The view a host agent cannot give you

The Flowtriq agent runs on your server and watches every packet that reaches it. That is the right place to detect a lot of attacks, because it is the ground truth of what your server is actually handling. But it has one structural limit: the agent only sees traffic that has already arrived at the host. By the time a volumetric flood is visible to the agent, it is already consuming your uplink.

Your border routers and switches see the attack earlier and wider. They see traffic across every customer and every segment, they see it before it funnels down to any one host, and they see the flows your servers never receive because a saturated link dropped them upstream. That vantage point is what flow telemetry gives you, and it is exactly what you want when an attack is large enough to be a transit problem rather than a server problem.

Flowtriq has supported native flow ingestion for a while. What is new, and what we are announcing for Toronto Tech Week, is that flow sources are now fully self-serve. You no longer need to talk to anyone to turn on router-level visibility.

What changed

Previously, adding flow-based visibility to a Flowtriq workspace involved a conversation: scoping the number of sources, arranging billing, getting the collector details. That is a reasonable process, but it is also friction, and friction is the enemy of getting protected quickly.

As of now, flow sources are a self-serve product. Inside your Flowtriq workspace you add a flow source, billing is handled through Stripe like every other part of the plan, and you receive the collector address to point your router at. The whole path from deciding you want edge visibility to actually having it is measured in minutes, not procurement cycles.

The point of self-serve is not just convenience. It is that the moment you realize you need router-level visibility is often the moment you are already under pressure. Removing the sales step means you can act on that realization the same day.

Four protocols, no third-party collector

Flowtriq runs its own flow collection listener. It speaks the four flow protocols your network gear already exports, so there is no separate collector software to install and maintain:

  • sFlow v5 (RFC 3176), the packet-sampling standard, on UDP port 6343
  • NetFlow v5, the original fixed-format Cisco export, on UDP port 2055
  • NetFlow v9 (RFC 3954), the template-based export, on UDP port 2055
  • IPFIX (RFC 7011), the IETF standard evolution of NetFlow v9, on UDP port 4739

If your routers or switches are from the last fifteen years, they export at least one of these. You configure the export, point it at the Flowtriq collector, and the data starts flowing.
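The port list above implies a check on the receiving side: NetFlow v5 and v9 arrive on the same UDP port, and plain UDP export carries no authentication, so a listener has to tell the formats apart by the version field and drop anything malformed. The following is an added sketch of that check, not Flowtriq's collector code; the function names and sample datagrams are constructed for illustration, and the header sizes are those of the public protocol formats.

```python
import struct

# Listener ports from the list above; NetFlow v5 and v9 share UDP 2055.
PORTS = {6343: {"sflow5"}, 2055: {"netflow5", "netflow9"}, 4739: {"ipfix"}}
VERSIONS = {5: "netflow5", 9: "netflow9", 10: "ipfix"}

def classify(datagram: bytes, port: int) -> str:
    """Name the flow protocol of a datagram, or raise ValueError to drop it."""
    proto = _sflow(datagram) if port == 6343 else _netflow(datagram)
    if proto not in PORTS.get(port, ()):
        raise ValueError(f"{proto} is not accepted on UDP port {port}")
    return proto

def _sflow(d: bytes) -> str:
    # sFlow v5: 32-bit version, 32-bit agent address type (1 = IPv4, 2 = IPv6).
    if len(d) < 8:
        raise ValueError("truncated sFlow header")
    version, addr_type = struct.unpack_from("!II", d)
    if version != 5 or addr_type not in (1, 2):
        raise ValueError("not an sFlow v5 datagram")
    if len(d) < (28 if addr_type == 1 else 40):
        raise ValueError("truncated sFlow header")
    return "sflow5"

def _netflow(d: bytes) -> str:
    # NetFlow and IPFIX: 16-bit version, then count (v5/v9) or length (IPFIX).
    if len(d) < 4:
        raise ValueError("truncated header")
    version, second = struct.unpack_from("!HH", d)
    proto = VERSIONS.get(version)
    if proto is None:
        raise ValueError(f"unknown export version {version}")
    if proto == "netflow5":  # 24-byte header + count 48-byte records, max 30
        ok = 1 <= second <= 30 and len(d) == 24 + 48 * second
    elif proto == "netflow9":  # 20-byte header; records need template state
        ok = len(d) >= 20
    else:  # IPFIX: 16-byte header, length field must fit in the datagram
        ok = 16 <= second <= len(d)
    if not ok:
        raise ValueError(f"malformed {proto} datagram")
    return proto

# Constructed sample datagrams: version and size fields set, the rest zeroed.
SAMPLES = {
    "netflow5": struct.pack("!HH20x", 5, 1) + bytes(48),
    "netflow9": struct.pack("!HH16x", 9, 1),
    "ipfix": struct.pack("!HH12x", 10, 16),
    "sflow5": struct.pack("!II20x", 5, 1),
}
```
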

The flow-plus-kernel merge

A common worry with mixing flow data and host data is double counting: if the router reports a flood and the host also reports it, do you end up with an inflated number that triggers false alarms?

Flowtriq avoids that with a deliberate merge rule. For each one-second window, it takes the higher of the flow reading and the host kernel reading, not the sum. That single rule gives you the best of both vantage points without distortion. When an attack is visible at the host, the kernel reading leads. When an attack is being absorbed or dropped upstream and barely reaches the host, the flow reading leads. You always see the attack at its true size, measured from whichever vantage point can see it most completely.

This is why flow-based and agent-based deployment are complementary rather than competing. The agent gives you precise, packet-level host visibility. Flow sources give you wide, early, edge visibility. Run both and the merge gives you one coherent picture.
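The merge rule can be seen on a few windows of data. This is an added illustration, not Flowtriq's implementation: the readings, the alert threshold and the function names are constructed, and reducing several readings in one window to their peak is an assumption.

```python
from collections import defaultdict

def bucket(readings):
    """Collapse (unix_time, pps) readings into one-second windows.
    Assumption: several readings in one window are reduced to their peak."""
    windows = defaultdict(int)
    for ts, pps in readings:
        windows[int(ts)] = max(windows[int(ts)], pps)
    return dict(windows)

def merge(flow, kernel, combine=max):
    """Merge two {second: pps} maps; a source silent in a window counts as 0."""
    seconds = sorted(flow.keys() | kernel.keys())
    return {s: combine(flow.get(s, 0), kernel.get(s, 0)) for s in seconds}

def alerts(merged, threshold_pps):
    """Seconds whose merged rate reaches the alert threshold."""
    return [s for s, pps in merged.items() if pps >= threshold_pps]

# Constructed readings in packets per second; the threshold is hypothetical.
#   100: ordinary traffic, seen by router and host alike
#   101: attack that reaches the host, so the kernel reading leads
#   102: attack mostly dropped upstream, so the flow reading leads
#   103: no flow reading for this second, host only
THRESHOLD = 100_000
FLOW = bucket([(100.1, 60_000), (101.3, 180_000), (102.0, 900_000)])
KERNEL = bucket([(100.4, 62_000), (101.2, 200_000),
                 (102.5, 40_000), (103.0, 30_000)])

MERGED = merge(FLOW, KERNEL)                      # higher of the two readings
SUMMED = merge(FLOW, KERNEL, lambda a, b: a + b)  # what double counting does

if __name__ == "__main__":
    print("max rule alerts:", alerts(MERGED, THRESHOLD))
    print("sum rule alerts:", alerts(SUMMED, THRESHOLD))
```

With the higher-of rule only the two attack windows alert; summing also alerts on window 100, where both vantage points counted the same ordinary traffic.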

How flow sources are priced

Flow sources are billed separately from nodes, and the per-source price drops as you add more, so a larger network is not penalized for having more routers to watch:

  • 1 to 2 sources: $49 per source per month
  • 3 to 10 sources: $39 per source per month
  • 11 to 20 sources: $29 per source per month
  • More than 20 sources: $19 per source per month

The node plan is unchanged at $9.99 per node per month. It is worth being clear about the distinction between the two: a node-level flow adapter is already included with the node plan, and the separate flow source plan is specifically for router-level, network-wide visibility from your border gear. If you simply want to detect attacks on individual servers, the node plan covers it. If you want to see traffic across your whole edge, flow sources are the product for that, and now you can turn them on yourself.

Getting started

After you add a flow source in your workspace, the only remaining step is configuring the export on your router. The exact syntax depends on the platform, but the shape is always the same: choose a protocol, set the collector address and port, and enable export on the interfaces you care about.

On a Cisco-style platform exporting NetFlow v9, the configuration looks roughly like this:

flow exporter FLOWTRIQ
 destination 203.0.113.10
 transport udp 2055
 export-protocol netflow-v9

flow monitor FT-MONITOR
 exporter FLOWTRIQ
 record netflow ipv4 original-input

interface TenGigabitEthernet0/0/0
 ip flow monitor FT-MONITOR input
 ip flow monitor FT-MONITOR output

On a switch or router exporting sFlow, the equivalent is a sampling configuration pointed at the same kind of collector address:

sflow collector 203.0.113.10 udp 6343
sflow sampling-rate 4096
sflow polling-interval 30
sflow enable

Replace the collector address with the one shown in your Flowtriq workspace. Within a minute or two of enabling export, the source goes active and the flow data starts merging into your detection.

Turn on router-level visibility yourself. Flow sources are now self-serve, billed per source from $19 to $49 per month, with sFlow, NetFlow v5/v9, and IPFIX supported natively. See the flow source pricing tiers at flowtriq.com/pricing.
