Corelight DefeNDRs

PODCAST · technology

Gain clear, actionable intelligence from Corelight’s network defense experts. Corelight DefeNDRs translates complex cybersecurity detection challenges into concise, practical episodes designed to support faster, smarter decision-making across modern security teams.

  1. Episode 13 - Battle-Hardened Research: Navigating the Intersection of AI and Open Source

    Richard Bejtlich sits down with Ali Islam to pull back the curtain on how a security research lab functions within a modern security company. Moving beyond the "ivory tower" of academia, Ali explains why researchers must be battle-hardened by real-world threat actor techniques to remain effective in the field. The conversation dives into Corelight’s unique commitment to the open source community through the direct funding of Zeek and Suricata developers, ensuring that community-driven tools can scale to meet massive enterprise traffic demands. Finally, they explore the accelerating role of artificial intelligence in cybersecurity, weighing its ability to reduce analyst fatigue against the growing sophistication of AI-powered phishing and malware development.

  2. Episode 12 - The Agentic SOC: Upleveling Analysts with AI Knowledge Multipliers

    Richard Bejtlich sits down with Stan Kiefer, Corelight’s Senior Manager for Data Science, to discuss how AI serves as a vital "abstraction layer" and "knowledge multiplier" for security analysts. Stan explains that while AI can synthesize complex information, it remains untrustworthy without high-fidelity network data at its center to provide verifiable evidence. The episode explores the shift toward an "agentic ecosystem" and a tiered architecture where a central orchestrator manages specialized sub-agents to accelerate detection and investigation. Looking toward the future, Stan envisions a hybrid SOC environment where adaptive systems learn an analyst's specific workflows to automate routine tasks, acting as a professional companion that can cut the time needed to reach competency in half.

  3. Episode 11 - The AI Maturity Journey: Data, Agents, and the Shift from Craft to Art

    Richard Bejtlich talks with Vijit Nair, VP of Product at Corelight, about the evolving "AI Maturity Journey" for modern security teams. Vijit outlines a three-level spectrum of AI adoption, moving from basic human-driven assistance to automated swarms of agents, and eventually toward fully autonomous systems. They discuss why high-quality, unopinionated data remains the essential foundation for building trust in AI and how technologies like the Model Context Protocol (MCP) are turning human language into the primary interface for tool integration. The conversation explores the partnership between Corelight and CrowdStrike Charlotte AI as a real-world example of this connected ecosystem. Finally, Vijit and Richard reflect on how AI is "eating the craft" of security—automating away the mind-numbing manual tasks of a SOC—to allow analysts to focus on the "art" of judgment, creativity, and strategic defense.

  4. Episode 10 - From Lab Research to Founder: Grit and The Leap into Cybersecurity

    Richard Bejtlich sits down with Greg Bell, Corelight co-founder and Chief Strategy Officer, to explore the transition from elite academic research to the world of venture-backed startups. Greg shares the "light bulb moment" at Lawrence Berkeley National Laboratory that led a group of scientists to turn Zeek (formerly Bro) into a commercial reality. The conversation covers the "virtuous cycle" between open-source projects and sustainable business models, explaining why professional maintenance is critical for mission-critical software. Greg also offers practical perspective for the next generation of defenders, discussing the role of "applied curiosity" in a shifting job market and his personal experience with the "grit" required to leave a secure career for the uncertainty of a startup. Whether you are a network operator or interested in the mechanics of tech entrepreneurship, this episode offers a candid look at the challenges of bridging the gap between research and industry.

  5. Episode 9 - Federal Cyber Defense: Legacy Debt, Cloud Shifts, and Network Truth

    Richard Bejtlich sits down with Jean Schaffer, Corelight’s Federal CTO, to discuss the unique hurdles facing government agencies in an era of escalating state-sponsored threats. Jean highlights the persistent challenge of legacy IT infrastructure and the "technical debt" that complicates modernization efforts across the Department of Defense, the intelligence community, and the civilian sector. The conversation explores the strategic shift toward cloud adoption as a means to decommission vulnerable on-premise hardware and the evolving "whole of nation" defense strategy that requires deeper public-private partnerships. Jean also offers her perspective on the risks and rewards of open-source software in government environments, emphasizing the importance of code provenance. Finally, they delve into why Zero Trust architectures still require robust network telemetry as a foundational element to verify that security policies are actually working in the real world.

  6. Episode 8 - Enterprise Nervous System: Using Network Signal to Direct Business Strategy

    In this episode of Corelight DefeNDRs, I'm joined by Bernard Brantley, Chief Information Security Officer at Corelight, as we delve into the concept of the enterprise nervous system. Bernard shares insights from his extensive experience in network analysis, explaining how organizations can leverage their network traffic data to enhance security and drive business outcomes. We discuss the importance of understanding the interdependencies between assets, processes, and goals, and how security teams can position themselves as integral to business success rather than just risk mitigators. Join us as we explore how security can effectively align with business strategies, fostering a culture of proactive engagement and intelligence sharing.

