CrowdSec Threat Intelligence

Community-fueled IP reputation database

CrowdSec CTI ingests and distributes intelligence on IP reputation, allowing SOC teams and security analysts to obtain highly curated data on intrusion attempts, origins and trends.

The most advanced real-world CTI

CrowdSec CTI leverages the tens of thousands of users of CrowdSec to centralize, curate and redistribute data from real-life users and applications.

  • Most CTIs use honeypots to collect cyber threat data. CrowdSec CTI focuses on data from real users, all over the world, operating a large variety of services & apps to provide precise data
  • Our users are in more than 150 countries and have hundreds of different use cases, giving accurate context to each attack
  • CrowdSec CTI operates two databases: Smoke, containing raw data from our users, and Fire, with rigorously filtered data on especially dangerous IPs

Only highly accurate and detailed information

CrowdSec users share millions of signals daily, which allows a large amount of information to be extrapolated on each IP address.

  • Each IP address shared gives information on the type of attack, moment and use case, allowing us to assess the aggressiveness of each IP address.
  • CrowdSec enriches that data with third-party resources to add information such as country of origin, autonomous system etc.
  • Reputation data is frequently refreshed to make sure it reflects the lifecycle of an IP address.

Highly curated data sets

Most CTI solutions are crippled by low data quality. False positives, outdated data or a poisoned database cause alert fatigue and leave teams with unreliable information on which to base decisions. CrowdSec CTI is curated to make sure only high-confidence data is shared with users.

  • Each contributing user gets a reputation score based on seniority and contribution. The higher the reputation, the higher the value the curation algorithm will give to the data provided by the user
  • CrowdSec operates its own network of honeypots. User data is correlated with data from honeypots to ensure homogeneity.
  • The Smoke database exposes non-curated data to enrich SOC team or analyst data.
  • The Fire database exposes only curated data for direct ingestion by firewalls to preventively block aggressive IPs.

Seamless integration with your cybersecurity solution

CrowdSec CTI was designed to seamlessly interface with most cybersecurity solutions.

  • Individual queries on IP addresses can be done through a dedicated UI in CrowdSec Console, or directly through an API.
  • CrowdSec CTI can stream IP blocklists directly to any firewall or remediation solution. Whether you use Palo Alto or OPNsense, your solution will consume IP data to provide preventive defense.
  • Full bulk lists of IP data can also be purchased for data analysts or to train AI models.

How the CrowdSec CTI works

The feed can be consumed by your firewall or any existing remediation mechanism.

Why use the Console

Real-World data from real users

By providing data coming from real users and real applications (and not honeypots), CrowdSec CTI ensures data is qualified and of high quality.

Largest global CTI

CrowdSec CTI is the largest threat intelligence source in the world, ingesting millions of signals monthly from tens of thousands of users, to provide exhaustive data sets.

100% Accurate

Our advanced curation mechanism allows for eliminating all false positives or poisoning attempts, making sure users receive the most accurate data possible.

CrowdSec CTI in a few figures

CrowdSec CTI is a collaborative cyber threat intelligence platform exposing real-life and highly curated data on IP reputation helping cybersecurity experts to better assess threats and fight back more efficiently.

3M

Rogue IPs in the CTI database

30K

"Shoot-on-sight" IPs in the blocklist

1.5M

Signals/day received from the community

+50K

Machines contributing to the CTI

Run the Agent effectively on multiple platforms

OS

  • Linux
  • BSD
  • Apple
  • Windows
  • Open WRT

Services

  • Iptables
  • Nftables
  • Nginx
  • Apache
  • Caddy
  • PF

Data sources

  • AWS Cloudwatch
  • Amazon Kinesis
  • Docker

Platforms

  • Cloudflare
  • GCP
  • AWS
  • Docker
  • Traefik
  • Envoy

Discover how companies are using our CTI

esyoil is using CrowdSec Agent to bring multiple data sources together and block IPs even before they do something bad, leveraging log analysis.
EsyOil
Yannick Siegler has been one of our earliest adopters and most involved community members. Discover his CrowdSec Agent use cases, both for personal and professional use.
Siegler Informatique
We had a chat with Dyllan Pascoe, co-founder of Lookopen. Find out how he used CrowdSec Agent and how it helped him secure his clients' IT assets.
Lookopen

Get started with CrowdSec today

Install an agent

$ curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
$ sudo apt-get install crowdsec


$ curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash
$ sudo yum install crowdsec


$ sudo apt-get install crowdsec


$ docker run -d -v "$PWD/acquis.yaml":/etc/crowdsec/acquis.yaml -e COLLECTIONS="crowdsecurity/sshd" -v /var/log/auth.log:/var/log/auth.log -v /path/mycustom.log:/var/log/mycustom.log --name crowdsec crowdsecurity/crowdsec


# pkg install crowdsec


$ wget -qO - https://github.com/crowdsecurity/crowdsec/releases/latest/download/crowdsec-release.tgz | tar zxvf -
$ cd crowdsec-v* && sudo ./wizard.sh -i


DIVE INTO CROWDSEC’S UNIVERSE

Get started with the Console today