BREAKING: CORELIGHT RAISES $150M SERIES E - ACCEL, CISCO & CROWDSTRIKE BACK THE ROUND | GARTNER MAGIC QUADRANT NDR LEADER 2025 - SECOND CONSECUTIVE YEAR | CORELIGHT INVESTIGATOR CUTS SIEM INGEST BY 80% - WITHOUT LOSING SECURITY FIDELITY | ZEEK: THE OPEN-SOURCE NETWORK MONITOR POWERING 10,000+ DEPLOYMENTS WORLDWIDE | 40%+ ARR GROWTH • 300% YoY AI/SAAS NDR GROWTH - $309.2M TOTAL FUNDING | GREAT PLACE TO WORK CERTIFIED 2025 - 94% OF EMPLOYEES AGREE | OPEN NDR PLATFORM: ZEEK + SURICATA + YARA + AI - EVIDENCE-BASED SECURITY
Network Detection & Response

Corelight

Your network has been talking. Nobody was listening - until now.

Gartner NDR Leader 2025 • Series E • $309M • San Francisco, CA
Corelight's Open NDR Platform - where packets become evidence. HQ: 548 Market St, San Francisco.
$309M Total Funding / ~260 Employees / 40%+ YoY ARR Growth / 10K+ Zeek Deployments / 2013 Founded

The Company That Sees Everything on Your Network

In a security operations center somewhere - probably more than one - an analyst is staring at an alert about anomalous lateral movement at 2 a.m. They could hunt through gigabytes of raw logs, correlate across five different tools, and maybe find an answer by morning. Or they could open Corelight Investigator, pull up the structured network evidence the platform has already assembled, and have a verdict in under fifteen minutes.

That gap - between flying blind and seeing clearly - is exactly the market Corelight has spent over a decade building into. Founded in San Francisco in 2013 by four researchers who had spent years building the world's most trusted open-source network monitor, the company has grown into the platform that Fortune 500 CISOs, federal agencies, and major financial institutions rely on when they need to answer the one question that matters: what actually happened on my network?

As of 2025, Corelight is a Gartner Magic Quadrant Leader for Network Detection and Response - for the second consecutive year since the inaugural report. It has raised $309.2M in total funding, most recently a $150M Series E led by Accel with strategic participation from Cisco Investments and the CrowdStrike Falcon Fund. Revenue is running at roughly $76.7M annually, growing at 40%+ year-over-year, with AI and SaaS-driven NDR growing at 300% year-over-year.

The network never lies. Everything else in security can be spoofed, faked, or manipulated. The network just records what happened.

Core Insight - Corelight's founding thesis

Security Was Blind in the One Place It Shouldn't Be

Security teams have always had logs. Firewall logs, endpoint logs, authentication logs. What they rarely had - in any structured, searchable, analysis-ready form - was network evidence: a faithful, high-fidelity record of every connection, every protocol exchange, every file transfer, every DNS query that crossed the wire.

Packet capture existed, of course. But capturing every packet at enterprise scale is expensive, unwieldy, and produces data that's nearly impossible to search. The alternative - summarized NetFlow data - strips out exactly the protocol-level detail that matters when an attacker is using legitimate channels to move laterally.

The result was a gap that sophisticated attackers learned to exploit. Advanced persistent threats dwell for an average of hundreds of days inside networks before detection precisely because defenders lack visibility into what the network actually shows them. You cannot find what you cannot see. And for most organizations, the network was effectively invisible.

The visibility problem in numbers: Advanced threat actors dwell inside enterprise networks for months before detection - exploiting the gap between endpoint telemetry and network reality. Corelight exists to close that gap with structured, evidence-grade network data.

$10T Managed assets protected
32M+ U.S. energy users defended
16M+ Annual patient visits secured
52K+ Transport vehicles covered
15+ Countries deployed
80% SIEM ingest reduction

A Lab Project, Thirty Years in the Making

In 1995, Dr. Vern Paxson was a researcher at Lawrence Berkeley National Laboratory with a specific frustration: network intrusion detection tools were noisy, brittle, and largely useless for serious investigation. So he built something better. He called it Bro - a nod to George Orwell's surveillance state, with the implicit message that if someone's watching the network, it ought to be the defenders.

