Combines Network Forensics, Expert Playbooks, and Transparent AI Evidence to Deliver Trusted, Defensible, Analyst-Friendly Automated Triage
SAN FRANCISCO – March 18, 2026 – Corelight, the fastest-growing leader in network detection and response solutions, today announced category-first agentic AI capabilities that help modern security operations centers (SOCs) automate the most repetitive tasks consuming security teams, dramatically improving analyst efficiency and speed while also building trust through complete transparency. The company has released Agentic Triage to accelerate SOC workflows, a new suite of machine learning models to turn encrypted blind spots into evidence, and integrations across the AI-enabled SOC ecosystem to facilitate immediate containment of compromised accounts.
“By pairing the industry's highest-fidelity network telemetry from Corelight with an expert-governed AI agent, we are giving security teams the evidence they need to trust, verify, and act on AI-generated insights,” said Vijit Nair, Corelight vice president of product. “Only Corelight delivers true agentic AI triage in NDR, uniquely transforming overwhelming alert queues into verified, defensible investigations by applying expert playbooks to industry-leading network evidence with AI reasoning, drastically reducing time-to-triage and equipping analysts with definitive answers.”
Accelerating SOC Workflow through Agentic Intelligence
Modern SOCs are under relentless pressure as adversaries actively leverage generative AI to automate reconnaissance and accelerate attacks, while most triage processes remain manual, repetitive, and highly variable across analysts. Corelight Agentic Triage is a category-first automated investigation capability that helps security teams move from high-volume alert noise to rapid, evidence-backed containment, making triage up to 10x faster.
Powered by a modern GenAI agent architecture and driven by expert-written investigative playbooks, Agentic Triage automatically investigates the highest-risk entities in a customer's environment on a daily basis. Instead of requiring analysts to manually review hundreds of individual alerts, the Corelight Lux agent consolidates signals into entity-centric investigations, applies structured investigative logic, and delivers a single, evidence-backed triage verdict, complete with transparent reasoning a human analyst can inspect and verify.
Unlike proprietary systems that hide the details used to inform AI decision-making, Corelight Agentic Triage exposes every playbook step, every query run, and every piece of evidence used to reach a conclusion. This "show-your-work" approach is purpose-built for enterprise SOCs that require AI to be accountable, reviewable, and defensible during audits and incident response reviews.
Connecting to and Empowering the AI-Enabled Ecosystem
Once analysts have identified the highest-risk entities and are ready to take action, they want to contain threats immediately without having to pivot to another system. Corelight now ingests real-time identity data to enrich and complement the robust network evidence and correlate insights about problematic entities connected to the network. Now that analysts can connect the “who” to the “what” that is happening on the network, they can use the integrations with Microsoft Azure AD/Entra and CrowdStrike to trigger one-click actions such as universal logout and password resets without pivoting to a separate tool. This ability to take response actions directly on compromised identities builds on Corelight’s ability to directly quarantine endpoints and trigger firewall block actions.
In addition, Corelight has released a new integration with CrowdStrike’s Charlotte AI and Agentic Response Collaboration, seamlessly working with other AI agents across the security stack to maximize the value of network data, providing critical context for investigations no matter where they occur. The integration creates a CrowdStrike Fusion workflow that allows Charlotte AI to automatically pull Corelight ground truth data to help an analyst resolve an alert by validating host behavior against network reality.
“The question facing every CISO today is not whether to adopt AI in the SOC—but rather how quickly and how comprehensively,” said Andrew Braunberg, principal analyst at Omdia. “Adding to the urgency is the weaponization of generative models by adversaries to automate reconnaissance, accelerate attacks, and evade detection. Defenders need AI that can accelerate response, and critically, that shows its work. To build trust in these solutions, explainability isn't a nice-to-have; it's a requirement, particularly in regulated environments.”
Detecting Multi-Stage Intrusions with Advanced ML Everywhere
Indisputable evidence and robust detections are the foundation for any AI capability to be successfully integrated into today’s modern SOC. To support the advancement of AI in the SOC, Corelight is also introducing an expansion of its advanced machine learning and behavioral detections with a new suite of statistical models designed to detect evasive, post-exploitation techniques, including tunneling anomalies and VPN anomalies, without requiring decryption.
Today’s sophisticated threat actors are looking for the dark corners of target networks to exploit, increasingly tunneling attacks in encrypted sessions to evade detection and hide their true intent. By analyzing the statistical “shape” and behavioral metadata of traffic, Corelight is able to transform encrypted blind spots into high-fidelity evidence. This allows security teams to better identify covert command and control (C2) channels and lateral movement, even in environments where traditional inspection is impossible.
Corelight's new ML models detect evasive threats that traditional signatures miss by analyzing behavioral patterns across the network — flagging unauthorized VPNs, identifying uncommon tunneling activity at the subnet level, and catching credential theft techniques like DCSync and NTDS.dit dumps before attackers can pivot. The platform has also expanded its brute force detection surface, correlating both low-and-slow and high-volume credential attacks across critical vectors including Kerberos, RDP, SMB, and SSH. Together, these models give security teams high-fidelity visibility into post-exploitation activity without requiring decryption.
Learn More
Customers are invited to come see the Corelight team in booth N-5683 at RSAC March 23-26 in San Francisco to see Agentic Triage in action. For more information, please visit https://corelight.com/blog/agentic-triage-soc-t....
About Corelight
Corelight transforms network and cloud activity into evidence that security teams use to proactively hunt for threats, accelerate response to incidents, gain complete network visibility, and create powerful analytics. Corelight's global customers include Global 2000 companies, major government agencies, and large research universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek®, the widely used open-source network security technology. For more information, visit www.corelight.com.