|
By Cynthia Gonzalez
Corelight Sensor v29.1 and Fleet Manager v29.1.1 fundamentally expand what a Corelight Sensor delivers. The release turns existing network evidence into a shared source of truth for SecOps, NetOps, triage, and forensic investigation. Network performance monitoring and asset classification unlock new value from traffic you're already collecting.
|
By Tyler Hill
Every packet flowing through a Corelight sensor contains both security-relevant data and performance-relevant data. Until now, Corelight has focused exclusively on extracting security value from network traffic: connection logs, protocol analysis, and threat detections. But the same traffic that reveals lateral movement also reveals TCP latency. The same DNS queries that surface potential C2 channels also reveal resolution timing.
|
By Ben Reardon
There is a saying you will hear from veterans in the Black Hat Network Operations Center (NOC): “Threat hunting on the Black Hat network is like trying to find a needle in a stack of needles." With dozens of training classes running live exploit chains, capture-the-flag traffic, and researchers probing every corner of the internet, our Corelight sensors generate a rich set of Zeek logs, many of which can look suspicious in varying degrees.
|
By Tim Chiu
The threat is coming from inside the organization. It is coming from a laptop farm three states over, routed through a proxy, and operated by a threat actor sitting on the other side of the globe. We are witnessing a massive shift in how adversaries breach organizations. They no longer need to spend weeks probing your external firewalls or crafting the perfect zero-day exploit. Instead, they simply update their resumes, pass your interview process, and your IT department ships them a corporate device.
|
By Richard Petrie
Long gone are the days where usernames were all you needed to secure a network. The same is true for your Security Operations Center (SOC) analysts trying to investigate a threat. "Who is jdoe05 and why are they logging into this server?" is a critical question to answer during an investigation, one that neither NDR (Network Detection and Response) nor EDR (Endpoint Detection and Response) can answer directly. Enter the Identity Provider (IdP).
|
By Adam Pumphrey
For years, SOC analysts have lived in a world of swivel-chair analysis. When an alert fires in an endpoint tool, the next step is almost always a manual pivot to a network console to see if the network reality matches the host behavior. This manual back-and-forth isn't just tiring; it’s a window of opportunity for attackers. Corelight is excited to highlight a new integration with CrowdStrike Charlotte AI.
|
By Corelight
Corelight, a leader in fueling the AI SOC, today announced that it is providing industry-leading data to power AI investigations of emerging threats through an integration of Corelight Open NDR into Cloud Control Studio. Cloud Control Studio is the design space within Cisco Cloud Control, Cisco’s unified platform for agentic IT operations, where customers can build AI agents and connect them to non-Cisco tools.
|
By Gregory Bell
Defenders have long known that richer evidence improves security outcomes by enabling faster triage, deeper analysis, and more complete investigation. Although Corelight was founded on this premise, it’s been hard for us to quantify the impact of better network data - until now. Recently, we built an agentic test harness to measure the success of frontier LLMs in responding to real-world attack scenarios, using a range of source data.
|
By Matt Ellison
You already know the immense value of open-source Zeek. It provides the absolute gold standard of network evidence, giving you the deep visibility required to defend your organization. You have the right strategic foundation, but the operational workload of managing a do-it-yourself (DIY) deployment at scale is likely draining your energy.
|
By Josh Porto
Network Detection and Response (NDR) is a glorious tool for spotting the stuff that slips past the velvet ropes. The weird lateral movement. The "why is Finance talking to a printer in Moldova" moment. The internal reconnaissance that looks harmless until it's suddenly not. What can't NDR do? Trick question. It can't walk the dog, run a marathon, or explain to leadership why "just block Russia" isn't a complete strategy. NDR is your truth serum.
|
By Corelight
Network security depends on clear visibility across every digital asset. This detailed walkthrough covers Corelight's new Network Performance and Asset Classification logs. You will learn about these two logs, how to configure them, and how to use them during cyber investigations. Network Performance and Asset Visibility logs are available as part of the Sensor v29.1 general availability release to customers with Sensor and Investigator Bundle licenses.
|
By Corelight
Network security depends on clear visibility across every digital asset. In this brief demo, we will see how Corelight's new Network Performance and Asset Classification logs can be referenced when doing a threat hunt. You will learn about the logs and what information they contain. Network Performance and Asset Visibility logs are available as part of the Sensor v29.1 general availability release to customers with Sensor and Investigator Bundle licenses.
|
By Corelight
In this episode, host Richard Bejtlich sits down with Dave Getman to discuss the evolution of Corelight Investigator and the paradigm shift from delivering raw sensor data to providing agentic triage. They explore how AI can synthesize millions of log lines into concise, actionable determinations—categorizing activity as malicious or benign—while maintaining transparency by "bringing the receipts" of raw evidence. Dave explains why the security pendulum is swinging back toward network detection to counter sophisticated EDR evasion and shares a roadmap for the future of auto-containment.
