update LET docs, vendors

Author: buixor

crowdsec-docs/unversioned/tracker_api/api_cves.mdx

@@ -315,6 +315,10 @@ curl -X 'GET' \
 
 You can subscribe and unsubscribe firewall integrations to specific CVEs via the API. See [Integrations & Blocklists](./api_integrations) for full details on creating and managing integrations.
 
+:::tip
+For broader coverage, consider subscribing to a **vendor** instead of individual CVEs. A vendor subscription automatically covers all current and future CVEs and reconnaissance rules for that vendor's products. See [Vendor Subscriptions](./api_lookups#subscribe-an-integration-to-a-vendor).
+:::
+
 ### Subscribe an Integration to a CVE
 
 ```

crowdsec-docs/unversioned/tracker_api/api_fingerprints.mdx

@@ -204,6 +204,10 @@ curl -X 'GET' \
 
 ## Manage Fingerprint Integration Subscriptions
 
+:::tip
+For broader coverage, consider subscribing to a **vendor** instead of individual fingerprint rules. A vendor subscription automatically covers all current and future CVEs and reconnaissance rules for that vendor's products. See [Vendor Subscriptions](./api_lookups#subscribe-an-integration-to-a-vendor).
+:::
+
 ### Subscribe an Integration
 
 ```

crowdsec-docs/unversioned/tracker_api/api_integrations.mdx

@@ -6,7 +6,11 @@ title: Integrations & Blocklists
 import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
 
-Integrations are the bridge between CrowdSec's threat intelligence and your security infrastructure. An integration generates a blocklist of attacker IPs that your firewall can consume. You subscribe integrations to specific CVEs or fingerprint rules, and the blocklist automatically updates as new attacker IPs are observed.
+Integrations are the bridge between CrowdSec's threat intelligence and your security infrastructure. An integration generates a blocklist of attacker IPs that your firewall can consume. You subscribe integrations to specific CVEs, fingerprint rules, or entire vendors, and the blocklist automatically updates as new attacker IPs are observed.
+
+:::tip Vendor Subscriptions
+Instead of subscribing to CVEs and fingerprint rules one by one, you can subscribe an integration to a **vendor**. This automatically covers all current and future CVEs and reconnaissance rules for that vendor's products. See [Vendors, Products & Tags](./api_lookups#subscribe-an-integration-to-a-vendor) for details.
+:::
 
 ## Supported Output Formats
 
@@ -114,6 +118,7 @@ The integration credentials (API key or username/password depending on type) are
 | `output_format` | string | Blocklist format (see table above) |
 | `cves` | array | CVE subscriptions (each with `id`) |
 | `fingerprints` | array | Fingerprint rule subscriptions |
+| `vendors` | array | Vendor subscriptions (each with `id`). Subscribing to a vendor automatically covers all current and future CVEs and reconnaissance rules for that vendor. |
 | `blocklists` | array | Blocklist subscriptions |
 | `endpoint` | string | URL for fetching the integration's blocklist content |
 | `stats` | object | Statistics including `count` (number of IPs in the blocklist) |
@@ -291,7 +296,7 @@ except HTTPStatusError as e:
 </TabItem>
 </Tabs>
 
-Use the `force=true` query parameter to delete an integration even if it has active CVE or fingerprint subscriptions.
+Use the `force=true` query parameter to delete an integration even if it has active CVE, fingerprint, or vendor subscriptions.
 
 ## Get Integration Content (Blocklist)
 
@@ -323,29 +328,38 @@ This is compatible with CrowdSec's remediation component protocol.
 
 ## End-to-End Workflow
 
-Here's a complete example: create an integration, subscribe it to a CVE and a fingerprint rule, and verify the blocklist.
+Here's a complete example: create an integration, subscribe it to a vendor, a CVE, and a fingerprint rule, and verify the blocklist.
 
 ```bash
 # 1. Create a plain text integration
 curl -X 'POST' 'https://admin.api.crowdsec.net/v1/integrations' \
   -H 'x-api-key: ${KEY}' -H 'Content-Type: application/json' \
   -d '{"name": "demo_blocklist", "description": "Demo", "entity_type": "firewall_integration", "output_format": "plain_text"}'
 
-# 2. Subscribe to a CVE
+# 2. Subscribe to a vendor (covers all current and future CVEs + recon rules for that vendor)
+curl -X 'POST' 'https://admin.api.crowdsec.net/v1/vendors/Microsoft/integrations' \
+  -H 'x-api-key: ${KEY}' -H 'Content-Type: application/json' \
+  -d '{"name": "demo_blocklist"}'
+
+# 3. Subscribe to an additional individual CVE (for a vendor you haven't subscribed to)
 curl -X 'POST' 'https://admin.api.crowdsec.net/v1/cves/CVE-2024-25600/integrations' \
   -H 'x-api-key: ${KEY}' -H 'Content-Type: application/json' \
   -d '{"name": "demo_blocklist"}'
 
-# 3. Subscribe to a fingerprint rule
+# 4. Subscribe to an additional fingerprint rule
 curl -X 'POST' 'https://admin.api.crowdsec.net/v1/fingerprints/microsoft-exchange/integrations' \
   -H 'x-api-key: ${KEY}' -H 'Content-Type: application/json' \
   -d '{"name": "demo_blocklist"}'
 
-# 4. Fetch the blocklist (using integration credentials)
+# 5. Fetch the blocklist (using integration credentials)
 curl 'https://admin.api.crowdsec.net/v1/integrations/INTEGRATION_ID/content' \
   -H 'x-api-key: INTEGRATION_API_KEY'
 ```
 
