Corelight Open NDR Reviews

Name: Corelight Open NDR
Brand: Corelight
Rating: 4.4 (7 reviews)

Vendor: Corelight

4.4 out of 5

7 reviews
100% willing to recommend

Leave a review

What is Corelight Open NDR?

Corelight Open NDR delivers rapid deployment, essential insight, and data for cybersecurity. Known for ease of use, cost-effectiveness, and open-source Zeek code, it enhances security by streamlining traffic monitoring and integrating with threat feeds.

Get the Corelight Open NDR Buyer's Guide and find out what your peers are saying about Corelight Open NDR, Darktrace, TrendAI Vision One and more!

Corelight Open NDR is the #3 ranked solution in Network Traffic Analysis tools and #7 ranked solution in top Network Detection and Response (NDR) solutions. PeerSpot users give Corelight Open NDR an average rating of 8.8 out of 10. Corelight Open NDR is most commonly compared to Darktrace: Corelight Open NDR vs Darktrace. Corelight Open NDR is popular among the large enterprise segment, accounting for 52% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 12% of all views.

Helped 893,221 peers since 2012

Featured Corelight Open NDR reviews

reviewer2834367

Growth And Strategy Lead at a computer software company with 51-200 employees

Before Corelight recently started pushing some of the agentic features, querying at times could be a little difficult, depending on your mastery of log scale. However, I think with a lot of the artificial intelligence that they are building in, it is getting a lot easier to query in the platform. I would definitely encourage them to continue down that path where anybody can hop into the platform and start running queries, whether it is a simple instruction like I want this, and an artificial intelligence process can actually build the query and do it. I think that would be super powerful. Cyber skill sets are in high demand, and there is a huge backlog in cyber talent. We cannot fill all the positions we need. The easier we can make these cyber systems for people to pick up and be effective on, I think is really key. Explainability of data is hyper important. In the past few artificial intelligence related updates we have gotten from Corelight, that has been one of the first questions our team has asked every time or that I have asked: show me what the model is doing, show me how it came to this analysis. Within Investigator platform, they are able to walk through and see exactly what data the artificial intelligence pulled from where and why it did what it did as far as making its suggestions. They have definitely built their system with artificial intelligence in mind up front, and having that openness as one of the key features of any of their artificial intelligence and machine learning processes in the platform is important. The issue with black boxes is obviously hallucinations from artificial intelligence and just not being able to trace to ground truth. When we are talking about these cyber incidents and being able to do forensics, you need to be able to pinpoint and tie everything together, and black boxes really obscure that and prevent you from doing so. Corelight has done a really good job of making sure that everything is explainable and everything is mapped when it comes to leveraging any of their artificial intelligence features.

Read full review

Anthony Budrecki

Principle Security Architect at Eversource Energy

I appreciate the Fleet Manager feature of Corelight Open NDR, which allows me to manage the Suricata policy across my entire fleet of Corelight sensors. I also value the fact that Corelight has embraced the Suricata engine, giving me the benefits of an open-source platform and all that comes with that in terms of the open-source rule set that I can feed into the Suricata engine. I have a professional subscription, so I am getting some of the professional rules and all the open-source rules. The vast array of Suricata rules makes it an excellent model. Corelight Open NDR has had a positive impact on my company. The benefits include visibility, as the Suricata engine can scan huge volumes of traffic. I feed it both north-south and east-west traffic, gaining scans of traffic that I typically do not get a lot of visibility into at a detailed level and seeing signatures in my traffic that I was not expecting. Most of which turn out to be false positives, but the awareness of them being there is very beneficial because they are often associated with old code or bad group policies that have not been cleaned up, leaving holes and exposures that need to be addressed. I can catch these with the Suricata alerts.

Read full review

Dan Jeske

Account Executive at Fishtech Group

We use the solution for packet capture sampling. We offer it as part of our managed service. It's so we can identify east-west traffic on a customer's network Corelight is low-cost and made on open-source, and the code is Zeek. It's an easy way for us to get visibility in a client's environment.…

Read full review

Corelight Open NDR mindshare

Product category:

As of May 2026, the mindshare of Corelight Open NDR in the Network Detection and Response (NDR) category stands at 4.9%, down from 5.5% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Network Detection and Response (NDR) Mindshare Distribution
Product	Mindshare (%)
Corelight Open NDR	4.9%
Darktrace	14.8%
Vectra AI	11.2%
Other	69.1%

Network Detection and Response (NDR)

PeerResearch reports based on Corelight Open NDR reviews

Type	Title	Date
Category	Network Detection and Response (NDR)	May 9, 2026	Download
Product	Reviews, tips, and advice from real users	May 9, 2026	Download
Comparison	Corelight Open NDR vs Darktrace	May 9, 2026	Download
Comparison	Corelight Open NDR vs Vectra AI	May 9, 2026	Download
Comparison	Corelight Open NDR vs TrendAI Vision One	May 9, 2026	Download

Valuable Features

Corelight Open NDR users highly value the Fleet Manager for managing Suricata policies across sensors. The platform offers strong visibility into network traffic, benefiting from extensive Suricata rule sets. Integration with additional feeds like CrowdStrike enhances intelligence. Users appreciate the powerful network analysis capabilities of Investigator, which includes machine learning for alert management. Its open-source foundation, easy deployment, and integration abilities provide valuable insights for cybersecurity.

