By Byron V. Acohido
As enterprises brace for a new wave of stealthy intrusions — so-called Typhoon attacks — security leaders are doubling down on network intelligence that goes beyond surface-level alerts.
Related: What is NDR?
In this RSAC 2025 Fireside Chat, I sat down with Corelight CEO Brian Dye to unpack how Network Detection and Response (NDR) is helping defenders cut through the noise and get to “ground truth.”
Dye likens these attacks to a storm system: nation-state-level intrusions that bypass traditional perimeter defenses and burrow in using “living off the land” techniques. Once inside, attackers blend in by hijacking trusted IT tools, often going undetected for months. “What NDR provides is connective tissue,” Dye says. “It helps SOC teams see the full kill chain — from initial access to lateral movement and potential exfiltration.”
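To make the "connective tissue" idea concrete, here is an added example (not code from the original post, from Corelight, or from the Zeek project) that stitches individual Zeek-style conn.log records into a single chain: an inbound connection from outside, hops between internal hosts over admin protocols, and a large upload out. The log lines are constructed, the internal address range, the admin-service set, and the exfiltration byte threshold are assumptions for this illustration, and the chain-following heuristic is mine rather than any vendor's detection logic.

```python
import ipaddress
import json

# Constructed Zeek conn.log records in JSON form (field names follow Zeek's
# conn.log schema; addresses, timestamps and byte counts are made up).
# The 10.0.5.77 -> 10.0.6.1 SMB flow is deliberate noise: an admin-protocol
# session that is NOT reachable from the intrusion and must not join the chain.
SAMPLE_CONN_LOG = """\
{"ts":1715000000.0,"uid":"C1","id.orig_h":"203.0.113.7","id.orig_p":51234,"id.resp_h":"10.0.1.20","id.resp_p":443,"proto":"tcp","service":"ssl","duration":12.0,"orig_bytes":4200,"resp_bytes":9100}
{"ts":1715000300.0,"uid":"C2","id.orig_h":"10.0.1.20","id.orig_p":49222,"id.resp_h":"10.0.2.15","id.resp_p":445,"proto":"tcp","service":"smb","duration":3.1,"orig_bytes":1800,"resp_bytes":2400}
{"ts":1715000400.0,"uid":"C6","id.orig_h":"10.0.5.77","id.orig_p":50300,"id.resp_h":"10.0.6.1","id.resp_p":445,"proto":"tcp","service":"smb","duration":2.0,"orig_bytes":900,"resp_bytes":1200}
{"ts":1715000700.0,"uid":"C3","id.orig_h":"10.0.2.15","id.orig_p":49880,"id.resp_h":"10.0.3.9","id.resp_p":3389,"proto":"tcp","service":"rdp","duration":1800.0,"orig_bytes":220000,"resp_bytes":880000}
{"ts":1715002000.0,"uid":"C4","id.orig_h":"10.0.3.9","id.orig_p":50110,"id.resp_h":"198.51.100.42","id.resp_p":443,"proto":"tcp","service":"ssl","duration":600.0,"orig_bytes":75000000,"resp_bytes":12000}
{"ts":1715002100.0,"uid":"C5","id.orig_h":"10.0.5.77","id.orig_p":50200,"id.resp_h":"10.0.1.5","id.resp_p":53,"proto":"udp","service":"dns","duration":0.01,"orig_bytes":60,"resp_bytes":120}
"""

# Assumed environment parameters; tune these to the network being monitored.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_SERVICES = {"smb", "rdp", "ssh", "dce_rpc"}   # trusted IT tooling attackers also "live off"
EXFIL_BYTES = 50_000_000                            # upload size that warrants a look


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """One JSON object per line, as Zeek writes when JSON logging is enabled."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stage_of(rec):
    """Map a single flow to a kill-chain stage, or None if it is unremarkable."""
    src, dst = rec["id.orig_h"], rec["id.resp_h"]
    sent = rec.get("orig_bytes") or 0          # Zeek may log null for unknown byte counts
    if not is_internal(src) and is_internal(dst):
        return "initial_access"
    if is_internal(src) and is_internal(dst) and rec.get("service") in ADMIN_SERVICES:
        return "lateral_movement"
    if is_internal(src) and not is_internal(dst) and sent >= EXFIL_BYTES:
        return "exfiltration"
    return None


def build_chain(records):
    """Walk flows in time order and keep only those that start from a host the
    chain has already reached, so unrelated admin traffic is dropped as noise.
    Returns a list of (stage, src, dst, uid) tuples."""
    chain = []
    reached = set()
    for rec in sorted(records, key=lambda r: r["ts"]):
        stage = stage_of(rec)
        if stage is None:
            continue
        src, dst = rec["id.orig_h"], rec["id.resp_h"]
        if stage == "initial_access" or src in reached:
            chain.append((stage, src, dst, rec["uid"]))
            reached.add(dst)
    return chain


def chain_stages(records):
    return [stage for stage, _, _, _ in build_chain(records)]


if __name__ == "__main__":
    for hop in build_chain(parse_conn_log(SAMPLE_CONN_LOG)):
        print("%-16s %s -> %s (%s)" % hop)
```

Each hop in the output carries its Zeek `uid`, which is the pivot back to the underlying packets or to other Zeek logs (ssl.log, smb_files.log) for the same connection; that link from summary to evidence is the "I know" rather than "I think" distinction the conversation returns to below.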
We also explore how Corelight—born out of the open-source Zeek project—has steadily evolved from a tool used exclusively by elite defenders into a platform now accessible to mid-sized enterprises increasingly targeted by nation-state-level threats.
Dye recounts how, for years, only the most well-funded security teams could deploy Zeek effectively; Corelight’s contribution has been to package that capability for broader use, enabling SOCs with smaller teams to gain the same high-fidelity internal visibility once reserved for Big Ten banks and federal agencies.
At the same time, generative AI is beginning to make a material impact in daily SOC workflows. Dye notes that GenAI isn’t replacing human analysts—but it is accelerating their work. Smaller teams are already leaning on vendor-integrated LLMs to interpret alerts and suggest investigative next steps. Larger organizations are taking it further, training custom LLMs to enrich and cross-analyze telemetry in real time. Corelight, drawing on its open-source DNA, plays well in both scenarios—serving up structured, trustworthy network data as “fuel” for these AI-assisted investigations.
The bottom line? Visibility is currency. And in a world where threat actors increasingly masquerade as insiders, knowing what’s really happening — and proving it — could save you millions. “There’s a big difference between I think and I know,” Dye notes.
Listen to the full podcast to hear why ground truth may be the most valuable asset in cybersecurity’s next frontier.