CrowdSec Threat Intelligence
The largest community-fueled CTI network on earth
The most advanced real-world CTI
CrowdSec CTI leverages the tens of thousands of users of CrowdSec to centralize, curate and redistribute data from real-life users and applications.
- Most CTIs use honeypots to collect cyber threat data. CrowdSec CTI focuses on data from real users, all over the world, operating a large variety of services & apps to provide precise data
- Our users are in more than 180 countries and have hundreds of different use cases, giving accurate context to each attack
- CrowdSec CTI operate two databases: Smoke, containing raw data from our users, and Fire, with rigorously filtered data on especially dangerous IPs
Highly accurate and detailed information
CrowdSec users share millions of signals daily, allowing us to gather a large amount of information on each IP address.
- Each IP address shared gives us information on the type of attack, moment and use case, allowing us to assess its aggressivity of each IP address.
- CrowdSec enriches that data with third-party resources to add information such as country of origin, autonomous system etc.
- Reputation data is frequently refreshed to make sure it reflects the lifecycle of an IP address.
Strictly curated data sets
Most CTI solutions are crippled by low data quality. False positives, deprecated data or poisoned bases increase alert fatigue and provide unreliable information to make decisions. CrowdSec CTI is curated to make sure only high-confidence data is shared with the users.
- Each contributing user gets a reputation score based on seniority and contribution. The higher the reputation, the higher the value the curation algorithm will give to the data provided by the user
- CrowdSec operates its own network of honeypots. User data is correlated with data from honeypots to ensure homogeneity.
- The Smoke database exposes non-curated data to enrich SOC teams or analyst data
- The Fire database provides curated data for direct ingestion by firewalls to preventively block aggressive IPs.
%20(1).png)
Seamless integration with your cybersecurity solution
CrowdSec CTI was designed to seamlessly interface with most cybersecurity solutions.
- Individual queries on IP addresses can be done through a dedicated UI in CrowdSec Console, or directly through an API.
- CrowdSec CTI can stream IP blocklists directly to any firewall or remediation solution. Whether you use Palo Alto or OPNSense, your solution will consume IP data to provide preventive defense.
- Full bulk lists of IP data can also be purchased for data analysts or to train AI models.
How the CrowdSec CTI works

Why use the CTI
Real-World data from real users
By providing data coming from real users and real applications (and not honeypots), CrowdSec CTI ensures data is high quality.
Largest global CTI
CrowdSec CTI is the largest threat intelligence source in the world, taking in millions of signals monthly from tens of thousands of users to provide exhaustive data sets.
100% Accurate
Our advanced curation mechanism allows for the elimination of all false positives or poisoning attempts, making sure users receive the most accurate data possible.
CrowdSec CTI in few figures
48M+
Rogue IPs in the CTI database
40K
"Shoot-in-sight" IPs in the blocklist
13M
Signals/day received from the community
64K+
Machines contributing to the CTI
Why use the CTI
Real-World data from real users
By providing data coming from real users and real applications (and not honeypots), CrowdSec CTI ensures data is high quality.
Largest global CTI
CrowdSec CTI is the largest threat intelligence source in the world, taking in millions of signals monthly from tens of thousands of users to provide exhaustive data sets.
100% Accurate
Our advanced curation mechanism allows for the elimination of all false positives or poisoning attempts, making sure users receive the most accurate data possible.
Run the Agent effectively on multiple platforms
OS
Services
Data sources
Platforms