From 9a96e2f6c6e7329ec25e677feb02dfdc329ab66f Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Thu, 19 Mar 2026 14:36:30 +0100
Subject: [PATCH 01/14] basic ugly change

---
 .../premium_upgrade/features_overview.mdx     | 473 ++++++++++++++++--
 1 file changed, 419 insertions(+), 54 deletions(-)

diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
index a258ed773..ac1c93569 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
@@ -1,82 +1,447 @@
 ---
 id: features_overview
-title: Premium Features Overview
-description: Comprehensive overview of all Premium features
+title: Find Premium Features Made for You
+description: Discover Premium features tailored to your role - DevOps, SecOps, or MSP
 ---
 
-Premium features enable multiple use cases.
-Make the best use of the premium features for your needs in: **Scaling, Multi-tenancy, Inhanced proactive protection, Centralized management, Team collaboration, Integration and automation, Enhanced threat intelligence, and improved support.**
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import Link from '@docusaurus/Link';
+
+<div style={{marginBottom: '2rem'}}>
+
+# Find Premium Features **Made for You**
+
+Premium unlocks advanced capabilities based on your role. **Select your profile below** to see only the features that matter most to you.
+
+</div>
+
+<Tabs groupId="user-persona" className="premium-persona-tabs">
+<TabItem value="devops" label="⚙️ DevOps / SRE" default>
+
+## Solo or Small Team Infrastructure Management
+
+**Best for:** Individual engineers or small teams managing infrastructure, focused on reducing noise and blocking more threats efficiently.
 
 ---
 
-## Scaling, Automation & Multi-Tenancy
+### 🛡️ Enhanced Protection
 
-### Remediation Sync
-Automatically synchronize security decisions across your entire organization. Syncs to all Security Engines and Blocklists Integration endpoints, ensuring consistent protection across your infrastructure.
-[Learn more about remediation sync](/u/console/remediation_sync)
+#### Extended Community Blocklist
+**3k → 50k IPs**
 
-### Console Decision Management
-Add, delete, and manage security decisions directly from the Console. Force pull blocklists when subscribing or unsubscribing, giving you complete control over your security posture from a central interface.
-[Learn more about decision management](/u/console/decisions/decisions_management)
+Receive the top 50,000 most aggressive attackers targeting services like yours (up from 3,000 in Community). More attackers blocked before they reach your servers.
 
-### Centralized Allowlists
-Manage allowlists from a single location and apply them across all security engines and integrations organization-wide. Supports IP expiration for temporary allowlisting.
-[Learn more about allowlists](/u/console/allowlists)
+> **Community:** top 3k → **Premium:** top 50k (×16)
 
-### Service API (SAPI)
-Access APIs for console management.
-[Learn more about Service API](/u/console/service_api/getting_started)
+[Learn more about blocklists](/u/console/blocklists/intro)
+
+#### Threat Forecast Blocklist
+**Organization-specific protection**
+
+Automatically generated blocklists from signals shared by your organization. More precise than community lists—tailored to your specific infrastructure.
+
+> **Community:** generic list → **Premium:** org-specific
+
+[Learn more about Threat Forecast](/u/console/threat_forecast)
+
+#### Background Noise Filtering
+**−75% to −92% noise reduction**
+
+Automatically filter internet background radiation (mass scanners, crawlers) to focus on real threats. Configurable levels: Low, Medium, High.
+
+> **Community:** all signals → **Premium:** real threats only
+
+[Learn more about Background Noise](/u/console/alerts/background_noise)
+
+#### Unlimited Blocklist Subscriptions
+**3 → ∞**
+
+Subscribe to as many specialized blocklists as needed—bruteforce, botnets, tor, scanners, proxies—without limits.
+
+> **Community:** 3 max → **Premium:** unlimited
+
+[Browse Premium blocklists](/u/blocklists/intro#crowdsec-blocklist-tiers)
+
+---
+
+### ⚡ Automation & Sync
 
-### Blocklist Creation & Sharing
-Via our [Service API (SAPI)](/u/console/service_api/getting_started) Distribute custom blocklists across multiple organizations or partners, enabling coordinated security operations across your business ecosystem.
-[Learn more about SAPI Blocklist endpoints](/u/console/service_api/blocklists)
+#### Remediation Sync
+**Synchronize decisions across your entire infrastructure**
 
-### Auto Enroll
-Automatically enroll new security engines into your organization for streamlined deployment and management.
+Automatically sync security decisions to all Security Engines and integrations. One blocklist update propagates everywhere—zero manual work.
 
-### Expanded Organization Seats
-Provide view/edit/admin access to you customers or collaborate with team members by adding more seats to your organization. (3 included in bas Premium plan)
+- **2× more proactive blocking**
+- **0 manual propagation**
 
-## Extra protection
+[Learn more about Remediation Sync](/u/console/remediation_sync)
 
-### Threat Forecast Blocklists
-Access exclusive, organization-specific blocklists generated from the signals your organization shares with CrowdSec. These blocklists are more precise than community blocklists and provide tailored protection for your infrastructure.
-[Learn more about threat forecast blocklists](/u/console/threat_forecast)
+#### Auto Enroll
+**Zero-touch deployment**
 
-### Expanded Community Blocklist Coverage
-Unlock the premium Community Blocklist as a network participant.
-Receive up to 50k of the most aggressive attackers targeting similar services as yours *(up from top [3k in Community](/docs/central_api/community_blocklist/#community-blocklist-lite)).*
+Automatically enroll new Security Engines into your organization as they're deployed. Perfect for infrastructure-as-code (Terraform, Ansible, K8s).
 
-### Premium Tier Blocklist Access
-Get access to our Premium tier blocklists, providing enhanced protection with curated specialized blocklists tailored for different attack vectors.
+> **Community:** manual enrollment → **Premium:** automatic enrollment
 
-### Unlimited Blocklist Subscriptions
-Premium subscribers get unlimited blocklist subscriptions (compared to 3 in Community), allowing you to protect your infrastructure with multiple specialized blocklists simultaneously.
-[Learn more about premium tier blocklists features](/u/blocklists/intro#crowdsec-blocklist-tiers)
+---
+
+### 📊 Monitoring
+
+#### Am I Under Attack
+**Real-time attack surge detection**
 
-## Reactivity & Monitoring
+Get alerted when abnormal attack surges are detected on your infrastructure. Compares current traffic to historical baselines. Includes webhook + email notifications.
 
-### Am I Under Attack Feature
-Receive real-time alerts when your infrastructure experiences attack surges. This feature analyzes current traffic patterns against historical baselines to detect anomalous activity, with support for email notifications and webhook integrations.
 [Learn more about attack detection](/u/console/security_engines/am_i_under_attack)
 
-### Push Notifications Integrations
-Receive alerts when security engines go offline or become outdated, ensuring your security infrastructure remains operational.
-[Learn more about push notifications](/u/console/notification_integrations/overview)
+---
+
+### 💡 Why Premium for DevOps/SRE?
+
+- **Less noise, more signal**: Filter out scanner noise and focus on real threats
+- **Automation-first**: Sync decisions automatically, enroll engines without manual steps
+- **Better blocking**: Access to 50k+ IPs and organization-specific threat intel
+- **Peace of mind**: Get alerted when attacks surge
+
+</TabItem>
+
+<TabItem value="secops" label="🛡️ SecOps / Blue Team">
+
+## Team Collaboration & Investigation
+
+**Best for:** Security teams that need to collaborate, investigate incidents, and maintain data retention for compliance and audits.
+
+---
+
+### 👥 Team Collaboration
+
+#### Multi-Seat Access
+**3 seats included**
+
+Give view/edit/admin access to your team. Multiple members work simultaneously without access conflicts. Add more seats as needed.
+
+> **Community:** 1 user only → **Premium:** full team
+
+[Learn more about Organizations](/u/console/organizations/intro)
+
+#### Centralized Allowlists
+**Organization-wide management**
+
+Manage allowlists from one place and apply across all Security Engines and integrations. Supports automatic expiration for temporary allowlists.
+
+> **Community:** per-engine → **Premium:** centralized + expiration
+
+[Learn more about Allowlists](/u/console/allowlists)
+
+---
+
+### 🔍 Investigation & Forensics
+
+#### Extended Alert Retention
+**2 months → 1 year**
+
+Keep up to 1 year of alerts with custom quotas (up to millions/month). Essential for audits, forensic investigation, and trend analysis.
+
+> **Community:** 500/month, 2 months → **Premium:** millions/month, 365 days
+
+[Learn more about quotas](/u/console/alerts/quotas#why-upgrade-to-premium-)
+
+#### IP Reputation Investigation
+**30 → 100 lookups/week**
 
-### Increased Alert Quotas and Extended Retention
-Upgrade from the Community Plan's 500 alerts per month and 2-month retention to custom quotas (up to several million alerts) and up to 1 year of retention. This enables comprehensive monitoring of large-scale infrastructures and long-term security analysis.
-[Learn more about premium quotas](/u/console/alerts/quotas#why-upgrade-to-premium-)
+View complete IP profiles: reputation, behavior, fingerprint, MITRE ATT&CK. Direct from Console for investigations.
 
-### Background Noise Filtering
-Automatically filter out internet background radiation and mass scanning activity to focus on genuine threats. Customize noise cancellation levels (Low, Medium, High) to match your security requirements.
-[Learn more about background noise filtering](/u/console/alerts/background_noise)
+> **Community:** 30 lookups/week → **Premium:** 100 lookups/week
 
-### IP reputation investigation quotas
-Audit what CrowdSec knows about IP addresses, attacking you and present in blocklists, with increased investigation quotas.
-100 attacker details per week (compared to 30 in Community), including IP reputation and MITRE ATT&CK mappings for comprehensive threat intelligence.
+#### CTI API Access
+**30 → 100 calls/week**
+
+Query CrowdSec IP reputation from your SIEM, SOAR or custom tools. Includes MITRE ATT&CK mappings for contextual threat qualification.
+
+> **Community:** 30 calls/week → **Premium:** 100 calls/week
 
-### CTI API Access
-Leverage CrowdSec IP reputation data into your vendors.
-Get 100 CTI API calls per week (compared to 30 in Community) for integration with SIEM, SOAR, and other security tools.
 [Learn more about CTI API](/u/cti_api/api_integration/integration_intro)
+
+#### Background Noise Filtering
+**Focus on real threats**
+
+Filter internet background radiation automatically. Configurable levels (Low, Medium, High) to match security requirements.
+
+[Learn more about Background Noise](/u/console/alerts/background_noise)
+
+---
+
+### 🔔 Monitoring & Alerting
+
+#### Am I Under Attack
+**Real-time attack detection**
+
+Alert when attack surges are detected on your infrastructure. Compares current traffic vs. historical baselines. Webhook + email included.
+
+[Learn more about attack detection](/u/console/security_engines/am_i_under_attack)
+
+#### Push Notifications Integrations
+**Slack · PagerDuty**
+
+Receive alerts in existing tools when Security Engines go offline or become outdated. Native integrations with major SecOps tools.
+
+> **Community:** email only → **Premium:** webhooks + integrations
+
+[Learn more about Notifications](/u/console/notification_integrations/overview)
+
+---
+
+### 🛡️ Protection Features
+
+#### Extended Community Blocklist
+**3k → 50k IPs**
+
+Top 50,000 most aggressive attackers (up from 3,000 in Community).
+
+[Learn more about blocklists](/u/console/blocklists/intro)
+
+#### Threat Forecast Blocklist
+**Organization-specific**
+
+Automatically generated blocklists from your organization's shared signals.
+
+[Learn more about Threat Forecast](/u/console/threat_forecast)
+
+#### Remediation Sync
+**Automatic propagation**
+
+Sync security decisions across all engines and integrations automatically.
+
+[Learn more about Remediation Sync](/u/console/remediation_sync)
+
+---
+
+### 💡 Why Premium for SecOps/Blue Team?
+
+- **Team collaboration**: Multiple seats with role-based access
+- **Long-term retention**: 1 year of alerts for compliance and forensics
+- **Rich investigation**: 100 CTI lookups/week with MITRE ATT&CK context
+- **Integration-ready**: Push to Slack, PagerDuty, SIEM tools
+
+</TabItem>
+
+<TabItem value="msp" label="🏢 MSP / Integrator">
+
+## Multi-Tenant Management & Automation
+
+**Best for:** MSPs and integrators managing security for multiple clients, requiring isolation, automation, and API-driven workflows.
+
+---
+
+### 🏗️ Multi-Tenancy & Isolation
+
+#### Multi-Organization 🔖 MSP
+**Complete client isolation**
+
+Segment client environments into separate organizations. Each client sees only their data. Manage all clients from a single account.
+
+> **Community:** 1 organization → **Premium:** unlimited orgs
+
+---
+
+### 🤖 Automation & API
+
+#### Service API (SAPI) 🔖 API
+**REST + webhooks**
+
+Automate Console management: create and share custom blocklists, manage decisions and enrollments via API. Integrate into CI/CD or SOAR pipelines.
+
+> **Community:** no API access → **Premium:** full SAPI
+
+[Learn more about Service API](/u/console/service_api/getting_started)
+
+#### Auto Enroll
+**Zero-touch deployment**
+
+Automatically enroll new Security Engines into your organization as deployed. Perfect for infrastructure-as-code deployments (Terraform, Ansible, K8s).
+
+> **Community:** manual enrollment → **Premium:** automatic enrollment
+
+#### Blocklist Creation & Sharing
+**Custom blocklists via API**
+
+Create and distribute custom blocklists across multiple organizations or partners. Enable coordinated security operations across your ecosystem.
+
+[Learn more about SAPI Blocklists](/u/console/service_api/blocklists)
+
+#### Remediation Sync
+**Automatic propagation**
+
+Sync security decisions across all client engines and integrations automatically.
+
+[Learn more about Remediation Sync](/u/console/remediation_sync)
+
+---
+
+### 👥 Team & Client Management
+
+#### Multi-Seat Access
+**3 seats included**
+
+Provide view/edit/admin access to team members or clients. Add seats as your business grows.
+
+[Learn more about Organizations](/u/console/organizations/intro)
+
+#### Centralized Allowlists
+**Organization-wide**
+
+Manage allowlists centrally and apply across all Security Engines. Supports expiration for temporary allowlisting.
+
+[Learn more about Allowlists](/u/console/allowlists)
+
+---
+
+### 🛡️ Protection at Scale
+
+#### Extended Community Blocklist
+**3k → 50k IPs**
+
+Access to 50,000 most aggressive IPs (vs 3,000 in Community).
+
+[Learn more about blocklists](/u/console/blocklists/intro)
+
+#### Unlimited Blocklist Subscriptions
+**3 → ∞**
+
+Subscribe to unlimited specialized blocklists per organization.
+
+#### Threat Forecast Blocklist
+**Per organization**
+
+Each organization gets tailored blocklists from their shared signals.
+
+[Learn more about Threat Forecast](/u/console/threat_forecast)
+
+#### Background Noise Filtering
+**Reduce alert fatigue**
+
+Filter internet noise automatically across all client organizations.
+
+[Learn more about Background Noise](/u/console/alerts/background_noise)
+
+---
+
+### 💡 Why Premium for MSPs?
+
+- **Multi-tenant architecture**: Complete client isolation with unlimited organizations
+- **API-first**: Full Service API for automation and integration
+- **Scalability**: Auto-enroll, remediation sync, unlimited blocklists
+- **White-label ready**: Manage all clients from single dashboard
+
+</TabItem>
+</Tabs>
+
+---
+
+## Community vs Premium: Key Differences
+
+| Feature | Community | Premium |
+|---------|-----------|---------|
+| **Community Blocklist** | Top 3,000 IPs | Top 50,000 IPs |
+| **Blocklist Subscriptions** | 3 max | Unlimited |
+| **Alerts per Month** | 500 | Up to millions |
+| **Alert Retention** | 2 months | 12 months |
+| **Remediation Sync** | ✗ | ✓ |
+| **Background Noise Filter** | ✗ | ✓ |
+| **Am I Under Attack** | ✗ | ✓ |
+| **Threat Forecast Blocklist** | ✗ | ✓ |
+| **Organization Seats** | 1 | 3 included + more |
+| **CTI API Lookups/Week** | 30 | 100 |
+| **Service API (SAPI)** | ✗ | ✓ |
+| **Multi-Organization (MSP)** | ✗ | ✓ (option) |
+
+---
+
+## How to Upgrade to Premium
+
+### 1️⃣ Compare Plans
+
+Review available plans and pricing based on your volume and requirements.
+
+### 2️⃣ Upgrade or Contact
+
+Upgrade self-service in minutes, or contact our team for custom plans (enterprise, MSP, volume).
+
+### 3️⃣ Immediate Access
+
+All Premium features available instantly in your organization. No migration required.
+
+---
+
+## Ready to Go Further?
+
+Start with a trial or discuss your needs with our team. No immediate commitment required.
+
+<div style={{display: 'flex', gap: '1rem', marginTop: '1.5rem'}}>
+	<a href="https://app.crowdsec.net/pricing" className="button button--primary">View Pricing →</a>
+	<a href="https://www.crowdsec.net/contact-crowdsec" className="button button--secondary">Contact Team</a>
+</div>
+
+---
+
+## Next Steps
+
+- [**Optimal Setup**](/u/console/premium_upgrade/optimal_setup) - Organize your Security Engines before migrating
+- [**Testing Premium**](/u/console/premium_upgrade/testing_premium) - Measure the value concretely during your trial
+
+---
+
+## All Premium Features (Reference)
+
+### Scaling, Automation & Multi-Tenancy
+
+**Remediation Sync** - Automatically synchronize security decisions across your entire organization. Syncs to all Security Engines and Blocklists Integration endpoints, ensuring consistent protection across your infrastructure.
+[Learn more](/u/console/remediation_sync)
+
+**Console Decision Management** - Add, delete, and manage security decisions directly from the Console. Force pull blocklists when subscribing or unsubscribing.
+[Learn more](/u/console/decisions/decisions_management)
+
+**Centralized Allowlists** - Manage allowlists from a single location and apply them across all security engines and integrations organization-wide. Supports IP expiration for temporary allowlisting.
+[Learn more](/u/console/allowlists)
+
+**Service API (SAPI)** - Access APIs for console management, blocklist creation, decision management, and more.
+[Learn more](/u/console/service_api/getting_started)
+
+**Blocklist Creation & Sharing** - Distribute custom blocklists across multiple organizations or partners via SAPI, enabling coordinated security operations.
+[Learn more](/u/console/service_api/blocklists)
+
+**Auto Enroll** - Automatically enroll new security engines into your organization for streamlined deployment and management.
+
+**Expanded Organization Seats** - Provide view/edit/admin access to customers or collaborate with team members. 3 seats included in base Premium plan.
+
+### Extra Protection
+
+**Threat Forecast Blocklists** - Access exclusive, organization-specific blocklists generated from the signals your organization shares with CrowdSec. More precise than community blocklists.
+[Learn more](/u/console/threat_forecast)
+
+**Expanded Community Blocklist Coverage** - Receive up to 50k of the most aggressive attackers targeting similar services as yours (up from top [3k in Community](/docs/central_api/community_blocklist/#community-blocklist-lite)).
+
+**Premium Tier Blocklist Access** - Get access to Premium tier blocklists, providing enhanced protection with curated specialized blocklists tailored for different attack vectors.
+
+**Unlimited Blocklist Subscriptions** - Unlimited blocklist subscriptions (compared to 3 in Community), allowing you to protect your infrastructure with multiple specialized blocklists simultaneously.
+[Learn more](/u/blocklists/intro#crowdsec-blocklist-tiers)
+
+### Reactivity & Monitoring
+
+**Am I Under Attack Feature** - Receive real-time alerts when your infrastructure experiences attack surges. Analyzes current traffic patterns against historical baselines to detect anomalous activity.
+[Learn more](/u/console/security_engines/am_i_under_attack)
+
+**Push Notifications Integrations** - Receive alerts when security engines go offline or become outdated, ensuring your security infrastructure remains operational.
+[Learn more](/u/console/notification_integrations/overview)
+
+**Increased Alert Quotas and Extended Retention** - Upgrade from Community's 500 alerts per month and 2-month retention to custom quotas (up to several million alerts) and up to 1 year of retention.
+[Learn more](/u/console/alerts/quotas#why-upgrade-to-premium-)
+
+**Background Noise Filtering** - Automatically filter out internet background radiation and mass scanning activity to focus on genuine threats. Customize noise cancellation levels (Low, Medium, High).
+[Learn more](/u/console/alerts/background_noise)
+
+**IP Reputation Investigation Quotas** - 100 attacker details per week (compared to 30 in Community), including IP reputation and MITRE ATT&CK mappings for comprehensive threat intelligence.
+
+**CTI API Access** - Get 100 CTI API calls per week (compared to 30 in Community) for integration with SIEM, SOAR, and other security tools.
+[Learn more](/u/cti_api/api_integration/integration_intro)

From ae3f67e29c6ef5521a3c406e744e49f8731bdc0f Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Thu, 19 Mar 2026 15:35:50 +0100
Subject: [PATCH 02/14] new premium features overview

