,
+ accent: ORANGE,
+ title: "Detect & Block attacks on my servers",
+ desc: "Locally identify and ban bad behaving IPs observed in your logs and requests with CrowdSec Detection Scenarios, and Virtual-Patching Collections.",
+ pill: "Security Engine",
+ href: "/security-engine",
+ aka: ["IDPS", "WAF", "CrowdSec FOSS"],
+ },
+ {
+ icon: 
,
+ accent: GREEN,
+ title: "Push a Blocklists into my firewall, CDN or WAF",
+ desc: "You manage network perimeter devices and want a URL to subscribe to — no agent to install.",
+ pill: "Blocklist Integration Endpoint",
+ href: "/blocklists",
+ aka: ["Threat Feeds", "IOC Streams", "Deny-list"],
+ },
+ {
+ icon: 
,
+ accent: BLUE,
+ title: "Investigate IPs Behaviors and Enrich Alerts",
+ desc: "You're a security analyst or developer who wants IP context, behaviors, CVEs, Aggressivity... In a browser or via REST API.",
+ pill: "IP Reputation & CTI",
+ href: "/u/cti_api/intro",
+ aka: ["IoC Lookup", "Threat Intel"],
+ },
+];
+
+const schemas: Omit
-
+
+
- {/* Search Section */}
+ {/* Search */}
-
- 
-
+ {/* Hero */}
+
-
- CrowdSec Documentation
-- Pronounced: Krowd-Sek [/kraʊd-sek/] -
-- Community-driven security that unifies detection, blocklists, and threat intel for modern - infrastructure. -
-
-
+
+ Find the right
+
+
+ Find the right
+
+ CrowdSec tool for you
+
+ + IDPS/WAF | Blocklist feeds | IP Reputation +
@@ -110,78 +529,206 @@ const HomePage = () => {
- {/* Product Selection */}
-
-
- Choose your starting point -
-- Each path links to setup, how-tos, and reference docs. -
- -
- {products.map((product) => (
-
+
- {/* Help Section */}
-
-
+
+ I want to…
+
+
+ {intents.map((i) => (
+
+
+ {/* Existing user strip */}
+
+
+ Already running CrowdSec?
+
+
+ {[
+ { label: "🖥️ Open the Console", href: "https://app.crowdsec.net", external: true },
+ { label: "🛡️ Activate the WAF", href: "/docs/next/appsec/intro" },
+ { label: "📊 Measure what is being Blocked", href: "/u/console/remediation_metrics" },
+ { label: "🩺 Check my Stack Health", href: "/u/console/stackhealth" },
+ ].map(({ label, href, external }) => (
+
+ {label}
+ {external &&
+
-
- Not sure where to start? -
-- Answer a few questions and get a recommended path with install steps for your stack. -
-
-
-
-
-
-
-
+ {/* How each path works — accordion */}
+
+
- {/* Quick Links */}
-
-
+ toggleSchema(s.id)} />
+ ))}
+ 💡 how each path works
+
+
+ {schemas.map((s) => (
+
-
-Popular Docs
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+ {/* Not sure / fallback */}
+
+
+
+ {/* Popular docs */}
+
+
diff --git a/crowdsec-docs/src/theme/DocSidebarItem/Category/index.tsx b/crowdsec-docs/src/theme/DocSidebarItem/Category/index.tsx
index 5ad37769c..42f6e7de1 100644
--- a/crowdsec-docs/src/theme/DocSidebarItem/Category/index.tsx
+++ b/crowdsec-docs/src/theme/DocSidebarItem/Category/index.tsx
@@ -195,7 +195,7 @@ export default function DocSidebarItemCategory({
{...props}
>
{label}
- {!collapsible && isPremium && (
+ {isPremium && (
Premium
diff --git a/crowdsec-docs/static/img/blaas/logo-checkpoint.png b/crowdsec-docs/static/img/blaas/logo-checkpoint.png
new file mode 100644
index 000000000..41ce0b625
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-checkpoint.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-cisco.png b/crowdsec-docs/static/img/blaas/logo-cisco.png
new file mode 100644
index 000000000..5909f67c7
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-cisco.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-default.png b/crowdsec-docs/static/img/blaas/logo-default.png
new file mode 100644
index 000000000..468cf5f4f
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-default.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-f5.png b/crowdsec-docs/static/img/blaas/logo-f5.png
new file mode 100644
index 000000000..23da38486
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-f5.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-fortinet.png b/crowdsec-docs/static/img/blaas/logo-fortinet.png
new file mode 100644
index 000000000..49f4ec406
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-fortinet.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-juniper.png b/crowdsec-docs/static/img/blaas/logo-juniper.png
new file mode 100644
index 000000000..6e80ba980
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-juniper.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-mikrotik.png b/crowdsec-docs/static/img/blaas/logo-mikrotik.png
new file mode 100644
index 000000000..7545c47c6
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-mikrotik.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-opnsense.png b/crowdsec-docs/static/img/blaas/logo-opnsense.png
new file mode 100644
index 000000000..0511fea68
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-opnsense.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-paloalto.png b/crowdsec-docs/static/img/blaas/logo-paloalto.png
new file mode 100644
index 000000000..72371b771
