Kentik Benefits

SM
Marketing Manager at a manufacturing company with 5,001-10,000 employees

I believe the company is satisfied with the product, but there have been some changes and challenges. 

Kentik primarily addresses the need for information from NetFlow data. It offers a simple yet powerful feature of classifying applications, going beyond basic statistics. There is more focus on track ID and basic static applications.

Before using this solution, there was a lack of good visibility. So, our clients had to use workarounds to gain insights. With Kentik, they have better planning and programmability in the network.

PC
Interconnection Manager at a music company with 1,001-5,000 employees

Using the drill-down into detailed views of network activity, we can see where we might have bad performance. Maybe it's in the US and is from a specific ISP. Seeing that we have general bad performance from them doesn't help us that much when troubleshooting with them. When we drill down, we can see that the users we have the most problems with are from this city or that state.

Also, some of these tools can be pretty complex, but what I really like is that when we get new team members we can easily onboard them into the tool. They can be up and running and doing fairly advanced queries very quickly. That's been a positive for us.

Kentik's API has really helped us as well. We have tooling where we can look at a certain POP and then pull the data out of Kentik and make decisions on that in another application. We also use it for cost calculations, since we have the real-time traffic data and we have a pretty good understanding of what the different links cost, and what the data costs on those links. The tooling pulls real-time data or weekly averages and we do calculations on how we're doing per gigabyte in cost.

I can only guess at how much the solution decreases our mean time to remediation, compared to if we had written our own tools. We have had Kentik from day one. I can only imagine a world where we had tried to develop this ourselves and how that would have looked. Compared to what we would have had, I would say it has decreased our MTTR by three times. It all comes down to the drill-down functionality and how easy it is to use the interface; all of the data that you can get out of it very quickly, with all the different graphing options. I would guess if we had developed our own tool, it wouldn't be nearly that advanced where we could add multiple datasets and do graphing. We probably would have had to do a lot of SQL queries ourselves to get to whatever we wanted, especially if we had trickier things to try and remediate. But it's hard for me to say since we've used it for so long.

It also helps with our total network uptime. The anomaly detector is pretty good at detecting weird things, like when traffic drops. But we also have a lot of our own tooling for this. Kentik is not a monitoring solution for us in that sense. It's more on top of what we have. But we have seen weird things where traffic has moved, situations which we probably wouldn't have caught with our own systems. So it gives additional benefits on top of the more rudimentary or standard tooling that we have.

JM
Director, Backbone Engineering at a computer software company with 10,001+ employees

We had an event with one of our service centers, internally, and we were able to get them to understand that they were causing adverse effects for our customers on our circuits because they were over-utilizing circuits when they should not have been doing so. Kentik allowed us to peel back the entire network aspect of what they were doing and it allowed us to get an agreement from them that they would police themselves regarding their traffic, so that we did not have to do so for them.

And it allowed us to continue to have shared resources rather than duplicating everything. We were able to continue to allow them to utilize our transit, or our shared network connections, rather than saying, "Okay, you can't use this anymore. You have to duplicate everything." As a result, we're saving, in this case, about $40,000 a year, because we're not duplicating the network. If you understand what's happening, you can say, "Okay, this is what you can do, this is what you can't do." You can't get to that point unless you understand what's happening first, and Kentik allowed us to do that.

The solution has proactively detected network performance degradation or anomalies. For instance, right now I'm tracking another service center that is trying to provide a backup solution going to one of the cloud providers. What's happening is that their traffic is not hashing, it's not load-balancing over multiple circuits. I can easily prove that because I can pull up the circuits and see all of the flows from this particular service owner going over one circuit. That's an anomaly Kentik detected and I can go back to the service center and tell them. And it alerts me when it's happening, when it's getting too high, when it's about to saturate the circuit. It then tells me, "Oh, by the way, they're doing it again." That is very helpful.

The drill-down into detailed views of network activity helps to quickly pinpoint locations and causes, especially if you set it up properly so you have all your routers and your interfaces. It's super-easy. In this case, it sends me an alert. I pull up the dashboard and it's all right there. It tells me everything. For example, when I pull up the alert that I got this morning it gives me a traffic overview and tells me, before I've done anything in the source or destination ASNs, which service center it is, if I have a separate ASN for them. It shows where it's going and how much traffic is spiking. It gives me the total traffic hits per second and packets per second, as well as source country, destination country, subnet — everything. It's telling me exactly who, what ports, and everything that is causing the anomalous traffic. If you have it pre-set-up, it just takes you through to the dashboard with everything already there. That's super-helpful because I can go back to the service center and tell them that they're saturating the link and this is how they're saturating it. I have proof.

