CrowdSec IP Reputation / CTI
Understand the IPs behind attacks
CrowdSec tracks malicious IPs across hundreds of thousands of real deployments worldwide.
Every lookup gives you behavioral context — what the IP was doing, where, and when.
Entry points
How do you want to use it?
🔍 No setup needed
🖥️
Web UI investigation - in the Console
Search any IP instantly. Explore threat history and the top aggressive IPs in the last 24h — no API key needed.
⚙️ Developer / SecOps
🔌
Enrich Alerts via API
Use the CTI API to add CrowdSec IP context to SIEM alerts, SOAR workflows, TIPs, scripts, and internal tools.
🎯 Threat hunter
🚨
Hunt active threats
Advanced Search with live faceted filters — behavior, country, AS, CVE — to find campaigns or build blocklists.
Why CrowdSec CTI
Most IP reputation services tell you an IP is "bad." CrowdSec tells you what it was doing — from real deployments, not honeypots.
🌍 Real-world attack signals — CrowdSec intelligence is built from signals shared by real deployments across the Internet.
🧠 Behavioral, not just reputation — Brute-force, CVE exploitation, scan, credential stuffing — mapped to MITRE ATT&CK.
⚡ Real-time, not cached lists — Continuously updated with time-windowed scores showing if a threat is rising, stable, or decaying.
🔬 CVE-level exploit tracking — Live Exploit Tracker shows which CVEs are actively exploited, with momentum, opportunity, and malicious IP context.
Integrations
Already using one of these?
Jump straight to the integration guide — no need to read the full API docs first.
Community Plan Free Key — 40 / month · Testing integrations, personal servers, ad-hoc lookups
Premium Plan Free Key — 120 / month · Regular enrichment, small SOC teams, recurring automation
Premium Keys Options — 5K · 25K · 100K / month · Production SIEMs, SOARs, high-volume pipelines — requires Premium
API quotas are separate from Web UI quotas. Unused quota does not roll over.
Technical details
Need help?
Get answers in Discord or check the FAQ.















