On May 8, 2026, during a scheduled maintenance window at 2AM UTC, Kentik will introduce an F5 Distributed Cloud Web Application Firewall (WAF) in front of our US SaaS platform (portal.kentik.com / api.kentik.com).  This is part of our commitment to continual improvement and defense in depth strategy to secure our systems in the face of novel, AI-assisted attack chains. (Note - As part of our initial deployment, this change took effect in EU SaaS on April 22, 2026)

What's changing

All HTTPS traffic to portal.kentik.com,  api.kentik.com (including *.my.kentik.com, beta.kentik.com & next.kentik.com), and the corresponding .eu domains, now routes through the F5 WAF at 159.60.158.89 before reaching Kentik infrastructure. This provides enhanced protection against malicious web application traffic and attacks with no change to the portal or API functionality.

What's not changing

• Our SaaS platform remains hosted with its data stored in our co-location facility in Ashburn, Virginia for our US and Frankfurt, Germany for EU.
• Flow data ingest is unaffected. NetFlow/IPFIX/sFlow sent to your assigned Kentik collector IPs continues to reach us directly and is not routed through the F5-WAF.

Action required

Action only required if you have outbound IP allowlists. If your proxies, firewalls or other routing policies restrict outbound HTTPS (port 443) to Kentik by IP, you must add 159.60.158.89 alongside the existing Kentik VIPs. Without this, portal and API access may be blocked from your network.

Data Processing Notes

F5 Data Processing

• Requests will be processed by F5’s regional endpoints based on where they originate.
• F5 is a member of the US DPF program & shares our overall GDPR commitment, so this change should not introduce novel data locality concerns. 
• WAF performs transient analysis of user requests hitting the SaaS website only and is not used to process network telemetry data (such as NetFlow) sent to our servers. Furthermore, F5 does not store any user request data post-processing. As a result, we determined that this does not meet our criteria for declaring F5 as a full subprocessor working with customer personal data.

Private Network Interconnect (PNI)

• If you have a private network interconnect (PNI) configured to Kentik with the portal/API being accessed via the PNI. Then with the WAF in place, portal and API access will be routed via F5’s regional edges over the internet. (Note: This is only for web traffic and, Flow/ingest data will still continue to go over the PNI)

Additional F5 information

• F5 Data Protection:  https://www.f5.com/company/trust-center/general-data-protection-regulation-and-data-protection-framework
• F5 Regional Edge Locations: https://my.f5.com/manage/s/article/K000146743 
• F5 Regional Edge IP ranges: https://docs.cloud.f5.com/docs-v2/downloads/platform/reference/network-cloud-ref/ips-domains.txt 

If you have any questions regarding this, please reach out to Kentik support or your customer success advisor.