From detecting attacks to profiling behavior, Corelight Labs creates new ways to deepen network insight and strengthen enterprise security. We work in close partnership with other innovators at Corelight, and we take pride in the robust, deeply technical capabilities we create.
Impostors who have stolen a user's SSH login credentials can inflict significant harm to the systems to which the user has remote access. We consider the problem of identifying such imposters when they conduct interactive SSH logins by detecting discrepancies in the timing and sizes of the client-side data packets, which generally reflect the typing dynamics of the person sending keystrokes over the connection.
When employing supervised machine learning to analyze network traffic, the heart of the task often lies in developing effective features for the ML to leverage. We develop GGFAST, a unified, automated framework that can build powerful classifiers for specific network traffic analysis tasks, built on interpretable features. The framework uses only packet sizes, directionality, and sequencing, facilitating analysis in a payload-agnostic fashion that remains applicable in the presence of encryption.
Ground your defense against React2Shell in verifiable network evidence. Deploy high-fidelity Suricata detections to spot unauthenticated remote code execution on the wire immediately.
Learn how to hunt F5 BIG-IP exploitation when no PoCs exist: spot Client Authentication Bypass, baseline incoming SSH, and detect SSH imposters.
Learn how Corelight data and the PEAK threat-hunting framework turn rich network evidence into a practical playbook for hunting Salt Typhoon.
Proactively defend against zero-days. Learn how with Cisco exploit lessons learned, warning signs from GreyNoise, F5 threats, and NDR.
Recapping our learnings from the Black Hat NOC, using packet captures and Zeek scripting to decode threat payloads.
Speed up technical documentation with the open-source llm-styleguide-helper. It pairs Vale linting and AI to fix Microsoft Style Guide violations in minutes.
Learn how to use Open WebUI knowledge bases to enhance your LLMs with private, local cybersecurity data for better queries, analysis, and incident response.
Learn how Map-Reduce and LLMs can be used to efficiently analyze huge datasets and improve threat hunting, incident response, and forensic analysis.
Learn how to run DeepSeek AI locally with Ollama and Open WebUI for secure Zeek script analysis.
Read how to identify C2 activities and agent downloads associated with MITRE Caldera agents using this Zeek Caldera detector via GitHub.
To learn more about Corelight Labs, contact our team.