The cybersecurity landscape has fundamentally shifted in the last several years. Adversaries are no longer just using AI to draft phishing emails; they're deploying autonomous AI agents capable of executing end-to-end attack chains, from initial reconnaissance through lateral movement and data exfiltration. Anthropic's analysis of recent incidents [1] indicates a rapid acceleration in attacker adoption of agentic workflows, dramatically shortening the time between initial access and impact. IBM X-Force data [2] confirms AI-assisted phishing attacks have surged by 1,265%, while a 2025 Gartner survey [3] found that 62% of organizations experienced deepfake attacks involving social engineering automation. The era of AI-versus-AI security operations has arrived, and defenders must respond in kind.
[1] Disrupting the first reported AI-orchestrated cyber espionage campaign: https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf
[2] IBM X-Force 2025 Threat Intelligence Index: https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-threat-intelligence-index?utm_source=chatgpt.com
[3] Gartner Survey Reveals GenAI Attacks Are on the Rise: https://www.gartner.com/en/newsroom/press-releases/2025-09-22-gartner-survey-reveals-generative-artificial-intelligence-attacks-are-on-the-rise?utm_source=chatgpt.com
Security teams are being forced to respond faster and more consistently to keep pace with these evolving tactics. However, as the speed and volume of threats increase, relying on manual, alert-by-alert triage has become entirely unsustainable for modern operations. To defend against GenAI-driven threats, security operations centers (SOCs) urgently require an AI-driven defense.
Today, we are excited to introduce Corelight Agentic Triage, a major new capability within Corelight Investigator. This launch marks the beginning of the AI SOC era, moving beyond simple alerts to provide analysts with a prioritized, evidence-backed view of the riskiest entities in their environment.
Modern SOC teams are operating under a convergence of pressures that have pushed traditional workflows to their breaking point. The industry is grappling with a massive skills gap; ISC2 [4] estimates a global cybersecurity workforce gap of approximately 4.76 million unfilled positions. This directly affects SOC operations, increasing the workload on existing analysts, with over 70% reporting unsustainable workloads. Meanwhile, adversaries operating with agentic AI can now execute multi-step attack chains in minutes, far faster than traditional alert-by-alert triage can possibly respond. The attack asymmetry is no longer just about volume; it's about velocity. Analysts are drowning in screen fatigue, excessive false positives, and the demanding need to pivot across multiple tools to gather context.
[4] 2024 ISC2 Cybersecurity Workforce Study: https://www.isc2.org/Insights/2024/10/ISC2-2024-Cybersecurity-Workforce-Study
To alleviate these pressures, many organizations previously turned to Security Orchestration, Automation, and Response (SOAR) platforms. Unfortunately, traditional SOAR initiatives frequently fail due to their complexity, heavy ongoing engineering requirements, massive maintenance burdens, and poor alignment with real-world analyst workflows.
The transition to a modernized SOC does not require highly customized, failure-prone SOAR builds, nor does it require fully autonomous AI replacements for human analysts. Instead, security leaders are actively seeking practical, outcome-based automation that meaningfully reduces repetitive toil and accelerates investigations without introducing new operational risk.
While the demand for AI-driven automation is clear, the market's current offerings have created massive hesitation. In a rush to capitalize on the AI trend, many security vendors are practicing what Gartner calls "agentwashing," rebranding legacy machine learning as modern "agentic" solutions. This marketing-first approach creates confusion in the market and leaves customers unsure who is truly prepared to defend against AI-driven threats.
More importantly, these proprietary systems erode trust. Traditional "black box" AI tools conceal their reasoning, evidence, and decision-making logic from users. For a SOC practitioner, an AI system that simply outputs a verdict without explaining how it arrived at that conclusion introduces significant risk during internal audits, incident response reviews, and regulatory scrutiny. It is no surprise that 38% [5] of senior cybersecurity leaders cite trusting AI recommendations as a top concern.
The stakes for transparent AI are rapidly rising. Gartner [6] predicts that by the end of 2026, "death by AI" legal claims related to safety and security failures will exceed 2,000, leading to a massive surge in regulatory involvement. Security decisions must be verifiable and explainable to survive this growing legal and regulatory landscape. Analysts need AI that provides transparent, defensible, and trustworthy reasoning.
Entity-centric, expert-driven

Corelight Agentic Triage addresses these exact challenges by completely transforming alert-driven workflows into entity-centric investigations. Instead of forcing security analysts to manually review hundreds of noisy alerts, Agentic Triage automatically consolidates the signals associated with a specific entity, such as a compromised workstation or user.
This is powered by a modern GenAI agent architecture designed specifically for real-world security operations. To ensure absolute reliability, these autonomous agents execute structured, expert-designed security playbooks. These playbooks act as strict guardrails that dictate the investigative process, mirroring the exact methodology a highly skilled tier 3 threat hunter would use.
[5] KPMG Survey: C-Suite Cyber Leaders Optimistic about Defenses, but Large Percentage Suffered Recent Cyber Attack: https://kpmg.com/us/en/media/news/2024-cybersecurity-survey.html
[6] Gartner Unveils Top Predictions for IT Organizations and Users in 2026 and Beyond: https://www.gartner.com/en/newsroom/press-releases/2025-10-21-gartner-unveils-top-predictions-for-it-organizations-and-users-in-2026-and-beyond?utm_source=chatgpt.com
By operating on Corelight's high-fidelity forensic data, the agents do not just "guess" at a verdict; they "prove" it with logic and evidence. This prevents AI hallucinations and ensures that every conclusion is anchored directly to raw, empirical network evidence.
Agentic Triage runs daily, scanning for critical detections and prioritizing the highest-risk IP entities based on detection severity, volume, and open status. Behind the scenes, AI seamlessly correlates alert triggers, historical patterns, and network traffic to build a complete behavioral profile of the entity. It then automatically synthesizes these findings to produce an actionable, evidence-backed threat assessment with prioritized recommendations. This expert analysis is designed to answer the most critical question an analyst faces.
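The consolidation step described above, as an added illustration that is not Corelight's code: constructed detection records are grouped into one case per IP entity, scored from the three inputs the text names (detection severity, volume, and open status), and ranked so the top N cases surface with their evidence pointers attached. The severity weights, the open-status multiplier, and the log references are assumptions for the example.

```python
from dataclasses import dataclass, field

# Assumed weights: how much one detection of each severity contributes.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}
OPEN_MULTIPLIER = 1.5  # assumed: an unresolved detection counts more than a closed one

# Constructed sample detections (entity, rule name, severity, status, evidence ref).
# Evidence refs mimic Zeek log uids / Suricata alerts; they are not real data.
SAMPLE_DETECTIONS = [
    ("10.0.0.5", "DNS tunnelling heuristic", "high", "open", "dns.log uid=C1a"),
    ("10.0.0.5", "Suspicious TLS SNI", "medium", "open", "ssl.log uid=C2b"),
    ("10.0.0.9", "Suricata C2 beacon signature", "critical", "closed", "eve.json event=SAMPLE"),
    ("10.0.0.7", "Port scan", "low", "open", "conn.log uid=C3c"),
    ("10.0.0.7", "Port scan", "low", "open", "conn.log uid=C4d"),
    ("10.0.0.7", "Port scan", "low", "open", "conn.log uid=C5e"),
]


@dataclass
class EntityCase:
    entity: str
    detections: list = field(default_factory=list)
    score: float = 0.0


def build_cases(detections):
    """Group raw detections by entity; volume accumulates as the score sums per entity."""
    cases = {}
    for entity, rule, severity, status, evidence in detections:
        case = cases.setdefault(entity, EntityCase(entity))
        case.detections.append((rule, severity, status, evidence))
        weight = SEVERITY_WEIGHT[severity]
        case.score += weight * (OPEN_MULTIPLIER if status == "open" else 1.0)
    return cases


def prioritize(detections, top_n=30):
    """Return the top_n riskiest entity cases, highest score first (ties by entity)."""
    cases = build_cases(detections)
    return sorted(cases.values(), key=lambda c: (-c.score, c.entity))[:top_n]


def case_summary(case):
    """Analyst-facing view: what drove the score and where to pivot for evidence."""
    return {
        "entity": case.entity,
        "score": round(case.score, 2),
        "open_detections": sum(1 for _, _, status, _ in case.detections if status == "open"),
        "highest_severity": max(case.detections, key=lambda d: SEVERITY_WEIGHT[d[1]])[1],
        "evidence": [f"{rule} -> {ref}" for rule, _, _, ref in case.detections],
    }
```

Note that the three sample entities rank severity-plus-open (10.0.0.5) above a single closed critical (10.0.0.9) and above many low-severity hits (10.0.0.7), which is the trade-off the scoring has to make explicit so an analyst can challenge it.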
Corelight Agentic Triage fundamentally changes the economics of the SOC by delivering three core outcomes: exponential speed, verifiable trust, and massive efficiency gains.
By automating the heavy lifting of data fetching, correlation, and initial analysis, Agentic Triage runs background investigations at machine speed without waiting for human intervention. The system automatically interrogates the top 30 riskiest entities in your environment daily. Shifting the investigative lens from hundreds of isolated alerts to fully consolidated entity cases enables triage up to 10x faster, reducing the Mean Time to Recover (MTTR) from hours to minutes for critical threats.
Unlike closed, “black box” security vendors that hide their underlying machine learning and LLM models, Corelight operates Agentic Triage with full transparency. Every automated investigation is documented through open playbooks that clearly explain the reasoning behind each step.
Corelight exposes the investigative logic, displays the outcome of every step, and links directly to the underlying evidence, including Zeek logs, Suricata alerts, and packet capture (PCAP) data, along with the queries used. Analysts can trace the AI’s reasoning and validate conclusions against raw network evidence without leaving the workflow.
Analysts are never asked to blindly trust AI. They can instantly pivot to pre-correlated data to verify every finding.
By grounding every verdict in empirical network evidence rather than opaque AI systems, Corelight reduces the risk of hallucinations, preserves analyst oversight, and enables defensible investigations that lower operational and audit risk.
We recognize that enterprise SOCs cannot send their highly sensitive network data to train public AI models. Corelight guarantees safe AI modernization with clear privacy handling: no customer data is ever retained, used to train, or used to fine-tune our models. Furthermore, existing customers must explicitly opt in and turn on the Private Data GPT integration for Agentic Triage to function, ensuring organizations maintain complete governance over their data.
Agentic Triage focuses on replacing time-consuming tasks, not human roles. By encoding the expertise of elite defenders into automated playbooks, it acts as a massive force multiplier for junior team members. It hands Tier 1 analysts a pre-investigated case as a "great starting point," allowing them to validate complex threats with the same rigor as a senior hunter without requiring deep query expertise. Eliminating this repetitive toil allows analysts to focus on high-value decision-making, increasing the number of cases handled per analyst by up to three times.
The daily life of a SOC analyst is drastically different before and after implementing Agentic Triage.
Before Agentic Triage: A SOC analyst arrives at 8 AM to find 147 open alerts across 89 entities. They must manually query multiple data sources, correlate alerts across detection categories, and navigate 6-7 tools to determine which threats are real. By 10 AM, they had fully investigated 4 entities and determined they were likely benign, while the queue kept growing.
After Agentic Triage: The same analyst sees a prioritized list of 5 likely malicious entities requiring review, each with pre-correlated evidence, behavioral context, and AI-generated confidence ratings. By coffee time, they've validated two true positives and escalated to response. Agentic Triage handled the investigative legwork; the analyst made the final call.
The continued proliferation of adversarial AI demands robust GenAI defenses that leverage the same capabilities attackers already use. Corelight Agentic Triage delivers trusted, transparent, expert-governed investigations that automate the heaviest lifting in the SOC while strictly preserving analyst control and oversight. This capability provides immediate operational value today while establishing a powerful, extensible foundation for the emerging era of AI-versus-AI defense.
Step beyond basic alerts and transform your SOC with the industry's most trusted, evidence-backed AI.