updating content continues

Author: jdv

crowdsec-docs/static/img/console_create_api_key_dropdown_dark.png

@@ -8,44 +8,45 @@ import AcademyPromo from '@site/src/components/academy-promo';
 import ThemedImage from "@theme/ThemedImage";
 import useBaseUrl from "@docusaurus/useBaseUrl";
 
-## Your first CTI Key
-
-### Sign Up
-
-Head over to the [CrowdSec Console](https://app.crowdsec.net/signup) and sign up for a new account.
-
-<a href="https://app.crowdsec.net/signup" target="_blank">
-    <ThemedImage
-        alt="CrowdSec Signup Screen"
-        sources={{
-            light: useBaseUrl("/img/console_login_light.png"),
-            dark: useBaseUrl("/img/console_login_dark.png"),
-        }}
-    />
-</a>
-
-## Getting an API Key
-
-When you are authenticated you can click the `+` button in the top right hand corner near your profile icon to create a new API key.
-
-<ThemedImage
-    alt="CrowdSec Create API Key Dropdown"
-    sources={{
-        light: useBaseUrl("/img/console_create_api_key_dropdown_light.png"),
-        dark: useBaseUrl("/img/console_create_api_key_dropdown_dark.png"),
-    }}
-/>
-
-On the next page you can create an API key by clicking the `+ New Key` button.
-
+## Create CTI API Keys
+<div style={{display: 'flex', gap: '2rem', alignItems: 'flex-start'}}>
+  <div style={{flex: '1'}}>
+  * Click the `+` in the top right corner.  
+  * Alternatively you can also click the `+ New Key` in the **Settings → CTI API Keys** page.
+  </div>
+  <div style={{flex: '0 0 50%'}}>
+  <ThemedImage
+      alt="CrowdSec Create API Key Dropdown"
+      sources={{
+          light: useBaseUrl("/img/console_create_api_key_dropdown_light.png"),
+          dark: useBaseUrl("/img/console_create_api_key_dropdown_dark.png"),
+      }}
+  />
+  </div>
+</div>
+
+<hr/>
+
+<div style={{display: 'flex', gap: '2rem', alignItems: 'flex-start'}}>
+  <div style={{flex: '1'}}>
+There, you can chose among the various quotas options. We provide a free key in order to test your integrations.
+:::info
+The free quota will be better if your organization is Premium than if it's on the free Community plan.
+:::
+:::info
+Only Premium orgizations can buy keys with higher quotas. See [Premium API Keys](/u/console/ip_reputation/api_keys_premium) for more details.
+:::
+  </div>
+  <div style={{flex: '0 0 50%'}}>
 <ThemedImage
     alt="CrowdSec Create API Key Page"
     sources={{
-        light: useBaseUrl("/img/console_create_api_key_page_light.png"),
-        dark: useBaseUrl("/img/console_create_api_key_page_dark.png"),
+        light: useBaseUrl("/img/console_create_api_key_form_light.png"),
+        dark: useBaseUrl("/img/console_create_api_key_form_dark.png"),
     }}
 />
-
+  </div>
+</div>
 ## Accessing the API
 
 ### cURL

crowdsec-docs/static/img/console_create_api_key_dropdown_light.png

@@ -1,10 +1,76 @@
 ---
 id: intro
-title: IP Reputation
-description: Explore CrowdSec IP Reputation
+title: IP Reputation / CTI
+description: Explore and query CrowdSec's IP Reputation data and manage CTI API keys from the Console.
 ---
 
-// Via the console you can query and explore CrowdSec IP Reputation data. You can also manage CTI API keys that will be used in the integration we created by CrowdSec for various SIEM/SOAR/TIP platforms or your own playbooks and scripts.
-// links to the various sub pages
-// if you want more technical details, check the technical CTI API documentation (linking to the main IP Reputation/CTI section's taxonomy page)
+CrowdSec's **IP Reputation / CTI** section of the Console gives you access to the world's largest crowdsourced threat intelligence network. 
 
