diff --git a/.gitignore b/.gitignore index 62551d255..4c236fefd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .vscode node_modules -.history \ No newline at end of file +.history +ai-session \ No newline at end of file diff --git a/crowdsec-docs/sidebarsUnversioned.ts b/crowdsec-docs/sidebarsUnversioned.ts index aded4b970..8dd5c3ef6 100644 --- a/crowdsec-docs/sidebarsUnversioned.ts +++ b/crowdsec-docs/sidebarsUnversioned.ts @@ -11,6 +11,12 @@ const sidebarsUnversionedConfig: SidebarConfig = { label: "Introduction", id: "cti_api/intro", }, + // ── EXPLORE ────────────────────────────────────────────────────────── + { + type: "html", + value: "Explore", + defaultStyle: false, + }, { type: "link", label: "Web UI", @@ -19,6 +25,20 @@ const sidebarsUnversionedConfig: SidebarConfig = { tag: "otherSection", }, }, + { + type: "link", + label: "Live Exploit Tracker", + href: "/u/tracker_api/intro", + customProps: { + tag: "otherSection", + }, + }, + // ── API ────────────────────────────────────────────────────────────── + { + type: "html", + value: "
API", + defaultStyle: false, + }, { type: "doc", label: "API Access", @@ -50,16 +70,12 @@ const sidebarsUnversionedConfig: SidebarConfig = { "cti_api/api_integration/integration_thehive", ], }, + // ── TECHNICAL DOC ───────────────────────────────────────────────────── { type: "html", - value: "
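Review bot: The new `type: "html"` sidebar entries in this hunk (the "Explore" and "API" section headers) are rendered by Docusaurus through `dangerouslySetInnerHTML`, so their `value` must remain a hard-coded literal and never be assembled from a doc title, front-matter field or anything else that could carry user-controlled markup. The values here are static so there is no exposure today, but a one-line comment above the first such item would make the constraint explicit for whoever adds the next header: `// type "html" is injected unescaped by Docusaurus — keep these values static literals`. Separately, the "Live Exploit Tracker" link added here targets `/u/tracker_api/intro`, while the CTI landing page's card for the same feature (in `cti.tsx`) targets `/u/console/ip_reputation/intro#live-exploit-tracker`; confirm which page is canonical so the two entry points do not diverge.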
", + value: "
Technical Doc", defaultStyle: false, }, - { - type: "doc", - label: "Advanced Query Syntax", - id: "cti_api/search_queries", - }, { type: "category", label: "Taxonomy", @@ -75,15 +91,19 @@ const sidebarsUnversionedConfig: SidebarConfig = { ], }, { - type: "html", - value: "
", - defaultStyle: false, + type: "doc", + label: "Advanced Query Syntax", + id: "cti_api/search_queries", }, { type: "link", - label: "Swagger", + label: "Swagger ↗", href: "https://crowdsecurity.github.io/cti-api/", }, + { + type: "html", + value: "
", + }, { type: "doc", label: "FAQ", @@ -400,6 +420,11 @@ const sidebarsUnversionedConfig: SidebarConfig = { label: "Advanced Search", id: "console/ip_reputation/search_ui_advanced", }, + { + type: "doc", + label: "IP Reputation Report", + id: "console/ip_reputation/ip_report", + }, { type: "link", label: "Search Queries Syntax", @@ -410,11 +435,6 @@ const sidebarsUnversionedConfig: SidebarConfig = { }, ], }, - { - type: "doc", - label: "IP Reputation Report", - id: "console/ip_reputation/ip_report", - }, { type: "category", label: "API Keys", diff --git a/crowdsec-docs/src/components/cti-integration-tile.tsx b/crowdsec-docs/src/components/cti-integration-tile.tsx new file mode 100644 index 000000000..5db9aa54b --- /dev/null +++ b/crowdsec-docs/src/components/cti-integration-tile.tsx @@ -0,0 +1,156 @@ +import useBaseUrl from "@docusaurus/useBaseUrl"; +// biome-ignore lint/correctness/noUnusedImports: React is needed for JSX +import React, { useRef, useState } from "react"; +import { type CtiIntegrationData, ctiIntegrations } from "./data/cti-integrations"; + +export { ctiIntegrations }; + +export default function CtiIntegrationTile({ name, slug, href, plugin, desc, color }: CtiIntegrationData) { + const logoSrc = useBaseUrl(`/img/cti-integrations/logo-${slug}.png`); + const fallbackSrc = useBaseUrl("/img/cti-integrations/logo-default.png"); + const [tooltip, setTooltip] = useState(false); + const tooltipRef = useRef(null); + + return ( +
+ {/* left gradient strip */} +
+ { + const wrapper = (e.currentTarget as HTMLAnchorElement).parentElement as HTMLDivElement; + wrapper.style.boxShadow = `0 4px 12px ${color}30`; + wrapper.style.borderColor = `${color}70`; + setTooltip(true); + }} + onMouseLeave={(e) => { + const wrapper = (e.currentTarget as HTMLAnchorElement).parentElement as HTMLDivElement; + wrapper.style.boxShadow = "none"; + wrapper.style.borderColor = "var(--ifm-color-emphasis-200)"; + setTooltip(false); + }} + > +
+ {`${name} { + (e.currentTarget as HTMLImageElement).onerror = null; + (e.currentTarget as HTMLImageElement).src = fallbackSrc; + }} + style={{ width: "28px", height: "28px", objectFit: "contain", pointerEvents: "none", userSelect: "none" }} + /> +
+
+ + {name} + + + {plugin} + +
+
+ + {/* Hover tooltip */} + {tooltip && ( +
+
+ {name} +
+ {desc} + {/* Arrow */} +
+
+ )} +
+ ); +} diff --git a/crowdsec-docs/src/components/data/cti-integrations.ts b/crowdsec-docs/src/components/data/cti-integrations.ts new file mode 100644 index 000000000..a05e0b8d7 --- /dev/null +++ b/crowdsec-docs/src/components/data/cti-integrations.ts 
@@ -0,0 +1,139 @@ +export interface CtiIntegrationData { + name: string; + slug: string; + href: string; + plugin: string; // vendor-specific plugin/extension/module name shown as subtext + desc: string; // shown on hover tooltip + color: string; +} + +export const ctiIntegrations: CtiIntegrationData[] = [ + { + name: "IPDEX", + slug: "ipdex", + href: "/u/cti_api/api_integration/integration_ipdex", + plugin: "CrowdSec CTI Reports", + desc: "IPDEX extracts IP addresses from your logs and cross-references them against CrowdSec's global threat intelligence network — instantly.", + color: "#e55c2f", + }, + { + name: "Chrome", + slug: "chrome", + href: "/u/cti_api/api_integration/integration_chrome", + plugin: "CrowdSec CTI Extension", + desc: "Browser extension to instantly look up any IP on a page without leaving your browser.", + color: "#4285f4", + }, + { + name: "Gigasheet", + slug: "gigasheet", + href: "/u/cti_api/api_integration/integration_gigasheet", + plugin: "No-Code API Enrichment", + desc: "Enrich spreadsheet columns with CTI data using Gigasheet's no-code API enrichment feature — no scripting required.", + color: "#00b4d8", + }, + { + name: "IntelOwl", + slug: "intelowl", + href: "/u/cti_api/api_integration/integration_intelowl", + plugin: "CrowdSec Analyzer", + desc: "Open-source threat intelligence platform with a built-in CrowdSec analyzer for automated IP enrichment.", + color: "#e63946", + }, + { + name: "Maltego", + slug: "maltego", + href: "/u/cti_api/api_integration/integration_maltego", + plugin: "CrowdSec Transform", + desc: "Link analysis and data visualization tool. Use the CrowdSec Transform to pivot from IPs to full reputation context.", + color: "#efefef", + }, + { + name: "MISP", + slug: "misp", + href: "/u/cti_api/api_integration/integration_misp", + plugin: "CrowdSec Feed Module", + desc: "Open-source threat sharing platform. 
Import CrowdSec CTI data as a MISP feed for collaborative threat intelligence workflows.", + color: "#1a73e8", + }, + { + name: "MSTICpy", + slug: "msticpy", + href: "/u/cti_api/api_integration/integration_msticpy", + plugin: "CrowdSec TI Provider", + desc: "Microsoft's open-source security Python library. Query CrowdSec CTI directly from Jupyter notebooks and threat hunting scripts.", + color: "#00a4ef", + }, + { + name: "Microsoft Sentinel", + slug: "ms-sentinel", + href: "/u/cti_api/api_integration/integration_ms_sentinel", + plugin: "CrowdSec Threat Intelligence", + desc: "Cloud-native SIEM. Enrich Sentinel incidents and hunting queries with CrowdSec IP reputation data via the native connector.", + color: "#0078d4", + }, + { + name: "OpenCTI", + slug: "opencti", + href: "/u/cti_api/api_integration/integration_opencti", + plugin: "CrowdSec Connector", + desc: "Open-source CTI platform. Ingest CrowdSec reputation data as a structured connector for correlation and sharing.", + color: "#e55c2f", + }, + { + name: "Palo Alto XSOAR", + slug: "paloalto_xsoar", + href: "/u/cti_api/api_integration/integration_paloalto_xsoar", + plugin: "CrowdSec Integration", + desc: "SOAR platform by Palo Alto Networks. Automate IP reputation lookups in playbooks using the CrowdSec integration.", + color: "#fa582d", + }, + { + name: "QRadar", + slug: "qradar", + href: "/u/cti_api/api_integration/integration_qradar", + plugin: "CrowdSec App", + desc: "IBM SIEM solution. Enrich QRadar offenses and rules with CrowdSec IP reputation via the dedicated app.", + color: "#0530ad", + }, + { + name: "Security Copilot", + slug: "securitycopilot", + href: "/u/cti_api/api_integration/integration_securitycopilot", + plugin: "CrowdSec Plugin", + desc: "Microsoft's AI-powered security assistant. 
Query CrowdSec CTI data inline using natural language prompts.", + color: "#0078d4", + }, + { + name: "Sekoia XDR", + slug: "sekoia", + href: "/u/cti_api/api_integration/integration_sekoia_xdr", + plugin: "CrowdSec CTI Intake", + desc: "Extended Detection and Response platform. Feed CrowdSec IP reputation into Sekoia for detection and threat hunting.", + color: "#6c47ff", + }, + { + name: "Splunk SIEM", + slug: "splunk_siem", + href: "/u/cti_api/api_integration/integration_splunk_siem", + plugin: "CrowdSec Add-on for Splunk", + desc: "Enrich Splunk Enterprise Security searches and dashboards with live CrowdSec IP reputation data.", + color: "#65a637", + }, + { + name: "Splunk SOAR", + slug: "splunk_soar", + href: "/u/cti_api/api_integration/integration_splunk_soar", + plugin: "CrowdSec App for SOAR", + desc: "Automate IP enrichment and response playbooks in Splunk SOAR using the CrowdSec threat intelligence app.", + color: "#65a637", + }, + { + name: "TheHive", + slug: "thehive", + href: "/u/cti_api/api_integration/integration_thehive", + plugin: "CrowdSec Analyzer", + desc: "Open-source SIRP for incident response teams. Add CrowdSec as a Cortex analyzer to auto-enrich observables.", + color: "#f5a623", + }, +]; diff --git a/crowdsec-docs/src/components/integration-tile.tsx b/crowdsec-docs/src/components/integration-tile.tsx new file mode 100644 index 000000000..7ff35de31 --- /dev/null +++ b/crowdsec-docs/src/components/integration-tile.tsx 
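Review bot: `ctiIntegrations` is exported as a mutable `CtiIntegrationData[]` and re-exported from the tile component for use in MDX, so any consumer can push or reassign entries into shared module state at render time; declare it `export const ctiIntegrations: readonly CtiIntegrationData[] = [` and mark the interface fields `readonly` so the compiler rejects that. The `slug` field deserves the same kind of comment the other fields have, since the tile interpolates it straight into an asset path: `slug: string; // also the logo file stem under static/img/cti-integrations — keep to [a-z0-9_-]`. Unrelated to security but easy to miss: the Maltego accent `#efefef` is likely to be near-invisible against a light card background.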
@@ -0,0 +1,119 @@ +import useBaseUrl from "@docusaurus/useBaseUrl"; +import React from "react"; + +interface IntegrationTileProps { + name: string; + slug: string; + href: string; + desc?: string; + color: string; + children?: React.ReactNode; +} + +export const firewallIntegrations = [ + { + name: "Checkpoint", + slug: "checkpoint", + href: "/u/integrations/checkpoint", + desc: "Custom Intelligence (IoC) Feeds", + color: "#cc0000", + }, + { name: "Cisco", slug: "cisco", href: "/u/integrations/cisco", desc: "Security Intelligence feeds", color: "#1ba0d8" }, + { name: "F5", slug: "f5", href: "/u/integrations/f5", desc: "External IP blocklist / Feed lists", color: "#e4002b" }, + { name: "Fortinet", slug: "fortinet", href: "/u/integrations/fortinet", desc: "IP address Threat Feeds", color: "#ee3124" }, + { name: "Juniper", slug: "juniper", href: "/u/integrations/juniper", desc: "Security Dynamic Address feeds", color: "#84b135" }, + { name: "Mikrotik", slug: "mikrotik", href: "/u/integrations/mikrotik", desc: "IP blocklist ingestion", color: "#9f1d20" }, + { name: "OPNsense", slug: "opnsense", href: "/u/integrations/opnsense", desc: "URL Table (IPs) aliases", color: "#d94f00" }, + { name: "Palo Alto", slug: "paloalto", href: "/u/integrations/paloalto", desc: "External Dynamic Lists (EDL)", color: "#fa582d" }, + { name: "pfSense", slug: "pfsense", href: "/u/integrations/pfsense", desc: "URL Table (IPs) aliases", color: "#212d6e" }, + { name: "Sophos", slug: "sophos", href: "/u/integrations/sophos", desc: "Third-Party Threat Feeds", color: "#1f6bff" }, +]; + +export default function IntegrationTile({ name, slug, href, desc, color, children }: IntegrationTileProps) { + const logoSrc = useBaseUrl(`/img/blaas/logo-${slug}.png`); + const fallbackSrc = useBaseUrl("/img/blaas/logo-default.png"); + + return ( +
+
+ { + const wrapper = (e.currentTarget as HTMLAnchorElement).parentElement as HTMLDivElement; + wrapper.style.boxShadow = `0 4px 12px ${color}30`; + wrapper.style.borderColor = `${color}70`; + }} + onMouseLeave={(e) => { + const wrapper = (e.currentTarget as HTMLAnchorElement).parentElement as HTMLDivElement; + wrapper.style.boxShadow = "none"; + wrapper.style.borderColor = "var(--ifm-color-emphasis-200)"; + }} + > +
+ {`${name} { + (e.currentTarget as HTMLImageElement).onerror = null; + (e.currentTarget as HTMLImageElement).src = fallbackSrc; + }} + style={{ width: "32px", height: "32px", objectFit: "contain", pointerEvents: "none", userSelect: "none" }} + /> +
+
+ + {name} + + + {children || desc} + +
+
+
+ ); +} diff --git a/crowdsec-docs/src/css/custom.css b/crowdsec-docs/src/css/custom.css index 18a40585f..bcb9e2f63 100644 --- a/crowdsec-docs/src/css/custom.css +++ b/crowdsec-docs/src/css/custom.css 
@@ -79,6 +79,115 @@ div.markdown { @apply text-justify; } +/* Pull embedded full-bleed content flush with the doc container edges */ +.doc-flush { + margin-left: calc(-1 * var(--ifm-spacing-horizontal)); + margin-right: calc(-1 * var(--ifm-spacing-horizontal)); + margin-top: calc(-1 * var(--ifm-spacing-vertical, 1rem)); +} + +/* ── Shared doc-page primitives ────────────────────────────────────────── */ + +/* Monospace eyebrow label above a section title */ +.doc-eyebrow { + font-family: var(--ifm-font-family-monospace); + font-size: 10px; + letter-spacing: 1.2px; + text-transform: uppercase; + color: var(--ifm-color-emphasis-500); + margin-bottom: 4px; +} + +/* Section title */ +.doc-section-title { + font-weight: 700; + font-size: 1.15rem; + margin-bottom: 0.4rem; +} + +/* Card: used for differentiator items, ref cards, etc. */ +.doc-card { + background: rgb(var(--card) / var(--tw-bg-opacity, 1)); + border: 1px solid var(--ifm-color-emphasis-200); + border-radius: 10px; + padding: 14px 16px; +} + +/* Quick-access strip — label + pill buttons in a row (matches homepage "Already running?" 
strip) */ +.doc-quick-strip { + display: flex; + align-items: center; + gap: 16px; + flex-wrap: wrap; + padding: 10px 16px; + background: rgb(var(--card) / var(--tw-bg-opacity, 1)); + border: 1px solid var(--ifm-color-emphasis-200); + border-radius: 10px; + margin-bottom: 2rem; +} + +.doc-quick-strip__label { + font-family: var(--ifm-font-family-monospace); + font-size: 10.5px; + letter-spacing: 0.8px; + text-transform: uppercase; + color: var(--ifm-color-emphasis-500); + white-space: nowrap; + flex-shrink: 0; +} + +.doc-quick-strip__pills { + display: flex; + flex-wrap: wrap; + gap: 6px; +} + +.doc-quick-strip__pill { + display: inline-flex; + align-items: center; + gap: 6px; + padding: 5px 12px; + border-radius: 7px; + font-size: 12.5px; + line-height: 1; + white-space: nowrap; + color: var(--ifm-color-emphasis-700); + border: 1px solid var(--ifm-color-emphasis-200); + background: var(--ifm-background-color); + text-decoration: none; + text-align: left; + transition: + border-color 0.15s, + color 0.15s; +} + +/* Reset markdown-injected styles when pills appear inside doc content */ +div.markdown .doc-quick-strip__pill { + margin-bottom: 0; + display: inline-flex; +} + +/* Horizontal rule divider with centered text label */ +.doc-section-sep { + display: flex; + align-items: center; + gap: 12px; + color: var(--ifm-color-emphasis-400); + font-size: 10px; + font-family: var(--ifm-font-family-monospace); + letter-spacing: 1px; + text-transform: uppercase; + margin-bottom: 1rem; +} + +.doc-section-sep::before, +.doc-section-sep::after { + content: ""; + flex: 1; + height: 1px; + background: var(--ifm-color-emphasis-200); +} + a { @apply text-primary; } diff --git a/crowdsec-docs/src/pages/cti.tsx b/crowdsec-docs/src/pages/cti.tsx index 0462986b3..54dfb9c79 100644 --- a/crowdsec-docs/src/pages/cti.tsx +++ b/crowdsec-docs/src/pages/cti.tsx 
@@ -1,186 +1,359 @@ import Link from "@docusaurus/Link"; -import { - FeatureCard, - FeatureCardProps, - IntegrationItem, - IntegrationItemProps, - ProductPageLayout, - Section, -} from "../components/product-page"; - -const gettingStarted: FeatureCardProps[] = [ +import Layout from "@theme/Layout"; +import { ExternalLink } from "lucide-react"; +import React, { useEffect } from "react"; + +// ── Intent card (same pattern as index.tsx) ─────────────────────────────────── + +type IntentCardProps = { + icon: React.ReactNode; + title: string; + desc: string; + pill: string; + accent: string; + href: string; + badge?: string; +}; + +const IntentCard = ({ icon, title, desc, pill, accent, href, badge }: IntentCardProps) => ( + { + const el = e.currentTarget as HTMLAnchorElement; + el.style.borderColor = accent; + el.style.boxShadow = `0 8px 24px ${accent}22, 0 0 0 1px ${accent}`; + el.style.transform = "translateY(-2px)"; + el.style.borderRadius = "14px"; + }} + onMouseLeave={(e) => { + const el = e.currentTarget as HTMLAnchorElement; + el.style.borderColor = ""; + el.style.boxShadow = ""; + el.style.transform = ""; + }} + > +
+ {badge && ( +
+ {badge} +
+ )} +
+
+ {icon} +
+
{title}
+
+
+ {desc} +
+
+ + → {pill} + + +
+
+
+); + +// ── Differentiator card ─────────────────────────────────────────────────────── + +type DiffCardProps = { + icon: string; + title: string; + desc: string; +}; + +const DiffCard = ({ icon, title, desc }: DiffCardProps) => ( +
+
{icon}
+
{title}
+
{desc}
+
+); + +// ── Data ────────────────────────────────────────────────────────────────────── + +const BLUE = "#60a5fa"; + +const intents: IntentCardProps[] = [ { - title: "Introduction", - description: "Learn what the CTI API offers and how to use it.", - link: "/u/cti_api/intro", - icon: "📖", + icon: 🖥️, + accent: BLUE, + badge: "🔍 No setup needed", + title: "Web IP Look up", + desc: "Open the Console and search any IP instantly — reputation score, behaviors, attack history, and CVE links.", + pill: "Console - Web UI", + href: "/u/console/ip_reputation/intro", }, { - title: "Console Quickstart", - description: "Use the web interface to search and explore CTI data.", - link: "/u/console/ip_reputation/intro", - icon: "🖥️", + icon: 🔌, + accent: "#a78bfa", + badge: "⚙️ Developer / SECOPS", + title: "Enrich your SIEM/SOAR/TIP/+", + desc: "Automate lookups in your scripts, pipelines, or custom tooling. No credit card needed.", + pill: "CTI API", + href: "/u/cti_api/intro", }, { - title: "API Quickstart", - description: "Integrate CTI data programmatically into your workflows.", - link: "/u/console/ip_reputation/api_keys", - icon: "🔌", + icon: 🚨, + accent: "#34d399", + badge: "🎯 Threat Hunters", + title: "Track live CVE exploitation", + desc: "See which IPs are actively exploiting known vulnerabilities — cross-reference CVEs with real-time attacker activity.", + pill: "Live Exploit Tracker", + href: "/u/console/ip_reputation/intro#live-exploit-tracker", }, ]; -const coreFeatures: FeatureCardProps[] = [ - { - title: "IP Reports", - description: "Get full context for any IP, including reputation and activity.", - link: "/u/console/ip_reputation/ip_report", - icon: "📋", - }, +const differentiators: DiffCardProps[] = [ { - title: "Search Queries", - description: "Search CTI data with filters and query operators.", - link: "/u/cti_api/search_queries", - icon: "🔍", + icon: "🌍", + title: "Community-sourced threat data", + desc: "Every CrowdSec instance contributes signals. 
The more sensors in the network, the more accurate the data — no honeypots, real-world detections only.", }, { - title: "Advanced Search", - description: "Build complex queries to spot patterns at scale.", - link: "/u/console/ip_reputation/search_ui_advanced", - icon: "🎯", + icon: "🔬", + title: "Behavioral fingerprinting", + desc: "Beyond a simple bad/good reputation. Each IP is tagged with the exact attack behaviors it was observed performing — brute force, scanning, exploit attempts, and more.", }, { - title: "CVE Explorer", - description: "Explore CVEs and see active exploitation by IP.", - link: "/u/console/ip_reputation/intro#live-exploit-tracker", icon: "🛡️", - }, -]; - -const taxonomy: FeatureCardProps[] = [ - { - title: "Taxonomy Overview", - description: "Learn how CTI data is structured and labeled.", - link: "/u/cti_api/taxonomy/intro", - icon: "📊", + title: "CVE & live exploit tracking", + desc: "See which IPs are actively exploiting known vulnerabilities. Cross-reference CVEs with real-time attacker activity from the global sensor network.", }, { - title: "Reputation Scores", - description: "See how scores are computed and what they mean.", - link: "/u/cti_api/taxonomy/scores", - icon: "⭐", + icon: "🆓", + title: "Generous free tier", + desc: "Up to 15 lookups per day at no cost, no credit card. 
Paid tiers unlock bulk queries, higher rate limits, and advanced filters.", }, { - title: "Behaviors", - description: "Explore the behaviors we track across attacks.", - link: "/u/cti_api/taxonomy/behaviors", - icon: "🔬", + icon: "🏷️", + title: "Structured taxonomy", + desc: "Consistent labels across behaviors, classifications, and reputation scores — making it easy to integrate into automated workflows without custom parsing.", }, { - title: "Classifications", - description: "Understand threat classifications and categories.", - link: "/u/cti_api/taxonomy/classifications", - icon: "🏷️", + icon: "⚡", + title: "Real-time data", + desc: "The CTI database is updated continuously as new attack signals flow in from the global sensor network. No stale data.", }, ]; -const integrations: IntegrationItemProps[] = [ - { title: "Splunk SIEM", link: "/u/cti_api/api_integration/integration_splunk_siem" }, - { title: "Splunk SOAR", link: "/u/cti_api/api_integration/integration_splunk_soar" }, - { title: "Microsoft Sentinel", link: "/u/cti_api/api_integration/integration_ms_sentinel" }, - { title: "Security Copilot", link: "/u/cti_api/api_integration/integration_securitycopilot" }, - { title: "Palo Alto XSOAR", link: "/u/cti_api/api_integration/integration_paloalto_xsoar" }, - { title: "IBM QRadar", link: "/u/cti_api/api_integration/integration_qradar" }, - { title: "TheHive", link: "/u/cti_api/api_integration/integration_thehive" }, - { title: "OpenCTI", link: "/u/cti_api/api_integration/integration_opencti" }, - { title: "MISP", link: "/u/cti_api/api_integration/integration_misp" }, - { title: "Maltego", link: "/u/cti_api/api_integration/integration_maltego" }, - { title: "Sekoia XDR", link: "/u/cti_api/api_integration/integration_sekoia_xdr" }, - { title: "IntelOwl", link: "/u/cti_api/api_integration/integration_intelowl" }, -]; +// ── Page body (no Layout — safe to embed in MDX) ───────────────────────────── -const resources: FeatureCardProps[] = [ - { - title: "API 
Reference", - description: "Full API reference with endpoints and parameters.", - link: "https://crowdsecurity.github.io/cti-api/", - icon: "📚", - }, - { - title: "FAQ", - description: "Common questions about access, limits, and data.", - link: "/u/cti_api/faq", - icon: "❓", - }, - { - title: "Chrome Extension", - description: "Check IP reputation directly in your browser.", - link: "/u/cti_api/api_integration/integration_chrome", - icon: "🌐", - }, -]; +export const CTIContent = () => ( +
+ {/* Hero */} +
+
+
+

+ IP Reputation & Threat Intelligence +

+

+ IP reputation and threat data from a global sensor network. Look up IPs, enrich investigations, and automate security + workflows. +

-const CTIPage = () => { - return ( - -
-
- {gettingStarted.map((item) => ( - - ))} + {/* Quick access bar */} +
+ + Quick access + +
+ {[ + { + label: "Look up an IP", + href: "https://app.crowdsec.net/cti", + external: true, + primary: true, + }, + { label: "Get Started", href: "/u/cti_api/intro", external: false, primary: false }, + { label: "API Quickstart", href: "/u/console/ip_reputation/api_keys", external: false, primary: false }, + ].map(({ label, href, external, primary }) => ( + + {label} + {external && } + + ))} +
-
+
+
-
-
- {coreFeatures.map((item) => ( - - ))} + {/* How do you want to use it? */} +
+
+
+ How do you want to use it?
-
- -
-
- {taxonomy.map((item) => ( - +
+ {intents.map((intent) => ( + ))}
-
+
+
-
-
- {integrations.map((item) => ( - - ))} -
-
- - View all integrations → - + {/* What makes CrowdSec CTI different */} +
+
+
+
+ What makes CrowdSec CTI different +
-
- -
-
- {resources.map((item) => ( - +
+ {differentiators.map((d) => ( + ))}
-
- +
+
+
+); + +// ── Standalone page (with Layout + homepage class) ──────────────────────────── + +const CTIPage = () => { + useEffect(() => { + document.body.classList.add("homepage"); + document.documentElement.classList.add("homepage"); + return () => { + document.body.classList.remove("homepage"); + document.documentElement.classList.remove("homepage"); + }; + }, []); + + return ( + + + ); }; diff --git a/crowdsec-docs/src/pages/index.tsx b/crowdsec-docs/src/pages/index.tsx index 0fecb7733..3d21dc0a1 100644 --- a/crowdsec-docs/src/pages/index.tsx +++ b/crowdsec-docs/src/pages/index.tsx @@ -1,75 +1,484 @@ import Link from "@docusaurus/Link"; import Layout from "@theme/Layout"; import SearchBar from "@theme/SearchBar"; -import React, { useEffect } from "react"; +import { ExternalLink } from "lucide-react"; +import React, { useEffect, useState } from "react"; import { Button } from "../ui/button"; -type ProductCardProps = { - title: string; - description: string; +// ── Intent card ────────────────────────────────────────────────────────────── + +type IntentCardProps = { icon: React.ReactNode; - link: string; - features: string[]; - bestFor: string; + title: string; + desc: string; + pill: string; + accent: string; + href: string; + aka?: string[]; }; -const ProductCard = ({ title, description, icon, link, features, bestFor }: ProductCardProps): React.JSX.Element => ( - -
-
-
+const IntentCard = ({ icon, title, desc, pill, accent, href, aka }: IntentCardProps) => ( + { + const el = e.currentTarget as HTMLAnchorElement; + el.style.borderColor = accent; + el.style.boxShadow = `0 8px 24px ${accent}22, 0 0 0 1px ${accent}`; + el.style.transform = "translateY(-2px)"; + el.style.borderRadius = "14px"; + }} + onMouseLeave={(e) => { + const el = e.currentTarget as HTMLAnchorElement; + el.style.borderColor = ""; + el.style.boxShadow = ""; + el.style.transform = ""; + }} + > +
+
+
{icon}
-

- {title} -

+
{title}
-

{description}

-

{bestFor}

-
    - {features.map((feature) => ( -
  • - - {feature} -
  • - ))} -
-
- Explore product → +
+ {desc}
+
+ + → {pill} + +
+ {aka && aka.length > 0 && ( +
+ + aka + + {aka.map((tag) => ( + + {tag} + + ))} +
+ )}
- +
+); + +// ── Schema / path block ─────────────────────────────────────────────────────── + +type Step = { + num: number; + icon: string; + title: string; + desc: string; + hint?: string; +}; + +type SchemaBlockProps = { + id: string; + color: string; + eyebrowIcon: string; + eyebrow: string; + title: string; + ctaLabel: string; + ctaHref: string; + steps: Step[]; + open: boolean; + onToggle: () => void; +}; + +const SchemaBlock = ({ id, color, eyebrowIcon, eyebrow, title, ctaLabel, ctaHref, steps, open, onToggle }: SchemaBlockProps) => ( +
+ {/* left accent strip */} +
+ {/* subtle radial glow */} +
+ + {/* header — always visible, clickable to toggle */} + + + {/* collapsible step flow */} + {open && ( +
+ {steps.map((step, i) => ( +
+ {i > 0 && ( +
+ → +
+ )} + {step.hint && ( +
+ {step.hint} +
+ )} +
+ {step.num} +
+
{step.icon}
+
{step.title}
+
{step.desc}
+
+ ))} +
+ )} +
); -const products: ProductCardProps[] = [ +// ── Data ────────────────────────────────────────────────────────────────────── + +const ORANGE = "#f97316"; +const GREEN = "#22d3a0"; +const BLUE = "#60a5fa"; + +const intents: IntentCardProps[] = [ + { + icon: Security Engine, + accent: ORANGE, + title: "Detect & Block attacks on my servers", + desc: "Locally identify and ban bad behaving IPs observed in your logs and requests with CrowdSec Detection Scenarios, and Virtual-Patching Collections.", + pill: "Security Engine", + href: "/security-engine", + aka: ["IDPS", "WAF", "CrowdSec FOSS"], + }, + { + icon: Blocklists, + accent: GREEN, + title: "Push a Blocklists into my firewall, CDN or WAF", + desc: "You manage network perimeter devices and want a URL to subscribe to — no agent to install.", + pill: "Blocklist Integration Endpoint", + href: "/blocklists", + aka: ["Threat Feeds", "IOC Streams", "Deny-list"], + }, + { + icon: CTI, + accent: BLUE, + title: "Investigate IPs or enrich alerts", + desc: "You're a security analyst or developer who wants IP context — in a browser or via REST API.", + pill: "IP Reputation & CTI", + href: "/u/cti_api/intro", + aka: ["IoC Lookup", "Threat Intel"], + }, +]; + +const schemas: Omit[] = [ { - title: "Security Engine", - description: "Analyze your logs to detect attacks, block malicious IPs, and protect web applications.", - icon: Security Engine, - link: "/security-engine", - features: ["Behavior-based detection", "Community threat sharing", "AppSec / WAF for web apps", "Open source"], - bestFor: "Best for self-hosted detection and protection.", + id: "schema-engine", + color: ORANGE, + eyebrowIcon: "🛡️", + eyebrow: "Security Engine", + title: "Detect and block malicious behaviors on your infrastructure", + ctaLabel: "Get started →", + ctaHref: "/security-engine", + steps: [ + { + num: 1, + icon: "⚡", + title: "Install the Security Engine", + desc: "Runs on your server, detects attack patterns in real time — immediately protected, 
and continuously updated with CrowdSec Community Blocklist.", + }, + { + num: 2, + icon: "🛡️", + hint: "RECOMMENDED", + title: "Activate the WAF module", + desc: "Layer in the AppSec component to inspect HTTP traffic and block web exploits before they reach your app.", + }, + { + num: 3, + icon: "📋", + hint: "OPTIONAL", + title: "Subscribe to blocklists", + desc: "Add a selection of extra blocklists on top of the built-in detection & community blocklist", + }, + { + num: 4, + icon: "✍️", + hint: "OPTIONAL", + title: "Craft your own rules", + desc: "Write custom scenarios for your stack, then share them back with the community on the Hub.", + }, + ], }, { - title: "Blocklists", - description: "Deploy curated threat intel feeds to protect your network without running detection yourself.", - icon: Blocklists, - link: "/blocklists", - features: ["Curated IP lists", "Ready to deploy", "Automatic updates", "Multiple categories"], - bestFor: "Best for fast protection with minimal setup.", + id: "schema-blocklists", + color: GREEN, + eyebrowIcon: "🚫", + eyebrow: "Blocklists", + title: "Push curated threat feeds directly into your firewall, CDN, or WAF", + ctaLabel: "Get started →", + ctaHref: "/blocklists", + steps: [ + { + num: 1, + icon: "🔌", + title: "Create a blocklist integration endpoint", + desc: "Generates a dedicated URL and credentials to serve blocklists to your perimeter devices.", + }, + { + num: 2, + icon: "🗂️", + title: "Choose which blocklists to serve", + desc: "Select from curated feeds by threat category: scanners, bots, TOR exits, exploits, and more.", + }, + { + num: 3, + icon: "🔗", + title: "Plug it in as an external threat feed", + desc: "Point your firewall, CDN, or WAF at the endpoint. 
Use the feed to protect your infrastructure.", + }, + ], }, { - title: "CTI", - description: "Query CrowdSec threat intelligence to enrich investigations, automate lookups, and integrate with tools.", - icon: CTI, - link: "/cti", - features: ["REST API access", "IP reputation scores", "Attack context", "SIEM integrations"], - bestFor: "Best for enrichment, integrations, and investigations.", + id: "schema-cti", + color: BLUE, + eyebrowIcon: "🔍", + eyebrow: "IP Reputation & CTI", + title: "Query threat intel — in the browser or via API in your tools", + ctaLabel: "Explore CTI →", + ctaHref: "/cti", + steps: [ + { + num: 1, + icon: "🖥️", + title: "Look up any IP in the Console", + desc: "Search instantly from our Web UI— get reputation score, behaviors, attack history, and CVE links.", + }, + { + num: 2, + icon: "🔑", + hint: "Integrate", + title: "Generate a CTI API key", + desc: "Unlock programmatic access to 30+ data points on IPs detected by CrowdSec Network.", + }, + { + num: 3, + icon: "⚙️", + hint: "Enrich", + title: "Connect to your SIEM/SOAR/TIP", + desc: "Native integrations for Splunk, Sentinel, QRadar, TheHive, OpenCTI, MISP, and more.", + }, + ], }, ]; +// ── Page ────────────────────────────────────────────────────────────────────── + const HomePage = () => { - // Add class to body to hide navbar search on homepage useEffect(() => { document.body.classList.add("homepage"); document.documentElement.classList.add("homepage"); @@ -79,29 +488,39 @@ const HomePage = () => { }; }, []); + const [openSchema, setOpenSchema] = useState(null); + + const toggleSchema = (id: string) => setOpenSchema((prev) => (prev === id ? null : id)); + return (
- {/* Hero Section */} -
-
-
-
-

CrowdSec Documentation

-

- Pronounced: Krowd-Sek [/kraʊd-sek/] -

-

- Community-driven security that unifies detection, blocklists, and threat intel for modern - infrastructure. -

-
- CrowdSec Logo -
+ {/* Hero */} +
+
+
+

+ Find the right +
+ CrowdSec tool for you +

+

+ IDPS/WAF | Blocklist feeds | IP Reputation +

- {/* Search Section */} + {/* Search */}
@@ -110,78 +529,206 @@ const HomePage = () => {
- {/* Product Selection */} -
-
-

- Choose your starting point -

-

- Each path links to setup, how-tos, and reference docs. -

- -
- {products.map((product) => ( - + {/* Intent strip */} +
+
+
+ I want to… +
+
+ {intents.map((i) => ( + ))}
+ + {/* Existing user strip */} +
+ + Already running CrowdSec? + +
+ {[ + { label: "🖥️ Open the Console", href: "https://app.crowdsec.net", external: true }, + { label: "🛡️ Activate the WAF", href: "/docs/next/appsec/intro" }, + { label: "📊 Measure what is being Blocked", href: "/u/console/remediation_metrics" }, + { label: "🩺 Check my Stack Health", href: "/u/console/stackhealth" }, + ].map(({ label, href, external }) => ( + + {label} + {external && } + + ))} +
+
- {/* Help Section */} -
-
-

- Not sure where to start? -

-

- Answer a few questions and get a recommended path with install steps for your stack. -

-
- - - - - - + {/* How each path works — accordion */} +
+
+
+
+ how each path works +
+ + {schemas.map((s) => ( + toggleSchema(s.id)} /> + ))}
- {/* Quick Links */} -
-
-

Popular Docs

-
- - - - - - - - - - - - - - - + {/* Not sure / fallback */} +
+
+
+
+
Not sure where to start?
+
+ Answer a few questions and get a recommended path with install steps for your stack. +
+
+
+ + + + + + +
+
+
+
+ + {/* Popular docs */} +
+
+
+ Popular docs +
+
+ {[ + { label: "🖥️ Console", href: "/u/console/intro" }, + { label: "🛡️ AppSec / WAF", href: "/docs/next/appsec/intro" }, + { label: "💻 CLI Reference", href: "/docs/next/cscli/" }, + { + label: "📖 Docs AI Assistant", + href: "https://chatgpt.com/g/g-682c3a61a78081918417571116c2b563-crowdsec-documentation", + external: true, + }, + { label: "🔑 CTI API Keys", href: "/cti" }, + { label: "❓ Troubleshooting", href: "/u/troubleshooting/intro" }, + { label: "🌐 About CrowdSec", href: "https://www.crowdsec.net", external: true }, + ].map(({ label, href, external }) => ( + + {label} + {external && } + + ))}
diff --git a/crowdsec-docs/static/img/blaas/logo-checkpoint.png b/crowdsec-docs/static/img/blaas/logo-checkpoint.png new file mode 100644 index 000000000..41ce0b625 Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-checkpoint.png differ diff --git a/crowdsec-docs/static/img/blaas/logo-cisco.png b/crowdsec-docs/static/img/blaas/logo-cisco.png new file mode 100644 index 000000000..5909f67c7 Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-cisco.png differ diff --git a/crowdsec-docs/static/img/blaas/logo-default.png b/crowdsec-docs/static/img/blaas/logo-default.png new file mode 100644 index 000000000..468cf5f4f Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-default.png differ diff --git a/crowdsec-docs/static/img/blaas/logo-f5.png b/crowdsec-docs/static/img/blaas/logo-f5.png new file mode 100644 index 000000000..23da38486 Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-f5.png differ diff --git a/crowdsec-docs/static/img/blaas/logo-fortinet.png b/crowdsec-docs/static/img/blaas/logo-fortinet.png new file mode 100644 index 000000000..49f4ec406 Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-fortinet.png differ diff --git a/crowdsec-docs/static/img/blaas/logo-juniper.png b/crowdsec-docs/static/img/blaas/logo-juniper.png new file mode 100644 index 000000000..6e80ba980 Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-juniper.png differ diff --git a/crowdsec-docs/static/img/blaas/logo-mikrotik.png b/crowdsec-docs/static/img/blaas/logo-mikrotik.png new file mode 100644 index 000000000..7545c47c6 Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-mikrotik.png differ diff --git a/crowdsec-docs/static/img/blaas/logo-opnsense.png b/crowdsec-docs/static/img/blaas/logo-opnsense.png new file mode 100644 index 000000000..0511fea68 Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-opnsense.png differ 
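Review bot: Two link lists are rebuilt as array literals inside JSX on every render of `HomePage` (`{[ { label: "🖥️ Open the Console", href: "https://app.crowdsec.net", external: true }, … ].map(…)}` and the "Popular docs" list), while the sibling lists in this file (`intents`, `schemas`) are module-level constants; hoist them to `const existingUserLinks = [...]` and `const popularDocs = [...]` beside those so the component body only renders. The `external` flag appears to drive only the trailing icon; if these entries render as plain `<a target="_blank">` rather than Docusaurus `Link`, confirm each external anchor also carries `rel="noopener noreferrer"` — the anchor attributes are not visible in this rendering. Three entries point at `/docs/next/...` (the unreleased "next" docs version) whereas every other internal link uses the `/u/` prefix; unless that is intentional, the current-version path is the safer default for a landing page — confirm against the sidebar config. The `HomePage` return continues past this hunk.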
diff --git a/crowdsec-docs/static/img/blaas/logo-paloalto.png b/crowdsec-docs/static/img/blaas/logo-paloalto.png
new file mode 100644
index 000000000..72371b771
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-paloalto.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-pfsense.png b/crowdsec-docs/static/img/blaas/logo-pfsense.png
new file mode 100644
index 000000000..1b4d566a7
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-pfsense.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-sophos.png b/crowdsec-docs/static/img/blaas/logo-sophos.png
new file mode 100644
index 000000000..358c0f94d
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-sophos.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-chrome.png b/crowdsec-docs/static/img/cti-integrations/logo-chrome.png
new file mode 100644
index 000000000..649fa44bc
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-chrome.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-default.png b/crowdsec-docs/static/img/cti-integrations/logo-default.png
new file mode 100644
index 000000000..468cf5f4f
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-default.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-gigasheet.png b/crowdsec-docs/static/img/cti-integrations/logo-gigasheet.png
new file mode 100644
index 000000000..61adfa146
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-gigasheet.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-intelowl.png b/crowdsec-docs/static/img/cti-integrations/logo-intelowl.png
new file mode 100644
index 000000000..d0cc7aed1
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-intelowl.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-maltego.png b/crowdsec-docs/static/img/cti-integrations/logo-maltego.png
new file mode 100644
index 000000000..ccd27565e
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-maltego.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-misp.png b/crowdsec-docs/static/img/cti-integrations/logo-misp.png
new file mode 100644
index 000000000..65db78ff9
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-misp.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-ms-sentinel.png b/crowdsec-docs/static/img/cti-integrations/logo-ms-sentinel.png
new file mode 100644
index 000000000..5edc39ebd
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-ms-sentinel.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-msticpy.png b/crowdsec-docs/static/img/cti-integrations/logo-msticpy.png
new file mode 100644
index 000000000..9d612f995
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-msticpy.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-opencti.png b/crowdsec-docs/static/img/cti-integrations/logo-opencti.png
new file mode 100644
index 000000000..c03f27e77
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-opencti.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-paloalto_xsoar.png b/crowdsec-docs/static/img/cti-integrations/logo-paloalto_xsoar.png
new file mode 100644
index 000000000..d88a19a24
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-paloalto_xsoar.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-qradar.png b/crowdsec-docs/static/img/cti-integrations/logo-qradar.png
new file mode 100644
index 000000000..9f9cd3305
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-qradar.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-securitycopilot.png b/crowdsec-docs/static/img/cti-integrations/logo-securitycopilot.png
new file mode 100644
index 000000000..0e27ff864
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-securitycopilot.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-sekoia.png b/crowdsec-docs/static/img/cti-integrations/logo-sekoia.png
new file mode 100644
index 000000000..00c8ab8a8
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-sekoia.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-splunk_siem.png b/crowdsec-docs/static/img/cti-integrations/logo-splunk_siem.png
new file mode 100644
index 000000000..abfe1df49
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-splunk_siem.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-splunk_soar.png b/crowdsec-docs/static/img/cti-integrations/logo-splunk_soar.png
new file mode 100644
index 000000000..8c38a1c4a
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-splunk_soar.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-thehive.png b/crowdsec-docs/static/img/cti-integrations/logo-thehive.png
new file mode 100644
index 000000000..67f4c16d1
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-thehive.png differ
diff --git a/crowdsec-docs/unversioned/console/ip_reputation/api_keys_premium.mdx b/crowdsec-docs/unversioned/console/ip_reputation/api_keys_premium.mdx
index 0073f6889..7abd7788b 100644
--- a/crowdsec-docs/unversioned/console/ip_reputation/api_keys_premium.mdx
+++ b/crowdsec-docs/unversioned/console/ip_reputation/api_keys_premium.mdx
@@ -1,15 +1,72 @@ --- id: api_keys_premium -title: Premium CTI API Keys +title: CTI API Access & Quotas sidebar_position: 2 --- -A [Premium Plan](/u/console/premium_upgrade) unlocks two benefits for CTI API access: +import Link from "@docusaurus/Link"; -- **Increased free quota** — the complimentary CTI key included with every account has a higher quota on a Premium plan than on the free Community plan. -- **Purchasable high-quota keys** — Premium organizations can buy additional CTI API keys with larger monthly quotas (5K, 25K, or 100K queries/month) to support production integrations, automated enrichment pipelines, and high-volume use cases. +export const GREEN = "#22d3a0"; +export const BLUE = "#60a5fa"; +export const PURPLE = "#a78bfa"; -For current quota tiers and pricing, go to **Settings → CTI API Keys** in the Console and click **+ New Key** — all available options and their costs are shown there. +Every CrowdSec account — free or Premium — includes a complimentary CTI API key. The right tier depends on what you're doing with the data. + +{/* ── Tier cards ─────────────────────────────────────────────────────────── */} + +
+ + {/* Community */} +
+
+ Community Plan + Free · 40 queries / month +
+
+ Included with every account at no cost. Suited for testing a CTI integration end-to-end, enriching alerts on personal homelab or hobby servers, or doing occasional ad-hoc IP lookups during an investigation. Not designed for production pipelines that query continuously. +
+
Free key · no credit card needed · resets monthly
+
+ + {/* Premium */} +
+
+ Premium Plan + 120 queries / month +
+
+ For practitioners with growing CTI enrichment needs — small SOC teams, security engineers running regular automation, or analysts who enrich SIEM alerts on a recurring basis. The 3× quota increase over Community covers light-to-moderate production use without committing to a paid quota add-on. +
+
Included with Premium Plan · resets monthly
+
+ + {/* Extended */} +
+
+ Extended Quota Options + 5K · 25K · 100K queries / month +
+
+ Purchasable add-ons available to Premium organizations. Designed for production SIEMs, SOARs, and high-volume enrichment pipelines — cases where every incoming alert or event triggers an IP lookup. Available in three sizes to match your actual throughput rather than forcing an all-or-nothing commitment. +
+
Requires Premium Plan · pricing shown in Console under Settings → CTI API Keys
+
+ +
+ +{/* ── Quota note ─────────────────────────────────────────────────────────── */} + +
+ API quotas are separate from Web UI quotas. Searching IPs through the Console web interface consumes its own quota and does not count against your API key. Unused API quota does not roll over to the next month. +
+ +## Purchasing a high-quota key + +Extended quota keys are available in the Console under **Settings → CTI API Keys → + New Key**. All available options and their costs are shown there. + +## Lucene search via API + +The [Advanced Search](/u/console/ip_reputation/search_ui_advanced) Lucene query interface available in the Console is a **Web UI feature only** — it is not accessible through self-service API keys. If you need programmatic access to Lucene-style bulk querying or advanced filtering at scale, this requires an Advanced CTI plan. [Contact our team](https://www.crowdsec.net/contact-crowdsec?message=Advanced%20CTI%20plan%20discussion) to discuss your use case. :::warning CTI API Keys and trials - Purchasing a CTI API Key does **not** grant access to a Premium Plan trial. diff --git a/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx b/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx index 670ec4b6b..3c379568b 100644 --- a/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx +++ b/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx 
@@ -4,73 +4,89 @@ title: IP Reputation / CTI description: Explore and query CrowdSec's IP Reputation data and manage CTI API keys from the Console. --- -CrowdSec's **IP Reputation / CTI** section of the Console gives you access to the world's largest crowdsourced threat intelligence network. - -From the Console you can: -- **Investigate IPs** directly in the Web UI — no code required -- **Explore Specific Classifications** with search queries -- **Query at scale** using the CTI REST API with a managed API key - ---- - -## Web UI Features - -### IP Search - -The [CTI home page](https://app.crowdsec.net/cti) lets you search any IP address or run Lucene queries against the threat database. Predefined searches give quick access to common patterns, and the **Top 10 Most Aggressive IPs** leaderboard shows the most active threat actors in the last 24 hours. - -[IP Search →](/u/console/ip_reputation/search_ui) - -### Advanced Search - -The [Advanced Search page](https://app.crowdsec.net/cti) supports Lucene queries with a live faceted filter panel (reputation, country, AS, behaviors, classifications). Use it for threat hunting, bulk investigation, or building targeted blocklists. - -[Advanced Search →](/u/console/ip_reputation/search_ui_advanced) -[Search Query Reference →](/u/cti_api/search_queries) - -### IP Report - -Clicking any IP opens a full report with its reputation, key metadata, behaviors, classifications, MITRE techniques, CVEs, and time-windowed scores. - -[IP Report →](/u/console/ip_reputation/ip_report) - -### Live Exploit Tracker - -The [Live Exploit Tracker ↗️](https://tracker.crowdsec.net/) is the evolution of the CVE Explorer — a dedicated platform for tracking vulnerabilities that are actively being exploited in the wild, powered by live data from the CrowdSec network. -:::info -It now resides outside the Console to provide a more focused experience and richer features, but remains fully accessible with the same CTI API key. 
-::: - -Beyond listing CVEs, it adds exploitation context that helps you **prioritize and act**: - -- **CrowdSec Score** — a SOC-oriented priority signal based on observed attack patterns -- **Opportunity Score** — how targeted vs. opportunistic the exploitation is (0 = mass automated scan, 5 = precisely targeted campaign) -- **Momentum Score** — whether exploitation volume is growing, stable, or declining -- **Exploitation Status** — from *early exploitation* to *background noise* -- **Timeline** — first/last seen, CVE publication, CISA KEV addition, and key events -- **Malicious IPs** — IPs actively exploiting a given CVE, with full CTI context, for threat hunting or direct blocklist integration - -[Explore the Live Exploit Tracker ↗️](https://tracker.crowdsec.net/) - ---- - -## API Access - -You can query the same data programmatically using a CTI API key and the [CTI REST API](/u/cti_api/intro). - -| Plan | Quota | Use case | -|---|---|---| -| **Free** | 40 queries / month | POC, low-traffic scripts | -| **Premium** | 120 queries / month | Regular enrichment, small integrations | -| **Premium Options** | 5K / 25K / 100K queries / month | Production integrations, SIEMs, SOARs | - -Manage your keys in the Console under **Settings → CTI API Keys**, or go straight to [app.crowdsec.net/settings/cti-api-keys](https://app.crowdsec.net/settings/cti-api-keys). - -[Get your first API key →](/u/console/ip_reputation/api_keys) -[Premium quotas →](/u/console/ip_reputation/api_keys_premium) - ---- - -:::tip Want the full technical reference? -For API endpoints, request/response schemas, integrations (SIEM, SOAR, TIP platforms), and data taxonomy, see the [CTI API documentation](/u/cti_api/intro). -::: +import Link from "@docusaurus/Link"; +import { ExternalLink } from "lucide-react"; + +export const BLUE = "#60a5fa"; +export const GREEN = "#22d3a0"; +export const PURPLE = "#a78bfa"; + +

+ Query behavioral intelligence on any IP — reputation scores, attack patterns, linked CVEs, and activity history — sourced from hundreds of thousands of real CrowdSec deployments worldwide. +

+ +{/* ── Row 1: two cards side by side ──────────────────────────────────── */} + +
+ + {/* Card 1: Web UI exploration (merged Search + IP Report) */} +
+
🔍
+
Explore in the Web UI
+
+ No setup needed. Search any IP directly from your browser — run Lucene queries with live faceted filters (reputation, country, AS, behaviors, classifications) and open any result to see its full report: threat score, behaviors mapped to MITRE ATT&CK, linked CVEs, and time-windowed activity. The homepage also surfaces a Top 10 Most Aggressive IPs leaderboard updated every 24h. +
+
+ IP Search → + Advanced Search → + IP Report → + Lucene Query Reference → +
+
+ + {/* Card 2: Enrich your Alerts (API Key) */} +
+
🔑
+
Enrich your Alerts
+
+ Unlock programmatic access to 30+ enrichment fields per IP — reputation, behaviors, CVEs, attack context, MITRE mappings, and more. Use it to enrich SIEM alerts, automate lookups, or feed threat intel platforms. Free tier included, no credit card needed. +
+ + {/* Quota rows */} +
+ {[ + { label: "Community", quota: "40 / month", desc: "ad-hoc lookups, proof of concept", color: GREEN }, + { label: "Premium", quota: "120 / month", desc: "regular enrichment, small integrations", color: BLUE }, + { label: "Premium Options", quota: "5K–100K / month", desc: "production SIEMs, SOARs, high-volume pipelines", color: PURPLE }, + ].map(({ label, quota, desc, color }) => ( +
+ {label} + {" — "} + {quota} + {" · "} + {desc} +
+ ))} +
+ +
+ API quotas are separate from Web UI quotas. Unused quota does not roll over. +
+ +
+ Create an API key → + Quotas & plans → + Data Taxonomy → + API Reference +
+
+ +
+ +{/* ── You might also be interested in: LET ───────────────────────────── */} + +
+
You might also be interested in
+
+
🚨
+
+ +
+ A dedicated platform tracking CVEs actively exploited in the wild — with exploitation momentum, opportunity scores, and the IPs behind each attack. Uses the same CTI API key. +
+ Explore the Live Exploit Tracker → +
+
+
diff --git a/crowdsec-docs/unversioned/console/stackhealth.mdx b/crowdsec-docs/unversioned/console/stackhealth.mdx index 3410b8ed4..a79276f24 100644 --- a/crowdsec-docs/unversioned/console/stackhealth.mdx +++ b/crowdsec-docs/unversioned/console/stackhealth.mdx @@ -4,7 +4,8 @@ title: Stack Health --- The **Stack Health** Feature is a monitoring tool within the CrowdSec Console helping you keep your infrastructure operational and properly configured. -Its primary goal is to identify configuration issues, connectivity problems, or potential misconfigurations that could impact your detection capabilities. +Its primary goal is to identify configuration issues, connectivity problems, or potential misconfigurations that could impact your detection capabilities. +*You can also do a manual health check of your stack by following this post installation [Health-Check guide](/u/getting_started/health_check).* --- diff --git a/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.md b/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.md deleted file mode 100644 index 7b0e0991b..000000000 --- a/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.md +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -id: integration_intro -title: Integrations ---- - -CrowdSec has developed native integrations for the most common security platforms so you can enrich your workflows with IP reputation data without writing any code. If your platform isn't listed, the API is a standard REST interface — you can query it directly with cURL, write your own scripts, or build custom playbooks in any SIEM, SOAR, or TIP that supports HTTP enrichment: - -```shell -curl -H "x-api-key: $API_KEY" https://cti.api.crowdsec.net/v2/smoke/1.2.3.4 | jq . -``` - -For the full API reference, see the [Swagger documentation](https://crowdsecurity.github.io/cti-api/). - ---- - -| Integration | Description | -|---------------------------|----------------------------------------| -| [Chrome](/cti_api/api_integration/integration_browser_chrome.md) | A Chrome extension which allows you to quickly search an IP on a web page | -| [Gigasheet](/cti_api/api_integration/integration_gigasheet.md) | Gigasheet's No-Code API-data-enrichment feature | -| [IntelOwl](/cti_api/api_integration/integration_intelowl.md) | IntelOwl is an open-source framework and platform for analyzing and processing threat intelligence data | -| [Maltego](/cti_api/api_integration/integration_maltego.md) | Maltego is a powerful and versatile data visualization and link analysis tool used primarily in the field of digital forensics, cybersecurity, and intelligence gathering | -| [MISP](/cti_api/api_integration/integration_misp.md) | MISP, short for Malware Information Sharing Platform & Threat Sharing, is an open-source threat intelligence platform designed to facilitate the sharing and collaboration | -| [MSTICpy](/cti_api/api_integration/integration_msticpy.md) | MSTICpy, short for Microsoft Threat Intelligence Python Security Tools and Common Practices, is an open-source Python library developed by Microsoft | -| [OpenCTI](/cti_api/api_integration/integration_opencti.md) | OpenCTI is an open-source threat intelligence 
platform that focuses on facilitating the collection, management, and analysis of cyber threat intelligence data | -| [PaloAlto XSOAR](/cti_api/api_integration/integration_paloalto_xsoar.md) | Palo Alto Networks Cortex XSOAR is a Security Orchestration, Automation, and Response (SOAR) platform | -| [QRadar](/cti_api/api_integration/integration_qradar.md) | QRadar is a widely-used Security Information and Event Management (SIEM) solution designed to provide comprehensive visibility into an organization's cybersecurity landscape | -| [Sekoia XDR](/cti_api/api_integration/integration_sekoia_xdr.md) | Sekoia XDR (Extended Detection and Response) is a cybersecurity platform that combines threat detection, incident response, and proactive threat hunting capabilities into a unified solution | -| [Splunk SIEM](/cti_api/api_integration/integration_splunk_siem.md) | Splunk Enterprise Security is a Security Information and Event Management (SIEM) solution that helps organizations centralize, analyze, and manage security-related data from various sources | -| [Splunk SOAR](/cti_api/api_integration/integration_splunk_soar.md) | Splunk SOAR (Security Orchestration, Automation, and Response) is a security platform designed to streamline and automate the incident response and security operations processes | -| [TheHive](/cti_api/api_integration/integration_thehive.md) | TheHive is an open-source, collaborative, and customizable Security Incident Response Platform (SIRP) designed to assist cybersecurity teams in managing and mitigating security incidents effectively | diff --git a/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.mdx b/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.mdx new file mode 100644 index 000000000..f04f9c4da --- /dev/null +++ b/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.mdx 
@@ -0,0 +1,24 @@ +--- +id: integration_intro +title: Integrations +--- + +import CtiIntegrationTile, { ctiIntegrations } from '@site/src/components/cti-integration-tile'; + +CrowdSec has native integrations for the most common security platforms — enrich your workflows with IP reputation data without writing any code. + +If your platform isn't listed, the API is a standard REST interface you can query directly: + +```shell +curl -H "x-api-key: $API_KEY" https://cti.api.crowdsec.net/v2/smoke/1.2.3.4 | jq . +``` + +For the full reference, see the [Swagger documentation](https://crowdsecurity.github.io/cti-api/). + +--- + +
+ {ctiIntegrations.map(({ name, slug, href, plugin, desc, color }) => ( + + ))} +
diff --git a/crowdsec-docs/unversioned/cti_api/intro.md b/crowdsec-docs/unversioned/cti_api/intro.md index 889eb4bb5..7754f9391 100644 --- a/crowdsec-docs/unversioned/cti_api/intro.md +++ b/crowdsec-docs/unversioned/cti_api/intro.md @@ -1,5 +1,5 @@ --- -id: intro +id: intro_old title: CrowdSec CTI - Cyber Threat Intelligence sidebar_position: 1 --- diff --git a/crowdsec-docs/unversioned/cti_api/intro.mdx b/crowdsec-docs/unversioned/cti_api/intro.mdx new file mode 100644 index 000000000..a51919f31 --- /dev/null +++ b/crowdsec-docs/unversioned/cti_api/intro.mdx @@ -0,0 +1,173 @@ +--- +id: intro +title: CrowdSec IP Reputation / CTI +sidebar_position: 1 +--- + +import Link from "@docusaurus/Link"; +import { ExternalLink } from "lucide-react"; +import CtiIntegrationTile, { ctiIntegrations } from '@site/src/components/cti-integration-tile'; + +export const BLUE = "#60a5fa"; +export const ORANGE = "#f97316"; +export const PURPLE = "#a78bfa"; + +{/* ── Hero ─────────────────────────────────────────────────────────────── */} + +

+ Understand the IPs behind attacks +

+

+

CrowdSec tracks malicious IPs across hundreds of thousands of real deployments worldwide. +
Every lookup gives you behavioral context — what the IP was doing, where, and when.

+

+ +{/* Quick access strip — same pattern as "Already running CrowdSec?" on the homepage */} +
+ Quick access +
+ 🔍 Look up an IP + 🔑 Get an API key + 🎯 Hunt for threats +
+
+ +{/* ── How do you want to use it? ──────────────────────────────────────── */} + +
+
Entry points
+
How do you want to use it?
+
+ {[ + { + badge: "🔍 No setup needed", icon: "🖥️", accent: BLUE, + title: "Web UI investigation - in the Console", + desc: "Search any IP instantly. Explore threat history and the top aggressive IPs in the last 24h — no API key needed.", + links: [{ label: "Web UI guide →", href: "/u/console/ip_reputation/intro" }, { label: "IP Report →", href: "/u/console/ip_reputation/ip_report" }], + }, + { + badge: "⚙️ Developer / SecOps", icon: "🔌", accent: ORANGE, + title: "Enrich Alerts via API", + desc: "Use the CTI API to add CrowdSec IP context to SIEM alerts, SOAR workflows, TIPs, scripts, and internal tools.", + links: [{ label: "API quickstart →", href: "/u/cti_api/api_introduction" }, { label: "All integrations →", href: "/u/cti_api/api_integration/integration_intro" }], + }, + { + badge: "🎯 Threat hunter", icon: "🚨", accent: PURPLE, + title: "Hunt active threats", + desc: "Advanced Search with live faceted filters — behavior, country, AS, CVE — to find campaigns or build blocklists.", + links: [{ label: "Advanced search →", href: "/u/console/ip_reputation/search_ui_advanced" }, { label: "Live Exploit Tracker →", href: "/u/tracker_api/intro" }], + }, + ].map(({ badge, icon, accent, title, desc, links }) => ( +
+
{badge}
+
{icon}
+
{title}
+
{desc}
+
+ {links.map(({ label, href }) => ( + {label} + ))} +
+
+ ))} +
+
+ +{/* ── Why CrowdSec CTI (informational, de-emphasized) ────────────────── */} + +
+
Why CrowdSec CTI
+

+ Most IP reputation services tell you an IP is "bad." CrowdSec tells you what it was doing — from real deployments, not honeypots. +

+
+ {[ + { icon: "🌍", title: "Real-world attack signals", desc: "CrowdSec intelligence is built from signals shared by real deployments across the Internet." }, + { icon: "🧠", title: "Behavioral, not just reputation", desc: "Brute-force, CVE exploitation, scan, credential stuffing — mapped to MITRE ATT&CK." }, + { icon: "⚡", title: "Real-time, not cached lists", desc: "Continuously updated with time-windowed scores showing if a threat is rising, stable, or decaying." }, + { icon: "🔬", title: "CVE-level exploit tracking", desc: "Live Exploit Tracker shows which CVEs are actively exploited, with momentum, opportunity, and malicious IP context." }, + ].map(({ icon, title, desc }) => ( +
+ {icon} + + {title} — {desc} + +
+ ))} +
+
+ +{/* ── Integrations ────────────────────────────────────────────────────── */} + +
+
Integrations
+
Already using one of these?
+

+ Jump straight to the integration guide — no need to read the full API docs first. +

+
+ {ctiIntegrations.map(({ name, slug, href, plugin, desc, color }) => ( + + ))} +
+ +
+
API access & quotas
+
+ {[ + { label: "Community Plan Free Key", quota: "40 / month", desc: "Ad-hoc lookups, proof of concept", color: "#22d3a0" }, + { label: "Premium Plan Free Key", quota: "120 / month", desc: "Regular enrichment, small integrations", color: BLUE }, + { label: "Premium Options", quota: "5K–100K / month", desc: "Production SIEMs, SOARs, high-volume pipelines", color: PURPLE }, + ].map(({ label, quota, desc, color }) => ( +
+
+ {label} + {quota} +
+
{desc}
+
+ ))} +
+
+ Web UI lookups do not consume API quota. Free tier resets monthly — unused queries don't roll over. +
+ Get your first API key → +
+
+ +{/* ── Technical details ───────────────────────────────────────────────── */} + +
+
Technical details
+
+ {[ + { icon: "📊", title: "Data Taxonomy", desc: "CTI Data structure, scores, behaviors and classifications", href: "/u/cti_api/taxonomy/intro" }, + { icon: "📚", title: "API Reference", desc: "Full endpoint reference with request/response schemas.", href: "https://crowdsecurity.github.io/cti-api/", external: true }, + { icon: "❓", title: "FAQ", desc: "Common questions about access, quotas, and data.", href: "/u/cti_api/faq" }, + ].map(({ icon, title, desc, href, external }) => ( + + {icon} +
+
+ {title}{external && } +
+
{desc}
+
+ + ))} +
+
+ +{/* ── Need help ───────────────────────────────────────────────────────── */} + +
+
+
Need help?
+
Get answers in Discord or check the FAQ.
+
+
+ 💬 Join Discord + ❓ View FAQ + 📚 API Reference +
+
diff --git a/crowdsec-docs/unversioned/integrations/intro.mdx b/crowdsec-docs/unversioned/integrations/intro.mdx index 25e8900e5..ab41909e5 100644 --- a/crowdsec-docs/unversioned/integrations/intro.mdx +++ b/crowdsec-docs/unversioned/integrations/intro.mdx @@ -11,6 +11,7 @@ import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; import CodeBlock from '@theme/CodeBlock'; import UnderlineTooltip from '@site/src/components/underline-tooltip'; +import IntegrationTile, { firewallIntegrations } from '@site/src/components/integration-tile'; CrowdSec Blocklist Integrations — also known as **Blocklist as a Service** — give you a secure, hosted HTTPS endpoint serving live blocklists that you configure your firewall or security tool to pull from. @@ -41,27 +42,37 @@ Pulling more frequently than the allowed interval for your plan will result in H ## Available integrations + ### Firewall integrations Each vendor page explains how to create the integration in the CrowdSec Console and includes a link to the vendor's own documentation on how to configure ingestion on the firewall side. -| Firewall | Vendor feature name | -|---|---| -| [Checkpoint](integrations/checkpoint.mdx) | Custom Intelligence (IoC) Feeds | -| [Cisco](integrations/cisco.mdx) | Security Intelligence feeds | -| [F5](integrations/f5.mdx) | External IP blocklist / Feed lists | -| [Fortinet](integrations/fortinet.mdx) | IP address Threat Feeds | -| [Juniper](integrations/juniper.mdx) | Security Dynamic Address feeds | -| [Mikrotik](integrations/mikrotik.mdx) | — | -| [OPNsense](integrations/opnsense.mdx) | URL Table (IPs) aliases | -| [Palo Alto](integrations/paloalto.mdx) | External Dynamic Lists (EDL) | -| [pfSense](integrations/pfsense.mdx) | URL Table (IPs) aliases | -| [Sophos](integrations/sophos.mdx) | Third-Party Threat Feeds | +
+ {firewallIntegrations.map(({ name, slug, href, desc, color }) => ( + + ))} +
### Other integrations -- [Raw IP List](integrations/rawiplist.mdx) — generic format, works with any HTTP-capable device -- [Remediation Component](integrations/remediationcomponent.mdx) — for platforms without native IP list ingestion (Cloudflare, AWS WAF, etc.) +
+ + One IP per line — compatible with virtually any firewall, router, or HTTP-capable device + + + Extends blocklist handling to platforms without native ingestion (Cloudflare, AWS WAF, …) via CrowdSec Remediation Components + +
## Setup a Blocklist Integration Endpoint