+:::tip
+Vendor subscriptions are the simplest way to get broad coverage. Subscribe to the vendors in your technology stack, then add individual CVE or fingerprint subscriptions only for threats outside those vendors.
+:::
+
 ## Next Steps
 
 Once your integration is created and subscribed, configure your firewall to fetch the blocklist URL at regular intervals. See the [CrowdSec Integrations documentation](https://docs.crowdsec.net/u/integrations/intro) for vendor-specific setup guides.

crowdsec-docs/unversioned/tracker_api/api_lookups.mdx

@@ -116,6 +116,85 @@ curl -X 'GET' \
   -H 'x-api-key: ${KEY}'
 ```
 
+### Subscribe an Integration to a Vendor
+
+Subscribing an integration to a vendor automatically covers **all current and future CVEs and reconnaissance rules** for that vendor's products. When a new CVE or reconnaissance rule is added for the vendor, the integration's blocklist is updated automatically — no action needed on your part.
+
+```
+POST /v1/vendors/{vendor}/integrations
+```
+
+<Tabs
+  defaultValue="curl"
+  groupId="tracker-api-lookups-selection"
+  values={[
+    { label: 'cURL', value: 'curl' },
+    { label: 'Python', value: 'python' },
+  ]
+}>
+<TabItem value="curl">
+
+```bash
+curl -X 'POST' \
+  'https://admin.api.crowdsec.net/v1/vendors/Microsoft/integrations' \
+  -H 'accept: application/json' \
+  -H 'x-api-key: ${KEY}' \
+  -H 'Content-Type: application/json' \
+  -d '{"name": "production_firewall"}'
+```
+
+</TabItem>
+<TabItem value="python">
+
+```python
+import os
+import httpx
+
+KEY = os.getenv("CROWDSEC_TRACKER_API_KEY")
+headers = {"x-api-key": KEY, "accept": "application/json", "Content-Type": "application/json"}
+
+response = httpx.post(
+    "https://admin.api.crowdsec.net/v1/vendors/Microsoft/integrations",
+    headers=headers,
+    json={"name": "production_firewall"},
+)
+response.raise_for_status()
+print("Subscribed to Microsoft")
+```
+
+</TabItem>
+</Tabs>
+
+:::tip
+Vendor subscriptions are the simplest way to get broad coverage for your technology stack. Subscribe to the vendors you rely on, and you'll automatically be protected against all tracked threats for their products — including new ones added in the future.
+:::
+
+### List Subscribed Integrations for a Vendor
+
+```
+GET /v1/vendors/{vendor}/integrations
+```
+
+```bash
+curl -X 'GET' \
+  'https://admin.api.crowdsec.net/v1/vendors/Microsoft/integrations' \
+  -H 'accept: application/json' \
+  -H 'x-api-key: ${KEY}'
+```
+
+### Unsubscribe an Integration from a Vendor
+
+```
+DELETE /v1/vendors/{vendor}/integrations/{integration_name}
+```
+
+```bash
+curl -X 'DELETE' \
+  'https://admin.api.crowdsec.net/v1/vendors/Microsoft/integrations/production_firewall' \
+  -H 'accept: application/json' \
+  -H 'x-api-key: ${KEY}'
+```
+
 ## Products
 
 Products are specific software applications (e.g., Exchange Server, BIG-IP, WordPress).
@@ -155,4 +234,4 @@ These lookup endpoints are particularly useful for:
 - **Asset-based monitoring**: "Show me all tracked threats for the products in my technology stack."
 - **Coverage assessment**: "How many vulnerabilities affecting WordPress does CrowdSec track?"
 - **Reporting**: "What's the overall threat landscape for enterprise software this month?"
-- **Automation**: Build scripts that automatically subscribe integrations to all new CVEs for your vendor ecosystem.
+- **Vendor subscriptions**: Subscribe an integration to your vendors and automatically receive blocklist coverage for all their current and future CVEs and reconnaissance rules — no scripting required.

crowdsec-docs/unversioned/tracker_api/fingerprints_vs_cves.mdx

@@ -65,7 +65,7 @@ Fingerprint rules fill a critical gap:
 | Firewall integration subscriptions | ✅ | ✅ |
 | CVSS score | ✅ | — |
 | CWE classification | ✅ | — |
-| CrowdSec Analysis narrative | ✅ | — |
+| CrowdSec Analysis narrative | ✅ | ✅ |
 | CVE events timeline | ✅ | — |
 
 ## Using Them Together

crowdsec-docs/unversioned/tracker_api/guide_proactive.mdx

@@ -48,16 +48,35 @@ curl -X 'GET' \
   -H 'x-api-key: ${KEY}'
 ```
 
