This is a fascinating moment. Whether you think Generative AI is over-hyped or not, our technology landscape has been shocked by capabilities we couldn’t imagine a few years ago. And I do mean shocked. What’s underway is too rapid and uncanny to describe in terms of evolution. We are living through something different.
At a recent UC Berkeley conference, 2,000 people gathered in person and 40,000 more online, as leading computer scientists and practitioners, including the chief scientists of OpenAI and NVIDIA, reflected on the state of AI. There was little consensus about the future, and many experts noted gaps in our knowledge. For instance, we don’t understand how language models work at a fundamental level, or how to secure them.
To compound this uncertainty, each day brings contradictory reports: AI breakthroughs on the one hand, warnings of over-valuation on the other.
When it comes to the long-term implications of AI, I think we can expect uncertainty to last for several years. But the story for cyber is clearer. Defenders need to start adopting AI today - we can’t afford to wait. That’s because attackers have embraced the new tools quickly. A series of threat reports has settled the question of whether AI is helping attackers or defenders more. Attackers are in the lead, in part because they can adopt emerging tech immediately - without legal and architectural review.
But we shouldn’t count defenders out. As Black Hat 2025 illustrated, dozens of companies are working to harness AI for better defensive outcomes. Setting aside some predictable AI-washing, there is real progress to highlight. For example, AI agents can trounce most human competitors in capture-the-flag exercises, perform high-drudgery SOC tasks such as alert triage, emulate the behavior of intruders, assess code repositories for problems, and monitor written communication for insider risk. In addition, AI-powered detections can uncover both known and unknown attacks and variants. Finally, the entire SOC ecosystem can benefit from the ability of agents to integrate dozens of data sources, tools, and APIs into a coherent view.
Even if SOC adoption is lagging, a few durable patterns are beginning to emerge:
- Barriers (including context limits, latency, and cost) are falling fast
- Model rankings continue to shift weekly, with no permanent leader
- Most enterprises prefer turn-key solutions, though larger firms are rolling their own
- Human analysts are still in the loop, for now
What can we expect next?
As AI agents become deeply embedded in security workflows, and as SOCs become skilled in managing new tools, there will be a growing recognition that the choice of tooling matters less than the quality of data available to it. That insight (‘garbage in, garbage out’) is worth repeating. In a world that focuses so heavily on frontier models, it’s critical to remember that every model will fail when starved of rich data.
For this reason, the new AI-powered SOC must include agentic systems to leverage LLMs, combined with exceptional data to power new workflows. Both elements are important. Together, they can deliver better risk analysis, red-teaming, detection, investigation, remediation, and more.
In our effort to harness AI for improved outcomes, Corelight is pursuing three strategies - all of them grounded on best-in-class data.
- First, we are using a range of AI techniques to deliver accurate, actionable, and deterministic detections with a low false-positive rate.
- Second, we are infusing our platform with AI-powered workflow enhancements to make investigations faster, more efficient, and more accurate.
- Third, we are integrating with customers’ own AI SOC ecosystems by providing agentic tools, playbooks, and data itself.
These building blocks can greatly accelerate the work of analysts, detection engineers, and threat hunters.
Corelight has evangelized the power of rich data since our earliest days. ‘Rich,’ to us, means data that’s highly detailed, broadly contextualized, usefully interlinked, and thoughtfully structured. Because our data is generated by open source tools (Zeek and Suricata), it’s already well-understood by every language model. LLMs are trained on the public Internet, which includes decades of discussion of these tools. As a result, models know how to interpret and work with Corelight data out of the box, giving our customers a significant leg up.
Wherever you are in your AI adoption journey, it’s important to remember that AI is only as good as the evidence it learns from. Even if you’re not quite ready to adopt agentic products or features in the SOC, you can build your strategy on solid foundation by partnering with a company providing exceptional data - the most important raw fuel for AI.
