What is CrowdSec and how does it work?

CrowdSec is an open-source and crowd-powered software enabling you to detect & block attacks. While sharing with its user community, you contribute to improve its efficiency and make the Internet safer.

The solution

  • allows you to detect attacks and respond at all required levels (detect where your logs are, block at CDN or application level)
  • is easy to install and maintain with no technical requirement. The installer even comes with a wizard duh!
  • is designed to be integrated with other solutions and components (ie. use CrowdSec to read your mod_security logs and automatically block attackers at your CDN level)
  • is about sharing : meta-data about the attack/attacker you detect is sent to a central API, and malevolent IPs are shared with all users.
  • is a lightweight : it runs standalone, doesn’t require much ram or CPU
  • can work with cold logs: you can run it on “cold” logs and see what could have happened
  • comes with out of the box dashboards, because we know visualisation is key

Decentralized as of day 1, not affected by Covid crisis.


We created several Open source products before


Reputation engine and real time analysis


Our previous cybersecurity corp was sold in 2016 for tens of millions


CrowdSec service
CrowdSec is the open-source and lightweight service that runs in the background, processes logs and keeps track of attacks.


Cscli is the command line interface for humans, it allows you to view, add or remove bans as well as to install, find or update attack scenarios and parsers.


Bouncers are part of the CrowdSec full stack integration, they block malevolent traffic, and can be deployed anywhere in your infra / stack.

Downloading and installing the software

How to get started with CrowdSec?
Crowdsec’s main goal is to crunch logs to detect threats. You will find below an introduction to the concepts that are frequently used within the documentation.

Acquistion configuration defines which streams of information CrowdSec is going to process.

It can be files but also any kind of stream, such as a kafka topic or a cloudtrail.

The acquisition configuration always contains a stream (i.e. a file to tail) and a tag (i.e. “these are in syslog format”;  “these are non-syslog nginx logs”).

For logs to be exploited and analyzed, they need to be parsed and normalized, and this is where parsers are used. In most cases, you should be able to find the relevant parsers on our CrowdSec Hub.

Usually, a parser has a specific scope. For example, if you are using nginx, you will probably want to use the crowdsecurity/nginx-logs which allows your CrowdSec setup to parse nginx’s access and error logs.

You can also write your own one!

Enrichment is the action of adding extra context to an event based on the information we already have, so a better decision can be made later on. In most cases, you should be able to find the relevant enrichers on our CrowdSec Hub.

The most common type of enrichment would be geoip-enrichment of an event (adding information such as: origin country, origin AS and origin IP range to an event).

Once again, you should be able to find the ones you’re looking for on the CrowdSec Hub!

Our ready-to-use scenario database  allows you to qualify a specific event (usually an attack). In most cases, you should be able to find the relevant scenarios on our CrowdSec Hub.

While not going into details, a scenario often evolves due to different main triggers. More details can be found here.

You can also write your own one!

To make your life easier, “collections” are available, which are just a bundle of parsers and scenarios. In this way, if you want to cover basic use-cases of “nginx” for instance, you can just install the crowdsecurity/nginx collection that is composed of crowdsecurity/nginx-logs parser, as well as generic http scenarios such as crowdsecurity/base-http-scenarios.

Again, these can be found on the CrowdSec Hub!

How to install the software?
tar xvzf crowdsec-release.tgz
cd crowdsec-v0.X.X

A wizard is provided to help you deploy CrowdSec and cscli.

sudo ./wizard.sh -i

Deploy valid/empty CrowdSec configuration files and binaries.

sudo ./wizard.sh --bininstall
cd crowdsec && make build
Getting started
CrowdSec Tour
Finding configurations
As stated, Crowdsec efficiency is growing through installed parsers and scenarios. Please take a look at the CrowdSec Hub to find the most relevant ones!
List installed configurations
List installed parsers/scenarios/collections/enrichers. On the machine where you installed CrowdSec, type cscli list to see deployed configurations. This list shows the parsers, scenarios and/or collections that you deployed.
List existing bans
After having installed CrowdSec, type cscli ban list to see existing bans. If you just deployed it, the list might be empty, but don't worry, it simply means you haven't been attacked...yet!
Monitor on-going activity (prometheus)
Displayed metrics are extracted from CrowdSec Prometheus. Key indicators are grouped by scope: buckets, acquisition, parsers.
Monitor on-going activity (log files)
The /var/log/crowdsec.log file will tell you what is going on and when an IP is blocked.
Check CrowdSec monitoring for more!
Our commitment
We’re constantly refining our product

Best Security Tool

Award 2019

Station F Selection

Award 2020


Award 2020
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.