
Network security startup Corelight reels in $150M – Business



Corelight Inc., a startup using open-source tools to detect malicious traffic in enterprise networks, today disclosed that it has closed a $150 million Series E funding round.

Returning backer Accel led the investment. It was joined by the venture capital arms of Cisco Systems Inc. and CrowdStrike Holdings Inc., both major players in the cybersecurity market. The two companies provide product integrations for Corelight’s software that allow their respective customers to more easily access the alerts and network telemetry it produces.

Corelight’s flagship product, the Open NDR Platform, analyzes the traffic that flows through a company’s network to find signs of malicious activity. It’s powered by two open-source tools, Suricata and Zeek. The latter, originally named Bro, was created by Corelight co-founder Vern Paxson, a computer science professor who at the time worked at the Lawrence Berkeley National Lab, and was first published in 1998.

Suricata is a signature-based intrusion detection engine: it matches traffic against rules and raises an alert when a connection exhibits behavior typically associated with hacking attempts. Zeek likewise focuses on malicious network activity, but works differently. Rather than alerting on signatures, it parses the protocols it sees and writes a structured log record for every connection, so it captures significantly more detail about a potential breach than Suricata does.

Corelight’s Open NDR Platform combines the two. It uses Suricata to raise alerts, then augments each alert with the more detailed connection record Zeek produced for the same traffic: the network protocol and service in use, the number of bytes sent in each direction, the connection state and any errors that emerged, and a range of other details.

A single connection can generate dozens of data points, and gathering them with traditional breach detection tools can be difficult. Zeek consolidates that telemetry into well-organized logs, which makes it easier for security teams to find the technical information they require for their work.
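The join described in the two paragraphs above, as an added example that is not Corelight’s, Zeek’s or Suricata’s own code: a Suricata EVE JSON alert is matched to the Zeek conn.log record for the same connection on the 5-tuple, and the alert is enriched with Zeek’s service, byte counts, connection state and history fields. The conn.log excerpt and EVE lines are constructed for illustration (the rule name and SID are made up), and the column set used is a subset of Zeek’s default conn.log fields. One caveat the code handles: Suricata reports the matched packet’s own source and destination, so a rule that fires on the server’s reply lists the responder as `src_ip`; the lookup therefore tries the reversed tuple before giving up.

```python
"""Join Suricata EVE alerts with Zeek conn.log records on the connection 5-tuple.

Added example; not Corelight, Zeek or Suricata project code. All log lines
below are constructed for illustration.
"""
import json

# Constructed Zeek conn.log excerpt in Zeek's default TSV layout. Zeek writes
# "-" for unset fields; ts is a Unix epoch float. Only a subset of the real
# conn.log columns is included.
ZEEK_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\t"
    "service\tduration\torig_bytes\tresp_bytes\tconn_state\thistory\n"
    "1700000000.123456\tCxyz1\t10.0.0.5\t51234\t203.0.113.9\t443\ttcp\tssl\t"
    "12.5\t4820\t1983321\tSF\tShADadfF\n"
    "1700000001.500000\tCabc2\t10.0.0.7\t40001\t198.51.100.4\t4444\ttcp\t-\t"
    "0.9\t120\t0\tS0\tS\n"
    "1700000002.000000\tCdef3\t10.0.0.5\t53000\t10.0.0.1\t53\tudp\tdns\t"
    "0.01\t60\t120\tSF\tDd\n"
)

# Constructed Suricata EVE JSON lines. Signature names and SIDs are made up
# (local rule range). The third line fires on the server's reply, so its
# src_ip is the responder.
SURICATA_EVE = (
    '{"timestamp":"2023-11-14T22:13:21.500000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","src_port":40001,"dest_ip":"198.51.100.4",'
    '"dest_port":4444,"proto":"TCP","alert":{"signature_id":1000001,'
    '"signature":"LOCAL outbound TCP to port 4444","severity":2}}\n'
    '{"timestamp":"2023-11-14T22:13:22.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","src_port":53000,"dest_ip":"10.0.0.1",'
    '"dest_port":53,"proto":"UDP"}\n'
    '{"timestamp":"2023-11-14T22:13:22.400000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.9","src_port":443,"dest_ip":"10.0.0.5",'
    '"dest_port":51234,"proto":"TCP","alert":{"signature_id":1000002,'
    '"signature":"LOCAL TLS server reply test","severity":3}}\n'
)

CONTEXT_FIELDS = ("uid", "service", "conn_state", "history",
                  "duration", "orig_bytes", "resp_bytes")


def _five_tuple(src, sport, dst, dport, proto):
    """Normalise endpoints so Zeek ('tcp', string ports) and Suricata ('TCP',
    int ports) produce the same dictionary key."""
    return (src, int(sport), dst, int(dport), proto.lower())


def parse_zeek_conn(text):
    """Parse conn.log TSV into {5-tuple: record}, driven by the #fields header."""
    fields, conns = None, {}
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))}
        for k in ("orig_bytes", "resp_bytes"):
            if rec[k] is not None:
                rec[k] = int(rec[k])
        if rec["duration"] is not None:
            rec["duration"] = float(rec["duration"])
        key = _five_tuple(rec["id.orig_h"], rec["id.orig_p"],
                          rec["id.resp_h"], rec["id.resp_p"], rec["proto"])
        conns[key] = rec
    return conns


def lookup_conn(conns, ev):
    """Find the Zeek record for an alert, trying originator->responder first
    and then the reversed tuple for rules that matched the reply direction."""
    fwd = _five_tuple(ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], ev["proto"])
    rev = _five_tuple(ev["dest_ip"], ev["dest_port"], ev["src_ip"], ev["src_port"], ev["proto"])
    return conns.get(fwd) or conns.get(rev)


def enrich_alerts(eve_text, conns):
    """Attach Zeek connection context to every Suricata alert event."""
    enriched = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        conn = lookup_conn(conns, ev)
        row = {"sid": ev["alert"]["signature_id"],
               "signature": ev["alert"]["signature"],
               "severity": ev["alert"]["severity"]}
        row.update({k: (conn[k] if conn else None) for k in CONTEXT_FIELDS})
        enriched.append(row)
    return enriched


if __name__ == "__main__":
    for row in enrich_alerts(SURICATA_EVE, parse_zeek_conn(ZEEK_CONN_LOG)):
        print(json.dumps(row))
```

The first alert joins to a connection whose `conn_state` is `S0` with 120 bytes sent and none received, which tells an analyst the SYN went unanswered; the second joins by the reversed tuple to the completed TLS session. In production the same join is usually done on Community ID, which both tools can emit, rather than on a hand-built tuple.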

The platform integrates Zeek and Suricata with a third, internally developed technology called Smart PCAP. It addresses the fact that full packet capture generates so much data that retaining it is often prohibitively expensive. As a result, companies often store only a few days’ worth of packets, which makes any breach that began earlier difficult to investigate.

Smart PCAP stores only the packets that are needed for breach analysis and discards the rest. According to the company, that arrangement allows customers to retain up to months’ worth of network activity without breaking the bank.

Corelight can collect telemetry from both cloud environments and on-premises infrastructure. For in-house data centers, the company provides hardware appliances that can inspect more than 100 gigabits per second of traffic. The systems support both copper links, which carry packets as electrical signals, and optical fiber links.

“Attackers have no choice but to traverse networks, creating a unique source of insight for defenders to exploit when finding and disrupting advanced threats,” Chief Executive Brian Dye wrote in a blog post. “That evidence in turn is the critical ingredient for AI in security, amplifying the impact of machine learning and multiplying the power of large language models for workflow automation.”

Customers can send the data that the Open NDR Platform collects to a second Corelight product called Investigator. Delivered as a cloud service, it uses machine learning to analyze malicious activity and determine what breach tactics the hackers are using. The Open NDR Platform can also send data to several third-party cybersecurity platforms including products from CrowdStrike and Cisco, two of the participants in Corelight’s new funding round.

The company will spend the capital on product development. It plans to enhance its software’s threat detection features, as well as upgrade the integrations it provides for third-party cybersecurity products. The latter effort is set to place a particular emphasis on third-party SIEM platforms, which pool data from network monitoring tools and other cybersecurity applications in a centralized repository to ease analysis. 

Photo: Unsplash
