Corelight unveils AI triage to speed transparent SOC ops
Corelight has launched an agentic AI suite for security operations teams, led by an automated triage product that groups related security signals and generates evidence-backed investigation outcomes for analyst review.
The release comes as security teams have less time to disrupt intrusions once attackers gain an initial foothold. Research cited by Corelight from ReliaQuest puts the average time before lateral movement at 34 minutes, down from last year.
Agentic Triage
The new product, Agentic Triage, applies structured investigative workflows to handle repetitive triage work in security operations centres. Corelight positions it as a way to reduce manual, alert-by-alert analysis amid high volumes of detections across multiple tools.
Agentic Triage uses expert-written investigative playbooks and an AI agent design. It runs investigations each day against what Corelight calls the highest-risk entities in a customer environment, then produces a single triage verdict for each investigation, with supporting evidence and reasoning an analyst can review.
Corelight says the product can make triage up to 10 times faster and aims to reduce inconsistencies in how different analysts assess similar alerts.
Corelight Vice President of Product Vijit Nair described the product as a combination of network evidence and governed automation.
"By pairing the industry's highest-fidelity network telemetry from Corelight with an expert-governed AI agent, we are giving security teams the evidence they need to trust, verify, and act on AI-generated insights," said Vijit Nair, Vice President of Product, Corelight.
Show your work
A central feature of the release is an emphasis on transparency in automated decisions. Corelight says the system exposes each step in a playbook, each query it runs, and the evidence used to reach its conclusions.
Security teams increasingly face internal requirements to justify incident-handling decisions, especially in regulated sectors and during post-incident reviews. Vendors have also come under scrutiny for opaque AI systems whose recommendations can be difficult to audit.
Andrew Braunberg, Principal Analyst at Omdia, said SOC adoption decisions now hinge on speed and breadth, and he tied that urgency to attackers' increasing use of generative AI.
"The question facing every CISO today is not whether to adopt AI in the SOC, but rather how quickly and how comprehensively," Braunberg said.
"Adding to the urgency is the weaponization of generative models by adversaries to automate reconnaissance, accelerate attacks, and evade detection," he said.
"Defenders need AI that can accelerate response, and critically, that shows its work," he added.
"To build trust in these solutions, explainability isn't a nice-to-have; it's a requirement, particularly in regulated environments," Braunberg said.
Ecosystem integrations
Alongside the new triage workflow, Corelight announced integrations intended to shorten the path from investigation to containment. It now ingests real-time identity data to enrich network evidence and correlate activity to specific entities on a network.
Corelight says analysts can use integrations with Microsoft Azure AD and Entra, as well as CrowdStrike, for one-click identity actions such as universal logout and password resets. These identity response options sit alongside existing actions, including endpoint quarantine and firewall blocks.
Corelight also announced an integration with CrowdStrike's Charlotte AI and Agentic Response Collaboration. Using a CrowdStrike Fusion workflow, Charlotte AI can pull Corelight data as investigation context. Corelight says the workflow validates host activity against network observations to help analysts resolve alerts.
Encrypted traffic models
Corelight also expanded its machine learning detections with statistical models focused on behaviour in encrypted traffic. The company says the models identify tunnelling and VPN anomalies without requiring decryption.
Encrypted traffic remains a persistent challenge for defenders, who often balance inspection needs against privacy rules and operational constraints. Attackers increasingly exploit encrypted channels for command and control and for movement inside compromised environments.
Corelight says its approach relies on traffic "shape" and behavioural metadata, producing signals that can indicate covert command and control and lateral movement when content inspection is not possible.
The new models identify unauthorised VPN use and uncommon tunnelling at the subnet level, Corelight says. The company also says the models can detect credential theft techniques such as DCSync and NTDS.dit dumps, and that it has expanded brute force detection across Kerberos, RDP, SMB, and SSH, including low-and-slow and high-volume attack patterns.
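The two ideas the article keeps returning to, brute-force detection that covers both low-and-slow and high-volume patterns, and a triage verdict that shows each step and the evidence behind it, can be sketched in a few dozen lines. The following is an added example written for this page, not Corelight's code or a description of how Agentic Triage works internally. It parses a constructed, Zeek-style tab-separated authentication log (columns `ts`, `id.orig_h`, `service`, `success`, an assumed layout), counts failures per source and service, and emits a verdict together with the numbered playbook steps and numbers that produced it. The thresholds are assumptions for illustration and would be tuned per environment.

```python
"""Defender-side example: evidence-backed brute-force triage over constructed
authentication records. Not Corelight's code; the log layout, thresholds and
playbook steps are assumptions made for this illustration."""
from bisect import bisect_right
from collections import defaultdict

# Constructed sample log (not real data) in an assumed Zeek-style layout:
# ts<TAB>id.orig_h<TAB>service<TAB>success (T/F)
SAMPLE_LOG = "\n".join(
    # 25 SSH failures from 10.0.0.5 within 50 seconds: high-volume pattern
    [f"{1700000000 + i * 2}.0\t10.0.0.5\tssh\tF" for i in range(25)]
    # one Kerberos failure every 20 minutes for ~4 hours: low-and-slow pattern
    + [f"{1700000000 + i * 1200}.0\t10.0.0.9\tkerberos\tF" for i in range(12)]
    # three RDP failures followed by a success: typical mistyped password
    + [f"{1700000100 + i * 30}.0\t10.0.0.7\trdp\tF" for i in range(3)]
    + ["1700000200.0\t10.0.0.7\trdp\tT"]
)

# Assumed thresholds; tune per environment.
HIGH_VOLUME_FAILS = 20      # failures ...
HIGH_VOLUME_WINDOW = 60.0   # ... inside this many seconds
SLOW_MIN_FAILS = 10         # failures ...
SLOW_MIN_SPAN = 3600.0      # ... spread over at least this many seconds
SLOW_MAX_PER_MINUTE = 3     # ... with no single minute above this count


def parse(log_text):
    """Parse the constructed records into sorted (ts, src, service, ok) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, service, success = line.split("\t")
        events.append((float(ts), src, service, success == "T"))
    return sorted(events)


def max_in_window(times, window):
    """Largest number of sorted timestamps falling inside any span of `window` seconds."""
    best = 0
    for i, t in enumerate(times):
        j = bisect_right(times, t + window)  # first index past the window
        best = max(best, j - i)
    return best


def triage(events):
    """Return one verdict per (source, service) plus the evidence that produced it."""
    fails = defaultdict(list)
    successes = defaultdict(int)
    for ts, src, service, ok in events:
        if ok:
            successes[(src, service)] += 1
        else:
            fails[(src, service)].append(ts)

    verdicts = {}
    for (src, service), times in fails.items():
        span = times[-1] - times[0]
        burst = max_in_window(times, HIGH_VOLUME_WINDOW)
        per_minute = max_in_window(times, 60.0)
        # Each playbook step records the query it ran and the number it saw,
        # so an analyst can check the reasoning rather than trust the label.
        evidence = [
            f"step 1: failures from {src} to {service}: {len(times)}",
            f"step 2: max failures in any {HIGH_VOLUME_WINDOW:.0f}s window: {burst}",
            f"step 3: span first-to-last failure: {span:.0f}s; max per minute: {per_minute}",
            f"step 4: successful logins from {src} to {service}: {successes[(src, service)]}",
        ]
        if burst >= HIGH_VOLUME_FAILS:
            verdict = "high-volume brute force"
        elif (len(times) >= SLOW_MIN_FAILS and span >= SLOW_MIN_SPAN
              and per_minute <= SLOW_MAX_PER_MINUTE):
            verdict = "low-and-slow brute force"
        else:
            verdict = "benign / insufficient evidence"
        verdicts[(src, service)] = {"verdict": verdict, "evidence": evidence}
    return verdicts


if __name__ == "__main__":
    for (src, service), result in triage(parse(SAMPLE_LOG)).items():
        print(f"{src} -> {service}: {result['verdict']}")
        for line in result["evidence"]:
            print("    " + line)
```

The low-and-slow rule is the one worth studying: it deliberately requires a long span and a low per-minute ceiling, because a per-minute threshold alone is exactly what a patient guesser stays under. Step 4 is recorded as evidence without changing the verdict; a success following a run of failures is the detail an analyst would want surfaced rather than buried.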
Corelight is expected to demonstrate Agentic Triage at the RSA Conference in San Francisco later this month.