Corelight Bets on Transparent AI to Automate and Empower the Modern SOC

📊 Key Data
  • 10x faster triage: Corelight claims its Agentic Triage can make initial investigations up to 10 times faster.
  • Explainable AI: The system provides a 'show-your-work' approach, exposing every step of its investigative process.
  • Encrypted traffic analysis: New ML models detect threats in encrypted traffic without decryption, focusing on metadata and behavioral patterns.
🎯 Expert Consensus

Experts emphasize that explainability is a foundational requirement for building trust in AI-driven security tools, making Corelight's transparent approach a critical differentiator in the industry.

SAN FRANCISCO, CA – March 18, 2026 – As security teams grapple with an escalating arms race against AI-powered adversaries, network security firm Corelight has unveiled a new suite of tools designed to automate cyber defense with a crucial emphasis on trust and transparency. The company today announced its Agentic AI Suite, featuring an automated investigation capability called Agentic Triage, which aims to slash the time analysts spend on repetitive tasks and provide clear, defensible evidence for every action the AI takes.

At the heart of the announcement is a direct response to one of the most pressing challenges in cybersecurity: the overwhelming volume of security alerts that plagues modern Security Operations Centers (SOCs). Corelight claims its new approach can make the initial investigation, or triage, process up to 10 times faster by transforming high-volume alert noise into focused, evidence-backed investigations.

"By pairing the industry's highest-fidelity network telemetry from Corelight with an expert-governed AI agent, we are giving security teams the evidence they need to trust, verify, and act on AI-generated insights," said Vijit Nair, Corelight's vice president of product. The new suite combines network forensics, expert-written playbooks, and AI reasoning to tackle the manual, often burnout-inducing, work that consumes a security analyst's day.

Fighting AI with Explainable AI

The launch arrives at a critical juncture for the cybersecurity industry. Threat actors are increasingly leveraging generative AI to automate reconnaissance, craft sophisticated phishing campaigns, and accelerate the speed of their attacks. This has placed immense pressure on enterprise defenders, who often rely on manual processes to sift through thousands of daily alerts.

In response, the industry is turning to AI-powered automation. However, this pivot has been met with a healthy dose of skepticism. Many AI security tools operate as a 'black box,' delivering conclusions without revealing the underlying data or logic. This lack of transparency creates a significant barrier to adoption, particularly in regulated industries where every security action must be auditable and defensible.

Corelight aims to solve this trust deficit with what it calls a "show-your-work" approach. The Agentic Triage system is designed to expose every step of its investigative process. Analysts can inspect the specific playbooks the AI used, the queries it ran against the network data, and the exact pieces of evidence that led to its final verdict. This level of explainability is not just a feature but a foundational requirement for building confidence in automated systems.

"The question facing every CISO today is not whether to adopt AI in the SOC—but rather how quickly and how comprehensively," noted Andrew Braunberg, principal analyst at Omdia, in a statement accompanying the release. "To build trust in these solutions, explainability isn't a nice-to-have; it's a requirement."

This sentiment is echoed across the industry, with frameworks like the NIST AI Risk Management Framework emphasizing the need for accountable and transparent AI systems. By providing a clear, auditable trail, Corelight is betting that security leaders will be more willing to integrate deep automation into their critical defense workflows.

Automating the Analyst: A Look at Agentic Triage

The term 'agentic AI' describes a new class of AI systems that can operate with a degree of autonomy. Unlike simpler AI models that merely respond to prompts, an AI agent can decompose a high-level goal into smaller tasks, orchestrate different tools, and execute multi-step workflows to achieve an objective. In the context of a SOC, this means the AI acts less like a simple filter and more like a junior analyst.

Corelight's Lux agent, which powers the Agentic Triage feature, automatically investigates the highest-risk entities—such as users or devices—in an environment. Instead of presenting an analyst with hundreds of disparate alerts, it consolidates related signals into a single, entity-centric investigation. It then applies structured logic from expert-written playbooks to analyze the situation and deliver a verdict on whether the activity is malicious, suspicious, or benign.
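The entity-centric consolidation and playbook-driven verdict described above, together with the "show-your-work" evidence trail from the earlier section, can be sketched in a few dozen lines. The following is an added illustration written for this page, not Corelight's or Lux's code: alerts are bucketed per host, a small hand-written playbook queries simplified Zeek-style connection rows, and every step is logged with the query it issued and the rows that matched. All field names and values (`ALERTS`, `CONN_LOG`, the alert types, the scoring thresholds) are constructed stand-ins, not the real Zeek schema or Corelight's playbook logic.

```python
"""Entity-centric triage that records its own evidence trail.

Added illustration, not Corelight's code: alerts are grouped per entity (here a
host), a small hand-written playbook is run against simplified Zeek-style conn
records, and every step is logged with the query it issued and the rows that
matched, so the verdict can be audited. Field names and values are constructed
stand-ins, not the real Zeek schema.
"""
from collections import defaultdict

# Constructed sample alerts; each names the host it concerns and the peer involved.
ALERTS = [
    {"id": 1, "host": "10.0.0.5", "type": "new_external_destination", "peer": "203.0.113.7"},
    {"id": 2, "host": "10.0.0.5", "type": "long_lived_tls_session", "peer": "203.0.113.7"},
    {"id": 3, "host": "10.0.0.9", "type": "new_external_destination", "peer": "198.51.100.2"},
    {"id": 4, "host": "10.0.0.5", "type": "dns_to_rare_domain", "peer": "203.0.113.7"},
]

# Constructed connection records (simplified conn.log-like rows, durations in seconds).
CONN_LOG = [
    {"host": "10.0.0.5", "peer": "203.0.113.7", "duration": 3600.0, "orig_bytes": 12000, "resp_bytes": 900},
    {"host": "10.0.0.5", "peer": "203.0.113.7", "duration": 3590.0, "orig_bytes": 11800, "resp_bytes": 880},
    {"host": "10.0.0.5", "peer": "10.0.0.2", "duration": 0.01, "orig_bytes": 60, "resp_bytes": 120},
    {"host": "10.0.0.9", "peer": "198.51.100.2", "duration": 2.0, "orig_bytes": 500, "resp_bytes": 40000},
]

# Alert types that, when seen together on one host, corroborate each other (constructed set).
CORROBORATING_TYPES = {"dns_to_rare_domain", "long_lived_tls_session"}


def consolidate_by_entity(alerts):
    """Turn a flat alert stream into one bucket per entity (the host)."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    return dict(by_host)


def query_conn(conn_log, **where):
    """Equality filter over conn rows; stands in for a real log query."""
    return [row for row in conn_log if all(row.get(k) == v for k, v in where.items())]


def run_playbook(host, alerts, conn_log):
    """Apply a fixed playbook to one host; return (verdict, trail).

    Each trail entry holds the step name, the query that was issued and the
    evidence that matched: the 'show-your-work' record an analyst reviews.
    """
    trail = []
    score = 0

    # Step 1: which external peers do this host's alerts point at?
    peers = sorted({a["peer"] for a in alerts if not a["peer"].startswith("10.")})
    trail.append({"step": "collect_external_peers",
                  "query": f"alerts where host={host}", "evidence": peers})

    # Step 2: per peer, look for long, client-heavy sessions in the raw conn rows.
    for peer in peers:
        rows = query_conn(conn_log, host=host, peer=peer)
        long_upload = [r for r in rows
                       if r["duration"] > 600 and r["orig_bytes"] > 5 * r["resp_bytes"]]
        trail.append({"step": "check_long_upload_sessions",
                      "query": f"conn where host={host} peer={peer}", "evidence": long_upload})
        if long_upload:
            score += 2

    # Step 3: independent alert types that agree with each other raise the score.
    corroborating = sorted({a["type"] for a in alerts} & CORROBORATING_TYPES)
    trail.append({"step": "count_corroborating_alerts",
                  "query": f"alert types for host={host}", "evidence": corroborating})
    score += len(corroborating)

    verdict = "malicious" if score >= 3 else "suspicious" if score >= 1 else "benign"
    trail.append({"step": "verdict", "query": None, "evidence": {"score": score, "verdict": verdict}})
    return verdict, trail


def triage(alerts, conn_log):
    """Run the playbook for every entity; return {host: (verdict, trail)}."""
    return {host: run_playbook(host, bucket, conn_log)
            for host, bucket in consolidate_by_entity(alerts).items()}


if __name__ == "__main__":
    for host, (verdict, trail) in triage(ALERTS, CONN_LOG).items():
        print(host, verdict)
        for entry in trail:
            print("   ", entry["step"], "|", entry["query"], "|", entry["evidence"])
```

The point of the trail is that the verdict is never the only output: for `10.0.0.5` the record shows which peer was examined, the two long upload-heavy sessions that were found, and the two corroborating alert types, so a reviewer can re-run each query and reject the conclusion if the evidence does not hold up.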

While Corelight touts this as a "category-first," it enters a competitive field where other major players are also developing and deploying agentic AI concepts. Vendors like Vectra AI and CrowdStrike have been vocal about their use of AI agents to automate threat detection and response. However, Corelight's differentiation lies in combining this agentic architecture with its deep roots in open-source network evidence via Zeek (formerly Bro) and its unwavering commitment to explainability.

This automation promises to fundamentally shift the role of the SOC analyst. Once the monotonous, high-volume work of initial alert triage is offloaded, analysts are freed to focus on higher-value activities that require human intuition and critical thinking, such as proactive threat hunting, deep forensic investigations, and strategic defense improvement.

Piercing the Encrypted Veil

Underpinning any effective AI is the quality of the data it analyzes. Recognizing this, Corelight has also introduced a new suite of machine learning models designed to detect threats hidden within encrypted network traffic—a notorious blind spot for security teams. As more of the web moves to mandatory encryption, adversaries have learned to hide their command-and-control (C2) channels and lateral movement within these protected tunnels.

Traditionally, inspecting this traffic required computationally expensive and often privacy-infringing decryption. Corelight's new models bypass this need by applying statistical and behavioral analysis. Instead of reading the content of the traffic, the AI analyzes its 'shape' and metadata—factors like packet size, timing, and session duration. By learning what normal encrypted traffic looks like, it can accurately identify anomalies that signal malicious activity.
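The shape-and-metadata approach just described can be shown with a deliberately small statistical model. The following is an added illustration written for this page, not Corelight's models: each TLS flow is reduced to three metadata features (duration, mean packet size, share of bytes sent by the client), a per-feature mean and standard deviation is fitted on flows assumed benign, and each new flow is scored by its largest absolute z-score, with the per-feature z values returned so the analyst can see which property drove the score. No payload field is ever read. Every flow record, feature name and threshold below is constructed for the example, not captured traffic or a vendor default.

```python
"""Shape-only anomaly scoring for encrypted flows.

Added illustration, not Corelight's models: each TLS flow is reduced to
metadata features (duration, mean packet size, share of bytes sent by the
client), a baseline of mean and standard deviation is fitted on flows assumed
benign, and new flows are scored by their largest absolute z-score. Payload is
never read. All flow records below are constructed, not captured traffic.
"""
from statistics import mean, pstdev

FEATURES = ("duration", "mean_pkt_size", "upload_ratio")

# Constructed baseline: ordinary browsing sessions (short, large packets, download-heavy).
BASELINE_FLOWS = [
    {"uid": "A", "duration": 1.2, "orig_pkts": 20, "resp_pkts": 30, "orig_bytes": 4000, "resp_bytes": 40000},
    {"uid": "B", "duration": 0.8, "orig_pkts": 15, "resp_pkts": 25, "orig_bytes": 3000, "resp_bytes": 35000},
    {"uid": "C", "duration": 2.0, "orig_pkts": 30, "resp_pkts": 45, "orig_bytes": 6000, "resp_bytes": 60000},
    {"uid": "D", "duration": 1.5, "orig_pkts": 22, "resp_pkts": 33, "orig_bytes": 4500, "resp_bytes": 45000},
    {"uid": "E", "duration": 0.6, "orig_pkts": 12, "resp_pkts": 20, "orig_bytes": 2500, "resp_bytes": 30000},
]

# Constructed flows to score: Y resembles the baseline; X is a long, small-packet, upload-heavy session.
NEW_FLOWS = [
    {"uid": "Y", "duration": 1.1, "orig_pkts": 18, "resp_pkts": 28, "orig_bytes": 3600, "resp_bytes": 38000},
    {"uid": "X", "duration": 5400.0, "orig_pkts": 600, "resp_pkts": 600, "orig_bytes": 60000, "resp_bytes": 12000},
]


def featurize(flow):
    """Describe a flow by its shape only; no payload field is ever consulted."""
    pkts = flow["orig_pkts"] + flow["resp_pkts"]
    total = flow["orig_bytes"] + flow["resp_bytes"]
    return {
        "duration": float(flow["duration"]),
        "mean_pkt_size": total / pkts if pkts else 0.0,
        "upload_ratio": flow["orig_bytes"] / total if total else 0.0,
    }


def fit_baseline(flows):
    """Per-feature (mean, std) from flows believed benign; std floored to 1.0 to avoid division by zero."""
    rows = [featurize(f) for f in flows]
    baseline = {}
    for name in FEATURES:
        values = [r[name] for r in rows]
        baseline[name] = (mean(values), pstdev(values) or 1.0)
    return baseline


def score_flow(flow, baseline):
    """Return (max |z|, per-feature z) so an analyst can see which feature drove the score."""
    feats = featurize(flow)
    z = {name: (feats[name] - mu) / sd for name, (mu, sd) in baseline.items()}
    return max(abs(v) for v in z.values()), z


def flag_anomalies(flows, baseline, threshold=3.0):
    """Return [(uid, score, z_by_feature)] for flows whose largest |z| exceeds the threshold."""
    flagged = []
    for flow in flows:
        s, z = score_flow(flow, baseline)
        if s > threshold:
            flagged.append((flow["uid"], s, z))
    return flagged


if __name__ == "__main__":
    base = fit_baseline(BASELINE_FLOWS)
    for uid, s, z in flag_anomalies(NEW_FLOWS, base):
        print(uid, round(s, 1), {k: round(v, 1) for k, v in z.items()})
```

Two practical caveats follow from this toy. The baseline is only as good as the assumption that the fitting set is benign, so it should be built from hosts and periods believed clean and refreshed as the environment changes. And a long, upload-heavy, small-packet flow is also what a backup job or a video call can look like, which is why production models of the kind the article describes score against what is normal for a given environment and entity rather than a single global threshold; the per-feature z values returned here are what lets an analyst tell those cases apart.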

These models are specifically tuned to detect evasive, post-exploitation techniques that traditional signatures often miss. This includes flagging unauthorized VPN usage, identifying uncommon data tunneling activity that could indicate data exfiltration, and catching sophisticated credential theft techniques like DCSync attacks, where an attacker impersonates a domain controller to steal credentials.

From Insight to Action: Integrating the SOC Ecosystem

Detecting a threat is only half the battle; responding quickly is paramount. To close the gap between detection and response, Corelight has also deepened its integration with key platforms across the security ecosystem. The platform now ingests real-time identity data, allowing analysts to connect the 'who' (the user) to the 'what' (the network activity).

Armed with this context, analysts can now trigger immediate containment actions in other tools directly from the Corelight interface. New integrations with Microsoft Azure AD/Entra and CrowdStrike enable one-click responses such as forcing a universal logout for a compromised user account or triggering a password reset. This builds on the platform's existing capabilities to quarantine endpoints or push block rules to firewalls.

Furthermore, the company announced an integration with CrowdStrike's Charlotte AI, enabling a seamless collaboration between different AI agents across the security stack. This allows CrowdStrike's AI to automatically query Corelight for ground-truth network evidence to validate host behavior, creating a more holistic and robust investigation process. This move reflects a broader industry trend toward creating an interconnected web of AI-driven tools that work together to strengthen an organization's overall security posture.
