San Francisco-based Corelight, which is gaining strength in the network detection and response (NDR) market, has announced significant enhancements to its AI-powered threat detection capabilities. These include expanded evasive threat detection and a new Corelight Threat Intelligence capability that delivers real-time, adversary-driven indicator-of-compromise (IOC) feeds from CrowdStrike Falcon Adversary Intelligence. Together, these advancements help security operations teams detect and respond to sophisticated attacks while dramatically reducing false positives and analyst workload.
These enhancements come as attackers increasingly deploy techniques designed to evade traditional security defenses. According to the latest Verizon Data Breach Investigations Report, exploitation of edge devices and VPNs jumped from 3% to 22% year-over-year as a breach entry point. In addition, a recent Gigamon report noted that 96% of lateral movement behavior does not trigger a corresponding alert in traditional security tools, creating unknown visibility gaps in the network. Finally, CrowdStrike’s 2025 Global Threat Report says that breakout time – the window for an adversary to move laterally from initial compromise to other systems – dropped to an average of 48 minutes, underscoring the need for actionable intelligence and rapid response. When adversaries can move laterally in less than an hour, defenders must close the gap with continuous visibility, intelligence-driven detection, and automated response to stop attacks efficiently.
Vijit Nair, Corelight vice president of product, said that four numbers set the stage. Verizon DBIR found that the share of breaches that start on edge devices, such as firewalls, VPNs, or routers, grew 8x in one year, from 3% to 22%.
CrowdStrike GTR said that 79% of intrusions are malware-free and often disable or evade the EDR agent.
CrowdStrike GTR also found that the fastest breakout from foothold to lateral movement recorded last year was 51 seconds.
Finally, Mandiant said that the global median dwell time inched up, after years of decline, to 11 days, giving defenders a detection window only if they are watching the right telemetry.
“Put together, these numbers map a clear progression,” Nair said. “Edge exposure opens the door and EDR blind spots let attackers slip through. Breakout speed leaves almost no reaction time, and only continuous network visibility can close the gap.”
Nair said that all of these reports agree that the quickest path into today’s networks is an unpatched perimeter box whose CVE goes live and is exploitable within minutes. Verizon shows exploitation of edge devices leaping from 3% to 22% of breaches, with CISA-listed edge vulnerabilities weaponized the very day they are published. Only 54% of edge-device CVEs were fully remediated during the year, and the median patch lag for those that were fixed was 32 days.
“As attackers leverage AI tools and become more sophisticated in their ability to bypass traditional security, organizations need detection capabilities that can identify threats operating in the network layer and using living-off-the-land techniques,” Nair stated. “Corelight’s unique combination of rich network evidence, high-fidelity threat intelligence, and advanced AI-powered detections gives SOC teams the visibility and context they need to detect evasive threats while reducing the manual effort needed to protect their organizations.”
As a result, Corelight has expanded the robustness of its detection strategy, combining network evidence with advanced machine learning across multiple detection layers designed to withstand attacker sophistication and evasion and to identify hard-to-detect lateral movement and credential compromise attacks. This new release includes Enhanced Anomaly Detection, in which new machine learning models identify suspicious administrative and lateral movement activity, including unusual behavior linked to executable file transfers, administrative file shares, and Remote Desktop Protocol (RDP) use.
The new release also includes Advanced East-West Detection, where new capabilities detect sophisticated lateral attacks, including Kerberos-based brute-force attempts, credential theft, and the ability to identify underlying misconfigurations. Additional models detect anonymous network use and malicious SSL certificates in Corelight sensors, with new tuning capabilities to reduce noise and improve signal quality. Finally, additional Command-and-Control (C2) Detection allows new C2 detections to identify the unique fingerprints of advanced adversary tools, which can blend into normal HTTPS traffic and evade generic security controls.
Corelight has also added a new Corelight Threat Intelligence feature, which delivers high-fidelity indicators of compromise from leading vendors, initially featuring CrowdStrike. Combined with Corelight’s network evidence, CrowdStrike’s IOCs provide validated, contextual intelligence that enables real-time and historical threat detection. IP addresses, file hashes, and domains are rigorously scored and continuously updated to minimize false positives. The integration helps security teams cut through noise to prioritize threats according to enterprise risk, accelerating detection and response across environments.
“Adversaries are leveraging AI to find and exploit vulnerabilities faster than ever – turning exposed devices into entry points for major breaches,” said Adam Meyers, head of Counter Adversary Operations, CrowdStrike. “By embedding CrowdStrike’s adversary-driven intelligence feeds into Corelight’s threat detection, we’re giving defenders the same advantage: AI-driven speed, precision, and ultimately the context needed to detect and stop intrusions that others miss.”
Additionally, Corelight now supports integration with third-party threat intelligence platforms such as Analyst1, automating the deployment of Suricata and YARA rules across an organization’s security infrastructure. This feature enables dynamic threat intelligence updates, eliminates manual, error-prone processes, and ensures threat intelligence remains consistently up-to-date and correctly configured.
Corelight is the only NDR vendor that offers a single sensor supporting enrichment of network data with endpoint data, vulnerability data, and threat intelligence at the point of observation directly in the sensor. The company uniquely bundles industry-leading sources for Suricata rules, YARA rules, and atomic IOCs into an actionable threat intelligence package.
“The takeaway for 2025 is straightforward,” Nair concluded. “Patch or virtually patch every edge device. Assume your endpoints will miss the first moves. And lean hard into network monitoring — because that’s where the decisive evidence now lives.”
“The widespread adoption of EDR tools, while it has made endpoints harder to attack, has also shifted threat actors’ focus to edge devices such as VPN gateways, firewalls, and networking gear, precisely because they usually cannot support an EDR client,” said Rik Turner, chief analyst, Cybersecurity, Omdia. “The responsibility for detecting such attacks thus falls to NDR platforms, and these latest enhancements from Corelight show it is moving to address that requirement. The addition of a threat intel feed that is pre-integrated with its sensors, meanwhile, should prove useful to the large enterprise organizations that form the majority of its customer base, as they typically face the challenge of managing multiple feeds, so one that can go straight into the NDR dashboard and get to work reduces their task list. The integration with Analyst1 is also a good first step; Omdia expects to see more such initiatives with other TIPs as customers request them.”
The enhanced detection capabilities and Corelight Threat Intelligence feature are available now as part of the Corelight Open NDR platform.