"Corelight Open NDR has had a positive impact on my company, providing visibility as the Suricata engine can scan huge volumes of traffic, including north-south and east-west, revealing signatures and exposures I was not expecting and enabling me to catch them with Suricata alerts."
"Our company has seen massive improvements in cybersecurity position for our clients."
"Corelight makes much easier the remediation of cyber attacks; instead of facing a chaotic amount of logs, Corelight provides correlated metrics that allow pivoting to find, in seconds, all the data related to an alert, detection, or asset."

Room for Improvement

Some users suggest improving Corelight Open NDR's interface to be more interactive and user-friendly. Others mention the complexity of the architecture and the absence of a graphical user interface. While some appreciate Corelight's integration with artificial intelligence, the price remains a concern for several users. There is a suggestion for consolidating features into a single platform to simplify its usage. Users acknowledge the importance of explainable artificial intelligence in the system.

"Before Corelight recently started pushing some of the agentic features, querying at times could be a little difficult, depending on your mastery of log scale."
"Machine learning could be a good improvement, but it's very costly."
"They can enhance the interface of the product. They can make it more interactive and also easier to use for feature access."

ROI

Users reported significantly positive ROI from Corelight due to enhanced visibility into network traffic and efficient threat detection. Teams have reduced incident response times and operational costs. Financial investments in Corelight were justified by improved network security and lower manual intervention.

Pricing

Enterprise buyers find Corelight Open NDR's pricing to vary based on specific needs and knowledge level. It's perceived as both appropriately priced and expensive compared to alternatives. The licensing is subscription-based, offered as a yearly fee that includes software as a service and sensor costs. Although some consider it surprisingly affordable, others view it as pricey if lacking technical expertise. Corelight Investigator leverages open-source benefits while integrating hardware maintenance.

"It's a yearly fee and depends on what you are looking for."

Popular Use Cases

Corelight Open NDR is primarily used for network monitoring and threat detection. Users leverage features such as Suricata for alerting on indicators of compromise. It is deployed in various environments, including defense sectors, to protect critical industries. Organizations utilize it for incident response and threat hunting, involving packet capture sampling and cyber visibility enhancement. Corelight is deployed with physical, cloud, and virtual sensors to monitor internet, data center, and LAN traffic.

Service and Support

Corelight Open NDR customer service and support are praised for their effectiveness and dedication. Users find the support team responsive, helpful, and knowledgeable, often guiding them with technical challenges and automated processes. The availability of a customer success manager and technical account manager is highly regarded. Those engaging with Corelight Open NDR enjoy close collaboration, proactive communication, and beneficial involvement in advisory boards, reflecting their commitment to continuous improvement and strong partnership.

Deployment

Corelight Open NDR's initial setup is generally viewed as straightforward and easy, with many deployments being handled remotely. Users appreciate the simplicity, quickness, and minimal configuration requirements, involving virtual machines or pre-installed sensors. A few users mention the necessity for expertise in complex environments and note possible challenges with larger customers. It requires basic network integration, and initial monitoring involves tuning to enhance threat detection. Some stress the effective remote execution for configuration and deployment.

Scalability

Corelight Open NDR demonstrates versatility and ease in scaling, accommodating diverse organizational needs with flexible throughput capabilities. Users report seamless management and growth potential with deployments ranging from one to ten gigabits per second, effectively supporting both large, complex enterprises and smaller companies. Those in various locations, like the Middle East, find it easy to expand, especially within Kubernetes environments, simply through machine addition, ensuring continued performance without complications.

Stability

Corelight Open NDR is praised for its stable performance and reliability. Users note that it operates smoothly as standard LAMP stacks and Linux kernel appliances. Fleet Manager enhances sensor management. New updates are clean without causing problems or disruptions. Based on Zeek, a trusted solution for over two decades, Corelight impresses with its consistent functionality. Users consistently report no significant technical issues, emphasizing its maturity and predictability.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Corelight Open NDR Buyer's Guide for additional reliable information.

Review data by company size

By reviewers
Company Size	Count
Small Business	4
Midsize Enterprise	2
Large Enterprise	1

By reviewers

By visitors reading reviews
Company Size	Count
Small Business	130
Midsize Enterprise	83
Large Enterprise	232

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

12%

Government

12%

Real Estate/Law Firm

Computer Software Company

Manufacturing Company

Healthcare Company

Educational Organization

Media Company

Comms Service Provider

University

Performing Arts

Retailer

Energy/Utilities Company

Pharma/Biotech Company

Insurance Company

Construction Company

Non Profit

Legal Firm

Outsourcing Company

Hospitality Company

Security Firm

Transportation Company

Recreational Facilities/Services Company

Sports Company

Wholesaler/Distributor

Compare Corelight Open NDR with alternative products

Learn more about Corelight Open NDR

Corelight Open NDR offers organizations enhanced network security and visibility, utilizing physical sensors in addition to cloud, virtual, and software variants. It supports incident response with packet capture sampling, monitoring internet, data center, and LAN traffic while facilitating east-west traffic identification. Despite its complexity, users suggest architectural simplifications and a graphical interface to boost usability and reduce costs. Features like Smart PCAP and service catalogs contribute positively, but an interactive interface with more seamless feature access is desired.

