Name: Corelight Open NDR Platform
Rating: 4.8 (129 reviews)

Overview

Product Information on Corelight Open NDR Platform

Updated 21st October 2025

What is Corelight Open NDR Platform?

Corelight's Open NDR Platform transforms network and cloud activity into evidence so defenders can stay ahead of ever-changing attacks. Delivered through an open, extensible architecture powered by Zeek, Suricata, and YARA, it combines network security monitoring, intrusion detection, static file analysis, AI, and Smart PCAP in one platform. Corelight applies the right detection approach per threat, using machine learning, behavioral analytics, and signatures to reduce false positives and accelerate detection engineering response time. By correlating alerts, packets, and context into structured, comprehensive evidence, Corelight enhances visibility, analytics, and investigation speed while integrating seamlessly with existing SIEM, XDR, and SOAR tools.

Overall experience with Corelight Open NDR Platform

SENIOR SECURITY ANALYST

50M - 250M USD, IT Services

FAVORABLE

“Corelight NDR enabling streamlined and precise incident analysis through network metadata”

5.0

Nov 20, 2025

Corelight NDR is an essential tool that greatly simplifies the detection and triage of security events through network data. Evidence collected through the sensor simplifies detection of malicious behavior, as well as providing immediate insight into all the affected machines. It provides a great platform to analyze and find irregularities and misconfigurations in the network. The provided data can be directly utilized for system and network security hardening as well as a verification method for validating hardening efforts. The solution just works and usually there is no need for customer support. Nevertheless, when needed, customer support is fast to respond and resolve any issues that might arise.

IT Security & Risk Management Associate

50M - 250M USD, Miscellaneous

CRITICAL

“Challenges With Centralized Management In Multi-Environment Deployments Of Sensor Networks”

3.0

Dec 18, 2025

I feel this vendor could be better at listening to and working with customers to provide product improvement in a timely manner

About Company

Company Description

Corelight is a company that primarily focuses on network security. Its objective is to transform network and cloud data into detailed evidence to help counter ever-evolving cyber threats. The company offers an open Network Detection and Response (NDR) platform that provides a comprehensive, correlated view of the network, granting unmatched visibility to users. With the advantage of swift investigation, expert-like cyber threat hunting and potential attack disruption capabilities, Corelight targets to enhance cybersecurity preparedness. It offers both on-premise and cloud-based sensors capable of capturing standard industry telemetry and insights that align with pre-existing user tools and processes. Clients of Corelight span diverse sectors, including large scale businesses, government agencies and research institutions.

Company Details

Company type

Private

Year Founded

2016

Head office location

San Francisco, United States

Number of employees

201 - 500

Website

https://www.corelight.com

Do You Manage Peer Insights at Corelight?

Access Vendor Portal to update and manage your profile.

Key Insights

A Snapshot of What Matters - Based on Validated User Reviews

User Sentiment About Corelight Open NDR Platform

Reviewer Insights for: Corelight Open NDR Platform

Performance of Corelight Open NDR Platform Across Market Features

Corelight Open NDR Platform Likes & Dislikes

Ease of deployment and implementation. Quick deployment in the environment without the need of installing additional agents. After providing network traffic to the sensor, data immediately shows up in the Corelight console. Extraction of network data in a minimal and easily readable format that makes security triage and analysis faster and more straightforward. Additionally, if any alert is detected, it enables in depth analysis of network packets which are captured through the efficient SmartPCAP technology. Encrypted traffic analysis provides high fidelity insights into encrypted traffic (e.g., HTTPS, SSH, VPN, and DNS over TLS) without the need for traffic decryption. The underlying engine enables extraction of all relevant data from the encrypted traffic with no impact on the traffic analysis performance. Enables capturing of files across all analyzed traffic and storage of files for automated analysis. This is further enhanced by the YARA scanning functionality that detects potentially malicious files transferred through the network. Reliability and speed of traffic capture, data collection and data analytics. Traffic is parsed and quickly forwarded to the Corelight SIEM where it is available for analysis in less than a minute. Readiness of technical and customer support to jump on a call and discuss improvements to the platform provides peace of mind when using the solution. The Corelight team really aims at making a quality product that will streamline detection and response activities as much as possible by providing valuable information to security analysts.

FleetManager

The clarity and structure of the data. Corelight gives us high-fidelity, well-enriched logs that are actionable instead of chaotic. The detections are more organized, the data is richer, and investigations move faster because we are able to lay everything out in a way that makes sense. Sensor management is easy and the overall stability of the sensors has been a major plus. The product is consistently working towards reducing the noise and that's rare in this space.

