Security Engine Overview
The CrowdSec Security Engine is an open-source, lightweight security engine that detects and blocks malicious actors. It analyzes logs and HTTP requests using behavior-based patterns called scenarios.
CrowdSec is modular: it provides behavior-based detection, including AppSec rules, and optional Remediation Components that enforce blocks.
CrowdSec is crowdsourced: when you participate, you share the attacks you detect and block. In return, the Security Engine automatically downloads a curated list of validated attackers (the community blocklist), so you can take action sooner against known threats.
Main Features
In addition to the core "detect and react" mechanism, CrowdSec is committed to several other key aspects:
- Easy Installation: Get started quickly on all supported platforms.
- Simplified Daily Operations: Manage and maintain your setup from the CrowdSec Console (Web UI) or with the cscli command-line tool.
- Reproducibility: Analyze live logs and cold logs to validate detections, run forensic analysis, or generate reports.
- Versatile: Protect your perimeter by analyzing system logs and HTTP requests.
- Observability: Providing valuable insights into the system's activity:
  - View and manage alerts in the Console.
  - Expose detailed Prometheus metrics.
  - Use the cscli CLI for administration.
- API-Centric: All components communicate via an HTTP API, facilitating multi-machine setups.
Architecture
Under the hood, the Security Engine has various components:
- The Log Processor handles detection. It analyzes logs from various data sources and HTTP requests from compatible web servers.
- The Appsec feature is part of the Log Processor. It filters HTTP requests from compatible web servers.
- The Local API acts as a middleman:
  - Between the Log Processors and the Remediation Components, which are in charge of enforcing decisions.
  - And with the Central API, to share alerts and receive blocklists.
- The Remediation Components (also called bouncers) block malicious IPs at your chosen level—IpTables, firewalls, web servers, or reverse proxies. See the full list on the CrowdSec Hub.
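To make the Local API / Remediation Component split concrete, here is an added example (not CrowdSec's own bouncer code) of the consumer side of that HTTP API: a firewall-style bouncer keeps a block table in sync from the Local API's decisions stream, which is assumed to deliver a body of the shape `{"new": [...], "deleted": [...]}`. The two sample polls are constructed, and the scenario names and addresses in them are illustrative only.

```python
import ipaddress
from typing import Dict, List, Tuple

# Decision types a packet filter can enforce; "captcha" and the like need an HTTP-level bouncer.
FIREWALL_TYPES = {"ban"}

def decision_network(decision: dict):
    """Map a decision's scope/value to a network string a firewall rule can match.
    Returns None for scopes this bouncer cannot enforce (e.g. "country", "as")
    and for malformed values, so one bad record never aborts the whole poll."""
    if str(decision.get("scope", "")).lower() not in ("ip", "range"):
        return None
    try:
        return str(ipaddress.ip_network(decision.get("value", ""), strict=False))
    except ValueError:
        return None

def apply_stream_update(blocked: Dict[str, str], payload: dict) -> Tuple[List[str], List[str]]:
    """Apply one poll of the decisions stream to the in-memory block table.
    `blocked` maps network -> scenario. Deletions run before additions so a
    re-issued decision for the same address stays blocked. Returns (added, removed)
    so the caller can emit the matching firewall rule changes."""
    added, removed = [], []
    for d in payload.get("deleted") or []:
        net = decision_network(d)
        if net is not None and net in blocked:
            del blocked[net]
            removed.append(net)
    for d in payload.get("new") or []:
        net = decision_network(d)
        if d.get("type") not in FIREWALL_TYPES or net is None or net in blocked:
            continue  # non-firewall decision, unenforceable scope, or already blocked
        blocked[net] = d.get("scenario", "unknown")
        added.append(net)
    return added, removed

# Constructed sample polls shaped like the assumed {"new": [...], "deleted": [...]} stream body.
FIRST_POLL = {"new": [
    {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "203.0.113.7",
     "duration": "3h59m", "scenario": "crowdsecurity/ssh-bf"},
    {"id": 2, "origin": "CAPI", "type": "ban", "scope": "Range", "value": "198.51.100.0/24",
     "duration": "23h", "scenario": "crowdsecurity/http-probing"},
    {"id": 3, "origin": "crowdsec", "type": "captcha", "scope": "Ip", "value": "192.0.2.9",
     "duration": "1h", "scenario": "crowdsecurity/http-crawl-non_statics"},
], "deleted": None}
EXPIRY_POLL = {"new": [], "deleted": [{"id": 1, "type": "ban", "scope": "Ip", "value": "203.0.113.7"}]}
```

Applying `FIRST_POLL` then `EXPIRY_POLL` to an empty table blocks the two ban decisions, skips the captcha one, and then lifts the expired single-address ban.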
Deployment options
This architecture supports simple standalone setups and more distributed deployments:
- Single machine: Follow the getting started guide.
- Multiple machines: Use the distributed setup guide.
- Centralized logs (rsyslog, Loki, ...): Run CrowdSec next to your log pipeline, not on production workloads.
- Kubernetes: See our Helm chart.
- Containers: Use the Docker data source.
- WAF only: Start with the AppSec quickstart.
Distributed architecture example:
More ways to learn
Watch a short series of videos on how to install CrowdSec and protect your infrastructure
Learn with CrowdSec Academy