// Product · Network protection

3.5 Tbps of mitigation. Always on. Always included.

Layer 3, 4, and 7 attack mitigation absorbed at the network edge before it reaches your stack. No scrubbing fees, no surprise overage on your invoice when an attacker shows up.

Capacity 3.5 Tbps + 480 Mpps SLA < 3 s detection, < 8 s mitigation Pricing $0 — included on every plan
// What's protected

Every IP we route, by default.

Protection turns on the moment an IP is allocated to your account. No DNS rerouting, no proxy, no re-issued certificates. Just clean traffic to your origin.
Layer 3
Volumetric
SYN floods, UDP floods, ICMP, fragmented packets, DNS / NTP / Memcached / CLDAP / SSDP amplification — absorbed at the edge.
Layer 4
Stateful
SYN-ACK reflection, ACK floods, RST floods, slow-loris variants, exhaustion attacks against TCP state.
Layer 7
Application
HTTP(S) floods, slow-POST, low-and-slow, cache-busting, credential-stuffing waves. Per-route rate limits configurable in dashboard.
// How it works

Mitigation runs in the data plane.

Detection happens in hardware on the edge routers. Suspect flows divert to in-line scrubbing within 3 seconds. Clean traffic continues forwarding without a hop.
EDGE
Anycast scrubbing at 6 PoPs
DAL, FRA, SGP, TYO, AMS, ASH. Attack traffic is absorbed by the closest PoP — the rest of the network never sees it.
DETECTION
Sub-3-second alarms
NetFlow telemetry into our anomaly engine. Volumetric attacks are flagged and mitigated within the first 3 seconds, well before TCP retransmits notice.
VISIBILITY
Real-time attack feed
Per-IP graphs, top attack vectors, geo breakdown, historical incident archive. WebSocket stream for SIEM integration.
L7 WAF
Optional managed WAF
CRS-based rule packs, custom rules, bot management. Add-on at $19/mo per protected hostname — TLS terminates at the edge.
FAILSAFE
No silent drops
If our scrubbing path goes down, traffic transparently bypasses to a secondary cluster. We page on-call before you notice.
PRICING
No per-attack billing
A 600 Gbps reflection attack costs you the same as a quiet day: nothing. We don't charge for the bytes we drop on your behalf.
// Recent

A few attacks we caught this quarter.

812 Gbps DNS amplification — gaming customer
2026-04-22
Layer 3 Mitigated · 0 ms impact
Anycast absorbed the volumetric flood at the FRA, DAL, and SGP PoPs simultaneously. Customer's match servers stayed online; tick-rate variance held within 2%.
14 Mrps HTTP/2 RST flood — fintech API
2026-03-09
Layer 7 Mitigated · < 4 s
Continuation of the HTTP/2 Rapid Reset class. Mitigated by per-stream rate cap and connection refusal at the edge. Origin TLS handshake load returned to baseline within 11 s.
2.1 Tbps mixed UDP / SYN — multi-tenant
2026-02-17
Layer 3 Layer 4 Mitigated · 1 s detection
Largest attack of the quarter. 4 customers targeted concurrently across 3 regions. Edge capacity utilization peaked at 60% — comfortably within headroom.

Currently being attacked?

Call our NOC: (214) 940-0408. We can BGP-announce your prefix and absorb traffic within 15 minutes — even if you're not a customer yet.

Emergency onboarding