“Emergency security support” is one of those phrases that shows up constantly in hosting marketing and rarely gets explained. It sounds reassuring, but if you’re the one actually deciding whether to pay for it — especially mid-crisis, when your site is already down — a vague promise isn’t good enough. So instead of another marketing summary, here’s a literal, line-by-line breakdown of what’s actually included in Tremhost Armor SOS, and why each piece exists.
Line Item 1: Emergency DNS Cutover to Cloudflare (Same-Day)
What this means in practice: if your site currently has no proxy protection at all — traffic going directly to your server with nothing filtering it — this is the process of routing your domain’s traffic through Cloudflare instead, on the same day the emergency is happening, rather than the multi-day timeline of a standard, unhurried migration.
Why it’s a distinct line item: a normal DNS/proxy setup is deliberately paced to avoid misconfiguration. Doing it safely and quickly, under pressure, while a site may already be struggling, is a different skill than doing it carefully over several days — which is why this isn’t just “the same service, faster.”
Line Item 2: Under Attack Mode Activation
What this means in practice: once traffic is routed through Cloudflare, this specific setting adds a brief automated verification step in front of every visitor before they reach your site — filtering out much of the automated, script-driven traffic typical of an active attack.
Why it’s a distinct line item: this isn’t switched on by default even with a standard Cloudflare setup, because it does add a small amount of friction for legitimate visitors — it’s a deliberate, situational trade-off made specifically when a site is actively under pressure, not a permanent setting.
Line Item 3: Emergency WAF and Rate-Limiting Rules
What this means in practice: rather than deploying generic, one-size-fits-all firewall rules, this is building rules specific to what’s actually happening to your site right now — if it’s a login brute-force, rate limiting goes directly on the login endpoint; if it’s XML-RPC abuse, that specific vector gets closed.
Why it’s a distinct line item: generic rule sets can miss the specific attack pattern happening in the moment, or worse, block legitimate traffic unnecessarily. Custom, situation-specific rules take deliberate configuration — this is diagnostic work, not a template being applied.
Line Item 4: Origin IP Rotation (If Compromised)
What this means in practice: if there’s reason to believe your server’s real IP address is already known to an attacker, this replaces it with a new one and ensures every path to your site goes through the proxy going forward — closing the direct route that would otherwise let attackers bypass all of the above protections entirely.
Why it’s a distinct line item: this step is only necessary when there’s evidence of exposure, but when it is needed, it’s the difference between protection that’s genuinely effective versus protection that looks complete on paper while a known bypass still exists.
Line Item 5: Post-Incident Summary
What this means in practice: a clear, written account of what happened and exactly what was changed — not a log dump, a readable summary covering the timeline, likely entry point, actions taken, and current status.
Why it’s a distinct line item: fixing a site and documenting what was fixed are two different deliverables. Without this, six months from now there’s no record to check against if something looks off again — and no clear account to give customers or auditors if one is needed.
What’s Deliberately Not Included (And Why That’s Honest, Not a Gap)
To be transparent about scope: Armor SOS is built to stabilize an active emergency, not to be ongoing protection. It doesn’t include continuous WAF tuning, monthly reporting, or quarterly reviews — those are what Armor Lite, Pro, and Business are for. Positioning a one-time emergency service as a replacement for ongoing protection would be misleading; it’s the fix for right now, not the plan for going forward.
The Full Picture in One Table
| Included | Purpose |
|---|---|
| Same-day DNS cutover | Get traffic behind protection immediately |
| Under Attack Mode | Filter automated attack traffic in real time |
| Emergency WAF/rate limiting | Close the specific attack vector in use |
| Origin IP rotation | Remove any existing bypass to your real server |
| Post-incident summary | Document what happened and what changed |
Price: $150.00, one-time.
When This Makes Sense vs. When It Doesn’t
Armor SOS makes sense if your site has no existing proxy or WAF protection and something is actively happening right now. If you already have Armor Lite or Pro running, most of this is already in place proactively — the emergency scenario this solves largely doesn’t arise in the first place, which is really the underlying point of having ongoing protection at all.



