TCPGUARD  //  NETWORK SECURITY OPERATIONS CENTER  ·  DXB ALL SCRUBBING CENTERS OPERATIONAL  ·  status.tcpguard.com
Mitigating L3–L7 since 2017

They flood.
We filter.
You stay online.

No single provider stops every kind of flood — anyone who says otherwise is selling you something. So we stacked the ones that actually work and tuned the rules by hand. Your origin stays hidden. Your site stays up.

2.5 Tbps+ capacity · No null-routes · 24/7 humans
SYN Flood · UDP Amplification · DNS Reflection · HTTP/2 Rapid Reset · Slowloris · ACK Flood · NTP / SSDP / Memcached Amp · TLS Renegotiation · Layer 7 Bot Floods · Carpet Bombing
// INCIDENT RESPONSE

Site going down right now?

Skip the ticket queue. Tell us your domain and what you're seeing — we start pulling your traffic onto our edge and soaking up the flood immediately.

2.5 Tbps+ · Mitigation capacity
L3–L7 · Full-stack coverage
0ms · Null-route policy
2017 · Operating since
// WHO'S BEHIND THE GLASS

A small team that has been doing this since 2017.

We are not a reseller dashboard with a support bot. TCPGuard is run by people who have spent years on the wrong end of a 600 Gbps flood at 3 in the morning — and learned exactly which knobs to turn.

We have opinions. We do not null-route you to make an attack "go away." We do not hide your origin behind a single CNAME and call it protection. We architect the stack around what you are actually defending, and we stay on the line until the graphs go flat.

If you have ever been told "just upgrade your plan" by a provider who clearly was not watching the traffic — you will understand why we built this.

The TCPGuard NOC · Dubai · U.A.E · operating since 2017

// House rules

  • We pick up. Real engineers, not a queue.
  • No null-routes. No blackholes. We filter.
  • Your origin IP is sacred — it never leaks.
  • Rules are hand-tuned per target, not copy-pasted.
  • If we can't protect it well, we tell you straight.
// DEFENSE STACK

One provider can't cover everything. So we don't pretend to.

A layered defense built from carrier-grade networks and dedicated mitigation platforms — Voxility for Layer 3-4, Path for Layer 7, filtration tuned against Arbor PeakFlow telemetry, and custom ModSecurity rules to keep the naughty guys out.

Voxility
LAYER 3-4

Volumetric Mitigation — Voxility

Carrier-grade absorption of SYN floods, UDP amplification and reflection attacks across up to 100 Gbps ports. The flood never reaches your origin.

voxility.com ↗
Path.net
LAYER 7

Application Defense — Path

Dedicated Layer 7 filtering for HTTP/S floods and bot traffic. Real mitigation — no null-routing, no blackholes, no downtime windows.

path.net ↗
RoyaleHosting
EDGE FIREWALL

Advanced Firewall — RoyaleHosting

2.5 Tbps+ of upstream DDoS mitigation and managed firewall policy in front of your infrastructure, tuned per deployment.

royalehosting.net ↗
ModSecurity / OWASP CRS
WAF

Custom ModSecurity Rules

Hand-written WAF rules on top of the OWASP Core Rule Set to block exploit attempts and keep you operational around the clock.

owasp crs ↗
// PACKET PATH

Every packet earns its way to your origin.

Traffic lands on our scrubbing edge, gets inspected and filtered layer by layer, and only clean requests are proxied through to you.

tcpguard@edge — mitigation pipeline
# inbound traffic hits the scrubbing edge
edge ~$ ingest --proto any --port 0-65535
[L3-4] voxility  → SYN/UDP/reflection .......... SCRUBBED
[L7]   path     → http/s flood + bots ........... FILTERED
[WAF]  modsec  → owasp crs + custom rules ...... ENFORCED
[FW]   arbor   → peakflow telemetry ............ CLEAN
edge ~$ proxy --to origin --tls passthrough
# your origin only ever sees legitimate traffic.
// DEPLOYMENT

However you run, we sit in front of it.

Point your DNS at us, or let us host the whole thing. Either way the attack stops at our edge, not yours.

01 / PROXY

Reverse Proxy

Keep your existing host. Route traffic through our protected edge and hide your origin IP from the world.

02 / COMPUTE

Protected Virtual Machines

Spin up VMs that live behind our mitigation from day one — nothing exposed, nothing to leak.

03 / METAL

Dedicated Servers

Full bare-metal performance with carrier-grade DDoS protection baked into the network it lives on.

TCPGuard

Make a smarter security decision today.

Reverse proxy, virtual machine or dedicated server — tell us what you're defending and we'll architect the right stack for it.

Accepted payment methods: tabby