By Byron V. Acohido
For years, network security has revolved around the perimeter: firewalls, antivirus, endpoint controls. But as attackers grow more sophisticated — and as operations scatter to the cloud, mobile, and IoT — it’s increasingly what happens inside the network that counts.
Enter Network Detection and Response (NDR) — a space once reserved for elite security teams at Big Ten banks and federal agencies. Today, thanks in part to pioneers like Corelight, these capabilities are being democratized.
I sat down with Brian Dye, CEO of Corelight, at RSAC 2025, to trace the evolution of NDR and how companies can better transform “ground truth” visibility into real-world defense. At the heart of this movement is Zeek, the open-source engine powering Corelight — and once used only by high-end IR teams.
With Corelight, Zeek’s power is now operational at scale across mid-sized enterprises, which face the same adversaries but lack the thousand-person SOCs. Here are excerpts of our conversation, edited for clarity and length.
LW: What’s driving the renewed urgency around visibility — especially in the face of campaigns like Volt Typhoon?
Dye: We’re seeing a new class of attacker that’s not trying to crash your front door — they’re already inside. Campaigns like Volt Typhoon target the infrastructure layer: VPNs, firewalls, edge devices. Once in, they move laterally using “living off the land” techniques — legitimate IT tools like RDP, WMI, PowerShell. You need behavioral visibility across internal traffic — not just endpoint logs or SIEM alerts. That’s where network evidence comes in.
LW: You’ve described Corelight’s approach as rooted in structured network evidence. How does that differ from traditional NDR?
Dye: NDR historically fell into two extremes: raw packet capture, which is noisy and expensive, or NetFlow-style logs, which lack detail. Corelight strikes a balance by transforming traffic into structured logs — essentially a readable record of what happened, at protocol depth. This makes it possible to detect attacker behavior in real time, while also generating the kind of “ground truth” needed for incident response and compliance. It’s clarity over alert fatigue. And because it’s Zeek-based, it’s an open, inspectable data model — not locked behind proprietary logic.
LW: Let’s back up — for readers unfamiliar with Zeek, what is it and why does it matter?
Dye: Zeek, formerly known as Bro, is a powerful open-source network analysis framework created by Vern Paxson at Berkeley. It’s been used for years by elite IR teams and government agencies to investigate incidents with high fidelity. What Corelight has done is package and commercialize Zeek — making it scalable, easier to deploy, and fully supported for enterprise use. That’s a big deal. We’ve taken a tool that was once exclusive to intelligence agencies and top-tier banks, and made it scalable for commercial SOCs — even those with lean teams and hybrid environments.
LW: How does Corelight help SOC teams do more with less — without sacrificing accuracy?
Dye: Most security teams are overloaded — too many alerts, not enough people, and too much noise. What we hear over and over again is: “I don’t need more alerts, I need clarity.” That’s where Corelight comes in. We provide structured network evidence — what we call “ground truth” — so teams can see the full story: how the attacker got in, how they moved laterally, and what data they touched.
That evidence becomes the connective tissue between your detection layers. Instead of jumping between tools trying to stitch together partial views, teams get a coherent narrative they can act on. And now we’re adding GenAI acceleration on top of that — so the system can summarize alerts, provide next steps, and help analysts focus on the stuff that really needs their brainpower. It’s not about replacing humans — it’s about making their time count.
LW: How are you seeing organizations apply GenAI meaningfully in security operations?
Dye: We’re seeing GenAI used in two primary ways. For smaller teams, it’s often embedded into vendor tools — summarizing alerts, translating findings into plain English, and proposing actions. That’s a great way to scale lean teams. Larger enterprises, on the other hand, are going deeper — building multi-stage pipelines that feed internal LLMs with structured inputs, like our Zeek-based logs, to automate richer parts of the investigation process.
The key in both cases is precision. GenAI doesn’t fix bad input. It amplifies whatever it’s given. So if you’re feeding it vague logs or inconsistent telemetry, it’s going to deliver fuzzy results. But if you give it clean, structured network data — the kind Corelight provides — then you get clarity, not hallucination.
LW: Where do you draw the line with GenAI — what’s useful, and what’s still hype?
Dye: It’s a fair question, and one we wrestle with constantly. GenAI is great at the routine stuff — summarizing alerts, classifying activity, proposing initial triage steps. But as soon as an investigation starts to branch into something unique or unexpected, you hit the edge of what these models can handle. They don’t have intuition. They don’t weigh nuance. That’s still on the human analyst.
What we’re seeing is a bimodal approach. Smaller SOCs are leaning into vendor-delivered AI to help them scale. Larger orgs are building out pipelines with multiple models tuned to their own environment. In both cases, though, the AI is only as good as the data it’s fed — and that’s where Corelight fits in. We give you clean, trustworthy network evidence to fuel those workflows, whatever stage you’re at.
LW: So how should companies think about network evidence in the AI era?
Dye: Think of it as your foundation. You can’t build AI workflows on noisy or incomplete data. Network evidence — when it’s structured and transparent — helps you correlate across detection tools, validate what actually happened, and scale decision-making. Whether you’re an enterprise building GenAI playbooks or a lean team trying to stay ahead of threats, that kind of clarity is what makes AI useful — not risky. Detection won’t improve until visibility improves. The future of cybersecurity isn’t about flooding teams with alerts — it’s about giving them the clarity to act.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)