×
🎓 [Upcoming Webinar] What Does Crowdsourced Cybersecurity Actually mean?
Register now

CrowdSec Threat Intelligence

The largest community-fueled CTI network on earth

CrowdSec CTI distributes IP reputation intelligence, allowing SOC teams & security analysts to obtain highly curated data on intrusion attempts, origins, and trends.
Get started for freeGet started for free
Get started for freeDownload The Majority Report
Understand your attackers
our two databases
supercharge the existing
use our api
01/04

The most advanced real-world CTI

CrowdSec CTI leverages the tens of thousands of users of CrowdSec to centralize, curate and redistribute data from real-life users and applications.

  • Most CTIs use honeypots to collect cyber threat data. CrowdSec CTI focuses on data from real users, all over the world, operating a large variety of services & apps to provide precise data
  • Our users are in more than 180 countries and have hundreds of different use cases, giving accurate context to each attack
  • CrowdSec CTI operate two databases: Smoke, containing raw data from our users, and Fire, with rigorously filtered data on especially dangerous IPs
02/04

Highly accurate and detailed information

CrowdSec users share millions of signals daily, allowing us to gather a large amount of information on each IP address.

  • Each IP address shared gives us information on the type of attack, moment and use case, allowing us to assess its aggressivity of each IP address.
  • CrowdSec enriches that data with third-party resources to add information such as country of origin, autonomous system etc.
  • Reputation data is frequently refreshed to make sure it reflects the lifecycle of an IP address.
03/04

Strictly curated data sets

Most CTI solutions are crippled by low data quality. False positives, deprecated data or poisoned bases increase alert fatigue and provide unreliable information to make decisions. CrowdSec CTI is curated to make sure only high-confidence data is shared with the users.

  • Each contributing user gets a reputation score based on seniority and contribution. The higher the reputation, the higher the value the curation algorithm will give to the data provided by the user
  • CrowdSec operates its own network of honeypots. User data is correlated with data from honeypots to ensure homogeneity.
  • The Smoke database exposes non-curated data to enrich SOC teams or analyst data
  • The Fire database provides curated data for direct ingestion by firewalls to preventively block aggressive IPs.
04/04

Seamless integration with your cybersecurity solution

CrowdSec CTI was designed to seamlessly interface with most cybersecurity solutions.

  • Individual queries on IP addresses can be done through a dedicated UI in CrowdSec Console, or directly through an API.
  • CrowdSec CTI can stream IP blocklists directly to any firewall or remediation solution. Whether you use Palo Alto or OPNSense, your solution will consume IP data to provide preventive defense.
  • Full bulk lists of IP data can also be purchased for data analysts or to train AI models.

How the CrowdSec CTI works

The feed can be consumed by your firewall or any existing remediation mechanism.

a clock inside a wheel and a tic over it

a magnifying glass over a screen

aws logo

a tic over a checklist

a magnifying glass over a document

a hand clicking on a dashboard

kubernetes logo

a forbidden icon

Why use the CTI

an orange tic

Real-World data from real users

By providing data coming from real users and real applications (and not honeypots), CrowdSec CTI ensures data is high quality.

an orange tic

Largest global CTI

CrowdSec CTI is the largest threat intelligence source in the world, taking in millions of signals monthly from tens of thousands of users to provide exhaustive data sets.

an orange tic

100% Accurate

Our advanced curation mechanism allows for the elimination of all  false positives or poisoning attempts, making sure users receive the most accurate data possible.

CrowdSec CTI in few figures

CrowdSec CTI is a collaborative cyber threat intelligence platform providing real-life and highly curated data on IP reputation, helping cybersecurity experts to better assess threats and fight back more efficiently.

48M+

Rogue IPs in the CTI database

40K

"Shoot-in-sight" IPs in the blocklist

13M

Signals/day received from the community

64K+

Machines contributing to the CTI

Why use the CTI

Real-World data from real users

By providing data coming from real users and real applications (and not honeypots), CrowdSec CTI ensures data is high quality.

Largest global CTI

CrowdSec CTI is the largest threat intelligence source in the world, taking in millions of signals monthly from tens of thousands of users to provide exhaustive data sets.

100% Accurate

Our advanced curation mechanism allows for the elimination of all  false positives or poisoning attempts, making sure users receive the most accurate data possible.

Run the Agent effectively on multiple platforms

OS

Linux
Linux
Coming soon
FreeBSD
FreeBSD
Coming soon
Windows
Windows
Coming soon
Open WRT
Open WRT
Coming soon

Services

Iptables
Iptables
Coming soon
Nftables
Nftables
Coming soon
Nginx
Nginx
Coming soon
Apache
Apache
Coming soon
Caddy
Caddy
Coming soon
PF
PF
Coming soon
Traefik
Traefik
Coming soon

Data sources

AWS Cloudwatch
AWS Cloudwatch
Coming soon
Amazon Kinesis
Amazon Kinesis
Coming soon
Docker
Docker
Coming soon

Platforms

Cloudflare
Cloudflare
Coming soon
AWS
AWS
Coming soon
Docker
Docker
Coming soon
See full list

Discover how companies are using our CTI

Select
Tab1
Tab2
Tab3
Tab4
esyoil is using CrowdSec Security Engine to bring multiple data sources together and block bad IPs before they even act, leveraging log analysis.
John DOE
 - 
CEO at Acme Inc.
Read use case
EsyOil
Yannick Siegler has been one of our earliest adopters and most involved community members. Discover his CrowdSec Security Engine use cases, both personal and professional.
John Doe
 - 
CEO at Acme Inc.
Read use case
Siegler Informatique
We had a chat with Dyllan Pascoe, co-founder of Lookopen. Find out how he used CrowdSec Security Engine and how it helped him secure his clients' IT assets.
John DOE
 - 
CEO at Acme Inc.
Read use case
Lookopen

Get started with CrowdSec today

Install a Security Engine
Select
Debian / Ubuntu
RHEL / CentOS / Amazon Linux
Debian (legacy)
Docker
FreeBSD
Tarball

$ curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
$ sudo apt-get install crowdsec

COPY CODE
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

$ curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash
$ sudo yum install crowdsec

COPY CODE
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

$ sudo apt-get install crowdsec

COPY CODE
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

$ docker run -d -v acquis.yaml:/etc/crowdsec/acquis.yaml -e COLLECTIONS="crowdsecurity/sshd" -v /var/log/auth.log:/var/log/auth.log -v /path/mycustom.log:/var/log/mycustom.log --name crowdsec crowdsecurity/crowdsec

COPY CODE
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

# pkg install crowdsec

COPY CODE
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

$ wget -qO - https://github.com/crowdsecurity/crowdsec/releases/latest/download/crowdsec-release.tgz | tar zxvf -
$ cd crowdsec-v* && sudo ./wizard.sh -i

COPY CODE
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
See the GitHub repository
an image of the CrowdSec community
icon of ellipses
icon of ellipses

DIVE INTO CROWDEC’S UNIVERSE

Get started with
the Console today
Book a Demo
a screenshot of the alerts section on the CrowdSec console