Turn network traffic into security visibility.

Corelight Sensors transform network traffic into rich logs, extracted files, and custom insights via Zeek (formerly known as Bro), a powerful, open-source network security monitor used by thousands of organizations worldwide. Make quick sense of traffic so you can resolve incidents faster and threat hunt more effectively.

aws-webcast icon Watch our webcast to learn how it works in AWS.



  • Cloud Sensor
  • Sensor Appliances
  • Virtual Sensor

Powerful encrypted traffic insights, without breaking and inspecting.

Case Study

Incident response up to 20x faster.

Education First is a global firm with 40,000 employees. After deploying Corelight Sensors, their security team saw incredible impact. Their average incident response time dropped from hours to minutes thanks to Corelight’s network logs that allowed them to make lightning-fast sense of their traffic.

Download the case study

Download the case study

Corelight is the foundation for a modern network security stack.

  • Transform raw packets into security "ground truth"
  • Better network data = better security analytics
  • A flexible technology stack for all environments

White Paper

Why Corelight is your best next move in enterprise security.

Your next security investment should maximize attack surface coverage, deploy fast, generate reliable data, and (ideally) have zero impact on operations. Corelight excels on all counts.

Read the white paper to learn more

Read the white paper to learn more

Got a SIEM? Make it better with Corelight.

Your SIEM success depends on the data you feed it. Stop sending Netflow and other low quality, “side-effect” network logs to your SIEM and replace them with Corelight’s rich, protocol-comprehensive logs that accelerate incident response and threat hunting workflows in your SIEM. Export Corelight’s Zeek logs to Splunk, Elastic, QRadar, Spark or just about any data tool of your choice in a matter of minutes.


Recent release features

Find Lateral Movement with MITRE BZAR

Corelight Sensors now ship with the MITRE BZAR package in the Core Collection, which detects lateral movement techniques in MITRE ATT&CK related to SMB and DCE-RPC traffic, such as indicators targeting Windows Admin Shares and Remote File Copy. It can also extracts detection-related files to enable investigations of suspicious traffic.

Pivot to Suricata and PCAP with Community ID

Community ID is an industry flow-identification standard that creates a common hash of the 5-tuple and appends it to Corelight’s conn.log so analysts can quickly pivot on a connection in Corelight to and from equivalent flows in tools such as Suricata, Elastic, Moloch and more.