|
By Corelight
Every security vendor says their data is better. Corelight decided to test that claim directly. Using real nation-state attack scenarios, including Salt Typhoon-related activity, the same AI model was evaluated against multiple security data sources to measure investigation accuracy, threat visibility, and incident response coverage. The only variable was the data.
|
By Corelight
Modern SOCs face a difficult reality: attackers are moving faster while analysts are being asked to investigate more alerts than ever. Learn how agentic triage helps security teams move from alert overload to evidence-backed investigations. Rather than relying on opaque AI outputs, the approach uses expert-written playbooks and exposes the underlying queries and evidence so analysts can verify conclusions against raw network data.
|
By Corelight
The emergence of advanced large language models like Anthropic's Mythos represents an epochal shift in cybersecurity, fundamentally altering how zero-day vulnerabilities are surfaced and remediated. In this episode, host Richard Bejtlich sits down with Corelight Co-founder Greg Bell to analyze the security implications of this AI-driven bug explosion, highlighting recent AI-assisted vulnerability discoveries across infrastructure mainstays like FreeBSD and Firefox.
|
By Corelight
Every security vendor says their data is better. Corelight decided to test that claim directly. Using real nation-state attack scenarios, including Salt Typhoon-related activity, the same AI model was evaluated against multiple security data sources to measure investigation accuracy, threat visibility, and incident response coverage. The only variable was the data.
|
By Corelight
A global cruise line operating across maritime and resort environments was struggling with inconsistent detections, alert overload, and limited visibility from its existing NDR platform. In this customer story, Jay Miller from Corelight walks through how the organization evaluated its network visibility strategy, identified long-standing gaps in detection coverage, and improved investigation workflows across a complex environment with intermittent connectivity at sea.
|
By Corelight
The emergence of quantum computing has introduced a definitive expiration date for classical encryption, fueling a "harvest now, decrypt later" strategy among sophisticated nation-state actors. In this episode, Vince Stoffer joins Richard Bejtlich to demystify Post-Quantum Cryptography (PQC) and explain why organizations must move beyond a "set it and forget it" mentality regarding their encryption standards.
|
By Corelight
Richard Bejtlich sits down with Ali Islam to pull back the curtain on how a security research lab functions within a modern security company. Moving beyond the "ivory tower" of academia, Ali explains why researchers must be battle-hardened by real-world threat actor techniques to remain effective in the field. The conversation dives into Corelight’s unique commitment to the open source community through the direct funding of Zeek and Suricata developers, ensuring that community-driven tools can scale to meet massive enterprise traffic demands.
- June 2026 (11)
- May 2026 (7)
- April 2026 (9)
- March 2026 (7)
- February 2026 (5)
- January 2026 (3)
- December 2025 (6)
- November 2025 (1)
- October 2025 (9)
- September 2025 (6)
- August 2025 (3)
- July 2025 (6)
- June 2025 (6)
- May 2025 (4)
- April 2025 (5)
- March 2025 (4)
- February 2025 (4)
- January 2025 (1)
- December 2024 (6)
- November 2024 (2)
- October 2024 (1)
- September 2024 (6)
- August 2024 (1)
- July 2024 (4)
- June 2024 (1)
- May 2024 (5)
- April 2024 (3)
- March 2024 (3)
- February 2024 (1)
- January 2024 (1)
- December 2023 (1)
- November 2023 (4)
- October 2023 (6)
- September 2023 (5)
- August 2023 (3)
- July 2023 (3)
- June 2023 (4)
- May 2023 (5)
- April 2023 (4)
- March 2023 (2)
- February 2023 (2)
- January 2023 (3)
- December 2022 (4)
- November 2022 (3)
- October 2022 (5)
- September 2022 (4)
- August 2022 (7)
- July 2022 (3)
- June 2022 (3)
- May 2022 (11)
- April 2022 (8)
- March 2022 (6)
- February 2022 (7)
- January 2022 (1)
- December 2021 (7)
- November 2021 (7)
- October 2021 (3)
- September 2021 (3)
- August 2021 (7)
- July 2021 (7)
Corelight gives you the high ground—a commanding view of your network that lets you outsmart and outlast adversaries.
From the Acropolis to the edge of space, defenders have sought the high ground in order to see farther and turn back attacks. Corelight delivers a commanding view of your network so you can outsmart and outlast adversaries. We capture, interpret, and connect the data that means everything to defenders.
Corelight gives apex defenders the information and tools they need to successfully detect and respond to threats. Corelight is built on Zeek, an open-source, global standard technology. Zeek provides rich, structured, security-relevant data to your entire SOC, making everyone from Tier 1 analysts to seasoned threat hunters far more effective.
The Open NDR Platform:
- Suricata: Suricata generates alerts that we embed directly into Zeek logs, putting every detection into context to save time, cut alert backlogs, and improve analytics.
- Zeek: The Zeek open source network security monitor generates lightweight metadata and detections to enable threat hunting and speed incident response.
- Smart PCAP: Smart PCAP links logs, extracted files, and insights with just the packets you need, to reduce storage costs while expanding retention times by a factor of 10.
Faster investigations, more effective threat hunts with the world's best network evidence.