Integration with EDR vendors - Integration exists but is limited to querying EDR vendors API endpoints. This can provide great context but it is far from a fully integrated console that would integrate EDR and NDR telemetry into one timeline. Limitations on Alerting capabilities - Currently one can only create alerts based on Zeek and Suricata detections. There is no ability to create custom alerts in the Investigator SIEM based on the collected network data. Cloud traffic inspection can incur sizeable additional costs - If using a cloud provider that doesn't natively support Cloud Network TAPs the price hike for monitoring cloud network infrastructure is significant.

The lack of having fully centralized operational management in environments with a large number of sensors deployed across multiple environments

The product is incredibly powerful, but some tuning requires trial and error before everything aligns the way you want. Certain detections and log types can feel a bit rigid in terms of customization, and more granular configuration options would help streamline deployments. Additionally, scaling log volume can overwhelm our SIEM licensing, so it requires careful planning to avoid ingest bloat. None of these are deal-breakers, but they are areas where more flexibility could make the experience better.

Top Corelight Open NDR Platform Alternatives

4.8

(612 Ratings)

4.8

(451 Ratings)

4.7

(258 Ratings)

View All Alternatives

Peer Discussions

Corelight Open NDR Platform Reviews and Ratings

Recommended Gartner Insights

Magic Quadrant for Network Detection and Response

50M-1B USD

IT Services

Review Source

Corelight NDR enabling streamlined and precise incident analysis through network metadata

IT SECURITY & RISK MANAGEMENT ASSOCIATE

Transportation

Corelight Improves Network Visibility But Requires Careful Tuning and SIEM Planning

Our experience with Corelight has been consistently strong. The platform delivers reliable, high-quality network visibility without drowning us in noise, and it has integrated strongly with our existing SIEM and workflows. The sensors have remained stable and easy to manage through the management application, and the data fidelity has improved our ability to investigate suspicious activity in both IT and OT. The support team has been responsive, knowledgeable, and genuinely invested in assisting us optimize our deployment. Corelight has made our detection and response efforts significantly more efficient and more confident.

Manager of IT Services

10B+ USD

Corelight's data and evidence is the real hero

Feb 12, 2026

It's been a breath of fresh air compared to the "black box" AI tools that dominate the NDR market. Most tools give you a high-level alert and then leave you to guess what actually happened. Corelight gives you evidence first. It is a large data volume, but once we turned on our ingest and got Zeek logs flowing into our SIEM, the speed of our investigations doubled. It's an impactful pro tool that doesn't hold your hand, but doesn't lie to you.

Manager, IT Security and Risk Management

Gov't/PS/Ed

Government

Death of NDR is greatly exaggerated

Jan 14, 2026

Corelight have been great and engaged with us from initial deployment stages through to ongoing maintenance in production. Product gets updated frequently with new functionality that is genuinely useful capability additions.

Engineering Manager

Excellent customer support and GUI makes administration simple

Corelight staff have been friendly, knowledgeable, and prompt about providing support whenever we have asked, which has occurred on a range of topics over the course of the last year. I have been impressed with their level of responsiveness compared to other vendors, and I have not had a single negative interaction with Corelight even while troubleshooting product problems or issues, which says a lot about their staff's professionalism and courtesy.

Overview

Product Information on Corelight Open NDR Platform

What is Corelight Open NDR Platform?

Corelight Open NDR Platform Pricing

Corelight Open NDR Platform Product Images

Overall experience with Corelight Open NDR Platform

“Corelight NDR enabling streamlined and precise incident analysis through network metadata”

“Challenges With Centralized Management In Multi-Environment Deployments Of Sensor Networks”

About Company

Company Description

Company Details

Key Insights

A Snapshot of What Matters - Based on Validated User Reviews

User Sentiment About Corelight Open NDR Platform

Reviewer Insights for: Corelight Open NDR Platform

Performance of Corelight Open NDR Platform Across Market Features

Corelight Open NDR Platform Likes & Dislikes

Top Corelight Open NDR Platform Alternatives

1. Darktrace / NETWORK

2. Vectra AI Platform

3. RevealX

Peer Discussions

Corelight Open NDR Platform Reviews and Ratings

Recommended Gartner Insights

About Company

Company Description

Company Details

User Sentiment About Corelight Open NDR Platform

Reviewer Insights for: Corelight Open NDR Platform

Performance of Corelight Open NDR Platform Across Market Features

Corelight Open NDR Platform Likes & Dislikes

Top Corelight Open NDR Platform Alternatives

1. Darktrace / NETWORK

2. Vectra AI Platform

3. RevealX

Corelight Open NDR Platform Reviews and Ratings

Corelight NDR enabling streamlined and precise incident analysis through network metadata

Corelight Improves Network Visibility But Requires Careful Tuning and SIEM Planning

Corelight's data and evidence is the real hero

Death of NDR is greatly exaggerated

Excellent customer support and GUI makes administration simple

4.8

(129 Ratings)

Rating Distribution

Customer Experience

Product Capabilities