---
 .../premium-upgrade/feature-card.tsx          | 148 ++++++
 crowdsec-docs/src/css/custom.css              |   1 +
 crowdsec-docs/src/css/premium-upgrade.css     |  82 +++
 .../premium_upgrade/features_overview.mdx     | 488 +++++++++++-------
 4 files changed, 531 insertions(+), 188 deletions(-)
 create mode 100644 crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
 create mode 100644 crowdsec-docs/src/css/premium-upgrade.css

diff --git a/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx b/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
new file mode 100644
index 000000000..1ff453e96
--- /dev/null
+++ b/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
@@ -0,0 +1,148 @@
+import Link from "@docusaurus/Link";
+import React from "react";
+
+export interface FeatureCardProps {
+	title: string;
+	metric?: string;
+	description: string;
+	comparison?: {
+		before: string;
+		after: string;
+	};
+	link?: string;
+	category?: "protection" | "scale" | "monitoring" | "intelligence";
+	highlight?: boolean;
+	badges?: string[];
+}
+
+const categoryColors = {
+	protection: {
+		border: "border-l-4 border-l-red-500 dark:border-l-red-400",
+		metric: "bg-red-50 dark:bg-red-900/20 text-red-700 dark:text-red-300",
+	},
+	scale: {
+		border: "border-l-4 border-l-purple-500 dark:border-l-purple-400",
+		metric: "bg-purple-50 dark:bg-purple-900/20 text-purple-700 dark:text-purple-300",
+	},
+	monitoring: {
+		border: "border-l-4 border-l-teal-500 dark:border-l-teal-400",
+		metric: "bg-teal-50 dark:bg-teal-900/20 text-teal-700 dark:text-teal-300",
+	},
+	intelligence: {
+		border: "border-l-4 border-l-yellow-600 dark:border-l-yellow-500",
+		metric: "bg-yellow-50 dark:bg-yellow-900/20 text-yellow-700 dark:text-yellow-300",
+	},
+};
+
+export const FeatureCard = ({
+	title,
+	metric,
+	description,
+	comparison,
+	link,
+	category = "protection",
+	highlight = false,
+	badges = [],
+}: FeatureCardProps): React.JSX.Element => {
+	const colors = categoryColors[category];
+
+	const cardContent = (
+		<div
+			className={`
+				h-full border border-solid border-border rounded-lg p-5 bg-card
+				hover:shadow-md hover:border-primary/30 transition-all duration-200
+				${category ? colors.border : ""}
+				${highlight ? "bg-gradient-to-r from-primary/5 to-transparent border-primary/30" : ""}
+			`}
+		>
+			<div className="flex items-start justify-between gap-3 mb-3">
+				<div className="flex-1">
+					<h4 className="font-semibold text-base mb-1 text-gray-900 dark:text-gray-900">
+						{title}
+						{badges.map((badge) => (
+							<span
+								key={badge}
+								className="ml-2 text-xs bg-yellow-100 dark:bg-yellow-900/30 text-yellow-800 dark:text-yellow-300 px-2 py-0.5 rounded-full"
+							>
+								{badge}
+							</span>
+						))}
+					</h4>
+				</div>
+				{metric && (
+					<span className={`flex-shrink-0 text-xs font-medium px-3 py-1 rounded-full whitespace-nowrap ${colors.metric}`}>
+						{metric}
+					</span>
+				)}
+			</div>
+			<p className="text-sm text-gray-600 dark:text-gray-700 mb-3 leading-relaxed">{description}</p>
+			{comparison && (
+				<div className="mt-3 p-3 bg-gray-50 dark:bg-gray-900/30 rounded-md text-xs">
+					<span className="text-gray-500 dark:text-gray-600 line-through">{comparison.before}</span>
+					{" → "}
+					<span className="font-semibold text-primary">{comparison.after}</span>
+				</div>
+			)}
+			{link && (
+				<div className="mt-3 text-sm font-medium text-primary hover:underline">
+					Learn more →
+				</div>
+			)}
+		</div>
+	);
+
+	if (link) {
+		return (
+			<Link href={link} className="hover:no-underline block">
+				{cardContent}
+			</Link>
+		);
+	}
+
+	return cardContent;
+};
+
+export interface HighlightCardProps {
+	title: string;
+	description: string;
+	stats?: Array<{
+		value: string;
+		label: string;
+	}>;
+	link?: string;
+	category?: "protection" | "scale" | "monitoring" | "intelligence";
+}
+
+export const HighlightCard = ({ title, description, stats, link, category = "protection" }: HighlightCardProps): React.JSX.Element => {
+	const content = (
+		<div className="border border-solid border-primary/30 rounded-lg p-6 bg-gradient-to-r from-primary/5 to-transparent hover:shadow-md transition-all">
+			<h4 className="font-semibold text-lg mb-2 text-gray-900 dark:text-gray-900">{title}</h4>
+			<p className="text-sm text-gray-600 dark:text-gray-700 mb-4 leading-relaxed">{description}</p>
+			{stats && stats.length > 0 && (
+				<div className="flex gap-8 mt-4">
+					{stats.map((stat, idx) => (
+						<div key={idx} className="text-center">
+							<div className="text-3xl font-bold text-primary">{stat.value}</div>
+							<div className="text-xs text-gray-500 dark:text-gray-600 mt-1">{stat.label}</div>
+						</div>
+					))}
+				</div>
+			)}
+			{link && (
+				<div className="mt-4 text-sm font-medium text-primary hover:underline">
+					Learn more →
+				</div>
+			)}
+		</div>
+	);
+
+	if (link) {
+		return (
+			<Link href={link} className="hover:no-underline block">
+				{content}
+			</Link>
+		);
+	}
+
+	return content;
+};
diff --git a/crowdsec-docs/src/css/custom.css b/crowdsec-docs/src/css/custom.css
index cda298f98..18a40585f 100644
--- a/crowdsec-docs/src/css/custom.css
+++ b/crowdsec-docs/src/css/custom.css
@@ -9,6 +9,7 @@
 @import url("code.css");
 @import url("navbar.css");
 @import url("swagger-dark.css");
+@import url("premium-upgrade.css");
 
 /**
  * Any CSS included here will be global. The classic template
diff --git a/crowdsec-docs/src/css/premium-upgrade.css b/crowdsec-docs/src/css/premium-upgrade.css
new file mode 100644
index 000000000..4fd462e3c
--- /dev/null
+++ b/crowdsec-docs/src/css/premium-upgrade.css
@@ -0,0 +1,82 @@
+/* Premium Upgrade Page Styles */
+
+/* Make tabs look more like persona cards */
+.premium-persona-tabs .tabs__item {
+	font-size: 0.9rem;
+	padding: 0.5rem 1rem;
+	border-radius: 0.5rem;
+	transition: all 0.2s ease;
+}
+
+.premium-persona-tabs .tabs__item:hover {
+	background-color: rgb(var(--muted));
+}
+
+.premium-persona-tabs .tabs__item--active {
+	background: rgb(var(--primary) / 0.1);
+	color: rgb(var(--primary));
+	border-color: rgb(var(--primary) / 0.3);
+}
+
+/* Feature card animations */
+.feature-card {
+	animation: fadeIn 0.3s ease-in-out;
+}
+
+@keyframes fadeIn {
+	from {
+		opacity: 0;
+		transform: translateY(10px);
+	}
+	to {
+		opacity: 1;
+		transform: translateY(0);
+	}
+}
+
+/* Highlight card extra styling */
+.feature-card-highlight {
+	position: relative;
+	overflow: hidden;
+}
+
+.feature-card-highlight::before {
+	content: '';
+	position: absolute;
+	top: 0;
+	left: 0;
+	right: 0;
+	height: 3px;
+	background: linear-gradient(90deg, rgb(var(--primary)), rgb(var(--secondary)));
+}
+
+/* Category color accents - left border */
+.category-protection {
+	border-left: 4px solid rgb(var(--color-red));
+}
+
+.category-scale {
+	border-left: 4px solid rgb(133 149 208); /* purple from colors */
+}
+
+.category-monitoring {
+	border-left: 4px solid rgb(75 192 192); /* teal */
+}
+
+.category-intelligence {
+	border-left: 4px solid rgb(var(--color-yellow));
+}
+
+/* Responsive grid improvements */
+@media (max-width: 768px) {
+	.premium-persona-tabs .tabs__item {
+		font-size: 0.8rem;
+		padding: 0.4rem 0.8rem;
+	}
+}
+
+/* Button improvements for CTA */
+.button--lg {
+	padding: 0.75rem 1.5rem;
+	font-size: 1rem;
+}
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
index ac1c93569..358028d8d 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
@@ -7,6 +7,7 @@ description: Discover Premium features tailored to your role - DevOps, SecOps, o
 import Tabs from '@theme/Tabs';
 import TabItem from '@theme/TabItem';
 import Link from '@docusaurus/Link';
+import { FeatureCard, HighlightCard } from '@site/src/components/premium-upgrade/feature-card';
 
 <div style={{marginBottom: '2rem'}}>
 
@@ -27,73 +28,97 @@ Premium unlocks advanced capabilities based on your role. **Select your profile
 
 ### 🛡️ Enhanced Protection
 
-#### Extended Community Blocklist
-**3k → 50k IPs**
-
-Receive the top 50,000 most aggressive attackers targeting services like yours (up from 3,000 in Community). More attackers blocked before they reach your servers.
-
-> **Community:** top 3k → **Premium:** top 50k (×16)
-
-[Learn more about blocklists](/u/console/blocklists/intro)
-
-#### Threat Forecast Blocklist
-**Organization-specific protection**
-
-Automatically generated blocklists from signals shared by your organization. More precise than community lists—tailored to your specific infrastructure.
-
-> **Community:** generic list → **Premium:** org-specific
-
-[Learn more about Threat Forecast](/u/console/threat_forecast)
-
-#### Background Noise Filtering
-**−75% to −92% noise reduction**
-
-Automatically filter internet background radiation (mass scanners, crawlers) to focus on real threats. Configurable levels: Low, Medium, High.
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Extended Community Blocklist"
+	metric="3k → 50k IPs"
+	category="protection"
+	description="Receive the top 50,000 most aggressive attackers targeting services like yours (up from 3,000 in Community). More attackers blocked before they reach your servers."
+	comparison={{
+		before: "Community: top 3k",
+		after: "Premium: top 50k (×16)"
+	}}
+	link="/u/console/blocklists/intro"
+/>
+
+<FeatureCard
+	title="Threat Forecast Blocklist"
+	metric="Organization-specific"
+	category="protection"
+	description="Automatically generated blocklists from signals shared by your organization. More precise than community lists—tailored to your specific infrastructure."
+	comparison={{
+		before: "Community: generic list",
+		after: "Premium: org-specific"
+	}}
+	link="/u/console/threat_forecast"
+/>
+
+<FeatureCard
+	title="Background Noise Filtering"
+	metric="−75% to −92% noise"
+	category="protection"
+	description="Automatically filter internet background radiation (mass scanners, crawlers) to focus on real threats. Configurable levels: Low, Medium, High."
+	comparison={{
+		before: "Community: all signals",
+		after: "Premium: real threats only"
+	}}
+	link="/u/console/alerts/background_noise"
+/>
+
+<FeatureCard
+	title="Unlimited Blocklist Subscriptions"
+	metric="3 → ∞"
+	category="protection"
+	description="Subscribe to as many specialized blocklists as needed—bruteforce, botnets, tor, scanners, proxies—without limits."
+	comparison={{
+		before: "Community: 3 max",
+		after: "Premium: unlimited"
+	}}
+	link="/u/blocklists/intro#crowdsec-blocklist-tiers"
+/>
 
-> **Community:** all signals → **Premium:** real threats only
-
-[Learn more about Background Noise](/u/console/alerts/background_noise)
-
-#### Unlimited Blocklist Subscriptions
-**3 → ∞**
-
-Subscribe to as many specialized blocklists as needed—bruteforce, botnets, tor, scanners, proxies—without limits.
-
-> **Community:** 3 max → **Premium:** unlimited
-
-[Browse Premium blocklists](/u/blocklists/intro#crowdsec-blocklist-tiers)
+</div>
 
 ---
 
 ### ⚡ Automation & Sync
 
-#### Remediation Sync
-**Synchronize decisions across your entire infrastructure**
-
-Automatically sync security decisions to all Security Engines and integrations. One blocklist update propagates everywhere—zero manual work.
-
-- **2× more proactive blocking**
-- **0 manual propagation**
-
-[Learn more about Remediation Sync](/u/console/remediation_sync)
-
-#### Auto Enroll
-**Zero-touch deployment**
-
-Automatically enroll new Security Engines into your organization as they're deployed. Perfect for infrastructure-as-code (Terraform, Ansible, K8s).
-
-> **Community:** manual enrollment → **Premium:** automatic enrollment
+<HighlightCard
+	title="Remediation Sync"
+	category="protection"
+	description="Automatically sync security decisions to all Security Engines and integrations. One blocklist update propagates everywhere—zero manual work."
+	stats={[
+		{ value: "2×", label: "more proactive blocking" },
+		{ value: "0", label: "manual propagation" }
+	]}
+	link="/u/console/remediation_sync"
+/>
+
+<div className="mt-4">
+<FeatureCard
+	title="Auto Enroll"
+	metric="Zero-touch"
+	category="scale"
+	description="Automatically enroll new Security Engines into your organization as they're deployed. Perfect for infrastructure-as-code (Terraform, Ansible, K8s)."
+	comparison={{
+		before: "Community: manual enrollment",
+		after: "Premium: automatic enrollment"
+	}}
+/>
+</div>
 
 ---
 
 ### 📊 Monitoring
 
-#### Am I Under Attack
-**Real-time attack surge detection**
-
-Get alerted when abnormal attack surges are detected on your infrastructure. Compares current traffic to historical baselines. Includes webhook + email notifications.
-
-[Learn more about attack detection](/u/console/security_engines/am_i_under_attack)
+<FeatureCard
+	title="Am I Under Attack"
+	metric="Real-time"
+	category="monitoring"
+	description="Get alerted when abnormal attack surges are detected on your infrastructure. Compares current traffic to historical baselines. Includes webhook + email notifications."
+	link="/u/console/security_engines/am_i_under_attack"
+/>
 
 ---
 
@@ -116,79 +141,112 @@ Get alerted when abnormal attack surges are detected on your infrastructure. Com
 
 ### 👥 Team Collaboration
 
-#### Multi-Seat Access
-**3 seats included**
-
-Give view/edit/admin access to your team. Multiple members work simultaneously without access conflicts. Add more seats as needed.
-
-> **Community:** 1 user only → **Premium:** full team
-
-[Learn more about Organizations](/u/console/organizations/intro)
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Multi-Seat Access"
+	metric="3 seats included"
+	category="scale"
+	description="Give view/edit/admin access to your team. Multiple members work simultaneously without access conflicts. Add more seats as needed."
+	comparison={{
+		before: "Community: 1 user only",
+		after: "Premium: full team"
+	}}
+	link="/u/console/organizations/intro"
+/>
+
+<FeatureCard
+	title="Centralized Allowlists"
+	metric="Organization-wide"
+	category="scale"
+	description="Manage allowlists from one place and apply across all Security Engines and integrations. Supports automatic expiration for temporary allowlists."
+	comparison={{
+		before: "Community: per-engine",
+		after: "Premium: centralized + expiration"
+	}}
+	link="/u/console/allowlists"
+/>
 
-#### Centralized Allowlists
-**Organization-wide management**
-
-Manage allowlists from one place and apply across all Security Engines and integrations. Supports automatic expiration for temporary allowlists.
-
-> **Community:** per-engine → **Premium:** centralized + expiration
-
-[Learn more about Allowlists](/u/console/allowlists)
+</div>
 
 ---
 
 ### 🔍 Investigation & Forensics
 
-#### Extended Alert Retention
-**2 months → 1 year**
-
-Keep up to 1 year of alerts with custom quotas (up to millions/month). Essential for audits, forensic investigation, and trend analysis.
-
-> **Community:** 500/month, 2 months → **Premium:** millions/month, 365 days
-
-[Learn more about quotas](/u/console/alerts/quotas#why-upgrade-to-premium-)
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Extended Alert Retention"
+	metric="2 months → 1 year"
+	category="monitoring"
+	description="Keep up to 1 year of alerts with custom quotas (up to millions/month). Essential for audits, forensic investigation, and trend analysis."
+	comparison={{
+		before: "Community: 500/month, 2 months",
+		after: "Premium: millions/month, 365 days"
+	}}
+	link="/u/console/alerts/quotas#why-upgrade-to-premium-"
+/>
+
+<FeatureCard
+	title="IP Reputation Investigation"
+	metric="30 → 100/week"
+	category="intelligence"
+	description="View complete IP profiles: reputation, behavior, fingerprint, MITRE ATT&CK. Direct from Console for investigations."
+	comparison={{
+		before: "Community: 30 lookups/week",
+		after: "Premium: 100 lookups/week"
+	}}
+/>
+
+<FeatureCard
+	title="CTI API Access"
+	metric="30 → 100 calls/week"
+	category="intelligence"
+	description="Query CrowdSec IP reputation from your SIEM, SOAR or custom tools. Includes MITRE ATT&CK mappings for contextual threat qualification."
+	comparison={{
+		before: "Community: 30 calls/week",
+		after: "Premium: 100 calls/week"
+	}}
+	link="/u/cti_api/api_integration/integration_intro"
+/>
+
+<FeatureCard
+	title="Background Noise Filtering"
+	metric="Focus on real threats"
+	category="monitoring"
+	description="Filter internet background radiation automatically. Configurable levels (Low, Medium, High) to match security requirements."
+	link="/u/console/alerts/background_noise"
+/>
 
-#### IP Reputation Investigation
-**30 → 100 lookups/week**
-
-View complete IP profiles: reputation, behavior, fingerprint, MITRE ATT&CK. Direct from Console for investigations.
-
-> **Community:** 30 lookups/week → **Premium:** 100 lookups/week
-
-#### CTI API Access
-**30 → 100 calls/week**
-
-Query CrowdSec IP reputation from your SIEM, SOAR or custom tools. Includes MITRE ATT&CK mappings for contextual threat qualification.
-
-> **Community:** 30 calls/week → **Premium:** 100 calls/week
-
-[Learn more about CTI API](/u/cti_api/api_integration/integration_intro)
-
-#### Background Noise Filtering
-**Focus on real threats**
-
-Filter internet background radiation automatically. Configurable levels (Low, Medium, High) to match security requirements.
-
-[Learn more about Background Noise](/u/console/alerts/background_noise)
+</div>
 
 ---
 
 ### 🔔 Monitoring & Alerting
 
-#### Am I Under Attack
-**Real-time attack detection**
-
-Alert when attack surges are detected on your infrastructure. Compares current traffic vs. historical baselines. Webhook + email included.
-
-[Learn more about attack detection](/u/console/security_engines/am_i_under_attack)
-
-#### Push Notifications Integrations
-**Slack · PagerDuty**
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Am I Under Attack"
+	metric="Real-time"
+	category="monitoring"
+	description="Alert when attack surges are detected on your infrastructure. Compares current traffic vs. historical baselines. Webhook + email included."
+	link="/u/console/security_engines/am_i_under_attack"
+/>
+
+<FeatureCard
+	title="Push Notifications Integrations"
+	metric="Slack · PagerDuty"
+	category="monitoring"
+	description="Receive alerts in existing tools when Security Engines go offline or become outdated. Native integrations with major SecOps tools."
+	comparison={{
+		before: "Community: email only",
+		after: "Premium: webhooks + integrations"
+	}}
+	link="/u/console/notification_integrations/overview"
+/>
 
-Receive alerts in existing tools when Security Engines go offline or become outdated. Native integrations with major SecOps tools.
-
-> **Community:** email only → **Premium:** webhooks + integrations
-
-[Learn more about Notifications](/u/console/notification_integrations/overview)
+</div>
 
 ---
 
@@ -236,94 +294,126 @@ Sync security decisions across all engines and integrations automatically.
 
 ### 🏗️ Multi-Tenancy & Isolation
 
-#### Multi-Organization 🔖 MSP
-**Complete client isolation**
-
-Segment client environments into separate organizations. Each client sees only their data. Manage all clients from a single account.
-
-> **Community:** 1 organization → **Premium:** unlimited orgs
+<HighlightCard
+	title="Multi-Organization"
+	category="scale"
+	description="Segment client environments into separate organizations. Each client sees only their data. Manage all clients from a single account."
+	stats={[
+		{ value: "∞", label: "organizations" },
+		{ value: "100%", label: "isolation" }
+	]}
+/>
 
 ---
 
 ### 🤖 Automation & API
 
-#### Service API (SAPI) 🔖 API
-**REST + webhooks**
-
-Automate Console management: create and share custom blocklists, manage decisions and enrollments via API. Integrate into CI/CD or SOAR pipelines.
-
-> **Community:** no API access → **Premium:** full SAPI
-
-[Learn more about Service API](/u/console/service_api/getting_started)
-
-#### Auto Enroll
-**Zero-touch deployment**
-
-Automatically enroll new Security Engines into your organization as deployed. Perfect for infrastructure-as-code deployments (Terraform, Ansible, K8s).
-
-> **Community:** manual enrollment → **Premium:** automatic enrollment
-
-#### Blocklist Creation & Sharing
-**Custom blocklists via API**
-
-Create and distribute custom blocklists across multiple organizations or partners. Enable coordinated security operations across your ecosystem.
-
-[Learn more about SAPI Blocklists](/u/console/service_api/blocklists)
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Service API (SAPI)"
+	metric="REST + webhooks"
+	category="scale"
+	badges={["API"]}
+	description="Automate Console management: create and share custom blocklists, manage decisions and enrollments via API. Integrate into CI/CD or SOAR pipelines."
+	comparison={{
+		before: "Community: no API access",
+		after: "Premium: full SAPI"
+	}}
+	link="/u/console/service_api/getting_started"
+/>
+
+<FeatureCard
+	title="Auto Enroll"
+	metric="Zero-touch"
+	category="scale"
+	description="Automatically enroll new Security Engines into your organization as deployed. Perfect for infrastructure-as-code deployments (Terraform, Ansible, K8s)."
+	comparison={{
+		before: "Community: manual enrollment",
+		after: "Premium: automatic enrollment"
+	}}
+/>
+
+<FeatureCard
+	title="Blocklist Creation & Sharing"
+	metric="Custom via API"
+	category="scale"
+	description="Create and distribute custom blocklists across multiple organizations or partners. Enable coordinated security operations across your ecosystem."
+	link="/u/console/service_api/blocklists"
+/>
+
+<FeatureCard
+	title="Remediation Sync"
+	metric="Automatic"
+	category="protection"
+	description="Sync security decisions across all client engines and integrations automatically."
+	link="/u/console/remediation_sync"
+/>
 
-#### Remediation Sync
-**Automatic propagation**
-
-Sync security decisions across all client engines and integrations automatically.
-
-[Learn more about Remediation Sync](/u/console/remediation_sync)
+</div>
 
 ---
 
 ### 👥 Team & Client Management
 
-#### Multi-Seat Access
-**3 seats included**
-
-Provide view/edit/admin access to team members or clients. Add seats as your business grows.
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
-[Learn more about Organizations](/u/console/organizations/intro)
+<FeatureCard
+	title="Multi-Seat Access"
+	metric="3 seats included"
+	category="scale"
+	description="Provide view/edit/admin access to team members or clients. Add seats as your business grows."
+	link="/u/console/organizations/intro"
+/>
 
-#### Centralized Allowlists
-**Organization-wide**
+<FeatureCard
+	title="Centralized Allowlists"
+	metric="Organization-wide"
+	category="scale"
+	description="Manage allowlists centrally and apply across all Security Engines. Supports expiration for temporary allowlisting."
+	link="/u/console/allowlists"
+/>
 
-Manage allowlists centrally and apply across all Security Engines. Supports expiration for temporary allowlisting.
-
-[Learn more about Allowlists](/u/console/allowlists)
+</div>
 
 ---
 
 ### 🛡️ Protection at Scale
 
-#### Extended Community Blocklist
-**3k → 50k IPs**
-
-Access to 50,000 most aggressive IPs (vs 3,000 in Community).
-
-[Learn more about blocklists](/u/console/blocklists/intro)
-
-#### Unlimited Blocklist Subscriptions
-**3 → ∞**
-
-Subscribe to unlimited specialized blocklists per organization.
-
-#### Threat Forecast Blocklist
-**Per organization**
-
-Each organization gets tailored blocklists from their shared signals.
-
-[Learn more about Threat Forecast](/u/console/threat_forecast)
-
-#### Background Noise Filtering
-**Reduce alert fatigue**
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Extended Community Blocklist"
+	metric="3k → 50k IPs"
+	category="protection"
+	description="Access to 50,000 most aggressive IPs (vs 3,000 in Community)."
+	link="/u/console/blocklists/intro"
+/>
+
+<FeatureCard
+	title="Unlimited Blocklist Subscriptions"
+	metric="3 → ∞"
+	category="protection"
+	description="Subscribe to unlimited specialized blocklists per organization."
+/>
+
+<FeatureCard
+	title="Threat Forecast Blocklist"
+	metric="Per organization"
+	category="protection"
+	description="Each organization gets tailored blocklists from their shared signals."
+	link="/u/console/threat_forecast"
+/>
+
+<FeatureCard
+	title="Background Noise Filtering"
+	metric="Reduce fatigue"
+	category="monitoring"
+	description="Filter internet noise automatically across all client organizations."
+	link="/u/console/alerts/background_noise"
+/>
 
-Filter internet noise automatically across all client organizations.
-
-[Learn more about Background Noise](/u/console/alerts/background_noise)
+</div>
 
 ---
 
@@ -360,27 +450,49 @@ Filter internet noise automatically across all client organizations.
 
