CrowdSec offers an alternative approach for web security: an open-source WAF integrated into the CrowdSec Security Engine, powered by a global community of defenders. It’s designed to be transparent, scalable, and proactive, without the high costs and heavy maintenance of traditional WAFs. In this article, we’ll look at how CrowdSec WAF can be deployed, from a simple setup to advanced enterprise-grade protection.
Level 1: Simpler
Virtual Patching Out-of-the-Box
The easiest way to get started with CrowdSec WAF is to install it with the crowdsecurity/appsec-virtual-patching collection. This provides immediate virtual patching against known exploits, without touching your application code or risking downtime. Requests are analyzed before they reach your apps, and malicious traffic is blocked instantly. The rules are kept up to date automatically, so you don’t have to worry about chasing the latest CVEs. Because CrowdSec curates the ruleset to focus on confirmed exploits, the risk of false positives is very low. And since it works with all major web servers and proxies like Nginx, Traefik, or Caddy, it can be dropped into almost any environment.
Key benefits:
- Instant protection against known exploits
- No app changes or downtime required
- Automatic updates with minimal false positives
- Compatible with all major web servers and proxies
Level 2: Further
Adding the Core Rule Set (CRS)
Now that the basics are covered, you can extend protection by enabling the OWASP ModSecurity Core Rule Set through the crowdsecurity/crs collection. Unlike the default rules, which are enforced inline, CRS is evaluated asynchronously. That means the request goes through without delay, but you still gain visibility into a much wider range of attack techniques, including SQL injection, cross-site scripting, and remote code execution attempts, and you can test how the CRS behaves in real conditions to avoid false positives. With the crowdsecurity/crowdsec-appsec-outofband scenario, IPs that repeatedly trigger CRS rules can be automatically banned.
When the setup is ready, you can switch the CRS to blocking mode using the crowdsecurity/crowdsec-crs-inband collection. In this mode, you keep the same insights into the malicious requests on your server, but they will now be blocked before reaching your application. And of course, you can still integrate the CRS with the behavior engine of CrowdSec to ban repeated offenders.
Key benefits:
- Broad threat detection (SQLi, XSS, RCE, etc.)
- No latency impact during the evaluation phase
- Behavioral scenarios for automatic banning
- Community-powered global IP intelligence
Level 3: Deeper
Custom Rules and DSL
Every application has its own specifics, and generic rulesets can only go so far. That’s why CrowdSec WAF supports custom rules. You can import existing ModSecurity Seclang rules, but more importantly, you can write your own using CrowdSec’s simpler YAML-based DSL. YAML makes rules much easier to read, write, and maintain, especially for teams already familiar with Kubernetes, Prometheus, or Docker. To avoid breaking production traffic, custom rules can be tested in out-of-band mode before being enforced. CrowdSec also offers a unique framework to facilitate and strengthen testing, along with tokenization tools for efficiently creating XSS- or SQLi-specific rules.
For advanced use cases, custom scenarios can be created to detect specific behaviors unique to your application or industry.
Key benefits:
- Tailor protection to your unique app and APIs
- Import legacy ModSecurity rules
- Use YAML for easier rule writing and maintenance
- Safely test rules out-of-band before enforcement
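As an added illustration of the custom-rule workflow described above (not taken from the original article or from CrowdSec's own rule hub), here is a rule in the YAML DSL together with an AppSec config that first evaluates it out-of-band. The rule name, config name, file names, endpoint and argument are hypothetical and the two YAML documents are separate files.

```yaml
# File 1: /etc/crowdsec/appsec-rules/block-export-traversal.yaml
# Hypothetical rule: flag "../" in the `file` argument of /api/export.
name: custom/block-export-traversal
description: "Path traversal in the file argument of /api/export (hypothetical endpoint)"
rules:
  - and:                      # both conditions must match the same request
      - zones:
          - URI               # request path
        transform:
          - lowercase         # compare case-insensitively
        match:
          type: startsWith
          value: /api/export
      - zones:
          - ARGS              # query-string arguments
        variables:
          - file              # only inspect the `file` argument
        match:
          type: contains
          value: "../"
labels:
  type: exploit
  service: http
  behavior: "http:exploit"
  label: "Path traversal on /api/export"
---
# File 2: /etc/crowdsec/appsec-configs/custom-app.yaml
# Hypothetical AppSec config that loads the rule above.
name: custom/app-rules
default_remediation: ban
# Stage 1: out-of-band. Matches raise alerts, the request is still served.
outofband_rules:
  - custom/block-export-traversal
# Stage 2: once the alerts show no false positives, move the rule here so
# matching requests are blocked before they reach the application.
# inband_rules:
#   - custom/block-export-traversal
```

The config only takes effect once the AppSec acquisition datasource references it and CrowdSec is reloaded.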
Level 4: Safer
Enterprise-Grade Enhancements
For organizations requiring scalable, production-grade WAF protection, CrowdSec offers powerful enterprise capabilities through its SaaS Console and Enterprise Plan.
Decisions and allowlists can be centrally managed and propagated across all WAF instances, with alerts sent via Slack, Teams, or webhooks. Real-time dashboards offer visibility into threat patterns and mitigation efficiency. Premium and LTS support are available for mission-critical workloads. CrowdSec’s world-leading Threat Intelligence data can also be used to enrich the WAF data and gain unique visibility into incoming IPs.
Key benefits:
- Fastest rule updates and proactive defenses
- Centralized fleet management via SaaS Console
- Real-time alerting integrations (Slack, Teams, webhooks)
- Metrics and dashboards for operational oversight
- Premium support and long-term stable builds
Conclusion
The CrowdSec WAF grows with you. You can start with an effortless install that shields your applications against known exploits. Then, you can add the CRS for broader detection, introduce custom rules to defend what makes your app unique, and finally, industrialize everything with blocklists, SaaS Console, and enterprise features.
By blending open-source transparency with community-powered intelligence, CrowdSec WAF delivers modern web application security without the trade-offs of legacy or commercial solutions. To try it out, visit the CrowdSec WAF documentation and see how quickly you can integrate collaborative security into your stack.