What Are Corelight Open NDR's Key Features?

Quick Deployment: Allows rapid implementation in varied environments.
Comprehensive Insight: Offers in-depth data and visibility for effective cybersecurity.
Ease of Handling: Designed for simplicity and cost-efficiency in complex networks.
Open-Source Zeek Code: Provides transparency and flexibility in operations.
Integrated Threat Feeds: Streamlines threat detection and analysis.
Suricata IDS: Enhances existing security frameworks effectively.
Custom Dashboards: Enables tailored task-specific visualizations.

What Benefits Should Users Consider?

Cost-Effectiveness: Delivers impressive cybersecurity capabilities at a competitive price.
Scalability: Offers solutions from physical to cloud-based implementations.
Enhanced Security: Strengthens incident response and threat detection efforts.
Ease of Use: Simplifies complex security processes for improved efficiency.

Primarily utilized by organizations to bolster network security, Corelight Open NDR is deployed in various sectors to increase visibility and streamline incident response. Its deployment spans physical, cloud, virtual, and software models, focusing on comprehensive packet capture sampling for effective traffic monitoring. Across industries, it serves managed services by identifying lateral network traffic, optimizing internet, data center, and LAN performance.

Corelight Open NDR was previously known as Corelight Open NDR.

Corelight Open NDR customers

Carrefour
Ednon
Grand Canyon Education
SektorCERT
Tietoevry
Volkswagen Financial Services

Product Categories

Network Detection and Response (NDR)

Network Traffic Analysis (NTA)

Popular Comparisons

Darktrace vs Corelight Open NDR

TrendAI Vision One vs Corelight Open NDR

Vectra AI vs Corelight Open NDR

VMware NSX vs Corelight Open NDR

Cisco Secure Network Analytics vs Corelight Open NDR

Gigamon Deep Observability Pipeline vs Corelight Open NDR

Stellar Cyber Open XDR vs Corelight Open NDR

NetWitness NDR vs Corelight Open NDR

ExtraHop Reveal(x) vs Corelight Open NDR

Trellix Network Detection and Response vs Corelight Open NDR

SolarWinds NetFlow Traffic Analyzer vs Corelight Open NDR

Flowmon vs Corelight Open NDR

Lumu vs Corelight Open NDR

ExtraHop Reveal(x) 360 vs Corelight Open NDR

Plixer Scrutinizer vs Corelight Open NDR

See all alternatives

Corelight Open NDR Reviews Summary
Author info	Rating	Review Summary
Growth And Strategy Lead at a computer software company with 51-200 employees	4.5	No summary available
Principle Security Architect at Eversource Energy	4.0	I've used Corelight Open NDR for three years, finding its Suricata engine crucial for IoC alerting and visibility. It's an excellent, stable product with great support, delivering positive ROI and vital structured evidence for AI.
Account Executive at Fishtech Group	4.0	I use Corelight for east-west traffic visibility, finding it stable, scalable, and offering immediate ROI due to its low cost and easy setup. However, I note that new features haven't been added recently.
Technical Sales Manager at Spire Solutions	3.5	I rate Corelight a 7/10. It's excellent for traffic monitoring, stable, and scalable with powerful threat detection and integrations. However, I found its architecture complex, setup difficult, and pricing high.
Manage Consultant at SITE	4.0	I use Corelight for customer incident response. It's easy to deploy, handle, and scalable, with good support. I'd improve the interface's interactivity and feature access. Despite this, I rate it 8/10, preferring it for its rule-based approach over alternatives.
Pre Sales Technician at DotForce	5.0	I find Corelight an excellent, stable, and affordable solution for network traffic analysis, providing crucial data for cyber security. It integrates well and simplifies incident remediation, despite initially lacking machine learning. I highly recommend it.
Chief Executive Officer at NetMetrix	4.0	I use Corelight for security, valuing its embedded Suricata IDS. While stable and scalable, it is expensive and needs a GUI. Setup is easy, and support is good. I rate it 8/10.

Title	Rating	Mindshare	Recommending
Darktrace	4.1	14.8%	95%	84 interviews Add to research
TrendAI Vision One	4.3	3.4%	98%	107 interviews Add to research

Corelight Open NDR Reviews

What is Corelight Open NDR?

Featured Corelight Open NDR reviews

Corelight Open NDR mindshare

PeerResearch reports based on Corelight Open NDR reviews

Valuable Features

Room for Improvement

ROI

Pricing

Popular Use Cases

Service and Support

Deployment

Scalability

Stability

Review data by company size

Top industries

Compare Corelight Open NDR with alternative products

Learn more about Corelight Open NDR

Corelight Open NDR customers

Related questions

Product Categories

Popular Comparisons