Akamai Technologies Ltd

Akamai Prolexic - Distributed Denial of Service (DDoS)

Prolexic Routed offers broad and rapid protection against both network- and application-layer DDoS attacks with the scale to handle the largest attacks seen today. Organisations benefit from Akamai's global 24/7 SOC, which includes 150 staff in five locations around the world dedicated to responding to DDoS attacks against Akamai customers.


  • DDoS mitigation against the largest of attacks
  • 3.5 Tbps of dedicated network attack capacity
  • Fast and effective mitigation of attacks backed by industry-leading SLAs
  • Direct physical connection (optional) to Akamai scrubbing centers
  • 24/7 dedicated SOCs to mitigate attacks
  • Agnostic platform
  • Data centre and network infrastructure protection
  • Robust network connectivity and carrier diversity
  • Flexible deployment models
  • Web-based portal for real-time visibility


  • Mitigate business risk with fast and effective responses to DDoS
  • Reduce capital costs by leveraging cloud-based DDoS protection
  • Reduce operational costs by leveraging our 24x7 global SOC
  • Reduce downtime and business risk associated with DDoS attacks
  • Flexible deployment to fit with customer-specific requirements
  • Time to mitigate and consistency of mitigation SLAs
  • Utilise dedicated security professionals who mitigate over 200 weekly attacks


£5000 per unit per month

G-Cloud 10


Akamai Technologies Ltd

Mike Havelock

07711 424216


Service scope

Service constraints Customers are required to have their own /24 IP subnet as a minimum to enable BGP advertising
System requirements The ability to advertise a /24 subnet

User support

Email or online ticketing support Email or online ticketing
Support response times Customers have 24/7 access to our Security Operations Command Center for urgent matters. An Akamai representative will be available live on the phone to respond to Severity 1 (Critical Impact) and Severity 2 (Major Impact) Service issues 24 hours a day, 7 days a week and 365 days a year. Live Support Availability for severity 3 (Low Impact) cases will be available during normal business hours, Monday through Friday, excluding local holidays, 08:00 am to 5:00 pm GMT. Email support should only be used for low severity cases, or should be followed up with a phone call.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels By default, the Akamai Prolexic service includes 24/7 support for severity 1 and 2 cases. We also provide specific time-to-mitigate SLAs in relation to DDOS attack mitigations. There are no support upgrades for this service. A technical account manager will be provided.
Support available to third parties Yes

Onboarding and offboarding

Getting started Before starting service, a comprehensive technical assessment is carried out to ensure compatibility with the Prolexic system. Customers will need to connect to the platform using a dedicated Layer 2 link, or via a GRE tunnel. Our integration team will work with customers to facilitate the connection of our networks by one of these methods. As part of the onboarding process, we will provide online training on the service and its control panel. We will establish runbooks to follow in case of a DDOS attack event. We will ensure customers are fully aware of the support contact methods.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction The Akamai Prolexic service does not store any client-owned data. As a DDOS scrubbing service, we act as an intermediary for packets that are destined to your router / network. We allow legitimate packets to pass through, while we drop malicious packets that are considered part of a DDOS attack on your infrastructure. We do store metadata for the purpose of logging and analysis, to help us better understand your clean traffic profile and to analyse DDOS events. This data cannot be exported or retained at the end of the contract.
End-of-contract process The service will be disabled.

Using the service

Web browser interface Yes
Using the web interface The web interface is primarily for service monitoring. Once your Prolexic service is live, users can view the state of the connectivity between their routers / infrastructure and that of Akamai. Users can also view traffic and attack mitigation information.
Web interface accessibility standard None or don’t know
How the web interface is accessible TBC
Web interface accessibility testing None
Command line interface No


Scaling available No
Independence of resources Akamai Prolexic has significant over-capacity in order to handle the largest DDOS attacks. We operate from 16 scrubbing centres around the world, with a total network capacity of 7.2 Tbps. The largest DDOS attack ever observed was 1.3 Tbps.
Usage notifications Yes
Usage reporting
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types Network
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Hardware containing data is completely destroyed
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery No

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • Other
Other protection between networks GRE tunnel
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability We offer specific Time to Mitigate (TTM) SLAs depending on the nature of the DDOS attacks. The Prolexic platform is designed to be highly available with large amounts of redundancy. Should our platform fail to be available, the customer shall be entitled to receive a service credit.
Approach to resilience We operate from 16 different scrubbing centres around the world. In the unlikely event one facility has a technical problem, then we will route traffic via the other facilities.
Outage reporting Akamai will send notifications via the Luna Portal (customer control panel), Akamai Community, email and/or any other pre-established channels of communication.

