
Use Cases and Quick Solutions

This page provides quick recommendations for common CrowdSec implementation scenarios. Each use case includes practical implementation paths with links to relevant documentation.

New to CrowdSec? Start with our installation guide and health check guide.

Block Known-Bad IPs at the Edge

Pull up-to-date IP lists from CrowdSec Blocklist as a Service endpoints into your edge protection.

Is it for me?

Ideal if you want direct integration into your firewalls. Good option if you are not using a Security Engine and want your CDN or WAF to benefit from CrowdSec's blocklists.

How it works:

  • Create a blocklist integration in your console account.
  • Select the blocklists you want to be served by this endpoint.
  • Use the endpoint's URL and credentials to retrieve the merged and up-to-date list.

References


Reduce Noise to Save Resources and Address Alert Fatigue

Eliminate automated noise from unwanted probes, spam and malicious traffic to reduce server load and log volumes by up to 80%.

Is it for me?

Ideal if you're experiencing high server load from automated traffic or want to reduce infrastructure costs. Good option if you need to optimize server performance and reduce log storage requirements.

How it works:

  • Use CrowdSec blocklists to preemptively block crowd-validated noise.
  • Go further by deploying the CrowdSec Security Engine to detect malicious patterns in your traffic.
  • Use an AppSec-enabled Remediation Component to benefit from the CrowdSec WAF.
  • Track quantified savings through metrics and performance monitoring.

References


Multi-Tenant Protection

Apply different security policies per customer, application, tier, [...] retrieving contextualized IP Lists.

Is it for me?

Ideal if you're managing multiple customers, applications, or environments with different security requirements. Good option if you need granular policy control and want to avoid cross-tenant security policy interference.

How it works:

  • Configure separate blocklist integrations for each context.
  • Assign context-specific blocklists and allowlists.
  • Go further by creating custom lists based on detections made on your infrastructure.

References


Looking for Complementary IOC Streams?

Add qualified IOCs from CrowdSec's real-time IP reputation.

Is it for me?

Ideal if you want to complement your IOC insights with exclusive CrowdSec IP reputation data. Quickly choose among qualified malicious actors grouped by industry, behavior, and more.

How it works:

  • Stream CrowdSec IP Lists into your security tools.
  • Integrate directly into your security tools using our existing integrations or the easy-to-use CTI API.
  • 🏅 Get custom IOC streams made for your needs.
  • Next step: Enrich IPs via CrowdSec CTI API.

References


Bot and Scraper Management

Control aggressive crawlers and scraping tools while preserving legitimate user access using graduated response strategies.

Is it for me?

Ideal if you're dealing with aggressive bots or scrapers that impact your site performance. Good option if you want to prevent illegitimate AI crawlers from visiting your site.

How it works:

  • Retrieve AI crawler and/or botnet IPs from CrowdSec Blocklist integrations.
  • Block at the edge using your firewall or CDN.
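The edge-blocking step described here and under "Block Known-Bad IPs at the Edge" (fetch the merged list from a blocklist integration endpoint, then block it in the firewall), as an added example that is not from the CrowdSec documentation: the endpoint URL, the credentials, the nftables table/set names and the assumption that the feed is one IPv4 address or CIDR per line are all placeholders or assumptions, so adapt them to your integration's actual details.

```shell
#!/bin/sh
# Added example (not CrowdSec's own code): load a blocklist endpoint into an nftables set.
# BLOCKLIST_URL and BLOCKLIST_AUTH are placeholders; the set is assumed to exist
# (e.g. "nft add set inet filter crowdsec_blocklist { type ipv4_addr; flags interval; }").
set -eu

BLOCKLIST_URL="${BLOCKLIST_URL:-https://PLACEHOLDER-BLOCKLIST-ENDPOINT/list}"  # placeholder
BLOCKLIST_AUTH="${BLOCKLIST_AUTH:-PLACEHOLDER_USER:PLACEHOLDER_SECRET}"        # placeholder
NFT_TABLE="inet filter"
NFT_SET="crowdsec_blocklist"

# Keep only well-formed IPv4 addresses or CIDR prefixes (assumed feed format:
# one entry per line). Comments, blank lines and anything unexpected are dropped,
# so a malformed or tampered feed can never inject nft syntax into the script.
filter_ipv4_entries() {
    octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    grep -E "^($octet\\.){3}$octet(/([0-9]|[12][0-9]|3[0-2]))?\$" || true
}

# Turn a validated list (stdin) into one nft script (stdout): flush and refill
# in a single transaction, so the set is never empty mid-update.
build_nft_script() {
    echo "flush set $NFT_TABLE $NFT_SET"
    elems=$(paste -s -d ',' -)
    [ -n "$elems" ] && echo "add element $NFT_TABLE $NFT_SET { $elems }"
    return 0
}

# Fetch with the integration's credentials, validate, and apply atomically.
# curl -f makes an auth or HTTP error abort the run instead of flushing the set.
fetch_and_apply() {
    curl -fsS -u "$BLOCKLIST_AUTH" "$BLOCKLIST_URL" \
      | filter_ipv4_entries \
      | build_nft_script \
      | nft -f -
}
```

Run fetch_and_apply from cron or a systemd timer at the refresh interval your integration allows; the validation step is what keeps an unexpected response body from reaching the firewall.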

References


Block Common web attacks fast

Quickly protect web applications from the latest CVEs and generic vulnerability exploits using CrowdSec WAF.

Is it for me?

Ideal if you want a modern open-source WAF solution.
Benefit from CrowdSec's Virtual Patching catalog while being able to use your existing ModSecurity rules as is.

How it works:

  • Deploy CrowdSec Security Engine with AppSec module on your reverse proxy or web server.
  • Get the CrowdSec Virtual Patching collection.
  • Easily scale and identify behaviors across multiple servers over time.
  • Go further by using your existing AppSec rules.
  • Even test CRS rules out of band on your production traffic to easily adapt them to your needs.

References


Legacy Application Protection

Using transparent proxy protection, add modern security controls to legacy applications that cannot be modified directly.

Is it for me?

Ideal if you're running legacy applications that lack built-in security features. Good option if you need immediate protection without the risk of modifying critical legacy code.

How it works:

  • Deploy CrowdSec WAF at the reverse proxy level in front of your legacy application.
  • Configure virtual patching rules to block known exploits targeting your application stack.
  • Additionally create custom AppSec rules adapted to your legacy application's specific patterns.
  • Test protection rules out of band (simulation mode) before enabling blocking to ensure application functionality.

References


Custom Behavior Protection

Create targeted protections for specific abuse patterns like spam, credential stuffing, or scalping attacks, [...] using custom detection rules or scenarios.

Is it for me?

Ideal if you're facing unique attack patterns not covered by standard security solutions. Good option if you need highly specific protection tailored to your application's business logic and user patterns.

How it works:

  • Analyze your specific abuse patterns to understand attacker behavior.
  • Create custom scenarios using CrowdSec's scenario framework for behavioral detection.
  • Where needed, develop AppSec rules for pattern-matching specific malicious requests.
  • Test custom rules thoroughly using explain mode and simulation before production deployment.

References


Alert Enhancement and Triage

Accelerate incident response with contextual threat intelligence and automated routing to reduce alert volume by up to 80%.

Is it for me?

Ideal if your SOC team is overwhelmed with security alerts and needs better context for prioritization. Add exclusive context to your alerts and automate incident response with 30+ IP reputation enrichment dimensions.

How it works:

  • Consult CrowdSec CTI: per-IP queries, advanced search on behaviors, classifications or exploited CVEs.
  • Configure notification plugins to automatically enrich alerts with global threat intelligence context.
  • Obtain your CTI API key from your CrowdSec Console account, or contact the CrowdSec team for higher quotas.
  • Integrate it into your tools with our existing integrations or via simple calls to the API.
  • 🏅 Advanced usage: API search, offline replication, and more.

References


Threat Hunting and Intelligence

Enable proactive threat hunting with access to global intelligence from 190+ countries, often 7-60 days ahead of other vendors.

Is it for me?

Ideal if you have a threat hunting team that needs fresh, contextual intelligence for proactive security investigations. Good option if you want to correlate local events with global attack patterns and emerging threats.

How it works:

  • Explore our CTI and CVE explorer.
  • Leverage advanced search capabilities to identify relevant threats and vulnerabilities.
  • Go further using our CTI API to integrate threat intelligence into your existing workflows.

References