diff --git a/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx b/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx
index 9ad761a08..c98e18228 100644
--- a/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx
+++ b/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx
@@ -36,6 +36,7 @@ A summary of the main classification category is provided below, and you can use
 * `device:*`: The IP is associated with a device having known security weaknesses.
 * `proxy:*`: Hosts identified as proxies based on the services they expose and/or their behaviour. IPs be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/65a56839ec04bcd4f51670be).
 * `group:*`: Cohort of machines seen attacking in a coordinated fashion. IPs belonging to the same cohort or cluster have been seen to exhibit a new behaviour in a synchronised manner, such as starting to exploit a known vulnerability at the same time (experimental feature).
+* `bot:*`: IPs associated with known bots, such as web scrapers, scanners, or other automated tools.
 
 <TableRender
     columns={columns}