I have also used Kentik's months of historical data for forensic work, especially with my old job. I was at a service provider previously and we got DDoS'd all the time, constantly. It was much easier for me to go back in time and look at some of these DDoS events and look at the signatures so I could just figure out which buckets most of them fit into. I could say, "Okay, I had these many incidents, these are the different types of issues I saw, and maybe if we take these actions we might be able to stop this kind and that kind of DDoS." It was much easier for me to go back and look at it as a holistic view.

In addition, it has decreased our mean time to remediation for anomalous traffic moments. For instance — and I'm not in the operations team — it has certainly allowed the operations team to detect and figure out what's happening much more quickly than they previously were.

At my previous company, it probably went from about a 30-minute detection to about a ten-minute detection, and that included making sure we understood which IP address was being attacked. As a service provider you can see what the interface is, but the question is which IP address on the interface is being attacked. That's the thing that you get much faster and you're able to surgically black hole that IP address, as opposed to shutting down the entire port for the customer. That kind of thing is huge.

Kentik has also improved our total network uptime. We're able to check the customer-affecting incidents much faster than we previously were. And at my previous company I can say wholeheartedly that it improved uptime because when you can detect so that you're not shutting down ports, you can get to the router faster, and the router is not falling over anymore because it's being attacked.

In terms of improving on the number of attacks we have to defend, at the previous company I would say it did because I did all the analytical work, and we were able to determine a couple of different types of attack that we might be able to defend a little bit better. Here, it has reduced the number of internal incidents we've had. Service owners are not really thinking properly about how they're using the network and have service-affecting incidents that they didn't know about. If you point it out, they stop doing it, if you have data for that. Before, we weren't really able to point it out in a way that they understood. Now, it's much easier for us to detect it, clearly determine that it was them, and then say, "Could you stop this? Don't do that."

Buyer's Guide
Network Monitoring Software
March 2024
Find out what your peers are saying about Kentik, Cisco, SolarWinds and others in Network Monitoring Software. Updated: March 2024.
767,847 professionals have used our research since 2012.
SW
Network Architect/Security Manager at a comms service provider with 51-200 employees

One of our Network Operations Centers has a large overview screen with a web browser that shows Kentik and the data explorer running. This provides a constant overview of live traffic sorted by the source port.

We use Kentik to monitor the network and get alerts from its alert module if there is a DDoS or other attack on our network.

Kentik is constantly improving. I have seen their alert portion grow this year to include a new Beta that allows you to use automatic mitigation with multiple platforms.

Kentik is used when customers call in to troubleshoot their internet service and to decide on new peering partners.

AD
Director, Interconnection Strategy at GTT

We're the third-largest tier-one in the world but, prior to deploying Kentik, we were flying largely blind regarding our IP traffic. We didn't have any kind of visibility into where we should be upgrading capacities. Gaining visibility into the traffic with a network at our scale has been huge.

We've been able to do traffic analysis when we're looking at bringing on a customer or, more specifically, when renewing and re-terming a customer. We can take a look at their traffic profiles and put dollars and cents around it. What does it cost us to haul this customer's traffic? Are we making money on this customer's traffic? How much are we making? That allows us to gauge where we can do things, re-term-wise, and still make money. 

We can also do customer prospecting. We can look at our traffic and say, "Hey, here's traffic, either to or from networks, that aren't on net. If we were to bring them on net we would be monetizing traffic that we're currently handling either for free or in some other way. If we were to bring it on, we'd be making money from it."

It has also helped our organization to save money in backbone planning. Previously, if a specific path was full, we would have to throw more bandwidth at it. I think that's what a lot of networks still do. Kentik allows us to see where traffic is really going and coming from. So we've been able to be much smarter about where we choose to upgrade paths. Throwing bandwidth at it costs adding however many more waves. If the traffic goes between A and C instead of A and B and that path happens to be $1,000 a month cheaper, we can make those kinds of changes. We've definitely been able to save money that way.

In addition, the drill-down into detailed views of network activity very much helps to quickly pinpoint locations and causes. We have a handful of saved queries, especially for some of our guys in the NOC who may not be senior-network-engineering-level types, that can be run. It lets them see things at a high level and say, "Okay, there's a spike here." They can drill in from there and get what they're actually after. It's generally DDoS-related in that specific scenario.

We have also used Kentik's months of historical data for forensic work. It tells us what the heck happened. When you're in it, you're just trying to do what you can to get things working again. That historical view allows us to go back and say, "Okay, we had this major outage last week. We know that it was partially due to this, but what actually happened and what was impacted by what was going on?"

Kentik has also decreased our mean time to remediation, with DDoS especially, but also with peering-related issues. We're able to identify and do stuff there as well, more quickly than we were previously. Shooting from the hip, I would say it has decreased our MTTR by 20 percent.

AH
Manager, Automation Tools at a tech services company with 1,001-5,000 employees

Before using the solution, we had to do all these manual tasks, such as running all these queries manually, and building our tech cost-report used to be a two or two-and-a-half-week effort. Using Kentik, and the automation that it provides us, we've brought that down to a day or two, which is a massive time savings.

