diff --git a/.gitignore b/.gitignore
index 62551d255..4c236fefd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .vscode
 node_modules
-.history
\ No newline at end of file
+.history
+ai-session
\ No newline at end of file
diff --git a/crowdsec-docs/sidebarsUnversioned.ts b/crowdsec-docs/sidebarsUnversioned.ts
index aded4b970..25d46c21c 100644
--- a/crowdsec-docs/sidebarsUnversioned.ts
+++ b/crowdsec-docs/sidebarsUnversioned.ts
@@ -11,6 +11,12 @@ const sidebarsUnversionedConfig: SidebarConfig = {
 label: "Introduction",
 id: "cti_api/intro",
 },
+ // ── EXPLORE ──────────────────────────────────────────────────────────
+ {
+ type: "html",
+ value: "Explore",
+ defaultStyle: false,
+ },
 {
 type: "link",
 label: "Web UI",
@@ -19,6 +25,20 @@ const sidebarsUnversionedConfig: SidebarConfig = {
 tag: "otherSection",
 },
 },
+ {
+ type: "link",
+ label: "Live Exploit Tracker",
+ href: "/u/tracker_api/intro",
+ customProps: {
+ tag: "otherSection",
+ },
+ },
+ // ── API ──────────────────────────────────────────────────────────────
+ {
+ type: "html",
+ value: "
API",
+ defaultStyle: false,
+ },
 {
 type: "doc",
 label: "API Access",
@@ -50,16 +70,12 @@ const sidebarsUnversionedConfig: SidebarConfig = {
 "cti_api/api_integration/integration_thehive",
 ],
 },
+ // ── TECHNICAL DOC ─────────────────────────────────────────────────────
 {
 type: "html",
- value: "
",
+ value: "
Technical Doc",
+ defaultStyle: false,
+ },
- {
- type: "doc",
- label: "Advanced Query Syntax",
- id: "cti_api/search_queries",
- },
 {
 type: "category",
 label: "Taxonomy",
@@ -75,15 +91,19 @@ const sidebarsUnversionedConfig: SidebarConfig = {
 ],
 },
 {
- type: "html",
- value: "
",
- defaultStyle: false,
+ type: "doc",
+ label: "Advanced Query Syntax",
+ id: "cti_api/search_queries",
 },
 {
 type: "link",
- label: "Swagger",
+ label: "Swagger ↗",
 href: "https://crowdsecurity.github.io/cti-api/",
 },
+ {
+ type: "html",
+ value: "
",
+ },
 {
 type: "doc",
 label: "FAQ",
diff --git a/crowdsec-docs/src/components/cti-integration-tile.tsx b/crowdsec-docs/src/components/cti-integration-tile.tsx
new file mode 100644
index 000000000..5db9aa54b
--- /dev/null
+++ b/crowdsec-docs/src/components/cti-integration-tile.tsx
@@ -0,0 +1,156 @@
+import useBaseUrl from "@docusaurus/useBaseUrl";
+// biome-ignore lint/correctness/noUnusedImports: React is needed for JSX
+import React, { useRef, useState } from "react";
+import { type CtiIntegrationData, ctiIntegrations } from "./data/cti-integrations";
+
+export { ctiIntegrations };
+
+export default function CtiIntegrationTile({ name, slug, href, plugin, desc, color }: CtiIntegrationData) {
+ const logoSrc = useBaseUrl(`/img/cti-integrations/logo-${slug}.png`);
+ const fallbackSrc = useBaseUrl("/img/cti-integrations/logo-default.png");
+ const [tooltip, setTooltip] = useState(false);
+ const tooltipRef = useRef(null);
+
+ return (
+
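Review bot: The `type: "html"` separator added just before the FAQ entry (end of the last hunk) omits `defaultStyle: false`, while every other `type: "html"` item in this file sets it explicitly, including the two added earlier in this commit. As far as I recall Docusaurus treats a missing `defaultStyle` as `false`, so this is a consistency issue rather than a behavioural one, but the odd one out invites a reader to assume a different rendering; add `defaultStyle: false,` after its `value` line. Separately, the new "Live Exploit Tracker" link points at `/u/tracker_api/intro`, whereas the CTI landing page in this same commit sends the identically named intent to `/u/console/ip_reputation/intro#live-exploit-tracker`; confirm which is the canonical page so the two entry points do not drift.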
+ {/* left gradient strip */} +
+ { + const wrapper = (e.currentTarget as HTMLAnchorElement).parentElement as HTMLDivElement; + wrapper.style.boxShadow = `0 4px 12px ${color}30`; + wrapper.style.borderColor = `${color}70`; + setTooltip(true); + }} + onMouseLeave={(e) => { + const wrapper = (e.currentTarget as HTMLAnchorElement).parentElement as HTMLDivElement; + wrapper.style.boxShadow = "none"; + wrapper.style.borderColor = "var(--ifm-color-emphasis-200)"; + setTooltip(false); + }} + > +
+ {`${name} { + (e.currentTarget as HTMLImageElement).onerror = null; + (e.currentTarget as HTMLImageElement).src = fallbackSrc; + }} + style={{ width: "28px", height: "28px", objectFit: "contain", pointerEvents: "none", userSelect: "none" }} + /> +
+
+ + {name} + + + {plugin} + +
+
+ + {/* Hover tooltip */} + {tooltip && ( +
+
+ {name} +
+ {desc} + {/* Arrow */} +
+
+ )} +
+ );
+}
diff --git a/crowdsec-docs/src/components/data/cti-integrations.ts b/crowdsec-docs/src/components/data/cti-integrations.ts
new file mode 100644
index 000000000..a05e0b8d7
--- /dev/null
+++ b/crowdsec-docs/src/components/data/cti-integrations.ts
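Review bot: The `onMouseEnter`/`onMouseLeave` handlers on the anchor reach through `e.currentTarget.parentElement` and write `boxShadow`/`borderColor` straight into the wrapper's inline style, which bypasses React's rendering and, since only mouse events are wired, leaves keyboard users without the hover treatment; integration-tile.tsx in this commit carries the same pair of handlers. The component already tracks `tooltip` in state, so the wrapper's hover styling can be derived from that state in JSX (or from a CSS `:hover`/`:focus-within` rule with the accent passed as a custom property, `style={{ "--tile-accent": color } as React.CSSProperties}`), and the imperative `parentElement` mutation dropped; adding `onFocus`/`onBlur` alongside the mouse handlers would cover keyboard focus either way. `${color}30` and `${color}70` append a hex alpha byte, which only yields valid CSS when `color` is a six-digit `#rrggbb` value, so a comment such as `// color must be #rrggbb: an alpha byte is appended below` on the handler would record the assumption the data file has to honour.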
@@ -0,0 +1,139 @@
+export interface CtiIntegrationData {
+ name: string;
+ slug: string;
+ href: string;
+ plugin: string; // vendor-specific plugin/extension/module name shown as subtext
+ desc: string; // shown on hover tooltip
+ color: string;
+}
+
+export const ctiIntegrations: CtiIntegrationData[] = [
+ {
+ name: "IPDEX",
+ slug: "ipdex",
+ href: "/u/cti_api/api_integration/integration_ipdex",
+ plugin: "CrowdSec CTI Reports",
+ desc: "IPDEX extracts IP addresses from your logs and cross-references them against CrowdSec's global threat intelligence network — instantly.",
+ color: "#e55c2f",
+ },
+ {
+ name: "Chrome",
+ slug: "chrome",
+ href: "/u/cti_api/api_integration/integration_chrome",
+ plugin: "CrowdSec CTI Extension",
+ desc: "Browser extension to instantly look up any IP on a page without leaving your browser.",
+ color: "#4285f4",
+ },
+ {
+ name: "Gigasheet",
+ slug: "gigasheet",
+ href: "/u/cti_api/api_integration/integration_gigasheet",
+ plugin: "No-Code API Enrichment",
+ desc: "Enrich spreadsheet columns with CTI data using Gigasheet's no-code API enrichment feature — no scripting required.",
+ color: "#00b4d8",
+ },
+ {
+ name: "IntelOwl",
+ slug: "intelowl",
+ href: "/u/cti_api/api_integration/integration_intelowl",
+ plugin: "CrowdSec Analyzer",
+ desc: "Open-source threat intelligence platform with a built-in CrowdSec analyzer for automated IP enrichment.",
+ color: "#e63946",
+ },
+ {
+ name: "Maltego",
+ slug: "maltego",
+ href: "/u/cti_api/api_integration/integration_maltego",
+ plugin: "CrowdSec Transform",
+ desc: "Link analysis and data visualization tool. Use the CrowdSec Transform to pivot from IPs to full reputation context.",
+ color: "#efefef",
+ },
+ {
+ name: "MISP",
+ slug: "misp",
+ href: "/u/cti_api/api_integration/integration_misp",
+ plugin: "CrowdSec Feed Module",
+ desc: "Open-source threat sharing platform. 
Import CrowdSec CTI data as a MISP feed for collaborative threat intelligence workflows.",
+ color: "#1a73e8",
+ },
+ {
+ name: "MSTICpy",
+ slug: "msticpy",
+ href: "/u/cti_api/api_integration/integration_msticpy",
+ plugin: "CrowdSec TI Provider",
+ desc: "Microsoft's open-source security Python library. Query CrowdSec CTI directly from Jupyter notebooks and threat hunting scripts.",
+ color: "#00a4ef",
+ },
+ {
+ name: "Microsoft Sentinel",
+ slug: "ms-sentinel",
+ href: "/u/cti_api/api_integration/integration_ms_sentinel",
+ plugin: "CrowdSec Threat Intelligence",
+ desc: "Cloud-native SIEM. Enrich Sentinel incidents and hunting queries with CrowdSec IP reputation data via the native connector.",
+ color: "#0078d4",
+ },
+ {
+ name: "OpenCTI",
+ slug: "opencti",
+ href: "/u/cti_api/api_integration/integration_opencti",
+ plugin: "CrowdSec Connector",
+ desc: "Open-source CTI platform. Ingest CrowdSec reputation data as a structured connector for correlation and sharing.",
+ color: "#e55c2f",
+ },
+ {
+ name: "Palo Alto XSOAR",
+ slug: "paloalto_xsoar",
+ href: "/u/cti_api/api_integration/integration_paloalto_xsoar",
+ plugin: "CrowdSec Integration",
+ desc: "SOAR platform by Palo Alto Networks. Automate IP reputation lookups in playbooks using the CrowdSec integration.",
+ color: "#fa582d",
+ },
+ {
+ name: "QRadar",
+ slug: "qradar",
+ href: "/u/cti_api/api_integration/integration_qradar",
+ plugin: "CrowdSec App",
+ desc: "IBM SIEM solution. Enrich QRadar offenses and rules with CrowdSec IP reputation via the dedicated app.",
+ color: "#0530ad",
+ },
+ {
+ name: "Security Copilot",
+ slug: "securitycopilot",
+ href: "/u/cti_api/api_integration/integration_securitycopilot",
+ plugin: "CrowdSec Plugin",
+ desc: "Microsoft's AI-powered security assistant. 
Query CrowdSec CTI data inline using natural language prompts.",
+ color: "#0078d4",
+ },
+ {
+ name: "Sekoia XDR",
+ slug: "sekoia",
+ href: "/u/cti_api/api_integration/integration_sekoia_xdr",
+ plugin: "CrowdSec CTI Intake",
+ desc: "Extended Detection and Response platform. Feed CrowdSec IP reputation into Sekoia for detection and threat hunting.",
+ color: "#6c47ff",
+ },
+ {
+ name: "Splunk SIEM",
+ slug: "splunk_siem",
+ href: "/u/cti_api/api_integration/integration_splunk_siem",
+ plugin: "CrowdSec Add-on for Splunk",
+ desc: "Enrich Splunk Enterprise Security searches and dashboards with live CrowdSec IP reputation data.",
+ color: "#65a637",
+ },
+ {
+ name: "Splunk SOAR",
+ slug: "splunk_soar",
+ href: "/u/cti_api/api_integration/integration_splunk_soar",
+ plugin: "CrowdSec App for SOAR",
+ desc: "Automate IP enrichment and response playbooks in Splunk SOAR using the CrowdSec threat intelligence app.",
+ color: "#65a637",
+ },
+ {
+ name: "TheHive",
+ slug: "thehive",
+ href: "/u/cti_api/api_integration/integration_thehive",
+ plugin: "CrowdSec Analyzer",
+ desc: "Open-source SIRP for incident response teams. Add CrowdSec as a Cortex analyzer to auto-enrich observables.",
+ color: "#f5a623",
+ },
+];
diff --git a/crowdsec-docs/src/components/integration-tile.tsx b/crowdsec-docs/src/components/integration-tile.tsx
new file mode 100644
index 000000000..7ff35de31
--- /dev/null
+++ b/crowdsec-docs/src/components/integration-tile.tsx
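Review bot: The `color` field of `CtiIntegrationData` is the only field without a comment, yet it is the one with a hidden constraint: cti-integration-tile.tsx in this commit appends an alpha byte to it (`${color}30`), so only a six-digit `#rrggbb` literal produces valid CSS, and a named colour or three-digit hex entry added later would fail silently. Record that where the data lives, e.g. `color: string; // six-digit #rrggbb — the tile appends a hex alpha byte for hover effects`, matching the style of the `plugin` and `desc` comments. Every entry currently complies, so no data change is needed.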
@@ -0,0 +1,119 @@
+import useBaseUrl from "@docusaurus/useBaseUrl";
+import React from "react";
+
+interface IntegrationTileProps {
+ name: string;
+ slug: string;
+ href: string;
+ desc?: string;
+ color: string;
+ children?: React.ReactNode;
+}
+
+export const firewallIntegrations = [
+ {
+ name: "Checkpoint",
+ slug: "checkpoint",
+ href: "/u/integrations/checkpoint",
+ desc: "Custom Intelligence (IoC) Feeds",
+ color: "#cc0000",
+ },
+ { name: "Cisco", slug: "cisco", href: "/u/integrations/cisco", desc: "Security Intelligence feeds", color: "#1ba0d8" },
+ { name: "F5", slug: "f5", href: "/u/integrations/f5", desc: "External IP blocklist / Feed lists", color: "#e4002b" },
+ { name: "Fortinet", slug: "fortinet", href: "/u/integrations/fortinet", desc: "IP address Threat Feeds", color: "#ee3124" },
+ { name: "Juniper", slug: "juniper", href: "/u/integrations/juniper", desc: "Security Dynamic Address feeds", color: "#84b135" },
+ { name: "Mikrotik", slug: "mikrotik", href: "/u/integrations/mikrotik", desc: "IP blocklist ingestion", color: "#9f1d20" },
+ { name: "OPNsense", slug: "opnsense", href: "/u/integrations/opnsense", desc: "URL Table (IPs) aliases", color: "#d94f00" },
+ { name: "Palo Alto", slug: "paloalto", href: "/u/integrations/paloalto", desc: "External Dynamic Lists (EDL)", color: "#fa582d" },
+ { name: "pfSense", slug: "pfsense", href: "/u/integrations/pfsense", desc: "URL Table (IPs) aliases", color: "#212d6e" },
+ { name: "Sophos", slug: "sophos", href: "/u/integrations/sophos", desc: "Third-Party Threat Feeds", color: "#1f6bff" },
+];
+
+export default function IntegrationTile({ name, slug, href, desc, color, children }: IntegrationTileProps) {
+ const logoSrc = useBaseUrl(`/img/blaas/logo-${slug}.png`);
+ const fallbackSrc = useBaseUrl("/img/blaas/logo-default.png");
+
+ return (
+
+
+ { + const wrapper = (e.currentTarget as HTMLAnchorElement).parentElement as HTMLDivElement; + wrapper.style.boxShadow = `0 4px 12px ${color}30`; + wrapper.style.borderColor = `${color}70`; + }} + onMouseLeave={(e) => { + const wrapper = (e.currentTarget as HTMLAnchorElement).parentElement as HTMLDivElement; + wrapper.style.boxShadow = "none"; + wrapper.style.borderColor = "var(--ifm-color-emphasis-200)"; + }} + > +
+ {`${name} { + (e.currentTarget as HTMLImageElement).onerror = null; + (e.currentTarget as HTMLImageElement).src = fallbackSrc; + }} + style={{ width: "32px", height: "32px", objectFit: "contain", pointerEvents: "none", userSelect: "none" }} + /> +
+
+ + {name} + + + {children || desc} + +
+
+
+ ); +} diff --git a/crowdsec-docs/src/css/custom.css b/crowdsec-docs/src/css/custom.css index 18a40585f..38daeb636 100644 --- a/crowdsec-docs/src/css/custom.css +++ b/crowdsec-docs/src/css/custom.css 
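Review bot: `firewallIntegrations` is exported with no type annotation, so each entry's shape is only inferred from the literals and a missing `href` or misspelled key in a future entry surfaces, if at all, at the call site; the sibling data module cti-integrations.ts in this commit declares its array as `CtiIntegrationData[]`. Declare it as `export const firewallIntegrations: Omit<IntegrationTileProps, "children">[] = [` (or move it under `data/` with its own interface, mirroring the CTI list) so the two integration lists are checked the same way. `{children || desc}` presumably uses `||` rather than `??` so that an empty `children` falls back to `desc`; a one-line comment saying so would stop the next reader from "correcting" it.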
@@ -79,6 +79,113 @@ div.markdown {
 @apply text-justify;
 }
+/* Pull embedded full-bleed content flush with the doc container edges */
+.doc-flush {
+ margin-left: calc(-1 * var(--ifm-spacing-horizontal));
+ margin-right: calc(-1 * var(--ifm-spacing-horizontal));
+ margin-top: calc(-1 * var(--ifm-spacing-vertical, 1rem));
+}
+
+/* ── Shared doc-page primitives ────────────────────────────────────────── */
+
+/* Monospace eyebrow label above a section title */
+.doc-eyebrow {
+ font-family: var(--ifm-font-family-monospace);
+ font-size: 10px;
+ letter-spacing: 1.2px;
+ text-transform: uppercase;
+ color: var(--ifm-color-emphasis-500);
+ margin-bottom: 4px;
+}
+
+/* Section title */
+.doc-section-title {
+ font-weight: 700;
+ font-size: 1.15rem;
+ margin-bottom: 0.4rem;
+}
+
+/* Card: used for differentiator items, ref cards, etc. */
+.doc-card {
+ background: rgb(var(--card) / var(--tw-bg-opacity, 1));
+ border: 1px solid var(--ifm-color-emphasis-200);
+ border-radius: 10px;
+ padding: 14px 16px;
+}
+
+/* Quick-access strip — label + pill buttons in a row (matches homepage "Already running?" 
strip) */
+.doc-quick-strip {
+ display: flex;
+ align-items: center;
+ gap: 16px;
+ flex-wrap: wrap;
+ padding: 10px 16px;
+ background: rgb(var(--card) / var(--tw-bg-opacity, 1));
+ border: 1px solid var(--ifm-color-emphasis-200);
+ border-radius: 10px;
+ margin-bottom: 2rem;
+}
+
+.doc-quick-strip__label {
+ font-family: var(--ifm-font-family-monospace);
+ font-size: 10.5px;
+ letter-spacing: 0.8px;
+ text-transform: uppercase;
+ color: var(--ifm-color-emphasis-500);
+ white-space: nowrap;
+ flex-shrink: 0;
+}
+
+.doc-quick-strip__pills {
+ display: flex;
+ flex-wrap: wrap;
+ gap: 6px;
+}
+
+.doc-quick-strip__pill {
+ display: inline-flex;
+ align-items: center;
+ gap: 6px;
+ padding: 5px 12px;
+ border-radius: 7px;
+ font-size: 12.5px;
+ line-height: 1;
+ white-space: nowrap;
+ color: var(--ifm-color-emphasis-700);
+ border: 1px solid var(--ifm-color-emphasis-200);
+ background: var(--ifm-background-color);
+ text-decoration: none;
+ text-align: left;
+ transition: border-color 0.15s, color 0.15s;
+}
+
+/* Reset markdown-injected styles when pills appear inside doc content */
+div.markdown .doc-quick-strip__pill {
+ margin-bottom: 0;
+ display: inline-flex;
+}
+
+/* Horizontal rule divider with centered text label */
+.doc-section-sep {
+ display: flex;
+ align-items: center;
+ gap: 12px;
+ color: var(--ifm-color-emphasis-400);
+ font-size: 10px;
+ font-family: var(--ifm-font-family-monospace);
+ letter-spacing: 1px;
+ text-transform: uppercase;
+ margin-bottom: 1rem;
+}
+
+.doc-section-sep::before,
+.doc-section-sep::after {
+ content: "";
+ flex: 1;
+ height: 1px;
+ background: var(--ifm-color-emphasis-200);
+}
+
 a {
 @apply text-primary;
 }
diff --git a/crowdsec-docs/src/pages/cti.tsx b/crowdsec-docs/src/pages/cti.tsx
index 0462986b3..54dfb9c79 100644
--- a/crowdsec-docs/src/pages/cti.tsx
+++ b/crowdsec-docs/src/pages/cti.tsx
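Review bot: `.doc-quick-strip__pill` declares `transition: border-color 0.15s, color 0.15s`, but no `:hover` or `:focus-visible` rule in this hunk changes either property, so the transition animates nothing unless the page components set those hover values inline, which I cannot tell from the stylesheet alone. Either add the state rule next to the pill, `.doc-quick-strip__pill:hover, .doc-quick-strip__pill:focus-visible { border-color: var(--ifm-color-primary); color: var(--ifm-color-primary); }`, or leave a comment naming where the hover state is applied so the transition is not removed as dead. The fixed `font-size: 10px` on `.doc-eyebrow` and `.doc-section-sep` will not scale with a user's larger default font; `0.7rem` keeps the same look at the default size and respects that preference.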
@@ -1,186 +1,359 @@ import Link from "@docusaurus/Link"; -import { - FeatureCard, - FeatureCardProps, - IntegrationItem, - IntegrationItemProps, - ProductPageLayout, - Section, -} from "../components/product-page"; - -const gettingStarted: FeatureCardProps[] = [ +import Layout from "@theme/Layout"; +import { ExternalLink } from "lucide-react"; +import React, { useEffect } from "react"; + +// ── Intent card (same pattern as index.tsx) ─────────────────────────────────── + +type IntentCardProps = { + icon: React.ReactNode; + title: string; + desc: string; + pill: string; + accent: string; + href: string; + badge?: string; +}; + +const IntentCard = ({ icon, title, desc, pill, accent, href, badge }: IntentCardProps) => ( + { + const el = e.currentTarget as HTMLAnchorElement; + el.style.borderColor = accent; + el.style.boxShadow = `0 8px 24px ${accent}22, 0 0 0 1px ${accent}`; + el.style.transform = "translateY(-2px)"; + el.style.borderRadius = "14px"; + }} + onMouseLeave={(e) => { + const el = e.currentTarget as HTMLAnchorElement; + el.style.borderColor = ""; + el.style.boxShadow = ""; + el.style.transform = ""; + }} + > +
+ {badge && ( +
+ {badge} +
+ )} +
+
+ {icon} +
+
{title}
+
+
+ {desc} +
+
+ + → {pill} + + +
+
+
+); + +// ── Differentiator card ─────────────────────────────────────────────────────── + +type DiffCardProps = { + icon: string; + title: string; + desc: string; +}; + +const DiffCard = ({ icon, title, desc }: DiffCardProps) => ( +
+
{icon}
+
{title}
+
{desc}
+
+); + +// ── Data ────────────────────────────────────────────────────────────────────── + +const BLUE = "#60a5fa"; + +const intents: IntentCardProps[] = [ { - title: "Introduction", - description: "Learn what the CTI API offers and how to use it.", - link: "/u/cti_api/intro", - icon: "📖", + icon: 🖥️, + accent: BLUE, + badge: "🔍 No setup needed", + title: "Web IP Look up", + desc: "Open the Console and search any IP instantly — reputation score, behaviors, attack history, and CVE links.", + pill: "Console - Web UI", + href: "/u/console/ip_reputation/intro", }, { - title: "Console Quickstart", - description: "Use the web interface to search and explore CTI data.", - link: "/u/console/ip_reputation/intro", - icon: "🖥️", + icon: 🔌, + accent: "#a78bfa", + badge: "⚙️ Developer / SECOPS", + title: "Enrich your SIEM/SOAR/TIP/+", + desc: "Automate lookups in your scripts, pipelines, or custom tooling. No credit card needed.", + pill: "CTI API", + href: "/u/cti_api/intro", }, { - title: "API Quickstart", - description: "Integrate CTI data programmatically into your workflows.", - link: "/u/console/ip_reputation/api_keys", - icon: "🔌", + icon: 🚨, + accent: "#34d399", + badge: "🎯 Threat Hunters", + title: "Track live CVE exploitation", + desc: "See which IPs are actively exploiting known vulnerabilities — cross-reference CVEs with real-time attacker activity.", + pill: "Live Exploit Tracker", + href: "/u/console/ip_reputation/intro#live-exploit-tracker", }, ]; -const coreFeatures: FeatureCardProps[] = [ - { - title: "IP Reports", - description: "Get full context for any IP, including reputation and activity.", - link: "/u/console/ip_reputation/ip_report", - icon: "📋", - }, +const differentiators: DiffCardProps[] = [ { - title: "Search Queries", - description: "Search CTI data with filters and query operators.", - link: "/u/cti_api/search_queries", - icon: "🔍", + icon: "🌍", + title: "Community-sourced threat data", + desc: "Every CrowdSec instance contributes signals. 
The more sensors in the network, the more accurate the data — no honeypots, real-world detections only.", }, { - title: "Advanced Search", - description: "Build complex queries to spot patterns at scale.", - link: "/u/console/ip_reputation/search_ui_advanced", - icon: "🎯", + icon: "🔬", + title: "Behavioral fingerprinting", + desc: "Beyond a simple bad/good reputation. Each IP is tagged with the exact attack behaviors it was observed performing — brute force, scanning, exploit attempts, and more.", }, { - title: "CVE Explorer", - description: "Explore CVEs and see active exploitation by IP.", - link: "/u/console/ip_reputation/intro#live-exploit-tracker", icon: "🛡️", - }, -]; - -const taxonomy: FeatureCardProps[] = [ - { - title: "Taxonomy Overview", - description: "Learn how CTI data is structured and labeled.", - link: "/u/cti_api/taxonomy/intro", - icon: "📊", + title: "CVE & live exploit tracking", + desc: "See which IPs are actively exploiting known vulnerabilities. Cross-reference CVEs with real-time attacker activity from the global sensor network.", }, { - title: "Reputation Scores", - description: "See how scores are computed and what they mean.", - link: "/u/cti_api/taxonomy/scores", - icon: "⭐", + icon: "🆓", + title: "Generous free tier", + desc: "Up to 15 lookups per day at no cost, no credit card. 
Paid tiers unlock bulk queries, higher rate limits, and advanced filters.", }, { - title: "Behaviors", - description: "Explore the behaviors we track across attacks.", - link: "/u/cti_api/taxonomy/behaviors", - icon: "🔬", + icon: "🏷️", + title: "Structured taxonomy", + desc: "Consistent labels across behaviors, classifications, and reputation scores — making it easy to integrate into automated workflows without custom parsing.", }, { - title: "Classifications", - description: "Understand threat classifications and categories.", - link: "/u/cti_api/taxonomy/classifications", - icon: "🏷️", + icon: "⚡", + title: "Real-time data", + desc: "The CTI database is updated continuously as new attack signals flow in from the global sensor network. No stale data.", }, ]; -const integrations: IntegrationItemProps[] = [ - { title: "Splunk SIEM", link: "/u/cti_api/api_integration/integration_splunk_siem" }, - { title: "Splunk SOAR", link: "/u/cti_api/api_integration/integration_splunk_soar" }, - { title: "Microsoft Sentinel", link: "/u/cti_api/api_integration/integration_ms_sentinel" }, - { title: "Security Copilot", link: "/u/cti_api/api_integration/integration_securitycopilot" }, - { title: "Palo Alto XSOAR", link: "/u/cti_api/api_integration/integration_paloalto_xsoar" }, - { title: "IBM QRadar", link: "/u/cti_api/api_integration/integration_qradar" }, - { title: "TheHive", link: "/u/cti_api/api_integration/integration_thehive" }, - { title: "OpenCTI", link: "/u/cti_api/api_integration/integration_opencti" }, - { title: "MISP", link: "/u/cti_api/api_integration/integration_misp" }, - { title: "Maltego", link: "/u/cti_api/api_integration/integration_maltego" }, - { title: "Sekoia XDR", link: "/u/cti_api/api_integration/integration_sekoia_xdr" }, - { title: "IntelOwl", link: "/u/cti_api/api_integration/integration_intelowl" }, -]; +// ── Page body (no Layout — safe to embed in MDX) ───────────────────────────── -const resources: FeatureCardProps[] = [ - { - title: "API 
Reference", - description: "Full API reference with endpoints and parameters.", - link: "https://crowdsecurity.github.io/cti-api/", - icon: "📚", - }, - { - title: "FAQ", - description: "Common questions about access, limits, and data.", - link: "/u/cti_api/faq", - icon: "❓", - }, - { - title: "Chrome Extension", - description: "Check IP reputation directly in your browser.", - link: "/u/cti_api/api_integration/integration_chrome", - icon: "🌐", - }, -]; +export const CTIContent = () => ( +
+ {/* Hero */} +
+
+
+

+ IP Reputation & Threat Intelligence +

+

+ IP reputation and threat data from a global sensor network. Look up IPs, enrich investigations, and automate security + workflows. +

-const CTIPage = () => { - return ( - -
-
- {gettingStarted.map((item) => ( - - ))} + {/* Quick access bar */} +
+ + Quick access + +
+ {[ + { + label: "Look up an IP", + href: "https://app.crowdsec.net/cti", + external: true, + primary: true, + }, + { label: "Get Started", href: "/u/cti_api/intro", external: false, primary: false }, + { label: "API Quickstart", href: "/u/console/ip_reputation/api_keys", external: false, primary: false }, + ].map(({ label, href, external, primary }) => ( + + {label} + {external && } + + ))} +
-
+
+
-
-
- {coreFeatures.map((item) => ( - - ))} + {/* How do you want to use it? */} +
+
+
+ How do you want to use it?
-
- -
-
- {taxonomy.map((item) => ( - +
+ {intents.map((intent) => ( + ))}
-
+
+
-
-
- {integrations.map((item) => ( - - ))} -
-
- - View all integrations → - + {/* What makes CrowdSec CTI different */} +
+
+
+
+ What makes CrowdSec CTI different +
-
- -
-
- {resources.map((item) => ( - +
+ {differentiators.map((d) => ( + ))}
-
- +
+
+
+); + +// ── Standalone page (with Layout + homepage class) ──────────────────────────── + +const CTIPage = () => { + useEffect(() => { + document.body.classList.add("homepage"); + document.documentElement.classList.add("homepage"); + return () => { + document.body.classList.remove("homepage"); + document.documentElement.classList.remove("homepage"); + }; + }, []); + + return ( + + + ); }; diff --git a/crowdsec-docs/src/pages/index.tsx b/crowdsec-docs/src/pages/index.tsx index 0fecb7733..5fdd909b3 100644 --- a/crowdsec-docs/src/pages/index.tsx +++ b/crowdsec-docs/src/pages/index.tsx @@ -1,75 +1,484 @@ import Link from "@docusaurus/Link"; import Layout from "@theme/Layout"; import SearchBar from "@theme/SearchBar"; -import React, { useEffect } from "react"; +import { ExternalLink } from "lucide-react"; +import React, { useEffect, useState } from "react"; import { Button } from "../ui/button"; -type ProductCardProps = { - title: string; - description: string; +// ── Intent card ────────────────────────────────────────────────────────────── + +type IntentCardProps = { icon: React.ReactNode; - link: string; - features: string[]; - bestFor: string; + title: string; + desc: string; + pill: string; + accent: string; + href: string; }; -const ProductCard = ({ title, description, icon, link, features, bestFor }: ProductCardProps): React.JSX.Element => ( - -
-
-
+const IntentCard = ({ icon, title, desc, pill, accent, href }: IntentCardProps) => ( + { + const el = e.currentTarget as HTMLAnchorElement; + el.style.borderColor = accent; + el.style.boxShadow = `0 8px 24px ${accent}22, 0 0 0 1px ${accent}`; + el.style.transform = "translateY(-2px)"; + el.style.borderRadius = "14px"; + }} + onMouseLeave={(e) => { + const el = e.currentTarget as HTMLAnchorElement; + el.style.borderColor = ""; + el.style.boxShadow = ""; + el.style.transform = ""; + }} + > +
+
+
{icon}
-

- {title} -

+
{title}
-

{description}

-

{bestFor}

-
    - {features.map((feature) => ( -
  • - - {feature} -
  • - ))} -
-
- Explore product → +
+ {desc} +
+
+ + → {pill} + +
- +
+); + +// ── Schema / path block ─────────────────────────────────────────────────────── + +type Step = { + num: number; + icon: string; + title: string; + desc: string; + hint?: string; + perks?: string[]; +}; + +type SchemaBlockProps = { + id: string; + color: string; + eyebrowIcon: string; + eyebrow: string; + title: string; + ctaLabel: string; + ctaHref: string; + steps: Step[]; + open: boolean; + onToggle: () => void; +}; + +const SchemaBlock = ({ id, color, eyebrowIcon, eyebrow, title, ctaLabel, ctaHref, steps, open, onToggle }: SchemaBlockProps) => ( +
+ {/* left accent strip */} +
+ {/* subtle radial glow */} +
+ + {/* header — always visible, clickable to toggle */} + + + {/* collapsible step flow */} + {open && ( +
+ {steps.map((step, i) => ( +
+ {i > 0 && ( +
+ → +
+ )} + {step.hint && ( +
+ {step.hint} +
+ )} +
+ {step.num} +
+
{step.icon}
+
{step.title}
+
{step.desc}
+ {step.perks && ( +
    + {step.perks.map((p) => ( +
  • + + {p} +
  • + ))} +
+ )} +
+ ))} +
+ )} +
); -const products: ProductCardProps[] = [ +// ── Data ────────────────────────────────────────────────────────────────────── + +const ORANGE = "#f97316"; +const GREEN = "#22d3a0"; +const BLUE = "#60a5fa"; + +const intents: IntentCardProps[] = [ { - title: "Security Engine", - description: "Analyze your logs to detect attacks, block malicious IPs, and protect web applications.", - icon: Security Engine, - link: "/security-engine", - features: ["Behavior-based detection", "Community threat sharing", "AppSec / WAF for web apps", "Open source"], - bestFor: "Best for self-hosted detection and protection.", + icon: Security Engine, + accent: ORANGE, + title: "Detect and block attacks on systems I run", + desc: "You operate servers, VMs, or containers and want active threat detection — not just a blocklist.", + pill: "Security Engine", + href: "/security-engine", }, { - title: "Blocklists", - description: "Deploy curated threat intel feeds to protect your network without running detection yourself.", - icon: Blocklists, - link: "/blocklists", - features: ["Curated IP lists", "Ready to deploy", "Automatic updates", "Multiple categories"], - bestFor: "Best for fast protection with minimal setup.", + icon: Blocklists, + accent: GREEN, + title: "Push a threat feed into my firewall, router, or CDN", + desc: "You manage network perimeter devices and want a URL to subscribe to — no agent to install.", + pill: "Blocklist Feed Endpoints", + href: "/blocklists", }, { - title: "CTI", - description: "Query CrowdSec threat intelligence to enrich investigations, automate lookups, and integrate with tools.", - icon: CTI, - link: "/cti", - features: ["REST API access", "IP reputation scores", "Attack context", "SIEM integrations"], - bestFor: "Best for enrichment, integrations, and investigations.", + icon: CTI, + accent: BLUE, + title: "Look up an IP or enrich my security tools", + desc: "You're a security analyst or developer who wants IP context — in a browser or via REST API.", + 
pill: "IP Reputation & CTI", + href: "/u/cti_api/intro", }, ]; +const schemas: Omit[] = [ + { + id: "schema-engine", + color: ORANGE, + eyebrowIcon: "🛡️", + eyebrow: "Security Engine", + title: "Detect and block malicious behaviors on your infrastructure", + ctaLabel: "Get started →", + ctaHref: "/security-engine", + steps: [ + { + num: 1, + icon: "⚡", + title: "Install the Security Engine", + desc: "Runs on your server, reads your logs, detects attack patterns in real time.", + perks: [ + "Immediately protected from incoming attacks", + "Automatically receives global threat intel from the CrowdSec network", + ], + }, + { + num: 2, + icon: "🛡️", + hint: "RECOMMENDED", + title: "Activate the Web Application Firewall", + desc: "Layer in the AppSec component to inspect HTTP traffic and block web exploits before they reach your app.", + }, + { + num: 3, + icon: "📋", + hint: "OPTIONAL", + title: "Subscribe to additional blocklists", + desc: "Add curated threat feeds on top of the community blocklist — by category, use case, or vendor.", + }, + { + num: 4, + icon: "✍️", + hint: "OPTIONAL", + title: "Craft your own detection rules", + desc: "Write custom scenarios for your stack, then share them back with the community on the Hub.", + }, + ], + }, + { + id: "schema-blocklists", + color: GREEN, + eyebrowIcon: "🚫", + eyebrow: "Blocklists", + title: "Push curated threat feeds directly into your firewall, CDN, or WAF", + ctaLabel: "Get started →", + ctaHref: "/blocklists", + steps: [ + { + num: 1, + icon: "🔌", + title: "Create a blocklist integration endpoint", + desc: "Generate a dedicated URL in the Console — one per target device or environment.", + }, + { + num: 2, + icon: "🗂️", + title: "Choose which blocklists to serve", + desc: "Select from curated feeds by threat category: scanners, bots, TOR exits, exploits, and more.", + }, + { + num: 3, + icon: "🔗", + title: "Plug it in as an external threat feed", + desc: "Point your firewall, CDN, or WAF at the endpoint. 
It auto-refreshes — no further maintenance needed.", + perks: ["Works with pfSense, OPNsense, Cloudflare, nginx, HAProxy, and more", "No agent to install or maintain"], + }, + ], + }, + { + id: "schema-cti", + color: BLUE, + eyebrowIcon: "🔍", + eyebrow: "IP Reputation & CTI", + title: "Query threat intel — in the browser or via API in your tools", + ctaLabel: "Explore CTI →", + ctaHref: "/cti", + steps: [ + { + num: 1, + icon: "🖥️", + title: "Look up any IP in the Console", + desc: "No setup. Search instantly — get reputation score, behaviors, attack history, and CVE links.", + }, + { + num: 2, + icon: "🔑", + hint: "For integrations", + title: "Generate a CTI API key", + desc: "Unlock programmatic access to the same data. Free tier included — no credit card needed.", + }, + { + num: 3, + icon: "⚙️", + hint: "Enrich", + title: "Connect to your SIEM or security tool", + desc: "Native integrations for Splunk, Sentinel, QRadar, TheHive, OpenCTI, MISP, and more.", + }, + ], + }, +]; + +// ── Page ────────────────────────────────────────────────────────────────────── + const HomePage = () => { - // Add class to body to hide navbar search on homepage useEffect(() => { document.body.classList.add("homepage"); document.documentElement.classList.add("homepage"); @@ -79,29 +488,39 @@ const HomePage = () => { }; }, []); + const [openSchema, setOpenSchema] = useState(null); + + const toggleSchema = (id: string) => setOpenSchema((prev) => (prev === id ? null : id)); + return (
- {/* Hero Section */} -
-
-
-
-

CrowdSec Documentation

-

- Pronounced: Krowd-Sek [/kraʊd-sek/] -

-

- Community-driven security that unifies detection, blocklists, and threat intel for modern - infrastructure. -

-
- CrowdSec Logo -
+ {/* Hero */} +
+
+
+

+ What do you want +
+ to protect today? +

+

+ Community-driven security — detection, blocklists, and threat intel for modern infrastructure. +

- {/* Search Section */} + {/* Search */}
@@ -110,78 +529,206 @@ const HomePage = () => {
- {/* Product Selection */} -
-
-

- Choose your starting point -

-

- Each path links to setup, how-tos, and reference docs. -

- -
- {products.map((product) => ( - + {/* Intent strip */} +
+
+
+ I want to… +
+
+ {intents.map((i) => ( + ))}
+ + {/* Existing user strip */} +
+ + Already running CrowdSec? + +
+ {[ + { label: "🖥️ Open the Console", href: "https://app.crowdsec.net", external: true }, + { label: "📋 Manage alerts & decisions", href: "/u/console/intro" }, + { label: "🔄 Remediation sync", href: "/u/bouncers/intro" }, + { label: "❓ Troubleshooting", href: "/docs/next/troubleshooting/security_engine" }, + ].map(({ label, href, external }) => ( + + {label} + {external && } + + ))} +
+
- {/* Help Section */} -
-
-

- Not sure where to start? -

-

- Answer a few questions and get a recommended path with install steps for your stack. -

-
- - - - - - + {/* How each path works — accordion */} +
+
+
+
+ how each path works +
+
+ + {schemas.map((s) => ( + toggleSchema(s.id)} /> + ))} +
+
+ + {/* Not sure / fallback */} +
+
+
+
+
Not sure where to start?
+
+ Answer a few questions and get a recommended path with install steps for your stack. +
+
+
+ + + + + + +
- {/* Quick Links */} -
-
-

Popular Docs

-
- - - - - - - - - - - - - - - + {/* Popular docs */} +
+
+
+ Popular docs +
+
+ {[ + { label: "🖥️ Console", href: "/u/console/intro" }, + { label: "🛡️ AppSec / WAF", href: "/docs/next/appsec/intro" }, + { label: "💻 CLI Reference", href: "/docs/next/cscli/" }, + { + label: "📖 Docs AI Assistant", + href: "https://chatgpt.com/g/g-682c3a61a78081918417571116c2b563-crowdsec-documentation", + external: true, + }, + { label: "🔑 CTI API Keys", href: "/cti" }, + { label: "❓ Troubleshooting", href: "/docs/next/troubleshooting/security_engine" }, + { label: "🌐 About CrowdSec", href: "https://www.crowdsec.net", external: true }, + ].map(({ label, href, external }) => ( + + {label} + {external && } + + ))}
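Review bot: The link lists for the "Already running CrowdSec?" strip and the "Popular docs" section are array literals written inline inside the JSX, whereas the comparable `intents` and `schemas` data live at module scope; hoisting them to constants such as `const existingUserLinks = [...]` and `const popularDocs = [...]` keeps the page data in one place and avoids rebuilding both arrays on every render. The Troubleshooting entry (`/docs/next/troubleshooting/security_engine`) is repeated in both lists, so a shared constant would also remove that duplication. The anchor attributes are not recoverable from this rendering; if the `external` entries are emitted as plain `<a target="_blank">` rather than a Docusaurus `Link`, they should also carry `rel="noopener noreferrer"`. HomePage's return expression continues past the end of this hunk.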
diff --git a/crowdsec-docs/static/img/blaas/logo-checkpoint.png b/crowdsec-docs/static/img/blaas/logo-checkpoint.png
new file mode 100644
index 000000000..41ce0b625
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-checkpoint.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-cisco.png b/crowdsec-docs/static/img/blaas/logo-cisco.png
new file mode 100644
index 000000000..5909f67c7
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-cisco.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-default.png b/crowdsec-docs/static/img/blaas/logo-default.png
new file mode 100644
index 000000000..468cf5f4f
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-default.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-f5.png b/crowdsec-docs/static/img/blaas/logo-f5.png
new file mode 100644
index 000000000..23da38486
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-f5.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-fortinet.png b/crowdsec-docs/static/img/blaas/logo-fortinet.png
new file mode 100644
index 000000000..49f4ec406
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-fortinet.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-juniper.png b/crowdsec-docs/static/img/blaas/logo-juniper.png
new file mode 100644
index 000000000..6e80ba980
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-juniper.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-mikrotik.png b/crowdsec-docs/static/img/blaas/logo-mikrotik.png
new file mode 100644
index 000000000..7545c47c6
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-mikrotik.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-opnsense.png b/crowdsec-docs/static/img/blaas/logo-opnsense.png
new file mode 100644
index 000000000..0511fea68
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-opnsense.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-paloalto.png b/crowdsec-docs/static/img/blaas/logo-paloalto.png
new file mode 100644
index 000000000..72371b771
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-paloalto.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-pfsense.png b/crowdsec-docs/static/img/blaas/logo-pfsense.png
new file mode 100644
index 000000000..1b4d566a7
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-pfsense.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-sophos.png b/crowdsec-docs/static/img/blaas/logo-sophos.png
new file mode 100644
index 000000000..358c0f94d
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-sophos.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-chrome.png b/crowdsec-docs/static/img/cti-integrations/logo-chrome.png
new file mode 100644
index 000000000..649fa44bc
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-chrome.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-default.png b/crowdsec-docs/static/img/cti-integrations/logo-default.png
new file mode 100644
index 000000000..468cf5f4f
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-default.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-gigasheet.png b/crowdsec-docs/static/img/cti-integrations/logo-gigasheet.png
new file mode 100644
index 000000000..61adfa146
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-gigasheet.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-intelowl.png b/crowdsec-docs/static/img/cti-integrations/logo-intelowl.png
new file mode 100644
index 000000000..d0cc7aed1
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-intelowl.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-maltego.png b/crowdsec-docs/static/img/cti-integrations/logo-maltego.png
new file mode 100644
index 000000000..ccd27565e
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-maltego.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-misp.png b/crowdsec-docs/static/img/cti-integrations/logo-misp.png
new file mode 100644
index 000000000..65db78ff9
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-misp.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-ms-sentinel.png b/crowdsec-docs/static/img/cti-integrations/logo-ms-sentinel.png
new file mode 100644
index 000000000..5edc39ebd
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-ms-sentinel.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-msticpy.png b/crowdsec-docs/static/img/cti-integrations/logo-msticpy.png
new file mode 100644
index 000000000..9d612f995
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-msticpy.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-opencti.png b/crowdsec-docs/static/img/cti-integrations/logo-opencti.png
new file mode 100644
index 000000000..c03f27e77
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-opencti.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-paloalto_xsoar.png b/crowdsec-docs/static/img/cti-integrations/logo-paloalto_xsoar.png
new file mode 100644
index 000000000..d88a19a24
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-paloalto_xsoar.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-qradar.png b/crowdsec-docs/static/img/cti-integrations/logo-qradar.png
new file mode 100644
index 000000000..9f9cd3305
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-qradar.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-securitycopilot.png b/crowdsec-docs/static/img/cti-integrations/logo-securitycopilot.png
new file mode 100644
index 000000000..0e27ff864
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-securitycopilot.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-sekoia.png b/crowdsec-docs/static/img/cti-integrations/logo-sekoia.png
new file mode 100644
index 000000000..00c8ab8a8
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-sekoia.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-splunk_siem.png b/crowdsec-docs/static/img/cti-integrations/logo-splunk_siem.png
new file mode 100644
index 000000000..abfe1df49
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-splunk_siem.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-splunk_soar.png b/crowdsec-docs/static/img/cti-integrations/logo-splunk_soar.png
new file mode 100644
index 000000000..8c38a1c4a
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-splunk_soar.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-thehive.png b/crowdsec-docs/static/img/cti-integrations/logo-thehive.png
new file mode 100644
index 000000000..67f4c16d1
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-thehive.png differ
diff --git a/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx b/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx
index 670ec4b6b..d5b0e440e 100644
--- a/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx
+++ b/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx
@@ -4,73 +4,114 @@ title: IP Reputation / CTI description: Explore and query CrowdSec's IP Reputation data and manage CTI API keys from the Console. --- -CrowdSec's **IP Reputation / CTI** section of the Console gives you access to the world's largest crowdsourced threat intelligence network. +import Link from "@docusaurus/Link"; -From the Console you can: -- **Investigate IPs** directly in the Web UI — no code required -- **Explore Specific Classifications** with search queries -- **Query at scale** using the CTI REST API with a managed API key +CrowdSec's **IP Reputation / CTI** section gives you access to the world's largest crowdsourced threat intelligence network — investigate IPs in the web UI, hunt threats with advanced search, or query at scale via REST API. --- ## Web UI Features -### IP Search - -The [CTI home page](https://app.crowdsec.net/cti) lets you search any IP address or run Lucene queries against the threat database. Predefined searches give quick access to common patterns, and the **Top 10 Most Aggressive IPs** leaderboard shows the most active threat actors in the last 24 hours. - -[IP Search →](/u/console/ip_reputation/search_ui) - -### Advanced Search - -The [Advanced Search page](https://app.crowdsec.net/cti) supports Lucene queries with a live faceted filter panel (reputation, country, AS, behaviors, classifications). Use it for threat hunting, bulk investigation, or building targeted blocklists. - -[Advanced Search →](/u/console/ip_reputation/search_ui_advanced) -[Search Query Reference →](/u/cti_api/search_queries) - -### IP Report - -Clicking any IP opens a full report with its reputation, key metadata, behaviors, classifications, MITRE techniques, CVEs, and time-windowed scores. - -[IP Report →](/u/console/ip_reputation/ip_report) +
+ +
+
🔍
+
IP Search
+
+ Search any IP or run Lucene queries against the threat database. Predefined searches and a Top 10 Most Aggressive IPs leaderboard (last 24h) are available right on the homepage. +
+ IP Search → +
+ +
+
🎯
+
Advanced Search
+
+ Lucene queries with a live faceted filter panel — reputation, country, AS, behaviors, classifications. Built for threat hunting, bulk investigation, and targeted blocklist building. +
+
+ Advanced Search → + Query Reference → +
+
+ +
+
📋
+
IP Report
+
+ Click any IP to open its full report: reputation score, key metadata, behaviors, classifications, MITRE techniques, CVEs, and time-windowed activity scores. +
+ IP Report → +
+ +
### Live Exploit Tracker -The [Live Exploit Tracker ↗️](https://tracker.crowdsec.net/) is the evolution of the CVE Explorer — a dedicated platform for tracking vulnerabilities that are actively being exploited in the wild, powered by live data from the CrowdSec network. -:::info -It now resides outside the Console to provide a more focused experience and richer features, but remains fully accessible with the same CTI API key. -::: +
+
🚨
+
+ +
+ A dedicated platform for tracking vulnerabilities actively exploited in the wild, powered by live CrowdSec network data. Accessible with the same CTI API key. +
+
+ {[ + ["⚡", "CrowdSec Score", "SOC-oriented priority signal based on observed attack patterns"], + ["🎯", "Opportunity Score", "How targeted vs. opportunistic the exploitation is (0 = mass scan, 5 = precise campaign)"], + ["📈", "Momentum Score", "Whether exploitation volume is growing, stable, or declining"], + ["🏷️", "Exploitation Status", "From early exploitation to background noise"], + ["🕐", "Timeline", "First/last seen, CVE publication, CISA KEV addition, key events"], + ["🌐", "Malicious IPs", "IPs actively exploiting a CVE — with full CTI context for hunting or blocklisting"], + ].map(([icon, title, desc]) => ( +
+
{icon} {title}
+
{desc}
+
+ ))} +
+
+
-Beyond listing CVEs, it adds exploitation context that helps you **prioritize and act**: +--- -- **CrowdSec Score** — a SOC-oriented priority signal based on observed attack patterns -- **Opportunity Score** — how targeted vs. opportunistic the exploitation is (0 = mass automated scan, 5 = precisely targeted campaign) -- **Momentum Score** — whether exploitation volume is growing, stable, or declining -- **Exploitation Status** — from *early exploitation* to *background noise* -- **Timeline** — first/last seen, CVE publication, CISA KEV addition, and key events -- **Malicious IPs** — IPs actively exploiting a given CVE, with full CTI context, for threat hunting or direct blocklist integration +## API Access -[Explore the Live Exploit Tracker ↗️](https://tracker.crowdsec.net/) +Query the same data programmatically with a CTI API key and the [CTI REST API](/u/cti_api/intro). ---- +
-## API Access +
+
Free
+
40 queries / month
+
POC, low-traffic scripts
+
+ +
+
Premium
+
120 queries / month
+
Regular enrichment, small integrations
+
-You can query the same data programmatically using a CTI API key and the [CTI REST API](/u/cti_api/intro). +
+
Premium Options
+
5K–100K queries / month
+
Production integrations, SIEMs, SOARs
+
-| Plan | Quota | Use case | -|---|---|---| -| **Free** | 40 queries / month | POC, low-traffic scripts | -| **Premium** | 120 queries / month | Regular enrichment, small integrations | -| **Premium Options** | 5K / 25K / 100K queries / month | Production integrations, SIEMs, SOARs | +
-Manage your keys in the Console under **Settings → CTI API Keys**, or go straight to [app.crowdsec.net/settings/cti-api-keys](https://app.crowdsec.net/settings/cti-api-keys). +Manage your keys under **Settings → CTI API Keys** in the Console, or go directly to [app.crowdsec.net/settings/cti-api-keys](https://app.crowdsec.net/settings/cti-api-keys). -[Get your first API key →](/u/console/ip_reputation/api_keys) -[Premium quotas →](/u/console/ip_reputation/api_keys_premium) +
+ Get your first API key → + Premium quotas → +
--- -:::tip Want the full technical reference? +:::tip Full technical reference For API endpoints, request/response schemas, integrations (SIEM, SOAR, TIP platforms), and data taxonomy, see the [CTI API documentation](/u/cti_api/intro). ::: diff --git a/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.md b/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.md deleted file mode 100644 index 7b0e0991b..000000000 --- a/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.md +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -id: integration_intro -title: Integrations ---- - -CrowdSec has developed native integrations for the most common security platforms so you can enrich your workflows with IP reputation data without writing any code. If your platform isn't listed, the API is a standard REST interface — you can query it directly with cURL, write your own scripts, or build custom playbooks in any SIEM, SOAR, or TIP that supports HTTP enrichment: - -```shell -curl -H "x-api-key: $API_KEY" https://cti.api.crowdsec.net/v2/smoke/1.2.3.4 | jq . -``` - -For the full API reference, see the [Swagger documentation](https://crowdsecurity.github.io/cti-api/). - ---- - -| Integration | Description | -|---------------------------|----------------------------------------| -| [Chrome](/cti_api/api_integration/integration_browser_chrome.md) | A Chrome extension which allows you to quickly search an IP on a web page | -| [Gigasheet](/cti_api/api_integration/integration_gigasheet.md) | Gigasheet's No-Code API-data-enrichment feature | -| [IntelOwl](/cti_api/api_integration/integration_intelowl.md) | IntelOwl is an open-source framework and platform for analyzing and processing threat intelligence data | -| [Maltego](/cti_api/api_integration/integration_maltego.md) | Maltego is a powerful and versatile data visualization and link analysis tool used primarily in the field of digital forensics, cybersecurity, and intelligence gathering | -| [MISP](/cti_api/api_integration/integration_misp.md) | MISP, short for Malware Information Sharing Platform & Threat Sharing, is an open-source threat intelligence platform designed to facilitate the sharing and collaboration | -| [MSTICpy](/cti_api/api_integration/integration_msticpy.md) | MSTICpy, short for Microsoft Threat Intelligence Python Security Tools and Common Practices, is an open-source Python library developed by Microsoft | -| [OpenCTI](/cti_api/api_integration/integration_opencti.md) | OpenCTI is an open-source threat intelligence 
platform that focuses on facilitating the collection, management, and analysis of cyber threat intelligence data |
-| [PaloAlto XSOAR](/cti_api/api_integration/integration_paloalto_xsoar.md) | Palo Alto Networks Cortex XSOAR is a Security Orchestration, Automation, and Response (SOAR) platform |
-| [QRadar](/cti_api/api_integration/integration_qradar.md) | QRadar is a widely-used Security Information and Event Management (SIEM) solution designed to provide comprehensive visibility into an organization's cybersecurity landscape |
-| [Sekoia XDR](/cti_api/api_integration/integration_sekoia_xdr.md) | Sekoia XDR (Extended Detection and Response) is a cybersecurity platform that combines threat detection, incident response, and proactive threat hunting capabilities into a unified solution |
-| [Splunk SIEM](/cti_api/api_integration/integration_splunk_siem.md) | Splunk Enterprise Security is a Security Information and Event Management (SIEM) solution that helps organizations centralize, analyze, and manage security-related data from various sources |
-| [Splunk SOAR](/cti_api/api_integration/integration_splunk_soar.md) | Splunk SOAR (Security Orchestration, Automation, and Response) is a security platform designed to streamline and automate the incident response and security operations processes |
-| [TheHive](/cti_api/api_integration/integration_thehive.md) | TheHive is an open-source, collaborative, and customizable Security Incident Response Platform (SIRP) designed to assist cybersecurity teams in managing and mitigating security incidents effectively |
diff --git a/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.mdx b/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.mdx
new file mode 100644
index 000000000..f04f9c4da
--- /dev/null
+++ b/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.mdx
@@ -0,0 +1,24 @@
+---
+id: integration_intro
+title: Integrations
+---
+
+import CtiIntegrationTile, { ctiIntegrations } from '@site/src/components/cti-integration-tile';
+
+CrowdSec has native integrations for the most common security platforms — enrich your workflows with IP reputation data without writing any code.
+
+If your platform isn't listed, the API is a standard REST interface you can query directly:
+
+```shell
+curl -H "x-api-key: $API_KEY" https://cti.api.crowdsec.net/v2/smoke/1.2.3.4 | jq .
+```
+
+For the full reference, see the [Swagger documentation](https://crowdsecurity.github.io/cti-api/).
+
+---
+
+
+ {ctiIntegrations.map(({ name, slug, href, plugin, desc, color }) => ( + + ))} +
diff --git a/crowdsec-docs/unversioned/cti_api/intro.md b/crowdsec-docs/unversioned/cti_api/intro.md
index 889eb4bb5..7754f9391 100644
--- a/crowdsec-docs/unversioned/cti_api/intro.md
+++ b/crowdsec-docs/unversioned/cti_api/intro.md
@@ -1,5 +1,5 @@
---
-id: intro
+id: intro_old
title: CrowdSec CTI - Cyber Threat Intelligence
sidebar_position: 1
---
diff --git a/crowdsec-docs/unversioned/cti_api/intro.mdx b/crowdsec-docs/unversioned/cti_api/intro.mdx
new file mode 100644
index 000000000..d055ba601
--- /dev/null
+++ b/crowdsec-docs/unversioned/cti_api/intro.mdx
@@ -0,0 +1,175 @@
+---
+id: intro
+title: CrowdSec IP Reputation / CTI
+sidebar_position: 1
+---
+
+import Link from "@docusaurus/Link";
+import { ExternalLink } from "lucide-react";
+import CtiIntegrationTile, { ctiIntegrations } from '@site/src/components/cti-integration-tile';
+
+export const BLUE = "#60a5fa";
+export const ORANGE = "#f97316";
+export const PURPLE = "#a78bfa";
+
+{/* ── Hero ─────────────────────────────────────────────────────────────── */}
+
+

+ Know who's attacking you — and why. +

+

+

CrowdSec tracks malicious IPs across hundreds of thousands of real deployments worldwide. +
Every lookup gives you behavioral context — what the IP was doing, where, and when.

+

+ +{/* Quick access strip — same pattern as "Already running CrowdSec?" on the homepage */} +
+ Quick access +
+ 🔍 Look up an IP + 🔑 Get an API key + 🎯 Hunt for threats +
+
+ +{/* ── What makes CrowdSec CTI different ───────────────────────────────── */} + +
+
Why CrowdSec CTI
+
What makes it different
+

+ Most IP reputation services tell you an IP is "bad." CrowdSec tells you what it was doing — data from real deployments detecting real attacks, not honeypots. +

+
+ {[ + { icon: "🌍", title: "Crowdsourced from live attacks", desc: "Signals from active CrowdSec installs globally. When an IP appears here, hundreds of machines saw it in action." }, + { icon: "🧠", title: "Behavioral, not just reputation", desc: "What was the IP doing? Brute-force, CVE exploitation, scan, credential stuffing — mapped to MITRE ATT&CK." }, + { icon: "⚡", title: "Real-time, not cached lists", desc: "Continuously updated. Time-windowed scores show if a threat is rising, stable, or decaying." }, + { icon: "🔬", title: "CVE-level exploit tracking", desc: "The Live Exploit Tracker shows which CVEs are actively exploited, with momentum and opportunity scores." }, + ].map(({ icon, title, desc }) => ( +
+ {icon} +
+
{title}
+
{desc}
+
+
+ ))} +
+
+ +{/* ── How do you want to use it? ──────────────────────────────────────── */} + +
+
Entry points
+
How do you want to use it?
+
+ {[ + { + badge: "🔍 No setup needed", icon: "🖥️", accent: BLUE, + title: "Investigate in the Console", + desc: "Search any IP instantly. Explore threat history and the top aggressive IPs in the last 24h — no API key needed.", + links: [{ label: "Web UI guide →", href: "/u/console/ip_reputation/intro" }, { label: "IP Report →", href: "/u/console/ip_reputation/ip_report" }], + }, + { + badge: "⚙️ Developer / SecOps", icon: "🔌", accent: ORANGE, + title: "Integrate via API", + desc: "Enrich SIEM alerts, build enrichment pipelines, or plug into Splunk, Sentinel, QRadar, TheHive, and more.", + links: [{ label: "API quickstart →", href: "/u/cti_api/api_introduction" }, { label: "All integrations →", href: "/u/cti_api/api_integration/integration_intro" }], + }, + { + badge: "🎯 Threat hunter", icon: "🚨", accent: PURPLE, + title: "Hunt for threat patterns", + desc: "Advanced Search with live faceted filters — behavior, country, AS, CVE — to find campaigns or build blocklists.", + links: [{ label: "Advanced search →", href: "/u/console/ip_reputation/search_ui_advanced" }, { label: "Live Exploit Tracker →", href: "/u/tracker_api/intro" }], + }, + ].map(({ badge, icon, accent, title, desc, links }) => ( +
+
{badge}
+
{icon}
+
{title}
+
{desc}
+
+ {links.map(({ label, href }) => ( + {label} + ))} +
+
+ ))} +
+
+ +{/* ── Integrations ────────────────────────────────────────────────────── */} + +
+
Integrations
+
Already using one of these?
+

+ Jump straight to the integration guide — no need to read the full API docs first. +

+
+ {ctiIntegrations.map(({ name, slug, href, plugin, desc, color }) => ( + + ))} +
+ +
+
API access & quotas
+
+ {[ + { label: "Community Plan Free Key", quota: "40 / month", desc: "Ad-hoc lookups, proof of concept", color: "#22d3a0" }, + { label: "Premium Plan Free Key", quota: "120 / month", desc: "Regular enrichment, small integrations", color: BLUE }, + { label: "Premium Options", quota: "5K–100K / month", desc: "Production SIEMs, SOARs, high-volume pipelines", color: PURPLE }, + ].map(({ label, quota, desc, color }) => ( +
+
+ {label} + {quota} +
+
{desc}
+
+ ))} +
+
+ Web UI lookups do not consume API quota. Free tier resets monthly — unused queries don't roll over. +
+ Get your first API key → +
+
+ +{/* ── Technical details ───────────────────────────────────────────────── */} + +
+
Technical details
+
+ {[ + { icon: "📊", title: "Data Taxonomy", desc: "CTI Data structure, scores, behaviors and classifications", href: "/u/cti_api/taxonomy/intro" }, + { icon: "📚", title: "API Reference", desc: "Full endpoint reference with request/response schemas.", href: "https://crowdsecurity.github.io/cti-api/", external: true }, + { icon: "❓", title: "FAQ", desc: "Common questions about access, quotas, and data.", href: "/u/cti_api/faq" }, + ].map(({ icon, title, desc, href, external }) => ( + + {icon} +
+
+ {title}{external && } +
+
{desc}
+
+ + ))} +
+
+ +{/* ── Need help ───────────────────────────────────────────────────────── */} + +
+
+
Need help?
+
Get answers in Discord or check the FAQ.
+
+
+ 💬 Join Discord + ❓ View FAQ + 📚 API Reference +
+
diff --git a/crowdsec-docs/unversioned/integrations/intro.mdx b/crowdsec-docs/unversioned/integrations/intro.mdx index 25e8900e5..ab41909e5 100644 --- a/crowdsec-docs/unversioned/integrations/intro.mdx +++ b/crowdsec-docs/unversioned/integrations/intro.mdx @@ -11,6 +11,7 @@ import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; import CodeBlock from '@theme/CodeBlock'; import UnderlineTooltip from '@site/src/components/underline-tooltip'; +import IntegrationTile, { firewallIntegrations } from '@site/src/components/integration-tile'; CrowdSec Blocklist Integrations — also known as **Blocklist as a Service** — give you a secure, hosted HTTPS endpoint serving live blocklists that you configure your firewall or security tool to pull from. @@ -41,27 +42,37 @@ Pulling more frequently than the allowed interval for your plan will result in H ## Available integrations + ### Firewall integrations Each vendor page explains how to create the integration in the CrowdSec Console and includes a link to the vendor's own documentation on how to configure ingestion on the firewall side. -| Firewall | Vendor feature name | -|---|---| -| [Checkpoint](integrations/checkpoint.mdx) | Custom Intelligence (IoC) Feeds | -| [Cisco](integrations/cisco.mdx) | Security Intelligence feeds | -| [F5](integrations/f5.mdx) | External IP blocklist / Feed lists | -| [Fortinet](integrations/fortinet.mdx) | IP address Threat Feeds | -| [Juniper](integrations/juniper.mdx) | Security Dynamic Address feeds | -| [Mikrotik](integrations/mikrotik.mdx) | — | -| [OPNsense](integrations/opnsense.mdx) | URL Table (IPs) aliases | -| [Palo Alto](integrations/paloalto.mdx) | External Dynamic Lists (EDL) | -| [pfSense](integrations/pfsense.mdx) | URL Table (IPs) aliases | -| [Sophos](integrations/sophos.mdx) | Third-Party Threat Feeds | +
+ {firewallIntegrations.map(({ name, slug, href, desc, color }) => ( + + ))} +
### Other integrations -- [Raw IP List](integrations/rawiplist.mdx) — generic format, works with any HTTP-capable device -- [Remediation Component](integrations/remediationcomponent.mdx) — for platforms without native IP list ingestion (Cloudflare, AWS WAF, etc.) +
+ + One IP per line — compatible with virtually any firewall, router, or HTTP-capable device + + + Extends blocklist handling to platforms without native ingestion (Cloudflare, AWS WAF, …) via CrowdSec Remediation Components + +
## Setup a Blocklist Integration Endpoint