Corelight’s Open NDR Platform

Additional Info

Company size (employees): 100 to 499
Headquarters region: North America
Type of solution: Software


Corelight offers the industry’s only open source-based NDR platform, which transforms network and cloud activity into evidence that provides SOCs with greater visibility, enhanced analytics, in-depth threat hunting and accelerated investigation. Easily deployed and available in on-prem and SaaS-based formats, Corelight combines the power of open source and proprietary technologies to deliver a complete Open Network Detection & Response (NDR) Platform that includes intrusion detection (IDS), network security monitoring and Smart PCAP solutions.

Customers can deploy Corelight Sensors in both on-prem and cloud environments (AWS, GCP, Azure). The sensors can be software, virtual, cloud or physical appliances. In physical networks they connect to traffic mirrors via packet brokers, SPAN ports, or optical taps; in cloud environments they use native traffic mirroring (e.g., VPC traffic mirroring in AWS).

Evidence and insights gathered via the sensors are then fed into existing customer SIEM, XDR, SOAR and other solutions to drive workflow automation and speed response to incidents, vulnerabilities and threats.

Corelight’s newest solution, Corelight Investigator, is a SaaS-based NDR platform that combines comprehensive network evidence with machine learning (ML) and advanced analytics in a fast, intuitive search platform that speeds security operations and consolidates legacy toolsets.

Corelight supports a broad ecosystem of technologies including CrowdStrike, Microsoft, Splunk and AWS. CrowdStrike recently selected Corelight to power their services and solutions portfolio including Incident Response, Compromise Assessment and Network Security Monitoring services.

How we are different

Corelight’s platform is unique because detections and visibility engineering are community driven—with continuous content creation from Zeek®, Suricata IDS, and other threat intelligence communities. This provides significantly more detection and visibility insight than NDR solutions based on proprietary technology. Further, the integration with CrowdStrike XDR enables cross-platform (EDR+NDR) analytics. In addition to the depth of insight gained by leveraging open source communities, three things that Corelight does differently from competitors are:

- Our platform correlates alerts with packets to immediately reduce signal noise (alert fatigue) and provide complete, unalterable context.
- Our analytics approach is not based solely on ML, which lets users choose the right tool for the job: they can combine behavioral analytics, signatures and machine learning to accelerate detection engineering and response.
- Our open core and broad partner integrations allow customers to easily integrate data into SIEM, XDR and SOAR solutions to help drive SOC automation.