 ## How to Upgrade to Premium
 
+<div className="grid grid-cols-1 md:grid-cols-3 gap-4 mb-8">
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
 ### 1️⃣ Compare Plans
 
 Review available plans and pricing based on your volume and requirements.
 
+</div>
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
 ### 2️⃣ Upgrade or Contact
 
 Upgrade self-service in minutes, or contact our team for custom plans (enterprise, MSP, volume).
 
+</div>
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
 ### 3️⃣ Immediate Access
 
 All Premium features available instantly in your organization. No migration required.
 
+</div>
+
+</div>
+
 ---
 
 ## Ready to Go Further?
 
-Start with a trial or discuss your needs with our team. No immediate commitment required.
+<div className="p-8 rounded-xl bg-gradient-to-r from-primary/10 to-primary/5 border border-solid border-primary/20">
+
+### Start with a trial or discuss your needs with our team
+
+No immediate commitment required. All Premium features available instantly upon upgrade.
+
+<div style={{display: 'flex', gap: '1rem', marginTop: '1.5rem', flexWrap: 'wrap'}}>
+	<a href="https://app.crowdsec.net/pricing" className="button button--primary button--lg">View Pricing →</a>
+	<a href="https://www.crowdsec.net/contact-crowdsec" className="button button--secondary button--lg">Contact Team</a>
+</div>
 
-<div style={{display: 'flex', gap: '1rem', marginTop: '1.5rem'}}>
-	<a href="https://app.crowdsec.net/pricing" className="button button--primary">View Pricing →</a>
-	<a href="https://www.crowdsec.net/contact-crowdsec" className="button button--secondary">Contact Team</a>
 </div>
 
 ---

From 644c3067278cfe49262ada342c02bcb27e4421ec Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Thu, 19 Mar 2026 16:39:24 +0100
Subject: [PATCH 03/14] revamp in main section

---
 .../unversioned/console/premium_upgrade.mdx   | 521 +++++++++++++++-
 .../premium_upgrade/features_overview.mdx     | 589 ++----------------
 2 files changed, 548 insertions(+), 562 deletions(-)

diff --git a/crowdsec-docs/unversioned/console/premium_upgrade.mdx b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
index 458ffcece..5f2d5c6bc 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
@@ -1,52 +1,515 @@
 ---
 id: premium_upgrade
 title: Premium Upgrade
-description: Upgrade to CrowdSec Premium for enhanced security and commercial-grade features
+description: Find Premium features tailored to your role - DevOps, SecOps, or MSP
 ---
 
-import { Badge } from "@site/src/ui/badge";
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import Link from '@docusaurus/Link';
+import { FeatureCard, HighlightCard } from '@site/src/components/premium-upgrade/feature-card';
 
-## Why Upgrade to Premium?
+<div style={{marginBottom: '2rem'}}>
 
-CrowdSec Premium features are designed for users who have **commercial usage** of the Console or organizations that want to **enhance the security posture** of their infrastructure.
-While our Community Plan provides essential security monitoring capabilities, Premium unlocks advanced features that scale with your business needs and provide business-grade protection.
+# Find Premium Features **Made for You**
 
-Premium features bring the following benefits:
+CrowdSec Premium features are designed for users who have **commercial usage** of the Console or organizations that want to **enhance the security posture** of their infrastructure. Premium unlocks advanced capabilities based on your role.
 
-- **Scalability**:
-    - Extra centralization and synchronization features
-    - Extended data retention
-    - Automation and API access for large-scale deployments
-- **Advanced Threat Detection & Qualification**:
-    - Attack surge detection
-    - Premium proactive blocking with AI-powered blocklists
-    - Background noise filtering
+**Select your profile below** to see only the features that matter most to you.
 
-A features comparison can be found on our [pricing page](https://app.crowdsec.net/pricing).
+</div>
+
+<Tabs groupId="user-persona" className="premium-persona-tabs">
+<TabItem value="devops" label="⚙️ DevOps / SRE" default>
+
+## Solo or Small Team Infrastructure Management
+
+**Best for:** Individual engineers or small teams managing infrastructure, focused on reducing noise and blocking more threats efficiently.
 
 ---
 
-## Getting Started with Premium
+### 🛡️ Enhanced Protection
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Extended Community Blocklist"
+	metric="3k → 50k IPs"
+	category="protection"
+	description="Receive the top 50,000 most aggressive attackers targeting services like yours (up from 3,000 in Community). More attackers blocked before they reach your servers."
+	comparison={{
+		before: "Community: top 3k",
+		after: "Premium: top 50k (×16)"
+	}}
+	link="/u/console/blocklists/intro"
+/>
+
+<FeatureCard
+	title="Threat Forecast Blocklist"
+	metric="Organization-specific"
+	category="protection"
+	description="Automatically generated blocklists from signals shared by your organization. More precise than community lists—tailored to your specific infrastructure."
+	comparison={{
+		before: "Community: generic list",
+		after: "Premium: org-specific"
+	}}
+	link="/u/console/threat_forecast"
+/>
+
+<FeatureCard
+	title="Background Noise Filtering"
+	metric="−75% to −92% noise"
+	category="protection"
+	description="Automatically filter internet background radiation (mass scanners, crawlers) to focus on real threats. Configurable levels: Low, Medium, High."
+	comparison={{
+		before: "Community: all signals",
+		after: "Premium: real threats only"
+	}}
+	link="/u/console/alerts/background_noise"
+/>
+
+<FeatureCard
+	title="Unlimited Blocklist Subscriptions"
+	metric="3 → ∞"
+	category="protection"
+	description="Subscribe to as many specialized blocklists as needed—bruteforce, botnets, tor, scanners, proxies—without limits."
+	comparison={{
+		before: "Community: 3 max",
+		after: "Premium: unlimited"
+	}}
+	link="/u/blocklists/intro#crowdsec-blocklist-tiers"
+/>
+
+</div>
+
+---
+
+### ⚡ Automation & Sync
+
+<HighlightCard
+	title="Remediation Sync"
+	category="protection"
+	description="Automatically sync security decisions to all Security Engines and integrations. One blocklist update propagates everywhere—zero manual work."
+	stats={[
+		{ value: "2×", label: "more proactive blocking" },
+		{ value: "0", label: "manual propagation" }
+	]}
+	link="/u/console/remediation_sync"
+/>
+
+<div className="mt-4">
+<FeatureCard
+	title="Auto Enroll"
+	metric="Zero-touch"
+	category="scale"
+	description="Automatically enroll new Security Engines into your organization as they're deployed. Perfect for infrastructure-as-code (Terraform, Ansible, K8s)."
+	comparison={{
+		before: "Community: manual enrollment",
+		after: "Premium: automatic enrollment"
+	}}
+/>
+</div>
+
+---
+
+### 📊 Monitoring
+
+<FeatureCard
+	title="Am I Under Attack"
+	metric="Real-time"
+	category="monitoring"
+	description="Get alerted when abnormal attack surges are detected on your infrastructure. Compares current traffic to historical baselines. Includes webhook + email notifications."
+	link="/u/console/security_engines/am_i_under_attack"
+/>
+
+---
+
+### 💡 Why Premium for DevOps/SRE?
+
+- **Less noise, more signal**: Filter out scanner noise and focus on real threats
+- **Automation-first**: Sync decisions automatically, enroll engines without manual steps
+- **Better blocking**: Access to 50k+ IPs and organization-specific threat intel
+- **Peace of mind**: Get alerted when attacks surge
+
+</TabItem>
 
-To help you make the most of your Premium upgrade, we've prepared the following guides:
+<TabItem value="secops" label="🛡️ SecOps / Blue Team">
 
-### [Optimal Premium Upgrade Setup](/u/console/premium_upgrade/optimal_setup)
-Learn the best practices for organizing your Security Engines across different environments (Production, Dev, Test) before upgrading to maximize value and cost-efficiency.
+## Team Collaboration & Investigation
 
-### [Test Premium Value in Your Environment](/u/console/premium_upgrade/testing_premium)
-Discover practical ways to measure and experience Premium value during your trial period, including improved protection metrics, team collaboration features, and enterprise scaling capabilities.
+**Best for:** Security teams that need to collaborate, investigate incidents, and maintain data retention for compliance and audits.
 
-### [Premium Features Overview](/u/console/premium_upgrade/features_overview)
-Explore the complete catalog of Premium features including scaling & automation, enhanced protection, reactivity & monitoring, and advanced threat intelligence capabilities.
+---
+
+### 👥 Team Collaboration
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Multi-Seat Access"
+	metric="3 seats included"
+	category="scale"
+	description="Give view/edit/admin access to your team. Multiple members work simultaneously without access conflicts. Add more seats as needed."
+	comparison={{
+		before: "Community: 1 user only",
+		after: "Premium: full team"
+	}}
+	link="/u/console/organizations/intro"
+/>
+
+<FeatureCard
+	title="Centralized Allowlists"
+	metric="Organization-wide"
+	category="scale"
+	description="Manage allowlists from one place and apply across all Security Engines and integrations. Supports automatic expiration for temporary allowlists."
+	comparison={{
+		before: "Community: per-engine",
+		after: "Premium: centralized + expiration"
+	}}
+	link="/u/console/allowlists"
+/>
+
+</div>
 
 ---
 
-## How to Upgrade
+### 🔍 Investigation & Forensics
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Extended Alert Retention"
+	metric="2 months → 1 year"
+	category="monitoring"
+	description="Keep up to 1 year of alerts with custom quotas (up to millions/month). Essential for audits, forensic investigation, and trend analysis."
+	comparison={{
+		before: "Community: 500/month, 2 months",
+		after: "Premium: millions/month, 365 days"
+	}}
+	link="/u/console/alerts/quotas#why-upgrade-to-premium-"
+/>
+
+<FeatureCard
+	title="IP Reputation Investigation"
+	metric="30 → 100/week"
+	category="intelligence"
+	description="View complete IP profiles: reputation, behavior, fingerprint, MITRE ATT&CK. Direct from Console for investigations."
+	comparison={{
+		before: "Community: 30 lookups/week",
+		after: "Premium: 100 lookups/week"
+	}}
+/>
+
+<FeatureCard
+	title="CTI API Access"
+	metric="30 → 100 calls/week"
+	category="intelligence"
+	description="Query CrowdSec IP reputation from your SIEM, SOAR or custom tools. Includes MITRE ATT&CK mappings for contextual threat qualification."
+	comparison={{
+		before: "Community: 30 calls/week",
+		after: "Premium: 100 calls/week"
+	}}
+	link="/u/cti_api/api_integration/integration_intro"
+/>
+
+<FeatureCard
+	title="Background Noise Filtering"
+	metric="Focus on real threats"
+	category="monitoring"
+	description="Filter internet background radiation automatically. Configurable levels (Low, Medium, High) to match security requirements."
+	link="/u/console/alerts/background_noise"
+/>
+
+</div>
+
+---
+
+### 🔔 Monitoring & Alerting
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Am I Under Attack"
+	metric="Real-time"
+	category="monitoring"
+	description="Alert when attack surges are detected on your infrastructure. Compares current traffic vs. historical baselines. Webhook + email included."
+	link="/u/console/security_engines/am_i_under_attack"
+/>
+
+<FeatureCard
+	title="Push Notifications Integrations"
+	metric="Slack · PagerDuty"
+	category="monitoring"
+	description="Receive alerts in existing tools when Security Engines go offline or become outdated. Native integrations with major SecOps tools."
+	comparison={{
+		before: "Community: email only",
+		after: "Premium: webhooks + integrations"
+	}}
+	link="/u/console/notification_integrations/overview"
+/>
+
+</div>
+
+---
+
+### 🛡️ Enhanced Protection
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Extended Community Blocklist"
+	metric="3k → 50k IPs"
+	category="protection"
+	description="Top 50,000 most aggressive attackers (up from 3,000 in Community)."
+	link="/u/console/blocklists/intro"
+/>
+
+<FeatureCard
+	title="Threat Forecast Blocklist"
+	metric="Organization-specific"
+	category="protection"
+	description="Automatically generated blocklists from your organization's shared signals."
+	link="/u/console/threat_forecast"
+/>
+
+<FeatureCard
+	title="Remediation Sync"
+	metric="Automatic"
+	category="protection"
+	description="Sync security decisions across all engines and integrations automatically."
+	link="/u/console/remediation_sync"
+/>
+
+</div>
+
+---
+
+### 💡 Why Premium for SecOps/Blue Team?
+
+- **Team collaboration**: Multiple seats with role-based access
+- **Long-term retention**: 1 year of alerts for compliance and forensics
+- **Rich investigation**: 100 CTI lookups/week with MITRE ATT&CK context
+- **Integration-ready**: Push to Slack, PagerDuty, SIEM tools
+
+</TabItem>
+
+<TabItem value="msp" label="🏢 MSP / Integrator">
+
+## Multi-Tenant Management & Automation
+
+**Best for:** MSPs and integrators managing security for multiple clients, requiring isolation, automation, and API-driven workflows.
+
+---
+
+### 🏗️ Multi-Tenancy & Isolation
+
+<HighlightCard
+	title="Multi-Organization"
+	category="scale"
+	description="Segment client environments into separate organizations. Each client sees only their data. Manage all clients from a single account."
+	stats={[
+		{ value: "∞", label: "organizations" },
+		{ value: "100%", label: "isolation" }
+	]}
+/>
 
-Ready to enhance your security posture with Premium features?
+---
+
+### 🤖 Automation & API
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Service API (SAPI)"
+	metric="REST + webhooks"
+	category="scale"
+	badges={["API"]}
+	description="Automate Console management: create and share custom blocklists, manage decisions and enrollments via API. Integrate into CI/CD or SOAR pipelines."
+	comparison={{
+		before: "Community: no API access",
+		after: "Premium: full SAPI"
+	}}
+	link="/u/console/service_api/getting_started"
+/>
+
+<FeatureCard
+	title="Auto Enroll"
+	metric="Zero-touch"
+	category="scale"
+	description="Automatically enroll new Security Engines into your organization as deployed. Perfect for infrastructure-as-code deployments (Terraform, Ansible, K8s)."
+	comparison={{
+		before: "Community: manual enrollment",
+		after: "Premium: automatic enrollment"
+	}}
+/>
+
+<FeatureCard
+	title="Blocklist Creation & Sharing"
+	metric="Custom via API"
+	category="scale"
+	description="Create and distribute custom blocklists across multiple organizations or partners. Enable coordinated security operations across your ecosystem."
+	link="/u/console/service_api/blocklists"
+/>
+
+<FeatureCard
+	title="Remediation Sync"
+	metric="Automatic"
+	category="protection"
+	description="Sync security decisions across all client engines and integrations automatically."
+	link="/u/console/remediation_sync"
+/>
+
+</div>
+
+---
+
+### 👥 Team & Client Management
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Multi-Seat Access"
+	metric="3 seats included"
+	category="scale"
+	description="Provide view/edit/admin access to team members or clients. Add seats as your business grows."
+	link="/u/console/organizations/intro"
+/>
+
+<FeatureCard
+	title="Centralized Allowlists"
+	metric="Organization-wide"
+	category="scale"
+	description="Manage allowlists centrally and apply across all Security Engines. Supports expiration for temporary allowlisting."
+	link="/u/console/allowlists"
+/>
+
+</div>
+
+---
+
+### 🛡️ Protection at Scale
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Extended Community Blocklist"
+	metric="3k → 50k IPs"
+	category="protection"
+	description="Access to 50,000 most aggressive IPs (vs 3,000 in Community)."
+	link="/u/console/blocklists/intro"
+/>
+
+<FeatureCard
+	title="Unlimited Blocklist Subscriptions"
+	metric="3 → ∞"
+	category="protection"
+	description="Subscribe to unlimited specialized blocklists per organization."
+/>
+
+<FeatureCard
+	title="Threat Forecast Blocklist"
+	metric="Per organization"
+	category="protection"
+	description="Each organization gets tailored blocklists from their shared signals."
+	link="/u/console/threat_forecast"
+/>
+
+<FeatureCard
+	title="Background Noise Filtering"
+	metric="Reduce fatigue"
+	category="monitoring"
+	description="Filter internet noise automatically across all client organizations."
+	link="/u/console/alerts/background_noise"
+/>
+
+</div>
+
+---
+
+### 💡 Why Premium for MSPs?
+
+- **Multi-tenant architecture**: Complete client isolation with unlimited organizations
+- **API-first**: Full Service API for automation and integration
+- **Scalability**: Auto-enroll, remediation sync, unlimited blocklists
+- **White-label ready**: Manage all clients from single dashboard
+
+</TabItem>
+</Tabs>
+
+---
+
+## Community vs Premium: Key Differences
+
+| Feature | Community | Premium |
+|---------|-----------|---------|
+| **Community Blocklist** | Top 3,000 IPs | Top 50,000 IPs |
+| **Blocklist Subscriptions** | 3 max | Unlimited |
+| **Alerts per Month** | 500 | Up to millions |
+| **Alert Retention** | 2 months | 12 months |
+| **Remediation Sync** | ✗ | ✓ |
+| **Background Noise Filter** | ✗ | ✓ |
+| **Am I Under Attack** | ✗ | ✓ |
+| **Threat Forecast Blocklist** | ✗ | ✓ |
+| **Organization Seats** | 1 | 3 included + more |
+| **CTI API Lookups/Week** | 30 | 100 |
+| **Service API (SAPI)** | ✗ | ✓ |
+| **Multi-Organization (MSP)** | ✗ | ✓ (option) |
+
+---
+
+## How to Upgrade to Premium
+
+<div className="grid grid-cols-1 md:grid-cols-3 gap-4 mb-8">
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
+### 1️⃣ Compare Plans
+
+Review available plans and pricing based on your volume and requirements.
+
+</div>
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
+### 2️⃣ Upgrade or Contact
+
+Upgrade self-service in minutes, or contact our team for custom plans (enterprise, MSP, volume).
+
+</div>
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
+### 3️⃣ Immediate Access
+
+All Premium features available instantly in your organization. No migration required.
+
+</div>
+
+</div>
+
+---
+
+## Ready to Go Further?
+
+<div className="p-8 rounded-xl bg-gradient-to-r from-primary/10 to-primary/5 border border-solid border-primary/20">
+
+### Start with a trial or discuss your needs with our team
+
+No immediate commitment required. All Premium features available instantly upon upgrade.
+
+<div style={{display: 'flex', gap: '1rem', marginTop: '1.5rem', flexWrap: 'wrap'}}>
+	<a href="https://app.crowdsec.net/pricing" className="button button--primary button--lg">View Pricing →</a>
+	<a href="https://www.crowdsec.net/contact-crowdsec" className="button button--secondary button--lg">Contact Team</a>
+</div>
+
+</div>
+
+---
+
+## Getting Started with Premium
 
-1. Visit our [pricing page](https://app.crowdsec.net/pricing) to compare plans and pricing
-2. Upgrade to Premium with our self service plan or [Contact](https://www.crowdsec.net/contact-crowdsec) our sales team to discuss your specific requirements
-3. Once upgraded, enjoy immediate access to all Premium features in your organization and add options as you grow.
+To help you make the most of your Premium upgrade, explore these guides:
 
-For questions about Premium features or to discuss custom enterprise solutions, please [contact our team](https://www.crowdsec.net/pricing).
+- [**Optimal Setup**](/u/console/premium_upgrade/optimal_setup) - Organize your Security Engines before migrating to maximize value
+- [**Testing Premium**](/u/console/premium_upgrade/testing_premium) - Measure the value concretely during your trial period
+- [**All Features Reference**](/u/console/premium_upgrade/features_overview) - Complete catalog of Premium features
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
index 358028d8d..eac688300 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
@@ -1,559 +1,82 @@
 ---
 id: features_overview
-title: Find Premium Features Made for You
-description: Discover Premium features tailored to your role - DevOps, SecOps, or MSP
+title: Premium Features Overview
+description: Comprehensive overview of all Premium features
 ---
 