Identity and authentication

User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication Our web interface authenticates using username and password, with optional multi-factor authentication. There is also SAML support and IP restricted login. Our APIs use standard authentication methods. There are various user profile settings that can be put in place to control user access to certain elements of the service.
Access restrictions in management interfaces and support channels Customers can configure IP restricted login. Access requires providing valid credentials, including optional multi-factor authentication. Customers can manage users in the web interface, determining their details and authorisation level. This information is then used in support channels to identify the user, authenticate the user (e.g. by calling back the number provided in the web interface) and authorise the user (check whether they are entitled to request a change or access to resources).
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Devices users manage the service through Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Cisco Systems Inc
PCI DSS accreditation date 28/06/2017
What the PCI DSS doesn’t cover Customers are instructed that only products running on the Secure Content Delivery Network, and Enterprise Application Access are in-scope for PCI and that no other systems are intended or should be used for the transmission, processing, or storage of cardholder data. Nevertheless, Akamai's products and services running on the Secure Content Delivery Network, and Enterprise Application Access may be configured to be used by customers in their cardholder data environment, and may be included in the scope of customers' PCI assessments.
Other security certifications Yes
Any other security certifications
  • FedRAMP
  • ISO 27002
  • SOC 2 Type II

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards PCI DSS
SOC 2 Type II
Information security policies and processes Akamai follows its Information Security Program. A redacted version can be shared with our customers if desired. Akamai is also assessed and compliant with various security standards.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach The change management process for software changes is chaired by the Director of Operations and the Release Manager. The process reviews all changes and potential customer impact. Any releases are signed off on by appropriate parties, which always include the SVP of Engineering and SVP of Delivery.

To minimize the risk of the corruption of information systems and the accidental removal of security controls a formal change control procedure must be followed when making changes to any production system.
Vulnerability management type Supplier-defined controls
Vulnerability management approach The vulnerability management process is set forth to ensure timely deployment of security patches and remediation of vulnerabilities to maintain confidentiality, integrity, and availability of Akamai systems and applications. The vulnerability management lifecycle includes tasks such as investigating new vulnerabilities, remediating vulnerabilities, and closing out the records when applicable. If the vulnerability impacts Akamai, the Information Security team is responsible for shepherding the vulnerability through all of the stages, ending in the closure stage. Please see this post for more information:
Protective monitoring type Supplier-defined controls
Protective monitoring approach New vulnerabilities are identified and tracked. Vulnerabilities are identified by: receiving vendor and security researcher vulnerability announcements, monitoring vendor reporting distribution lists and reporting forums, and monitoring public reporting forums (CERT, Bugtraq, SANS, etc.). These subscriptions help identify vulnerabilities that might impact Akamai information systems and networks. Additionally, the Information Security teams analyse Akamai's software and architecture to identify potential vulnerabilities. Once a specific vulnerability is identified, it is assigned to an Information Security and a subject matter expert to remedy. Vulnerabilities that do not impact Akamai are marked as such and closed.
Incident management type Supplier-defined controls
Incident management approach Akamai operates a documented Technical Crisis and Incident Management Process; this document can be shared with customers. Akamai has designed its technical systems and human operations with many safety controls and sensors to help prevent and detect issues in our environment as they arise. If a customer-identified issue cannot be solved by Akamai Support, then an incident is declared. For all severity levels, we have an Incident Manager role identified to evaluate the severity of a situation and coordinate with others working on the problem. A Service Incident Report is produced identifying failures and highlighting changes to prevent reoccurrence.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart No

Energy efficiency

Energy-efficient datacentres No


Price £5000 per unit per month
Discount for educational organisations No
Free trial available No

