Corelight Review

A basic component for enriching cyber security analysis


What is our primary use case?

Corelight is a network traffic analysis product. It is an enterprise solution of Zeek and Suricata. It is deployed mostly with physical sensors, although cloud, virtual and software sensors are available as well. We deploy it for our customers, and MSSP.

How has it helped my organization?

Cyber Security Operators barely need to learn how Corelight works because it is integrated with the SIEM of the company. That's why Corelight is very useful since the very first moment it is deployed. Corelight makes much easier the remediation of cyber attacks. Instead of facing a chaotic amount of logs, Corelight provide correlated metrics that allow pivoting to find, in seconds all the data related to an alert, detection or asset. It can be used both on-premise and cloud, and it can be easily scaled.

What is most valuable?

Corelight provides a insight, visibility and a lot of data. No matter if you need detection for proactive defense or you need data for forensics, Corelight is the primary source of information for cyber security. The deployment is very quick and you are using it from the very beginning.

What needs improvement?

Al the beginning I was surprised that it didn't include Machine learning based detection, but after some months, I understand why. Our SIEM and our SOAR already includes Machine Learning detection, and Corelight already make behavior based detection as well as signature based detection. Everything in Corelight is useful, and adding ML to an NDR would just make it more expensive, and I'm not sure if it would really improve the final result since Corelight sees everything and ML can be used in other solutions.

Last release included Smart PCAP, a tool that makes PCAP storing easier (and more cost-effective).

For how long have I used the solution?

We have been using the product, about four months. First time I used it was in April '21

What do I think about the stability of the solution?

Corelight is very stable. It is based on Zeek, a solution that has been used for more than 20 years.

What do I think about the scalability of the solution?

It is a simple procedure to scale the installation.

How are customer service and technical support?

Excellent. They are dedicated to the customer from the first moment.

How was the initial setup?

It is very straightforward to choose one physical sensor because you have a sensor with all the installation pre-installed. It is a very straightforward solution because it has a sensory set already configured. You have to adapt it to integrate with your network, with packet brokers. This is the main step that we have to do to integrate with a network. It's not a complicated process.

What's my experience with pricing, setup cost, and licensing?

It is surprisingly affordable

Which other solutions did I evaluate?


What other advice do I have?

It depends on the kind of customer, but I would recommend it for most companies that had a SOC. It is instrumental. I would rate this product a 10 out of 10. Corelight, including Zeek (former BRO) and Suricata, is well known by most cyber security analysts. For that reason, we have seen that people liked Corelight and Zeek. It adapts perfectly to the day to day work for people in security analytics.

Which deployment model are you using for this solution?

On-premises
**Disclosure: My company has a business relationship with this vendor other than being a customer: Distributor
Find out what your peers are saying about Corelight, Darktrace, ExtraHop Networks and others in Network Traffic Analysis (NTA). Updated: September 2021.
534,768 professionals have used our research since 2012.
Add a Comment
ITCS user
Guest