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-paloalto.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-pfsense.png b/crowdsec-docs/static/img/blaas/logo-pfsense.png
new file mode 100644
index 000000000..1b4d566a7
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-pfsense.png differ
diff --git a/crowdsec-docs/static/img/blaas/logo-sophos.png b/crowdsec-docs/static/img/blaas/logo-sophos.png
new file mode 100644
index 000000000..358c0f94d
Binary files /dev/null and b/crowdsec-docs/static/img/blaas/logo-sophos.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-chrome.png b/crowdsec-docs/static/img/cti-integrations/logo-chrome.png
new file mode 100644
index 000000000..649fa44bc
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-chrome.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-default.png b/crowdsec-docs/static/img/cti-integrations/logo-default.png
new file mode 100644
index 000000000..468cf5f4f
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-default.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-gigasheet.png b/crowdsec-docs/static/img/cti-integrations/logo-gigasheet.png
new file mode 100644
index 000000000..61adfa146
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-gigasheet.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-intelowl.png b/crowdsec-docs/static/img/cti-integrations/logo-intelowl.png
new file mode 100644
index 000000000..d0cc7aed1
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-intelowl.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-maltego.png b/crowdsec-docs/static/img/cti-integrations/logo-maltego.png
new file mode 100644
index 000000000..ccd27565e
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-maltego.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-misp.png b/crowdsec-docs/static/img/cti-integrations/logo-misp.png
new file mode 100644
index 000000000..65db78ff9
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-misp.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-ms-sentinel.png b/crowdsec-docs/static/img/cti-integrations/logo-ms-sentinel.png
new file mode 100644
index 000000000..5edc39ebd
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-ms-sentinel.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-msticpy.png b/crowdsec-docs/static/img/cti-integrations/logo-msticpy.png
new file mode 100644
index 000000000..9d612f995
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-msticpy.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-opencti.png b/crowdsec-docs/static/img/cti-integrations/logo-opencti.png
new file mode 100644
index 000000000..c03f27e77
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-opencti.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-paloalto_xsoar.png b/crowdsec-docs/static/img/cti-integrations/logo-paloalto_xsoar.png
new file mode 100644
index 000000000..d88a19a24
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-paloalto_xsoar.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-qradar.png b/crowdsec-docs/static/img/cti-integrations/logo-qradar.png
new file mode 100644
index 000000000..9f9cd3305
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-qradar.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-securitycopilot.png b/crowdsec-docs/static/img/cti-integrations/logo-securitycopilot.png
new file mode 100644
index 000000000..0e27ff864
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-securitycopilot.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-sekoia.png b/crowdsec-docs/static/img/cti-integrations/logo-sekoia.png
new file mode 100644
index 000000000..00c8ab8a8
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-sekoia.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-splunk_siem.png b/crowdsec-docs/static/img/cti-integrations/logo-splunk_siem.png
new file mode 100644
index 000000000..abfe1df49
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-splunk_siem.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-splunk_soar.png b/crowdsec-docs/static/img/cti-integrations/logo-splunk_soar.png
new file mode 100644
index 000000000..8c38a1c4a
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-splunk_soar.png differ
diff --git a/crowdsec-docs/static/img/cti-integrations/logo-thehive.png b/crowdsec-docs/static/img/cti-integrations/logo-thehive.png
new file mode 100644
index 000000000..67f4c16d1
Binary files /dev/null and b/crowdsec-docs/static/img/cti-integrations/logo-thehive.png differ
diff --git a/crowdsec-docs/unversioned/console/ip_reputation/api_keys.mdx b/crowdsec-docs/unversioned/console/ip_reputation/api_keys.mdx
index a131e0a41..d4b4389f8 100644
--- a/crowdsec-docs/unversioned/console/ip_reputation/api_keys.mdx
+++ b/crowdsec-docs/unversioned/console/ip_reputation/api_keys.mdx
@@ -31,12 +31,12 @@ export const PremiumBadge = () => (
{" — "}
{quota}
{" · "}
- {desc}
+ {desc}
{label.includes("Premium") &&
))}
+
+
+
+
+
+ Not sure where to start?
