Integration provides vital data and detections so AI agents investigating security issues can understand the breach, risk, and required mitigation
Corelight, a leader in fueling the AI SOC, today announced that it is providing industry-leading data to power AI investigations of emerging threats through an integration of Corelight Open NDR into Cloud Control Studio. Cloud Control Studio is the design space within Cisco Cloud Control, Cisco’s unified platform for agentic IT operations, where customers can build AI agents and connect them to non-Cisco tools. This integration will provide security teams and the AI agents they employ in AI Canvas with detections and uniquely powerful data to effectively investigate security issues, improving the speed and accuracy of agentic security workflows.
“Defenders have long known that richer evidence improves security outcomes by enabling faster triage, deeper analysis, and more complete investigation,” said Greg Bell, Corelight co-founder and chief strategy officer. “Through a controlled AI experiment, we have proven that higher-quality data enables agentic SOC tools to respond to real-world attack scenarios faster and more accurately. Through this integration, Corelight can now make its data available to our mutual customers through integrations with their security stack of choice.”
While the experiment showed consistent results across different LLMs, even the most advanced models could not overcome the limitations imposed by low-quality or incomplete network data. This finding has important implications for the architecture of SOCs going forward, especially because efficiency improvements compound in an increasingly automated environment. If agentic automation boosts SOC efficiency by 10x in the next year or two, then the choice to use better data, lifting investigative success rates from 30% to 90%, will result in a dramatic increase in overall efficiency.
Corelight data is produced through deep packet inspection, using the underlying power of Zeek and Suricata. It takes the form of structured logs summarizing network conversations across dozens of protocols, interlinked by unique connection identifiers. In addition, it incorporates proprietary content generated from a range of analysis engines, including behavioral, statistical, and machine learning models (with a focus on C2 detection, lateral movement, encrypted traffic analysis, entity analysis, and analysis of extracted files, among other goals). Corelight also supports additional detection features and capabilities, including unsupervised machine learning for anomaly detection, and integrations with EDR, CMDB, and identity providers.
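To make the "interlinked by unique connection identifiers" point concrete, here is an added example (not Corelight's or Cisco's code, and not from the announcement) that joins Zeek-style JSON log lines by the connection `uid`, then pivots from a DNS answer to the later connections made to the resolved address. The sample lines are constructed; the field names follow Zeek's public conn, dns, ssl, http and files log schemas, and the `_path` field that names the originating log is an assumption about how the lines are tagged when several logs are streamed together.

```python
import json
from collections import defaultdict

# Constructed sample lines in Zeek's JSON log format. Field names follow Zeek's
# conn/dns/ssl/http/files logs; values are made up and are not real Corelight output.
# "_path" naming the source log is an assumption about the streaming format.
SAMPLE_LINES = [
    '{"_path":"conn","ts":1700000000.1,"uid":"CDef2","id.orig_h":"10.0.0.5","id.orig_p":40001,"id.resp_h":"10.0.0.2","id.resp_p":53,"proto":"udp","service":"dns","duration":0.02,"orig_bytes":40,"resp_bytes":56}',
    '{"_path":"dns","ts":1700000000.1,"uid":"CDef2","query":"example.com","qtype_name":"A","answers":["93.184.216.34"]}',
    '{"_path":"conn","ts":1700000010.0,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl","duration":12.5,"orig_bytes":1200,"resp_bytes":53000}',
    '{"_path":"ssl","ts":1700000010.0,"uid":"CAbc1","server_name":"example.com","version":"TLSv13"}',
    '{"_path":"conn","ts":1700000020.0,"uid":"CGhi3","id.orig_h":"10.0.0.5","id.orig_p":51240,"id.resp_h":"93.184.216.34","id.resp_p":80,"proto":"tcp","service":"http","duration":1.4,"orig_bytes":300,"resp_bytes":45000}',
    '{"_path":"http","ts":1700000020.0,"uid":"CGhi3","method":"GET","host":"93.184.216.34","uri":"/update.bin","status_code":200}',
    '{"_path":"files","ts":1700000020.1,"uid":"CGhi3","fuid":"FXyz9","mime_type":"application/x-dosexec","total_bytes":45000}',
    '{this line is deliberately malformed to show the parser skipping it',
]


def parse_lines(lines):
    """Yield one dict per well-formed JSON log line; malformed lines are skipped."""
    for line in lines:
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def correlate_by_uid(lines):
    """Group every log record under its Zeek connection uid.

    Returns {uid: {"conn": <conn record or None>, "protocol": [other records]}}.
    """
    records = defaultdict(lambda: {"conn": None, "protocol": []})
    for rec in parse_lines(lines):
        uid = rec.get("uid")
        if not uid:
            continue
        if rec.get("_path") == "conn":
            records[uid]["conn"] = rec
        else:
            records[uid]["protocol"].append(rec)
    return dict(records)


def connections_to_resolved_hosts(records, domain):
    """Pivot: uids of connections whose responder IP appeared in a DNS answer
    for `domain`, ordered by connection start time."""
    resolved = set()
    for entry in records.values():
        for rec in entry["protocol"]:
            if rec.get("_path") == "dns" and rec.get("query") == domain:
                resolved.update(rec.get("answers", []))
    hits = [
        (entry["conn"]["ts"], uid)
        for uid, entry in records.items()
        if entry["conn"] and entry["conn"].get("id.resp_h") in resolved
    ]
    return [uid for _, uid in sorted(hits)]


def summarize(uid, entry):
    """One-line, analyst-readable view of a correlated connection."""
    c = entry["conn"] or {}
    parts = [f"{uid} {c.get('id.orig_h')} -> {c.get('id.resp_h')}:{c.get('id.resp_p')} {c.get('service')}"]
    for rec in entry["protocol"]:
        p = rec.get("_path")
        if p == "dns":
            parts.append(f"dns {rec.get('query')} -> {','.join(rec.get('answers', []))}")
        elif p == "ssl":
            parts.append(f"ssl sni={rec.get('server_name')}")
        elif p == "http":
            parts.append(f"http {rec.get('method')} {rec.get('host')}{rec.get('uri')} {rec.get('status_code')}")
        elif p == "files":
            parts.append(f"file {rec.get('fuid')} {rec.get('mime_type')} {rec.get('total_bytes')}B")
    return " | ".join(parts)


if __name__ == "__main__":
    recs = correlate_by_uid(SAMPLE_LINES)
    for uid in connections_to_resolved_hosts(recs, "example.com"):
        print(summarize(uid, recs[uid]))
```

The value for an investigating agent is that a single `uid` pulls the TLS server name, the HTTP request and the extracted-file metadata into one record, and the DNS answer gives a pivot from a name to every later connection to the resolved address, without re-parsing packets. Absent or malformed lines degrade the view rather than break it, which is the "incomplete network data" limitation the experiment above describes.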
The Corelight team will be available to discuss and demonstrate this integration at the Cisco Cloud Control booth at this week’s Cisco Live event in Las Vegas.