Loading summary
A
Foreign. I'm James Wilson from Risky Business and welcome to this sponsored interview with corelight's VP of Product, Vijit Nair. In the last week or so we've seen a US export control that effectively forced Anthropic to take their Fable and Mythos models offline. And while that may have prevented access to that specific model, the advice that we saw issued from the five eyes this week essentially says that really the the genie is out of the bottle in terms of trying to contain these large language models with advanced cybersecurity capabilities. It's no longer just the domain of the frontier models. And in fact the open weight models are not just catching up more rapidly than ever. A lot of them are already demonstrating the ability to find the same class and volume of bugs as these Mythos class or even Codex ChatGPT 5.5 cyber models. So this is placing immense pressure on CISOs and defenders to ensure that they are leveraging these capabilities faster than attackers can integrate them. In this interview Vijit and I talked about how even with an advanced LLM at their disposal, defenders need more. They need structured data, high quality data, and most importantly, a strategy that combines both proactive and reactive elements. Proactive insofar as enumerating assets, understanding your threat models, implementing mitigations. But as Vijay says, it's just as important to make sure that you've got reactive things in place that will help, you know, well, frankly, does reality match the model that you thought? And are these mitigations working as well as you planned? And of course corelight has a role to play here because they make network detection and response hardware that operates at incredible line rates and it's basically a heavily optimized version of the open source Zeek network detection software running on their own custom hardware. But they also recently combined it with some magentic triage features that really help to provide customers with that tool set to give them that ability to create proactive and reactive strategies in the face of this growing threat from immensely capable LLMs. So I'll drop you here into our chat where Vijit talks about the pivots and prioritization calls the Callite is making to assist their customers right now. But then we also branch out into vendor agnostic practical advice to help all defenders. Enjoy.
B
Yeah, two main areas that we are getting a lot of feedback from our customers and we are pivoting the way we think about the product to focus on. Right One is as teams are taking their one management practice into overdrive, one of the big gaps they have is all of your management or tools are focused on your posture, which is a static way of thinking about your environment. It's a picture that doesn't change as much. But what they're missing in terms of visibility is what's actually happening. Right, like what all assets, you know, how are all these assets connected and talking to each other? What do the attack paths look like? I know I have these assets with these CDSS scores on them. Well, which of them are getting popped right now? Right. Like they don't have all of that visibility. So in some ways, you know, what our customers are asking for and what we're bringing to provide is much deeper visibility into what assets you have in your environment, what kind of vulnerabilities those assets have, how are they connected to each other, and what's actually getting exploited so that that can directly drive prioritization into your one man, one patching process and so on. And over time, you know, we want this to be a living, breathing layer of knowledge that can supply other tools, humans, AI, like whoever wants to understand what's actually going on at any time in your network. But that's one of the main things that they're looking for from NDR solutions such as ourselves. We can passively sit in their network and just looking at network traffic and without actively scanning and probing parts of the environment, we can ascertain the ground truth in their environment, provide that data back to their teams, back to their tools, so that they can turn this crank in the engine of patching into a higher velocity pipeline with the data that they have from us, right? So that's a big part of our focus. The other part is kind of what you're referring to, which is, hey, you're in a state of permanent vulnerability, you're in a state of assumed breach. But what's going to happen, right, you're going to have an attacker that gets into your network and they use some of these devices that are at the perimeter that are harder for you to patch, right? Your firewalls, your proxies and so on get a foothold in. And they're going to start moving laterally. And almost immediately they're going to leave footprints in your network. And that's where network monitoring or continuous monitoring of your environment, network monitoring specifically becomes super important. And especially in these environments, you would expect both AI tools to attack in somewhat of a sophisticated, more sophisticated of manner than humans do, because AIR tools have the capability to do that. So you really want to be looking at like, how do these tools or be able to detect how do these tools move laterally? What are some of the living of the land techniques that they're exploiting? How are they escalating privileges and breaching some of the environments inside your network where you don't have kind of proper perimeters and so on. So that's where we are putting a lot more effort as to building kind of deeper and more sophisticated detections based on, you know, AI powered detections based on, with ML and anomaly based techniques that are a lot harder to evade.
C
Yeah, as you were explaining that, it almost sounds like what you're building for customers is sort of like this virtuous cycle of like on one hand you give them the visibility of the network assets. You can do that enumeration of what's out there. You know, that, that helps them, to your point, not just think about what to patch first, but understanding the attack paths, which is the ultimate, I guess, way to prioritize. You know, you. I think that when we talk about assume breach, it's not assume breach and exfiltrate, it's assumed breach. But then look at what's the lateral steps that we can prevent. How do we make it slower? Right. We're. Gone are the days when we're trying to prevent attacks. It's just slow them down, contain them, minimize them. But it almost is like that's a theoretical exercise where you're planning for what the potential attacks are.
A
You're patching as fast as you can
C
in the right areas, managing your risk. But then you've got kind of the other side of this as well, which is then once you've got your theoretical, I guess, understanding of what might happen and your mitigation is in place, how do you then know whether those are actually happening?
B
Right.