+
+ Answer a few questions and get a recommended path with install steps for your stack.
+
+
+
+
+
+
+
+
+
+
+
+ Popular docs
+
+
+ {[
+ { label: "🖥️ Console", href: "/u/console/intro" },
+ { label: "🛡️ AppSec / WAF", href: "/docs/next/appsec/intro" },
+ { label: "💻 CLI Reference", href: "/docs/next/cscli/" },
+ { label: "🔑 CTI API Keys", href: "/u/console/ip_reputation/api_keys" },
+ { label: "❓ Troubleshooting", href: "/u/troubleshooting/intro" },
+ // Need to redo the prompt this one is out of date
+ // {
+ // label: "📖 Docs AI Assistant",
+ // href: "https://chatgpt.com/g/g-682c3a61a78081918417571116c2b563-crowdsec-documentation",
+ // external: true,
+ // },
+ { label: "🌐 WWW - CrowdSec", href: "https://www.crowdsec.net", external: true },
+ ].map(({ label, href, external }) => (
+
+ {label}
+ {external &&
+
API quotas are separate from Web UI quotas. Unused quota does not roll over.
diff --git a/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx b/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx
index cd0cf6b83..ec889d7a6 100644
--- a/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx
+++ b/crowdsec-docs/unversioned/console/ip_reputation/intro.mdx
@@ -4,72 +4,75 @@ title: IP Reputation / CTI
description: Explore and query CrowdSec's IP Reputation data and manage CTI API keys from the Console.
---
-CrowdSec's **IP Reputation / CTI** section of the Console gives you access to the world's largest crowdsourced threat intelligence network.
-
-From the Console you can:
-- **Investigate IPs** directly in the Web UI — no code required
-- **Explore Specific Classifications** with search queries
-- **Query at scale** using the CTI REST API with a managed API key
-
----
-
-## Web UI Features
-
-### IP Search
-
-The [CTI home page](https://app.crowdsec.net/cti) lets you search any IP address or run Lucene queries against the threat database. Predefined searches give quick access to common patterns, and the **Top 10 Most Aggressive IPs** leaderboard shows the most active threat actors in the last 24 hours.
-
-[IP Search →](/u/console/ip_reputation/search_ui)
-
-### Advanced Search
-
-The [Advanced Search page](https://app.crowdsec.net/cti) supports Lucene queries with a live faceted filter panel (reputation, country, AS, behaviors, classifications). Use it for threat hunting, bulk investigation, or building targeted blocklists.
-
-[Advanced Search →](/u/console/ip_reputation/search_ui_advanced)
-[Search Query Reference →](/u/cti_api/search_queries)
-
-### IP Report
-
-Clicking any IP opens a full report with its reputation, key metadata, behaviors, classifications, MITRE techniques, CVEs, and time-windowed scores.
-
-[IP Report →](/u/console/ip_reputation/ip_report)
-
-### Live Exploit Tracker
-
-The [Live Exploit Tracker ↗️](https://tracker.crowdsec.net/) is the evolution of the CVE Explorer — a dedicated platform for tracking vulnerabilities that are actively being exploited in the wild, powered by live data from the CrowdSec network.
-:::info
-It now resides outside the Console to provide a more focused experience and richer features, but remains fully accessible with the same CTI API key.
