CrowdSec CTI - Cyber Threat Intelligence

CrowdSec's Cyber Threat Intelligence (CTI) exposes the threat data collected by the global CrowdSec network — millions of IPs enriched with behaviors, classifications, scores, MITRE techniques, and CVE associations — through a REST API designed for programmatic integration.

This section covers the API side of CTI: authentication, datasets, data format, taxonomy, and integrations with third-party security platforms.

The IP Reputation section of the Console covers exploring the same data through the Console UI: getting details about a specific IP, running advanced queries, and managing your CTI API key(s).


What the API Gives You

For any queried IP, the CTI API returns:

  • Reputation — Malicious, Suspicious, Known, Benign, Safe, or Unknown
  • Behaviors — attack types observed (SSH Bruteforce, HTTP Scan, CVE exploitation, etc.)
  • Classifications — TOR exit node, VPN/Proxy, CDN, scanner, false positive, and more
  • Scores — aggressiveness, threat, trust, and anomaly, computed over 1d / 7d / 30d windows
  • MITRE ATT&CK — techniques mapped to the IP's observed behaviors
  • CVEs — vulnerabilities the IP has been actively exploiting
  • History — first seen / last seen, activity age
  • Target countries — geographic distribution of attacks from this IP

Full field-level documentation: CTI Object format.


Taxonomy

Understanding the CTI data model is key to making good use of the API. The Taxonomy section documents:

  • CTI Format — complete response structure and field reference
  • Scores — how aggressiveness, threat, trust, and anomaly are computed
  • Behaviors — defined attack behaviors and their labels
  • Classifications — IP category tags (VPN, TOR, CDN, scanner, etc.)
  • False Positives — categories excluded from malicious verdicts
  • Scenarios — the detection scenarios that triggered reports for an IP

Getting Started

  1. Get an API key — create one in the Console. A free key is available to all registered users. See API Keys.
  2. Make your first request — see API Introduction for the base URL, authentication header, and an example response.
  3. Integrate — connect CrowdSec CTI to your SIEM, SOAR, or TIP using one of the supported integrations.

Integrations

CrowdSec CTI has native integrations with major security platforms:

  • SIEM — Splunk Enterprise Security, QRadar, Microsoft Sentinel
  • SOAR — Splunk SOAR, Palo Alto XSOAR, TheHive
  • TIP — MISP, OpenCTI, Sekoia XDR
  • Investigation — Maltego, MSTICpy, IntelOwl
  • Other — Chrome extension, Gigasheet

See all integrations →