SHARED INTEL Q&A: Visibility, not volume — reframing detection for the AI-enabled SOC

By Byron V. Acohido

For years, network security has revolved around the perimeter: firewalls, antivirus, endpoint controls. But as attackers grow more sophisticated — and as operations scatter to the cloud, mobile, and IoT — it’s increasingly what happens inside the network that counts.

Related: The NDR evolution story

Enter Network Detection and Response (NDR) — an area once reserved for elite security teams at Big Ten banks and federal agencies. Today, thanks in part to pioneers like Corelight, these capabilities are being democratized.

I sat down with Brian Dye, CEO of Corelight, at RSAC 2025, to trace the evolution of NDR and how companies can better turn “ground truth” visibility into real-world defense. At the heart of this movement is Zeek, the open-source engine powering Corelight — and once used only by high-end IR teams.

With Corelight, Zeek’s power is now operational at scale across mid-sized enterprises, who face the same adversaries but lack the thousand-person SOCs. Here are excerpts of our conversation, edited for clarity and length.

LW: What’s driving the renewed urgency around visibility — especially in the face of campaigns like Volt Typhoon?

Dye: We’re seeing a new class of attacker that’s not trying to crash your front door — they’re already inside. Campaigns like Volt Typhoon target the infrastructure layer: VPNs, firewalls, edge devices. Once in, they move laterally using “living off the land” techniques — legitimate IT tools like RDP, WMI, PowerShell. You need behavioral visibility across internal traffic — not just endpoint logs or SIEM alerts. That’s where network evidence comes in.

LW: You’ve described Corelight’s approach as rooted in structured network evidence. How does that differ from traditional NDR?

Dye: NDR historically fell into two extremes: raw packet capture, which is noisy and expensive, or NetFlow-style logs, which lack detail. Corelight strikes a balance by transforming traffic into structured logs — essentially a readable record of what happened, at protocol depth. This makes it possible to detect attacker behavior in real time, while also producing the kind of “ground truth” needed for incident response and compliance. It’s clarity over alert fatigue. And because it’s Zeek-based, it’s an open, inspectable data model — not locked behind proprietary logic.
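The two answers above describe lateral movement over legitimate admin protocols (RDP, WMI, PowerShell) and the structured, protocol-level connection records Zeek produces. As an added example that is not part of the interview and is neither Corelight's nor Zeek's own code, the Python below reads a constructed sample of Zeek conn.log records in JSON form and flags an internal host that reaches RDP on many other internal hosts within a short window. The field names (ts, id.orig_h, id.resp_h, id.resp_p, conn_state) are Zeek's real conn.log fields; the hosts, timestamps, admin-port list, window size and threshold are assumptions chosen for illustration.

```python
"""Admin-port fan-out check over Zeek conn.log records (JSON format).

Added example, not Corelight's or Zeek's own code. Zeek's conn.log field
names are real; the log lines, hosts, ports list and thresholds are constructed.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample: workstation 10.1.2.15 reaches RDP (3389) on five internal
# servers within a few minutes, including two attempts that never completed
# (conn_state S0 = no reply, REJ = rejected). 10.1.2.16 is normal traffic.
SAMPLE_CONN_LOG = """
{"ts":1714000000.0,"uid":"C1","id.orig_h":"10.1.2.15","id.orig_p":50001,"id.resp_h":"10.1.5.20","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"SF"}
{"ts":1714000031.0,"uid":"C2","id.orig_h":"10.1.2.15","id.orig_p":50002,"id.resp_h":"10.1.5.21","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"SF"}
{"ts":1714000065.0,"uid":"C3","id.orig_h":"10.1.2.15","id.orig_p":50003,"id.resp_h":"10.1.5.22","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"S0"}
{"ts":1714000090.0,"uid":"C4","id.orig_h":"10.1.2.15","id.orig_p":50004,"id.resp_h":"10.1.5.23","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"REJ"}
{"ts":1714000120.0,"uid":"C5","id.orig_h":"10.1.2.15","id.orig_p":50005,"id.resp_h":"10.1.5.24","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"SF"}
{"ts":1714000130.0,"uid":"C6","id.orig_h":"10.1.2.15","id.orig_p":50006,"id.resp_h":"10.1.5.20","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"SF"}
{"ts":1714000140.0,"uid":"C7","id.orig_h":"10.1.2.16","id.orig_p":50007,"id.resp_h":"10.1.5.20","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"SF"}
{"ts":1714000150.0,"uid":"C8","id.orig_h":"10.1.2.16","id.orig_p":50008,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}
{"ts":1714000160.0,"uid":"C9","id.orig_h":"10.1.2.15","id.orig_p":50009,"id.resp_h":"10.1.5.20","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"SF"}
"""

# Assumed admin ports used by "living off the land" tooling: RDP, SMB,
# RPC endpoint mapper (WMI/DCOM), WinRM (PowerShell remoting).
ADMIN_PORTS = {3389, 445, 135, 5985, 5986}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conn_log(text):
    """Parse Zeek JSON conn.log lines into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a torn line should not abort the whole batch
    return records


def is_internal(host):
    """True when host parses as an address inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def lateral_fanout(records, window_s=300, min_targets=3):
    """Map each internal source to the largest set of distinct internal hosts it
    reached on an admin port within any sliding window of window_s seconds,
    keeping only sources whose set has at least min_targets hosts.
    Failed connections (S0, REJ) count: they are evidence only the network sees."""
    by_src = defaultdict(list)
    for r in records:
        src, dst, port = r.get("id.orig_h"), r.get("id.resp_h"), r.get("id.resp_p")
        if port in ADMIN_PORTS and is_internal(src) and is_internal(dst):
            by_src[src].append((float(r["ts"]), dst))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        best, best_targets, left = 0, set(), 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window_s:
                left += 1  # slide the window start forward
            targets = {d for _, d in events[left:right + 1]}
            if len(targets) > best:
                best, best_targets = len(targets), targets
        if best >= min_targets:
            findings[src] = sorted(best_targets)
    return findings


def timeline(records, src):
    """Ordered evidence trail for one source host: (ts, dest, port, conn_state)."""
    rows = [(float(r["ts"]), r["id.resp_h"], r["id.resp_p"], r.get("conn_state", "-"))
            for r in records if r.get("id.orig_h") == src]
    return sorted(rows)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for src, targets in lateral_fanout(recs).items():
        print(f"admin-port fan-out from {src}: {len(targets)} internal targets {targets}")
        for ts, dst, port, state in timeline(recs, src):
            print(f"  {ts:.0f} -> {dst}:{port} {state}")
```

The check keys on the connection record, not on whether the session succeeded: the S0 and REJ rows from 10.1.2.15 still count toward the fan-out, which is the kind of evidence an endpoint log on the target never records. The second host, 10.1.2.16, makes a single RDP connection and is not flagged.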

LW: Let’s back up — for readers unfamiliar with Zeek, what is it and why does it matter?

Dye: Zeek, formerly known as Bro, is a powerful open-source network analysis framework created by Vern Paxson at Berkeley. It’s been used for years by elite IR teams and government agencies to analyze incidents with high fidelity. What Corelight has done is package and commercialize Zeek — making it scalable, easier to deploy, and fully supported for enterprise use. That’s a big deal. We’ve taken a tool that was once exclusive to intelligence agencies and top-tier banks, and made it scalable for commercial SOCs — even those with lean teams and hybrid environments.

LW: How does Corelight help SOC teams do more with less — without sacrificing accuracy?

Dye: Most security teams are overloaded — too many alerts, not enough people, and too much noise. What we hear again and again is: “I don’t need more alerts, I need clarity.” That’s where Corelight comes in. We provide structured network evidence — what we call “ground truth” — so teams can see the full story: how the attacker got in, how they moved laterally, and what data they touched.

That evidence becomes the connective tissue between your detection layers. Instead of jumping between tools trying to stitch together partial views, teams get a coherent narrative they can act on. And now we’re adding GenAI acceleration on top of that — so the system can summarize alerts, suggest next steps, and help analysts focus on the stuff that really needs their brainpower. It’s not about replacing humans — it’s about making their time count.

LW: How are you seeing organizations apply GenAI meaningfully in security operations?

Dye: We’re seeing GenAI used in two primary ways. For smaller teams, it’s often embedded into vendor tools — summarizing alerts, translating findings into plain English, and suggesting actions. That’s a great way to scale lean teams. Larger enterprises, on the other hand, are going deeper — building multi-stage pipelines that feed internal LLMs with structured inputs, like our Zeek-based logs, to automate richer parts of the investigation process.

The key in both cases is precision. GenAI doesn’t fix bad input. It amplifies whatever it’s given. So if you’re feeding it vague logs or inconsistent telemetry, you’ll get fuzzy results. But if you give it clean, structured network data — the kind Corelight provides — then you get clarity, not hallucination.

LW: Where do you draw the line with GenAI — what’s useful, and what’s still hype?

Dye: It’s a fair question, and one we wrestle with constantly. GenAI is great at the routine stuff — summarizing alerts, classifying activity, suggesting initial triage steps. But as soon as an investigation starts to branch into something unique or unexpected, you hit the edge of what these models can handle. They don’t have intuition. They don’t weigh nuance. That’s still on the human analyst.

What we’re seeing is a bimodal approach. Smaller SOCs are leaning into vendor-delivered AI to help them scale. Larger orgs are building out pipelines with multiple models tuned to their own environment. In both cases, though, the AI is only as good as the data it’s fed — and that’s where Corelight fits in. We give you clean, trustworthy network evidence to fuel those workflows, whatever stage you’re at.

LW: So how should companies think about network evidence in the AI era?

Dye: Think of it as your foundation. You can’t build AI workflows on noisy or incomplete data. Network evidence — when it’s structured and clean — helps you correlate across detection tools, validate what actually happened, and scale decision-making. Whether you’re an enterprise building GenAI playbooks or a lean team trying to stay ahead of threats, that kind of clarity is what makes AI useful — not risky. Detection won’t improve until visibility improves. The future of cybersecurity isn’t about flooding teams with alerts — it’s about giving them the clarity to act.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)