-:::
-
-Beyond listing CVEs, it adds exploitation context that helps you **prioritize and act**:
-
-- **CrowdSec Score** — a SOC-oriented priority signal based on observed attack patterns
-- **Opportunity Score** — how targeted vs. opportunistic the exploitation is (0 = mass automated scan, 5 = precisely targeted campaign)
-- **Momentum Score** — whether exploitation volume is growing, stable, or declining
-- **Exploitation Status** — from *early exploitation* to *background noise*
-- **Timeline** — first/last seen, CVE publication, CISA KEV addition, and key events
-- **Malicious IPs** — IPs actively exploiting a given CVE, with full CTI context, for threat hunting or direct blocklist integration
-
-[Explore the Live Exploit Tracker ↗️](https://tracker.crowdsec.net/)
-
----
-
-## API Access
-
-You can query the same data programmatically using a CTI API key and the [CTI REST API](/u/cti_api/intro).
-
-| Plan | Quota | Use case |
-|---|---|---|
-| **Free** | 40 queries / month | POC, low-traffic scripts |
-| **Premium** | 120 queries / month | Regular enrichment, small integrations |
-| **Premium Options** | 5K / 25K / 100K queries / month | Production integrations, SIEMs, SOARs |
-
-Manage your keys in the Console under **Settings → CTI API Keys**, or go straight to [app.crowdsec.net/settings/cti-api-keys](https://app.crowdsec.net/settings/cti-api-keys).
+import Link from "@docusaurus/Link";
+import { ExternalLink } from "lucide-react";
+
+export const BLUE = "#60a5fa";
+export const GREEN = "#22d3a0";
+export const PURPLE = "#a78bfa";
+
++ Query behavioral intelligence on any IP — reputation scores, attack patterns, linked CVEs, and activity history — sourced from hundreds of thousands of real CrowdSec deployments worldwide. +
+ +{/* ── Row 1: two cards side by side ──────────────────────────────────── */} + +
+
+ {/* Card 1: Web UI exploration (merged Search + IP Report) */}
+
+
+{/* ── You might also be interested in: LET ───────────────────────────── */}
+
+
+
+
+ {/* Card 2: Enrich your Alerts (API Key) */}
+ 🔍
+ Explore in the Web UI
+
+ No setup needed. Search any IP directly from your browser — run Lucene queries with live faceted filters (reputation, country, AS, behaviors, classifications) and open any result to see its full report: threat score, behaviors mapped to MITRE ATT&CK, linked CVEs, and time-windowed activity. The homepage also surfaces a Top 10 Most Aggressive IPs leaderboard updated every 24h.
+
+
+ IP Search →
+ Advanced Search →
+ IP Report →
+ Lucene Query Reference →
+
+
+
+
+🔑
+ Enrich your Alerts
+
+ Unlock programmatic access to 30+ enrichment fields per IP — reputation, behaviors, CVEs, attack context, MITRE mappings, and more. Use it to enrich SIEM alerts, automate lookups, or feed threat intel platforms. Free tier included, no credit card needed.
+
+
+
+ Create an API key →
+ Data Taxonomy →
+ API Reference
+
+
[Get your first API key →](/u/console/ip_reputation/api_keys)
---
-:::tip Want the full technical reference?
+:::tip Full technical reference
For API endpoints, request/response schemas, integrations (SIEM, SOAR, TIP platforms), and data taxonomy, see the [CTI API documentation](/u/cti_api/intro).
:::
diff --git a/crowdsec-docs/unversioned/console/stackhealth.mdx b/crowdsec-docs/unversioned/console/stackhealth.mdx
index 3410b8ed4..a79276f24 100644
--- a/crowdsec-docs/unversioned/console/stackhealth.mdx
+++ b/crowdsec-docs/unversioned/console/stackhealth.mdx
@@ -4,7 +4,8 @@ title: Stack Health
---
The **Stack Health** Feature is a monitoring tool within the CrowdSec Console helping you keep your infrastructure operational and properly configured.
-Its primary goal is to identify configuration issues, connectivity problems, or potential misconfigurations that could impact your detection capabilities.
+Its primary goal is to identify configuration issues, connectivity problems, or potential misconfigurations that could impact your detection capabilities.
+*You can also do a manual health check of your stack by following this post installation [Health-Check guide](/u/getting_started/health_check).*
---
diff --git a/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.md b/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.md
deleted file mode 100644
index 7b0e0991b..000000000
--- a/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-id: integration_intro
-title: Integrations
----
-
-CrowdSec has developed native integrations for the most common security platforms so you can enrich your workflows with IP reputation data without writing any code. If your platform isn't listed, the API is a standard REST interface — you can query it directly with cURL, write your own scripts, or build custom playbooks in any SIEM, SOAR, or TIP that supports HTTP enrichment:
-
-```shell
-curl -H "x-api-key: $API_KEY" https://cti.api.crowdsec.net/v2/smoke/1.2.3.4 | jq .
