Security Engine No Remediation Component
The Security Engine No Remediation Component issue appears when a Security Engine has no Remediation Component (bouncer) registered against it.
A Security Engine that detects threats but has no Remediation Component attached cannot act on its decisions โ attackers are detected but never blocked.
What Triggers This Issueโ
- Trigger condition: Security Engine has no Remediation Component registered
- Criticality: ๐ก Recommended
- Impact: Threats are detected but no remediation action is taken โ your infrastructure is not actively protected.
Common Root Causesโ
- No Remediation Component installed: No bouncer has been installed and registered to this Security Engine.
- Intentional โ this Security Engine is detection-only: The absence of a local RC is deliberate and this alert can be safely ignored.
Diagnosis & Resolutionโ
No Remediation Component installedโ
๐ Check registered bouncersโ
Verify which Remediation Components are currently registered with this Security Engine:
- You can check directly in the console's Security Engine details page
- Or via the following command line:
sudo cscli bouncers list
Run this command for Docker or Kubernetes
Docker
docker exec crowdsec cscli bouncers list
Kubernetes
kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l type=lapi -o name) -- cscli bouncers list
If the list is empty, it confirms that no Remediation Component is registered.
๐ ๏ธ Install and/or register a Remediation Componentโ
Choose and install a Remediation Component suited to your infrastructure:
- cs-firewall-bouncer โ blocks IPs at the OS firewall level (nftables/iptables)
- cs-nginx-bouncer โ blocks at the NGINX web server level
- cs-traefik-bouncer โ blocks at the Traefik reverse proxy level
- More options available on the Remediation Components page
Typical Remediation Component auto-registers during installation, verify registration:
sudo cscli bouncers list
If it doesn't appear after installation follow the bouncer registration guide Don't forget to update the credentials in the bouncer config and restart it
Intentional โ this Security Engine is detection-onlyโ
If you knowingly have no Remediation Component on this Security Engine, this alert can be ignored. A few common intentional setups:
-
Remediation handled by another Security Engine: Your bouncers are registered against a different LAPI in your infrastructure. Decisions from this SE are not automatically enforced there.
-
Perimeter protection via a Blocklist Integration: You rely on a BLaaS integration (e.g. a firewall or CDN at the edge) for enforcement and only want this SE for detection and signal sharing. This is a valid architecture.
-
Other intentional reason (custom remediation pipeline, testing/staging environment, detection-only node, etc.): You know what you're doing โ this alert does not indicate a problem.
Did you know: Remediation Sync lets you propagate decisions across all your Security Engines enrolled in the Console and to Blocklist Integrations too. It can be useful to remediate on the edge of your perimeter or make sure your SE protect each other.
Verify Resolutionโ
After registering a Remediation Component:
- Check registration:
sudo cscli bouncers list
The bouncer should appear with a recent Last Pull timestamp.
You'll also see it appear in the console's Security Engine details page
Related Issuesโ
- Security Engine Offline โ If the Security Engine itself is not reporting
- Security Engine No Alerts โ If the Security Engine is not generating decisions to enforce
Getting Helpโ
If you need help choosing or installing a Remediation Component:
- Browse the Remediation Components catalog
- Ask on Discord with your infrastructure details
- Check Discourse for setup examples