Corelight adds passive asset visibility to Open NDR
Fri, 19th Jun 2026
Corelight has added native network performance monitoring and passive asset classification to its Open NDR platform, expanding its network detection and response offering to include asset visibility.
The update is aimed at security teams that want to identify devices and services communicating on a network without using software agents or scheduled scans. The same Zeek-based analysis engine used for detections now classifies assets from traffic already being collected.
Corelight said this approach is designed to cover systems often missed by endpoint tools and configuration databases, including operational technology, internet-connected devices, unmanaged endpoints and unauthorised artificial intelligence tools. The platform also extends visibility to more than 180 AI services.
Asset visibility
Passive asset classification identifies devices by analysing protocol fingerprints in observed traffic. Each asset is classified by device type, operating system, hardware manufacturer, model and network role, such as client, server, gateway or DNS resolver.
Because the system works from live traffic rather than periodic polling, the inventory updates when a device communicates on the network. That gives security teams a more current view of assets than agent-based or scan-based tools alone, according to Corelight.
The release also adds network performance monitoring. The feature extracts signals including TCP round-trip time, client-side and server-side latency, DNS resolution timing, and TLS or QUIC handshake metrics.
Instead of sending a constant stream of telemetry into monitoring and security systems, the feature uses alerts triggered when thresholds are crossed. Those alerts are tied to service names, including DNS query names, TLS server name indication, HTTP host headers and QUIC, rather than relying only on IP addresses.
Each alert includes the connection identifier of the first connection that triggered the threshold, allowing analysts to move from a performance issue to the underlying connection log. Corelight said this is intended to help network and security teams investigate incidents from the same underlying data.
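The alerting model described above, sketched as an added example that is not Corelight's code: breaches are grouped by observed service name rather than by IP address, and each alert carries the identifier of the first connection that crossed the threshold. The records are constructed; `uid`, `id.resp_h`, `server_name`, `host` and `query` are Zeek log field names, while `rtt_ms`, the 250 ms threshold and the re-arm behaviour are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed sample records, shaped like joined Zeek log entries.
# rtt_ms is a hypothetical latency field, not a standard Zeek column.
RECORDS = [
    {"ts": 1.0, "uid": "CaAAA1", "id.resp_h": "203.0.113.10", "server_name": "api.example.test", "rtt_ms": 40},
    {"ts": 2.0, "uid": "CaAAA2", "id.resp_h": "203.0.113.11", "server_name": "api.example.test", "rtt_ms": 310},
    {"ts": 3.0, "uid": "CaAAA3", "id.resp_h": "203.0.113.12", "host": "api.example.test", "rtt_ms": 420},
    {"ts": 4.0, "uid": "CaAAA4", "id.resp_h": "198.51.100.5", "query": "intranet.example.test", "rtt_ms": 15},
    {"ts": 5.0, "uid": "CaAAA5", "id.resp_h": "198.51.100.9", "rtt_ms": 500},
    {"ts": 6.0, "uid": "CaAAA6", "id.resp_h": "203.0.113.10", "server_name": "api.example.test", "rtt_ms": 35},
    {"ts": 7.0, "uid": "CaAAA7", "id.resp_h": "203.0.113.13", "server_name": "API.example.test.", "rtt_ms": 390},
]

@dataclass
class Alert:
    service: str
    first_uid: str    # connection that first crossed the threshold
    first_ts: float
    breaches: int = 1

def service_name(rec):
    """Prefer an observed name (SNI, HTTP Host, DNS query); fall back to the IP."""
    for field in ("server_name", "host", "query"):
        name = rec.get(field)
        if name:
            return name.rstrip(".").lower()
    return rec["id.resp_h"]

def threshold_alerts(records, threshold_ms=250):
    """Return one alert per breach episode per service, not one per connection."""
    open_alerts, alerts = {}, []
    for rec in sorted(records, key=lambda r: r["ts"]):
        svc = service_name(rec)
        if rec["rtt_ms"] > threshold_ms:
            if svc in open_alerts:
                open_alerts[svc].breaches += 1
            else:
                open_alerts[svc] = Alert(svc, rec["uid"], rec["ts"])
                alerts.append(open_alerts[svc])
        else:
            open_alerts.pop(svc, None)  # back under threshold: re-arm
    return alerts

if __name__ == "__main__":
    for alert in threshold_alerts(RECORDS):
        print(alert)
```

The two slow connections to `api.example.test` land on different responder IPs but produce a single alert, and its `first_uid` is the value an analyst would search for in the connection log.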
AI pressure
The launch comes as cyber security suppliers and enterprise users focus more closely on the use of AI in attacks as well as defence. Corelight framed the new features as a response to what it described as a growing gap between the speed at which vulnerabilities can be exploited and the speed at which organisations can patch systems.
"AI-powered tools enabled by Mythos-class models can now discover and weaponize zero-day vulnerabilities at machine speed, creating a state of permanent vulnerability where no organization can patch its way to safety. In this environment, you cannot defend what you cannot see," said Vijit Nair, Vice President of Product at Corelight.
"Every unmanaged device, shadow IT endpoint, shadow AI platform and service, and OT asset that cannot be seen by agent-based tools is a potential entry point for an adversary. Corelight closes that gap, turning the network itself into a continuously current inventory of everything that communicates, with no agents, no scan cycles, and no blind spots. The same sensor that classifies assets also detects the exploitation that follows if one of them is compromised," Nair said.
Corelight said the asset inventory feeds into anomaly detection that combines machine learning methods with behavioural and signature-based techniques. It added that the data can also be used with endpoint detection and response, identity and firewall products through integrations.
The company also argued that the structured metadata generated from network traffic can support AI tools used inside security operations centres. In its view, adding asset, identity and performance context to alerts can help analysts sort incidents more quickly and reduce false positives.
A user at a large manufacturing business said the additional visibility could speed up investigations in mixed IT and OT environments. "In incident response, a fast mean-time-to-understanding is everything," said the Head of Network Incident and Response at a Fortune 100 manufacturing enterprise.
"Corelight's passive asset classification provides our security operations team with immediate, accurate IT and OT device visibility right where we are already analyzing traffic, allowing network defenders to drastically accelerate triage and investigate alerts with confidence," the executive said.
Industry analysts also linked the launch to a broader shift in cyber risk management. "Mythos-class AI capabilities have effectively ended the era in which organizations could manage cyber risk through patching discipline alone," said Chris Kissel, Research Vice President at IDC Security & Trust.
"The unknown attack surface - unmanaged endpoints, OT devices, unauthorized AI tooling, assets that have never appeared in a CMDB - is precisely where AI-powered adversaries will look first, because it is where defenders are least prepared. Network-level asset classification that operates continuously and passively is the only mechanism that scales to match that reality," Kissel said.