Corelight is a network detection and response (NDR) company that transforms network traffic into comprehensive evidence for threat detection, investigation, and hunting. Built on the open-source Zeek framework (formerly Bro), originally developed at Lawrence Berkeley National Laboratory by Dr. Vern Paxson in the 1990s, Corelight provides enterprise-grade network visibility that generates structured logs, extracted files, and protocol-level metadata from network traffic at scale. The company’s mission is to make the network a first-class data source for security operations, providing the evidence SOC analysts and threat hunters need to detect and investigate advanced threats.
Platform
Open NDR Platform
Corelight’s Open NDR Platform combines Zeek-powered network evidence with curated threat detections, machine learning analytics, and Smart PCAP to provide security teams with complete visibility into network activity. The platform deploys as physical sensors, virtual sensors, or cloud-native sensors across on-premises, cloud, and hybrid environments. All components feed into a unified investigation workflow that correlates network evidence with endpoint and log data.
Network Evidence and Zeek Logs
At its core, Corelight generates rich, structured Zeek logs from network traffic covering over 50 protocols including HTTP, DNS, TLS, SMB, SSH, RDP, Kerberos, SMTP, FTP, and QUIC. These logs provide analyst-readable evidence of every network connection, session, and file transfer, feeding SIEMs and data lakes with high-fidelity network telemetry. Unlike raw packet captures, Zeek logs are structured, searchable, and human-readable, making them immediately actionable for analysts.
Smart PCAP
Corelight’s Smart PCAP technology intelligently captures full packet data for security-relevant traffic while discarding benign bulk traffic such as software updates and CDN content. This reduces storage requirements by up to 95% compared to traditional full PCAP. Analysts can retrieve packets for any flagged event for forensic investigation, providing the gold standard of network evidence without the prohibitive storage costs of full packet capture.
Encrypted Traffic Analysis
The platform analyzes encrypted traffic metadata, including JA3/JA4 fingerprints, certificate chains, TLS negotiation parameters, and Server Name Indication (SNI) values, to detect threats operating inside encrypted channels without requiring decryption. This capability identifies malicious TLS connections, C2 beacons hiding in encrypted traffic, and anomalous certificate usage.
Cloud Sensors
Corelight provides cloud-native sensors for AWS (VPC Traffic Mirroring), Azure (vTAP), and GCP that deliver the same Zeek-based network evidence in cloud environments. These sensors address the critical visibility gap that organizations face as workloads move off-premises, where traditional network taps and SPAN ports are unavailable.
Threat Detection and Hunting
Curated detection rules, behavioral analytics, and ML models identify C2 communication, lateral movement, data exfiltration, credential abuse, DNS tunneling, and malware activity. Detections are mapped to the MITRE ATT&CK framework and integrated with SIEM, SOAR, and XDR platforms including Splunk, Microsoft Sentinel, CrowdStrike, and Palo Alto Cortex XSIAM.
Corelight also provides purpose-built threat hunting tools that allow analysts to pivot across network evidence using investigator-friendly workflows. The platform’s hunting workbooks provide guided investigation paths for common threat scenarios.
Extracted Files and Content
The platform automatically extracts files transferred over the network including executables, documents, scripts, and archives, and can submit them to sandboxes and malware analysis engines for detonation. This capability provides an additional layer of malware detection independent of endpoint security tools.
Entity Analytics
Corelight builds behavioral profiles of network entities (hosts, services, users) over time, establishing baselines and detecting deviations that may indicate compromise. Entity analytics identify beaconing behavior, unusual data transfer volumes, new service activity, and connection patterns that deviate from established norms.
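As an added illustration of the timing-regularity check behind beacon detection (example code written for this page, not Corelight's own analytics), the block below parses a constructed Zeek conn.log excerpt and flags source/destination pairs whose connection intervals are nearly constant. The column names are standard Zeek conn.log fields; the minimum connection count and the coefficient-of-variation threshold are assumptions chosen for the sample.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log excerpt (TSV with the #fields header Zeek writes); not real traffic.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
1700000000.0\tCa1\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp\tssl\t320\t1200
1700000060.2\tCa2\t10.0.0.5\t51001\t203.0.113.9\t443\ttcp\tssl\t318\t1190
1700000119.9\tCa3\t10.0.0.5\t51002\t203.0.113.9\t443\ttcp\tssl\t321\t1210
1700000180.1\tCa4\t10.0.0.5\t51003\t203.0.113.9\t443\ttcp\tssl\t320\t1205
1700000240.0\tCa5\t10.0.0.5\t51004\t203.0.113.9\t443\ttcp\tssl\t319\t1198
1700000299.8\tCa6\t10.0.0.5\t51005\t203.0.113.9\t443\ttcp\tssl\t320\t1201
1700000005.0\tCb1\t10.0.0.7\t40000\t198.51.100.4\t80\ttcp\thttp\t900\t54000
1700000012.0\tCb2\t10.0.0.7\t40001\t198.51.100.4\t80\ttcp\thttp\t12000\t230000
1700000200.0\tCb3\t10.0.0.7\t40002\t198.51.100.4\t80\ttcp\thttp\t700\t8100
1700000230.0\tCb4\t10.0.0.7\t40003\t198.51.100.4\t80\ttcp\thttp\t650\t99000
1700000900.0\tCb5\t10.0.0.7\t40004\t198.51.100.4\t80\ttcp\thttp\t800\t44000
1700000003.0\tCc1\t10.0.0.9\t53001\t192.0.2.1\t53\tudp\tdns\t60\t120
#close\t2023-11-14-22-15-00
"""

def parse_conn_log(text):
    """Yield one dict per record, taking column names from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def beacon_candidates(text, min_conns=5, max_cv=0.2):
    """Flag (orig_h, resp_h, resp_p) pairs whose connection timing is suspiciously regular.
    Regularity = coefficient of variation (stdev/mean) of the gaps between connections;
    a low value means machine-like periodicity. Thresholds are assumed, not Corelight's.
    Returns {pair: (connection_count, mean_gap_seconds, cv)}."""
    times = defaultdict(list)
    for rec in parse_conn_log(text):
        times[(rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]))].append(float(rec["ts"]))
    flagged = {}
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue  # too few connections to judge periodicity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            flagged[pair] = (len(ts), round(mean, 1), round(cv, 3))
    return flagged
```

Calling `beacon_candidates(SAMPLE_CONN_LOG)` flags only the 10.0.0.5 to 203.0.113.9:443 pair (six connections roughly 60 seconds apart); the bursty HTTP pair has a high coefficient of variation and the single DNS lookup is below the connection minimum.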
Deployment Flexibility
Corelight offers multiple deployment options to match organizational requirements. Physical sensors are high-performance appliances for data center and campus network monitoring at speeds up to 100 Gbps. Virtual sensors provide software-based monitoring for virtualized environments and remote sites. Cloud sensors handle AWS, Azure, and GCP traffic monitoring natively. Corelight@Home offers lightweight sensors for monitoring remote worker and branch office traffic.
Open-Source Foundation
Corelight’s relationship with Zeek is a core differentiator. The company employs several Zeek core developers, including Zeek’s creator Dr. Vern Paxson, and is the primary commercial sponsor of the Zeek project. This open-source foundation means Corelight customers benefit from community-driven protocol parsers and detection logic contributed by universities, research institutions, and the broader security community. Enterprises gain transparency into what the platform does, avoiding the black-box problem common in commercial NDR solutions.
Funding
Corelight raised $150 million in its Series D in 2022 led by Accel. Earlier rounds included $75 million in Series C from Energy Impact Partners in 2021 and $50 million in Series B from Insight Partners in 2019. With approximately $25 million in seed and Series A funding, the company has raised over $200 million total.
Key investors include Accel, Energy Impact Partners, Insight Partners, CrowdStrike Falcon Fund, and General Catalyst.
Market Position
Corelight was named a Leader in the inaugural 2025 Gartner Magic Quadrant for Network Detection and Response, validating its position as a top-tier NDR vendor. The company serves government agencies including the U.S. Department of Defense, intelligence community organizations, financial services firms, critical infrastructure operators, and large enterprises that require deep network evidence for advanced threat detection and incident response.
Corelight competes against Darktrace, Vectra AI, ExtraHop, and Cisco (Stealthwatch/Secure Network Analytics). The company’s open-source foundation, analyst-centric approach, and network evidence fidelity differentiate it from competitors that focus primarily on automated anomaly detection.
Leadership
Brian Dye serves as CEO, bringing experience as former SVP at Trend Micro and VP at Intel Security. Vern Paxson is co-founder and Chief Scientist, the creator of Zeek/Bro and a UC Berkeley professor. Greg Bell is Chief Product Officer and Mark Thomas serves as Chief Revenue Officer.