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import Link from '@docusaurus/Link';
-import { FeatureCard, HighlightCard } from '@site/src/components/premium-upgrade/feature-card';
-
-<div style={{marginBottom: '2rem'}}>
-
-# Find Premium Features **Made for You**
-
-Premium unlocks advanced capabilities based on your role. **Select your profile below** to see only the features that matter most to you.
-
-</div>
-
-<Tabs groupId="user-persona" className="premium-persona-tabs">
-<TabItem value="devops" label="⚙️ DevOps / SRE" default>
-
-## Solo or Small Team Infrastructure Management
-
-**Best for:** Individual engineers or small teams managing infrastructure, focused on reducing noise and blocking more threats efficiently.
-
----
-
-### 🛡️ Enhanced Protection
-
-<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
-
-<FeatureCard
-	title="Extended Community Blocklist"
-	metric="3k → 50k IPs"
-	category="protection"
-	description="Receive the top 50,000 most aggressive attackers targeting services like yours (up from 3,000 in Community). More attackers blocked before they reach your servers."
-	comparison={{
-		before: "Community: top 3k",
-		after: "Premium: top 50k (×16)"
-	}}
-	link="/u/console/blocklists/intro"
-/>
-
-<FeatureCard
-	title="Threat Forecast Blocklist"
-	metric="Organization-specific"
-	category="protection"
-	description="Automatically generated blocklists from signals shared by your organization. More precise than community lists—tailored to your specific infrastructure."
-	comparison={{
-		before: "Community: generic list",
-		after: "Premium: org-specific"
-	}}
-	link="/u/console/threat_forecast"
-/>
-
-<FeatureCard
-	title="Background Noise Filtering"
-	metric="−75% to −92% noise"
-	category="protection"
-	description="Automatically filter internet background radiation (mass scanners, crawlers) to focus on real threats. Configurable levels: Low, Medium, High."
-	comparison={{
-		before: "Community: all signals",
-		after: "Premium: real threats only"
-	}}
-	link="/u/console/alerts/background_noise"
-/>
-
-<FeatureCard
-	title="Unlimited Blocklist Subscriptions"
-	metric="3 → ∞"
-	category="protection"
-	description="Subscribe to as many specialized blocklists as needed—bruteforce, botnets, tor, scanners, proxies—without limits."
-	comparison={{
-		before: "Community: 3 max",
-		after: "Premium: unlimited"
-	}}
-	link="/u/blocklists/intro#crowdsec-blocklist-tiers"
-/>
-
-</div>
-
----
-
-### ⚡ Automation & Sync
-
-<HighlightCard
-	title="Remediation Sync"
-	category="protection"
-	description="Automatically sync security decisions to all Security Engines and integrations. One blocklist update propagates everywhere—zero manual work."
-	stats={[
-		{ value: "2×", label: "more proactive blocking" },
-		{ value: "0", label: "manual propagation" }
-	]}
-	link="/u/console/remediation_sync"
-/>
-
-<div className="mt-4">
-<FeatureCard
-	title="Auto Enroll"
-	metric="Zero-touch"
-	category="scale"
-	description="Automatically enroll new Security Engines into your organization as they're deployed. Perfect for infrastructure-as-code (Terraform, Ansible, K8s)."
-	comparison={{
-		before: "Community: manual enrollment",
-		after: "Premium: automatic enrollment"
-	}}
-/>
-</div>
-
----
-
-### 📊 Monitoring
-
-<FeatureCard
-	title="Am I Under Attack"
-	metric="Real-time"
-	category="monitoring"
-	description="Get alerted when abnormal attack surges are detected on your infrastructure. Compares current traffic to historical baselines. Includes webhook + email notifications."
-	link="/u/console/security_engines/am_i_under_attack"
-/>
-
----
-
-### 💡 Why Premium for DevOps/SRE?
-
-- **Less noise, more signal**: Filter out scanner noise and focus on real threats
-- **Automation-first**: Sync decisions automatically, enroll engines without manual steps
-- **Better blocking**: Access to 50k+ IPs and organization-specific threat intel
-- **Peace of mind**: Get alerted when attacks surge
-
-</TabItem>
-
-<TabItem value="secops" label="🛡️ SecOps / Blue Team">
-
-## Team Collaboration & Investigation
-
-**Best for:** Security teams that need to collaborate, investigate incidents, and maintain data retention for compliance and audits.
-
----
-
-### 👥 Team Collaboration
-
-<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
-
-<FeatureCard
-	title="Multi-Seat Access"
-	metric="3 seats included"
-	category="scale"
-	description="Give view/edit/admin access to your team. Multiple members work simultaneously without access conflicts. Add more seats as needed."
-	comparison={{
-		before: "Community: 1 user only",
-		after: "Premium: full team"
-	}}
-	link="/u/console/organizations/intro"
-/>
-
-<FeatureCard
-	title="Centralized Allowlists"
-	metric="Organization-wide"
-	category="scale"
-	description="Manage allowlists from one place and apply across all Security Engines and integrations. Supports automatic expiration for temporary allowlists."
-	comparison={{
-		before: "Community: per-engine",
-		after: "Premium: centralized + expiration"
-	}}
-	link="/u/console/allowlists"
-/>
-
-</div>
-
----
-
-### 🔍 Investigation & Forensics
-
-<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
-
-<FeatureCard
-	title="Extended Alert Retention"
-	metric="2 months → 1 year"
-	category="monitoring"
-	description="Keep up to 1 year of alerts with custom quotas (up to millions/month). Essential for audits, forensic investigation, and trend analysis."
-	comparison={{
-		before: "Community: 500/month, 2 months",
-		after: "Premium: millions/month, 365 days"
-	}}
-	link="/u/console/alerts/quotas#why-upgrade-to-premium-"
-/>
-
-<FeatureCard
-	title="IP Reputation Investigation"
-	metric="30 → 100/week"
-	category="intelligence"
-	description="View complete IP profiles: reputation, behavior, fingerprint, MITRE ATT&CK. Direct from Console for investigations."
-	comparison={{
-		before: "Community: 30 lookups/week",
-		after: "Premium: 100 lookups/week"
-	}}
-/>
-
-<FeatureCard
-	title="CTI API Access"
-	metric="30 → 100 calls/week"
-	category="intelligence"
-	description="Query CrowdSec IP reputation from your SIEM, SOAR or custom tools. Includes MITRE ATT&CK mappings for contextual threat qualification."
-	comparison={{
-		before: "Community: 30 calls/week",
-		after: "Premium: 100 calls/week"
-	}}
-	link="/u/cti_api/api_integration/integration_intro"
-/>
-
-<FeatureCard
-	title="Background Noise Filtering"
-	metric="Focus on real threats"
-	category="monitoring"
-	description="Filter internet background radiation automatically. Configurable levels (Low, Medium, High) to match security requirements."
-	link="/u/console/alerts/background_noise"
-/>
-
-</div>
-
----
-
-### 🔔 Monitoring & Alerting
-
-<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
-
-<FeatureCard
-	title="Am I Under Attack"
-	metric="Real-time"
-	category="monitoring"
-	description="Alert when attack surges are detected on your infrastructure. Compares current traffic vs. historical baselines. Webhook + email included."
-	link="/u/console/security_engines/am_i_under_attack"
-/>
-
-<FeatureCard
-	title="Push Notifications Integrations"
-	metric="Slack · PagerDuty"
-	category="monitoring"
-	description="Receive alerts in existing tools when Security Engines go offline or become outdated. Native integrations with major SecOps tools."
-	comparison={{
-		before: "Community: email only",
-		after: "Premium: webhooks + integrations"
-	}}
-	link="/u/console/notification_integrations/overview"
-/>
-
-</div>
-
----
-
-### 🛡️ Protection Features
-
-#### Extended Community Blocklist
-**3k → 50k IPs**
-
-Top 50,000 most aggressive attackers (up from 3,000 in Community).
-
-[Learn more about blocklists](/u/console/blocklists/intro)
-
-#### Threat Forecast Blocklist
-**Organization-specific**
-
-Automatically generated blocklists from your organization's shared signals.
-
-[Learn more about Threat Forecast](/u/console/threat_forecast)
-
-#### Remediation Sync
-**Automatic propagation**
-
-Sync security decisions across all engines and integrations automatically.
-
-[Learn more about Remediation Sync](/u/console/remediation_sync)
-
----
-
-### 💡 Why Premium for SecOps/Blue Team?
-
-- **Team collaboration**: Multiple seats with role-based access
-- **Long-term retention**: 1 year of alerts for compliance and forensics
-- **Rich investigation**: 100 CTI lookups/week with MITRE ATT&CK context
-- **Integration-ready**: Push to Slack, PagerDuty, SIEM tools
-
-</TabItem>
-
-<TabItem value="msp" label="🏢 MSP / Integrator">
-
-## Multi-Tenant Management & Automation
-
-**Best for:** MSPs and integrators managing security for multiple clients, requiring isolation, automation, and API-driven workflows.
-
----
-
-### 🏗️ Multi-Tenancy & Isolation
-
-<HighlightCard
-	title="Multi-Organization"
-	category="scale"
-	description="Segment client environments into separate organizations. Each client sees only their data. Manage all clients from a single account."
-	stats={[
-		{ value: "∞", label: "organizations" },
-		{ value: "100%", label: "isolation" }
-	]}
-/>
-
----
-
-### 🤖 Automation & API
-
-<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
-
-<FeatureCard
-	title="Service API (SAPI)"
-	metric="REST + webhooks"
-	category="scale"
-	badges={["API"]}
-	description="Automate Console management: create and share custom blocklists, manage decisions and enrollments via API. Integrate into CI/CD or SOAR pipelines."
-	comparison={{
-		before: "Community: no API access",
-		after: "Premium: full SAPI"
-	}}
-	link="/u/console/service_api/getting_started"
-/>
-
-<FeatureCard
-	title="Auto Enroll"
-	metric="Zero-touch"
-	category="scale"
-	description="Automatically enroll new Security Engines into your organization as deployed. Perfect for infrastructure-as-code deployments (Terraform, Ansible, K8s)."
-	comparison={{
-		before: "Community: manual enrollment",
-		after: "Premium: automatic enrollment"
-	}}
-/>
-
-<FeatureCard
-	title="Blocklist Creation & Sharing"
-	metric="Custom via API"
-	category="scale"
-	description="Create and distribute custom blocklists across multiple organizations or partners. Enable coordinated security operations across your ecosystem."
-	link="/u/console/service_api/blocklists"
-/>
-
-<FeatureCard
-	title="Remediation Sync"
-	metric="Automatic"
-	category="protection"
-	description="Sync security decisions across all client engines and integrations automatically."
-	link="/u/console/remediation_sync"
-/>
-
-</div>
-
----
-
-### 👥 Team & Client Management
-
-<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
-
-<FeatureCard
-	title="Multi-Seat Access"
-	metric="3 seats included"
-	category="scale"
-	description="Provide view/edit/admin access to team members or clients. Add seats as your business grows."
-	link="/u/console/organizations/intro"
-/>
-
-<FeatureCard
-	title="Centralized Allowlists"
-	metric="Organization-wide"
-	category="scale"
-	description="Manage allowlists centrally and apply across all Security Engines. Supports expiration for temporary allowlisting."
-	link="/u/console/allowlists"
-/>
-
-</div>
-
----
-
-### 🛡️ Protection at Scale
-
-<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
-
-<FeatureCard
-	title="Extended Community Blocklist"
-	metric="3k → 50k IPs"
-	category="protection"
-	description="Access to 50,000 most aggressive IPs (vs 3,000 in Community)."
-	link="/u/console/blocklists/intro"
-/>
-
-<FeatureCard
-	title="Unlimited Blocklist Subscriptions"
-	metric="3 → ∞"
-	category="protection"
-	description="Subscribe to unlimited specialized blocklists per organization."
-/>
-
-<FeatureCard
-	title="Threat Forecast Blocklist"
-	metric="Per organization"
-	category="protection"
-	description="Each organization gets tailored blocklists from their shared signals."
-	link="/u/console/threat_forecast"
-/>
-
-<FeatureCard
-	title="Background Noise Filtering"
-	metric="Reduce fatigue"
-	category="monitoring"
-	description="Filter internet noise automatically across all client organizations."
-	link="/u/console/alerts/background_noise"
-/>
-
-</div>
-
----
-
-### 💡 Why Premium for MSPs?
-
-- **Multi-tenant architecture**: Complete client isolation with unlimited organizations
-- **API-first**: Full Service API for automation and integration
-- **Scalability**: Auto-enroll, remediation sync, unlimited blocklists
-- **White-label ready**: Manage all clients from single dashboard
-
-</TabItem>
-</Tabs>
-
----
-
-## Community vs Premium: Key Differences
-
-| Feature | Community | Premium |
-|---------|-----------|---------|
-| **Community Blocklist** | Top 3,000 IPs | Top 50,000 IPs |
-| **Blocklist Subscriptions** | 3 max | Unlimited |
-| **Alerts per Month** | 500 | Up to millions |
-| **Alert Retention** | 2 months | 12 months |
-| **Remediation Sync** | ✗ | ✓ |
-| **Background Noise Filter** | ✗ | ✓ |
-| **Am I Under Attack** | ✗ | ✓ |
-| **Threat Forecast Blocklist** | ✗ | ✓ |
-| **Organization Seats** | 1 | 3 included + more |
-| **CTI API Lookups/Week** | 30 | 100 |
-| **Service API (SAPI)** | ✗ | ✓ |
-| **Multi-Organization (MSP)** | ✗ | ✓ (option) |
-
----
-
-## How to Upgrade to Premium
-
-<div className="grid grid-cols-1 md:grid-cols-3 gap-4 mb-8">
-
-<div className="border border-solid border-border rounded-lg p-6 bg-card">
-
-### 1️⃣ Compare Plans
-
-Review available plans and pricing based on your volume and requirements.
-
-</div>
-
-<div className="border border-solid border-border rounded-lg p-6 bg-card">
-
-### 2️⃣ Upgrade or Contact
-
-Upgrade self-service in minutes, or contact our team for custom plans (enterprise, MSP, volume).
-
-</div>
-
-<div className="border border-solid border-border rounded-lg p-6 bg-card">
-
-### 3️⃣ Immediate Access
-
-All Premium features available instantly in your organization. No migration required.
-
-</div>
-
-</div>
-
----
-
-## Ready to Go Further?
-
-<div className="p-8 rounded-xl bg-gradient-to-r from-primary/10 to-primary/5 border border-solid border-primary/20">
-
-### Start with a trial or discuss your needs with our team
-
-No immediate commitment required. All Premium features available instantly upon upgrade.
-
-<div style={{display: 'flex', gap: '1rem', marginTop: '1.5rem', flexWrap: 'wrap'}}>
-	<a href="https://app.crowdsec.net/pricing" className="button button--primary button--lg">View Pricing →</a>
-	<a href="https://www.crowdsec.net/contact-crowdsec" className="button button--secondary button--lg">Contact Team</a>
-</div>
-
-</div>
+Premium features enable multiple use cases.
+Make the best use of the premium features for your needs in: **Scaling, Multi-tenancy, Enhanced proactive protection, Centralized management, Team collaboration, Integration and automation, Enhanced threat intelligence, and improved support.**
 
 ---
 
-## Next Steps
-
-- [**Optimal Setup**](/u/console/premium_upgrade/optimal_setup) - Organize your Security Engines before migrating
-- [**Testing Premium**](/u/console/premium_upgrade/testing_premium) - Measure the value concretely during your trial
-
----
-
-## All Premium Features (Reference)
-
-### Scaling, Automation & Multi-Tenancy
+## Scaling, Automation & Multi-Tenancy
 
-**Remediation Sync** - Automatically synchronize security decisions across your entire organization. Syncs to all Security Engines and Blocklists Integration endpoints, ensuring consistent protection across your infrastructure.
-[Learn more](/u/console/remediation_sync)
+### Remediation Sync
+Automatically synchronize security decisions across your entire organization. Syncs to all Security Engines and Blocklists Integration endpoints, ensuring consistent protection across your infrastructure.
+[Learn more about remediation sync](/u/console/remediation_sync)
 
-**Console Decision Management** - Add, delete, and manage security decisions directly from the Console. Force pull blocklists when subscribing or unsubscribing.
-[Learn more](/u/console/decisions/decisions_management)
+### Console Decision Management
+Add, delete, and manage security decisions directly from the Console. Force pull blocklists when subscribing or unsubscribing, giving you complete control over your security posture from a central interface.
+[Learn more about decision management](/u/console/decisions/decisions_management)
 
-**Centralized Allowlists** - Manage allowlists from a single location and apply them across all security engines and integrations organization-wide. Supports IP expiration for temporary allowlisting.
-[Learn more](/u/console/allowlists)
+### Centralized Allowlists
+Manage allowlists from a single location and apply them across all security engines and integrations organization-wide. Supports IP expiration for temporary allowlisting.
+[Learn more about allowlists](/u/console/allowlists)
 
-**Service API (SAPI)** - Access APIs for console management, blocklist creation, decision management, and more.
-[Learn more](/u/console/service_api/getting_started)
+### Service API (SAPI)
+Access APIs for console management.
+[Learn more about Service API](/u/console/service_api/getting_started)
 
-**Blocklist Creation & Sharing** - Distribute custom blocklists across multiple organizations or partners via SAPI, enabling coordinated security operations.
-[Learn more](/u/console/service_api/blocklists)
+### Blocklist Creation & Sharing
+Via our [Service API (SAPI)](/u/console/service_api/getting_started) Distribute custom blocklists across multiple organizations or partners, enabling coordinated security operations across your business ecosystem.
+[Learn more about SAPI Blocklist endpoints](/u/console/service_api/blocklists)
 
-**Auto Enroll** - Automatically enroll new security engines into your organization for streamlined deployment and management.
+### Auto Enroll
+Automatically enroll new security engines into your organization for streamlined deployment and management.
 
-**Expanded Organization Seats** - Provide view/edit/admin access to customers or collaborate with team members. 3 seats included in base Premium plan.
+### Expanded Organization Seats
+Provide view/edit/admin access to you customers or collaborate with team members by adding more seats to your organization. (3 included in base Premium plan)
 
-### Extra Protection
+## Extra protection
 
-**Threat Forecast Blocklists** - Access exclusive, organization-specific blocklists generated from the signals your organization shares with CrowdSec. More precise than community blocklists.
-[Learn more](/u/console/threat_forecast)
+### Threat Forecast Blocklists
+Access exclusive, organization-specific blocklists generated from the signals your organization shares with CrowdSec. These blocklists are more precise than community blocklists and provide tailored protection for your infrastructure.
+[Learn more about threat forecast blocklists](/u/console/threat_forecast)
 
-**Expanded Community Blocklist Coverage** - Receive up to 50k of the most aggressive attackers targeting similar services as yours (up from top [3k in Community](/docs/central_api/community_blocklist/#community-blocklist-lite)).
+### Expanded Community Blocklist Coverage
+Unlock the premium Community Blocklist as a network participant.
+Receive up to 50k of the most aggressive attackers targeting similar services as yours *(up from top [3k in Community](/docs/central_api/community_blocklist/#community-blocklist-lite)).*
 
-**Premium Tier Blocklist Access** - Get access to Premium tier blocklists, providing enhanced protection with curated specialized blocklists tailored for different attack vectors.
+### Premium Tier Blocklist Access
+Get access to our Premium tier blocklists, providing enhanced protection with curated specialized blocklists tailored for different attack vectors.
 
-**Unlimited Blocklist Subscriptions** - Unlimited blocklist subscriptions (compared to 3 in Community), allowing you to protect your infrastructure with multiple specialized blocklists simultaneously.
-[Learn more](/u/blocklists/intro#crowdsec-blocklist-tiers)
+### Unlimited Blocklist Subscriptions
+Premium subscribers get unlimited blocklist subscriptions (compared to 3 in Community), allowing you to protect your infrastructure with multiple specialized blocklists simultaneously.
+[Learn more about premium tier blocklists features](/u/blocklists/intro#crowdsec-blocklist-tiers)
 
-### Reactivity & Monitoring
+## Reactivity & Monitoring
 
-**Am I Under Attack Feature** - Receive real-time alerts when your infrastructure experiences attack surges. Analyzes current traffic patterns against historical baselines to detect anomalous activity.
-[Learn more](/u/console/security_engines/am_i_under_attack)
+### Am I Under Attack Feature
+Receive real-time alerts when your infrastructure experiences attack surges. This feature analyzes current traffic patterns against historical baselines to detect anomalous activity, with support for email notifications and webhook integrations.
+[Learn more about attack detection](/u/console/security_engines/am_i_under_attack)
 
-**Push Notifications Integrations** - Receive alerts when security engines go offline or become outdated, ensuring your security infrastructure remains operational.
-[Learn more](/u/console/notification_integrations/overview)
+### Push Notifications Integrations
+Receive alerts when security engines go offline or become outdated, ensuring your security infrastructure remains operational.
+[Learn more about push notifications](/u/console/notification_integrations/overview)
 
-**Increased Alert Quotas and Extended Retention** - Upgrade from Community's 500 alerts per month and 2-month retention to custom quotas (up to several million alerts) and up to 1 year of retention.
-[Learn more](/u/console/alerts/quotas#why-upgrade-to-premium-)
+### Increased Alert Quotas and Extended Retention
+Upgrade from the Community Plan's 500 alerts per month and 2-month retention to custom quotas (up to several million alerts) and up to 1 year of retention. This enables comprehensive monitoring of large-scale infrastructures and long-term security analysis.
+[Learn more about premium quotas](/u/console/alerts/quotas#why-upgrade-to-premium-)
 
-**Background Noise Filtering** - Automatically filter out internet background radiation and mass scanning activity to focus on genuine threats. Customize noise cancellation levels (Low, Medium, High).
-[Learn more](/u/console/alerts/background_noise)
+### Background Noise Filtering
+Automatically filter out internet background radiation and mass scanning activity to focus on genuine threats. Customize noise cancellation levels (Low, Medium, High) to match your security requirements.
+[Learn more about background noise filtering](/u/console/alerts/background_noise)
 
-**IP Reputation Investigation Quotas** - 100 attacker details per week (compared to 30 in Community), including IP reputation and MITRE ATT&CK mappings for comprehensive threat intelligence.
+### IP reputation investigation quotas
+Audit what CrowdSec knows about IP addresses, attacking you and present in blocklists, with increased investigation quotas.
+100 attacker details per week (compared to 30 in Community), including IP reputation and MITRE ATT&CK mappings for comprehensive threat intelligence.
 
