« back to schedule

CrowdSec , A crowd approach to infrastructure defense

The CrowdSec project aims at providing a crowdsourced approach to common infrastructure defense problems, by distributing free & open-source softwares allowing to protect yourself and share information about malevolent actors.

These software components, of which CrowdWatch is the main piece (release date : 15th of may) work by processing logs (or more generally information stream such as cloudtrail or kafka) and enriching them, in order to apply behavior based scenarios (heuristics) that will identify attacks patterns and even sort targeted attacks from opportunistic ones.

One of the core concepts of crowdwatch is to decorelate the detection of an attack and its reaction, to be suitable for modern architectures.

While CrowdWatch is in charge of the detection, the reaction is performed by “blockers” that aim to be deployable at any level of the applicative / infrastructure stack :

  • as a nftables/iptables daemon “a la fail2ban”
  • as a nginx plugin
  • as a wordpress plugin
  • etc.

We hope that this approach, combined with a declarative configuration and a stateless behaviour, will make it an ideal candidate to enhance security of modern stacks (containers, k8s, serverless and more generally automatically deployed infrastructures).

Furthermore, we intend to create and share the most accurate database of malevolent actors as possible, under the form of a real time IP reputation system, accessible through API. Whenever an attack is locally blocked/detected by crowdwatch, the “meta” information of the attack is shared amongst participants (source ip, date and triggered scenario) for redistribution to network members.

We are committed to building a strong community, with all that it implies :

  • a public hub to find, share and amend parsers, scenarios and blockers
  • permissive open-source licence to stay business friendly
  • and overall a strong commitment to transparency and community-first mentality, by tooling and behaviour


Thibault Koechlin (crowdsec), Philippe Humeau (crowdsec)


« back to schedule