-```
-
-For the full API reference, see the [Swagger documentation](https://crowdsecurity.github.io/cti-api/).
-
----
-
-| Integration | Description |
-|---------------------------|----------------------------------------|
-| [Chrome](/cti_api/api_integration/integration_browser_chrome.md) | A Chrome extension which allows you to quickly search an IP on a web page |
-| [Gigasheet](/cti_api/api_integration/integration_gigasheet.md) | Gigasheet's No-Code API-data-enrichment feature |
-| [IntelOwl](/cti_api/api_integration/integration_intelowl.md) | IntelOwl is an open-source framework and platform for analyzing and processing threat intelligence data |
-| [Maltego](/cti_api/api_integration/integration_maltego.md) | Maltego is a powerful and versatile data visualization and link analysis tool used primarily in the field of digital forensics, cybersecurity, and intelligence gathering |
-| [MISP](/cti_api/api_integration/integration_misp.md) | MISP, short for Malware Information Sharing Platform & Threat Sharing, is an open-source threat intelligence platform designed to facilitate the sharing and collaboration |
-| [MSTICpy](/cti_api/api_integration/integration_msticpy.md) | MSTICpy, short for Microsoft Threat Intelligence Python Security Tools and Common Practices, is an open-source Python library developed by Microsoft |
-| [OpenCTI](/cti_api/api_integration/integration_opencti.md) | OpenCTI is an open-source threat intelligence platform that focuses on facilitating the collection, management, and analysis of cyber threat intelligence data |
-| [PaloAlto XSOAR](/cti_api/api_integration/integration_paloalto_xsoar.md) | Palo Alto Networks Cortex XSOAR is a Security Orchestration, Automation, and Response (SOAR) platform |
-| [QRadar](/cti_api/api_integration/integration_qradar.md) | QRadar is a widely-used Security Information and Event Management (SIEM) solution designed to provide comprehensive visibility into an organization's cybersecurity landscape |
-| [Sekoia XDR](/cti_api/api_integration/integration_sekoia_xdr.md) | Sekoia XDR (Extended Detection and Response) is a cybersecurity platform that combines threat detection, incident response, and proactive threat hunting capabilities into a unified solution |
-| [Splunk SIEM](/cti_api/api_integration/integration_splunk_siem.md) | Splunk Enterprise Security is a Security Information and Event Management (SIEM) solution that helps organizations centralize, analyze, and manage security-related data from various sources |
-| [Splunk SOAR](/cti_api/api_integration/integration_splunk_soar.md) | Splunk SOAR (Security Orchestration, Automation, and Response) is a security platform designed to streamline and automate the incident response and security operations processes |
-| [TheHive](/cti_api/api_integration/integration_thehive.md) | TheHive is an open-source, collaborative, and customizable Security Incident Response Platform (SIRP) designed to assist cybersecurity teams in managing and mitigating security incidents effectively |
diff --git a/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.mdx b/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.mdx
new file mode 100644
index 000000000..f04f9c4da
--- /dev/null
+++ b/crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.mdx
@@ -0,0 +1,24 @@
+---
+id: integration_intro
+title: Integrations
+---
+
+import CtiIntegrationTile, { ctiIntegrations } from '@site/src/components/cti-integration-tile';
+
+CrowdSec has native integrations for the most common security platforms — enrich your workflows with IP reputation data without writing any code.
+
+If your platform isn't listed, the API is a standard REST interface you can query directly:
+
+```shell
+curl -H "x-api-key: $API_KEY" https://cti.api.crowdsec.net/v2/smoke/1.2.3.4 | jq .
+```
+
+For the full reference, see the [Swagger documentation](https://crowdsecurity.github.io/cti-api/).
+
+---
+
+You might also be interested in
+
+
+🚨
+
+
+
+
+ A dedicated platform tracking CVEs actively exploited in the wild — with exploitation momentum, opportunity scores, and the IPs behind each attack. Uses the same CTI API key.