Over the following two decades, Bro (later renamed Zeek in 2018, shedding the surveillance connotation) became the gold standard in network security monitoring. Dr. Robin Sommer joined in 2001. The National Science Foundation contributed roughly $8M in research funding. Seth Hall, an incident responder at Ohio State, started contributing in 2007 and never really stopped. Dr. Greg Bell, director of the Department of Energy's ESnet network, rounded out the team.

By 2013 they had a problem most open-source researchers dream of: the world wanted their software, but neither they nor anyone else was making it easy to deploy and maintain at enterprise scale. The bet was simple - build a company that sustains Zeek's development while packaging it into something a Fortune 500 security team can actually run.

Corelight was incorporated in 2016. The first Corelight Sensor launched the same year. CEO Brian Dye - a former Chief Product Officer at McAfee with an MIT engineering degree and Stanford MBA - joined to take the platform mainstream.

From Lab to Leader

1995 - Dr. Vern Paxson creates Zeek (then "Bro") at Lawrence Berkeley National Lab
2013 - Corelight founded by Paxson, Sommer, Hall & Bell to commercialize Zeek
2016 - Incorporated & launched first Corelight Sensor appliance
2017 - $9.2M Series A led by Accel. Brian Dye joins as CEO
2019 - $50M Series C; Zeek rebranded from "Bro"
2020 - Co-founders receive IEEE Test of Time Award for Zeek
2024 - $150M Series E; Gartner NDR Leader (inaugural); Investigator SaaS launch
2025 - Gartner NDR Leader again; Forrester Wave Leader; Great Place to Work certified

Open NDR: The Platform Under the Platform

Corelight's core insight - and its core product - is that network traffic is the most honest data source in enterprise security. Every other telemetry source can be manipulated by a sophisticated attacker. Network traffic, captured and analyzed at the infrastructure level, just tells you what happened.

The Open NDR Platform transforms raw network traffic into structured, high-fidelity logs using three complementary engines: Zeek for deep protocol analysis, Suricata for signature-based intrusion detection, and YARA for static file analysis. The result is network evidence - compact, searchable, analyst-ready data that integrates directly with major SIEM and XDR platforms.

In 2024, Corelight layered AI on top with Corelight Investigator, a SaaS threat hunting and triage platform. Guided Triage uses AI-led workflows that reduce alert triage time by up to 50%. The platform cuts SIEM ingest volume by up to 80% without sacrificing security fidelity - a meaningful cost reduction for enterprises spending millions annually on log storage.

Open NDR Platform (Core Product)

Hardware appliances, cloud sensors, virtual sensors, and software sensors - all generating Zeek + Suricata + YARA evidence from your network traffic.

Corelight Investigator (SaaS)

AI-powered SaaS platform for threat hunting and triage. Cuts SIEM ingest by 80%, reduces triage time by 50%, integrates with CrowdStrike, Microsoft & Google Chronicle.

Zeek Network Monitor (Open Source)

The gold standard open-source network security monitor. 10,000+ deployments worldwide. Turns raw traffic into compact, structured transaction logs.

Smart PCAP (Forensics)

Intelligent packet capture that preserves forensically relevant packets based on detection logic - without the cost of capturing everything.

Threat Intelligence (Intelligence)

Real-time adversary-driven threat intelligence with CrowdStrike Falcon Adversary Intelligence integration for contextualized network detections.

We didn't build a product and then look for a problem. We had the ground truth of network security for thirty years - we just needed to make it something enterprises could actually use.

Founding principle, Corelight

The Proof Is in the Capital Table

[Chart: Corelight Cumulative Funding ($M), 2017 to 2024. Data points: 2017 $9.2M; 2018 ~$25M; 2019 $80M; 2021 $160M; 2024 $309M. Legend: Early Rounds, Series D, Series E (2024).]

