Disrupt attacks by shifting from low priority, reactive tasks to high-impact, proactive defense

Corelight Investigator, a SaaS-based network detection and response solution, integrates rich network evidence with machine learning and other analytics. It dramatically simplifies Tier 1 workflows, so your team has more time for hunting and response — activities that move faster than ever with our intuitive log query engine.

  • Integrates with SOC workflow
  • SaaS deployment, scale, and use
  • Built-in security
  • Access to all alerts + evidence
  • Easily customized
  • Based on open, global standards

Dashboards put context first

Investigator’s intuitive, out-of-the-box dashboards make it easy to understand what’s happening in hybrid and multi-cloud environments. Plus, you can customize them to meet the unique needs of your organization.

Transparent + customizable

Our machine learning and new analytics from Corelight Labs are totally open, allowing you to peek under the hood and write new detections.

Focus on alerts that matter

Cut through the backlog with aggregated, prioritized alerts. Severity scoring correlated to evidence means faster decisions and response times.

Turn your analysts into elite hunters

Any analyst can quickly pick up our powerful log query engine and use it to find what they need in live or historic logs.

Investigator turns evidence into insight

[Illustration: how Investigator feeds network data into next-level analytics and displays the results in the web UI.]


Does Investigator replace my current SIEM?

Not at all. Investigator complements your existing SOC workflow and tools, including SIEM, SOAR and XDR solutions. If you do not have a SIEM, we can work with your existing data lake and other solutions to make sure that the evidence and insights gained through our platform are exported back into the other toolsets in your environment.

My SOC doesn’t have dedicated threat hunters, can I still use Investigator?

Yes! The built-in threat hunting queries and intuitive search capabilities can turn almost any Tier 1 analyst into a threat hunter. Investigator provides network evidence and advanced analytics to your entire team, from Tier 1s doing triage, to hunters chasing nation-state actors, to executives who need to get a handle on your security posture.

Can I customize the dashboards and queries?

Yes. You can also leverage the continuous insights from our Zeek and Suricata communities to further tune your analytics.

Why would I buy Investigator instead of your current Corelight platform?

Both platforms leverage the power of our open source communities (Zeek and Suricata) to transform network and cloud activity into powerful evidence. Investigator is optimized for SOCs that a) want the additional capabilities that machine learning and behavioral analytics bring and b) prefer a SaaS-based solution that has built-in dashboards and queries.

How is Investigator sold?

Investigator is a SaaS-based solution sold as a subscription, with various options for log storage, services and other features. Please contact us for the latest quotes and pricing information.