+
+ Explore the Live Exploit Tracker →
+
+ {ctiIntegrations.map(({ name, slug, href, plugin, desc, color }) => (
+
diff --git a/crowdsec-docs/unversioned/cti_api/intro.md b/crowdsec-docs/unversioned/cti_api/intro.md
deleted file mode 100644
index 889eb4bb5..000000000
--- a/crowdsec-docs/unversioned/cti_api/intro.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-id: intro
-title: CrowdSec CTI - Cyber Threat Intelligence
-sidebar_position: 1
----
-
-CrowdSec's **Cyber Threat Intelligence (CTI)** exposes the threat data collected by the global CrowdSec network — millions of IPs enriched with behaviors, classifications, scores, MITRE techniques, and CVE associations — through a REST API designed for programmatic integration.
-
-This section covers the **API** side of CTI: authentication, datasets, data format, taxonomy, and integrations with third-party security platforms.
-
-:::tip Prefer a visual interface?
-The [IP Reputation section of the Console](/u/console/ip_reputation/intro) presents exploration via the Console UI to: get details about a specific IP, run advanced queries, and manage your CTI API Key(s)
-:::
-
----
-
-## What the API Gives You
-
-For any queried IP, the CTI API returns:
-
-| Field | Description |
-| --- | --- |
-| **Reputation** | Malicious, Suspicious, Known, Benign, Safe, or Unknown |
-| **Behaviors** | Attack types observed (SSH Bruteforce, HTTP Scan, CVE exploitation, etc.) |
-| **Classifications** | TOR exit node, VPN/Proxy, CDN, scanner, false positive, and more |
-| **Scores** | Aggressiveness, threat, trust, and anomaly — computed over 1d / 7d / 30d windows |
-| **MITRE ATT&CK** | Techniques mapped to the IP's observed behaviors |
-| **CVEs** | Vulnerabilities the IP has been actively exploiting |
-| **History** | First seen / last seen, activity age |
-| **Target countries** | Geographic distribution of attacks from this IP |
-
-Full field-level documentation: [CTI Object format](/u/cti_api/taxonomy/cti_object).
-
----
-
-## Taxonomy
-
-Understanding the CTI data model is key to making good use of the API. The [Taxonomy section](/u/cti_api/taxonomy/intro) documents:
-
-- [**CTI Format**](/u/cti_api/taxonomy/cti_object) — complete response structure and field reference
-- [**Scores**](/u/cti_api/taxonomy/scores) — how aggressiveness, threat, trust, and anomaly are computed
-- [**Behaviors**](/u/cti_api/taxonomy/behaviors) — defined attack behaviors and their labels
-- [**Classifications**](/u/cti_api/taxonomy/classifications) — IP category tags (VPN, TOR, CDN, scanner, etc.)
-- [**False Positives**](/u/cti_api/taxonomy/false_positives) — categories excluded from malicious verdicts
-- [**Scenarios**](/u/cti_api/taxonomy/scenarios) — the detection scenarios that triggered reports for an IP
-
----
-
-## Getting Started
-
-1. **Get an API key** — create one in the [Console](https://app.crowdsec.net/settings/cti-api-keys). A free key is available to all registered users. See [API Keys](/u/console/ip_reputation/api_keys).
-2. **Make your first request** — see [API Introduction](/u/cti_api/api_introduction) for the base URL, authentication header, and an example response.
-3. **Integrate** — connect CrowdSec CTI to your SIEM, SOAR, or TIP using one of the [supported integrations](/u/cti_api/api_integration/integration_intro).
