Corelight Sensor v29.1 release highlights: Network evidence powers network operations

Corelight Sensor v29.1 and Fleet Manager v29.1.1 fundamentally expand what a Corelight Sensor delivers. The release turns existing network evidence into a shared source of truth for SecOps, NetOps, triage, and forensic investigation. Network performance monitoring and asset classification unlock new value from traffic you're already collecting. Guided wizards and intelligent automation make sensors self-service, and a redesigned Smart PCAP framework ensures every alert is backed by complete forensic evidence. This release is targeted for general availability on June 24, 2026.

One sensor, one truth for security and network operations

Every organization has heard it: "The network is slow." What follows is usually hours of finger-pointing between teams, each armed with different tools telling different stories. Corelight now extends the value of network evidence beyond security, transforming your existing sensors into a unified platform for both SecOps and NetOps, — without additional hardware, active polling, or dedicated NetOps tools.

Network performance monitoring

Network performance monitoring delivers intelligent, threshold-based alerting for TCP round-trip time, DNS resolution latency, and TLS/QUIC handshake timing. Unlike traditional tools that rely on ephemeral IP addresses, these performance alerts are correlated to actual service names so teams know exactly which service is degraded.

Placement-aware RTT decomposition splits metrics into client-side and server-side latency, instantly answering "Which side is the problem?" in a single log entry. Every alert includes a direct forensic pivot to the exact connection that triggered the threshold, allowing analysts to jump from a performance anomaly to supporting evidence without needing to reproduce the issue. When teams need to definitively prove the network is healthy, an on-demand enrichment toggle appends full-resolution delay metrics directly into standard connection logs.

Asset classification

Asset classification passively identifies and classifies every device on your network — servers, workstations, IoT, and printers, by analyzing protocol fingerprints captured in traffic. It continuously discovers device type, OS, manufacturer, and network role without requiring agents or active scanning.

Abstract IP addresses become recognizable, real-world devices, enriching alerts with critical context so analysts instantly know whether they're looking at a printer or a domain controller. Devices that bypass traditional inventory tools (unmanaged endpoints, IoT, and shadow IT) — are automatically surfaced from their traffic behavior.

Together, these capabilities deliver a single source of network truth that bridges the gap between organizational silos. For SecOps, every security alert now includes the exact asset identity alongside network performance context, accelerating triage, reducing false positives, and enabling hunting for security outliers like anomalous latency deviations. Network performance monitoring and asset classification are included in the Corelight Sensor bundle and the Investigator bundle at no additional cost.

Improve operational experience with sensors your team can deploy and manage confidently

V29.1 makes Corelight Sensors easier to deploy and manage than ever with guided wizards, intelligent automation, and self-service tools that let your team focus on security outcomes instead of sensor administration.

• Day-0 sensor provisioning wizard:
  Provides guided setup from first boot to fully configured in minutes, enforcing security hardening, validating network configuration in real-time, and testing Fleet connectivity. No CLI expertise required.
• Scheduled sensor updates: Let teams define maintenance windows by day, time, and sensor group. Updates align with your change management process, not ours, with override controls for emergencies.
• Fleet policy configuration wizard: Provides quick-start templates (North-South, East-West, and Blended) to reduce policy creation time by up to 80%. No deep Zeek expertise required.
• 4-Level health status: Provides Green/White/Yellow/Red classification with actionable indicators that distinguish critical issues from informational messages, so your team knows when to act and when to monitor.
• Productized CVE detection bundles: The sensor integrates 25+ CVE packages with automatic updates and intelligent deconfliction. CVE protection arrives in hours, not weeks, without Zeek crashes from package conflicts.

Gap-free forensic evidence for every alert

Smart PCAP in v29.1 delivers what every SOC team wants: complete, reliable packet capture automatically linked to every Suricata-triggered alert across all supported sensor form factors. One click from any alert takes you directly to full packet-level evidence, providing instant forensic context exactly when you need it.

Built-in telemetry continuously monitors capture health, and enhanced retention performance means more evidence stays accessible longer. The best part: Simply upgrade to v29.1, and these improvements are immediate, with zero configuration required. Security teams can build SOC playbooks and compliance workflows knowing that every single alert is backed by complete network evidence, ready for investigation, escalation, or audit.

The network holds the evidence

V29.1 represents a fundamental expansion of what a Corelight Sensor delivers. Every capability in this release is derived from the same high-fidelity network evidence you're already collecting. No new infrastructure. No additional agents. Just more value from the traffic flowing through your network.

Key takeaways for security leaders

• Unified platform ROI: One sensor now serves both SecOps and NetOps, eliminating duplicate tooling and bridging organizational silos.
• Faster triage, fewer false positives: Every alert includes exact asset identity and network performance context, so analysts know immediately what they're looking at and whether behavior is anomalous.
• Compliance-ready forensics: Every Suricata-triggered alert is automatically backed by complete packet-level evidence, ready for investigation, escalation, or audit.
• Reduced operational burden: Guided wizards, scheduled updates, and productized CVE bundles mean your team focuses on security outcomes, not sensor administration.
• No additional cost: Network performance monitoring and asset classification are included in the Sensor and Investigator bundles.

Ready to upgrade? Log in to see full release notes on docs.corelight.cloud.