diff --git a/modules/kubernetes/crowdsec/main.tf b/modules/kubernetes/crowdsec/main.tf
index a06fa429..ae859c53 100644
--- a/modules/kubernetes/crowdsec/main.tf
+++ b/modules/kubernetes/crowdsec/main.tf
@@ -64,6 +64,28 @@ resource "kubernetes_config_map" "crowdsec_custom_scenarios" {
 }
 }
+# Whitelist for trusted IPs that should never be blocked
+resource "kubernetes_config_map" "crowdsec_whitelist" {
+ metadata {
+ name = "crowdsec-whitelist"
+ namespace = kubernetes_namespace.crowdsec.metadata[0].name
+ labels = {
+ "app.kubernetes.io/name" = "crowdsec"
+ }
+ }
+
+ data = {
+ "whitelist.yaml" = <<-YAML
+ name: crowdsecurity/whitelist-trusted-ips
+ description: "Whitelist for trusted IPs that should never be blocked"
+ whitelist:
+ reason: "Trusted IP - never block"
+ ip:
+ - "176.12.22.76"
+ YAML
+ }
+}
+
 resource "helm_release" "crowdsec" {
 namespace = kubernetes_namespace.crowdsec.metadata[0].name
diff --git a/modules/kubernetes/crowdsec/values.yaml b/modules/kubernetes/crowdsec/values.yaml
index f644d5f9..034d803a 100644
--- a/modules/kubernetes/crowdsec/values.yaml
+++ b/modules/kubernetes/crowdsec/values.yaml
@@ -31,10 +31,17 @@ agent:
 mountPath: /etc/crowdsec/scenarios/http-429-abuse.yaml
 subPath: "http-429-abuse.yaml"
 readonly: true
+ - name: whitelist
+ mountPath: /etc/crowdsec/parsers/s02-enrich/whitelist.yaml
+ subPath: "whitelist.yaml"
+ readonly: true
 extraVolumes:
 - name: custom-scenarios
 configMap:
 name: crowdsec-custom-scenarios
+ - name: whitelist
+ configMap:
+ name: crowdsec-whitelist
 lapi:
 replicas: 3
 extraSecrets:
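Review bot: The trusted address `176.12.22.76` is a literal inside the module's ConfigMap heredoc, so auditing or rotating the allow-list means editing module code rather than a reviewed input; prefer a `list(string)` module variable (e.g. `var.trusted_ips`, declared in the module's variables file outside this diff) rendered into the heredoc with `%{ for ip in var.trusted_ips ~}` / `- "${ip}"` / `%{ endfor ~}`. The comment above the resource should also say what the whitelist does and does not cover: a parser-stage whitelist stops the agent from raising alerts for these sources, but decisions pulled from the central API or external blocklists, if those are enabled, are presumably not filtered by it and would need a separate allow-list — `# Parser-stage whitelist: suppresses locally generated alerts only; remote decisions need their own allow-list`. Because whitelisted sources are exempt from every remediation profile, the list should stay limited to static addresses the operator controls.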
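Review bot: The new whitelist mount copies `readonly: true` from the existing custom-scenarios entry, but the Kubernetes volumeMounts field is spelled `readOnly`; if the chart passes `extraVolumeMounts` through to the pod spec unchanged, the lowercase key is an unknown field that the API server may drop or reject, leaving the whitelist (and the scenario files above it) mounted read-write. Change the added line to `readOnly: true` and fix the pre-existing entries in the same commit so the intended read-only mounts actually apply. Note also that, as with the existing `subPath` mounts, a `subPath` projection of a ConfigMap is not refreshed in a running pod, so a change to the trusted-IP list only takes effect after the agent pods restart; a short comment on the mount (`# subPath mounts do not pick up ConfigMap updates; restart agents after changing the whitelist`) would save the next operator a confusing debugging session.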
@@ -117,6 +124,34 @@ lapi:
 type: RollingUpdate
 config:
+ # Custom profiles: captcha for rate limiting, ban for attacks
+ profiles.yaml: |
+ # Captcha for rate limiting and 403 abuse (user can unblock themselves)
+ name: captcha_remediation
+ filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["crowdsecurity/http-429-abuse", "crowdsecurity/http-403-abuse", "crowdsecurity/http-crawl-non_statics", "crowdsecurity/http-sensitive-files"]
+ decisions:
+ - type: captcha
+ duration: 4h
+ on_success: break
+ ---
+ # Default: Ban for serious attacks (CVE exploits, scanners, brute force)
+ name: default_ip_remediation
+ filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+ decisions:
+ - type: ban
+ duration: 4h
+ on_success: break
+ ---
+ name: default_range_remediation
+ filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Range"
+ decisions:
+ - type: ban
+ duration: 4h
+ on_success: break
+ config.yaml.local: |
 db_config:
 type: mysql