THEIR CHALLENGE
Using MongoDB powers developer velocity for CrowdSec
CrowdSec likens itself to a collaborative and crowd-driven cybersecurity solution with the concept of “Safer Together” summing up the company’s methodology. The cybersecurity startup, launched in France in 2020, delivers advanced security blocklists and curated threat intelligence through the world's largest cyber threat intelligence (CTI) network built on crowdsourced data.
CrowdSec’s self-developed open source engine is easy to audit, contribute to, and install—and once it is in place, it actively detects attacks on its host machine. When an attack is identified, the engine remediates the threat locally and sends data to the CrowdSec cloud platform. Here, AI and ML algorithms classify malicious IP addresses, which are added to a central database and shared with the broader community for proactive protection.
“With more than 110,000 live engines sending data regularly, we know a lot of things about a lot of IPs,” says Cristian Nitescu, Data Architect at CrowdSec. This means the company can maintain a real-time view of cyber threats, enabling highly reliable intelligence. Additionally, CrowdSec offers specialized blocklists and feeds tailored to specific sectors, attack types, or vulnerabilities, ensuring users receive targeted protection.
CrowdSec initially relied on PostgreSQL for its data storage. Because Postgres is a relational database, it was a familiar, safe option for the company’s developers. However, as CrowdSec grew and its data became more complex, challenges arose. In PostgreSQL, changes to the schema (such as adding columns or modifying data structures) require manual migrations and hand-written scripts, which became cumbersome over time. Version upgrades involved complex operations, sometimes requiring hours of downtime for migrations. This slowed development and hindered CrowdSec’s ability to iterate quickly, leading it to seek a more agile solution. “Our first motivation was developer velocity,” said Cristian. “And we went to MongoDB looking for it.”
OUR SOLUTION
Optimizing data needs through combined capabilities
Drawn by MongoDB’s efficiency, ability to scale, and speed, CrowdSec now leverages several MongoDB products to optimally manage its growing data needs. Initially, the team used MongoDB Atlas, moving increasing amounts of API and CTI data over from PostgreSQL—which is retained with a limited perimeter—to generate community blocklists. “There was an experimentation with MongoDB, and we grew from there,” said Cristian. “If we started all over again, maybe we would put everything in MongoDB.”
Recognizing the value of making CTI data easily searchable, CrowdSec adopted MongoDB Atlas Search to enable fast, efficient querying, transforming the data into a powerful, user-facing asset. Around the same time, the team began using MongoDB Atlas Vector Search. With MongoDB Professional Services, the team was able to complete implementation within days, and advanced-level consulting and training on server optimization, indexing, and collections let them fine-tune performance and consolidate their existing MongoDB expertise.
CrowdSec now uses MongoDB Atlas Vector Search to generate and store vector embeddings for IP addresses, using algorithms such as large language models. By leveraging similarity search, the team can identify IPs with comparable behavior, helping to uncover patterns and emerging threat actors within the vast data quantities ingested daily. This clustering approach not only highlights long-standing malicious actors but also allows CrowdSec to track more transient, fast-moving threats as they evolve across the internet.
CrowdSec also uses MongoDB Time Series collections to manage telemetry data from over 100,000 active engines, with a staggering 900 million documents being ingested every 30 days. This system enables real-time insights for users, allowing them to see exactly how many malicious connections CrowdSec's engines have blocked, which directly correlates to measurable ROI. Furthermore, CrowdSec uses MongoDB Data Federation to export data to cold storage, enabling data scientists to perform in-depth analysis without exploring live data, with its attendant cost and resource inefficiencies. The seamless integration of these tools allows CrowdSec to maintain high performance while managing vast amounts of data, offering a highly scalable and efficient solution.
“We have best-of-breed components, and with MongoDB everything is very well integrated,” says Cristian. “That’s very interesting for us.”