-**CTI API Access** - Get 100 CTI API calls per week (compared to 30 in Community) for integration with SIEM, SOAR, and other security tools.
-[Learn more](/u/cti_api/api_integration/integration_intro)
+### CTI API Access
+Leverage CrowdSec IP reputation data into your vendors.
+Get 100 CTI API calls per week (compared to 30 in Community) for integration with SIEM, SOAR, and other security tools.
+[Learn more about CTI API](/u/cti_api/api_integration/integration_intro)

From a771b6e60ab78102cde21bda943f90cc27dddbc5 Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Thu, 19 Mar 2026 16:54:39 +0100
Subject: [PATCH 04/14] bigger personna selector

---
 .../src/components/premium-upgrade/index.ts   |  11 ++
 .../premium-upgrade/persona-selector.tsx      |  90 ++++++++++++
 .../premium-upgrade/persona-tabs.tsx          |  88 ++++++++++++
 .../premium-upgrade/tabs-with-persona.tsx     | 133 ++++++++++++++++++
 crowdsec-docs/src/css/premium-upgrade.css     |  18 ++-
 .../unversioned/console/premium_upgrade.mdx   |  36 ++++-
 6 files changed, 372 insertions(+), 4 deletions(-)
 create mode 100644 crowdsec-docs/src/components/premium-upgrade/index.ts
 create mode 100644 crowdsec-docs/src/components/premium-upgrade/persona-selector.tsx
 create mode 100644 crowdsec-docs/src/components/premium-upgrade/persona-tabs.tsx
 create mode 100644 crowdsec-docs/src/components/premium-upgrade/tabs-with-persona.tsx

diff --git a/crowdsec-docs/src/components/premium-upgrade/index.ts b/crowdsec-docs/src/components/premium-upgrade/index.ts
new file mode 100644
index 000000000..a8599e4c2
--- /dev/null
+++ b/crowdsec-docs/src/components/premium-upgrade/index.ts
@@ -0,0 +1,11 @@
+export { FeatureCard, HighlightCard } from "./feature-card";
+export type { FeatureCardProps, HighlightCardProps } from "./feature-card";
+
+export { PersonaSelector } from "./persona-selector";
+export type { PersonaOption as PersonaSelectorOption, PersonaSelectorProps } from "./persona-selector";
+
+export { PersonaTabsHeader } from "./persona-tabs";
+export type { PersonaOption as PersonaTabsOption, PersonaTabsHeaderProps } from "./persona-tabs";
+
+export { TabsWithPersona } from "./tabs-with-persona";
+export type { PersonaOption, TabsWithPersonaProps } from "./tabs-with-persona";
diff --git a/crowdsec-docs/src/components/premium-upgrade/persona-selector.tsx b/crowdsec-docs/src/components/premium-upgrade/persona-selector.tsx
new file mode 100644
index 000000000..9b283d2be
--- /dev/null
+++ b/crowdsec-docs/src/components/premium-upgrade/persona-selector.tsx
@@ -0,0 +1,90 @@
+import React, { useState } from "react";
+
+export interface PersonaOption {
+	id: string;
+	icon: string;
+	title: string;
+	description: string;
+	tag: string;
+}
+
+export interface PersonaSelectorProps {
+	options: PersonaOption[];
+	defaultSelected?: string;
+	onChange?: (selectedId: string) => void;
+	label?: string;
+}
+
+export const PersonaSelector = ({
+	options,
+	defaultSelected,
+	onChange,
+	label = "Your Profile",
+}: PersonaSelectorProps): React.JSX.Element => {
+	const [selected, setSelected] = useState<string>(defaultSelected || options[0]?.id || "");
+
+	const handleSelect = (id: string) => {
+		setSelected(id);
+		onChange?.(id);
+	};
+
+	return (
+		<div className="persona-selector mb-8">
+			<p className="text-xs font-medium uppercase tracking-wider text-gray-500 dark:text-gray-600 mb-4">{label}</p>
+			<div className="grid grid-cols-1 md:grid-cols-3 gap-3">
+				{options.map((option) => (
+					<button
+						key={option.id}
+						type="button"
+						onClick={() => handleSelect(option.id)}
+						className={`
+							persona-card text-left p-5 rounded-xl border-2 transition-all duration-200
+							${
+								selected === option.id
+									? "border-primary bg-primary text-white shadow-lg scale-[1.02]"
+									: "border-border bg-card hover:border-gray-400 dark:hover:border-gray-500 hover:shadow-md"
+							}
+						`}
+					>
+						<div
+							className={`
+								text-3xl mb-3 w-9 h-9 rounded-lg flex items-center justify-center transition-all
+								${selected === option.id ? "bg-white/20" : "bg-gray-100 dark:bg-gray-800"}
+							`}
+						>
+							{option.icon}
+						</div>
+						<h3
+							className={`
+								font-semibold text-base mb-2 transition-colors
+								${selected === option.id ? "text-white" : "text-gray-900 dark:text-gray-100"}
+							`}
+						>
+							{option.title}
+						</h3>
+						<p
+							className={`
+								text-sm mb-3 leading-relaxed transition-colors
+								${selected === option.id ? "text-white/80" : "text-gray-600 dark:text-gray-400"}
+							`}
+						>
+							{option.description}
+						</p>
+						<span
+							className={`
+								inline-block text-xs font-medium px-3 py-1 rounded-full transition-all
+								${
+									selected === option.id
+										? "bg-white/20 text-white/90"
+										: "bg-gray-100 dark:bg-gray-800 text-gray-600 dark:text-gray-400"
+								}
+							`}
+						>
+							{option.tag}
+						</span>
+					</button>
+				))}
+			</div>
+		</div>
+	);
+};
diff --git a/crowdsec-docs/src/components/premium-upgrade/persona-tabs.tsx b/crowdsec-docs/src/components/premium-upgrade/persona-tabs.tsx
new file mode 100644
index 000000000..9a92ad27c
--- /dev/null
+++ b/crowdsec-docs/src/components/premium-upgrade/persona-tabs.tsx
@@ -0,0 +1,88 @@
+import React from "react";
+
+export interface PersonaOption {
+	value: string;
+	icon: string;
+	label: string;
+	description: string;
+	tag: string;
+}
+
+export interface PersonaTabsHeaderProps {
+	options: PersonaOption[];
+	selectedValue: string;
+	onSelect: (value: string) => void;
+	headerLabel?: string;
+}
+
+/**
+ * Custom header for Docusaurus Tabs that looks like persona selector cards
+ * Use this with Docusaurus <Tabs> component by passing a custom tabsHeader
+ */
+export const PersonaTabsHeader = ({
+	options,
+	selectedValue,
+	onSelect,
+	headerLabel = "Your Profile",
+}: PersonaTabsHeaderProps): React.JSX.Element => {
+	return (
+		<div className="persona-tabs-header mb-8">
+			<p className="text-xs font-medium uppercase tracking-wider text-gray-500 dark:text-gray-600 mb-4">{headerLabel}</p>
+			<div className="grid grid-cols-1 md:grid-cols-3 gap-3">
+				{options.map((option) => {
+					const isSelected = selectedValue === option.value;
+					return (
+						<button
+							key={option.value}
+							type="button"
+							role="tab"
+							aria-selected={isSelected}
+							onClick={() => onSelect(option.value)}
+							className={`
+								persona-card text-left p-5 rounded-xl border-2 transition-all duration-200
+								${
+									isSelected
+										? "border-primary bg-primary text-white shadow-lg scale-[1.02]"
+										: "border-border bg-card hover:border-gray-400 dark:hover:border-gray-500 hover:shadow-md"
+								}
+							`}
+						>
+							<div
+								className={`
+									text-3xl mb-3 w-9 h-9 rounded-lg flex items-center justify-center transition-all
+									${isSelected ? "bg-white/20" : "bg-gray-100 dark:bg-gray-800"}
+								`}
+							>
+								{option.icon}
+							</div>
+							<h3
+								className={`
+									font-semibold text-base mb-2 transition-colors
+									${isSelected ? "text-white" : "text-gray-900 dark:text-gray-100"}
+								`}
+							>
+								{option.label}
+							</h3>
+							<p
+								className={`
+									text-sm mb-3 leading-relaxed transition-colors
+									${isSelected ? "text-white/80" : "text-gray-600 dark:text-gray-400"}
+								`}
+							>
+								{option.description}
+							</p>
+							<span
+								className={`
+									inline-block text-xs font-medium px-3 py-1 rounded-full transition-all
+									${isSelected ? "bg-white/20 text-white/90" : "bg-gray-100 dark:bg-gray-800 text-gray-600 dark:text-gray-400"}
+								`}
+							>
+								{option.tag}
+							</span>
+						</button>
+					);
+				})}
+			</div>
+		</div>
+	);
+};
diff --git a/crowdsec-docs/src/components/premium-upgrade/tabs-with-persona.tsx b/crowdsec-docs/src/components/premium-upgrade/tabs-with-persona.tsx
new file mode 100644
index 000000000..656254628
--- /dev/null
+++ b/crowdsec-docs/src/components/premium-upgrade/tabs-with-persona.tsx
@@ -0,0 +1,133 @@
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+import React, { useState } from "react";
+import type { ReactElement } from "react";
+
+export interface PersonaOption {
+	value: string;
+	icon: string;
+	label: string;
+	description: string;
+	tag: string;
+}
+
+export interface TabsWithPersonaProps {
+	options: PersonaOption[];
+	defaultValue?: string;
+	groupId?: string;
+	headerLabel?: string;
+	children: ReactElement<typeof TabItem> | ReactElement<typeof TabItem>[];
+}
+
+/**
+ * Tabs component with custom persona selector header
+ * Combines Docusaurus Tabs functionality with styled persona cards
+ *
+ * @example
+ * <TabsWithPersona
+ *   options={[
+ *     { value: "devops", icon: "⚙️", label: "DevOps", description: "...", tag: "Solo" }
+ *   ]}
+ *   defaultValue="devops"
+ *   groupId="user-persona"
+ * >
+ *   <TabItem value="devops">Content</TabItem>
+ * </TabsWithPersona>
+ */
+export const TabsWithPersona = ({
+	options,
+	defaultValue,
+	groupId,
+	headerLabel = "Your Profile",
+	children,
+}: TabsWithPersonaProps): React.JSX.Element => {
+	const [selectedValue, setSelectedValue] = useState<string>(defaultValue || options[0]?.value || "");
+
+	const handleSelect = (value: string) => {
+		setSelectedValue(value);
+		// Trigger tab change by programmatically clicking the hidden tab button
+		const tabButton = document.querySelector(`[role="tab"][data-value="${value}"]`) as HTMLElement;
+		if (tabButton) {
+			tabButton.click();
+		}
+	};
+
+	return (
+		<div className="tabs-with-persona">
+			{/* Custom Persona Header */}
+			<div className="persona-tabs-header mb-8">
+				<p className="text-xs font-medium uppercase tracking-wider text-gray-500 dark:text-gray-600 mb-4">{headerLabel}</p>
+				<div className="grid grid-cols-1 md:grid-cols-3 gap-3">
+					{options.map((option) => {
+						const isSelected = selectedValue === option.value;
+						return (
+							<button
+								key={option.value}
+								type="button"
+								onClick={() => handleSelect(option.value)}
+								className={`
+									persona-card text-left p-5 rounded-xl border-2 transition-all duration-200
+									${
+										isSelected
+											? "border-primary bg-primary text-white shadow-lg scale-[1.02]"
+											: "border-border bg-card hover:border-gray-400 dark:hover:border-gray-500 hover:shadow-md"
+									}
+								`}
+							>
+								<div
+									className={`
+										text-3xl mb-3 w-9 h-9 rounded-lg flex items-center justify-center transition-all
+										${isSelected ? "bg-white/20" : "bg-gray-100 dark:bg-gray-800"}
+									`}
+								>
+									{option.icon}
+								</div>
+								<h3
+									className={`
+										font-semibold text-base mb-2 transition-colors
+										${isSelected ? "text-white" : "text-gray-900 dark:text-gray-100"}
+									`}
+								>
+									{option.label}
+								</h3>
+								<p
+									className={`
+										text-sm mb-3 leading-relaxed transition-colors
+										${isSelected ? "text-white/80" : "text-gray-600 dark:text-gray-400"}
+									`}
+								>
+									{option.description}
+								</p>
+								<span
+									className={`
+										inline-block text-xs font-medium px-3 py-1 rounded-full transition-all
+										${isSelected ? "bg-white/20 text-white/90" : "bg-gray-100 dark:bg-gray-800 text-gray-600 dark:text-gray-400"}
+									`}
+								>
+									{option.tag}
+								</span>
+							</button>
+						);
+					})}
+				</div>
+			</div>
+
+			{/* Hidden Docusaurus Tabs - just for content switching */}
+			<div className="hidden-tabs" style={{ display: "none" }}>
+				<Tabs defaultValue={defaultValue} groupId={groupId}>
+					{children}
+				</Tabs>
+			</div>
+
+			{/* Tab Content - controlled by selected value */}
+			<div className="tab-content">
+				{React.Children.map(children, (child) => {
+					if (React.isValidElement(child) && child.props.value === selectedValue) {
+						return <div key={child.props.value}>{child.props.children}</div>;
+					}
+					return null;
+				})}
+			</div>
+		</div>
+	);
+};
diff --git a/crowdsec-docs/src/css/premium-upgrade.css b/crowdsec-docs/src/css/premium-upgrade.css
index 4fd462e3c..6b8fc87df 100644
--- a/crowdsec-docs/src/css/premium-upgrade.css
+++ b/crowdsec-docs/src/css/premium-upgrade.css
@@ -1,6 +1,17 @@
 /* Premium Upgrade Page Styles */
 
-/* Make tabs look more like persona cards */
+/* Persona Selector Cards */
+.persona-card {
+	cursor: pointer;
+	user-select: none;
+	position: relative;
+}
+
+.persona-card:active {
+	transform: scale(0.98);
+}
+
+/* Make default tabs look more like persona cards (fallback) */
 .premium-persona-tabs .tabs__item {
 	font-size: 0.9rem;
 	padding: 0.5rem 1rem;
@@ -18,6 +29,11 @@
 	border-color: rgb(var(--primary) / 0.3);
 }
 
+/* Hide default tabs when using custom persona header */
+.tabs-with-persona .tabs {
+	display: none;
+}
+
 /* Feature card animations */
 .feature-card {
 	animation: fadeIn 0.3s ease-in-out;
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade.mdx b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
index 5f2d5c6bc..bfcd5d739 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
@@ -8,6 +8,31 @@ import Tabs from '@theme/Tabs';
 import TabItem from '@theme/TabItem';
 import Link from '@docusaurus/Link';
 import { FeatureCard, HighlightCard } from '@site/src/components/premium-upgrade/feature-card';
+import { TabsWithPersona } from '@site/src/components/premium-upgrade/tabs-with-persona';
+
+export const personaOptions = [
+	{
+		value: "devops",
+		icon: "⚙️",
+		label: "DevOps / SRE",
+		description: "Managing infrastructure solo or in small teams, focused on reducing noise and blocking more threats.",
+		tag: "Solo · SME"
+	},
+	{
+		value: "secops",
+		icon: "🛡️",
+		label: "SecOps / Blue Team",
+		description: "Team needs collaboration, investigation capabilities, and data retention for audits.",
+		tag: "Team · Enterprise"
+	},
+	{
+		value: "msp",
+		icon: "🏢",
+		label: "MSP / Integrator",
+		description: "Managing security for multiple clients, requiring isolation and automation capabilities.",
+		tag: "Multi-tenant · API"
+	}
+];
 
 <div style={{marginBottom: '2rem'}}>
 
@@ -19,8 +44,13 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 </div>
 
-<Tabs groupId="user-persona" className="premium-persona-tabs">
-<TabItem value="devops" label="⚙️ DevOps / SRE" default>
+<TabsWithPersona
+	options={personaOptions}
+	defaultValue="devops"
+	groupId="user-persona"
+	headerLabel="Your Profile"
+>
+<TabItem value="devops">
 
 ## Solo or Small Team Infrastructure Management
 
@@ -434,7 +464,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 - **White-label ready**: Manage all clients from single dashboard
 
 </TabItem>
-</Tabs>
+</TabsWithPersona>
 
 ---
 

From 51fe6481b6e9ec408202681f41e34e62f6f0bf80 Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Thu, 19 Mar 2026 18:36:27 +0100
Subject: [PATCH 05/14] redeisgn on full feature list page

---
 .../premium_upgrade/features_overview.mdx     | 267 +++++++++++++-----
 1 file changed, 204 insertions(+), 63 deletions(-)

diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
index eac688300..0569a0c99 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
@@ -4,6 +4,8 @@ title: Premium Features Overview
 description: Comprehensive overview of all Premium features
 ---
 
+import { FeatureCard, HighlightCard } from '@site/src/components/premium-upgrade/feature-card';
+
 Premium features enable multiple use cases.
 Make the best use of the premium features for your needs in: **Scaling, Multi-tenancy, Enhanced proactive protection, Centralized management, Team collaboration, Integration and automation, Enhanced threat intelligence, and improved support.**
 
@@ -11,72 +13,211 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 
 ## Scaling, Automation & Multi-Tenancy
 
-### Remediation Sync
-Automatically synchronize security decisions across your entire organization. Syncs to all Security Engines and Blocklists Integration endpoints, ensuring consistent protection across your infrastructure.
-[Learn more about remediation sync](/u/console/remediation_sync)
-
-### Console Decision Management
-Add, delete, and manage security decisions directly from the Console. Force pull blocklists when subscribing or unsubscribing, giving you complete control over your security posture from a central interface.
-[Learn more about decision management](/u/console/decisions/decisions_management)
-
-### Centralized Allowlists
-Manage allowlists from a single location and apply them across all security engines and integrations organization-wide. Supports IP expiration for temporary allowlisting.
-[Learn more about allowlists](/u/console/allowlists)
-
-### Service API (SAPI)
-Access APIs for console management.
-[Learn more about Service API](/u/console/service_api/getting_started)
-
-### Blocklist Creation & Sharing
-Via our [Service API (SAPI)](/u/console/service_api/getting_started) Distribute custom blocklists across multiple organizations or partners, enabling coordinated security operations across your business ecosystem.
-[Learn more about SAPI Blocklist endpoints](/u/console/service_api/blocklists)
-
-### Auto Enroll
-Automatically enroll new security engines into your organization for streamlined deployment and management.
-
-### Expanded Organization Seats
-Provide view/edit/admin access to you customers or collaborate with team members by adding more seats to your organization. (3 included in base Premium plan)
-
-## Extra protection
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Remediation Sync"
+	metric="Automatic"
+	category="scale"
+	description="Automatically synchronize security decisions across your entire organization. Syncs to all Security Engines and Blocklists Integration endpoints, ensuring consistent protection across your infrastructure."
+	comparison={{
+		before: "Community: manual sync",
+		after: "Premium: automatic sync"
+	}}
+	link="/u/console/remediation_sync"
+/>
+
+<FeatureCard
+	title="Console Decision Management"
+	metric="Centralized"
+	category="scale"
+	description="Add, delete, and manage security decisions directly from the Console. Force pull blocklists when subscribing or unsubscribing, giving you complete control over your security posture from a central interface."
+	link="/u/console/decisions/decisions_management"
+/>
+
+<FeatureCard
+	title="Centralized Allowlists"
+	metric="Organization-wide"
+	category="scale"
+	description="Manage allowlists from a single location and apply them across all security engines and integrations organization-wide. Supports IP expiration for temporary allowlisting."
+	comparison={{
+		before: "Community: per-engine",
+		after: "Premium: centralized + expiration"
+	}}
+	link="/u/console/allowlists"
+/>
+
+<FeatureCard
+	title="Service API (SAPI)"
+	metric="REST + webhooks"
+	category="scale"
+	badges={["API"]}
+	description="Access APIs for console management. Automate blocklist creation, decision management, and enrollment operations via API."
+	comparison={{
+		before: "Community: no API access",
+		after: "Premium: full SAPI"
+	}}
+	link="/u/console/service_api/getting_started"
+/>
+
+<FeatureCard
+	title="Blocklist Creation & Sharing"
+	metric="Custom via API"
+	category="scale"
+	badges={["API"]}
+	description="Distribute custom blocklists across multiple organizations or partners, enabling coordinated security operations across your business ecosystem."
+	link="/u/console/service_api/blocklists"
+/>
+
+<FeatureCard
+	title="Auto Enroll"
+	metric="Zero-touch"
+	category="scale"
+	description="Automatically enroll new security engines into your organization for streamlined deployment and management. Perfect for infrastructure-as-code deployments."
+	comparison={{
+		before: "Community: manual enrollment",
+		after: "Premium: automatic enrollment"
+	}}
+/>
+
+<FeatureCard
+	title="Expanded Organization Seats"
+	metric="3 seats included"
+	category="scale"
+	description="Provide view/edit/admin access to your customers or collaborate with team members by adding more seats to your organization. Base Premium plan includes 3 seats, with options to add more."
+	comparison={{
+		before: "Community: 1 user only",
+		after: "Premium: full team (3+)"
+	}}
+	link="/u/console/organizations/intro"
+/>
+
+</div>
 
-### Threat Forecast Blocklists
-Access exclusive, organization-specific blocklists generated from the signals your organization shares with CrowdSec. These blocklists are more precise than community blocklists and provide tailored protection for your infrastructure.
-[Learn more about threat forecast blocklists](/u/console/threat_forecast)
-
-### Expanded Community Blocklist Coverage
-Unlock the premium Community Blocklist as a network participant.
-Receive up to 50k of the most aggressive attackers targeting similar services as yours *(up from top [3k in Community](/docs/central_api/community_blocklist/#community-blocklist-lite)).*
+---
 
-### Premium Tier Blocklist Access
-Get access to our Premium tier blocklists, providing enhanced protection with curated specialized blocklists tailored for different attack vectors.
+## Extra Protection
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Threat Forecast Blocklists"
+	metric="Organization-specific"
+	category="protection"
+	description="Access exclusive, organization-specific blocklists generated from the signals your organization shares with CrowdSec. These blocklists are more precise than community blocklists and provide tailored protection for your infrastructure."
+	comparison={{
+		before: "Community: generic list",
+		after: "Premium: org-specific"
+	}}
+	link="/u/console/threat_forecast"
+/>
+
+<FeatureCard
+	title="Expanded Community Blocklist Coverage"
+	metric="3k → 50k IPs"
+	category="protection"
+	description="Unlock the premium Community Blocklist as a network participant. Receive up to 50,000 of the most aggressive attackers targeting similar services as yours (up from top 3k in Community)."
+	comparison={{
+		before: "Community: top 3k",
+		after: "Premium: top 50k (×16)"
+	}}
+	link="/u/console/blocklists/intro"
+/>
+
+<FeatureCard
+	title="Premium Tier Blocklist Access"
+	metric="Curated lists"
+	category="protection"
+	description="Get access to our Premium tier blocklists, providing enhanced protection with curated specialized blocklists tailored for different attack vectors."
+	link="/u/blocklists/intro#crowdsec-blocklist-tiers"
+/>
+
+<FeatureCard
+	title="Unlimited Blocklist Subscriptions"
+	metric="3 → ∞"
+	category="protection"
+	description="Premium subscribers get unlimited blocklist subscriptions (compared to 3 in Community), allowing you to protect your infrastructure with multiple specialized blocklists simultaneously."
+	comparison={{
+		before: "Community: 3 max",
+		after: "Premium: unlimited"
+	}}
+	link="/u/blocklists/intro#crowdsec-blocklist-tiers"
+/>
+
+</div>
 
-### Unlimited Blocklist Subscriptions
-Premium subscribers get unlimited blocklist subscriptions (compared to 3 in Community), allowing you to protect your infrastructure with multiple specialized blocklists simultaneously.
-[Learn more about premium tier blocklists features](/u/blocklists/intro#crowdsec-blocklist-tiers)
+---
 