-
----
-
-## Integrations
-
-CrowdSec CTI has native integrations with major security platforms:
-
-| Category | Platforms |
-| --- | --- |
-| **SIEM** | Splunk Enterprise Security, QRadar, Microsoft Sentinel |
-| **SOAR** | Splunk SOAR, Palo Alto XSOAR, TheHive |
-| **TIP** | MISP, OpenCTI, Sekoia XDR |
-| **Investigation** | Maltego, MSTICpy, IntelOwl |
-| **Other** | Chrome extension, Gigasheet |
-
-[See all integrations →](/u/cti_api/api_integration/integration_intro)
diff --git a/crowdsec-docs/unversioned/cti_api/intro.mdx b/crowdsec-docs/unversioned/cti_api/intro.mdx
new file mode 100644
index 000000000..0fad953ea
--- /dev/null
+++ b/crowdsec-docs/unversioned/cti_api/intro.mdx
@@ -0,0 +1,170 @@
+---
+id: intro
+title: CrowdSec IP Reputation / CTI
+sidebar_position: 1
+---
+
+import Link from "@docusaurus/Link";
+import { ExternalLink } from "lucide-react";
+import CtiIntegrationTile, { ctiIntegrations } from '@site/src/components/cti-integration-tile';
+
+export const BLUE = "#60a5fa";
+export const ORANGE = "#f97316";
+export const PURPLE = "#a78bfa";
+export const GREEN = "#22d3a0";
+
+{/* ── Hero ─────────────────────────────────────────────────────────────── */}
+
++ Understand the IPs behind attacks +
++
CrowdSec tracks malicious IPs across hundreds of thousands of real deployments worldwide.
+
Every lookup gives you behavioral context — what the IP was doing, where, and when.
+ Quick access
+
+
+{/* ── How do you want to use it? ──────────────────────────────────────── */}
+
+
+ 🔍 Look up an IP
+
+
+
+{/* ── Why CrowdSec CTI (informational, de-emphasized) ────────────────── */}
+
+Entry points
+ How do you want to use it?
+
+ {[
+ {
+ badge: "🔍 No setup needed", icon: "🖥️", accent: BLUE,
+ title: "Web UI investigation - in the Console",
+ desc: "Search any IP instantly. Explore threat history and the top aggressive IPs in the last 24h — no API key needed.",
+ links: [{ label: "Web UI guide →", href: "/u/console/ip_reputation/intro" }, { label: "IP Report →", href: "/u/console/ip_reputation/ip_report" }],
+ },
+ {
+ badge: "⚙️ Developer / SecOps", icon: "🔌", accent: ORANGE,
+ title: "Enrich Alerts via API",
+ desc: "Use the CTI API to add CrowdSec IP context to SIEM alerts, SOAR workflows, TIPs, scripts, and internal tools.",
+ links: [{ label: "API quickstart →", href: "/u/cti_api/api_introduction" }, { label: "All integrations →", href: "/u/cti_api/api_integration/integration_intro" }],
+ },
+ {
+ badge: "🎯 Threat hunter", icon: "🚨", accent: PURPLE,
+ title: "Hunt active threats",
+ desc: "Advanced Search with live faceted filters — behavior, country, AS, CVE — to find campaigns or build blocklists.",
+ links: [{ label: "Advanced search →", href: "/u/console/ip_reputation/search_ui_advanced" }, { label: "Live Exploit Tracker →", href: "/u/tracker_api/intro" }],
+ },
+ ].map(({ badge, icon, accent, title, desc, links }) => (
+
+
+
+ ))}
+ {badge}
+ {icon}
+ {title}
+ {desc}
+
+ {links.map(({ label, href }) => (
+ {label}
+ ))}
+
+
+
+
+{/* ── Integrations ────────────────────────────────────────────────────── */}
+
+Why CrowdSec CTI
+ + Most IP reputation services tell you an IP is "bad." CrowdSec tells you what it was doing — from real deployments, not honeypots. +
+
+ {[
+ { icon: "🌍", title: "Real-world attack signals", desc: "CrowdSec intelligence is built from signals shared by real deployments across the Internet." },
+ { icon: "🧠", title: "Behavioral, not just reputation", desc: "Brute-force, CVE exploitation, scan, credential stuffing — mapped to MITRE ATT&CK." },
+ { icon: "⚡", title: "Real-time, not cached lists", desc: "Continuously updated with time-windowed scores showing if a threat is rising, stable, or decaying." },
+ { icon: "🔬", title: "CVE-level exploit tracking", desc: "Live Exploit Tracker shows which CVEs are actively exploited, with momentum, opportunity, and malicious IP context." },
+ ].map(({ icon, title, desc }) => (
+
+
+ {icon}
+
+ {title} — {desc}
+
+
+ ))}
+
+
+
+{/* ── Technical details ───────────────────────────────────────────────── */}
+
+Integrations
+ Already using one of these?
