Gbps UDP amplification flood targets glx-edge-01 in the Globex workspace. PPS spikes from 2,100 to 47,000 in under a second.
Flowtriq detects and classifies the attack
The FTAgent on glx-edge-01 detects the anomaly, classifies the traffic as NTP amplification with 97% confidence, and fires an incident in the Globex workspace.
Alerts fire to your NOC and the client
Your NOC team gets a Discord alert. Globex's ops team gets a Slack notification and an email. The Globex status page updates to show an active incident. All automatic, all simultaneous.
Auto-escalation activates
Flowtriq applies local firewall rules instantly, then escalates to BGP FlowSpec filtering at the network edge. For this 2.4 Gbps flood, cloud scrubbing via OVH VAC activates as the final tier. Traffic is cleaned upstream. The server stays online. No manual intervention required.
Attack subsides, normal routing restores
Seven minutes later, attack traffic drops below threshold. Flowtriq auto-withdraws the OVH mitigation, resolves the incident, and updates the status page. A full incident report with PCAP data is available for Globex's post-mortem.
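The escalate-then-withdraw sequence in this walkthrough can be sketched as a small per-node state machine. This is an added example, not Flowtriq's code; the spike factor, tier cut-offs, calm-sample count and all names are assumptions, and the traffic samples are constructed from the figures above.

```python
from dataclasses import dataclass, field

TIERS = ["local_firewall", "bgp_flowspec", "cloud_scrubbing"]  # order given on the page
SPIKE_FACTOR = 5.0               # assumption: PPS above 5x baseline is an attack
TIER_MIN_GBPS = [0.0, 0.5, 2.0]  # assumption: attack size at which each tier engages
CALM_SAMPLES = 3                 # assumption: quiet samples required before withdrawal

@dataclass
class Node:
    workspace: str
    name: str
    baseline_pps: float
    active: list = field(default_factory=list)  # tiers currently engaged
    calm: int = 0                               # consecutive quiet samples

def evaluate(node, pps, gbps):
    """Process one traffic sample and return the events it produced."""
    events = []
    if pps > node.baseline_pps * SPIKE_FACTOR:
        node.calm = 0
        if not node.active:
            events.append(("incident_opened", node.workspace, node.name))
        for tier, floor in zip(TIERS, TIER_MIN_GBPS):
            if gbps >= floor and tier not in node.active:
                node.active.append(tier)
                events.append(("tier_activated", node.workspace, tier))
    elif node.active:
        node.calm += 1
        if node.calm >= CALM_SAMPLES:  # hysteresis: a pulsed flood must not cause flapping
            for tier in reversed(node.active):  # assumed order: release upstream tier first
                events.append(("tier_withdrawn", node.workspace, tier))
            node.active, node.calm = [], 0
            events.append(("incident_resolved", node.workspace, node.name))
    return events

def run_scenario():
    """Replay constructed samples modelled on the Globex walkthrough."""
    glx = Node("globex-hosting", "glx-edge-01", baseline_pps=2100)
    acme = Node("acme-corp", "acme-web-01", baseline_pps=1204)
    samples = [(2100, 0.01), (47000, 2.4), (2200, 0.01), (45000, 2.2),
               (2300, 0.01), (2200, 0.01), (2100, 0.01)]
    log = []
    for pps, gbps in samples:
        log += evaluate(glx, pps, gbps)
        log += evaluate(acme, 1204, 0.005)  # neighbouring workspace stays quiet
    return log, glx, acme
```

The brief lull in the third sample does not withdraw mitigation because the calm counter resets when the flood resumes; only three consecutive quiet samples resolve the incident.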
Features
Built for multi-client operations
Everything an MSP needs to deliver DDoS protection as a managed service, without building it from scratch.
Multi-Workspace Management
Create a separate workspace for each client. Full data isolation, independent baselines, and per-client incident histories. Switch between workspaces in one click from the dashboard top bar.
Role-Based Access Control
Give your NOC team admin access across all workspaces. Invite client staff with read-only access so they can view their status page and incident history without touching configurations.
White-Label Status Pages
Every workspace gets its own public status page with a custom slug. Clients share their status page with their own customers, branded to their identity -- no mention of your MSP or Flowtriq.
Per-Client Alert Routing
Configure separate notification channels for each workspace. Route Client A's alerts to their Slack channel and your NOC Discord. Route Client B's alerts to PagerDuty and their ops email. Fully independent.
SLA Reporting
Generate incident reports with detection timestamps, classification data, MTTR, and resolution details. Share branded PDF reports with clients to prove your SLA compliance and justify your service fees.
Multi-Layer Mitigation Per Client
Configure the full mitigation stack per workspace: local firewall rules, BGP FlowSpec adapters, RTBH communities, and cloud scrubbing credentials for Cloudflare Magic Transit, OVH VAC, Path.net, or Hetzner. When Client A gets attacked, Flowtriq auto-escalates through all tiers. Other clients are unaffected.
Onboarding
Add a new client in under 10 minutes
Onboarding a new client to Flowtriq takes three steps: create a workspace, install the agent on their servers, and configure alert channels. The entire process takes less than 10 minutes per client, regardless of how many servers they have.
Once onboarded, the agent begins learning the client's traffic baseline immediately. Within 24 hours, Flowtriq has a statistical model of normal traffic patterns for every monitored interface. No tuning, no manual threshold setting, no per-client configuration files.
Name: delta-logistics
Slug: delta-logistics
OK workspace created
Step 2: Deploy agents
delta-web-01: agent installed
delta-web-02: agent installed
delta-db-01: agent installed
Step 3: Configure alerts
NOC Discord: connected
Client email: connected
Baseline learning started.
Full protection in ~24 hours.
Revenue
Turn DDoS detection into a profit center
DDoS monitoring is a natural upsell in any managed services contract. Your clients already trust you with their infrastructure -- adding real-time attack detection to your service catalog is a straightforward value-add that most clients will accept without hesitation.
You pay Flowtriq $9.99 per node per month (or $7.99/node on annual billing). You set your own pricing to clients. Most MSPs charge $15-30 per server per month for DDoS monitoring, creating healthy margin on every node.
With 50 client servers, that's $500/month to Flowtriq and $750-1,500/month from clients. The service runs itself -- fully automated detection, alerting, and mitigation with zero manual overhead per incident.
Example: 50-Node MSP Portfolio
| Line Item | Monthly |
|---|---|
| Flowtriq cost (50 nodes) | -$499.50 |
| Client billing @ $20/server | +$1,000.00 |
| Client billing @ $30/server | +$1,500.00 |
| Net margin (@ $20) | +$500.50/mo |
| Net margin (@ $30) | +$1,000.50/mo |
Annual billing reduces your cost to $7.99/node. Volume discounts available at 50+ nodes.
Comparison
Managing attacks manually vs. with Flowtriq
Manual DDoS Response
- Client calls you before you know there's an attack
- SSH into server, run tcpdump, analyze manually
- 20-40 minutes to identify attack vector
- Write iptables rules by hand under pressure
- No forensic data for post-mortem reports
- SLA breach on every significant attack
Automated with Flowtriq
- Alert fires in under 1 second -- before the client notices
- Attack classified automatically (SYN, UDP, DNS, etc.)
- Cloud scrubbing triggers without human intervention
- Client status page updates in real time
- Full PCAP capture and incident forensics
- SLA compliance with sub-minute MTTR
FAQ
Common questions from MSPs
Can each client have their own workspace?
Yes. There is no limit on the number of workspaces you can create. Each workspace is fully isolated with its own nodes, incidents, alert channels, status page, and team members. Your MSP staff can be members of every workspace with admin privileges, while client staff only see their own workspace.
Can we brand the status pages for each client?
Yes. Every workspace has access to the public status page at flowtriq.com/status. Clients can share this URL with their own customers. The status page shows real-time node health and incident history -- no MSP branding or cross-client data is exposed.
How do we bill our clients?
You set your own pricing. Flowtriq bills you per active node at $9.99/month (or $7.99 on annual billing). How you package and price this for your clients is entirely up to you. Most MSPs bundle DDoS monitoring into their managed services contract or offer it as an add-on line item at $15-30 per server per month.
Can we invite client staff to their workspace?
Yes. Each workspace supports unlimited team members with role-based permissions. Invite client staff with the read-only role so they can view their status page, incident history, and analytics without being able to modify configurations or alert channels. Your MSP team retains admin or owner access.