Compare to open source Zeek

Corelight makes Zeek easier, faster, and even more powerful.

Minutes not months to full-scale Zeek deployment. Powerful encrypted insights that go well beyond JA3. Up to ten times the peak analysis throughput per sensor. Enterprise support from the people who wrote Zeek.

| Features & Benefits | Corelight | Open-source Zeek |
| --- | --- | --- |
| SENSORS | | |
| Physical Sensors | Yes—AP 200 (2 Gbps), AP 1001 (10 Gbps), AP 3000 (25 Gbps) | DIY hardware purchase/build |
| Virtual Sensors | Yes—Virtual Sensor (VMware, Hyper-V) | No |
| Cloud Sensors | Yes—Corelight Cloud Sensor (AWS, Azure, GCP) | No |
| Binary Sensors | Yes—Corelight Software Sensor (Linux environments & containers) | Manual configuration |
| ENCRYPTED INSIGHTS | | |
| Encrypted Traffic Collection | Yes—powerful, proprietary SSH & SSL insights | No |
| JA3 / JA3S | Yes | Yes |
| HASSH | Yes | Yes |
| SURICATA | | |
| Natively integrated | Yes—AP 200, 1001, and 3000 Sensor | No |
| PERFORMANCE | | |
| Peak throughput | Yes—25+ Gbps per sensor (AP 3000) | 3-4 Gbps max per cluster |
| Optimized file extraction | Yes—10,000+ files/minute extracted with deduplication | No |
| Performance monitoring | Yes—real time metrics, including definitive packet loss rate | No |
| Packet loss rate | < 1% | Variable, risk of > 50% |
| MANAGEMENT | | |
| Deployment time | < 15 minutes | Weeks to months |
| Management Interface | Yes—full web management UI | Command line only |
| Software updates | Yes—automatic | Manual |
| Fleet management | Yes—for up to 250 sensors | No |
| Sensor monitoring | Yes—comprehensive sensor health monitoring | No |
| API support | Yes—full featured RESTful API for devops | No |
| Package installation | One-click install for Corelight’s preloaded packages | Manual |
| DATA EXPORT | | |
| SIEM integration | Yes—deep integrations with Splunk, Elastic, & many more. | Manual integration |
| Services/protocol | Yes—Kafka, syslog, Amazon Kinesis, Apache Avro, SFTP | Writes to files on disk |
| Default log streaming | Yes | Manual |
| Log stream forking | Yes—stream data to multiple destinations | No |
| DATA CONTROL | | |
| Log data reduction | Yes—Corelight can reduce log volume by 30-50% | No |
| Log filtering | Yes—filter by log type and contents | Manual |
| File filtering | Yes—filter by file type | No |
| Traffic shunting | Yes—shunt large & long running flows (AP 3000) | No |
| SECURITY & SUPPORT | | |
| Jailed processes | Yes | No |
| FIPS 140-2 | Yes | No |
| Automatic security updates | Yes | No |
| Disk encryption | Yes | Manual |
| Enterprise support | Yes—standard & 24/7 support from the Zeek experts | No |
| ZEEK FUNCTIONALITY | | |
| Logging | Yes | Yes |
| File extraction | Yes | Yes |
| Package manager | Yes | Yes |
| Zeek Intel Framework | Yes | Yes |
| Zeek Input Framework | Yes | Yes |
| Zeek NetControl Framework | No | Yes |
| Zeek Notice Framework | Yes | Yes |
| Zeek PCAP Ingestion | Yes | Yes |