Dual-layer kernel protection

Protect your servers with kernel-level precision.

XDP stops volumetric attacks before the network stack. nftables filters remaining traffic with a stateful firewall. Two independent layers, one panel.

  • 10M+ packets/sec (XDP)
  • < 1ms added latency
  • 1 cmd to install

PAKKT Engine

Install with one command.

The agent detects the kernel, network interfaces and existing firewall conflicts. Compatible with Debian 11+, Ubuntu 22.04+, kernel 5.9+.

Auto-detection

Kernel, interface, iptables/nftables/Docker conflicts. Single binary, zero dependencies.

77 marketplace templates

Gaming, anti-flood, rate limiting, amplification, ICMP, VoIP. XDP + nftables.

AI Assistant

Describe your rule in plain language, the AI generates the configuration.

Dual-layer kernel

XDP + nftables. Defense in depth.

Every packet traverses two independent filters. XDP eliminates volumetric noise. nftables inspects the rest.

XDP / eBPF

Before the network stack

Stateless. Drop at the earliest point in the kernel, before any memory allocation. Up to 256 simultaneous rules per interface.

  • Rate limit per port (pkt/s)
  • Block by protocol and port range
  • Blacklist / Whitelist IP (BPF map)
  • Anti-amplification UDP

10M+ packets/sec

nftables

Further down the stack

Stateful. Conntrack, TCP flags, NAT, per-connection rate limiting. The intelligent layer for application-level attacks.

  • SYN flood protection (conntrack)
  • SSH brute force block
  • Per-connection rate limit
  • Isolated table (zero Docker conflict)

Stateful inspection

All included

Every agent. All features included.

Real-time monitoring

[Dashboard preview: packets passed, volume passed, packets blocked, volume blocked, and a 24-hour chart of passed vs. blocked traffic]

Marketplace

77 XDP + nftables templates. Gaming, anti-flood, VoIP, infra. One-click deploy.

Zero-downtime hot-swap

Modify your rules on the fly. Zero impact, zero network restart.

Integrations

Pterodactyl, Pelican, public REST API. Integrate protection directly into your panel or software.

Pricing

One price. No surprises.

Pay per protected server. No tiers, no hidden fees.

All included
3€
Per server / month

1 agent = 1 VPS or 1 dedicated server (one network interface)

  • 1 server: 3€/mo
  • 5 servers: 15€/mo
  • 20 servers: 60€/mo

  • XDP + nftables dual-layer
  • 77 marketplace templates
  • AI Assistant + public API
  • Real-time monitoring
  • Pterodactyl & Pelican integration

7-day free trial

No commitment · no credit card

Security & transparency

Built on auditable primitives.

Every component has a public audit trail. No black boxes, no marketing promises — just auditable code.

Kernel eBPF

XDP code upstream in the Linux kernel since 2018. Verified by the BPF verifier before load.

mTLS + Argon2id

Agent ↔ backend mutually authenticated by certificate. Passwords hashed with memory-hard Argon2id.

Stripe SCA

Payments processed by Stripe (PCI DSS level 1). We never see your card number.

GDPR · France

Infrastructure hosted in France. Metrics kept 90 days max, no packet capture, zero data resale.

FAQ

Frequently asked questions

Everything most people ask before installing.

What is XDP and how is it different from iptables or nftables?

XDP (eXpress Data Path) is a Linux kernel hook that runs eBPF programs on packets the moment they reach the network driver — before the kernel allocates any memory for them or runs its full network stack. That's why XDP can drop up to 10 million packets per second per CPU core with sub-millisecond latency, while iptables and nftables inspect packets further down the stack and are typically 50× to 100× slower on DDoS-grade traffic. PAKKT runs XDP as a first stateless layer (volumetric drop) and nftables as a second stateful layer (conntrack, TCP flags, NAT).

Does installing PAKKT require a server restart?

No. The agent installs with a single curl command, loads the XDP program into the running kernel via eBPF, and inserts nftables rules into an isolated "inet pakkt" table. There is no restart, no systemd reshuffle, and no interruption of existing services. The same applies to uninstalling — the agent detaches the XDP program and flushes its nftables table cleanly.

Does PAKKT conflict with Docker, fail2ban or an existing firewall?

No. XDP runs before iptables/nftables in the kernel data path, so it doesn't touch your existing rules. PAKKT's nftables rules live in a separate "inet pakkt" table, which means Docker's iptables chains, fail2ban jails and your own nftables rules are untouched. The install script scans for conflicts (iptables, nftables, UFW, firewalld, CSF, fail2ban, CrowdSec, Shorewall, ipset, ip6tables) and offers to disable only managers that would break XDP — Docker rules are explicitly never modified.

Which operating systems and kernel versions does PAKKT support?

PAKKT supports Debian 11+, Ubuntu 22.04+ and most recent Linux distributions on kernel 5.9 or later. The XDP engine uses eBPF features that have been stable since kernel 5.9 (2020). The installer auto-detects your OS and kernel version and refuses to install if XDP support is missing, so you never end up in a broken state.

How much does PAKKT cost? Is there a free trial?

PAKKT costs 3 € per server per month, billed via Stripe. There are no tiers, no bandwidth limits and no hidden fees — one agent protects one VPS or dedicated server, whatever its size. A 7-day free trial is included with no credit card required: you can install, deploy rules and watch real traffic before any payment method is requested.

Does PAKKT log or forward my server traffic?

No. The agent only sends aggregated counters (packets passed, packets dropped, per-port totals, top source IPs by volume) to the PAKKT backend over mTLS every 30 seconds — never full payloads, never packet captures. Source IPs are stored in a short-retention hypertable (90 days) to power the dashboard and are never shared with third parties.

What latency does PAKKT add to legitimate traffic?

Less than 1 millisecond per packet on a modern CPU. XDP runs before the network stack, so legitimate packets pass through the engine's allow list in a handful of CPU cycles — measurable only under microbenchmark. The nftables layer adds a few microseconds per connection state lookup. In practice, users don't see any difference versus a server without PAKKT.

Can I uninstall PAKKT cleanly?

Yes. Running the uninstall command detaches the XDP program from every interface, flushes the "inet pakkt" nftables table, removes the agent binary and its systemd unit, and leaves your system in its original state. No residual rules, no leftover kernel state, no orphan config files.
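
The FAQ answers above state that PAKKT's rules stay inside the "inet pakkt" table and that uninstalling leaves no residual rules; both can be checked by comparing ruleset snapshots. The script below is an added example, not PAKKT code: the function names and sample rulesets are constructed, and it assumes snapshots were saved with `nft -s list ruleset`.

```shell
#!/bin/sh
# Added example, not PAKKT code. Snapshots are taken with `nft -s list ruleset`
# (-s omits counters, which would otherwise differ between any two runs).

# strip_table FAMILY NAME: copy a ruleset from stdin, omitting the block
# `table FAMILY NAME { ... }`. Assumes no braces inside quoted comments.
strip_table() {
    awk -v fam="$1" -v name="$2" '
        !skip && $1 == "table" && $2 == fam && $3 == name { skip = 1; depth = 0 }
        skip {
            depth += gsub(/[{]/, "{")
            depth -= gsub(/[}]/, "}")
            if (depth <= 0) skip = 0
            next
        }
        NF { print }
    '
}

# only_pakkt_changed BEFORE AFTER: succeed if both snapshot files are
# identical once the "inet pakkt" table is ignored.
only_pakkt_changed() {
    before=$(strip_table inet pakkt < "$1")
    after=$(strip_table inet pakkt < "$2")
    [ "$before" = "$after" ]
}

# Constructed sample: a Docker-style table as it might look before install.
sample_before() {
    cat <<'EOF'
table ip filter {
    chain DOCKER {
        iifname != "docker0" oifname "docker0" tcp dport 8080 accept
    }
}
EOF
}

# Constructed sample: same host after install; the pakkt rule is illustrative.
sample_after() {
    sample_before
    cat <<'EOF'
table inet pakkt {
    chain input {
        type filter hook input priority filter; policy accept;
        tcp dport 22 ct state new limit rate over 10/minute drop
    }
}
EOF
}
```

Save one snapshot before installing and another afterwards (or after uninstalling), then call `only_pakkt_changed before.txt after.txt`; a non-zero status means something outside the PAKKT table changed.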

Ready to protect your servers?

Deploy the agent in under 60 seconds. 7-day free trial, no commitment.