For years, SOC analysts have lived in a world of swivel-chair analysis. When an alert fires in an endpoint tool, the next step is almost always a manual pivot to a network console to see if the network reality matches the host behavior.
This manual back-and-forth isn't just tiring; it’s a window of opportunity for attackers. Corelight is excited to highlight a new integration with CrowdStrike® Charlotte AI™. By turning Corelight Investigator into a member of the agentic investigation team, we are moving from manual data retrieval to automated, collaborative investigation that spans the security ecosystem.
At its heart, this integration is about solving the manual analysis problem. Instead of an analyst manually hunting for network telemetry to investigate an alert, the integration enables Charlotte AI’s Response Agent and Corelight Investigator to talk to one another.
The flow works through a policy-guarded process that translates analyst questions into precise technical queries:
This isn't about one tool replacing another; it's about the power of combining complementary, cross-domain evidence to accelerate and improve investigations with complete context. Endpoint data provides detailed insights into host behavior. Corelight's network evidence provides the other half: a semantic understanding of network traffic and protocol-level transaction details that serve as ground truth for any investigation.
When an AI agent like Charlotte AI’s Response Agent has access to both sources, the result is a more complete and accurate picture of what happened.
Data quality matters here more than most people realize. As Greg Bell, Corelight Co-Founder and Chief Strategy Officer, wrote in a recent post on AI in the SOC: "In a world that focuses so heavily on frontier models, it's critical to remember that every model will fail when starved of rich data." Corelight's structured, context-rich network data is grounded in open-source standards that are already understood by LLMs, and designed to feed seamlessly into SIEMs and AI/ML pipelines out of the box. The result is structured, high-fidelity network evidence that AI agents can interpret and reason over effectively, without requiring custom training or fine-tuning.
This integration is designed to deliver instant value across the SOC by automating the "toil" out of the investigation process:
| Persona | Situation | The "Agentic" outcome |
|---|---|---|
| SOC Analyst | Validating host behavior against network reality. | Charlotte AI asks the network-related question, and Corelight Investigator automatically answers—reducing the manual steps required to corroborate a finding. |
| Incident Responder | Triaging a high volume of lateral movement alerts. | The workflow handles the API calls and data formatting, freeing the responder to focus on analysis and remediation. |
For AI to be useful in a security context, it must be consistent and controlled. This integration includes guardrails and state management to ensure repeatable results. To achieve this, queries follow a standardized validation path, and built-in controls prevent redundant data retrieval while preserving investigation relevance and completeness. The goal is a triage process that analysts can trust to behave the same way every time.
This Charlotte AI integration is one part of a broader investment Corelight is making in the AI-powered SOC. We are pursuing three complementary strategies, all grounded in the quality of our network evidence:
By making Corelight's network evidence a native, agentic part of the CrowdStrike experience, we're helping SOC teams work more effectively, ensuring their primary investigation console has access to high-fidelity network context alongside endpoint telemetry. It's a more complete and unified way to defend the enterprise.