Research on Corelight

Value Proposition: Corelight transforms your network and cloud activity into evidence to keep you ahead of ever-changing attacks.
Last edited 58 seconds ago by Shilpa Vishwambharan
Executive Summary: Corelight offers network detection and response (NDR) solutions. Their services are based on the open-source network monitoring tool Zeek (formerly 'Bro') and are designed to expand network visibility, improve detection coverage, and speed up the incident response process. Corelight's product lineup includes Investigator, cloud and on-prem sensors, sensor Fleet Manager, and Smart PCAP, each offering various features and benefits such as accelerated threat hunting and investigation, visibility across major cloud providers, and efficient packet capture. Corelight's customer base typically falls into one of three analytics architectures, and the company tailors its solutions to meet the diverse needs of its clients. While Corelight faces competition from other NDR providers like Darktrace, ExtraHop, and Vectra AI, customer feedback on Gartner G2 highlights Corelight's strong points such as its open-source foundation, ease of use, and performance, leading to its selection for driving innovation and improving compliance and risk management.
"While EDR is essential to help detect and prevent threats in the endpoints, the logical next step is network detection via NDR. The endpoint gives depth and the network provides breadth... From an infrastructure perspective the TAP, SPAN or packet broker architecture is already in place and we come in and replace these 2-3 solutions with one simple solution." - Corelight CEO, Brian Dye in interview with TAG Cyber

About Corelight

Corelight specializes in open network detection and response (NDR) solutions for large enterprises and government customers. Corelight reported significant growth, with an increase of over 40% in annual recurring revenue for the fiscal year ending on January 31st, 2024.
These are the main ways in which Corelight helps its customers:
Expands visibility into the network.
Improves detection coverage, thereby accelerating the incident response process.
Has foundations in the open-source world (Zeek). Corelight makes it easy to adopt and scale Zeek for enterprise customers.
Helps reduce false positives, which reduces the alert backlog and thus accelerates the incident response process.

Corelight Solutions: The Opportunity Space

Corelight focuses on taking the pain out of deploying Zeek at enterprises and provides in-depth visibility. Corelight customers typically have three different types of analytics architecture. Corelight sells its solutions to match these data analytics architectures.
Customer Persona: Data lake architecture
Customer Needs: These customers prefer to store all their data in a central repository and customize their own security workflows, automation and detection engineering.
Corelight Solution: Sensor Portfolio that generates rich data, rich evidence, analytics and detections
Customer Persona: SIEM and XDR
Customer Needs:
Customers who need network-centric data and analytics but also need help with alert aggregation, tuning and triage.
Typically do threat hunting and incident response in XDR or SIEM tools.
Corelight Solution: Sensor Portfolio + Analytics offering that goes on top of the sensors
Customer Persona: Full Stack NDR (the SOC Triad)
Customer Needs: customers who prefer to use EDR for endpoint detection, NDR for network incident response & threat hunting, and finally send alerts downstream to their SIEM
Corelight Solution: Corelight Investigator


Classic speeds and feeds of the sensors (has deployed and scaled solutions with up to 1 Tbps)
Cloud/on-prem/hybrid deployment models that align with the customer's preferred data-analytics architecture
Open-source heritage (CTO Vern Paxson founded Zeek in 1995)
Best high-quality data (learning from high-end defenders, partnership with Mandiant and others)
Broad ecosystem (Zeek, Suricata, adoption of ChatGPT to understand threats, community learnings and work that help accelerate threat detections)

What is Zeek

Zeek is an open-source network monitoring tool that was created in 1995 by Vern Paxson (co-founder of Corelight). Paxson designed and implemented the initial version in 1995 as a researcher at the Lawrence Berkeley National Lab. Today, Corelight develops and sells an enterprise-grade version of Zeek to large enterprises and governments.
Zeek offers three key network security capabilities - traffic logging, file extraction and custom traffic analysis. Network or SOC engineers can look at the logs based on timestamp, connection identifier, protocols and so on to find meaningful insights. Zeek sensors are deployed out of band and the network traffic is captured and sent to Zeek sensors via a SPAN port or TAP. The network feed is turned to Zeek Logs, which can then be sent to SIEM or data lakes for analysis.
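To illustrate the lookup by timestamp and connection identifier described above, here is an added example (not Corelight or Zeek project code) that parses Zeek's default TSV log format and pivots on a connection uid across conn.log and dns.log. The log lines, uids and addresses are constructed samples with a trimmed field list.

```python
# Constructed sample logs in Zeek's default TSV layout (field list trimmed).
CONN_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1700000000.100000\tCabc111\t10.0.0.5\t10.0.0.53\t53\tudp\tdns\n"
    "1700000001.250000\tCabc222\t10.0.0.5\t203.0.113.7\t443\ttcp\t-\n"
)
DNS_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tquery\tqtype_name\tanswers\n"
    "1700000000.100500\tCabc111\t10.0.0.5\texample.com\tA\t192.0.2.10\n"
)

def parse_zeek_tsv(text):
    """Return (path, records) for one Zeek TSV log; unset fields become None."""
    sep, unset, path, fields, records = "\t", "-", None, [], []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # The header spells the separator as an escape sequence, e.g. \x09.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "unset_field":
                unset = vals[0]
            elif key == "path":
                path = vals[0]
            elif key == "fields":
                fields = vals
        elif line:
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError(f"malformed record: {line!r}")
            records.append({f: None if v == unset else v for f, v in zip(fields, values)})
    return path, records

def pivot(uid, *logs):
    """Every record sharing a connection uid across logs, ordered by timestamp."""
    hits = [dict(r, _path=p) for p, recs in logs for r in recs if r.get("uid") == uid]
    return sorted(hits, key=lambda r: float(r["ts"]))

if __name__ == "__main__":
    for rec in pivot("Cabc111", parse_zeek_tsv(CONN_LOG), parse_zeek_tsv(DNS_LOG)):
        print(rec["ts"], rec["_path"], rec.get("query") or rec["id.resp_h"])
```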


NDR Market Snapshot

Market Characteristics:

Customer base -
Primarily deployed by large enterprises with mature security practices, and governments
Seeing accelerated demand from Energy & Utilities industry.
Large enterprises with mature EDR program, buying NDR for added network visibility benefits.
By 2027, Worldwide NDR spending to be $2.63B (14% YoY growth from 2022 → 2027). Gartner 2023 report

Buyer Trends:

In 2029, per Gartner, more than 50% of incidents found will be from cloud deployments, up from less than 10% in 2023. Public cloud traction is driving NDR deployments for security in IaaS and SaaS environments, but the majority of NDR investment is still made by large enterprises.
Cloud sensors for application and workload protection in public cloud.
Cloud-native firewalls have limitations in performing decryption and payload inspection.
Cloud-native, signature-based security solutions alone cannot protect against software supply-chain attacks; that needs NDR.
XDR emerging as a competing technology, but large enterprises continue to deploy stand-alone NDR solutions. Opportunity for NDR vendors to partner with EDR & MDR solutions.
Need for MDR on the rise - Partnership or Expansion opportunity
Staff shortage leading to increase in outsourcing - MDR is a growing opportunity as more enterprises look at outsourcing security (60% customers in 2025, up from 20% in 2023). Growing interest from SMBs too.
Market Synergies - MDR & NDR have high adoption in government, finance & healthcare.
Opportunity to broaden scope by including OT/IoT protection as customers look to consolidate vendors. OT/IoT are more specialized markets and MDR differentiation in this area can further help.

Adoption Inhibitors:

Cost & Complexity (to deploy & maintain) of incumbent NDR solutions.
Large number of false positives.
Market confusion caused by the proliferation of XDR positioning, although XDRs aren't capable of the same level of behavioral analysis as NDRs.

NDR For Cloud:

Support multiple cloud providers.
Strict compliance & regulatory standards must be met.
Anomalous behavior based detection becomes more important in cloud.
Source: Gartner, 2023

Products Sold by Corelight
Benefits to Customer
A SaaS analytics and incident response platform that helps accelerate threat hunting and investigation.
Helps consolidate legacy toolsets such as IDS
Ability to drill down on rich details to perform root-cause analysis
Intuitive Log Query engine
Integrates with SOC workflows
Intelligent alert scoring that helps reduce noise by using ML.
Automated investigative recommendations.
Cloud Sensors
Supports all three major cloud providers - AWS, GCP and Azure.
Complete visibility into network traffic traversing the three major clouds as well as hybrid or on-prem.
Accelerate time to investigate, identify and prevent threats
Traffic mirroring of AWS VPC logs, Google Cloud logs and Azure traffic logs. Can work with 3rd party traffic mirroring tools.
Appliance Sensors
Appliance-based, software or virtual sensors can deliver NDR, IDS, Smart PCAP and file extraction capabilities.
AP 5k/3k/1k/200 with speeds of 100/35/20/2 Gbps
VM Sensors
Stream from virtual, software or hardware based sensors and send to preferred on-premise or SaaS based SIEM/XDR/data lake environments.
Hyper-V Sensors and VMWare Sensors
Software Sensors
Deployed on Linux machines
Fleet Manager
Provides sensor management as a virtual machine.
Manage the sensors via a single pane of glass.
View their health.
Support compliance audits.
Smart PCAP
Cut down on the packet capture and storage costs by ~50%.
Access packets directly in SIEM for faster investigations.
Create rules to only capture packets that you need.


GenAI in NDR

Summary: GenAI can assist in threat response use cases by using large language models to provide more context and to accelerate validation and triage.

Today Generative AI is good at:

Translating alerts from one language to another.
Generating summaries from existing data.
Investigation guidance - providing helpful steps to begin detecting common types of known attacks.
Help write simple queries or scripts for automated workflows

When it becomes good, then:

Speed - Help Reduce MTTD for common attack types.
Augment staff-shortage by offloading low-value tasks from Security Teams.
How should I begin to detect advanced threats?
Help writing advanced threat investigation queries.
Generating Hypothesis and investigating previously unknown attacks
Help simulate diverse attack scenarios.

SOC Analyst Pain Points
SOC Analyst
Protect enterprise resources, workforce and workload by analyzing endpoint & network traffic to detect suspicious activities, and respond to them in a timely manner.
Pain Points
High burnout, Drowning in Alerts and many False Positives, Lack of right tools and High-Quality data, Ever-changing threat landscape (lack of timely software patching, rapid rise in SaaS/BYOD/IoT/OT adoption, perimeter-less organizations), state-sponsored advanced threat actors
Ability to get high-quality data with minimal false positives. Much better additional context that accelerates incident response.


Customers also said that they considered these vendors prior to selecting Corelight
67% considered Darktrace
67% considered ExtraHop
50% considered Vectra AI
Why did you purchase this product or service?
Drive innovation, Improve compliance & risk management
What were the key factors that drove your decision?
Strong consulting partnership & Overall cost


Customer Quotes from G2

Wonderful team to work with
Ease of Use
Open Source foundations
Outstanding performance
Supports Wide range of Integrations
Replaced IDS

Corelight - Significant Events Timeline

Series A funding - July 18, 2017 — Corelight, provider of the most powerful network visibility solution for cybersecurity, today announced that it has closed a $9.2 million Series A funding round led by Accel Partners, with participation from Osage University Partners and Riverbed Technology Co-founder Dr. Steve McCanne.
Customers → 6 out of Fortune 100 and 1 large enterprise
Integration with ElasticSearch API: “As a network traffic analysis solution, Corelight is focused on turning high-volume network traffic into high-fidelity data for incident response, intrusion detection, and forensics,” said Vince Stoffer, Director of Customer Solutions at Corelight. “Making it easy for companies adopting Elasticsearch to ingest Bro logs is really important. Whether they ingest data into Elasticsearch directly, or into Logstash, the depth and granularity that Bro provides about network traffic can be a real game changer for cybersecurity forensics.” -
March 28, 2018 — Corelight, the most powerful network visibility solution provider for cybersecurity, today announced Brian Dye has joined as the company’s Chief Product Officer.
Value Proposition in 2018 - Corelight delivers the most powerful network visibility solutions for information security professionals, helping them understand network traffic and defend their organizations more effectively. Corelight solutions are built on the Zeek framework
InfoSec Startup of the Year RSA Conference, San Francisco, Calif. (Booth #1043) — April 18, 2018 — Corelight, the most powerful network visibility solution provider for cybersecurity, today announced it has been named InfoSec Startup of the Year and a Leader in the Network Traffic Analysis category in CyberDefense Magazine’s annual InfoSec Awards at the RSA Conference this week.

Key Metrics

Used by Incident Detection & Response Teams (defined by Mandiant)
Dwell time - how long was the attacker in your network before being found?
Also of interest are the qualitative insights into:
Do you have visibility into when they entered first? → visibility matters
What did the attacker do?