-## Step 3: Set Up Fingerprint Monitoring
+## Step 3: Subscribe to Your Vendors
 
-[Fingerprint rules](./fingerprints_vs_cves) give you broad coverage for product families. Even if a new CVE drops tomorrow for Exchange, the "Microsoft Exchange Probing" fingerprint rule already captures reconnaissance activity.
+The simplest way to get broad, ongoing coverage is to subscribe your integration to the **vendors** in your technology stack. A vendor subscription automatically covers all current and future CVEs and reconnaissance rules for that vendor's products — when a new threat is added, your blocklist is updated without any action on your part.
 
-1. Identify fingerprint rules matching your products
-2. Create a firewall integration (if you don't have one)
-3. Subscribe the integration to relevant fingerprint rules
+1. Create a firewall integration (if you don't have one) — see [Integrations & Blocklists](./api_integrations)
+2. Subscribe the integration to each vendor you rely on
 
 ```bash
-# Subscribe to Microsoft Exchange probing detection
+# Subscribe to all Microsoft threats
+curl -X 'POST' \
+  'https://admin.api.crowdsec.net/v1/vendors/Microsoft/integrations' \
+  -H 'accept: application/json' \
+  -H 'x-api-key: ${KEY}' \
+  -H 'Content-Type: application/json' \
+  -d '{"name": "production_firewall"}'
+
+# Subscribe to all Citrix threats
+curl -X 'POST' \
+  'https://admin.api.crowdsec.net/v1/vendors/Citrix/integrations' \
+  -H 'accept: application/json' \
+  -H 'x-api-key: ${KEY}' \
+  -H 'Content-Type: application/json' \
+  -d '{"name": "production_firewall"}'
+```
+
+For threats outside your subscribed vendors, you can also subscribe to individual [fingerprint rules](./fingerprints_vs_cves) or CVEs:
+
+```bash
+# Subscribe to a specific reconnaissance rule
 curl -X 'POST' \
   'https://admin.api.crowdsec.net/v1/fingerprints/microsoft-exchange/integrations' \
   -H 'accept: application/json' \
@@ -68,7 +87,7 @@ curl -X 'POST' \
 
 ## Step 4: Monitor New and Trending CVEs
 
-Check the tracker regularly (or automate it) for new CVEs affecting your stack:
+If you've subscribed to your vendors (Step 3), new CVEs are automatically covered in your blocklist. However, you'll still want to monitor the threat landscape for situational awareness and to inform patching priorities:
 
 ```bash
 # Get the latest detection rules, sorted by release date
@@ -88,7 +107,7 @@ For each new CVE that affects your products:
 
 1. Check the **CrowdSec Score** and **Exploitation Phase**
 2. Read the **CrowdSec Analysis** for exploitation context
-3. Subscribe your integration if the threat warrants immediate blocklist protection
+3. If the CVE is from a vendor you've subscribed to, your blocklist is already protecting you. If not, subscribe the integration to the CVE directly.
 4. Open a patching ticket with the appropriate priority
 
 ## Step 5: Build a Monitoring Script
@@ -137,6 +156,6 @@ for alert in sorted(alerts, key=lambda x: x["score"], reverse=True):
 The Live Exploit Tracker API can feed data into:
 
