Corelight’s Agentic Triage turns SOC alerts into evidence-backed investigations
Corelight has introduced a new set of agentic AI capabilities aimed at helping security operations centers (SOCs) cut down on repetitive, time-consuming tasks. The updates are designed to boost analyst efficiency, speed up response times, and build trust through greater transparency.
The release includes Agentic Triage to streamline SOC workflows, a new suite of machine learning models that turn encrypted traffic blind spots into actionable evidence, and expanded integrations.
“By pairing the industry’s highest-fidelity network telemetry from Corelight with an expert-governed AI agent, we are giving security teams the evidence they need to trust, verify, and act on AI-generated insights,” said Vijit Nair, Corelight vice president of product. “Only Corelight delivers true agentic AI triage in NDR, uniquely transforming overwhelming alert queues into verified, defensible investigations by applying expert playbooks to industry-leading network evidence with AI reasoning, drastically reducing time-to-triage and equipping analysts with definitive answers.”
Accelerating SOC workflow through agentic intelligence
SOCs are under pressure as adversaries actively leverage generative AI to automate reconnaissance and accelerate attacks, while most triage processes remain manual, repetitive, and highly variable across analysts. Corelight Agentic Triage is a category-first automated investigation capability that helps security teams move from high-volume alert noise to evidence-backed containment, making triage up to 10x faster.
Powered by a modern GenAI agent architecture and driven by expert-written investigative playbooks, Agentic Triage automatically investigates the highest-risk entities in a customer’s environment on a daily basis. Instead of requiring analysts to manually review hundreds of individual alerts, the Corelight Lux agent consolidates signals into entity-centric investigations, applies structured investigative logic, and delivers a single, evidence-backed triage verdict, complete with transparent reasoning a human analyst can inspect and verify.
Unlike proprietary systems that hide the details used to inform AI decision-making, Corelight Agentic Triage exposes every playbook step, every query run, and every piece of evidence used to reach a conclusion. This “show-your-work” approach is purpose-built for enterprise SOCs that require AI to be accountable, reviewable, and defensible during audits and incident response reviews.
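To make the "show-your-work" idea concrete, here is an added example of an entity-centric triage playbook that records every step, the query it ran and the evidence it used before issuing a verdict. This is illustrative code written for this article, not Corelight's Lux agent or its playbooks; the alert fields, step names, thresholds and verdict rules are all constructed assumptions.

```python
"""Added example (not Corelight's code): an entity-centric triage playbook that
records each step, the query it ran and the evidence it used, so the verdict
can be audited. Alert fields, step names and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed alerts, shaped like what a hypothetical NDR sensor might emit.
SAMPLE_ALERTS = [
    {"entity": "10.0.5.23", "type": "beacon_like_tls", "dest": "203.0.113.9", "sessions": 48},
    {"entity": "10.0.5.23", "type": "new_external_dest", "dest": "203.0.113.9"},
    {"entity": "10.0.5.23", "type": "smb_admin_share", "dest": "10.0.5.40"},
    {"entity": "10.0.7.8", "type": "new_external_dest", "dest": "198.51.100.4"},
]


@dataclass
class Investigation:
    entity: str
    alerts: list
    steps: list = field(default_factory=list)   # the audit trail an analyst reviews
    verdict: str = "benign"


def consolidate(alerts):
    """Group raw alerts by entity: one investigation per host, not one per alert."""
    by_entity = defaultdict(list)
    for alert in alerts:
        by_entity[alert["entity"]].append(alert)
    return [Investigation(ent, al) for ent, al in by_entity.items()]


# Each playbook step returns (evidence records it looked at, boolean finding).
def periodic_external_sessions(inv):
    ev = [a for a in inv.alerts if a["type"] == "beacon_like_tls"]
    return ev, any(a["sessions"] >= 20 for a in ev)


def admin_share_access(inv):
    ev = [a for a in inv.alerts if a["type"] == "smb_admin_share"]
    return ev, bool(ev)


def first_seen_external_destination(inv):
    ev = [a for a in inv.alerts if a["type"] == "new_external_dest"]
    return ev, bool(ev)


# (step name, human-readable query, function). Constructed; a real playbook
# would be authored by analysts and query the sensor's logs directly.
PLAYBOOK = [
    ("periodic sessions to an external host",
     "type == beacon_like_tls and sessions >= 20", periodic_external_sessions),
    ("access to an internal admin share",
     "type == smb_admin_share", admin_share_access),
    ("first contact with an external destination",
     "type == new_external_dest", first_seen_external_destination),
]


def run_playbook(inv):
    """Apply every step and record what was asked, what was seen and what it meant."""
    for name, query, fn in PLAYBOOK:
        evidence, finding = fn(inv)
        inv.steps.append({"step": name, "query": query,
                          "evidence": evidence, "finding": finding})
    hits = sum(1 for s in inv.steps if s["finding"])
    # Constructed verdict rule: two independent findings escalate, one asks for review.
    inv.verdict = "escalate" if hits >= 2 else "review" if hits == 1 else "benign"
    return inv


def triage(alerts):
    """Consolidate alerts per entity and run the playbook on each investigation."""
    return {inv.entity: run_playbook(inv) for inv in consolidate(alerts)}


def explain(inv):
    """Render the audit trail so a human can verify the verdict before acting."""
    lines = [f"{inv.entity}: verdict={inv.verdict} ({len(inv.alerts)} alerts consolidated)"]
    for s in inv.steps:
        mark = "HIT " if s["finding"] else "miss"
        lines.append(f"  [{mark}] {s['step']}: query '{s['query']}' "
                     f"-> {len(s['evidence'])} evidence record(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    for inv in triage(SAMPLE_ALERTS).values():
        print(explain(inv))
```

The point of the design is that `inv.steps` is the deliverable, not just `inv.verdict`: every step names its query and attaches the records it examined, so a reviewer can reproduce the reasoning during an incident review or audit rather than trusting an opaque score.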
Connecting to and empowering the AI-enabled ecosystem
Once analysts have identified the highest-risk entities and are ready to take action, they want to contain threats immediately without having to pivot to another system. Corelight ingests real-time identity data to enrich and complement the network evidence and correlate insights about problematic entities connected to the network.
Now that analysts can connect the “who” to the “what” that is happening on the network, they can use the integrations with Microsoft Azure AD/Entra and CrowdStrike to trigger one-click actions such as universal logout and password resets without pivoting to a separate tool. This ability to take response actions directly on compromised identities builds on Corelight’s ability to directly quarantine endpoints and trigger firewall block actions.
In addition, Corelight has released a new integration with CrowdStrike’s Charlotte AI and Agentic Response Collaboration, seamlessly working with other AI agents across the security stack to maximize the value of network data, providing critical context for investigations no matter where they occur. The integration creates a CrowdStrike Fusion workflow that allows Charlotte AI to automatically pull Corelight ground truth data to help an analyst resolve an alert by validating host behavior against network reality.
“The question facing every CISO today is not whether to adopt AI in the SOC—but rather how quickly and how comprehensively,” said Andrew Braunberg, principal analyst at Omdia. “Adding to the urgency is the weaponization of generative models by adversaries to automate reconnaissance, accelerate attacks, and evade detection. Defenders need AI that can accelerate response, and critically, that shows its work. To build trust in these solutions, explainability isn’t a nice-to-have; it’s a requirement, particularly in regulated environments.”
Detecting multi-stage intrusions with advanced ML everywhere
Indisputable evidence and robust detections are the foundation for any AI capability to be successfully integrated into today’s modern SOC. To support the advancement of AI in the SOC, Corelight is also introducing an expansion of its advanced machine learning and behavioral detections with a new suite of statistical models designed to detect evasive, post-exploitation techniques, including tunneling anomalies and VPN anomalies, without requiring decryption.
Sophisticated threat actors are looking for the dark corners of target networks to exploit, increasingly tunneling attacks in encrypted sessions to evade detection and hide their true intent. By analyzing the statistical “shape” and behavioral metadata of traffic, Corelight is able to transform encrypted blind spots into high-fidelity evidence. This allows security teams to better identify covert command and control (C2) channels and lateral movement, even in environments where traditional inspection is impossible.
Corelight’s new ML models detect evasive threats that traditional signatures miss by analyzing behavioral patterns across the network, flagging unauthorized VPNs, identifying uncommon tunneling activity at the subnet level, and catching credential theft techniques like DCSync and NTDS.dit dumps before attackers can pivot. The platform has also expanded its brute force detection surface, correlating both low-and-slow and high-volume credential attacks across critical vectors including Kerberos, RDP, SMB, and SSH. Together, these models give security teams high-fidelity visibility into post-exploitation activity without requiring decryption.
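The brute force correlation described above, combining both low-and-slow and high-volume credential attacks across protocols, is easy to illustrate with a small detector. The following is an added example written for this article, not Corelight's detection code: it parses constructed authentication-failure log lines, merges failures per source across Kerberos, RDP, SMB and SSH, and flags either a burst in a short window or a sustained trickle that no single per-protocol, per-minute rule would catch. The log format, thresholds and sample sources are all constructed assumptions.

```python
"""Added example (not Corelight's code): correlate authentication failures from
several protocols per source IP to flag both high-volume bursts and low-and-slow
credential guessing. Log format, thresholds and sample data are constructed."""
from collections import defaultdict

HIGH_VOLUME_WINDOW = 60       # seconds; a burst is measured inside this window
HIGH_VOLUME_THRESHOLD = 20    # failures inside one window
SLOW_SPAN = 3600              # a sustained campaign lasts at least an hour...
SLOW_THRESHOLD = 12           # ...and accumulates at least this many failures


def build_sample_log():
    """Constructed log lines in the form '<epoch> <src_ip> <protocol> <outcome>'."""
    base = 1_700_000_000
    lines = []
    # Source A: 30 SSH failures in 30 seconds, a classic burst.
    lines += [f"{base + i} 10.0.1.5 ssh failure" for i in range(30)]
    # Source B: one failure every five minutes for two hours, rotating
    # protocols so no single protocol ever shows more than one per minute.
    protos = ["kerberos", "rdp", "smb"]
    lines += [f"{base + i * 300} 10.0.2.9 {protos[i % 3]} failure" for i in range(24)]
    # Source C: two mistyped passwords followed by a success, ordinary noise.
    lines += [f"{base} 10.0.3.3 rdp failure",
              f"{base + 10} 10.0.3.3 rdp failure",
              f"{base + 20} 10.0.3.3 rdp success"]
    return lines


def parse_events(lines):
    """Turn each log line into (timestamp, src_ip, protocol, outcome)."""
    events = []
    for line in lines:
        ts, src, proto, outcome = line.split()
        events.append((int(ts), src, proto, outcome))
    return events


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def correlate(events):
    """Per source IP, merge failures across all protocols and score them."""
    failures = defaultdict(list)   # src_ip -> [(timestamp, protocol)]
    for ts, src, proto, outcome in events:
        if outcome == "failure":
            failures[src].append((ts, proto))

    report = {}
    for src, fl in failures.items():
        times = [t for t, _ in fl]
        peak = max_in_window(times, HIGH_VOLUME_WINDOW)
        span = max(times) - min(times)
        high_volume = peak >= HIGH_VOLUME_THRESHOLD
        # Low-and-slow: many failures over a long span, yet never bursty enough
        # to trip the high-volume rule on its own.
        low_and_slow = (not high_volume
                        and len(fl) >= SLOW_THRESHOLD
                        and span >= SLOW_SPAN)
        report[src] = {
            "failures": len(fl),
            "protocols": {p for _, p in fl},
            "peak_per_window": peak,
            "span_seconds": span,
            "high_volume": high_volume,
            "low_and_slow": low_and_slow,
        }
    return report


if __name__ == "__main__":
    for src, r in correlate(parse_events(build_sample_log())).items():
        flags = [k for k in ("high_volume", "low_and_slow") if r[k]]
        print(f"{src}: {r['failures']} failures over {r['span_seconds']}s "
              f"across {sorted(r['protocols'])} -> {flags or ['none']}")
```

Two details carry the weight here: failures are keyed by source before any threshold is applied, so an attacker spreading guesses across protocols still accumulates into one count, and the slow rule is evaluated over the whole span rather than per minute, which is why source B is caught while source C, with the same per-minute rate, is not.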