Corelight Sensor v29.1 release highlights: Network evidence powers network operations
Corelight Sensor v29.1 turns your existing sensors into one platform for SecOps and NetOps, with gap-free forensic evidence behind every alert.
Every packet flowing through a Corelight sensor contains both security-relevant data and performance-relevant data. Until now, Corelight has focused exclusively on extracting security value from network traffic: connection logs, protocol analysis, and threat detections. But the same traffic that reveals lateral movement also reveals TCP latency. The same DNS queries that surface potential C2 channels also reveal resolution timing. The same TLS handshakes that identify encryption anomalies also reveal connection establishment delays.
Today, we’re unlocking that value with Performance and Asset Visibility, extending our network evidence to deliver immediate, actionable intelligence for both Security Operations and Network Operations teams from a single sensor deployment.
In most organizations, Security Operations (SecOps) and Network Operations (NetOps) teams operate with separate toolsets, separate workflows, and separate data sources. When users complain that applications are slow, the first call goes to NetOps, whether or not the network is at fault. When a security alert fires on an unfamiliar IP address, analysts waste precious triage time asking, “what is this device?” This fragmentation creates blind spots, delays incident response, and drives up operational costs. Meanwhile, CIOs face mounting pressure to consolidate tools and demonstrate ROI from existing investments. Organizations shouldn’t need separate infrastructure just to answer two fundamental questions: what is this device, and is the network the problem?
Corelight sensors already capture the high-fidelity network data required for industry-leading security evidence. Performance and Asset Visibility simply unlocks two new capabilities from information that already exists within that same traffic, with no additional hardware, no active polling agents, and no second vendor’s appliances to deploy and maintain.
Corelight now continuously discovers and classifies every device on your network the moment it communicates. By analyzing network evidence, the sensor classifies device types, operating systems, manufacturers, and network roles in real time.
This means the sensor automatically surfaces unmanaged endpoints, IoT devices, and shadow IT from their traffic behavior, even when they bypass traditional inventory tools. Abstract IP addresses become recognizable, real-world devices: a Windows workstation, a domain controller, a network printer. For security teams, this translates to faster investigations, immediate alert prioritization, and an always-current view of the attack surface. Because the classification is inferred from observed traffic, it is passive: a device that has not yet sent packets past the sensor has no entry, and indicators such as DHCP host names and HTTP User-Agent strings are supplied by the client itself, so treat any single indicator as a hint and corroborate it with what the host actually serves and who it talks to.
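To make the idea concrete, here is an added example of passive asset classification over Zeek-style log records. It is illustrative code written for this page, not Corelight’s classifier: the log field names (id.orig_h, id.resp_h, id.resp_p, service, conn_state, client_addr, host_name, user_agent) are Zeek’s, but the hosts, values and role rules are constructed assumptions. It turns DHCP host names and HTTP User-Agent strings into hostname and OS guesses, derives roles such as domain controller or printer from the ports a host demonstrably accepts connections on (a refused connection is deliberately not counted), and flags hosts with no identifying evidence that still talk to the internet.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed Zeek-style records for this example. Field names are Zeek's; the
# hosts and values are made up.
SAMPLE_LOGS = [
    ("dhcp", {"client_addr": "10.0.1.20", "host_name": "WS-ACCT-07", "domain": "corp.example"}),
    ("http", {"id.orig_h": "10.0.1.20",
              "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}),
    ("conn", {"id.orig_h": "10.0.1.20", "id.resp_h": "10.0.0.5", "id.resp_p": 88,
              "service": "krb_tcp", "conn_state": "SF"}),
    ("conn", {"id.orig_h": "10.0.1.20", "id.resp_h": "10.0.0.5", "id.resp_p": 389,
              "service": "ldap", "conn_state": "SF"}),
    ("conn", {"id.orig_h": "10.0.1.20", "id.resp_h": "10.0.0.5", "id.resp_p": 445,
              "service": "smb", "conn_state": "SF"}),
    ("conn", {"id.orig_h": "10.0.1.20", "id.resp_h": "10.0.2.9", "id.resp_p": 9100,
              "service": None, "conn_state": "SF"}),
    ("conn", {"id.orig_h": "10.0.1.20", "id.resp_h": "10.0.2.9", "id.resp_p": 631,
              "service": "ipp", "conn_state": "SF"}),
    # A refused connection says nothing about what the responder offers.
    ("conn", {"id.orig_h": "10.0.3.44", "id.resp_h": "10.0.0.5", "id.resp_p": 3389,
              "service": None, "conn_state": "REJ"}),
    # A host with no DHCP or User-Agent evidence at all, talking to the internet.
    ("conn", {"id.orig_h": "10.0.3.44", "id.resp_h": "203.0.113.10", "id.resp_p": 443,
              "service": "ssl", "conn_state": "SF"}),
]

# Assumed address plan: RFC 1918 space is "ours", everything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Zeek conn_state values in which the responder completed the TCP handshake,
# i.e. something really listens on that port.
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}
# Assumed role rules: an internal host accepting connections on every port in the set gets the role.
ROLE_RULES = [
    ("domain controller", {88, 389}),   # Kerberos + LDAP
    ("network printer", {9100}),        # raw JetDirect
    ("network printer", {631}),         # IPP
]
OS_MARKERS = [("Windows NT", "Windows"), ("Macintosh", "macOS"), ("Android", "Android"), ("Linux", "Linux")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _new_host():
    return {"hostname": None, "os": None, "role": "unknown",
            "listens_on": set(), "talks_external": False, "evidence": []}


def classify(logs):
    """Build a per-IP asset view from the evidence in the records; returns {ip: asset dict}."""
    hosts = defaultdict(_new_host)
    for kind, rec in logs:
        if kind == "dhcp" and rec.get("host_name"):
            host = hosts[rec["client_addr"]]
            host["hostname"] = rec["host_name"]
            host["evidence"].append("dhcp:host_name")
        elif kind == "http":
            host = hosts[rec["id.orig_h"]]
            for marker, os_name in OS_MARKERS:
                if marker in rec.get("user_agent", ""):
                    host["os"] = os_name
                    host["evidence"].append("http:user_agent")
                    break
        elif kind == "conn":
            orig, resp = hosts[rec["id.orig_h"]], rec["id.resp_h"]
            if not is_internal(resp):
                orig["talks_external"] = True
                continue                      # external hosts are not assets we inventory
            if rec["conn_state"] in ESTABLISHED:
                hosts[resp]["listens_on"].add(rec["id.resp_p"])
    # Derive roles only once all evidence for a host has been collected.
    for host in hosts.values():
        for role, ports in ROLE_RULES:
            if ports <= host["listens_on"]:
                host["role"] = role
                host["evidence"].append("conn:listens_on:" + ",".join(map(str, sorted(ports))))
                break
        else:
            if host["hostname"] and host["os"]:
                host["role"] = "workstation"
        host["listens_on"] = sorted(host["listens_on"])
    return dict(hosts)


def unmanaged_external(assets):
    """Hosts with no identifying evidence that still talk to the internet: shadow-IT candidates."""
    return sorted(ip for ip, a in assets.items()
                  if a["talks_external"] and not a["hostname"] and not a["os"] and a["role"] == "unknown")


if __name__ == "__main__":
    for ip, asset in sorted(classify(SAMPLE_LOGS).items()):
        print(ip, asset["role"], asset["hostname"], asset["os"], asset["evidence"])
    print("unmanaged, talking externally:", unmanaged_external(classify(SAMPLE_LOGS)))
```

Two design points carry over to any real deployment: roles are derived from what a host proves it serves (completed handshakes), not from what a client claims about itself, and the evidence list is kept on every asset so an analyst can see why a label was assigned before trusting it in triage.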
Rather than flooding your SIEM with continuous telemetry, our new network performance monitoring capability takes an anomaly-first approach. It generates alerts only when configurable performance thresholds are crossed, delivering a low-noise, actionable signal that both SecOps and NetOps can act on immediately. The thresholds do the work here, so set them from an observed baseline and revisit them when the environment changes; a threshold set too low simply reintroduces the noise the design is meant to remove.
That anomaly-first design is what separates it from traditional network performance monitoring, which streams continuous telemetry into dashboards and leaves the operator to spot the deviation.
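The following is an added example, written for this page rather than taken from Corelight, of what threshold-based, anomaly-first alerting looks like over Zeek dns.log records. The field names (ts, id.orig_h, id.resp_h, query, rtt) are Zeek’s, where rtt is the query-to-answer interval in seconds; the sample records, thresholds and window sizes are constructed assumptions. The point it shows is the part that keeps the SIEM quiet: a per-responder rolling window, a minimum sample count so one slow lookup cannot fire an alert, and hysteresis so a sustained degradation produces exactly one alert and one clearance instead of one event per slow query.

```python
import math
from collections import defaultdict, deque


# Constructed Zeek dns.log records: a resolver that answers in about 10 ms,
# degrades to 650 ms for six queries, then recovers. Values are made up.
def _dns(ts, rtt, i):
    return {"ts": ts, "id.orig_h": "10.0.1.20", "id.resp_h": "10.0.0.53",
            "query": f"host{i}.corp.example", "rtt": rtt}


SAMPLE_DNS = ([_dns(1700000000 + i, 0.012, i) for i in range(8)]
              + [_dns(1700000010 + i, 0.650, i) for i in range(6)]
              + [_dns(1700000020 + i, 0.010, i) for i in range(12)])


def percentile(values, pct):
    """Nearest-rank percentile (pct in 1..100) of a non-empty iterable."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


class LatencyMonitor:
    """Threshold monitor with hysteresis: one alert when a responder's p95 rtt rises
    above alert_s, one clearance when it falls back under clear_s, nothing in between."""

    def __init__(self, alert_s, clear_s, window=10, min_samples=5, pct=95):
        assert clear_s < alert_s, "clear threshold must sit below the alert threshold"
        self.alert_s, self.clear_s, self.pct = alert_s, clear_s, pct
        self.min_samples = min_samples
        self.windows = defaultdict(lambda: deque(maxlen=window))  # recent rtts per responder
        self.in_alert = set()                                     # responders currently alerting

    def observe(self, rec):
        """Feed one dns.log record; return an alert dict, or None when nothing changed."""
        rtt = rec.get("rtt")
        if rtt is None:                      # unanswered query: no latency measurement
            return None
        key = rec["id.resp_h"]
        window = self.windows[key]
        window.append(rtt)
        if len(window) < self.min_samples:   # never alert on a single slow lookup
            return None
        p = percentile(window, self.pct)
        if key not in self.in_alert and p > self.alert_s:
            self.in_alert.add(key)
            return {"type": "dns_latency_high", "responder": key, "ts": rec["ts"],
                    "p95_s": round(p, 3), "samples": len(window)}
        if key in self.in_alert and p < self.clear_s:
            self.in_alert.discard(key)
            return {"type": "dns_latency_cleared", "responder": key, "ts": rec["ts"],
                    "p95_s": round(p, 3), "samples": len(window)}
        return None


def monitor_dns(records, alert_s=0.2, clear_s=0.05):
    """Run records through a fresh monitor and return only the events it emitted."""
    mon = LatencyMonitor(alert_s, clear_s)
    return [a for a in (mon.observe(r) for r in records) if a is not None]


if __name__ == "__main__":
    for event in monitor_dns(SAMPLE_DNS):
        print(event)
```

With these constructed records, six consecutive 650 ms answers produce a single dns_latency_high event and the recovery produces a single dns_latency_cleared event; the two together are the whole story a NetOps engineer needs, and the conn and dns logs underneath them are still there for anyone who wants the packets-level evidence.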
For more details about the sensor release, read Corelight Sensor v29.1 release highlights: Network evidence powers network operations.
A heavy equipment manufacturer needed accurate device context for their SOC to investigate traffic in a manufacturing environment. They needed a way to accurately classify network assets and reliably validate that data against their existing asset inventory solution.
The Challenge
Abstract IP addresses lacked the immediate device and operational context required for fast, effective threat triage and investigation.
The Solution
The customer deployed the Asset Classification feature on Corelight sensors to parse protocol evidence into immediate asset intelligence.
The Results
Head-to-head testing confirmed Corelight identified assets with the same accuracy as the dedicated tool — while delivering richer investigative context to the SOC. And because Corelight's output flows directly into the existing data pipeline and SIEM, there's no exporting from a standalone console, no manual ingestion, and no extra workflow.
The real power emerges when these capabilities work together. Every security alert is now enriched with both the exact identity of the asset and its network performance context. Every performance anomaly includes a direct path back to the underlying security-grade evidence.
For SecOps: Vital performance context accelerates triage and reduces false positives, while asset classification enables threat hunting for security outliers: anomalous bandwidth spikes, latency deviations, or unmanaged devices communicating externally.
For NetOps: An independent observer provides rapid “Mean Time to Innocence,” the time it takes to show whether the network is the source of an issue. Teams can quickly prove the network is healthy when applications run slowly, without digging through continuous dashboards or managing separate monitoring infrastructure.
Performance and Asset Visibility is included in the Corelight Sensor bundle and the Investigator bundle at no additional cost. Pre-built dashboards for Splunk and Investigator are ready out of the box, giving both security and network teams immediate visibility from day one. We’re surfacing the network truth that was always there — turning a single deployment of sensors into a unified platform that serves the entire organization because the best security evidence is also the best network operations evidence.
One sensor. One data source. One truth for both SecOps and NetOps.