Corelight is a cybersecurity company focused on open network detection and response, transforming network and cloud activity into high-fidelity evidence for threat detection, investigation, and threat hunting. Its platform combines network monitoring, intrusion detection, packet capture, file analysis, and AI-assisted workflows to give defenders durable visibility across on-premises, hybrid, and cloud environments.
Corelight traces its roots to the creation of Zeek and continues to steward that technology while packaging it for enterprise security operations. The company positions evidence at the center of security and has expanded its portfolio across physical, virtual, software, and cloud sensors for sensitive enterprise and government use cases.
Offerings, Capabilities, and Integrations
Corelight delivers an open-core NDR architecture built around security telemetry, detections, and investigation workflows. Its capabilities span network security monitoring, IDS, packet capture, static file analysis, threat intelligence, and AI-driven triage, with detections that combine machine learning, behavioral analytics, curated signatures, and threat intelligence to prioritize real threats and speed analyst response.
Corelight is designed to plug into existing security operations stacks rather than force a rip-and-replace approach. It supports integrations with SIEM, XDR, and SOAR platforms, maintains technology alliances with vendors including Microsoft, Google Cloud Security, CrowdStrike, Splunk, and Elastic, and supports data export to destinations such as Splunk, Elastic, Kafka, Syslog, and S3.
Products and Services
- Open NDR Platform: Corelight’s flagship platform unifies dynamic detections, IDS, network security monitoring, threat intelligence, static file analysis, and PCAP in a single open NDR environment powered by Zeek, Suricata, and YARA.
- Investigator: A SaaS-based, evidence-first investigation platform that automates triage, consolidates alerts into entity-centric cases, and provides explainable reasoning and recommended next steps for analysts.
- Zeek: Corelight’s foundational network monitoring technology that transforms traffic into rich, structured logs and files for evidence-based defense across on-premises and cloud environments.
- IDS: Corelight’s IDS offering deeply integrates Suricata signature alerts with Zeek network evidence so teams can investigate detections with fuller context in their SIEM, XDR, or Investigator workflows.
- Smart PCAP: A selective packet capture capability that links packets to logs, files, and detections so teams can retain relevant traffic longer and retrieve the right evidence quickly during investigations.
- Cloud Sensors: Cloud-native sensors that transform traffic into security-centric evidence for threat detection and response in AWS, GCP, and Azure, with SaaS and self-managed deployment options.
- Fleet Manager: A centralized management layer for Corelight Sensors that supports configuration templates, updates, health monitoring, role-based access controls, and policy management from one console.
- Encrypted Traffic Collection: A detection and visibility collection that analyzes encrypted traffic, including SSL, SSH, RDP, DNS, and VPN sessions, to surface threats and misconfigurations without decrypting the traffic.
- Entity Collection: An asset discovery and inventory collection that identifies applications, hosts, devices, services, certificates, and other entities to support profiling, search, and environment mapping.
- ICS/OT Collection: A visibility collection for industrial and operational environments that logs common ICS and OT protocols and helps teams monitor anomalous interactions across enterprise and operational networks.
- Static File Analysis: A YARA-powered file analysis capability that scans files traversing the network for malicious patterns and sends the resulting alerts into investigation and response workflows.
- Corelight Threat Intelligence, powered by CrowdStrike: A recently introduced threat intelligence capability that combines CrowdStrike intelligence with Corelight network evidence to validate indicators, improve prioritization, and reduce analyst noise.
- Flow Log Sensor: A recently introduced flow monitoring product that transforms raw flow logs from AWS and other native sources into enriched, standardized security metadata for detection, investigation, and cost-efficient visibility.
- Software Sensor: A lightweight software-based sensor for existing hardware that extends Corelight visibility into hybrid, distributed, and multi-cloud environments where appliance deployment is impractical.
- Virtual Sensors: Virtual sensors for Hyper-V and VMware that generate high-fidelity network evidence and detections for incident response and intrusion detection in virtualized environments.
Target Customers
Corelight targets security operations teams that need defensible network evidence instead of opaque alerts. Its primary users include SOC analysts, incident responders, threat hunters, detection engineers, and security architects working across enterprise, hybrid-cloud, and distributed environments, especially where teams need visibility into east-west traffic, encrypted traffic, unmanaged assets, and cloud workloads.
Corelight serves larger and mission-critical organizations, including enterprises, government agencies, and research institutions. Its industry focus includes financial services, healthcare, energy, federal and public sector, and education, and its customer examples span financial firms, retailers, manufacturers, universities, energy companies, law firms, and mortgage lenders.
Cloud Integrations and Marketplace
- AWS Marketplace: Corelight has an AWS Marketplace listing for Corelight Cloud Sensor, which delivers AWS traffic visibility and threat detection for cloud workloads.
- Microsoft Azure Marketplace: Corelight has Microsoft marketplace listings for Cloud Sensor for Azure and Corelight for Microsoft Sentinel, extending Azure workload visibility and Sentinel-based investigation workflows.
- Google Cloud: Corelight supports Cloud Sensors for GCP and maintains Google Cloud Security integrations that help customers use Corelight evidence in Google Cloud and Chronicle-centered workflows.
Key People
- Brian Dye: Chief Executive Officer
- Gregory Bell: Co-Founder & Chief Strategy Officer
- Vern Paxson: Co-Founder & Chief Scientist
- Russ Keefe: Chief Financial Officer
- Rajiv Taneja: Chief Development Officer
- Kevin Williams: Chief Revenue Officer
- Julie Parrish: Chief Marketing Officer
- Bernard Brantley: Chief Information Security Officer
- Steve Smoot: Chief Customer Officer
- Loree Farrar: Chief People Officer
- Rebecca Hazard: General Counsel
- Vijit Nair: Vice President, Product
Key Facts
- Headquarters: San Francisco, California, United States
- Employees: Approximately 470
- Annual Revenue: Approximately $98M
- Parent Company: None
- Subsidiaries: Corelight Federal, LLC; Corelight GmbH; Corelight UK, Ltd.
- Publicly Listed: No
Analyst Recognitions
- Gartner: Leader in Gartner Magic Quadrant for Network Detection and Response, 2025.
- Forrester: Leader in The Forrester Wave: Network Analysis and Visibility Solutions, Q4 2025.