Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

From days of training to three better rules in a minute

A few years ago, I was part of a team responding to a high-profile security incident. After the incident was resolved, I was given a list of NDR rules to add to my firewalls. The issue was that the rules were not made for Suricata, the IDS I was using in this position at that time, so they generated false positives. With all that extra noise, I made it my goal to eliminate that excess noise.

What the Black Hat NOC taught me about MCP & agentic SOCs (Chapter 2 of 4)

The first time an MCP (Model Context Protocol) server felt real to me, it wasn't because of a clean demo. It was because of the noise. TL;DR: The harness matters more than the protocol, and the evidence matters more than both. MCP earns its keep when it shortens the path from a good security question to trustworthy evidence, and almost everything interesting about making that work happens in the harness wrapped around the model. In this series, I will cover how to build an MCP for an AI SOC.

Identifying and detecting ScoutC2 malware

At Corelight Labs, our mission is to help organizations stay a step ahead of evolving threats. When our researchers came across Censys' detailed write-up on ScoutC2, a rapidly growing open-source command-and-control (C2) framework favored by threat actors, we knew we needed to bolster community defenses quickly.

Stop Chasing Alerts, Start Hunting Adversaries: The New NDR Essentials

It was time to write another book. That’s what I thought when I heard that Corelight wanted to update its 2021 book on network detection and response (NDR). Tamara Crawford, who owned the project, scheduled a meeting with me and asked if I might be interested in helping, depending on who might write the text.

Episode 18 - Live Fire Defense at Locked Shields

In this episode, host Richard Bejtlich sits down with Corelight Senior Sales Engineers Adam Donadeo and Nico Roosenboom to unpack their firsthand experiences at Locked Shields, the world’s largest international live-fire cyber defense exercise. The conversation dives deep into the chaotic, real-world friction of defending a massive virtualized network alongside 4,000 global experts against aggressive red team waves.

What the Black Hat NOC taught me about MCP & agentic SOCs (Chapter 1 of 4)

The first time an MCP (Model Context Protocol) server felt real to me, it wasn't because of a clean demo. It was because of the noise. TL;DR: The harness matters more than the protocol, and the evidence matters more than both. MCP earns its keep when it shortens the path from a good security question to trustworthy evidence, and almost everything interesting about making that work happens in the harness wrapped around the model. In this series, I will cover how to build an MCP for an AI SOC.

Strengthening modern detection with Open NDR and integrated threat intelligence

Adversaries are evolving faster than defenders can respond, and they're weaponizing AI to accelerate their attacks. We’ve seen “living-off-the-land”, lateral movement, and the abuse of legitimate administrator tools enable hackers to hide in plain sight, diluting the effectiveness of traditional detection methods. Meanwhile, defenders are nervously trying to keep up with the accelerating pace of AI-empowered threats hitting them at machine speed.

Episode 17 - Home Labs and Tinted Windows: Why Network Visibility Starts at Your Front Door

In this episode, host Richard Bejtlich and guest Ricky Lin explore the practical—and often personal—side of network defense: monitoring the home network. Ricky shares how he uses Corelight and Zeek to track everything from his children's YouTube habits to the constant chatter of IoT devices like Tesla vehicles and smart appliances. They delve into the "tinted windows" analogy to explain why visibility into encrypted traffic is still possible through network metadata, even when the contents are hidden.

Corelight Sensor v29.1 release highlights: Network evidence powers network operations

Corelight Sensor v29.1 and Fleet Manager v29.1.1 fundamentally expand what a Corelight Sensor delivers. The release turns existing network evidence into a shared source of truth for SecOps, NetOps, triage, and forensic investigation. Network performance monitoring and asset classification unlock new value from traffic you're already collecting.

Extending the value of network evidence: Introducing Performance and Asset Visibility

Every packet flowing through a Corelight sensor contains both security-relevant data and performance-relevant data. Until now, Corelight has focused exclusively on extracting security value from network traffic: connection logs, protocol analysis, and threat detections. But the same traffic that reveals lateral movement also reveals TCP latency. The same DNS queries that surface potential C2 channels also reveal resolution timing.