 ## Reactivity & Monitoring
 
-### Am I Under Attack Feature
-Receive real-time alerts when your infrastructure experiences attack surges. This feature analyzes current traffic patterns against historical baselines to detect anomalous activity, with support for email notifications and webhook integrations.
-[Learn more about attack detection](/u/console/security_engines/am_i_under_attack)
-
-### Push Notifications Integrations
-Receive alerts when security engines go offline or become outdated, ensuring your security infrastructure remains operational.
-[Learn more about push notifications](/u/console/notification_integrations/overview)
-
-### Increased Alert Quotas and Extended Retention
-Upgrade from the Community Plan's 500 alerts per month and 2-month retention to custom quotas (up to several million alerts) and up to 1 year of retention. This enables comprehensive monitoring of large-scale infrastructures and long-term security analysis.
-[Learn more about premium quotas](/u/console/alerts/quotas#why-upgrade-to-premium-)
-
-### Background Noise Filtering
-Automatically filter out internet background radiation and mass scanning activity to focus on genuine threats. Customize noise cancellation levels (Low, Medium, High) to match your security requirements.
-[Learn more about background noise filtering](/u/console/alerts/background_noise)
-
-### IP reputation investigation quotas
-Audit what CrowdSec knows about IP addresses, attacking you and present in blocklists, with increased investigation quotas.
-100 attacker details per week (compared to 30 in Community), including IP reputation and MITRE ATT&CK mappings for comprehensive threat intelligence.
-
-### CTI API Access
-Leverage CrowdSec IP reputation data into your vendors.
-Get 100 CTI API calls per week (compared to 30 in Community) for integration with SIEM, SOAR, and other security tools.
-[Learn more about CTI API](/u/cti_api/api_integration/integration_intro)
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Am I Under Attack"
+	metric="Real-time"
+	category="monitoring"
+	description="Receive real-time alerts when your infrastructure experiences attack surges. This feature analyzes current traffic patterns against historical baselines to detect anomalous activity, with support for email notifications and webhook integrations."
+	link="/u/console/security_engines/am_i_under_attack"
+/>
+
+<FeatureCard
+	title="Push Notifications Integrations"
+	metric="Slack · PagerDuty"
+	category="monitoring"
+	description="Receive alerts when security engines go offline or become outdated, ensuring your security infrastructure remains operational. Native integrations with major SecOps tools."
+	comparison={{
+		before: "Community: email only",
+		after: "Premium: webhooks + integrations"
+	}}
+	link="/u/console/notification_integrations/overview"
+/>
+
+<FeatureCard
+	title="Increased Alert Quotas and Extended Retention"
+	metric="2 months → 1 year"
+	category="monitoring"
+	description="Upgrade from the Community Plan's 500 alerts per month and 2-month retention to custom quotas (up to several million alerts) and up to 1 year of retention. This enables comprehensive monitoring of large-scale infrastructures and long-term security analysis."
+	comparison={{
+		before: "Community: 500/month, 2 months",
+		after: "Premium: millions/month, 365 days"
+	}}
+	link="/u/console/alerts/quotas#why-upgrade-to-premium-"
+/>
+
+<FeatureCard
+	title="Background Noise Filtering"
+	metric="−75% to −92% noise"
+	category="monitoring"
+	description="Automatically filter out internet background radiation and mass scanning activity to focus on genuine threats. Customize noise cancellation levels (Low, Medium, High) to match your security requirements."
+	comparison={{
+		before: "Community: all signals",
+		after: "Premium: real threats only"
+	}}
+	link="/u/console/alerts/background_noise"
+/>
+
+<FeatureCard
+	title="IP Reputation Investigation"
+	metric="30 → 100/week"
+	category="intelligence"
+	description="Audit what CrowdSec knows about IP addresses attacking you and present in blocklists, with increased investigation quotas. 100 attacker details per week (compared to 30 in Community), including IP reputation and MITRE ATT&CK mappings for comprehensive threat intelligence."
+	comparison={{
+		before: "Community: 30 lookups/week",
+		after: "Premium: 100 lookups/week"
+	}}
+/>
+
+<FeatureCard
+	title="CTI API Access"
+	metric="30 → 100 calls/week"
+	category="intelligence"
+	badges={["API"]}
+	description="Leverage CrowdSec IP reputation data into your vendors. Get 100 CTI API calls per week (compared to 30 in Community) for integration with SIEM, SOAR, and other security tools."
+	comparison={{
+		before: "Community: 30 calls/week",
+		after: "Premium: 100 calls/week"
+	}}
+	link="/u/cti_api/api_integration/integration_intro"
+/>
+
+</div>

From ca416a4fb5c544a3c2f79115a03236bf0284ff8e Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Thu, 19 Mar 2026 18:49:19 +0100
Subject: [PATCH 06/14] updated page optimal setup

---
 .../console/premium_upgrade/optimal_setup.mdx | 235 ++++++++++++++++--
 1 file changed, 220 insertions(+), 15 deletions(-)

diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx
index 4134ef52d..c2afff66e 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx
@@ -4,23 +4,228 @@ title: Optimal Premium Upgrade Setup
 description: Best practices for setting up your Premium upgrade
 ---
 
-When upgrading to a Premium plan, you may not want to upgrade every single Security Engine you monitor. It is common to have a mix of environments:
-- **Production:** Requires Premium features (longer data retention, heavy API limits, organization-wide blocklists).
-- **Dev / Test / Staging:** Can remain on the Free tier.
+import { FeatureCard } from '@site/src/components/premium-upgrade/feature-card';
 
-Because the Premium Upgrade applies to an entire **Organization**, the optimal strategy is to separate your Security Engines into different contexts before subscribing.
+<div className="p-6 rounded-xl bg-gradient-to-r from-primary/10 to-primary/5 border border-solid border-primary/20 mb-8">
 
-When you first create a Console account, your workspace is your "Personal Account".
-As a Community account, you can create one extra organization for free.
+## 💡 Why Organize Before Upgrading?
 
-We recommend the following setup:
-- If you have not already, create a new organization for your **Production** environment.
-- Keep your **Dev / Test / Staging** Security Engines in your **Personal Account**.
-- Move your **Production** Security Engines to the new **Production** organization.
-- Upgrade the **Production** organization to **Premium**.
+Premium upgrades apply to an **entire Organization**. You may not want Premium features for all environments—typically only **Production** needs extended retention, higher quotas, and advanced protection.
 
-To split your Security Engines into different organizations, use either:
-- The [Transfer feature](/u/console/security_engines/transfer_engine) from the Security Engine page.
-- Or via `cscli`, re-enroll your Security Engines in the desired organization with the `--overwrite` flag to force moving them to the new organization.
+By organizing your Security Engines **before** upgrading, you save costs and keep your infrastructure organized.
 
-After the transfer, the alerts will reappear in the new organization after a few minutes.
+</div>
+
+---
+
+## Common Multi-Environment Setup
+
+Most teams have a mix of environments with different security requirements:
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-8">
+
+<div className="border-2 border-solid border-primary/30 rounded-lg p-6 bg-card">
+
+### 🔥 Production Environments
+
+**Needs Premium:**
+
+- Extended alert retention (12 months)
+- Higher alert quotas (millions/month)
+- Organization-wide blocklists
+- CTI API access for SIEM integration
+- Threat Forecast blocklists
+- Multi-seat team access
+
+</div>
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
+### 🧪 Dev / Test / Staging
+
+**Community is sufficient:**
+
+- Basic alert monitoring (500/month)
+- Short retention (2 months)
+- Community blocklists (3k IPs)
+- Individual engine management
+- Single-user access
+
+</div>
+
+</div>
+
+---
+
+## Recommended Setup Strategy
+
+<div className="grid grid-cols-1 md:grid-cols-3 gap-4 mb-8 text-sm">
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card text-left">
+
+### 1️⃣ Create Production Organization
+
+Create a new organization specifically for your Production environment.
+
+**Community accounts** get **1 extra organization for free** (beyond your Personal Account).
+
+[Learn about Organizations →](/u/console/organizations/intro)
+
+</div>
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card text-left">
+
+### 2️⃣ Organize Your Engines
+
+- **Personal Account:** Keep Dev/Test/Staging engines here (Community tier)
+- **Production Org:** Transfer Production engines to the new organization
+
+You can transfer engines in two ways:
+- Console: [Transfer feature](/u/console/security_engines/transfer_engine)
+- CLI: Re-enroll with `cscli`   
+  using `--overwrite` flag
+
+</div>
+
+<div className="border-2 border-solid border-primary/30 rounded-lg p-6 bg-card text-left">
+
+### 3️⃣ Upgrade Production Only
+
+Upgrade **only the Production organization** to Premium.
+
+Your Dev/Test/Staging environments remain on Community tier with no additional cost.
+
+✅ Alerts reappear in the new organization within minutes
+
+</div>
+
+</div>
+
+---
+
+## Step-by-Step: Splitting Your Engines
+
+### Option 1: Transfer via Console UI
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card mb-4">
+
+**Best for:** Quick transfers of individual or small batches of engines
+
+1. Navigate to **Security Engines** page in Console
+2. Select the engine(s) you want to transfer
+3. Use the **Transfer** feature to move them to your Production organization
+4. Confirm the transfer
+
+[Transfer Feature Documentation →](/u/console/security_engines/transfer_engine)
+
+</div>
+
+### Option 2: Re-enroll via `cscli`
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card mb-4">
+
+**Best for:** Bulk transfers, automation, or infrastructure-as-code deployments
+
+```bash
+# Get enrollment key from your Production organization
+# Console → Organizations → Production → Enrollment Keys
+
+# Re-enroll the Security Engine with --overwrite flag
+cscli console enroll <ENROLLMENT_KEY> --overwrite
+```
+
+The `--overwrite` flag forces the engine to move to the new organization, even if already enrolled elsewhere.
+
+</div>
+
+---
+
+## Example Organizational Structure
+
+<div className="border-l-4 border-solid border-primary p-6 bg-card mb-6">
+
+**Before Organizing (All in Personal Account):**
+
+- 10 Production servers (web, API, database)
+- 5 Staging servers
+- 3 Dev laptops
+
+**After Organizing:**
+
+**Personal Account (Community - Free):**
+- 5 Staging servers
+- 3 Dev laptops
+
+**Production Organization (Premium - Paid):**
+- 10 Production servers
+- Full Premium features
+- Team collaboration with 3 seats
+- Extended retention and quotas
+
+</div>
+
+---
+
+## Benefits of This Approach
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-8">
+
+<FeatureCard
+	title="Cost Optimization"
+	metric="Save 60-80%"
+	category="scale"
+	description="Only pay for Premium where you need it. Dev/Test environments remain free on Community tier."
+/>
+
+<FeatureCard
+	title="Clear Separation"
+	metric="Zero confusion"
+	category="scale"
+	description="Production and non-production environments are cleanly separated, reducing noise and improving security posture visibility."
+/>
+
+<FeatureCard
+	title="Flexible Scaling"
+	metric="Grow as needed"
+	category="scale"
+	description="Add more organizations later (MSPs can create unlimited orgs). Start simple, expand when required."
+/>
+
+<FeatureCard
+	title="No Downtime"
+	metric="Seamless transfer"
+	category="monitoring"
+	description="Alerts reappear in new organization within minutes. No disruption to security monitoring."
+/>
+
+</div>
+
+---
+
+## When NOT to Separate
+
+You may want **all** engines in a single Premium organization if:
+
+- You need extended retention across **all environments** for compliance
+- Your team investigates attacks in staging/dev environments regularly
+- You want centralized allowlists and blocklists everywhere
+- You're an MSP managing multiple client environments (use [Multi-Organization](/u/console/premium_upgrade/features_overview) instead)
+
+---
+
+## Next Steps
+
+<div className="p-6 rounded-xl bg-gradient-to-r from-primary/10 to-primary/5 border border-solid border-primary/20">
+
+### Ready to upgrade?
+
+1. **Organize** your Security Engines across Personal Account and Production Organization
+2. **Upgrade** the Production organization to Premium
+3. **Test** Premium features during your trial period ([Testing Guide →](/u/console/premium_upgrade/testing_premium))
+
+<div style={{display: 'flex', gap: '1rem', marginTop: '1.5rem', flexWrap: 'wrap'}}>
+	<a href="https://app.crowdsec.net/pricing" className="button button--primary button--lg">View Pricing →</a>
+	<a href="/u/console/premium_upgrade/testing_premium" className="button button--secondary button--lg">Testing Premium →</a>
+</div>
+
+</div>

From 284b75a2bc46413aeeabb30dfb73fb0f27e79a07 Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Thu, 19 Mar 2026 18:51:36 +0100
Subject: [PATCH 07/14] updated testing premium page

---
 .../premium_upgrade/testing_premium.mdx       | 291 ++++++++++++++++--
 1 file changed, 257 insertions(+), 34 deletions(-)

diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx
index 803bb69c1..a8df1404d 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx
@@ -4,54 +4,277 @@ title: Test Premium Value in Your Environment
 description: Practical ways to measure and experience Premium value during your trial
 ---
 
-Before exploring all Premium features, here are practical ways to measure and experience the value yourself.
-The following can be used as a guide during your trial period to assess the benefits of upgrading to Premium.
+import { FeatureCard, HighlightCard } from '@site/src/components/premium-upgrade/feature-card';
 
-## 🎯 Measure Improved Protection
+<div className="p-6 rounded-xl bg-gradient-to-r from-primary/10 to-primary/5 border border-solid border-primary/20 mb-8">
 
-**Activate:**
-- Community Blocklists (premium) will automatically be sent to your enrolled engines.
-- The [Threat Forecast Blocklist](/u/console/threat_forecast) Will be generated automatically used in your organization based on your shared signals.
-- Premium Tier Blocklists can be subscribed and subscription numbers per org are unlimited.
-- You can activate [Remediation Sync](/u/console/remediation_sync) to propagate decisions across all your enrolled Security Engines.
-- Respond faster to a spike of alerts thanks to "Am I Under Attack"
+## 🧪 Measure Premium Value During Your Trial
 
-**Measure the impact:**
-- **Remediation Metrics:** Track your proactive vs reactive blocking ratio
-- **Server Resources:** Monitor CPU, memory, and bandwidth reduction
-- **SIEM Logs:** Measure log volume decrease and background noise reduction
+Before exploring all Premium features, use this guide to measure and experience the value in your environment. These practical tests help you assess the concrete benefits of Premium during your trial period.
 
-**Expected results:** 2x more proactive blocking, 75-92% less malicious traffic reaching your servers, cleaner logs and reduced alert fatigue.
+</div>
 
 ---
 
-## 👥 Enable Team Collaboration
+## 🎯 Test 1: Measure Improved Protection
 
-**Activate:**
-- Invite collaborators thanks to Multi-Seat Access
-- Extended Alert Retention (365 days) allow improved traceability
-- Use the improved in-console CTI quotas to enrich your investigations
-- Get notified within your tools thanks to [Push Notification Integrations](/u/console/notification_integrations/overview)
+<div className="border-l-4 border-solid border-primary p-6 bg-card mb-6">
 
-**How your team benefits:**
-- Analyze long-term attack trends and recurring threats
-- Conduct CTI investigations directly in the Console
-- Multiple team members work simultaneously without access conflicts
+### What to Activate
 
-**Expected results:** Faster incident investigations, better threat attribution, reduced tool sprawl.
+Premium protection features are automatically enabled when you upgrade:
+
+- **Community Blocklist (Premium):** Automatically sent to enrolled engines (50k IPs vs 3k)
+- **[Threat Forecast Blocklist](/u/console/threat_forecast):** Generated automatically from your organization's shared signals
+- **Premium Tier Blocklists:** Subscribe to unlimited specialized blocklists
+- **[Remediation Sync](/u/console/remediation_sync):** Propagate decisions across all Security Engines
+- **Am I Under Attack:** Get alerted on traffic surges
+
+</div>
+
+<div className="grid grid-cols-1 md:grid-cols-3 gap-4 mb-8">
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
+### 📊 Metric 1: Remediation Ratio
+
+**How to measure:**
+Check your Console dashboard for proactive vs reactive blocking ratio.
+
+**Expected result:**
+2× more proactive blocking (blocklist hits vs real-time decisions)
+
+</div>
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
+### 💻 Metric 2: Server Resources
+
+**How to measure:**
+Monitor CPU, memory, and bandwidth usage on your Security Engines before and after.
+
+**Expected result:**
+75-92% reduction in malicious traffic reaching your servers
+
+</div>
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
+### 📝 Metric 3: Log Volume
+
+**How to measure:**
+Check your SIEM or log aggregator for alert volume changes.
+
+**Expected result:**
+Cleaner logs, reduced alert fatigue, fewer false positives
+
+</div>
+
+</div>
+
+<HighlightCard
+	title="Quick Test: Background Noise Filtering"
+	category="monitoring"
+	description="Enable Background Noise Filtering (Low/Medium/High) and compare your alert dashboard before/after. You should see 75-92% fewer scanner and crawler alerts within 24 hours."
+	stats={[
+		{ value: "24h", label: "to see results" },
+		{ value: "75-92%", label: "noise reduction" }
+	]}
+	link="/u/console/alerts/background_noise"
+/>
+
+---
+
+## 👥 Test 2: Enable Team Collaboration
+
+<div className="border-l-4 border-solid border-primary p-6 bg-card mb-6">
+
+### What to Activate
+
+Enable team features to see collaboration improvements:
+
+- **Multi-Seat Access:** Invite team members (view/edit/admin roles)
+- **Extended Alert Retention:** 365 days of historical data (vs 60 days)
+- **Increased CTI Quotas:** 100 IP lookups/week (vs 30)
+- **[Push Notification Integrations](/u/console/notification_integrations/overview):** Slack, PagerDuty, webhooks
+
+</div>
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Test: Long-Term Trend Analysis"
+	metric="365 days"
+	category="monitoring"
+	description="Access your Console's Alerts page and analyze attack patterns over the past year. Look for recurring threats, seasonal patterns, or evolving attack vectors. This is impossible with Community's 60-day retention."
+	link="/u/console/alerts/quotas#why-upgrade-to-premium-"
+/>
+
+<FeatureCard
+	title="Test: CTI Investigation Workflow"
+	metric="100 lookups/week"
+	category="intelligence"
+	description="Investigate suspicious IPs directly in the Console. View complete profiles: reputation, behavior, fingerprint, MITRE ATT&CK mappings. Perfect for incident response workflows without leaving the Console."
+/>
+
+<FeatureCard
+	title="Test: Simultaneous Access"
+	metric="3+ seats"
+	category="scale"
+	description="Have multiple team members work in the Console at the same time. Test concurrent operations: one person investigates alerts, another manages allowlists, a third reviews metrics. No access conflicts."
+	link="/u/console/organizations/intro"
+/>
+
+<FeatureCard
+	title="Test: Alerting Integration"
+	metric="Real-time"
+	category="monitoring"
+	description="Connect your Slack or PagerDuty account and test notifications when a Security Engine goes offline or becomes outdated. Verify your team receives alerts in their existing tools."
+	link="/u/console/notification_integrations/overview"
+/>
+
+</div>
+
+<div className="p-6 rounded-lg bg-gray-50 dark:bg-gray-900/30 border border-solid border-border mb-8">
+
+**Expected Results:**
+
+- ⚡ Faster incident investigations (direct CTI access in Console)
+- 🔍 Better threat attribution (1-year retention for pattern analysis)
+- 🤝 Reduced tool sprawl (team works in one place)
+- 📢 Proactive alerting (issues detected before users complain)
+
+</div>
+
+---
+
+## 🏢 Test 3: Scale for MSPs & Enterprises
+
+<div className="border-l-4 border-solid border-primary p-6 bg-card mb-6">
+
+### What to Activate
+
+Test multi-tenant and automation capabilities:
+
+- **Multi-Organization:** Create separate organizations for each client/environment
+- **[Service API (SAPI)](/u/console/service_api/getting_started):** Automate console management
+- **Blocklist Creation & Sharing:** Distribute custom threat intel via API
+- **Auto Enroll:** Zero-touch engine enrollment
+
+</div>
+
+<div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+
+<FeatureCard
+	title="Test: Multi-Tenant Isolation"
+	metric="100% isolated"
+	category="scale"
+	description="Create 2-3 test organizations for different clients. Verify complete data isolation: each org sees only its engines, alerts, and decisions. Test switching between orgs from a single account."
+/>
+
+<FeatureCard
+	title="Test: Custom Blocklist via API"
+	metric="API-driven"
+	category="scale"
+	badges={["API"]}
+	description="Use SAPI to create a custom blocklist with 10-20 IPs from your SIEM. Subscribe multiple organizations to it. Verify the IPs are blocked across all client environments within minutes."
+	link="/u/console/service_api/blocklists"
+/>
+
+<FeatureCard
+	title="Test: Automated Enrollment"
+	metric="Zero-touch"
+	category="scale"
+	description="Enable Auto Enroll, then deploy a new Security Engine with your org's enrollment key. It should automatically join your organization without manual approval. Perfect for Terraform/Ansible/K8s deployments."
+/>
+
+<FeatureCard
+	title="Test: Decision Management via API"
+	metric="Programmatic"
+	category="scale"
+	badges={["API"]}
+	description="Use SAPI to add/remove decisions from the Console. Test forcing a blocklist pull after subscription. Integrate this into your incident response playbooks or SOAR platform."
+	link="/u/console/service_api/getting_started"
+/>
+
+</div>
+
+<div className="p-6 rounded-lg bg-gray-50 dark:bg-gray-900/30 border border-solid border-border mb-8">
+
+**Expected Results:**
+
+- 🏗️ Clear tenant isolation (one org per client)
+- 🤖 Streamlined multi-customer operations (API automation)
+- 📊 Custom visibility per client (each org has its own dashboard)
+- ⚙️ Infrastructure-as-code ready (zero-touch enrollment)
+
+</div>
 
 ---
 
-## 🏢 Scale for MSPs & Enterprises
+## 🎓 Recommended Trial Timeline
+
+<div className="grid grid-cols-1 md:grid-cols-4 gap-4 mb-8 text-sm">
+
+<div className="border-2 border-solid border-primary/30 rounded-lg p-6 bg-card">
+
+### Week 1: Protection
+
+- Enable all blocklists
+- Activate Background Noise
+- Turn on Remediation Sync
+- Measure baseline metrics
+
+</div>
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
+### Week 2: Team
+
+- Invite team members
+- Test CTI lookups
+- Configure push notifications
+- Analyze historical trends
+
+</div>
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
+### Week 3: Scale
+
+- Create test organizations
+- Test SAPI endpoints
+- Try Auto Enroll
+- Custom blocklist sharing
+
+</div>
+
+<div className="border border-solid border-border rounded-lg p-6 bg-card">
+
+### Week 4: Review
+
+- Compare metrics vs Week 1
+- Document value realized
+- Plan production rollout
+- Prepare upgrade decision
+
+</div>
+
+</div>
+
+---
+
+## 💡 Need Help Testing?
+
+<div className="p-6 rounded-xl bg-gradient-to-r from-primary/10 to-primary/5 border border-solid border-primary/20">
 
-**Activate:**
-- Administrate & share access to your clients thanks to Multi-Organization
-- Create & Share Blocklists across organizations via our [Service API (SAPI)](/u/console/service_api/getting_started)
+### Questions about your trial?
 
