DDoS Shield

Always-on, 2 Tbps. No overage, ever.

DDoS protection that does not wait for the alarm — every byte routes through scrubbing in steady state, so mitigations apply the moment an attack arrives.

Deploy in 60 seconds View pricing

No credit card to start
Free migrations
Cancel any time

attack 92ce41 · in progress

mitigated 4s

412 Gbps

peak inbound

99.97%

scrubbed

overage

2 Tbps

Aggregate scrubbing capacity

Always on

Inline, never bypassed

L3 / L4 / L7

Volumetric to app layer

Overage. Ever.

Volumetric

2 Tbps of distributed scrubbing capacity.

Capacity is sized against historical peak attacks plus 4x headroom. Every PoP runs scrubbing in-line, so traffic does not have to be diverted before it cleans up.

Anycast + per-PoP scrubbing nodes
SYN, UDP, ICMP, amplification and reflection filters baked in
BGP / GRE protection for non-HostEngine origins

Last quarter — attacks scrubbed

Mar 19 2.1 Tbps UDP amp · NTP

mitigated

Feb 04 1.4 Tbps TCP SYN · IoT botnet

mitigated

Jan 28 880 Gbps DNS reflection

mitigated

Jan 09 640 Gbps L7 GET flood

mitigated

Jan 03 412 Gbps Mixed L3/L4

mitigated

Application layer

L7 challenges that don't punish real users.

A challenge ladder that escalates only when needed: invisible JS first, hCaptcha second, WebAuthn third. Real users sail through; bots get filtered by signal strength.

Invisible JS challenge for low-confidence bots
hCaptcha or our own challenge for medium signal
WebAuthn challenge for high-trust shopping carts and admin

1 Score < 0.2
Invisible JS challenge
2 Score 0.2 – 0.5
hCaptcha
3 Score 0.5 – 0.8
Rate-limit + log
4 Score > 0.8
Block + alert

Custom rules

A rule language for the messy real world.

Mix HTTP fields, geo, ASN, behavioural signals and cookie state. Test in shadow mode, promote to enforcing with a single toggle, audit with full request capture.

Shadow / enforcing modes with attack-time replay
Behavioural fingerprints (TLS JA4, mouse jitter, hop pattern)
Per-rule false-positive rate surfaced daily

// block crypto-trade endpoint scrapers
when request.path == "/api/trade"
  and request.method == "POST"
  and request.score > 0.6
  and request.geo.country not in ["US", "GB", "DE"]
then
  challenge("webauthn") // step-up the trader
  log("siem://datadog/trade")

Plans

Standard is on the house.

Standard

Always-on baseline protection.

Included with every product

L3/L4 mitigation up to 200 Gbps per asset
Generic SYN, UDP, ICMP, amp filters
GeoIP and IP reputation feed
Real-time attack timeline + alerts

Start with Standard

Pro

When the threat model is real, not theoretical.

Multiplayer game ops

UDP flood from a botnet at 380 Gbps

Mitigation kicked in within 4 seconds, players saw a 2-tick blip. Custom rate-limit on game ports kept legitimate traffic flowing throughout the 6-hour attack.

E-commerce on Black Friday

Scraper bots + L7 floods

Bot scoring + JS challenge separated 92% of bot traffic from real shoppers. Origin VPS load stayed flat through 14k legit RPS while 31k bot RPS got challenged at the edge.

Crypto exchange

Targeted L7 attack on /trade API

Custom rule looking at the trade-volume signature stopped the attack in under a minute. SIEM export gave the security team a packet capture for the post-mortem.

Stack

Plays nicely with the security tools you ship.

Integrates with the stack you already use

Datadog
Splunk
Sumo Logic
Elastic SIEM
PagerDuty
Slack
OpsGenie
OWASP CRS 4
hCaptcha
Cloudflare DNS
Route53
Terraform

FAQ

Security questions, plain answers.

Is the shield really always on?

Yes. Every byte routes through the scrubbing layer in normal operation, so when an attack starts there is no detect-then-divert delay — the rules already apply.

What is the no-overage promise?

We never bill you extra because someone attacked you. Capacity is included with the asset. The biggest single-asset attack we have absorbed in the last 12 months was 2.1 Tbps; that customer paid the same as in any other month.

How do you handle false positives?

Every block carries a request hash you can replay in the dashboard. You can suppress a rule for a single IP, ASN or path with one click, and we surface false-positive rate per rule on a daily report.

Can I protect non-HostEngine origins?

Yes — bring your own origin via DNS, a GRE tunnel or BGP announcement. The shield will scrub before forwarding cleaned traffic to your existing infrastructure.

What about L7 application attacks?

Layer-7 mitigations include JS challenges, WebAuthn ladder, bot scoring, hCaptcha integration, and full custom rule language with regex, geo and behavioural primitives.

Do you publish attack stats?

Yes — every customer can export an annual transparency report for their assets, and we publish a global threat report each quarter on the blog.

Trusted by 180,000+ teams in 140 countries

Northwind

Cobalt Studio

Volcrest

Northbeam AI

Halcyon

Acme Cloud

Pinepoint

Verdant

Helix Labs

Riverstone

Iron Forge

Beacon

Northwind

Cobalt Studio

Volcrest

Northbeam AI

Halcyon

Acme Cloud

Pinepoint

Verdant

Helix Labs

Riverstone

Iron Forge

Beacon

Ready when you are

Make the next attack a non-event.

Standard always-on shield is included on every HostEngine product. Upgrade to Pro for $49/mo and bring your custom rules with you.

Enable Pro Shield Talk to a security engineer

No credit card to start
Free migration from any provider
99.99% uptime SLA, in writing

Frankfurt · 3 nodes · healthy

38ms p99

# spin up a 4 vCPU / 8 GB cloud VPS in 55s
$ hostengine vps create --plan "performance-4x8" --region "fra1"
✓ provisioned vps_2x9k1q  (172.247.18.42)
✓ image debian-12 ready · ssh keys attached
✓ snapshot policy: hourly · backups: 30 days

$ hostengine domain attach "trading.acme.io" --ssl
✓ DNS verified · Let's Encrypt cert issued in 6.4s

55s

median provision

global regions

$200

welcome credit