diff --git a/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx b/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
new file mode 100644
index 000000000..a0f2c330c
--- /dev/null
+++ b/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
@@ -0,0 +1,163 @@
+import Link from "@docusaurus/Link";
+import React from "react";
+
+export interface FeatureCardProps {
+ id?: string;
+ title: string;
+ metric?: string;
+ description: string;
+ comparison?: {
+ before: string;
+ after: string;
+ };
+ link?: string;
+ category?: "protection" | "scale" | "monitoring" | "intelligence";
+ highlight?: boolean;
+ badges?: string[];
+}
+
+const categoryColors = {
+ protection: {
+ border: "border-l-4 border-l-red-500 dark:border-l-red-400",
+ metric: "bg-red-50 dark:bg-red-900/20 text-red-700 dark:text-red-300",
+ },
+ scale: {
+ border: "border-l-4 border-l-purple-500 dark:border-l-purple-400",
+ metric: "bg-purple-50 dark:bg-purple-900/20 text-purple-700 dark:text-purple-300",
+ },
+ monitoring: {
+ border: "border-l-4 border-l-teal-500 dark:border-l-teal-400",
+ metric: "bg-teal-50 dark:bg-teal-900/20 text-teal-700 dark:text-teal-300",
+ },
+ intelligence: {
+ border: "border-l-4 border-l-yellow-600 dark:border-l-yellow-500",
+ metric: "bg-yellow-50 dark:bg-yellow-900/20 text-yellow-700 dark:text-yellow-300",
+ },
+};
+
+export const FeatureCard = ({
+ id,
+ title,
+ metric,
+ description,
+ comparison,
+ link,
+ category = "protection",
+ highlight = false,
+ badges = [],
+}: FeatureCardProps): React.JSX.Element => {
+ const colors = categoryColors[category];
+
+ // Generate ID from title if not explicitly provided
+ const generatedId =
+ id ||
+ title
+ .toLowerCase()
+ .replace(/\s+/g, "-")
+ .replace(/[^\w-]/g, "");
+
+ const cardContent = (
+
+
+
+

+ {title} + {badges.map((badge) => ( + + {badge} + + ))} +

+
+ {metric && ( + + {metric} + + )} +
+

{description}

+ {comparison && ( +
+ {comparison.before} + {" → "} + {comparison.after} +
+ )} + {link &&
Learn more →
} +
+ );
+
+ if (link) {
+ return (
+
+ {cardContent}
+
+ );
+ }
+
+ return cardContent;
+};
+
+export interface HighlightCardProps {
+ id?: string;
+ title: string;
+ description: string;
+ stats?: Array<{
+ value: string;
+ label: string;
+ }>;
+ link?: string;
+ category?: "protection" | "scale" | "monitoring" | "intelligence";
+}
+
+export const HighlightCard = ({ id, title, description, stats, link }: HighlightCardProps): React.JSX.Element => {
+ // Generate ID from title if not explicitly provided
+ const generatedId =
+ id ||
+ title
+ .toLowerCase()
+ .replace(/\s+/g, "-")
+ .replace(/[^\w-]/g, "");
+
+ const content = (
+
+

{title}

+

{description}

+ {stats && stats.length > 0 && ( +
+ {stats.map((stat) => ( +
+
{stat.value}
+
{stat.label}
+
+ ))} +
+ )} + {link &&
Learn more →
} +
+ );
+
+ if (link) {
+ return (
+
+ {content}
+
+ );
+ }
+
+ return content;
+};
diff --git a/crowdsec-docs/src/components/premium-upgrade/index.ts b/crowdsec-docs/src/components/premium-upgrade/index.ts
new file mode 100644
index 000000000..d1e65d0fa
--- /dev/null
+++ b/crowdsec-docs/src/components/premium-upgrade/index.ts
@@ -0,0 +1,8 @@
+export type { FeatureCardProps, HighlightCardProps } from "./feature-card";
+export { FeatureCard, HighlightCard } from "./feature-card";
+export type { PersonaOption as PersonaSelectorOption, PersonaSelectorProps } from "./persona-selector";
+export { PersonaSelector } from "./persona-selector";
+export type { PersonaOption as PersonaTabsOption, PersonaTabsHeaderProps } from "./persona-tabs";
+export { PersonaTabsHeader } from "./persona-tabs";
+export type { PersonaOption, TabsWithPersonaProps } from "./tabs-with-persona";
+export { TabsWithPersona } from "./tabs-with-persona";
diff --git a/crowdsec-docs/src/components/premium-upgrade/persona-selector.tsx b/crowdsec-docs/src/components/premium-upgrade/persona-selector.tsx
new file mode 100644
index 000000000..9b283d2be
--- /dev/null
+++ b/crowdsec-docs/src/components/premium-upgrade/persona-selector.tsx
@@ -0,0 +1,90 @@
+import React, { useState } from "react";
+
+export interface PersonaOption {
+ id: string;
+ icon: string;
+ title: string;
+ description: string;
+ tag: string;
+}
+
+export interface PersonaSelectorProps {
+ options: PersonaOption[];
+ defaultSelected?: string;
+ onChange?: (selectedId: string) => void;
+ label?: string;
+}
+
+export const PersonaSelector = ({
+ options,
+ defaultSelected,
+ onChange,
+ label = "Your Profile",
+}: PersonaSelectorProps): React.JSX.Element => {
+ const [selected, setSelected] = useState(defaultSelected || options[0]?.id || "");
+
+ const handleSelect = (id: string) => {
+ setSelected(id);
+ onChange?.(id);
+ };
+
+ return (
+
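Review bot: The fallback id built from `title` in both FeatureCard and HighlightCard is not guaranteed to be unique or non-empty. `\w` without the `u` flag is ASCII-only, so a title made only of emoji or non-Latin text slugs to an empty string, and two cards with the same title on one page get the same id; the JSX that consumes `generatedId` is not visible on this page, but if it ends up as a DOM `id` attribute, anchors to it become ambiguous. The slug logic is also copied verbatim into both components; a shared helper such as `const slugify = (s: string): string => s.toLowerCase().replace(/\s+/g, "-").replace(/[^\w-]/g, "");`, with the attribute omitted when the result is empty, would keep the two in step. `HighlightCardProps.category` is declared but never destructured in HighlightCard.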
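Review bot: The barrel in index.ts exports three interfaces that are each named `PersonaOption` in their own file, under the names `PersonaSelectorOption`, `PersonaTabsOption` and `PersonaOption`. The persona-tabs and tabs-with-persona definitions are field-for-field identical (`value`, `icon`, `label`, `description`, `tag`), while the persona-selector one uses `id` and `title` instead, so the unqualified `PersonaOption` silently means the tabs shape. Declaring the tabs shape once in a shared module and importing it from both tab components would remove the duplicate and make the aliasing unnecessary.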
+

{label}

+
+ {options.map((option) => ( + + ))} +
+
+ );
+};
diff --git a/crowdsec-docs/src/components/premium-upgrade/persona-tabs.tsx b/crowdsec-docs/src/components/premium-upgrade/persona-tabs.tsx
new file mode 100644
index 000000000..9a92ad27c
--- /dev/null
+++ b/crowdsec-docs/src/components/premium-upgrade/persona-tabs.tsx
@@ -0,0 +1,88 @@
+import React from "react";
+
+export interface PersonaOption {
+ value: string;
+ icon: string;
+ label: string;
+ description: string;
+ tag: string;
+}
+
+export interface PersonaTabsHeaderProps {
+ options: PersonaOption[];
+ selectedValue: string;
+ onSelect: (value: string) => void;
+ headerLabel?: string;
+}
+
+/**
+ * Custom header for Docusaurus Tabs that looks like persona selector cards
+ * Use this with Docusaurus component by passing a custom tabsHeader
+ */
+export const PersonaTabsHeader = ({
+ options,
+ selectedValue,
+ onSelect,
+ headerLabel = "Your Profile",
+}: PersonaTabsHeaderProps): React.JSX.Element => {
+ return (
+
+

{headerLabel}

+
+ {options.map((option) => { + const isSelected = selectedValue === option.value; + return ( + + ); + })} +
+
+ );
+};
diff --git a/crowdsec-docs/src/components/premium-upgrade/tabs-with-persona.tsx b/crowdsec-docs/src/components/premium-upgrade/tabs-with-persona.tsx
new file mode 100644
index 000000000..83e70c648
--- /dev/null
+++ b/crowdsec-docs/src/components/premium-upgrade/tabs-with-persona.tsx
@@ -0,0 +1,133 @@
+import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
+import type { ReactElement } from "react";
+import React, { useState } from "react";
+
+export interface PersonaOption {
+ value: string;
+ icon: string;
+ label: string;
+ description: string;
+ tag: string;
+}
+
+export interface TabsWithPersonaProps {
+ options: PersonaOption[];
+ defaultValue?: string;
+ groupId?: string;
+ headerLabel?: string;
+ children: ReactElement | ReactElement[];
+}
+
+/**
+ * Tabs component with custom persona selector header
+ * Combines Docusaurus Tabs functionality with styled persona cards
+ *
+ * @example
+ *
+ * Content
+ *
+ */
+export const TabsWithPersona = ({
+ options,
+ defaultValue,
+ groupId,
+ headerLabel = "Your Profile",
+ children,
+}: TabsWithPersonaProps): React.JSX.Element => {
+ const [selectedValue, setSelectedValue] = useState(defaultValue || options[0]?.value || "");
+
+ const handleSelect = (value: string) => {
+ setSelectedValue(value);
+ // Trigger tab change by programmatically clicking the hidden tab button
+ const tabButton = document.querySelector(`[role="tab"][data-value="${value}"]`) as HTMLElement;
+ if (tabButton) {
+ tabButton.click();
+ }
+ };
+
+ return (
+
+ {/* Custom Persona Header */} +
+

{headerLabel}

+
+ {options.map((option) => { + const isSelected = selectedValue === option.value; + return ( + + ); + })} +
+
+ + {/* Hidden Docusaurus Tabs - just for content switching */} +
+ + {children} + +
+ + {/* Tab Content - controlled by selected value */} +
+ {React.Children.map(children, (child) => { + if (React.isValidElement(child) && child.props.value === selectedValue) { + return
{child.props.children}
; + } + return null; + })} +
+
+ ); +}; diff --git a/crowdsec-docs/src/css/custom.css b/crowdsec-docs/src/css/custom.css index cda298f98..18a40585f 100644 --- a/crowdsec-docs/src/css/custom.css +++ b/crowdsec-docs/src/css/custom.css @@ -9,6 +9,7 @@ @import url("code.css"); @import url("navbar.css"); @import url("swagger-dark.css"); +@import url("premium-upgrade.css"); /** * Any CSS included here will be global. The classic template diff --git a/crowdsec-docs/src/css/premium-upgrade.css b/crowdsec-docs/src/css/premium-upgrade.css new file mode 100644 index 000000000..5d8ccd3e3 --- /dev/null +++ b/crowdsec-docs/src/css/premium-upgrade.css 
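Review bot: In `handleSelect` of tabs-with-persona.tsx, `value` is interpolated straight into the selector string given to `document.querySelector`, so an option value containing a quote or backslash makes the call throw a `SyntaxError` or match a different element. Escape the value and drop the `as HTMLElement` cast, which hides the null case from the type checker: ``const tabButton = document.querySelector<HTMLElement>(`[role="tab"][data-value="${CSS.escape(value)}"]`);`` followed by `tabButton?.click();`. The lookup is also document-wide, so if two `TabsWithPersona` instances (or any other tabs) on one page share a value, the first match is clicked regardless of which component was used; scoping the query to a ref on this component's wrapper would avoid that. Whether the theme's tab elements carry a `data-value` attribute at all cannot be confirmed from this hunk; if they do not, the click never fires and only the local `selectedValue` state changes.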
@@ -0,0 +1,98 @@
+/* Premium Upgrade Page Styles */
+
+/* Persona Selector Cards */
+.persona-card {
+ cursor: pointer;
+ user-select: none;
+ position: relative;
+}
+
+.persona-card:active {
+ transform: scale(0.98);
+}
+
+/* Make default tabs look more like persona cards (fallback) */
+.premium-persona-tabs .tabs__item {
+ font-size: 0.9rem;
+ padding: 0.5rem 1rem;
+ border-radius: 0.5rem;
+ transition: all 0.2s ease;
+}
+
+.premium-persona-tabs .tabs__item:hover {
+ background-color: rgb(var(--muted));
+}
+
+.premium-persona-tabs .tabs__item--active {
+ background: rgb(var(--primary) / 0.1);
+ color: rgb(var(--primary));
+ border-color: rgb(var(--primary) / 0.3);
+}
+
+/* Hide default tabs when using custom persona header */
+.tabs-with-persona .tabs {
+ display: none;
+}
+
+/* Feature card animations */
+.feature-card {
+ animation: fadeIn 0.3s ease-in-out;
+}
+
+@keyframes fadeIn {
+ from {
+ opacity: 0;
+ transform: translateY(10px);
+ }
+ to {
+ opacity: 1;
+ transform: translateY(0);
+ }
+}
+
+/* Highlight card extra styling */
+.feature-card-highlight {
+ position: relative;
+ overflow: hidden;
+}
+
+.feature-card-highlight::before {
+ content: "";
+ position: absolute;
+ top: 0;
+ left: 0;
+ right: 0;
+ height: 3px;
+ background: linear-gradient(90deg, rgb(var(--primary)), rgb(var(--secondary)));
+}
+
+/* Category color accents - left border */
+.category-protection {
+ border-left: 4px solid rgb(var(--color-red));
+}
+
+.category-scale {
+ border-left: 4px solid rgb(133 149 208); /* purple from colors */
+}
+
+.category-monitoring {
+ border-left: 4px solid rgb(75 192 192); /* teal */
+}
+
+.category-intelligence {
+ border-left: 4px solid rgb(var(--color-yellow));
+}
+
+/* Responsive grid improvements */
+@media (max-width: 768px) {
+ .premium-persona-tabs .tabs__item {
+ font-size: 0.8rem;
+ padding: 0.4rem 0.8rem;
+ }
+}
+
+/* Button improvements for CTA */
+.button--lg {
+ padding: 0.75rem 1.5rem;
+ font-size: 1rem;
+}
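Review bot: The last rule in premium-upgrade.css restyles `.button--lg` with no parent selector, and the file is pulled in through `custom.css`, whose own header comment says anything included there is global, so every large button on the site changes, not only the CTA the comment names. Scope it to the upgrade page by prefixing a wrapper class that page already sets, in the form `.<page-wrapper-class> .button--lg { … }`. The `.category-*` left-border rules also look redundant with the Tailwind `border-l-4 …` classes in `categoryColors` in feature-card.tsx; whether any element still uses them is not visible here.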
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade.mdx b/crowdsec-docs/unversioned/console/premium_upgrade.mdx index 458ffcece..a1ba2aaa4 100644 --- a/crowdsec-docs/unversioned/console/premium_upgrade.mdx +++ b/crowdsec-docs/unversioned/console/premium_upgrade.mdx @@ -1,52 +1,570 @@ --- id: premium_upgrade title: Premium Upgrade -description: Upgrade to CrowdSec Premium for enhanced security and commercial-grade features +description: Find Premium features tailored to your role - DevOps, SecOps, or MSP +toc_max_heading_level: 2 --- -import { Badge } from "@site/src/ui/badge"; +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; +import Link from '@docusaurus/Link'; +import { FeatureCard, HighlightCard } from '@site/src/components/premium-upgrade/feature-card'; +import { TabsWithPersona } from '@site/src/components/premium-upgrade/tabs-with-persona'; -## Why Upgrade to Premium? +export const personaOptions = [ + { + value: "devops", + icon: "⚙️", + label: "DevOps / SRE", + description: "Managing solo-infra or in small teams, focused on reducing noise and blocking more threats.", + tag: "Solo · SMB" + }, + { + value: "secops", + icon: "🛡️", + label: "SecOps / Blue Team", + description: "Team needs collaboration, investigation capabilities, and data retention for audits.", + tag: "Team · Enterprise" + }, + { + value: "msp", + icon: "🏢", + label: "MSP / Integrator", + description: "Managing security for multiple clients, requiring isolation and automation capabilities.", + tag: "Multi-tenant · API" + } +]; -CrowdSec Premium features are designed for users who have **commercial usage** of the Console or organizations that want to **enhance the security posture** of their infrastructure. -While our Community Plan provides essential security monitoring capabilities, Premium unlocks advanced features that scale with your business needs and provide business-grade protection. +
-Premium features bring the following benefits: +## Find Premium Features **Made for You** -- **Scalability**: - - Extra centralization and synchronization features - - Extended data retention - - Automation and API access for large-scale deployments -- **Advanced Threat Detection & Qualification**: - - Attack surge detection - - Premium proactive blocking with AI-powered blocklists - - Background noise filtering +**Premium** is designed if you're seeking **enhanced protection** or want to unlock **commercial use** with advanced features. +**Community** covers the basics, **Premium** scales with your projects' needs. -A features comparison can be found on our [pricing page](https://app.crowdsec.net/pricing). +**Select your profile below** to see only the features that matter most to you. +*Or directly browse all premium features in the [**Features Overview**](/u/console/premium_upgrade/features_overview).* + +
+ + + + +### Solo or Small Team Infrastructure Management + +**Best for:** Individual engineers or small teams managing infrastructure, focused on reducing noise and blocking more threats efficiently. + +--- + +#### 🛡️ Enhanced Protection + +
+ + + + + + + + + +
+ +--- + +#### ⚡ Automation & Sync + + + +
+ +
+ +--- + +#### 📊 Monitoring + + + +--- + +#### 💡 Why Premium for DevOps/SRE? + +- **Less noise, more signal**: Filter out scanner noise and focus on real threats +- **Automation-first**: Sync decisions automatically, enroll engines without manual steps +- **Better blocking**: Access to 50k+ IPs and organization-specific threat intel +- **Peace of mind**: Get alerted when attacks surge + +
+ + + +### Team Collaboration & Investigation + +**Best for:** Security teams that need to collaborate, investigate incidents, and maintain data retention for compliance and audits. + +--- + +#### 👥 Team Collaboration & Access Control + +
+ + + + + + + + + +
+ +--- + +#### 🔍 Investigation & Forensics + +
+ + + + + + + + + +
+ +--- + +#### 🔔 Monitoring & Alerting + +
+ + + + + +
+ +--- + +#### 🛡️ Enhanced Protection + +
+ + + + + + + +
--- -## Getting Started with Premium +#### 💡 Why Premium for SecOps/Blue Team? -To help you make the most of your Premium upgrade, we've prepared the following guides: +- **Team collaboration**: Multiple seats with role-based access +- **Long-term retention**: 1 year of alerts for compliance and forensics +- **Rich investigation**: 100 CTI lookups/week with MITRE ATT&CK context +- **Integration-ready**: Push to Slack, PagerDuty, SIEM tools -### [Optimal Premium Upgrade Setup](/u/console/premium_upgrade/optimal_setup) -Learn the best practices for organizing your Security Engines across different environments (Production, Dev, Test) before upgrading to maximize value and cost-efficiency. +
-### [Test Premium Value in Your Environment](/u/console/premium_upgrade/testing_premium) -Discover practical ways to measure and experience Premium value during your trial period, including improved protection metrics, team collaboration features, and enterprise scaling capabilities. + -### [Premium Features Overview](/u/console/premium_upgrade/features_overview) -Explore the complete catalog of Premium features including scaling & automation, enhanced protection, reactivity & monitoring, and advanced threat intelligence capabilities. +### Multi-Tenant Management & Automation + +**Best for:** MSPs and integrators managing security for multiple clients, requiring isolation, automation, and API-driven workflows. + +--- + +#### 🏗️ Multi-Tenancy & Isolation + + + +--- + +#### 🤖 Automation & API + +
+ + + + + + + + + +
+ +--- + +#### 👥 Team & Client Management + +
+ + + + + +
+ +--- + +#### 🛡️ Protection at Scale + +
+ + + + + + + + + +
--- -## How to Upgrade +#### 💡 Why Premium for MSPs? + +- **Multi-tenant architecture**: Complete client isolation with unlimited organizations +- **API-first**: Full Service API for automation and integration +- **Scalability**: Auto-enroll, remediation sync, unlimited blocklists +- **White-label ready**: Manage all clients from single dashboard + +
+
+ +--- + +## Community vs Premium: Key Differences + +| Feature | Community | Premium | +|---------|-----------|---------| +| **Community Blocklist** | Top 3k IPs | Top 50k IPs | +| **Blocklist Subscriptions** | 3 max | Unlimited | +| **Alerts per Month** | 500 | Up to millions | +| **Alert Retention** | 2 months | 12 months | +| **Remediation Sync** | ✗ | ✓ | +| **Background Noise Filter** | ✗ | ✓ | +| **Am I Under Attack** | ✗ | ✓ | +| **Threat Forecast Blocklist** | ✗ | ✓ | +| **Organization Seats** | 1 | 5 included + more | +| **CTI API Lookups/Week** | 30 | 100 + more | +| **Service API (SAPI)** | ✗ | ✓ | +| **Multi-Organization (MSP)** | ✗ | ✓ | + +--- + +## How to Upgrade to Premium + +
+ +
+ +### 1️⃣ Compare Plans + +Review available plans and pricing based on your volume and requirements. + +
+ +
+ +### 2️⃣ Upgrade or Contact + +[Upgrade self-service](https://app.crowdsec.net/pricing) with 30 days free trial, or contact our team for custom plans (enterprise, MSP, volume). + +
+ +
+ +### 3️⃣ Immediate Access + +Premium features available instantly in your organization. No migration required. + +
+ +
+ +--- + +## Ready to Go Further? + +
+ +### Start with a trial or discuss your needs with our team + +No immediate commitment required. Premium features available instantly upon upgrade. + + + +
+ +--- -Ready to enhance your security posture with Premium features? +## Need more help deciding? -1. Visit our [pricing page](https://app.crowdsec.net/pricing) to compare plans and pricing -2. Upgrade to Premium with our self service plan or [Contact](https://www.crowdsec.net/contact-crowdsec) our sales team to discuss your specific requirements -3. Once upgraded, enjoy immediate access to all Premium features in your organization and add options as you grow. +To help you make the most of your Premium upgrade, explore these guides: -For questions about Premium features or to discuss custom enterprise solutions, please [contact our team](https://www.crowdsec.net/pricing). +- [**Optimal Setup**](/u/console/premium_upgrade/optimal_setup) - Organize your Security Engines before migrating to maximize value +- [**Testing Premium**](/u/console/premium_upgrade/testing_premium) - Measure the value concretely during your trial period +- [**All Features Reference**](/u/console/premium_upgrade/features_overview) - Complete catalog of Premium features diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx index a258ed773..cb4fd9e46 100644 --- a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx +++ b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx 
@@ -2,81 +2,223 @@ id: features_overview title: Premium Features Overview description: Comprehensive overview of all Premium features +toc_max_heading_level: 2 --- +import { FeatureCard, HighlightCard } from '@site/src/components/premium-upgrade/feature-card'; + Premium features enable multiple use cases. -Make the best use of the premium features for your needs in: **Scaling, Multi-tenancy, Inhanced proactive protection, Centralized management, Team collaboration, Integration and automation, Enhanced threat intelligence, and improved support.** +Make the best use of the premium features for your needs in: **Scaling, Multi-tenancy, Enhanced proactive protection, Centralized management, Team collaboration, Integration and automation, Enhanced threat intelligence, and improved support.** --- ## Scaling, Automation & Multi-Tenancy -### Remediation Sync -Automatically synchronize security decisions across your entire organization. Syncs to all Security Engines and Blocklists Integration endpoints, ensuring consistent protection across your infrastructure. -[Learn more about remediation sync](/u/console/remediation_sync) - -### Console Decision Management -Add, delete, and manage security decisions directly from the Console. Force pull blocklists when subscribing or unsubscribing, giving you complete control over your security posture from a central interface. -[Learn more about decision management](/u/console/decisions/decisions_management) - -### Centralized Allowlists -Manage allowlists from a single location and apply them across all security engines and integrations organization-wide. Supports IP expiration for temporary allowlisting. -[Learn more about allowlists](/u/console/allowlists) - -### Service API (SAPI) -Access APIs for console management. 
-[Learn more about Service API](/u/console/service_api/getting_started) - -### Blocklist Creation & Sharing -Via our [Service API (SAPI)](/u/console/service_api/getting_started) Distribute custom blocklists across multiple organizations or partners, enabling coordinated security operations across your business ecosystem. -[Learn more about SAPI Blocklist endpoints](/u/console/service_api/blocklists) - -### Auto Enroll -Automatically enroll new security engines into your organization for streamlined deployment and management. - -### Expanded Organization Seats -Provide view/edit/admin access to you customers or collaborate with team members by adding more seats to your organization. (3 included in bas Premium plan) - -## Extra protection +
+ + + + + + + + + + + + + + + +
-### Threat Forecast Blocklists -Access exclusive, organization-specific blocklists generated from the signals your organization shares with CrowdSec. These blocklists are more precise than community blocklists and provide tailored protection for your infrastructure. -[Learn more about threat forecast blocklists](/u/console/threat_forecast) - -### Expanded Community Blocklist Coverage -Unlock the premium Community Blocklist as a network participant. -Receive up to 50k of the most aggressive attackers targeting similar services as yours *(up from top [3k in Community](/docs/central_api/community_blocklist/#community-blocklist-lite)).* +--- -### Premium Tier Blocklist Access -Get access to our Premium tier blocklists, providing enhanced protection with curated specialized blocklists tailored for different attack vectors. +## Extra Protection + +
+ + + + + + + + + +
-### Unlimited Blocklist Subscriptions -Premium subscribers get unlimited blocklist subscriptions (compared to 3 in Community), allowing you to protect your infrastructure with multiple specialized blocklists simultaneously. -[Learn more about premium tier blocklists features](/u/blocklists/intro#crowdsec-blocklist-tiers) +--- ## Reactivity & Monitoring -### Am I Under Attack Feature -Receive real-time alerts when your infrastructure experiences attack surges. This feature analyzes current traffic patterns against historical baselines to detect anomalous activity, with support for email notifications and webhook integrations. -[Learn more about attack detection](/u/console/security_engines/am_i_under_attack) - -### Push Notifications Integrations -Receive alerts when security engines go offline or become outdated, ensuring your security infrastructure remains operational. -[Learn more about push notifications](/u/console/notification_integrations/overview) - -### Increased Alert Quotas and Extended Retention -Upgrade from the Community Plan's 500 alerts per month and 2-month retention to custom quotas (up to several million alerts) and up to 1 year of retention. This enables comprehensive monitoring of large-scale infrastructures and long-term security analysis. -[Learn more about premium quotas](/u/console/alerts/quotas#why-upgrade-to-premium-) - -### Background Noise Filtering -Automatically filter out internet background radiation and mass scanning activity to focus on genuine threats. Customize noise cancellation levels (Low, Medium, High) to match your security requirements. -[Learn more about background noise filtering](/u/console/alerts/background_noise) - -### IP reputation investigation quotas -Audit what CrowdSec knows about IP addresses, attacking you and present in blocklists, with increased investigation quotas. 
-100 attacker details per week (compared to 30 in Community), including IP reputation and MITRE ATT&CK mappings for comprehensive threat intelligence. - -### CTI API Access -Leverage CrowdSec IP reputation data into your vendors. -Get 100 CTI API calls per week (compared to 30 in Community) for integration with SIEM, SOAR, and other security tools. -[Learn more about CTI API](/u/cti_api/api_integration/integration_intro) +
+ + + + + + + + + + + + + +
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx index 4134ef52d..df430001c 100644 --- a/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx +++ b/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx @@ -2,25 +2,231 @@ id: optimal_setup title: Optimal Premium Upgrade Setup description: Best practices for setting up your Premium upgrade +toc_max_heading_level: 2 --- -When upgrading to a Premium plan, you may not want to upgrade every single Security Engine you monitor. It is common to have a mix of environments: -- **Production:** Requires Premium features (longer data retention, heavy API limits, organization-wide blocklists). -- **Dev / Test / Staging:** Can remain on the Free tier. +import { FeatureCard } from '@site/src/components/premium-upgrade/feature-card'; -Because the Premium Upgrade applies to an entire **Organization**, the optimal strategy is to separate your Security Engines into different contexts before subscribing. +
-When you first create a Console account, your workspace is your "Personal Account". -As a Community account, you can create one extra organization for free. +## 💡 Why Organize Before Upgrading? -We recommend the following setup: -- If you have not already, create a new organization for your **Production** environment. -- Keep your **Dev / Test / Staging** Security Engines in your **Personal Account**. -- Move your **Production** Security Engines to the new **Production** organization. -- Upgrade the **Production** organization to **Premium**. +Premium upgrades apply to an **entire Organization**. You may not want Premium features for all environments—typically only **Production** needs extended retention, higher quotas, and advanced protection. -To split your Security Engines into different organizations, use either: -- The [Transfer feature](/u/console/security_engines/transfer_engine) from the Security Engine page. -- Or via `cscli`, re-enroll your Security Engines in the desired organization with the `--overwrite` flag to force moving them to the new organization. +By organizing your Security Engines **before** upgrading, you save costs and keep your infrastructure organized. -After the transfer, the alerts will reappear in the new organization after a few minutes. +
+ +--- + +## Common Multi-Environment Setup + +Most teams have a mix of environments with different security requirements: + +
+ +
+ +### 🔥 Production Environments + +**Needs Premium:** + +- Extended alert retention (12 months) +- Higher alert quotas (millions/month) +- Organization-wide blocklists +- CTI API access for SIEM integration +- Threat Forecast Blocklist +- Multi-seat team access + +
+ +
+ +### 🧪 Dev / Test / Staging + +**Community is sufficient:** + +- Basic alert monitoring (500/month) +- Short retention (2 months) +- Community blocklist (3k IPs) +- Individual engine management +- Single-user access + +
+ +
+ +--- + +## Recommended Setup Strategy + +
+ +
+ +### 1️⃣ Create Production Organization + +Create a new organization specifically for your Production environment. + +**Community accounts** get **1 extra organization for free** (beyond your Personal Account). + +[Learn about Organizations →](/u/console/organizations/intro) + +
+ +
+ +### 2️⃣ Organize Your Engines + +- **Personal Account:** Keep Dev/Test/Staging engines here (Community tier) +- **Production Org:** Transfer Production engines to the new organization + +You can transfer engines in two ways: +- Console: [Transfer feature](/u/console/security_engines/transfer_engine) +- CLI: Re-enroll with `cscli` + using `--overwrite` flag + +
+ +
+ +### 3️⃣ Upgrade Production Only + +Upgrade **only the Production organization** to Premium. + +Your Dev/Test/Staging environments remain on Community tier with no additional cost. + +✅ Alerts reappear in the new organization within minutes + +
+ +
+ +--- + +## Step-by-Step: Splitting Your Engines + +### Option 1: Transfer via Console UI + +
+ +**Best for:** Quick transfers of individual or small batches of engines + +1. Navigate to **Security Engines** page in Console +2. Select the engine(s) you want to transfer +3. Use the **Transfer** feature to move them to your Production organization +4. Confirm the transfer + +[Transfer Feature Documentation →](/u/console/security_engines/transfer_engine) + +
+ +### Option 2: Re-enroll via `cscli` + +
+ +**Best for:** Bulk transfers, automation, or infrastructure-as-code deployments + +```bash +# Get enrollment key from your Production organization +# Console → Organizations → Production → Enrollment Keys + +# Re-enroll the Security Engine with --overwrite flag +cscli console enroll --overwrite +``` + +The `--overwrite` flag forces the engine to move to the new organization, even if already enrolled elsewhere. + +
+ +--- + +## Example Organizational Structure + +
+ +**Before Organizing (All in Personal Account):** + +- 10 Production servers (web, API, database) +- 5 Staging servers +- 3 Dev laptops + +**After Organizing:** + +**Personal Account (Community - Free):** +- 5 Staging servers +- 3 Dev laptops + +**Production Organization (Premium - Paid):** +- 10 Production servers +- Full Premium features +- Team collaboration with 3 seats +- Extended retention and quotas + +
+ +--- + +## Benefits of This Approach + +
+ + + + + + + + + +
+ +--- + +## When NOT to Separate + +You may want **all** engines in a single Premium organization if: + +- You need extended retention across **all environments** for compliance +- Your team investigates attacks in staging/dev environments regularly +- You want centralized allowlists and blocklists everywhere +- You're an MSP managing multiple client environments (use [Multi-Organization](/u/console/premium_upgrade/features_overview) instead) + +--- + +## Next Steps + +
+ +### Ready to upgrade? + +1. **Organize** your Security Engines across Personal Account and Production Organization +2. **Upgrade** the Production organization to Premium +3. **Test** Premium features during your trial period ([Testing Guide →](/u/console/premium_upgrade/testing_premium)) + + + +
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx index 803bb69c1..a6ba3a2a4 100644 --- a/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx +++ b/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx @@ -2,56 +2,280 @@ id: testing_premium title: Test Premium Value in Your Environment description: Practical ways to measure and experience Premium value during your trial +toc_max_heading_level: 2 --- -Before exploring all Premium features, here are practical ways to measure and experience the value yourself. -The following can be used as a guide during your trial period to assess the benefits of upgrading to Premium. +import { FeatureCard, HighlightCard } from '@site/src/components/premium-upgrade/feature-card'; -## 🎯 Measure Improved Protection +
-**Activate:** -- Community Blocklists (premium) will automatically be sent to your enrolled engines. -- The [Threat Forecast Blocklist](/u/console/threat_forecast) Will be generated automatically used in your organization based on your shared signals. -- Premium Tier Blocklists can be subscribed and subscription numbers per org are unlimited. -- You can activate [Remediation Sync](/u/console/remediation_sync) to propagate decisions across all your enrolled Security Engines. -- Respond faster to a spike of alerts thanks to "Am I Under Attack" +## 🧪 Measure Premium Value During Your Trial -**Measure the impact:** -- **Remediation Metrics:** Track your proactive vs reactive blocking ratio -- **Server Resources:** Monitor CPU, memory, and bandwidth reduction -- **SIEM Logs:** Measure log volume decrease and background noise reduction +Before exploring all Premium features, use this guide to measure and experience the value in your environment. These practical tests help you assess the concrete benefits of Premium during your trial period. -**Expected results:** 2x more proactive blocking, 75-92% less malicious traffic reaching your servers, cleaner logs and reduced alert fatigue. +
--- -## 👥 Enable Team Collaboration +## 🎯 Test 1: Measure Improved Protection -**Activate:** -- Invite collaborators thanks to Multi-Seat Access -- Extended Alert Retention (365 days) allow improved traceability -- Use the improved in-console CTI quotas to enrich your investigations -- Get notified within your tools thanks to [Push Notification Integrations](/u/console/notification_integrations/overview) +
-**How your team benefits:** -- Analyze long-term attack trends and recurring threats -- Conduct CTI investigations directly in the Console -- Multiple team members work simultaneously without access conflicts +### What to Activate -**Expected results:** Faster incident investigations, better threat attribution, reduced tool sprawl. +Premium protection features are automatically enabled when you upgrade: + +- **Community Blocklist (Premium):** Automatically sent to enrolled engines (50k IPs vs 3k) +- **[Threat Forecast Blocklist](/u/console/threat_forecast):** Generated automatically from your organization's shared signals +- **Premium Tier Blocklists:** Subscribe to unlimited specialized blocklists +- **[Remediation Sync](/u/console/remediation_sync):** Propagate decisions across all Security Engines +- **Am I Under Attack:** Get alerted on traffic surges + +
+ +
+ +
+ +### 📊 Metric 1: Remediation Ratio + +**How to measure:** +Check your Console dashboard for proactive vs reactive blocking ratio. + +**Expected result:** +2× more proactive blocking (blocklist hits vs real-time decisions) + +
+ +
+ +### 💻 Metric 2: Server Resources + +**How to measure:** +Monitor CPU, memory, and bandwidth usage on your Security Engines before and after. + +**Expected result:** +75-92% reduction in malicious traffic reaching your servers + +
+ +
+ +### 📝 Metric 3: Log Volume + +**How to measure:** +Check your SIEM or log aggregator for alert volume changes. + +**Expected result:** +Cleaner logs, reduced alert fatigue, fewer false positives + +
+ +
+ + + +--- + +## 👥 Test 2: Enable Team Collaboration + +
+ +### What to Activate + +Enable team features to see collaboration improvements: + +- **Multi-Seat Access:** Invite team members (view/edit/admin roles) +- **Extended Alert Retention:** 365 days of historical data (vs 60 days) +- **Increased CTI Quotas:** 100 IP lookups/week (vs 30) +- **[Push Notification Integrations](/u/console/notification_integrations/overview):** Slack, PagerDuty, webhooks + +
+ +
+ + + + + + + + + +
+ +
+ +**Expected Results:** + +- ⚡ Faster incident investigations (direct CTI access in Console) +- 🔍 Better threat attribution (1-year retention for pattern analysis) +- 🤝 Reduced tool sprawl (team works in one place) +- 📢 Proactive alerting (issues detected before users complain) + +
+ +--- + +## 🏢 Test 3: Scale for MSPs & Enterprises + +
+ +### What to Activate + +Test multi-tenant and automation capabilities: + +- **Multi-Organization:** Create separate organizations for each client/environment +- **[Service API (SAPI)](/u/console/service_api/getting_started):** Automate console management +- **Blocklist Creation & Sharing:** Distribute custom threat intel via API +- **Auto Enroll:** Zero-touch engine enrollment + +
+ +
+ + + + + + + + + +
+ +
+ +**Expected Results:** + +- 🏗️ Clear tenant isolation (one org per client) +- 🤖 Streamlined multi-customer operations (API automation) +- 📊 Custom visibility per client (each org has its own dashboard) +- ⚙️ Infrastructure-as-code ready (zero-touch enrollment) + +
--- -## 🏢 Scale for MSPs & Enterprises +## 🎓 Recommended Trial Timeline + +
+ +
+ +### Week 1: Protection + +- Enable all blocklists +- Activate Background Noise +- Turn on Remediation Sync +- Measure baseline metrics + +
+ +
+ +### Week 2: Team + +- Invite team members +- Test CTI lookups +- Configure push notifications +- Analyze historical trends + +
+ +
+ +### Week 3: Scale + +- Create test organizations +- Test SAPI endpoints +- Try Auto Enroll +- Custom blocklist sharing + +
+ +
+ +### Week 4: Review + +- Compare metrics vs Week 1 +- Document value realized +- Plan production rollout +- Prepare upgrade decision + +
+ +
+ +--- + +## 💡 Need Help Testing? + +
-**Activate:** -- Administrate & share access to your clients thanks to Multi-Organization -- Create & Share Blocklists across organizations via our [Service API (SAPI)](/u/console/service_api/getting_started) +### Questions about your trial? +Our team can help you set up proper testing and measure the value in your specific environment. -**Manage at scale:** -- Segment customer environments (one org per client) -- Share custom threat intelligence across organizations -- Automate blocklist management via API + -**Expected results:** Clear tenant isolation, streamlined multi-customer operations, custom visibility on their defenses. +
diff --git a/crowdsec-docs/unversioned/console/threat_forecast.mdx b/crowdsec-docs/unversioned/console/threat_forecast.mdx
index dd109a774..e4d78b10a 100644
--- a/crowdsec-docs/unversioned/console/threat_forecast.mdx
+++ b/crowdsec-docs/unversioned/console/threat_forecast.mdx
@@ -15,7 +15,7 @@ It provides an additional layer of security on top of the community blocklist. I
 ## Enabling the Threat Forecast
-The Threat Forecast is automatically enabled after a plan upgrade. Similar to the community blocklist, the Threat Forecast blocklist is also automatically pushed to all your security engines. Users that want more finegrained control over their subscription can manage the blocklist under the blocklist tab in their console. For more detail, check the [blocklist page](/console/blocklists/subscription.md).
+The Threat Forecast is automatically enabled after a plan upgrade. Similar to the community blocklist, the Threat Forecast Blocklist is also automatically pushed to all your security engines. Users that want more finegrained control over their subscription can manage the blocklist under the blocklist tab in their console. For more detail, check the [blocklist page](/console/blocklists/subscription.md).
 ## Disabling the Threat Forecast