This article discusses Kentik’s Alerting systems, which analyze your network traffic and detect anomalous patterns that might represent threats to availability or performance.
.png?sv=2026-02-06&spr=https&st=2026-07-17T21%3A01%3A18Z&se=2026-07-17T21%3A13%3A18Z&sr=c&sp=r&sig=CeveDawUN5i5jXIZnASafd8zXWR4l07HeYuXH2B7w%2FE%3D)
Triggered based on policy settings, alerts provide details on anomalous network activity or state.
Kentik’s Alerting systems include both the main policy-based alerting system, which is the focus of this set of articles, and a synthetics-specific alerting system:
Policy-Based Alerting: Uses policies of various types to define conditions for alerting:
Policies are managed with the portal’s Alert Policies settings page, accessed via Settings » Alert Policies in the portal’s main nav menu.
Includes thresholds for triggering an alarm and actions (notifications and/or mitigations) when “alarm state” is entered.
View and manage policy-based alerts on the Alerting Page, accessed via the portal’s main nav menu.
Synthetics Alerting: Kentik’s Synthetics testing includes an alerting system that generates alerts based on test results:
Set thresholds for a tested entity’s health status on the Health tab of the Tests page when adding or editing a test (see Health Settings Tab).
Specify alert conditions on the Alerting and Notifications tab.
Policy Types
When a policy is created, either by a Kentik user or automatically via Alert Policy Templates, it is categorized into one of two primary architectures: Flow or NMS policy types.
The policy type dictates what data is evaluated, how it triggers, and where the resulting alerts appears in the portal. All policies are managed (added, cloned, edited) via the Settings » Alert Policies page in the Kentik portal.
Flow Policies
Flow policies (Protect and Traffic) use comparative evaluations to monitor network traffic data, such as NetFlow or VPC flow logs. When the current traffic matches the conditions defined in your policy thresholds, it triggers an alert (entering an ALARM state) and can initiate automated actions like notifications and DDoS mitigations.
Policy Type | Description | Where Created | Appears on DDoS Defense Page? |
|---|---|---|---|
Protect | Detects traffic patterns indicating potential attacks (e.g., SYN floods, amplified reflections). | Add Alert Policy page | Yes |
Traffic | Detects standard traffic patterns, flow rate thresholds, and fluctuations. | No |
NMS Policies
NMS (Network Monitoring System) policies are metrics-based and built on Kentik NMS. They evaluate performance data to alert you when a monitored entity, such as a device, interface, or BGP neighbor, becomes unhealthy or drops below a specific baseline.
Note: All NMS policies are created on the Add Alert Policy page and only appear on the main Alert Policies list, never on the DDoS Defense page.
Policy Type | Description |
|---|---|
Agent | Agent health (e.g., resource usage, status). |
Agent Capability | Capability health (e.g., enablement, status). |
BGP Neighbor | BGP peering session states and metrics (e.g., session state changes, advertised prefixes). |
Component | Device component states and metrics (e.g., CPU, power supply). |
Device | System-level device states and metrics (e.g., up/down status, CPU/memory). |
Event | SNMP traps or syslog messages filtered via regex. |
Interface | Interface states and counter metrics (e.g., oper status, traffic spikes). |
Classic Threshold | Rolling window aggregations and classic baselines (average-over-time thresholds). |
Custom | Any NMS measurement, including cloud and custom metrics from integrations. |
Note: The filters on the Alert Policies and Alert Policy Templates pages determine which of these policy types appear in your active lists.
