Introduction
What is CrowdSec Security Engine?
The Security Engine is a lightweight, collaborative Intrusion Detection System (IDS) with optional Web Application Firewall (WAF) capabilities. It detects behaviors that match known attack patterns defined by scenarios.
At a high level, the engine works like this:
- It reads logs from sources you define in acquisitions.
- It normalizes them with parsers.
- It evaluates behavior against scenarios.
- It creates decisions based on profiles, which remediation components enforce.
What makes CrowdSec unique is its collaborative threat intelligence: when you opt in, your detections help maintain a community blocklist that protects everyone.
What is a Remediation Component?
Remediation Components (previously called bouncers) enforce the Security Engine's decisions by connecting to the Local API (LAPI).
They can be standalone (for example, Firewall Remediation with iptables, nftables, or pf) or embedded inside applications like Nginx, where Lua enforces decisions in real time.
Think of this as the Intrusion Prevention System (IPS) layer that complements the Security Engine's IDS role. The Remediation Component does not decide; it simply enforces what the Security Engine decides.
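A simplified model of the pipeline and the IDS/IPS split described above, as an added example that is not CrowdSec's own code. The log regex, the bucket thresholds (capacity 5, one leak per 10 seconds), the 4h ban, the scenario name and the in-memory dict standing in for the LAPI are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (acquisition stage): sshd lines using documentation-range IPs.
SAMPLE_LOGS = [
    f"2024-05-01T10:00:{s:02d} sshd[411]: Failed password for root from 203.0.113.7 port 4242 ssh2"
    for s in range(6)
] + [
    "2024-05-01T10:00:05 sshd[412]: Failed password for bob from 198.51.100.9 port 5151 ssh2",
    "2024-05-01T10:00:06 sshd[413]: Accepted password for bob from 198.51.100.9 port 5152 ssh2",
]
LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) ")

def parse(line):
    """Parser stage: normalize a raw line into an event, or None if it is not relevant."""
    m = LINE_RE.match(line)
    return {"time": datetime.fromisoformat(m.group(1)), "source_ip": m.group(3)} if m else None

class LeakyBucketScenario:
    """Scenario stage: one bucket per source IP; an overflow means the behavior matched."""
    def __init__(self, capacity=5, leak_every=timedelta(seconds=10)):  # assumed thresholds
        self.capacity, self.leak_every, self.buckets = capacity, leak_every, {}

    def pour(self, event):
        ip, t = event["source_ip"], event["time"]
        level, ref = self.buckets.get(ip, (0, t))
        leaked = (t - ref) // self.leak_every          # events drained since the reference time
        level = max(0, level - leaked)
        ref = t if level == 0 else ref + leaked * self.leak_every
        overflow = level + 1 > self.capacity
        self.buckets[ip] = (0, t) if overflow else (level + 1, ref)
        return overflow

def engine(lines, scenario, lapi):
    """Security Engine (IDS): parser -> scenario -> profile -> decision stored in the LAPI."""
    for line in lines:
        event = parse(line)
        if event and scenario.pour(event):
            # Profile stage (assumed policy): turn the alert into a ban decision.
            lapi[event["source_ip"]] = {"type": "ban", "duration": "4h", "scenario": "example/ssh-bf"}
    return lapi

def remediation_component(ip, lapi):
    """Enforcement (IPS): looks up the decision only; it never reads logs or decides itself."""
    decision = lapi.get(ip)
    return decision["type"] if decision else "allow"

def run_demo():
    lapi = engine(SAMPLE_LOGS, LeakyBucketScenario(), {})
    return {ip: remediation_component(ip, lapi) for ip in ("203.0.113.7", "198.51.100.9")}
```

Calling `run_demo()` shows the burst of six failures from one address producing a ban, while the single failed login followed by a success from the other address is left alone.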
Architecture Diagram
Prerequisites
If you are new to CrowdSec, read this page once, then jump to your platform install guide. We recommend understanding the following prerequisites before you install:
Hardware
CrowdSec is lightweight and runs on most modern hardware. Recommended minimums:
- Platform: amd64, arm64, or armhf
- 1 CPU core
- 100 MB of free RAM
- 1 GB of free disk space
Operating System
We support the following operating systems:
Ports
CrowdSec Security Engine uses the following default ports (bound to localhost/loopback by default). You can change them after installation:
- 6060/tcp: Prometheus metrics port
- 8080/tcp: API port
Next Steps
After installing CrowdSec, use our interactive Health-Check guide to verify your setup. It will walk you through detection, connectivity, and remediation so you can confirm the stack is working end to end.
Resources
Complete Introduction
Watch a short series of videos on how to install CrowdSec and protect your infrastructure
Learn with CrowdSec Academy