Our capacity managers would say the visibility and the dashboards have improved the way our organization functions. They can see, at a glance, which of our data centers is serving which countries, and that really helps them in their planning.

In terms of the solution's months of historical data for forensic work, we reformulated the way we calculate costs so we had to go back into the historical data and use that raw data to calculate the costs again. It wasn't necessarily forensic networking, but it was forensic cost and business work.

AW
Principal Engineer at a comms service provider with 501-1,000 employees

For our organization, the sales-prospecting is really invaluable. We had a previous tool that I wasn't really involved with but which was, to my understanding, very hard to use and which was — I won't say misdesigned — but designed strangely. With this tool I have been able to work with some of the front-end sales-developer people to tighten down the queries that they wanted to use to get the information out. Once they had that, they could go into their sales portal and put them in there. I can help them with the information because I know what it's coming from. I help them make queries: for example, "The customers in New York who are going to Chicago." Whatever that turns out to be, I know what it is. Whereas, with the other tool I didn't really know necessarily how it was working along its model.

We also have alerting from it for attacks and capacity utilization, which we didn't have before. The great thing about it is that it doesn't say, "Okay, this link overloaded," but it does what's called planning or trending. It says, "Hey, this IP usually has ten hosts talking to it. In the past hour, it has had 10,000 hosts talking to it." It will show things that might not necessarily be a situation where something is being overloaded, but which are still events that happened on the network and which we wouldn't have seen before at all.

Kentik has also helped to decrease our mean time to remediation in the case of attacks. We're able to pull out the IP that's being attacked and take action on it. Before we couldn't find that out easily. That process has gone from slow to fast. Attacks happen no matter what. We have a lot more visibility into them, we can see where they're coming from and that has definitely helped us take action against some of our customers who are continually launching attacks. Maybe it's decreased the number of attacks in that we have found out the customers who were doing them and terminated them. But the tool itself doesn't help us reduce the number.

it_user585876 - PeerSpot reviewer
Network Engineer at a university with 10,001+ employees

We now have real metrics on DDoS attack vectors and use the alerting dashboard to gather information used in CLI filters and eventually in RTBH.

JN
Sr. Network Manager at Netskope

We can actually see what we're doing now. When it comes to making an educated decision on a number of things, if you have no visibility into what you're doing, you really can't make that decision. Collecting that data and having those metrics first-hand, in real-time, allows us to make an educated decision, versus an uneducated guess.

Kentik has proactively detected network performance degradation, availability issues, and anomalies. When we had no visibility, when we had congestion, things would actually happen and it was hard to troubleshoot as to where they were coming from. That was one of the first things we were able to do.

A specific example is where we had a number of tenants that were created that were getting DDoS'ed. We couldn't understand how or why we were getting DDoS'ed because we had no visibility. We were guessing. Kentik opened up and showed us where the traffic was coming from and how we could go about mitigating.

It lets us understand what those attacks are, versus not actually knowing where they're coming from or how they're affecting us. It cuts down the time it takes for us to troubleshoot and actually mitigate by about 50 percent, guaranteed, if not more. But we're running a bunch of GRE IP sectionals. It's not like we have huge amounts of capacity. But for some of our large customers, it really has helped us detect what the problem is, instead of guessing.

At my previous company, it improved our total network uptime by about 20 percent. I wouldn't correlate that back to Kentik in my current company.

MP
Director - Site Reliability Engineering at a media company with 1,001-5,000 employees

The drill-down into detailed views of network activity helps us to quickly pinpoint locations and causes. Anecdotally, it has decreased our mean time to remediation. On a per-incident basis, it could save anywhere from five minutes to 60 minutes.

We also believe it has improved our total network uptime. We haven't done any direct before-and-after comparison, though.

Again, anecdotally, it has sped up our security team's ability to respond to attacks that did not surface as readily, prior to having the flow log data.

it_user591852 - PeerSpot reviewer
Network Engineer at a tech services company with 1,001-5,000 employees

I find it very useful to see when traffic destined for a prefix that we prefer ingress on in the East Coast actually ingresses or egresses on the West Coast. It shows the difference between BGP paths vs. regional expectations.

it_user607401 - PeerSpot reviewer
Network Security Engineer at a tech company with 1,001-5,000 employees

We have put it on half of our large monitoring screens. Sometimes, it is actually easier to identify and attack incoming traffic using Kentik, than it is to use our own gear.

Even when we know what the traffic is, it allows us to jump directly into the next steps of our process more quickly, since we can visually see everything in one place and on one screen through the customizable dashboards.

Instead of just total traffic in bits or packets, we can get protocol, destination port, TCP flags; everything you might want.
