Unified Detection and Asset Intelligence Helps Security Teams Outpace Automated Exploitation Enabled by Mythos-Class AI Models
SAN FRANCISCO — June 17, 2026 — Corelight, a leader in fueling the AI SOC, today announced the expansion of its Open NDR platform to include native network performance monitoring and passive asset classification capabilities. The release adds complete asset visibility to the existing anomaly detection foundation that security teams need to defend against AI-powered threats: attacks enabled by Mythos-class models that can discover and weaponize vulnerabilities faster than any patching program can respond.
This new AI-driven threat landscape renders strategies that rely on endpoint controls and patching alone insufficient. With this release, the same Zeek-based analysis engine that powers Corelight's detections now continuously classifies every communicating asset and AI service from traffic that is already being collected, with no active polling, agents, or dedicated infrastructure required. In an era where vulnerability scores alone are no longer an adequate map of immediate risk, Corelight adds a critical new signal: real-time evidence about which hosts are reachable and under active attack. This gives security teams a stronger foundation for prioritization and gives leadership more confidence about what is actually happening in critical environments.
"AI-powered tools enabled by Mythos-class models can now discover and weaponize zero-day vulnerabilities at machine speed, creating a state of permanent vulnerability where no organization can patch its way to safety. In this environment, you cannot defend what you cannot see," said Vijit Nair, vice president of product, Corelight. "Every unmanaged device, shadow IT endpoint, shadow AI platform or service, and OT asset that cannot be seen by agent-based tools is a potential entry point for an adversary. Corelight closes that gap — turning the network itself into a continuously current inventory of everything that communicates, with no agents, no scan cycles, and no blind spots. The same sensor that classifies assets also detects the exploitation that follows if one of them is compromised."
Continuous Visibility, Anomaly Detection, and AI-Ready Evidence
Delivering on that promise requires visibility that starts at the asset layer and extends across every stage of an attack. Corelight passively classifies every device the moment it communicates — including ICS/OT, IoT, unmanaged endpoints, unauthorized AI tools, and LLM endpoints that conventional scanners can miss — so organizations always know precisely what they are defending. That inventory feeds anomaly detection that combines unsupervised ML baselining and supervised ML with behavioral and signature-based confirmation, capturing post-breach activity regardless of whether a CVE exists. This information lets defenders act on findings through direct integrations with EDR, identity, and firewall providers.
The same high-fidelity, structured Zeek metadata that powers those detections also serves as clean fuel for the AI-driven SOC. By feeding AI tools and LLM agents with real-time asset, identity, and performance context, defenders can automate complex workflows, enabling 10x faster triage with auditable reasoning at every step.
"In incident response, a fast mean-time-to-understanding is everything," said the head of network incident and response at a Fortune 100 manufacturing enterprise. "Corelight's passive asset classification provides our security operations team with immediate, accurate IT and OT device visibility right where we are already analyzing traffic, allowing network defenders to drastically accelerate triage and investigate alerts with confidence."
Unlocking Two New Capabilities from One Sensor
Corelight sensors passively analyze network traffic and parse it into rich protocol logs. The update delivers two new capabilities to complement Corelight’s industry-leading data:
Passive Asset Classification automatically identifies and categorizes every device communicating on the network — including workstations, servers, IoT devices, printers, unmanaged endpoints, more than 180 AI services, AI platforms, and BYOD devices — by analyzing protocol fingerprints in observed traffic. Each asset is classified by device type, operating system, hardware manufacturer, model, and network role (client, server, gateway, DNS resolver), and captured in a dedicated log. Because classification is derived from live traffic rather than scheduled polls or agent deployment, the inventory is always current and covers device classes that endpoint security and CMDB tools routinely miss.
Network Performance Monitoring passively extracts performance signals, including TCP round-trip time decomposed into client-side and server-side latency, DNS resolution timing, and TLS/QUIC handshake metrics. Rather than flooding SIEMs with continuous telemetry, the Network Performance package operates on an anomaly-first architecture, generating alerts only when a configurable threshold is crossed. Performance alerts are domain-aware, correlated to actual service names — such as DNS query names, TLS SNI, HTTP host headers, and QUIC — rather than ephemeral IP addresses. Every alert includes the unique connection identifier (uid) of the first connection that triggered the threshold, enabling analysts to pivot directly from a performance anomaly to the exact underlying connection log.
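The anomaly-first alerting pattern described above (alert only on a threshold crossing, key the alert to a service name rather than an IP, and carry the uid of the first connection that crossed) is illustrated here as an added example; it is not Corelight's code. The `uid` and `resp_h` fields mirror Zeek conn.log columns, while `sni` (normally joined from ssl.log by uid) and `server_rtt_ms` are assumed, constructed inputs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample records (not real traffic). uid and resp_h follow Zeek conn.log
# naming; sni and server_rtt_ms are assumptions added for this example.
SAMPLE_CONNS: List[Dict] = [
    {"uid": "C1aaaa", "resp_h": "203.0.113.10", "sni": "api.example.com", "server_rtt_ms": 12.0},
    {"uid": "C2bbbb", "resp_h": "203.0.113.10", "sni": "api.example.com", "server_rtt_ms": 250.0},
    {"uid": "C3cccc", "resp_h": "203.0.113.11", "sni": "api.example.com", "server_rtt_ms": 300.0},
    {"uid": "C4dddd", "resp_h": "203.0.113.50", "sni": "",                "server_rtt_ms": 180.0},
    {"uid": "C5eeee", "resp_h": "203.0.113.10", "sni": "api.example.com", "server_rtt_ms": 15.0},
    {"uid": "C6ffff", "resp_h": "203.0.113.10", "sni": "api.example.com", "server_rtt_ms": 400.0},
]

@dataclass
class Alert:
    service: str        # domain-aware key (SNI), falling back to the responder IP
    first_uid: str      # uid of the first connection that crossed the threshold
    server_rtt_ms: float

class LatencyMonitor:
    """Emit one alert per service when server-side RTT crosses a configurable threshold."""

    def __init__(self, threshold_ms: float) -> None:
        self.threshold_ms = threshold_ms
        self.in_breach: Set[str] = set()   # services currently above threshold
        self.alerts: List[Alert] = []

    def observe(self, conn: Dict) -> Optional[Alert]:
        # Prefer the service name; note that resp_h changed between C2bbbb and C3cccc
        # yet both map to the same service, so no duplicate alert is raised.
        service = conn["sni"] or conn["resp_h"]
        rtt = conn["server_rtt_ms"]
        if rtt > self.threshold_ms:
            if service in self.in_breach:
                return None                # still in breach: suppress, do not flood the SIEM
            self.in_breach.add(service)
            alert = Alert(service, conn["uid"], rtt)
            self.alerts.append(alert)
            return alert
        self.in_breach.discard(service)    # recovered: the next crossing alerts again
        return None

def run_monitor(conns: List[Dict], threshold_ms: float = 100.0) -> List[Alert]:
    """Replay connection records through the monitor and return the alerts raised."""
    monitor = LatencyMonitor(threshold_ms)
    for conn in conns:
        monitor.observe(conn)
    return monitor.alerts

if __name__ == "__main__":
    for a in run_monitor(SAMPLE_CONNS):
        print(f"{a.service}: server RTT {a.server_rtt_ms} ms, pivot on uid {a.first_uid}")
```

Each alert's `first_uid` is the pivot back into the connection log; the service key is what lets an analyst see the latency as a property of `api.example.com` rather than of whichever responder IP happened to serve it.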
"Mythos-class AI capabilities have effectively ended the era in which organizations could manage cyber risk through patching discipline alone," said Chris Kissel, research vice president, IDC Security & Trust. "The unknown attack surface — unmanaged endpoints, OT devices, unauthorized AI tooling, assets that have never appeared in a CMDB — is precisely where AI-powered adversaries will look first, because it is where defenders are least prepared. Network-level asset classification that operates continuously and passively is the only mechanism that scales to match that reality."
For security operations teams, this latest advancement enriches every security alert with the exact identity of the involved asset and its real-time performance context, accelerating triage and reducing false positives. For network operations teams, the platform acts as an independent observer that delivers a rapid "mean time to innocence" — the ability to definitively prove the network is healthy when applications run slowly, without managing a separate monitoring stack.
About Corelight
Corelight transforms network and cloud activity into evidence that security teams use to proactively hunt for threats, accelerate response to incidents, gain complete network visibility, and create powerful analytics. Corelight’s customers include Global 2000 companies, major government agencies, and large research universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek®, the widely used open-source network security technology. For more information, visit www.corelight.com.