 - **SIEM**: Enrich alerts with CrowdSec Scores and exploitation context. When your SIEM fires an alert for a CVE, automatically look up the CrowdSec intelligence to assign priority.
-- **SOAR**: Build playbooks that automatically create blocklist subscriptions when a new high-severity CVE is detected for your products.
+- **SOAR**: Build playbooks that react to new high-severity CVEs. If you're using vendor subscriptions, the blocklist is already covered — your playbook can focus on escalation, ticket creation, and patching workflows.
 - **Vulnerability Management**: Correlate your vulnerability scanner findings with real-world exploitation data to reorder your patch queue.
 - **Reporting Dashboards**: Pull scores and phase data into your security dashboard to give leadership a real-time view of the threat landscape.

crowdsec-docs/unversioned/tracker_api/guide_triage.mdx

@@ -87,9 +87,10 @@ Based on what you've found:
 
 If the situation calls for immediate mitigation:
 
-1. **Create a firewall integration** (if you don't have one) — see [Integrations & Blocklists](./api_integrations)
-2. **Subscribe it to the CVE** — either via the web interface or API
-3. Your firewall will start blocking known attacker IPs automatically
+1. **Check your vendor subscriptions first** — if you've already subscribed an integration to this CVE's vendor, your blocklist is already covering this threat automatically.
+2. If not, **create a firewall integration** (if you don't have one) — see [Integrations & Blocklists](./api_integrations)
+3. **Subscribe it to the CVE** (or to the vendor for broader coverage) — either via the web interface or API
+4. Your firewall will start blocking known attacker IPs automatically
 
 This buys you time while you schedule and deploy the patch.
 

crowdsec-docs/unversioned/tracker_api/overview.mdx

@@ -38,7 +38,7 @@ Each tracked CVE also includes a **CrowdSec Analysis** — a human-readable inte
 Once you've identified a threat, the tracker lets you act on it:
 
 - **IP Intelligence**: View every IP address observed exploiting a specific CVE or probing a specific product, enriched with CTI data including reputation, geolocation, known classifications, and behavioral history.
-- **Firewall Integrations**: Create blocklists that automatically feed malicious IPs into your firewalls (Palo Alto, FortiGate, Cisco, pfSense, OPNsense, and more). Subscribe an integration to one or more CVEs, and the blocklist stays current as new attacker IPs are observed.
+- **Firewall Integrations**: Create blocklists that automatically feed malicious IPs into your firewalls (Palo Alto, FortiGate, Cisco, pfSense, OPNsense, and more). Subscribe an integration to entire vendors, specific CVEs, or reconnaissance rules, and the blocklist stays current as new attacker IPs are observed. Vendor subscriptions automatically cover all current and future threats for that vendor's products.
 
 ### Beyond CVEs: Reconnaissance Rules
 

crowdsec-docs/unversioned/tracker_api/web_interface.mdx

@@ -189,7 +189,7 @@ Each vendor card displays:
 
 Use the **search bar** to find a specific vendor and the **Sort by** dropdown to order by Most IPs, Most CVEs, or alphabetically.
 
-Clicking a vendor card shows all CVEs and Reconnaissance rules affecting their products.
+Clicking a vendor card shows all CVEs and Reconnaissance rules affecting their products. From the vendor detail page, you can **subscribe a firewall integration to the vendor**, which automatically covers all current and future CVEs and reconnaissance rules for that vendor's products.
 
 ![Vendors Page](/img/exploit-tracker/vendors.png)
 
@@ -211,15 +211,17 @@ Each integration card shows:
 2. Choose a name and select the output format matching your firewall vendor
 3. Save the integration and **securely store the generated credentials** — they are only shown once
 
-### Subscribing to CVEs and Reconnaissance Rules
+### Subscribing to Vendors, CVEs, and Reconnaissance Rules
 
-There are two ways to subscribe:
+There are several ways to subscribe an integration:
+
+**Subscribe to a vendor** (recommended for broad coverage): From a vendor's detail page, click the **SUBSCRIBE TO FIREWALL** button. This subscribes the integration to **all current and future** CVEs and reconnaissance rules for that vendor's products. When a new threat is added for the vendor, your blocklist is updated automatically.
 
 **From the CVE/Recon detail page**: Click the **SUBSCRIBE TO FIREWALL** button in the top right of any CVE or Reconnaissance rule detail page, then select the integration to subscribe.
 
 **From the Remediation & Protection section**: Scroll to the bottom of a CVE detail page and click **Subscribe** under the Firewall Integration card.
 
-The integration's blocklist will now include all IPs observed exploiting that CVE or matching that Reconnaissance rule. As new IPs are observed, they are automatically added.
+The integration's blocklist will now include all IPs observed exploiting the subscribed CVEs, matching the subscribed Reconnaissance rules, or targeting the subscribed vendors' products. As new IPs are observed, they are automatically added.
 
 ### Consuming the Blocklist