+Our team can help you set up proper testing and measure the value in your specific environment.
 
-**Manage at scale:**
-- Segment customer environments (one org per client)
-- Share custom threat intelligence across organizations
-- Automate blocklist management via API
+<div style={{display: 'flex', gap: '1rem', marginTop: '1.5rem', flexWrap: 'wrap'}}>
+	<a href="https://www.crowdsec.net/contact-crowdsec" className="button button--primary button--lg">Contact Support</a>
+	<a href="/u/console/premium_upgrade/features_overview" className="button button--secondary button--lg">View All Features →</a>
+</div>
 
-**Expected results:** Clear tenant isolation, streamlined multi-customer operations, custom visibility on their defenses.
+</div>

From a0c5685e3773e4c1ab9b76298f4c4fe2a7915add Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Thu, 19 Mar 2026 21:45:37 +0100
Subject: [PATCH 08/14] toc level to 2

---
 crowdsec-docs/unversioned/console/premium_upgrade.mdx            | 1 +
 .../unversioned/console/premium_upgrade/features_overview.mdx    | 1 +
 .../unversioned/console/premium_upgrade/optimal_setup.mdx        | 1 +
 .../unversioned/console/premium_upgrade/testing_premium.mdx      | 1 +
 4 files changed, 4 insertions(+)

diff --git a/crowdsec-docs/unversioned/console/premium_upgrade.mdx b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
index bfcd5d739..867169a14 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
@@ -2,6 +2,7 @@
 id: premium_upgrade
 title: Premium Upgrade
 description: Find Premium features tailored to your role - DevOps, SecOps, or MSP
+toc_max_heading_level: 2
 ---
 
 import Tabs from '@theme/Tabs';
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
index 0569a0c99..5e386e1a4 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
@@ -2,6 +2,7 @@
 id: features_overview
 title: Premium Features Overview
 description: Comprehensive overview of all Premium features
+toc_max_heading_level: 2
 ---
 
 import { FeatureCard, HighlightCard } from '@site/src/components/premium-upgrade/feature-card';
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx
index c2afff66e..9b22c6003 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx
@@ -2,6 +2,7 @@
 id: optimal_setup
 title: Optimal Premium Upgrade Setup
 description: Best practices for setting up your Premium upgrade
+toc_max_heading_level: 2
 ---
 
 import { FeatureCard } from '@site/src/components/premium-upgrade/feature-card';
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx
index a8df1404d..e0d84929e 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx
@@ -2,6 +2,7 @@
 id: testing_premium
 title: Test Premium Value in Your Environment
 description: Practical ways to measure and experience Premium value during your trial
+toc_max_heading_level: 2
 ---
 
 import { FeatureCard, HighlightCard } from '@site/src/components/premium-upgrade/feature-card';

From 41c2556ab1c29c7fd0e75f7a24605bc627054a29 Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Mon, 23 Mar 2026 12:19:54 +0100
Subject: [PATCH 09/14] adjusting prmeium upgrade

---
 .../premium-upgrade/feature-card.tsx          | 14 +++++-
 .../unversioned/console/premium_upgrade.mdx   | 50 ++++++++++---------
 .../premium_upgrade/features_overview.mdx     |  2 +-
 3 files changed, 39 insertions(+), 27 deletions(-)

diff --git a/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx b/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
index 1ff453e96..11a85504c 100644
--- a/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
+++ b/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
@@ -2,6 +2,7 @@ import Link from "@docusaurus/Link";
 import React from "react";
 
 export interface FeatureCardProps {
+	id?: string;
 	title: string;
 	metric?: string;
 	description: string;
@@ -35,6 +36,7 @@ const categoryColors = {
 };
 
 export const FeatureCard = ({
+	id,
 	title,
 	metric,
 	description,
@@ -46,8 +48,12 @@ export const FeatureCard = ({
 }: FeatureCardProps): React.JSX.Element => {
 	const colors = categoryColors[category];
 
+	// Generate ID from title if not explicitly provided
+	const generatedId = id || title.toLowerCase().replace(/\s+/g, '-').replace(/[^\w-]/g, '');
+
 	const cardContent = (
 		<div
+			id={generatedId}
 			className={`
 				h-full border border-solid border-border rounded-lg p-5 bg-card
 				hover:shadow-md hover:border-primary/30 transition-all duration-200
@@ -103,6 +109,7 @@ export const FeatureCard = ({
 };
 
 export interface HighlightCardProps {
+	id?: string;
 	title: string;
 	description: string;
 	stats?: Array<{
@@ -113,9 +120,12 @@ export interface HighlightCardProps {
 	category?: "protection" | "scale" | "monitoring" | "intelligence";
 }
 
-export const HighlightCard = ({ title, description, stats, link, category = "protection" }: HighlightCardProps): React.JSX.Element => {
+export const HighlightCard = ({ id, title, description, stats, link, category = "protection" }: HighlightCardProps): React.JSX.Element => {
+	// Generate ID from title if not explicitly provided
+	const generatedId = id || title.toLowerCase().replace(/\s+/g, '-').replace(/[^\w-]/g, '');
+
 	const content = (
-		<div className="border border-solid border-primary/30 rounded-lg p-6 bg-gradient-to-r from-primary/5 to-transparent hover:shadow-md transition-all">
+		<div id={generatedId} className="border border-solid border-primary/30 rounded-lg p-6 bg-gradient-to-r from-primary/5 to-transparent hover:shadow-md transition-all">
 			<h4 className="font-semibold text-lg mb-2 text-gray-900 dark:text-gray-900">{title}</h4>
 			<p className="text-sm text-gray-600 dark:text-gray-700 mb-4 leading-relaxed">{description}</p>
 			{stats && stats.length > 0 && (
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade.mdx b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
index 867169a14..fd7c91bbf 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
@@ -16,8 +16,8 @@ export const personaOptions = [
 		value: "devops",
 		icon: "⚙️",
 		label: "DevOps / SRE",
-		description: "Managing infrastructure solo or in small teams, focused on reducing noise and blocking more threats.",
-		tag: "Solo · SME"
+		description: "Managing solo-infra or in small teams, focused on reducing noise and blocking more threats.",
+		tag: "Solo · SMB"
 	},
 	{
 		value: "secops",
@@ -37,11 +37,13 @@ export const personaOptions = [
 
 <div style={{marginBottom: '2rem'}}>
 
-# Find Premium Features **Made for You**
+## Find Premium Features **Made for You**
 
-CrowdSec Premium features are designed for users who have **commercial usage** of the Console or organizations that want to **enhance the security posture** of their infrastructure. Premium unlocks advanced capabilities based on your role.
+**Premium** is designed if you're seeking **enhanced protection** or want to unlock **commercial use** with advanced features.  
+**Community** covers the basics, **Premium** scales with your projects' needs.
 
-**Select your profile below** to see only the features that matter most to you.
+**Select your profile below** to see only the features that matter most to you.   
+*Or directly browse all premium features in the [**Features Overview**](/u/console/premium_upgrade/features_overview).*
 
 </div>
 
@@ -53,13 +55,13 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 >
 <TabItem value="devops">
 
-## Solo or Small Team Infrastructure Management
+### Solo or Small Team Infrastructure Management
 
 **Best for:** Individual engineers or small teams managing infrastructure, focused on reducing noise and blocking more threats efficiently.
 
 ---
 
-### 🛡️ Enhanced Protection
+#### 🛡️ Enhanced Protection
 
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
@@ -67,12 +69,12 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 	title="Extended Community Blocklist"
 	metric="3k → 50k IPs"
 	category="protection"
-	description="Receive the top 50,000 most aggressive attackers targeting services like yours (up from 3,000 in Community). More attackers blocked before they reach your servers."
+	description="Receive the top 50k most aggressive attackers targeting services like yours (up from 3,000 in Community). More attackers blocked before they reach your servers."
 	comparison={{
 		before: "Community: top 3k",
 		after: "Premium: top 50k (×16)"
 	}}
-	link="/u/console/blocklists/intro"
+	link="/docs/central_api/community_blocklist/#community-blocklist-premium"
 />
 
 <FeatureCard
@@ -115,7 +117,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 ---
 
-### ⚡ Automation & Sync
+#### ⚡ Automation & Sync
 
 <HighlightCard
 	title="Remediation Sync"
@@ -143,7 +145,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 ---
 
-### 📊 Monitoring
+#### 📊 Monitoring
 
 <FeatureCard
 	title="Am I Under Attack"
@@ -155,7 +157,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 ---
 
-### 💡 Why Premium for DevOps/SRE?
+#### 💡 Why Premium for DevOps/SRE?
 
 - **Less noise, more signal**: Filter out scanner noise and focus on real threats
 - **Automation-first**: Sync decisions automatically, enroll engines without manual steps
@@ -166,13 +168,13 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 <TabItem value="secops" label="🛡️ SecOps / Blue Team">
 
-## Team Collaboration & Investigation
+### Team Collaboration & Investigation
 
 **Best for:** Security teams that need to collaborate, investigate incidents, and maintain data retention for compliance and audits.
 
 ---
 
-### 👥 Team Collaboration
+#### 👥 Team Collaboration
 
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
@@ -204,7 +206,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 ---
 
-### 🔍 Investigation & Forensics
+#### 🔍 Investigation & Forensics
 
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
@@ -255,7 +257,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 ---
 
-### 🔔 Monitoring & Alerting
+#### 🔔 Monitoring & Alerting
 
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
@@ -283,7 +285,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 ---
 
-### 🛡️ Enhanced Protection
+#### 🛡️ Enhanced Protection
 
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
@@ -315,7 +317,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 ---
 
-### 💡 Why Premium for SecOps/Blue Team?
+#### 💡 Why Premium for SecOps/Blue Team?
 
 - **Team collaboration**: Multiple seats with role-based access
 - **Long-term retention**: 1 year of alerts for compliance and forensics
@@ -326,13 +328,13 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 <TabItem value="msp" label="🏢 MSP / Integrator">
 
-## Multi-Tenant Management & Automation
+### Multi-Tenant Management & Automation
 
 **Best for:** MSPs and integrators managing security for multiple clients, requiring isolation, automation, and API-driven workflows.
 
 ---
 
-### 🏗️ Multi-Tenancy & Isolation
+#### 🏗️ Multi-Tenancy & Isolation
 
 <HighlightCard
 	title="Multi-Organization"
@@ -346,7 +348,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 ---
 
-### 🤖 Automation & API
+#### 🤖 Automation & API
 
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
@@ -394,7 +396,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 ---
 
-### 👥 Team & Client Management
+#### 👥 Team & Client Management
 
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
@@ -418,7 +420,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 ---
 
-### 🛡️ Protection at Scale
+#### 🛡️ Protection at Scale
 
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
@@ -457,7 +459,7 @@ CrowdSec Premium features are designed for users who have **commercial usage** o
 
 ---
 
-### 💡 Why Premium for MSPs?
+#### 💡 Why Premium for MSPs?
 
 - **Multi-tenant architecture**: Complete client isolation with unlimited organizations
 - **API-first**: Full Service API for automation and integration
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
index 5e386e1a4..3c60e01f7 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
@@ -122,7 +122,7 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 		before: "Community: top 3k",
 		after: "Premium: top 50k (×16)"
 	}}
-	link="/u/console/blocklists/intro"
+	link="/docs/central_api/community_blocklist/#community-blocklist-lite"
 />
 
 <FeatureCard

From f0eef9993587986bb32bb27594f4d9c9e68d6a64 Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Mon, 23 Mar 2026 15:11:43 +0100
Subject: [PATCH 10/14] uniformisation of metric tag

---
 .../unversioned/console/premium_upgrade.mdx   | 49 ++++++++++---------
 .../premium_upgrade/features_overview.mdx     | 38 +++++++-------
 2 files changed, 44 insertions(+), 43 deletions(-)

diff --git a/crowdsec-docs/unversioned/console/premium_upgrade.mdx b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
index fd7c91bbf..6867d50cf 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
@@ -66,10 +66,10 @@ export const personaOptions = [
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
 <FeatureCard
-	title="Extended Community Blocklist"
+	title="Expanded Community Blocklist Coverage"
 	metric="3k → 50k IPs"
 	category="protection"
-	description="Receive the top 50k most aggressive attackers targeting services like yours (up from 3,000 in Community). More attackers blocked before they reach your servers."
+	description="Receive the top 50k most aggressive attackers targeting services like yours (up from 3k in Community). More attackers blocked before they reach your servers."
 	comparison={{
 		before: "Community: top 3k",
 		after: "Premium: top 50k (×16)"
@@ -78,8 +78,8 @@ export const personaOptions = [
 />
 
 <FeatureCard
-	title="Threat Forecast Blocklist"
-	metric="Organization-specific"
+	title="Threat Forecast Blocklists"
+	metric="Up to 40% more blocks"
 	category="protection"
 	description="Automatically generated blocklists from signals shared by your organization. More precise than community lists—tailored to your specific infrastructure."
 	comparison={{
@@ -91,7 +91,7 @@ export const personaOptions = [
 
 <FeatureCard
 	title="Background Noise Filtering"
-	metric="−75% to −92% noise"
+	metric="~80% noise reduction"
 	category="protection"
 	description="Automatically filter internet background radiation (mass scanners, crawlers) to focus on real threats. Configurable levels: Low, Medium, High."
 	comparison={{
@@ -121,6 +121,7 @@ export const personaOptions = [
 
 <HighlightCard
 	title="Remediation Sync"
+	metric="Streamlined"
 	category="protection"
 	description="Automatically sync security decisions to all Security Engines and integrations. One blocklist update propagates everywhere—zero manual work."
 	stats={[
@@ -133,7 +134,7 @@ export const personaOptions = [
 <div className="mt-4">
 <FeatureCard
 	title="Auto Enroll"
-	metric="Zero-touch"
+	metric="Streamlined"
 	category="scale"
 	description="Automatically enroll new Security Engines into your organization as they're deployed. Perfect for infrastructure-as-code (Terraform, Ansible, K8s)."
 	comparison={{
@@ -179,7 +180,7 @@ export const personaOptions = [
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
 <FeatureCard
-	title="Multi-Seat Access"
+	title="Expanded Organization Seats"
 	metric="3 seats included"
 	category="scale"
 	description="Give view/edit/admin access to your team. Multiple members work simultaneously without access conflicts. Add more seats as needed."
@@ -211,7 +212,7 @@ export const personaOptions = [
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
 <FeatureCard
-	title="Extended Alert Retention"
+	title="Increased Alert Quotas and Extended Retention"
 	metric="2 months → 1 year"
 	category="monitoring"
 	description="Keep up to 1 year of alerts with custom quotas (up to millions/month). Essential for audits, forensic investigation, and trend analysis."
@@ -235,19 +236,19 @@ export const personaOptions = [
 
 <FeatureCard
 	title="CTI API Access"
-	metric="30 → 100 calls/week"
+	metric="40 → 120 calls/month"
 	category="intelligence"
 	description="Query CrowdSec IP reputation from your SIEM, SOAR or custom tools. Includes MITRE ATT&CK mappings for contextual threat qualification."
 	comparison={{
-		before: "Community: 30 calls/week",
-		after: "Premium: 100 calls/week"
+		before: "Community: 40 calls/month",
+		after: "Premium: 120 calls/month"
 	}}
 	link="/u/cti_api/api_integration/integration_intro"
 />
 
 <FeatureCard
 	title="Background Noise Filtering"
-	metric="Focus on real threats"
+	metric="~80% noise reduction"
 	category="monitoring"
 	description="Filter internet background radiation automatically. Configurable levels (Low, Medium, High) to match security requirements."
 	link="/u/console/alerts/background_noise"
@@ -271,7 +272,7 @@ export const personaOptions = [
 
 <FeatureCard
 	title="Push Notifications Integrations"
-	metric="Slack · PagerDuty"
+	metric="Messaging & Webhooks"
 	category="monitoring"
 	description="Receive alerts in existing tools when Security Engines go offline or become outdated. Native integrations with major SecOps tools."
 	comparison={{
@@ -290,7 +291,7 @@ export const personaOptions = [
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
 <FeatureCard
-	title="Extended Community Blocklist"
+	title="Expanded Community Blocklist Coverage"
 	metric="3k → 50k IPs"
 	category="protection"
 	description="Top 50,000 most aggressive attackers (up from 3,000 in Community)."
@@ -298,8 +299,8 @@ export const personaOptions = [
 />
 
 <FeatureCard
-	title="Threat Forecast Blocklist"
-	metric="Organization-specific"
+	title="Threat Forecast Blocklists"
+	metric="Up to 40% more blocks"
 	category="protection"
 	description="Automatically generated blocklists from your organization's shared signals."
 	link="/u/console/threat_forecast"
@@ -307,7 +308,7 @@ export const personaOptions = [
 
 <FeatureCard
 	title="Remediation Sync"
-	metric="Automatic"
+	metric="Streamlined"
 	category="protection"
 	description="Sync security decisions across all engines and integrations automatically."
 	link="/u/console/remediation_sync"
@@ -367,7 +368,7 @@ export const personaOptions = [
 
 <FeatureCard
 	title="Auto Enroll"
-	metric="Zero-touch"
+	metric="Streamlined"
 	category="scale"
 	description="Automatically enroll new Security Engines into your organization as deployed. Perfect for infrastructure-as-code deployments (Terraform, Ansible, K8s)."
 	comparison={{
@@ -386,7 +387,7 @@ export const personaOptions = [
 
 <FeatureCard
 	title="Remediation Sync"
-	metric="Automatic"
+	metric="Streamlined"
 	category="protection"
 	description="Sync security decisions across all client engines and integrations automatically."
 	link="/u/console/remediation_sync"
@@ -401,7 +402,7 @@ export const personaOptions = [
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
 <FeatureCard
-	title="Multi-Seat Access"
+	title="Expanded Organization Seats"
 	metric="3 seats included"
 	category="scale"
 	description="Provide view/edit/admin access to team members or clients. Add seats as your business grows."
@@ -425,7 +426,7 @@ export const personaOptions = [
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
 <FeatureCard
-	title="Extended Community Blocklist"
+	title="Expanded Community Blocklist Coverage"
 	metric="3k → 50k IPs"
 	category="protection"
 	description="Access to 50,000 most aggressive IPs (vs 3,000 in Community)."
@@ -440,8 +441,8 @@ export const personaOptions = [
 />
 
 <FeatureCard
-	title="Threat Forecast Blocklist"
-	metric="Per organization"
+	title="Threat Forecast Blocklists"
+	metric="Up to 40% more blocks"
 	category="protection"
 	description="Each organization gets tailored blocklists from their shared signals."
 	link="/u/console/threat_forecast"
@@ -449,7 +450,7 @@ export const personaOptions = [
 
 <FeatureCard
 	title="Background Noise Filtering"
-	metric="Reduce fatigue"
+	metric="~80% noise reduction"
 	category="monitoring"
 	description="Filter internet noise automatically across all client organizations."
 	link="/u/console/alerts/background_noise"
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
index 3c60e01f7..aba1fd66d 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
@@ -18,11 +18,11 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 
 <FeatureCard
 	title="Remediation Sync"
-	metric="Automatic"
+	metric="Streamlined"
 	category="scale"
 	description="Automatically synchronize security decisions across your entire organization. Syncs to all Security Engines and Blocklists Integration endpoints, ensuring consistent protection across your infrastructure."
 	comparison={{
-		before: "Community: manual sync",
+		before: "Community: no sync",
 		after: "Premium: automatic sync"
 	}}
 	link="/u/console/remediation_sync"
@@ -30,7 +30,7 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 
 <FeatureCard
 	title="Console Decision Management"
-	metric="Centralized"
+	metric="Organization-wide"
 	category="scale"
 	description="Add, delete, and manage security decisions directly from the Console. Force pull blocklists when subscribing or unsubscribing, giving you complete control over your security posture from a central interface."
 	link="/u/console/decisions/decisions_management"
@@ -50,7 +50,7 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 
 <FeatureCard
 	title="Service API (SAPI)"
-	metric="REST + webhooks"
+	metric="Automation-enabler"
 	category="scale"
 	badges={["API"]}
 	description="Access APIs for console management. Automate blocklist creation, decision management, and enrollment operations via API."
@@ -63,7 +63,7 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 
 <FeatureCard
 	title="Blocklist Creation & Sharing"
-	metric="Custom via API"
+	metric="Automation-enabler"
 	category="scale"
 	badges={["API"]}
 	description="Distribute custom blocklists across multiple organizations or partners, enabling coordinated security operations across your business ecosystem."
@@ -72,7 +72,7 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 
 <FeatureCard
 	title="Auto Enroll"
-	metric="Zero-touch"
+	metric="Streamlined"
 	category="scale"
 	description="Automatically enroll new security engines into your organization for streamlined deployment and management. Perfect for infrastructure-as-code deployments."
 	comparison={{
@@ -83,12 +83,12 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 
 <FeatureCard
 	title="Expanded Organization Seats"
-	metric="3 seats included"
+	metric="5 seats included"
 	category="scale"
 	description="Provide view/edit/admin access to your customers or collaborate with team members by adding more seats to your organization. Base Premium plan includes 3 seats, with options to add more."
 	comparison={{
 		before: "Community: 1 user only",
-		after: "Premium: full team (3+)"
+		after: "Premium: full team (5+)"
 	}}
 	link="/u/console/organizations/intro"
 />
@@ -102,8 +102,8 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
 <FeatureCard
-	title="Threat Forecast Blocklists"
-	metric="Organization-specific"
+	title="Threat Forecast Blocklist"
+	metric="Up to 40% more blocks"
 	category="protection"
 	description="Access exclusive, organization-specific blocklists generated from the signals your organization shares with CrowdSec. These blocklists are more precise than community blocklists and provide tailored protection for your infrastructure."
 	comparison={{
@@ -126,7 +126,7 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 />
 
