We sell Flowtriq, which includes unlimited support, so we have a position on this topic. The ticket limits cited below come from vendor pricing pages linked in context.
The anatomy of support during a DDoS incident
A DDoS attack is not a single event that requires a single response. It is a sequence of decisions under time pressure, and each decision may require vendor input. Here is what a typical multi-vector incident looks like from the support perspective:
- Initial detection and triage. The alert fires. The NOC confirms it is a real attack. If automated mitigation does not fully resolve it, the first support interaction is: "We are seeing X attack type at Y volume. Our automated rules caught part of it but Z is getting through. What do we adjust?"
- Mitigation tuning. The vendor suggests a threshold change or additional FlowSpec rule. The NOC applies it. This may resolve the issue, or it may create a new one (false positives on legitimate traffic). If there are false positives, that is a second support interaction.
- Vector rotation. Sophisticated attackers rotate vectors mid-attack. The NOC sees a new attack pattern that the current rules do not cover. Third support interaction.
- Post-incident review. After the attack ends, the NOC needs to tune thresholds to prevent the same false positives from recurring and document what happened. Fourth interaction.
Four interactions. One incident. On FastNetMon's 10 Gbps plan, which includes 1 ticket per month according to their pricing page, you are three tickets over your allocation from a single event.
How ticket caps interact with attack frequency
Attack frequency varies by industry, but even conservative estimates create problems with capped support:
- Hosting providers: Commonly see 5-20 attack events per month across their customer base. Even if 80% are handled fully by automation, the remaining 20% generate support needs. At 15 attacks per month, that is 3 events needing support -- already at the limit of FastNetMon's $350/month plan.
- Game server operators: Daily attacks are common during competitive seasons. Even one per week that requires support interaction exceeds the 1-3 ticket monthly allocation.
- ISPs: Transit providers see attacks targeting downstream customers regularly. Each unique target may require different mitigation tuning.
The behavioral impact of ticket caps
Ticket caps do not just limit support access. They change how operators behave, and the behavioral changes have their own costs:
Ticket hoarding
Operators with limited tickets learn to conserve them. They save their monthly allocation for emergencies instead of using them for proactive optimization. A threshold that is slightly off, a FlowSpec rule that could be improved, a configuration question that would take support 5 minutes to answer -- all of these go unaddressed because the operator is saving their ticket for a real emergency.
The result is a detection system that runs on default or suboptimal configuration because the operator cannot afford to use their limited support to tune it.
Extended self-troubleshooting
When a problem arises, operators on capped plans spend more time troubleshooting independently before opening a ticket. During an active attack, every minute spent self-troubleshooting instead of getting vendor assistance is a minute of customer impact. The rational behavior under the ticket cap constraint directly conflicts with the operational requirement of fast incident resolution.
Delayed incident reporting
If an operator has already used their monthly ticket on a configuration question, they may delay reporting a new issue or attempt to resolve it without support. This is the exact opposite of what you want during a DDoS incident, where early engagement with support can prevent escalation.
What the alternatives look like
Different vendors handle support differently. The spectrum runs from hard caps to unlimited access:
- Hard ticket caps: FastNetMon includes 1-3 tickets per month depending on the bandwidth tier. Additional tickets require a custom sales quote. Source: FastNetMon pricing page.
- Tiered response times: Andrisoft Wanguard includes Standard Support with no published ticket cap, but guaranteed response times (under 1 hour, 24/7/365) require their Enterprise Support add-on at undisclosed pricing. Source: Wanguard product page.
- Unlimited included: Flowtriq includes unlimited support in every plan at $9.99/node/month. No ticket caps, no tiered response times, no paid support upgrades.
- Managed service: Enterprise vendors like NETSCOUT Arbor include support as part of managed service contracts, typically at enterprise-level pricing with annual commitments.
What to negotiate if your vendor caps tickets
If you are already on a plan with ticket limits, or evaluating a vendor that uses them, negotiate these terms:
- Incident exemption: Tickets opened during a verified attack do not count against the monthly cap.
- Published overage rate: Know the per-ticket cost for exceeding your allocation before you need it.
- Self-serve overage purchase: The ability to buy an additional ticket through the portal during an incident, without waiting for a sales call.
- Rollover: Unused tickets carry forward to the next month.
No ticket caps. No paid support tiers.
Flowtriq includes unlimited support from the team that built the product. Detection, mitigation, dashboard, and support at $9.99/node/month.
Start Free Trial →Frequently asked questions
How many support tickets does a DDoS incident typically require?
Which DDoS vendors limit support tickets per month?
The bottom line
Ticket-limited support is designed for products with predictable, low-frequency support needs. DDoS detection does not fit that pattern. Attacks are unpredictable, they generate multiple support interactions per event, and they concentrate in bursts. A support model that works for a project management tool or a monitoring dashboard does not work for a security product that you depend on during active incidents.