Cumulative funding rounded to nearest reported figure. Series B amount not publicly disclosed; estimated. Accel has participated in every round.

When CrowdStrike and Cisco Both Write Checks, Pay Attention

The $150M Series E in April 2024 was notable not just for the size, but for who showed up. Accel led the round, as they have every round since 2017. But Cisco Investments and the CrowdStrike Falcon Fund joined as strategic participants. When the two largest names in enterprise security invest in your platform, they're not just writing a check - they're validating your position in the architecture.

CrowdStrike's involvement is particularly telling. Their incident response team - one of the most respected in the industry - uses Corelight technology during network-based investigations. Corelight Investigator now integrates natively with CrowdStrike Falcon, letting IR teams move between endpoint and network evidence without switching platforms. That's not a marketing partnership. That's operational dependency.

Across the customer base, Corelight's scale is harder to appreciate in the abstract: the platform protects organizations managing over $10 trillion in assets, defends energy infrastructure serving 32 million Americans, and secures the networks behind 16 million annual patient visits. These aren't logos on a website - they're regulated industries where network security failures have real-world consequences.

Funding Rounds

Round | Amount | Date | Lead Investors
Series A | $9.2M | 2017 | Accel Partners
Series B | Undisclosed | 2018 | General Catalyst
Series C | $50M | 2019 | Insight Partners, Accel
Series D | Undisclosed | 2021 | Energy Impact Partners
Series E | $150M | Apr 2024 | Accel, Cisco Investments, CrowdStrike Falcon Fund

Evidence at the Heart of Security

Corelight's stated mission - "evidence at the heart of security" - is one of those rare company taglines that actually explains the business model. Evidence means network logs, protocol analysis, packet forensics. It means data that can be cross-referenced against endpoint telemetry, threat intelligence, and behavioral baselines. It means answers, not just alerts.

The open-source dimension matters here too. Zeek has 10,000+ deployments worldwide, many of them universities, government labs, and research institutions that could never afford a commercial platform. Corelight funds Zeek's continued development, ensuring the open-source standard stays current. This creates a flywheel: researchers build skills on Zeek, enterprises want the same standard with commercial support, and Corelight is the obvious bridge.

The company also maintains 50+ open-source repositories on GitHub, including Community ID - a flow-hashing standard now used across the broader security industry, including by competitors. That's either very generous or very strategically smart, depending on how you look at it. Most observers say both.

Key Partners & Integrations
CrowdStrike, Cisco, Microsoft Sentinel, Google Chronicle, AWS, Splunk, Elastic, SentinelOne, Mandiant, MITRE ATT&CK, OpenSearch, Azure

AI Is Changing What Attackers Can Do. Network Evidence Changes What Defenders Can See.

The threat landscape is accelerating in ways that favor attackers. AI tools make it cheaper to craft convincing phishing at scale, to generate malware variants that evade signature detection, and to automate reconnaissance. Living-off-the-land techniques - where attackers use legitimate tools and protocols to move through networks - are increasingly common precisely because they generate fewer endpoint alerts.

This is the environment in which Corelight has built its next chapter. Corelight Investigator's agentic triage features - expert-authored playbooks that automatically investigate the last seven days of activity when an alert fires - are a direct response to an SOC talent shortage that shows no signs of improving. When there aren't enough analysts to investigate every alert manually, you need AI that can do the initial triage reliably.

The 80% reduction in SIEM ingest volume matters here too. Enterprise SIEM bills have become one of security's most painful budget conversations. If you can cut the volume by 80% without reducing fidelity, you've just made security operations significantly more affordable at exactly the moment when organizations are trying to do more with constrained budgets.

When CrowdStrike's own incident response team runs your software during live investigations, you've moved past the 'interesting startup' stage into something more permanent.

Market observation, 2024

The network has always been the most honest witness in enterprise security. Corelight started as the company that made that witness easier to depose. It's becoming the company that makes the testimony actionable in real time - before the attacker has finished unpacking.
