# Security Engine Overview

The [CrowdSec Security Engine](https://github.com/crowdsecurity/crowdsec) is an open-source, lightweight security engine that detects and blocks malicious actors. It analyzes logs and HTTP requests using behavior-based patterns called scenarios.

CrowdSec is modular: it provides [behavior-based detection](https://app.crowdsec.net/hub/collections), including [AppSec rules](https://app.crowdsec.net/hub/appsec-rules), and optional [Remediation Components](https://app.crowdsec.net/hub/bouncers) that enforce blocks.

![](/img/simplified_SE_overview.svg)


CrowdSec is crowdsourced: when you participate, you share the attacks you detect and block. In return, the Security Engine automatically downloads a curated list of validated attackers (the community blocklist), so you can take action sooner against known threats.

## Main Features

In addition to the core "detect and react" mechanism, CrowdSec is committed to several other key aspects:

* **Easy Installation**: Get started quickly on all [supported platforms](https://docs.crowdsec.net/u/getting_started/intro.md).

* **Simplified Daily Operations**: Manage and maintain your setup from the [CrowdSec Console](http://app.crowdsec.net) (Web UI) or with the [cscli command-line tool](https://docs.crowdsec.net/docs/next/cscli/.md).

* **Reproducibility**: Analyze live logs and [cold logs](https://docs.crowdsec.net/u/user_guides/replay_mode.md) to validate detections, run forensic analysis, or generate reports.

* **Versatile**: Protect your perimeter by analyzing [system logs](https://docs.crowdsec.net/docs/next/log_processor/data_sources/intro.md) and [HTTP requests](https://docs.crowdsec.net/docs/next/appsec/intro.md).

* **Observability**: Provides valuable insight into the system's activity:

  * View and manage alerts in the [Console](https://app.crowdsec.net/signup).
  * Expose detailed [Prometheus metrics](https://docs.crowdsec.net/docs/next/observability/prometheus.md).
  * Use the [cscli CLI](https://docs.crowdsec.net/docs/next/observability/cscli.md) for administration.

* **API-Centric**: All components communicate via an [HTTP API](https://docs.crowdsec.net/docs/next/local_api/intro.md), facilitating multi-machine setups.

## Architecture

![](/img/simplified_SE_underthehood.svg)

Under the hood, the Security Engine has various components:

* The [Log Processor](https://docs.crowdsec.net/docs/next/log_processor/intro.md) handles detection. It analyzes logs from [various data sources](https://docs.crowdsec.net/docs/next/log_processor/data_sources/intro.md) and [HTTP requests](https://docs.crowdsec.net/docs/next/appsec/intro.md) from compatible web servers.

* The [Appsec](https://docs.crowdsec.net/docs/next/appsec/intro.md) feature is part of the Log Processor. It filters HTTP requests from compatible web servers.

* The [Local API](https://docs.crowdsec.net/docs/next/local_api/intro.md) acts as a middleman:

  * between the [Log Processors](https://docs.crowdsec.net/docs/next/log_processor/intro.md) and the [Remediation Components](https://docs.crowdsec.net/u/bouncers/intro.md), which are in charge of enforcing decisions;
  * and with the [Central API](https://docs.crowdsec.net/docs/next/central_api/intro.md), to share alerts and receive blocklists.

* The [Remediation Components](https://docs.crowdsec.net/u/bouncers/intro.md) (also called bouncers) block malicious IPs at your chosen level: iptables, firewalls, web servers, or reverse proxies. [See the full list on the CrowdSec Hub.](https://app.crowdsec.net/hub/remediation-components)
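To make the Local API's middleman role concrete, here is an added example (not CrowdSec's own code or one of its bouncer SDKs) of the decision cache a remediation component keeps after polling the Local API's decision stream: deleted decisions are dropped, new ones are added, and each incoming request IP is matched against the cache to pick a remediation. The response shape (`new`/`deleted` arrays of decisions with `scope`, `value`, `type`) follows the public LAPI decision format as assumed here; the sample payload is constructed, and `DecisionCache` and `remediation_for` are this example's own names.

```python
import ipaddress
import json

# Constructed sample of a Local API decision-stream response (GET /v1/decisions/stream).
# Field names follow the LAPI decision format; the addresses and ids are made up.
SAMPLE_STREAM = json.dumps({
    "new": [
        {"id": 1, "origin": "crowdsec", "scope": "Ip", "value": "203.0.113.7",
         "type": "ban", "scenario": "crowdsecurity/ssh-bf", "duration": "3h59m"},
        {"id": 2, "origin": "CAPI", "scope": "Range", "value": "198.51.100.0/24",
         "type": "ban", "scenario": "crowdsecurity/http-probing", "duration": "23h"},
        {"id": 3, "origin": "crowdsec", "scope": "Ip", "value": "192.0.2.9",
         "type": "captcha", "scenario": "crowdsecurity/http-crawl-non_statics", "duration": "1h"},
    ],
    "deleted": [
        {"id": 4, "origin": "crowdsec", "scope": "Ip", "value": "192.0.2.50",
         "type": "ban", "scenario": "crowdsecurity/ssh-bf", "duration": "-5m"},
    ],
})

class DecisionCache:
    """Local copy of active decisions, kept in sync from the LAPI stream."""
    def __init__(self):
        self._decisions = {}  # (scope, value) -> decision dict

    def apply_stream(self, body):
        """Apply one stream response: drop deleted decisions, then add new ones."""
        data = json.loads(body)
        for d in data.get("deleted") or []:
            self._decisions.pop((d["scope"], d["value"]), None)
        for d in data.get("new") or []:
            if d["scope"] not in ("Ip", "Range"):
                continue  # scopes this component does not enforce (e.g. Country)
            self._decisions[(d["scope"], d["value"])] = d
        return len(self._decisions)

    def lookup(self, ip):
        """Return the decision matching ip (exact IP first, then ranges), or None."""
        addr = ipaddress.ip_address(ip)
        exact = self._decisions.get(("Ip", str(addr)))
        if exact:
            return exact
        for (scope, value), d in self._decisions.items():
            # A mismatched IP version (v6 address vs v4 range) simply does not match.
            if scope == "Range" and addr in ipaddress.ip_network(value, strict=False):
                return d
        return None

def remediation_for(cache, ip):
    """Remediation to apply to a request from ip: the decision type, or 'allow'."""
    d = cache.lookup(ip)
    return d["type"] if d else "allow"
```

A real component would poll the stream on an interval with its API key, apply each response with `apply_stream`, and consult the cache on the hot path rather than calling the Local API per request.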

## Deployment options

This architecture supports simple standalone setups and more distributed deployments:

* Single machine: Follow the [getting started guide](https://docs.crowdsec.net/u/getting_started/intro.md).
* Multiple machines: Use the [distributed setup guide](https://docs.crowdsec.net/u/user_guides/multiserver_setup.md).
* Centralized logs (rsyslog, Loki, ...): [Run CrowdSec next to your log pipeline](https://docs.crowdsec.net/u/user_guides/log_centralization.md), not on production workloads.
* Kubernetes: See [our Helm chart](https://docs.crowdsec.net/u/getting_started/installation/kubernetes.md).
* Containers: Use the [Docker data source](https://docs.crowdsec.net/docs/next/log_processor/data_sources/docker.md).
* WAF only: Start with the [AppSec quickstart](https://docs.crowdsec.net/docs/next/appsec/intro.md).

Distributed architecture example:

![](/img/distributed_SE_setup.svg)

***

## More ways to learn

[![More ways to learn](/img/academy/crowdsec_fundamentals.svg)](https://academy.crowdsec.net/course/crowdsec-fundamentals?utm_source=docs\&utm_medium=banner\&utm_campaign=intro-page\&utm_id=academydocs)

Watch a short series of videos on how to install CrowdSec and protect your infrastructure.

[**Learn with CrowdSec Academy**](https://academy.crowdsec.net/course/crowdsec-fundamentals?utm_source=docs\&utm_medium=banner\&utm_campaign=intro-page\&utm_id=academydocs)

***
