Brian
Dye

Somewhere in a defense contractor's SOC, a network sensor is quietly logging every packet, flagging the ones that look wrong, and handing a structured record to analysts who can prove, with evidence rather than suspicion, that something happened. That sensor runs Zeek. The company behind it is Corelight. The CEO who scaled it from a scrappy open-source project into a $900M security platform is Brian Dye.

Dye joined Corelight in 2018 as Chief Product Officer - employee number not-quite-double-digits - after a career that had taken him through the product and executive ranks at Symantec, McAfee, Citrix, and Intel. He was not the founder. He was the operator. The person you bring in when the idea has proven itself and needs someone to build the machine around it.

Two years after joining, in August 2020, he was named CEO. It was not a coronation. By Dye's own account, the question he asked himself before accepting was blunt: "Am I actually the best person for this job at this company right now? If I'm not, I shouldn't take it." He decided he was. The board agreed. Michele Bettencourt moved to Executive Chair and Dye took the controls just as enterprise demand for network detection was about to outrun the cybersecurity industry's ability to explain why it mattered.

The Corelight thesis is simple to state and hard to replicate: network traffic does not lie. Endpoints can be compromised and their logs manipulated. Attackers can blind agents, delete files, cover tracks. But the packets still crossed the wire. Corelight's platform - built on the Zeek network analysis framework, an open-source project originally called Bro, developed at Berkeley and Lawrence Berkeley National Lab - captures that evidence before anyone can touch it. High-fidelity telemetry. Structured logs. A forensic record that tells the whole story.

Dye spent a decade at Symantec before Corelight, rising to Senior Vice President of the Information Security Group and overseeing gateway security, data loss prevention, trust services, and managed security. He ran the enterprise mobility business at Citrix. He took a turn at Intel. The résumé reads as a grand tour of the security industry's prior generation - the one that built the perimeter, bought the firewall, and slowly realized the perimeter was already gone.

That tour ended at a startup with 30 employees and a product category that barely had a name yet. Network Detection and Response. NDR. The acronym now shows up on every analyst briefing, every CISO checklist, every vendor comparison matrix. Dye helped make that happen. He hired a full-time recruiter when the company had 30 people - not 300, not 100, thirty - because he understood that the culture you build in the first 50 hires is the culture you scale, and culture cannot be retrofitted.

The AI moment found Corelight well-positioned. While other security vendors rushed to bolt large language models onto their products and call it intelligence, Dye made a different argument: the models are only as good as the data they train on. Endpoint telemetry is incomplete. SIEM logs are noisy. Network evidence is structured, contextual, and cannot be tampered with post-collection. "Strong detections begin with evidence, not algorithms," he wrote in a Corelight blog post. That positioning - AI needs ground truth, and ground truth comes from the network - has become the company's central narrative heading into its next phase of growth.

The April 2024 Series E told the story in numbers. Accel led the round. Cisco Investments and CrowdStrike participated. $150 million raised at a $900 million post-money valuation. Total funding stands at $309 million across six rounds. Annual revenue is estimated around $77 million, with a 40% annual growth rate. The SaaS and cloud business grew 300% year-over-year. The customer list includes every branch of the U.S. military, major banks, utilities, and critical infrastructure operators who cannot afford to not know what is happening on their networks.

Dye's path to that boardroom started, improbably, in a chemistry lab. He holds a degree in Chemical Engineering from MIT - class of 1996 - and an MBA in Marketing and Strategy from Stanford's Graduate School of Business, completed around 2003. The MIT degree explains something about how he thinks: systems, flows, what moves through pipes and what gets filtered out. The Stanford MBA explains the rest: how to find the market, tell the story, build the team.

At RSAC 2025, Dye took the stage with a title that could have been written by a security columnist daring the industry to disagree: "What Endpoint Security Isn't Catching: Why Network Visibility Still Matters." His argument was not anti-endpoint. It was additive. Layers. The network does not replace the agent; it sees what the agent cannot. Encrypted traffic. Lateral movement. The quiet scan at 3am that happens once and never repeats. Behavioral analytics across the entire environment, not just the machines where software happens to be installed.

That layered logic is the architecture of Corelight's platform: Zeek for structured log generation, Suricata for signature-based detection, curated community-contributed detection rules, smart PCAP for selective packet capture, and increasingly, machine learning models trained on the high-fidelity telemetry the sensors produce. Open architecture. Open-source community. Enterprise distribution. The same playbook that MongoDB and Elastic used to build developer adoption before converting it to enterprise revenue - but applied to a tool that security practitioners had been quietly building their defenses around for twenty years.

Dye talks about leadership like someone who had to unlearn a few things first. On Accel's "Spotlight On" podcast in April 2025, he described the transition from CPO to CEO as "a journey of maturity and self-awareness" - acknowledging that running a product function and running a company require different instruments. The CPO optimizes for the product. The CEO has to hold the culture, the strategy, the story, and the team simultaneously, often under conditions that would make the product decisions look easy.

He does not oversell. His public persona is measured, precise, occasionally dry - the manner of someone who spent years at companies big enough to punish overstatement. When he says Corelight has the best network evidence platform in the industry, he tends to follow it with a proof point: the customer who rejected the $10 million ransom, the military branch that achieved MITRE ATT&CK coverage it couldn't get from any other tool, the insurance company that tripled detection coverage in months. The numbers do the bragging. He keeps his voice flat.

On CNBC's Fortt Knox in February 2026, discussing AI-powered attackers, Dye returned to the ground-truth theme: the threat landscape is accelerating because attackers are automating too, and the organizations that will survive are the ones with the clearest picture of what is actually happening - not what an algorithm inferred might be happening based on incomplete data. The network is the evidence. Corelight captures it. That is still the pitch, five years in. Which means either the pitch was right from the start or Dye has been exceptionally good at refusing to change it for the wrong reasons.

Probably both.