  7. Episode 7 - Practical AI for Zeek, MITRE, and Security Docs

    In Episode 7 of Corelight DefeNDRs, join me, Richard Bejtlich, as I sit down with Dr. Keith Jones, Corelight's principal security researcher, to discuss the practical applications of AI in enhancing network security. We delve into how large language models (LLMs) can assist in cleaning up documentation and generating Zeek scripts, sharing insights from our extensive experience in incident response and coding. Keith reveals the challenges and successes he has encountered using LLMs to streamline processes, including their role in analyzing MITRE techniques. Whether you're a seasoned coder or new to the field, this episode offers valuable perspectives on leveraging AI tools to improve efficiency and effectiveness in security operations. Tune in for a thought-provoking conversation that bridges AI innovation with real-world cybersecurity challenges.

  8. Episode 6 - Detecting DNS Covert Channels in the Wild (Part 2)

    In Episode 6 of Corelight DefeNDRs, we delve deeper into the fascinating world of DNS covert channels with Vern Paxson, our chief scientist and co-founder. Continuing from our previous discussion, Vern shares his insights on techniques developed to detect these stealthy channels utilized by intruders to evade security measures. We explore the innovative approach of leveraging time series analysis of DNS lookups, how to distinguish benign traffic from potential threats, and the real-world implications of our findings across significant datasets. This episode is a must-listen for anyone interested in enhancing their understanding of network detection and response, as we uncover the delicate balance between legitimate data communication and covert malicious activity. Join me as we navigate these complex yet critical aspects of cybersecurity.

  9. Episode 5 - Detecting DNS Covert Channels in the Wild (Part 1)

    In Episode 5 of Corelight DefeNDRs, I, Richard Bejtlich, engage with Corelight's co-founder and chief scientist, Vern Paxson, to delve into the intricate world of DNS covert channels. We explore how adversaries exploit DNS lookups to silently communicate within tightly controlled enterprise environments. Vern explains various methods attackers may use, from encoding data in seemingly benign domain names to manipulating the timing of requests. Our discussion highlights the challenges of detecting these covert channels, especially in the presence of network monitoring. Join us as we uncover the nuances of this critical cybersecurity issue and set the stage for part two, where Vern will share insights from his extensive research on detecting these covert channels in production networks. Stay tuned for more on the network.

  10. Episode 4 - Staying Curious: Lessons from 25 Years in Cybersecurity

    In Episode 4 of Corelight DefeNDRs, I sit down with Angela Loomis, Corelight's Director of Technical Account Management, to explore her remarkable 25-year journey in cybersecurity. Angela shares her unconventional entry into the field, starting from a background in television production to becoming a leader in security strategy. We delve into the importance of curiosity in cybersecurity, discussing how diverse experiences enrich the profession, and whether formal education might dampen that curiosity. Angela also reflects on her roles across various organizations, emphasizing the value of deep product understanding and customer engagement. Join us for an insightful conversation that highlights the evolving landscape of cybersecurity and the lessons learned from decades of experience.

  11. Episode 3 - Network Visibility in the Cloud: Why Network Traffic Analysis Remains Critical

    Richard Bejtlich discusses cloud security from a network-centric perspective with Corelight's cloud security researcher, David Burkett. They explore why monitoring network traffic remains essential in cloud environments, despite the presence of native security features offered by cloud providers. David highlights common threats such as container compromises, coin miners, and supply chain attacks, emphasizing the value of traffic visibility for detecting unusual behaviors and breaches. The episode delves into practical approaches like baselining cloud workloads, analyzing ingress and egress traffic, and the unique advantages of monitoring cloud infrastructure through network-based taps. Tune in to discover how organizations can enhance their cloud security strategies through proactive network visibility.

  12. Episode 2 - Inside the Black Hat NOC: Defending a Hostile Conference Network

    Richard Bejtlich talks with Corelight Principal Technical Marketing Engineer Mark Overholser about what it takes to run the Black Hat Network Operations Center and keep a "hostile" training network safe. They walk through how partners like Corelight, Cisco, Palo Alto Networks, Arista, and Lumen build and monitor the conference network, how the team tells lab traffic from real infections, and why misconfigured self-hosted services still show up in surprising ways. Mark shares how the NOC works together in one room to investigate issues, when they decide to block or intervene, and practical advice for attendees on preparing their devices, monitoring their own traffic with tools like Zeek, and staying safe on conference Wi-Fi without living out of a Faraday bag.

  13. Episode 1 - Typhoon Season: How Chinese Threat Actors Are Quietly Staging for Disruption

    Richard Bejtlich sits down with Vince Stoffer, Corelight's Field CTO, to dive into the recent wave of cyberattacks attributed to Chinese threat actors, known as "Typhoon" groups. Vince unpacks the distinctions between "Volt Typhoon," targeting critical infrastructure sectors such as energy and transportation, and "Salt Typhoon," which is infiltrating telecommunications networks for espionage. The conversation explores the evolving tactics, techniques, and procedures (TTPs) used by these groups, including their exploitation of zero-day vulnerabilities and outdated infrastructure. Richard and Vince discuss the challenges of securing public-facing appliances and critical infrastructure and highlight the importance of robust network visibility and proactive threat detection strategies. Tune in to discover actionable insights on how organizations can better defend against sophisticated state-sponsored cyber threats.

HOSTED BY

Richard Bejtlich