+ + Jump straight to the integration guide — no need to read the full API docs first. +
+
+ {ctiIntegrations.map(({ name, slug, href, plugin, desc, color }) => (
+
+
+
+ {[
+ { label: "Community Plan Free Key", quota: "40 / month", desc: "Testing integrations, personal servers, ad-hoc lookups", color: GREEN },
+ { label: "Premium Plan Free Key", quota: "120 / month", desc: "Regular enrichment, small SOC teams, recurring automation", color: BLUE },
+ { label: "Premium Keys Options", quota: "5K · 25K · 100K / month", desc: "Production SIEMs, SOARs, high-volume pipelines — requires Premium", color: PURPLE },
+ ].map(({ label, quota, desc, color }) => (
+
+
+ {label}
+ {" — "}
+ {quota}
+ {" · "}
+ {desc}
+
+ ))}
+
+ API quotas are separate from Web UI quotas. Unused quota does not roll over.
+
+
+
+
+{/* ── Need help ───────────────────────────────────────────────────────── */}
+
+Technical details
+
+ {[
+ { icon: "📊", title: "Data Taxonomy", desc: "CTI Data structure, scores, behaviors and classifications", href: "/u/cti_api/taxonomy/intro" },
+ { icon: "📚", title: "API Reference", desc: "Full endpoint reference with request/response schemas.", href: "https://crowdsecurity.github.io/cti-api/", external: true },
+ { icon: "❓", title: "FAQ", desc: "Common questions about access, quotas, and data.", href: "/u/cti_api/faq" },
+ ].map(({ icon, title, desc, href, external }) => (
+
+ {icon}
+
+
+
+
+ ))}
+
+ {title}{external &&
+ {desc}
+
+
diff --git a/crowdsec-docs/unversioned/integrations/intro.mdx b/crowdsec-docs/unversioned/integrations/intro.mdx
index 25e8900e5..6a5db6d36 100644
--- a/crowdsec-docs/unversioned/integrations/intro.mdx
+++ b/crowdsec-docs/unversioned/integrations/intro.mdx
@@ -11,6 +11,7 @@ import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import CodeBlock from '@theme/CodeBlock';
import UnderlineTooltip from '@site/src/components/underline-tooltip';
+import IntegrationTile, { firewallIntegrations } from '@site/src/components/integration-tile';
CrowdSec Blocklist Integrations — also known as **Blocklist as a Service** — give you a secure, hosted HTTPS endpoint serving live blocklists that you configure your firewall or security tool to pull from.
@@ -41,27 +42,37 @@ Pulling more frequently than the allowed interval for your plan will result in H
## Available integrations
+
### Firewall integrations
Each vendor page explains how to create the integration in the CrowdSec Console and includes a link to the vendor's own documentation on how to configure ingestion on the firewall side.
-| Firewall | Vendor feature name |
-|---|---|
-| [Checkpoint](integrations/checkpoint.mdx) | Custom Intelligence (IoC) Feeds |
-| [Cisco](integrations/cisco.mdx) | Security Intelligence feeds |
-| [F5](integrations/f5.mdx) | External IP blocklist / Feed lists |
-| [Fortinet](integrations/fortinet.mdx) | IP address Threat Feeds |
-| [Juniper](integrations/juniper.mdx) | Security Dynamic Address feeds |
-| [Mikrotik](integrations/mikrotik.mdx) | — |
-| [OPNsense](integrations/opnsense.mdx) | URL Table (IPs) aliases |
-| [Palo Alto](integrations/paloalto.mdx) | External Dynamic Lists (EDL) |
-| [pfSense](integrations/pfsense.mdx) | URL Table (IPs) aliases |
-| [Sophos](integrations/sophos.mdx) | Third-Party Threat Feeds |
+
+
+ Need help?
+ Get answers in Discord or check the FAQ.
+
+ 💬 Join Discord
+
+ {firewallIntegrations.map(({ name, slug, href, desc, color }) => (
+
### Other integrations
-- [Raw IP List](integrations/rawiplist.mdx) — generic format, works with any HTTP-capable device
-- [Remediation Component](integrations/remediationcomponent.mdx) — for platforms without native IP list ingestion (Cloudflare, AWS WAF, etc.)
+
+
+ One IP per line — compatible with virtually any firewall, router, or HTTP-capable device
+
+
+ Integrate blocklists to platforms without native ingestion (Cloudflare, AWS WAF, …) via Remediation Components
+
+
## Setup a Blocklist Integration Endpoint