Global overview
Security Engine
The Security Engine is CrowdSec's IDS/IPS (Intrusion Detection System/Intrusion Prevention System). It is a rules and behavior detection engine composed of the Log Processor and the Local API.
A Security Engine can operate independently or in a distributed manner, adapting to the specific needs and constraints of your infrastructure. For more information on CrowdSec's distributed approach, visit our documentation on collaborative operations and distributed deployments.
Log Processor (LP)
The Log Processor is the part of the Security Engine in charge of detecting bad behaviors, based on your logs or your HTTP traffic.
The Log Processor (abbreviated as LP) detects bad behaviors via two main functions:
- Acquire logs, parse, enrich and match them against Scenarios.
- Receive HTTP Requests and match them against the Appsec Rules.
Alerts resulting from Scenarios or Appsec Rules being triggered are sent to the LAPI.
Local API (LAPI)
The Local API is the part of the Security Engine acting as the middleman between the Log Processors, the Remediation Components and the Central API.
The Local API (abbreviated as LAPI) has several functions:
- Receive alerts from Log Processors and create Decisions based on configured Profiles
- Expose Decisions to Remediation Components
- Interact with the Central API to send Alerts and receive Blocklists
Remediation Components (Bouncers)
The Remediation Components (also called Bouncers) are external components in charge of enforcing decisions.
Remediation Components rely on the Local API to receive decisions about malevolent IPs to be blocked (or other supported types of remediations such as Captcha, supported by some of our Bouncers).
Note that they also support CrowdSec's Blocklist as a Service.
Those Decisions can be based on behavioral detection made by the LP or come from Blocklists.
Remediation Components leverage existing components of your infrastructure to block malevolent IPs where it matters most. You can find them on our Remediation Components' HUB.
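A simplified model of the flow described above (an Alert from a Log Processor, a Decision created by the Local API from a Profile, enforcement by a Remediation Component), added here as an illustration; it is not CrowdSec's code or API. The class names, profile tuples, scenario names, durations and IPs are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Alert:                 # sent by a Log Processor to the Local API
    scenario: str
    scope: str               # "Ip" in this sketch
    value: str               # the offending IP
    remediation: bool        # does the scenario ask for remediation?

@dataclass
class Decision:              # exposed by the Local API to Remediation Components
    value: str
    type: str                # "ban", "captcha", ...
    origin: str              # "detection" or "blocklist" (labels made up here)
    expires_at: float

PROFILES = [                 # hypothetical Profiles: (alert filter, decision type, duration in s)
    (lambda a: a.remediation and a.scope == "Ip" and a.scenario.startswith("demo/http-"), "captcha", 3600),
    (lambda a: a.remediation and a.scope == "Ip", "ban", 4 * 3600),
]

class LocalAPI:
    def __init__(self):
        self.decisions = []

    def receive_alert(self, alert, now):
        """Apply the first matching Profile; an alert matching none yields no Decision."""
        for matches, dtype, duration in PROFILES:
            if matches(alert):
                self.decisions.append(Decision(alert.value, dtype, "detection", now + duration))
                return self.decisions[-1]
        return None

    def import_blocklist(self, ips, now, duration=24 * 3600):
        """Blocklist entries become Decisions next to the locally detected ones."""
        self.decisions += [Decision(ip, "ban", "blocklist", now + duration) for ip in ips]

    def active_decisions(self, ip, now):
        """What a Remediation Component receives for one IP; expired Decisions are not returned."""
        return [d for d in self.decisions if d.value == ip and d.expires_at > now]

def bouncer_verdict(lapi, ip, now):
    """Remediation Component: enforce the first active Decision, otherwise allow."""
    return next((d.type for d in lapi.active_decisions(ip, now)), "allow")

if __name__ == "__main__":   # constructed sample data (documentation IP range)
    lapi = LocalAPI()
    lapi.receive_alert(Alert("demo/ssh-bruteforce", "Ip", "192.0.2.10", True), 0.0)
    print(bouncer_verdict(lapi, "192.0.2.10", 60.0), bouncer_verdict(lapi, "192.0.2.10", 5 * 3600.0))
```

The Remediation Component never sees the Alert itself: it only asks the Local API whether an active Decision exists for an IP, whatever its origin.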
Central API (CAPI)
The Central API (CAPI) serves as the gateway for network participants to connect and communicate with CrowdSec's network.
The Central API (abbreviated as CAPI) receives attack signals from all participating Security Engines and signal partners, then redistributes curated community decisions to them (Community Blocklist).
It's also at the heart of CrowdSec's centralized Blocklist services.
Console
The CrowdSec Console is a web-based interface providing reporting, alerting, management and quality-of-life (QoL) features for the use of CrowdSec's products, from your fleet of Security Engines to the management of CTI-related actions.
The Console allows you to:
- Manage alerts of your security stack
- Manage decisions in real-time
- View and use blocklists and integrations
- Manage your API keys (CTI API, Service API)