 <FeatureCard
-	title="Premium Tier Blocklist Access"
+	title="Premium Tier Blocklists Access"
 	metric="Curated lists"
 	category="protection"
 	description="Get access to our Premium tier blocklists, providing enhanced protection with curated specialized blocklists tailored for different attack vectors."
@@ -163,7 +163,7 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 
 <FeatureCard
 	title="Push Notifications Integrations"
-	metric="Slack · PagerDuty"
+	metric="Messaging & Webhooks"
 	category="monitoring"
 	description="Receive alerts when security engines go offline or become outdated, ensuring your security infrastructure remains operational. Native integrations with major SecOps tools."
 	comparison={{
@@ -180,16 +180,16 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 	description="Upgrade from the Community Plan's 500 alerts per month and 2-month retention to custom quotas (up to several million alerts) and up to 1 year of retention. This enables comprehensive monitoring of large-scale infrastructures and long-term security analysis."
 	comparison={{
 		before: "Community: 500/month, 2 months",
-		after: "Premium: millions/month, 365 days"
+		after: "Premium: 10k/SE/month, 365 days"
 	}}
 	link="/u/console/alerts/quotas#why-upgrade-to-premium-"
 />
 
 <FeatureCard
 	title="Background Noise Filtering"
-	metric="−75% to −92% noise"
+	metric="~80% noise reduction"
 	category="monitoring"
-	description="Automatically filter out internet background radiation and mass scanning activity to focus on genuine threats. Customize noise cancellation levels (Low, Medium, High) to match your security requirements."
+	description="Automatically filter out internet background radiation and mass scanning activity from your alert board to focus on genuine threats. Customize noise cancellation levels (Low, Medium, High) to match your security requirements."
 	comparison={{
 		before: "Community: all signals",
 		after: "Premium: real threats only"
@@ -210,13 +210,13 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 
 <FeatureCard
 	title="CTI API Access"
-	metric="30 → 100 calls/week"
+	metric="40 → 120 calls/month"
 	category="intelligence"
 	badges={["API"]}
-	description="Leverage CrowdSec IP reputation data into your vendors. Get 100 CTI API calls per week (compared to 30 in Community) for integration with SIEM, SOAR, and other security tools."
+	description="Leverage CrowdSec IP reputation data into your vendors. Get 120 CTI API calls per month (compared to 40 in Community) for integration with SIEM, SOAR, and other security tools."
 	comparison={{
-		before: "Community: 30 calls/week",
-		after: "Premium: 100 calls/week"
+		before: "Community: 40 calls/month",
+		after: "Premium: 120 calls/month"
 	}}
 	link="/u/cti_api/api_integration/integration_intro"
 />

From 04acf6b1a28278667f1c5d53f352afe8edf252de Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Mon, 23 Mar 2026 15:30:15 +0100
Subject: [PATCH 11/14] uniformisation of feature cards

---
 .../unversioned/console/premium_upgrade.mdx   | 26 +++++++++----------
 .../premium_upgrade/features_overview.mdx     | 10 +++----
 .../console/premium_upgrade/optimal_setup.mdx |  4 +--
 .../premium_upgrade/testing_premium.mdx       |  2 +-
 .../unversioned/console/threat_forecast.mdx   |  2 +-
 5 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/crowdsec-docs/unversioned/console/premium_upgrade.mdx b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
index 6867d50cf..3e489e9ea 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
@@ -78,10 +78,10 @@ export const personaOptions = [
 />
 
 <FeatureCard
-	title="Threat Forecast Blocklists"
+	title="Threat Forecast Blocklist"
 	metric="Up to 40% more blocks"
 	category="protection"
-	description="Automatically generated blocklists from signals shared by your organization. More precise than community lists—tailored to your specific infrastructure."
+	description="Automatically generated blocklist from signals shared by your organization. Complements the community blocklist for extra protection tailored to your infrastructure."
 	comparison={{
 		before: "Community: generic list",
 		after: "Premium: org-specific"
@@ -91,9 +91,9 @@ export const personaOptions = [
 
 <FeatureCard
 	title="Background Noise Filtering"
-	metric="~80% noise reduction"
+	metric="60~90% noise reduction"
 	category="protection"
-	description="Automatically filter internet background radiation (mass scanners, crawlers) to focus on real threats. Configurable levels: Low, Medium, High."
+	description="Filter out background noise from your alert board (mass scanners, crawlers) to focus on real threats. Configurable levels: Low, Medium, High."
 	comparison={{
 		before: "Community: all signals",
 		after: "Premium: real threats only"
@@ -248,7 +248,7 @@ export const personaOptions = [
 
 <FeatureCard
 	title="Background Noise Filtering"
-	metric="~80% noise reduction"
+	metric="60~90% noise reduction"
 	category="monitoring"
 	description="Filter internet background radiation automatically. Configurable levels (Low, Medium, High) to match security requirements."
 	link="/u/console/alerts/background_noise"
@@ -294,15 +294,15 @@ export const personaOptions = [
 	title="Expanded Community Blocklist Coverage"
 	metric="3k → 50k IPs"
 	category="protection"
-	description="Top 50,000 most aggressive attackers (up from 3,000 in Community)."
+	description="Top 50k most aggressive attackers (up from 3,000 in Community)."
 	link="/u/console/blocklists/intro"
 />
 
 <FeatureCard
-	title="Threat Forecast Blocklists"
+	title="Threat Forecast Blocklist"
 	metric="Up to 40% more blocks"
 	category="protection"
-	description="Automatically generated blocklists from your organization's shared signals."
+	description="Automatically generated blocklist from signals shared by your organization. Complements the community blocklist for extra protection tailored to your infrastructure."
 	link="/u/console/threat_forecast"
 />
 
@@ -429,7 +429,7 @@ export const personaOptions = [
 	title="Expanded Community Blocklist Coverage"
 	metric="3k → 50k IPs"
 	category="protection"
-	description="Access to 50,000 most aggressive IPs (vs 3,000 in Community)."
+	description="Access to 50k most aggressive IPs (vs 3k in Community)."
 	link="/u/console/blocklists/intro"
 />
 
@@ -441,16 +441,16 @@ export const personaOptions = [
 />
 
 <FeatureCard
-	title="Threat Forecast Blocklists"
+	title="Threat Forecast Blocklist"
 	metric="Up to 40% more blocks"
 	category="protection"
-	description="Each organization gets tailored blocklists from their shared signals."
+	description="Automatically generated blocklist from signals shared by your organization. Complements the community blocklist for extra protection tailored to your infrastructure."
 	link="/u/console/threat_forecast"
 />
 
 <FeatureCard
 	title="Background Noise Filtering"
-	metric="~80% noise reduction"
+	metric="60~90% noise reduction"
 	category="monitoring"
 	description="Filter internet noise automatically across all client organizations."
 	link="/u/console/alerts/background_noise"
@@ -476,7 +476,7 @@ export const personaOptions = [
 
 | Feature | Community | Premium |
 |---------|-----------|---------|
-| **Community Blocklist** | Top 3,000 IPs | Top 50,000 IPs |
+| **Community Blocklist** | Top 3k IPs | Top 50k IPs |
 | **Blocklist Subscriptions** | 3 max | Unlimited |
 | **Alerts per Month** | 500 | Up to millions |
 | **Alert Retention** | 2 months | 12 months |
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
index aba1fd66d..cb4fd9e46 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/features_overview.mdx
@@ -105,10 +105,10 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 	title="Threat Forecast Blocklist"
 	metric="Up to 40% more blocks"
 	category="protection"
-	description="Access exclusive, organization-specific blocklists generated from the signals your organization shares with CrowdSec. These blocklists are more precise than community blocklists and provide tailored protection for your infrastructure."
+	description="Access exclusive, organization-specific blocklist generated from the signals your organization shares with CrowdSec. Complements the community blocklist for extra protection tailored to your infrastructure."
 	comparison={{
-		before: "Community: generic list",
-		after: "Premium: org-specific"
+		before: "Community: unavailable",
+		after: "Premium: signals-based blocklist"
 	}}
 	link="/u/console/threat_forecast"
 />
@@ -117,7 +117,7 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 	title="Expanded Community Blocklist Coverage"
 	metric="3k → 50k IPs"
 	category="protection"
-	description="Unlock the premium Community Blocklist as a network participant. Receive up to 50,000 of the most aggressive attackers targeting similar services as yours (up from top 3k in Community)."
+	description="Unlock the premium Community Blocklist as a network participant. Receive up to 50k of the most aggressive attackers targeting similar services as yours (up from top 3k in Community)."
 	comparison={{
 		before: "Community: top 3k",
 		after: "Premium: top 50k (×16)"
@@ -187,7 +187,7 @@ Make the best use of the premium features for your needs in: **Scaling, Multi-te
 
 <FeatureCard
 	title="Background Noise Filtering"
-	metric="~80% noise reduction"
+	metric="60~90% noise reduction"
 	category="monitoring"
 	description="Automatically filter out internet background radiation and mass scanning activity from your alert board to focus on genuine threats. Customize noise cancellation levels (Low, Medium, High) to match your security requirements."
 	comparison={{
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx
index 9b22c6003..df430001c 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/optimal_setup.mdx
@@ -35,7 +35,7 @@ Most teams have a mix of environments with different security requirements:
 - Higher alert quotas (millions/month)
 - Organization-wide blocklists
 - CTI API access for SIEM integration
-- Threat Forecast blocklists
+- Threat Forecast Blocklist
 - Multi-seat team access
 
 </div>
@@ -48,7 +48,7 @@ Most teams have a mix of environments with different security requirements:
 
 - Basic alert monitoring (500/month)
 - Short retention (2 months)
-- Community blocklists (3k IPs)
+- Community blocklist (3k IPs)
 - Individual engine management
 - Single-user access
 
diff --git a/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx b/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx
index e0d84929e..a6ba3a2a4 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade/testing_premium.mdx
@@ -79,7 +79,7 @@ Cleaner logs, reduced alert fatigue, fewer false positives
 	description="Enable Background Noise Filtering (Low/Medium/High) and compare your alert dashboard before/after. You should see 75-92% fewer scanner and crawler alerts within 24 hours."
 	stats={[
 		{ value: "24h", label: "to see results" },
-		{ value: "75-92%", label: "noise reduction" }
+		{ value: "60~90%", label: "noise reduction" }
 	]}
 	link="/u/console/alerts/background_noise"
 />
diff --git a/crowdsec-docs/unversioned/console/threat_forecast.mdx b/crowdsec-docs/unversioned/console/threat_forecast.mdx
index dd109a774..e4d78b10a 100644
--- a/crowdsec-docs/unversioned/console/threat_forecast.mdx
+++ b/crowdsec-docs/unversioned/console/threat_forecast.mdx
@@ -15,7 +15,7 @@ It provides an additional layer of security on top of the community blocklist. I
 
 ## Enabling the Threat Forecast
 
-The Threat Forecast is automatically enabled after a plan upgrade. Similar to the community blocklist, the Threat Forecast blocklist is also automatically pushed to all your security engines. Users that want more finegrained control over their subscription can manage the blocklist under the blocklist tab in their console. For more detail, check the [blocklist page](/console/blocklists/subscription.md).
+The Threat Forecast is automatically enabled after a plan upgrade. Similar to the community blocklist, the Threat Forecast Blocklist is also automatically pushed to all your security engines. Users that want more finegrained control over their subscription can manage the blocklist under the blocklist tab in their console. For more detail, check the [blocklist page](/console/blocklists/subscription.md).
 
 ## Disabling the Threat Forecast
 

From 0daf9965ea5818b7ba76977aaa8890b9897884b0 Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Mon, 23 Mar 2026 17:14:54 +0100
Subject: [PATCH 12/14] more reco for secops

---
 .../unversioned/console/premium_upgrade.mdx   | 41 ++++++++++++++-----
 1 file changed, 31 insertions(+), 10 deletions(-)

diff --git a/crowdsec-docs/unversioned/console/premium_upgrade.mdx b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
index 3e489e9ea..a1ba2aaa4 100644
--- a/crowdsec-docs/unversioned/console/premium_upgrade.mdx
+++ b/crowdsec-docs/unversioned/console/premium_upgrade.mdx
@@ -83,8 +83,8 @@ export const personaOptions = [
 	category="protection"
 	description="Automatically generated blocklist from signals shared by your organization. Complements the community blocklist for extra protection tailored to your infrastructure."
 	comparison={{
-		before: "Community: generic list",
-		after: "Premium: org-specific"
+		before: "Community: unavailable",
+		after: "Premium: tailor-made blocklist"
 	}}
 	link="/u/console/threat_forecast"
 />
@@ -175,7 +175,7 @@ export const personaOptions = [
 
 ---
 
-#### 👥 Team Collaboration
+#### 👥 Team Collaboration & Access Control
 
 <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
 
@@ -203,6 +203,27 @@ export const personaOptions = [
 	link="/u/console/allowlists"
 />
 
+<FeatureCard
+	title="Blocklist Creation & Sharing"
+	metric="Custom via API"
+	category="scale"
+	description="Create and distribute custom blocklists across multiple organizations or partners. Enable coordinated security operations across your ecosystem."
+	link="/u/console/service_api/blocklists"
+/>
+
+<FeatureCard
+	title="Service API (SAPI)"
+	metric="REST + webhooks"
+	category="scale"
+	badges={["API"]}
+	description="Automate Console management: create and share custom blocklists, manage decisions and enrollments via API. Integrate into CI/CD or SOAR pipelines."
+	comparison={{
+		before: "Community: no API access",
+		after: "Premium: full SAPI"
+	}}
+	link="/u/console/service_api/getting_started"
+/>
+
 </div>
 
 ---
@@ -484,10 +505,10 @@ export const personaOptions = [
 | **Background Noise Filter** | ✗ | ✓ |
 | **Am I Under Attack** | ✗ | ✓ |
 | **Threat Forecast Blocklist** | ✗ | ✓ |
-| **Organization Seats** | 1 | 3 included + more |
-| **CTI API Lookups/Week** | 30 | 100 |
+| **Organization Seats** | 1 | 5 included + more |
+| **CTI API Lookups/Week** | 30 | 100 + more |
 | **Service API (SAPI)** | ✗ | ✓ |
-| **Multi-Organization (MSP)** | ✗ | ✓ (option) |
+| **Multi-Organization (MSP)** | ✗ | ✓ |
 
 ---
 
@@ -507,7 +528,7 @@ Review available plans and pricing based on your volume and requirements.
 
 ### 2️⃣ Upgrade or Contact
 
-Upgrade self-service in minutes, or contact our team for custom plans (enterprise, MSP, volume).
+[Upgrade self-service](https://app.crowdsec.net/pricing) with 30 days free trial, or contact our team for custom plans (enterprise, MSP, volume).
 
 </div>
 
@@ -515,7 +536,7 @@ Upgrade self-service in minutes, or contact our team for custom plans (enterpris
 
 ### 3️⃣ Immediate Access
 
-All Premium features available instantly in your organization. No migration required.
+Premium features available instantly in your organization. No migration required.
 
 </div>
 
@@ -529,7 +550,7 @@ All Premium features available instantly in your organization. No migration requ
 
 ### Start with a trial or discuss your needs with our team
 
-No immediate commitment required. All Premium features available instantly upon upgrade.
+No immediate commitment required. Premium features available instantly upon upgrade.
 
 <div style={{display: 'flex', gap: '1rem', marginTop: '1.5rem', flexWrap: 'wrap'}}>
 	<a href="https://app.crowdsec.net/pricing" className="button button--primary button--lg">View Pricing →</a>
@@ -540,7 +561,7 @@ No immediate commitment required. All Premium features available instantly upon
 
 ---
 
-## Getting Started with Premium
+## Need more help deciding?
 
 To help you make the most of your Premium upgrade, explore these guides:
 

From 6a6334ae2d21185e89ec51f15d7c5383bbcf2df2 Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Tue, 7 Apr 2026 15:03:51 +0200
Subject: [PATCH 13/14] fixed biom warning

---
 .../premium-upgrade/feature-card.tsx          | 31 +++++++++++--------
 .../src/components/premium-upgrade/index.ts   | 11 +++----
 .../premium-upgrade/tabs-with-persona.tsx     |  4 +--
 crowdsec-docs/src/css/premium-upgrade.css     |  2 +-
 4 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx b/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
index 11a85504c..dc08ed792 100644
--- a/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
+++ b/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
@@ -49,7 +49,12 @@ export const FeatureCard = ({
 	const colors = categoryColors[category];
 
 	// Generate ID from title if not explicitly provided
-	const generatedId = id || title.toLowerCase().replace(/\s+/g, '-').replace(/[^\w-]/g, '');
+	const generatedId =
+		id ||
+		title
+			.toLowerCase()
+			.replace(/\s+/g, "-")
+			.replace(/[^\w-]/g, "");
 
 	const cardContent = (
 		<div
@@ -89,11 +94,7 @@ export const FeatureCard = ({
 					<span className="font-semibold text-primary">{comparison.after}</span>
 				</div>
 			)}
-			{link && (
-				<div className="mt-3 text-sm font-medium text-primary hover:underline">
-					Learn more →
-				</div>
-			)}
+			{link && <div className="mt-3 text-sm font-medium text-primary hover:underline">Learn more →</div>}
 		</div>
 	);
 
@@ -122,10 +123,18 @@ export interface HighlightCardProps {
 
 export const HighlightCard = ({ id, title, description, stats, link, category = "protection" }: HighlightCardProps): React.JSX.Element => {
 	// Generate ID from title if not explicitly provided
-	const generatedId = id || title.toLowerCase().replace(/\s+/g, '-').replace(/[^\w-]/g, '');
+	const generatedId =
+		id ||
+		title
+			.toLowerCase()
+			.replace(/\s+/g, "-")
+			.replace(/[^\w-]/g, "");
 
 	const content = (
-		<div id={generatedId} className="border border-solid border-primary/30 rounded-lg p-6 bg-gradient-to-r from-primary/5 to-transparent hover:shadow-md transition-all">
+		<div
+			id={generatedId}
+			className="border border-solid border-primary/30 rounded-lg p-6 bg-gradient-to-r from-primary/5 to-transparent hover:shadow-md transition-all"
+		>
 			<h4 className="font-semibold text-lg mb-2 text-gray-900 dark:text-gray-900">{title}</h4>
 			<p className="text-sm text-gray-600 dark:text-gray-700 mb-4 leading-relaxed">{description}</p>
 			{stats && stats.length > 0 && (
@@ -138,11 +147,7 @@ export const HighlightCard = ({ id, title, description, stats, link, category =
 					))}
 				</div>
 			)}
-			{link && (
-				<div className="mt-4 text-sm font-medium text-primary hover:underline">
-					Learn more →
-				</div>
-			)}
+			{link && <div className="mt-4 text-sm font-medium text-primary hover:underline">Learn more →</div>}
 		</div>
 	);
 
diff --git a/crowdsec-docs/src/components/premium-upgrade/index.ts b/crowdsec-docs/src/components/premium-upgrade/index.ts
index a8599e4c2..d1e65d0fa 100644
--- a/crowdsec-docs/src/components/premium-upgrade/index.ts
+++ b/crowdsec-docs/src/components/premium-upgrade/index.ts
@@ -1,11 +1,8 @@
-export { FeatureCard, HighlightCard } from "./feature-card";
 export type { FeatureCardProps, HighlightCardProps } from "./feature-card";
-
-export { PersonaSelector } from "./persona-selector";
+export { FeatureCard, HighlightCard } from "./feature-card";
 export type { PersonaOption as PersonaSelectorOption, PersonaSelectorProps } from "./persona-selector";
-
-export { PersonaTabsHeader } from "./persona-tabs";
+export { PersonaSelector } from "./persona-selector";
 export type { PersonaOption as PersonaTabsOption, PersonaTabsHeaderProps } from "./persona-tabs";
-
-export { TabsWithPersona } from "./tabs-with-persona";
+export { PersonaTabsHeader } from "./persona-tabs";
 export type { PersonaOption, TabsWithPersonaProps } from "./tabs-with-persona";
+export { TabsWithPersona } from "./tabs-with-persona";
diff --git a/crowdsec-docs/src/components/premium-upgrade/tabs-with-persona.tsx b/crowdsec-docs/src/components/premium-upgrade/tabs-with-persona.tsx
index 656254628..83e70c648 100644
--- a/crowdsec-docs/src/components/premium-upgrade/tabs-with-persona.tsx
+++ b/crowdsec-docs/src/components/premium-upgrade/tabs-with-persona.tsx
@@ -1,7 +1,7 @@
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
-import React, { useState } from "react";
+import Tabs from "@theme/Tabs";
 import type { ReactElement } from "react";
+import React, { useState } from "react";
 
 export interface PersonaOption {
 	value: string;
diff --git a/crowdsec-docs/src/css/premium-upgrade.css b/crowdsec-docs/src/css/premium-upgrade.css
index 6b8fc87df..5d8ccd3e3 100644
--- a/crowdsec-docs/src/css/premium-upgrade.css
+++ b/crowdsec-docs/src/css/premium-upgrade.css
@@ -57,7 +57,7 @@
 }
 
 .feature-card-highlight::before {
-	content: '';
+	content: "";
 	position: absolute;
 	top: 0;
 	left: 0;

From 6d7cba6e9415cff239022d75c5d1a35b8a8f1ea9 Mon Sep 17 00:00:00 2001
From: jdv <julien@crowdsec.net>
Date: Tue, 7 Apr 2026 15:28:37 +0200
Subject: [PATCH 14/14] code quality pass

---
 .../src/components/premium-upgrade/feature-card.tsx         | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx b/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
index dc08ed792..a0f2c330c 100644
--- a/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
+++ b/crowdsec-docs/src/components/premium-upgrade/feature-card.tsx
@@ -121,7 +121,7 @@ export interface HighlightCardProps {
 	category?: "protection" | "scale" | "monitoring" | "intelligence";
 }
 
-export const HighlightCard = ({ id, title, description, stats, link, category = "protection" }: HighlightCardProps): React.JSX.Element => {
+export const HighlightCard = ({ id, title, description, stats, link }: HighlightCardProps): React.JSX.Element => {
 	// Generate ID from title if not explicitly provided
 	const generatedId =
 		id ||
@@ -139,8 +139,8 @@ export const HighlightCard = ({ id, title, description, stats, link, category =
 			<p className="text-sm text-gray-600 dark:text-gray-700 mb-4 leading-relaxed">{description}</p>
 			{stats && stats.length > 0 && (
 				<div className="flex gap-8 mt-4">
-					{stats.map((stat, idx) => (
-						<div key={idx} className="text-center">
+					{stats.map((stat) => (
+						<div key={`${stat.value}-${stat.label}`} className="text-center">
 							<div className="text-3xl font-bold text-primary">{stat.value}</div>
 							<div className="text-xs text-gray-500 dark:text-gray-600 mt-1">{stat.label}</div>
 						</div>