
Corelight Expands Leadership in Evasive Threat Detection with AI-Powered Enhancements and Integrated Threat Intelligence

Enhancements combine Corelight's rich network evidence with CrowdStrike's adversary-driven indicator feed to empower defenders with enhanced detection and response

SAN FRANCISCO, Oct. 30, 2025 /PRNewswire/ -- Corelight, the fastest growing leader in network detection and response (NDR), today announced significant enhancements to its AI-powered threat detection capabilities, including expanded evasive threat detection, and a new Corelight Threat Intelligence capability that delivers real-time, adversary-driven threat intelligence indicators of compromise (IOC) feeds from CrowdStrike Falcon® Adversary Intelligence. Together, these advancements help security operations teams detect and respond to sophisticated attacks while dramatically reducing false positives and analyst workload.

The expansion comes as attackers increasingly deploy techniques designed to evade traditional security defenses. According to the latest Verizon Data Breach Investigations Report, exploitation of edge devices and VPNs jumped from 3% to 22% year-over-year as a breach entry point. In addition, a recent Gigamon report noted that 96% of lateral movement behavior does not trigger a corresponding alert in traditional security tools, creating unknown visibility gaps in the network. According to CrowdStrike's 2025 Global Threat Report, breakout time – the window for an adversary to move laterally from initial compromise to other systems – dropped to an average of 48 minutes, underscoring the need for actionable intelligence and rapid response. When adversaries can move laterally in less than an hour, defenders must close the gap with continuous visibility, intelligence-driven detection, and automated response to stop attacks efficiently.

"As attackers leverage AI tools and become more sophisticated in their ability to bypass traditional security, organizations need detection capabilities that can identify threats operating in the network layer and using living-off-the-land techniques," said Vijit Nair, Corelight vice president of product. "Corelight's unique combination of rich network evidence, high-fidelity threat intelligence, and advanced AI-powered detections gives SOC teams the visibility and context they need to detect evasive threats while reducing the manual effort needed to protect their organizations."

Comprehensive Enhancements to Evasive Threat Detection

Corelight expands its already robust detection strategy, combining rich network evidence with advanced machine learning across multiple detection layers that are designed to identify hard-to-detect lateral movement and credential compromise attacks while remaining resilient to attacker sophistication and evasion. This new release includes:

  • Enhanced Anomaly Detection: New machine learning models identify suspicious administrative and lateral movement, including unusual behavior linked to executable file transfers, administrative file shares, and Remote Desktop Protocol (RDP) use.
  • Advanced East-West Detection: New capabilities detect sophisticated lateral attacks, including Kerberos-based brute-force attempts, credential theft, and the ability to identify underlying misconfigurations.
  • Expanded Supervised Machine Learning: Additional models detect anonymous network use and malicious SSL certificates in Corelight sensors, with new tuning capabilities to reduce noise and improve signal quality.
  • Additional Command-and-Control (C2) Detection: New C2 detections identify the unique fingerprints of advanced adversary tools, which can blend into normal HTTPS traffic and evade generic security controls.

New Corelight Threat Intelligence Feature

The new Corelight Threat Intelligence feature delivers high-fidelity indicators of compromise (IOCs) from leading vendors, initially featuring CrowdStrike. Combined with Corelight's rich network evidence, CrowdStrike's IOCs provide validated, contextual intelligence that enables real-time and historical threat detection. IP addresses, file hashes, and domains are rigorously scored and continuously updated to minimize false positives.

The integration helps security teams cut through noise to prioritize threats according to enterprise risk, accelerating detection and response across environments.

"Adversaries are leveraging AI to find and exploit vulnerabilities faster than ever – turning exposed devices into entry points for major breaches," said Adam Meyers, head of Counter Adversary Operations, CrowdStrike. "By embedding CrowdStrike's adversary-driven intelligence feeds into Corelight's threat detection, we're giving defenders the same advantage: AI-driven speed, precision, and ultimately the context needed to detect and stop intrusions that others miss."

Additionally, Corelight now supports integration with third-party threat intelligence platforms such as Analyst1, automating the deployment of Suricata and YARA rules across an organization's security infrastructure. This feature enables dynamic threat intelligence updates, eliminates manual, error-prone processes, and ensures that threat intelligence remains consistently up to date and correctly configured.

Unique Advantages of the Corelight Approach

Corelight is the only NDR vendor that offers a single sensor supporting enrichment of network data with endpoint data, vulnerability data, and threat intelligence at the point of observation directly in the sensor. The company uniquely bundles industry-leading sources for Suricata rules, YARA rules, and atomic IOCs into an actionable threat intelligence package.

"The widespread adoption of EDR tools, while it has made endpoints harder to attack, has also shifted threat actors' focus to edge devices such as VPN gateways, firewalls, and networking gear, precisely because they usually cannot support an EDR client. The responsibility for detecting such attacks thus falls to NDR platforms, and these latest enhancements from Corelight show it is moving to address that requirement," said Rik Turner, chief analyst, Cybersecurity, Omdia. "The addition of a threat intel feed that is pre-integrated with its sensors, meanwhile, should prove useful to the large enterprise orgs that form the majority of its customer base, as they typically face the challenge of managing multiple feeds, so one that can go straight into the NDR dashboard and get to work reduces their task list. The integration with Analyst1 is also a good first step; Omdia expects to see more such initiatives with other TIPs as customers request them."

Availability

The enhanced detection capabilities and Corelight Threat Intelligence feature are available now as part of the Corelight Open NDR platform. For more information, visit https://corelight.com/blog/enhanced-threat-detection.

About Corelight

Corelight transforms network and cloud activity into evidence that security teams use to proactively hunt for threats, accelerate response to incidents, gain complete network visibility, and create powerful analytics. Corelight's customers include Global 2000 companies, major government agencies, and large research universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek®, the widely used open source network security technology. For more information, visit www.corelight.com.

SOURCE Corelight