+From the Console you can:
+- **Investigate IPs** directly in the Web UI — no code required
+- **Explore Specific Classifications** with search queries
+- **Query at scale** using the CTI REST API with a managed API key
+
+---
+
+## Web UI Features
+
+### IP Search
+
+The [CTI home page](https://app.crowdsec.net/cti) lets you search any IP address or run Lucene queries against the threat database. Predefined searches give quick access to common patterns, and the **Top 10 Most Aggressive IPs** leaderboard shows the most active threat actors in the last 24 hours.
+
+[IP Search →](/u/console/ip_reputation/search_ui)
+
+### Advanced Search
+
+The [Advanced Search page](https://app.crowdsec.net/cti) supports Lucene queries with a live faceted filter panel (reputation, country, AS, behaviors, classifications). Use it for threat hunting, bulk investigation, or building targeted blocklists.
+
+[Advanced Search →](/u/console/ip_reputation/search_ui_advanced)  
+[Search Query Reference →](/u/cti_api/search_queries)
+
+### IP Report
+
+Clicking any IP opens a full report with its reputation, key metadata, behaviors, classifications, MITRE techniques, CVEs, and time-windowed scores.
+
+[IP Report →](/u/console/ip_reputation/ip_report)
+
+### Live Exploit Tracker
+
+The [Live Exploit Tracker ↗️](https://tracker.crowdsec.net/) is the evolution of the CVE Explorer — a dedicated platform for tracking vulnerabilities that are actively being exploited in the wild, powered by live data from the CrowdSec network.
+:::info
+It now resides outside the Console to provide a more focused experience and richer features, but remains fully accessible with the same CTI API key.
+:::
+
+Beyond listing CVEs, it adds exploitation context that helps you **prioritize and act**:
+
+- **CrowdSec Score** — a SOC-oriented priority signal based on observed attack patterns
+- **Opportunity Score** — how targeted vs. opportunistic the exploitation is (0 = mass automated scan, 5 = precisely targeted campaign)
+- **Momentum Score** — whether exploitation volume is growing, stable, or declining
+- **Exploitation Status** — from *early exploitation* to *background noise*
+- **Timeline** — first/last seen, CVE publication, CISA KEV addition, and key events
+- **Malicious IPs** — IPs actively exploiting a given CVE, with full CTI context, for threat hunting or direct blocklist integration
+
+[Explore the Live Exploit Tracker ↗️](https://tracker.crowdsec.net/)
+
+---
+
+## API Access
+
+You can query the same data programmatically using a CTI API key and the [CTI REST API](/u/cti_api/intro).
+
+| Plan | Quota | Use case |
+|---|---|---|
+| **Free** | 40 queries / month | POC, low-traffic scripts |
+| **Premium** | 120 queries / month | Regular enrichment, small integrations |
+| **Premium Options** | 5K / 25K / 100K queries / month | Production integrations, SIEMs, SOARs |
+
+Manage your keys in the Console under **Settings → CTI API Keys**, or go straight to [app.crowdsec.net/settings/cti-api-keys](https://app.crowdsec.net/settings/cti-api-keys).
+
+[Get your first API key →](/u/console/ip_reputation/api_keys)   
+[Premium quotas →](/u/console/ip_reputation/api_keys_premium)
+
+---
+
+:::tip Want the full technical reference?
+For API endpoints, request/response schemas, integrations (SIEM, SOAR, TIP platforms), and data taxonomy, see the [CTI API documentation](/u/cti_api/intro).
+:::

