Episode 18 - Live Fire Defense at Locked Shields

In this episode, host Richard Bejtlich sits down with Corelight Senior Sales Engineers Adam Donadeo and Nico Roosenboom to unpack their firsthand experiences at Locked Shields, the world’s largest international live-fire cyber defense exercise. The conversation dives deep into the chaotic, real-world friction of defending a massive virtualized network alongside 4,000 global experts against aggressive red team waves.

What is CEN/TS 18099? A guide to the injection attack detection standard

For years, the dominant threat against remote identity verification was the presentation attack: someone holding a printed photo up to a camera, wearing a mask, or playing a pre-recorded video on a phone screen. The industry responded with increasingly sophisticated anti-spoofing technology and vision-based detection models, and the standards to test their effectiveness followed. But many of today’s most sophisticated fraudsters don’t bother with the camera at all.

What the Black Hat NOC taught me about MCP & agentic SOCs (Chapter 1 of 4)

The first time an MCP (Model Context Protocol) server felt real to me, it wasn't because of a clean demo. It was because of the noise. TL;DR: The harness matters more than the protocol, and the evidence matters more than both. MCP earns its keep when it shortens the path from a good security question to trustworthy evidence, and almost everything interesting about making that work happens in the harness wrapped around the model. In this series, I will cover how to build an MCP for an AI SOC.

AI Powered Threat Detection: CISO's Guide

The market is giving CISOs a blunt signal. AI-powered threat detection and response was valued at USD 5.59 billion in 2024 and is projected to reach USD 23.52 billion by 2032, at a 20.00% CAGR according to Kings Research on the AI-powered threat detection and response market. That kind of growth doesn't happen because security teams like new tooling. It happens because modern environments generate more telemetry than analysts can realistically review, and attackers move faster than rule updates.

Strengthening modern detection with Open NDR and integrated threat intelligence

Adversaries are evolving faster than defenders can respond, and they're weaponizing AI to accelerate their attacks. We’ve seen “living-off-the-land”, lateral movement, and the abuse of legitimate administrator tools enable hackers to hide in plain sight, diluting the effectiveness of traditional detection methods. Meanwhile, defenders are nervously trying to keep up with the accelerating pace of AI-empowered threats hitting them at machine speed.

Episode 17 - Home Labs and Tinted Windows: Why Network Visibility Starts at Your Front Door

In this episode, host Richard Bejtlich and guest Ricky Lin explore the practical—and often personal—side of network defense: monitoring the home network. Ricky shares how he uses Corelight and Zeek to track everything from his children's YouTube habits to the constant chatter of IoT devices like Tesla vehicles and smart appliances. They delve into the "tinted windows" analogy to explain why visibility into encrypted traffic is still possible through network metadata, even when the contents are hidden.

Threat Detection and Response Solutions: A Complete Guide

For those evaluating threat detection and response solutions, the underlying issues are often a persistent reality: The firewall says one thing, the endpoint tool says another, cloud alerts pile up in a separate console, and the compliance team still asks for evidence that no one can assemble quickly. Analysts waste time pivoting between tools when they should be deciding whether an incident is real and what to contain first.

Corelight Sensor v29.1 release highlights: Network evidence powers network operations

Corelight Sensor v29.1 and Fleet Manager v29.1.1 fundamentally expand what a Corelight Sensor delivers. The release turns existing network evidence into a shared source of truth for SecOps, NetOps, triage, and forensic investigation. Network performance monitoring and asset classification unlock new value from traffic you're already collecting.

Extending the value of network evidence: Introducing Performance and Asset Visibility

Every packet flowing through a Corelight sensor contains both security-relevant data and performance-relevant data. Until now, Corelight has focused exclusively on extracting security value from network traffic: connection logs, protocol analysis, and threat detections. But the same traffic that reveals lateral movement also reveals TCP latency. The same DNS queries that surface potential C2 channels also reveal resolution timing.