diff --git a/crowdsec-docs/docs/concepts.md b/crowdsec-docs/docs/concepts.md index c2c26af10..e6b9ed06e 100644 --- a/crowdsec-docs/docs/concepts.md +++ b/crowdsec-docs/docs/concepts.md @@ -40,7 +40,7 @@ The Local API (abreviated as `LAPI`) has several functions: > The Remediation Components (also called `Bouncers`) are external components in charge of enforcing decisions. Remediation Components rely on the Local API to receive decisions about malevolent IPs to be blocked *(or other supported types or remediations such as Captcha, supported by some of our Bouncers).* -*Note that they also support [CrowdSec's Blocklist as a Service](/u/integrations/intro).* +*Note that they also support [CrowdSec's Blocklist as a Service](/u/blocklists/blaas_integrations/intro).* Those Decisions can be based on behavioral detection made by the `LP` or from Blocklists. diff --git a/crowdsec-docs/sidebarsUnversioned.js b/crowdsec-docs/sidebarsUnversioned.js index 7cda202f4..acaef3cba 100644 --- a/crowdsec-docs/sidebarsUnversioned.js +++ b/crowdsec-docs/sidebarsUnversioned.js @@ -375,18 +375,18 @@ module.exports = { type: "category", link: { type: "doc", - id: "integrations/intro", + id: "blocklists/blaas_integrations/intro", }, - label: "Integrations", + label: "Blocklist as a Service", items: [ - "integrations/cisco", - "integrations/checkpoint", - "integrations/f5", - "integrations/fortinet", - "integrations/paloalto", - "integrations/sophos", - "integrations/genericfirewall", - "integrations/remediationcomponent", + "blocklists/blaas_integrations/cisco", + "blocklists/blaas_integrations/checkpoint", + "blocklists/blaas_integrations/f5", + "blocklists/blaas_integrations/fortinet", + "blocklists/blaas_integrations/paloalto", + "blocklists/blaas_integrations/sophos", + "blocklists/blaas_integrations/genericfirewall", + "blocklists/blaas_integrations/remediationcomponent", ], }, ], 
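Review bot: eight documents move from `integrations/*` to `blocklists/blaas_integrations/*` in the sidebar and the doc ids change with them, but no redirect entry for the old `/u/integrations/...` URLs appears anywhere in this patch, so existing bookmarks, search-engine results and any page still linking the old paths will 404 after deploy. Please add redirects from `/u/integrations/intro` (and the seven vendor pages) to their new locations, or state in the PR why they are not needed. While here, the item `"blocklists/blaas_integrations/genericfirewall"` is backed by a file named `genericvendor.mdx`; that only resolves if the file's frontmatter `id` is `genericfirewall`, which this diff does not show, so it is worth a local build to confirm the sidebar does not break.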
@@ -456,6 +456,17 @@ module.exports = { ], guidesSideBar: [ "user_guides/intro", + { + type: "category", + label: "Use cases", + items: [ + { + type: "doc", + label: "Blocklist to Firewall", + id: "user_guides/use_cases/blaas_to_firewall", + }, + ], + }, { type: "category", label: "Management", diff --git a/crowdsec-docs/unversioned/integrations/checkpoint.mdx b/crowdsec-docs/unversioned/blocklists/blaas_integrations/checkpoint.mdx similarity index 100% rename from crowdsec-docs/unversioned/integrations/checkpoint.mdx rename to crowdsec-docs/unversioned/blocklists/blaas_integrations/checkpoint.mdx diff --git a/crowdsec-docs/unversioned/integrations/cisco.mdx b/crowdsec-docs/unversioned/blocklists/blaas_integrations/cisco.mdx similarity index 100% rename from crowdsec-docs/unversioned/integrations/cisco.mdx rename to crowdsec-docs/unversioned/blocklists/blaas_integrations/cisco.mdx diff --git a/crowdsec-docs/unversioned/integrations/f5.mdx b/crowdsec-docs/unversioned/blocklists/blaas_integrations/f5.mdx similarity index 100% rename from crowdsec-docs/unversioned/integrations/f5.mdx rename to crowdsec-docs/unversioned/blocklists/blaas_integrations/f5.mdx diff --git a/crowdsec-docs/unversioned/integrations/fortinet.mdx b/crowdsec-docs/unversioned/blocklists/blaas_integrations/fortinet.mdx similarity index 100% rename from crowdsec-docs/unversioned/integrations/fortinet.mdx rename to crowdsec-docs/unversioned/blocklists/blaas_integrations/fortinet.mdx diff --git a/crowdsec-docs/unversioned/integrations/genericvendor.mdx b/crowdsec-docs/unversioned/blocklists/blaas_integrations/genericvendor.mdx similarity index 100% rename from crowdsec-docs/unversioned/integrations/genericvendor.mdx rename to crowdsec-docs/unversioned/blocklists/blaas_integrations/genericvendor.mdx 
diff --git a/crowdsec-docs/unversioned/integrations/intro.mdx b/crowdsec-docs/unversioned/blocklists/blaas_integrations/intro.mdx similarity index 97% rename from crowdsec-docs/unversioned/integrations/intro.mdx rename to crowdsec-docs/unversioned/blocklists/blaas_integrations/intro.mdx index 5ea0f5bcf..81b9667ec 100644 --- a/crowdsec-docs/unversioned/integrations/intro.mdx +++ b/crowdsec-docs/unversioned/blocklists/blaas_integrations/intro.mdx @@ -56,7 +56,7 @@ Once you are on the Integrations page you can select the integration you would l - [Fortinet](integrations/fortinet.mdx) - [Palo Alto](integrations/paloalto.mdx) - [Sophos](integrations/sophos.mdx) -- [Generic Firewall](integrations/genericvendor.mdx) +- [Generic Firewall (Raw IP-List)](integrations/genericvendor.mdx) - [Remediation Component](integrations/remediationcomponent.mdx) :::info diff --git a/crowdsec-docs/unversioned/integrations/paloalto.mdx b/crowdsec-docs/unversioned/blocklists/blaas_integrations/paloalto.mdx similarity index 100% rename from crowdsec-docs/unversioned/integrations/paloalto.mdx rename to crowdsec-docs/unversioned/blocklists/blaas_integrations/paloalto.mdx diff --git a/crowdsec-docs/unversioned/integrations/remediationcomponent.mdx b/crowdsec-docs/unversioned/blocklists/blaas_integrations/remediationcomponent.mdx similarity index 100% rename from crowdsec-docs/unversioned/integrations/remediationcomponent.mdx rename to crowdsec-docs/unversioned/blocklists/blaas_integrations/remediationcomponent.mdx diff --git a/crowdsec-docs/unversioned/integrations/sophos.mdx b/crowdsec-docs/unversioned/blocklists/blaas_integrations/sophos.mdx similarity index 100% rename from crowdsec-docs/unversioned/integrations/sophos.mdx rename to crowdsec-docs/unversioned/blocklists/blaas_integrations/sophos.mdx diff --git a/crowdsec-docs/unversioned/blocklists/getting_started.mdx b/crowdsec-docs/unversioned/blocklists/getting_started.mdx index 25973194f..38d1377fc 100644 
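Review bot: the link targets in this hunk are still relative paths of the form `integrations/fortinet.mdx`, `integrations/paloalto.mdx`, `integrations/genericvendor.mdx`, but the file itself has been moved from `unversioned/integrations/` to `unversioned/blocklists/blaas_integrations/`, so these paths now resolve below the new directory, where no `integrations/` folder exists. Only the label of the Generic Firewall line was touched; every entry in the list needs its target updated, either to sibling files (`./fortinet.mdx`) or to the absolute form this same patch uses in concepts.md (`/u/blocklists/blaas_integrations/fortinet`). Also double-check the introductory sentence "Once you are on the Integrations page", since the sidebar label for this section is now "Blocklist as a Service".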
--- a/crowdsec-docs/unversioned/blocklists/getting_started.mdx +++ b/crowdsec-docs/unversioned/blocklists/getting_started.mdx @@ -1,29 +1,34 @@ --- id: getting_started -title: Getting Started +title: How to use CrowdSec Blocklists --- import ConsolePromo from '@site/src/components/ConsolePromo.js'; -There are two ways to get started with Blocklists: +There are two main paths to integrate CrowdSec blocklists into your infrastructure: -1. **Security Engine** - Use the CrowdSec Security Engine to ingest blocklists -2. **Integrations** - Use Integrations to ingest blocklists into firewall, CDN, or other security solutions +1. **Security Engine** - If you already have a CrowdSec Security Engine, you can use it to ingest blocklists +2. **Integrations** - For a purely SaaS approach, use Integrations to ingest blocklists into firewall, CDN, (...) via our Blockist as a Service Integrations endpoints Depending on which path you take you can start with the following guides: +# Security Engine Ingestion +If you already have security engines and remediation components installed in your infrastructure, you can follow the guide bellow. + -
+ +# SaaS Integration +If you want to use blocklists without installing the CrowdSec Security Engine you can follow the guide bellow.
If you're new to CrowdSec, and want to use blocklists we recommend starting with the [Integrations guide](integrations/intro.mdx), however, if you are unsure where to start, feel free to browse our [main website for more information](https://www.crowdsec.net/). diff --git a/crowdsec-docs/unversioned/blocklists/intro.md b/crowdsec-docs/unversioned/blocklists/intro.md index ffc546af6..f8eb8cc59 100644 --- a/crowdsec-docs/unversioned/blocklists/intro.md +++ b/crowdsec-docs/unversioned/blocklists/intro.md @@ -1,12 +1,16 @@ --- id: intro -title: Introduction +title: CrowdSec Blocklists - Proactively defend your perimeter sidebar_position: 2 --- -## Objective +CrowdSec's Blocklist regroup IPs and ranges that have been **validated** as performing **malicious behaviors** on **exposed endpoints**. +Those blocklists are kept up to date and are currated to ensure they don't contain false positives. +Their are meant to be directly actionable to protect your perimeter from thousands of known attackers. +The unique nature of CrowdSec's network, by its diversity and size brings unmatched exclusivity and quality. -Welcome to the documentation section dedicated to CrowdSec's Blocklists. This section will outline what Blocklists are, how they work, and how you can use them to protect your systems. + +This section will help you understand the nature of our different blocklists, how they work, and how you can use them to protect your systems. ## What are CrowdSec Blocklists? diff --git a/crowdsec-docs/unversioned/user_guides/use_cases/blaas_to_firewall.mdx b/crowdsec-docs/unversioned/user_guides/use_cases/blaas_to_firewall.mdx new file mode 100644 index 000000000..2110ba845 --- /dev/null +++ b/crowdsec-docs/unversioned/user_guides/use_cases/blaas_to_firewall.mdx 
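Review bot: the getting_started.mdx hunk introduces a second and third H1 (`# Security Engine Ingestion`, `# SaaS Integration`) in a document whose frontmatter `title` already provides the H1; they should be `##` to match the rest of the docs. The text also has several typos to fix before merge: "bellow" (twice) should be "below", "Blockist" should be "Blocklist", and "(...)" in the Integrations bullet should be spelled out (the previous wording "or other security solutions" is fine). Finally, the unchanged closing paragraph still links `integrations/intro.mdx` relative to `blocklists/getting_started.mdx`; with this patch that target lives at `blaas_integrations/intro.mdx`, so the link should be updated to that path or to `/u/blocklists/blaas_integrations/intro`.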
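Review bot: in the blocklists/intro.md hunk, the claim that the blocklists "are currated to ensure they don't contain false positives" reads as an absolute guarantee; any IP reputation feed carries some false-positive risk (shared NAT, cloud egress, recycled addresses), and readers will act on this text by dropping traffic at their perimeter, so please soften it to something like "curated to minimize false positives" and keep the sentence that they are validated on exposed endpoints. Grammar and spelling in the same paragraph: "Blocklist regroup IPs" should be "Blocklists group IPs", "currated" should be "curated", "Their are meant" should be "They are meant", and "by its diversity and size brings unmatched exclusivity and quality" is marketing copy that would be better as a factual sentence or dropped. Removing `## Objective` without replacing it is fine, but make sure the paragraph that now sits directly under the title still renders before `## What are CrowdSec Blocklists?`.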
@@ -0,0 +1,71 @@ +--- +id: blaas_to_firewall +title: Use our blocklist directly in your firewall +sidebar_position: 10 +tags: [blaas,firewall,usecase] +--- + +# Integrating CrowdSec Blocklists Directly Into Your Firewall + +> Use CrowdSec's Blocklist within your firewall without the need to install the CrowdSec agent. +> // Preemptive security greatly reducing mass attacks and saving resources at the same time. +// or Turn your FW in preemptive mode with CS blocklist to block malicious ips before they reach you and reduce drastically the volume of alars for your soc + +
+ + + + + + + + + + + + + + + + + + + +
Difficulty1/5
CrowdSec Service Setup Time5 minutes
Firewall Configuration Time5~10 minutes
Involved ResourcesCrowdSec BLaaS Integration, CrowdSec Blocklists, User's Firewall
+
+ +## **Steps to follow** +For this use case, you will need to: +- [Create a **Blocklist As A Service endpoint** within the CrowdSec Console UI or API](/u/blocklists/blaas_integrations/intro) + - **Who**: Anybody with a browser + - **Skill Level**: Easy + - **Time**: 5 minutes *(including account creation)* + - **Minium Plan**: free +- [**Subscribe** to the blocklist(s) you want to use](/u/console/blocklists/subscription) + - **Who**: Anybody with a browser + - **Skill Level**: Easy + - **Time**: < 5 minutes + - **Minium Plan**: free +- Make a **rule into your firewall** that fetches the blocklist from the BLAAS endpoint (basic auth URL) + - **Who**: Firewall administrator + - **Skill Level**: Easy + - **Time**: 5~10 minutes + +## Test that it works and evaluate performance +1. Check that the end point is providing the blocklist you subscribed to at the format you chose by running a `curl` command: +``` +curl -u : +``` +2. Check that the blocklist is being fetched by your firewall by observing the logs or metrics of your firewall. +Depending on your firewall capabilities you can chose a metered action in your rule OR observe volume of ingress reaching your services before and after using the blocklist. + + +## Next step - Scale and Automate +You can use CrowdSec Service API (SAPI) to automate both: +- [**Creation of BLaaS endpoints**](/u/service_api/quickstart/integrations#creating-integration) +- And [**Blocklist subscriptions**](/u/service_api/quickstart/blocklists#subscribe-to-a-blocklist) + +You can also look into [**creating**](/u/service_api/quickstart/blocklists#create-a-blocklist) and Sharing your own blocklists via SAPI. +Check out our [swagger for SAPI ↗️](https://admin.api.crowdsec.net/v1/docs#/) + +*(usecase coming soon)* \ No newline at end of file
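Review bot: the verification step in the new use-case page shows the command as `curl -u :` with nothing after it, so as rendered it cannot be run; spell out the placeholders explicitly (login, password and the integration URL) in the code block and say which of the supported output formats the reader should expect, since the sentence above refers to "the format you chose". Right above, the page still contains two draft alternatives for its tagline, `> // Preemptive security greatly reducing mass attacks...` and `// or Turn your FW in preemptive mode...`, which will render verbatim; pick one before merging, and fix "alars" to "alerts" if that line is kept. Because the firewall rule embeds basic-auth credentials in a URL, add one sentence telling readers to keep those credentials in the firewall's secret or credential store rather than in rule names or comments, and to confirm the fetch is done over HTTPS, otherwise the blocklist feed itself becomes an easy target for tampering. Remaining typos: "Minium Plan" (twice) should be "Minimum Plan", "end point" should be "endpoint", "chose" should be "chosen"/"choose", and "Make a rule into your firewall" reads better as "Create a rule in your firewall". The file also ends without a trailing newline.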