crowdsec-docs/static/img/console_create_api_key_form_dark.png

@@ -3,33 +3,58 @@ id: search_ui
 title: Search UI
 ---
 
-import ConsolePromo from '@site/src/components/console-promo';
-
-# Getting Started
-
-The CrowdSec Console provides a range of tools designed to bolster your infrastructure's security. We offer a range of features that can be tailored to your specific needs, including the ability to manage your Security Engines, subscribe to CrowdSec CTI, and integrate blocklists.
-
-Depending on your use case you may want to start with the following guides:
-
-<ConsolePromo
-    title="CrowdSec Security Engine"
-    description="The CrowdSec Security Engine is a powerful, open-source software for detecting and blocking malicious IPs, safeguarding both infrastructure and application security."
-    image="Hero Security Engine.png"
-    link="/u/getting_started/post_installation/console/"
-/>
-<br/>
-<ConsolePromo
-    title="CrowdSec CTI"
-    description="CrowdSec Cyber Threat Intelligence is the largest and most diverse CTI network on earth, delivering key contextualized and curated benchmarking insights from real users across the globe."
-    image="Hero CTI Engine.png"
-    link="/u/cti_api/getting_started/"
-/>
-<br/>
-<ConsolePromo
-    title="CrowdSec Blocklists"
-    description="Get immediate protection against active malicious IPs with CrowdSec’s actionable and real-time Blocklists."
-    image="Hero Blocklists.png"
-    link="/u/blocklists/getting_started/"
-/>
-<br/>
-If you're new to CrowdSec, we recommend starting with the [Security Engine](/getting_started/introduction.mdx) guide, however, if you are unsure where to start, feel free to browse our [main website for more information](https://www.crowdsec.net/).
+Welcome to **CrowdSec’s Cyber Threat Intelligence (CTI)**!   
+This guide will help you navigate the **CTI Web UI** and make the most of its features, from searching for IP details to exploring real-time threat insights. Let’s get started!
+
+> You can access CrowdSec's CTI via our **Web UI** on the [**CTI Home page** ↗️](https://app.crowdsec.net/cti)
+> Or [Create a **CTI API key** and use our **CTI API**](/u/cti_api/api_getting_started)
+
+## Features on the CTI Web UI
+
+The **CTI home page** is designed to give you instant access to valuable **threat intelligence**. There’s what you’ll find:
+<!-- Not using bullet points to avoid VS annoying auto table of content "fix" -->
+[An IP or Query search bar](#search-bar)
+[A shortcut to search your own IP](#check-your-own-ip)
+[Predefined query to explore our CTI](#predefined-searches)
+[A top 10 of the most agressive IPs](#top-10-most-aggressive-ips)
+
+### Search Bar
+
+A powerful search bar at the top of the page allows you to:
+
+-   Search for any IP address to see detailed information about its activity, risk level, and geolocation. (Example: `192.168.0.0`)
+-   Use Lucene queries for more advanced searches to filter data based on specific criteria, such as threat type or country. _Example queries:_
+    -   `reputation:malicious`
+    -   `behaviors.label:"HTTP Bruteforce" AND location.country:"FR"`
+
+![CTI Search Bar](/img/console/cti/searchbar.png)
+
+### Check Your Own IP
+
+A dedicated button lets you check the details of your own IP address with one click.
+When clicked, this feature automatically redirects you to your IP detail page.
+
+![Search Check own IP button](/img/console/cti/searchbar_check_ip_button.png)
+
+### Predefined Searches
+
+To save time, the home page offers predefined searches showcasing typical use cases. These searches are built with Lucene queries and allow you to explore. Each predefined query is clickable, leading to a results page where you can further refine or explore the data.
+
+![CTI Featured Searches](/img/console/cti/featured_searches.png)
+
+### Top 10 Most Aggressive IPs
+
+A dynamic leaderboard displays the top 10 most aggressive IPs observed by CrowdSec in the last 24 hours. Each entry includes:
+
+-   The IP address.
+-   The attack type (e.g., brute force, DDoS).
+-   The geographical location of the IP.
+-   The IP range
+-   The AS
+-   The background noise level (More info [here](https://doc.crowdsec.net/u/console/alerts/background_noise))
+
+Clicking on an IP in the list takes you to its detail page, where you can explore its full profile.
+
+![Top 10 IPs](/img/console/cti/top_ten_ips.png)
+
+> Start exploring the CTI home page [here](https://app.crowdsec.net/cti) and discover the latest threat intelligence to protect your infrastructure.

crowdsec-docs/static/img/console_create_api_key_form_light.png

@@ -31,5 +31,8 @@ When querying the CTI API about a given IP, you will get to know more about:
 
 ## How to access it
 
-See the [getting started](/cti_api/api_getting_started.mdx) section to see how to get your API key and start exploring data.
-The [console](https://app.crowdsec.net) can also show a lighter version of the CTI API data.
+See the [getting started](/u/cti_api/api_getting_started) section to see how to get your API key and start exploring data.
+
+API keys are managed in the Console under **Settings → CTI API Keys**: [app.crowdsec.net/settings/cti-api-keys](https://app.crowdsec.net/settings/cti-api-keys). See [API Keys](/u/console/ip_reputation/api_keys) for step-by-step instructions.
+
+For a no-code interface to the same data, see the [IP Reputation section of the Console](/u/console/ip_reputation/intro).