C
And then at the network level you can sort of see, well, we know that there's a vulnerability here, but we don't believe that there can be a lateral movement from there. But the network will tell you whether or not you're right about that. So is that kind of the way these things sort of attach in a cycle? It's like plan in the theory and then monitor on the network level to prove and to detect whether your theory is holding up absolutely right.
B
Like the data that we generate from the product absolutely fuels both of these use cases. Right. Like you call it theoretical, I call it kind of proactive and reactive. Right. Like proactive is one where you're defending, you're building all these guardrails, you're building the moat and all of that outside your environment and then the reactive is like as soon as you see an attacker, you see some kind of anomalous incident in your network. How quickly can you respond to that and how much data that can you use to kind of power the analyst to go respond to that? So I think that's kind of bringing those two pieces together. And the thing that ties it all together is you've got to now start doing this at machine speed, at light speed even. Right. Because I was talking to CISO recently about this idea of AI powered attacks, and these are not theoretical anymore. So I had one CISO talk about how they had an active attack in their environment that was going after SharePoint vulnerability. The vulnerability came out Thursday or Friday of the week. The attack started about Saturday. And he was saying over the course of 48 hours they saw 17,000 different variations of attack on that same SharePoint.
C
Right.
B
And their teams are. And they know that this is one actor or group of actors and this is absolutely an AI powered attack. Right. So this is not theoretical for a lot of CISOs anymore. They're absolutely seeing this, they're seeing a lot more of this on the simple stuff, the phishing stuff and so on. But we know how some of these agentic systems are getting really good. So they're going to start seeing like you combine, hey, models are really powerful at finding vulnerabilities not only from source code, even from binaries, and then agentic systems that are really able to take that and crank on like high speed attacks. So the other thing that we're building to kind of tie all of this together is what you referred to earlier, which is agentic triads.
A
Right.
B
Can't, you can't only have humans responding at human speed to some of these attacks. You need to give humans the AI superpower so that they can respond at high speed to some of these attacks as well. So that's one of the things we've been investing quite a bit of time on is how do you give your humans these AI superpowers? And that's where we built agentic TRIA and all the functionality of that.
C
Yeah, And I imagine that's quite a challenge because the strength of corelight being that you guys run at crazy high line rates to deal with, you know, epic scale, but, you know, a poor little large language model, even the best ones in the Frontier Labs, ain't nothing going to be handling like 10 gigabits per second, 20, 100, 200 gigabits per second. So like, I mean, you know, at the risk of getting Too much into the sort of nerdy details here. How do you think about that in terms of, you know, you've got this fire hose of data, but you can't throw a fire hose at an LLM, right?
B
Yeah, you absolutely can't. Well, you can. You need a small nuclear reactor and the GDP of a small country to like pay for that, right? Yes, but yeah, so the way we think about it is you've got massive volumes of network traffic. And what CoreLife's really good at doing is processing all this massive volume of network traffic and distilling it down to a small amount of metadata that security folks actually care about. And we've been doing this for 25 years. If you think of the models on which we have built, which are the open source models, they've been in the security world, built by security professionals around the world for about 25 years. And they've all been using it as humans to understand what's actually going on in the network. So the good news is the foundational data we needed, you know, is something that we've been slowly building over time. And you know, arguably I could look back and say we knew the AI wave was coming, so we were building the data for the AI wave. But, you know, humans needed the data too, right? There's no, no getting away from that. But with the advent of AI, what we realized was that that data now becomes a powerful kind of accelerator boost for the AI system. So instead of throwing, you know, massive volume of network traffic@LLMs, now you can choose, you know, very, very finely kind of tuned and curated precise data that you can throw at it. So just to get into a little bit of nerdy details, the way we built the Agentix system is the agents. There's an agent that goes and identifies what is the riskiest entity in your environment, right? Like, what are some of the big detections going on? What you know, how are some of these assets classified and so on. And based on, based on an algorithm that comes up that these are the riskiest entities. And then within those entities, it goes into every alert that the entity has had over the past several days. It goes and sucks in all the data and context associated with the alert. And then we've got pretty firm guardrails so that the AI doesn't go off the reservation and like do a bunch of hallucinations. We put a lot of guardrails around. Go judge, like if you got a DGA alert, right? Like, here's how you go investigate a DGA alert. Like go through these steps and figure out is this actually an alert or not? So it'll go kind of crunch through all of that data. And then we've got other agents judging this agent, the output of this agent, to make sure that it's accurate. So we put a lot of effort into making sure the accuracy of LLMs are high. And LLMs are in general non deterministic. So there's only so much you can do with accuracy, but you provide a lot more context behind what LLMs are generating that allows the analyst to confirm that they are accurate. But we can do all of that with a very precise amount of data that doesn't blow the budget of what customers want to do.
C
I mean, it's such a great point, right? Because it's not that you're suddenly taking a fire hose of network detection data and throwing it at LLM. You guys have been in the business of distilling that down into stuff that's useful for humans for a long time. And so of course that immediately becomes very valuable as a signal that you can throw to an LLM.
B
One more point on the data and the value of it, right? And this is something that we've always known, that the data itself is pretty powerful and there's a lot of value in kind of combining that with AI systems. But we've never had a way to kind of really quantify that. So what one of our teams ended up doing is we have this capture the flag challenge that we take new customers through, right? And we use that. We come up with like a sophisticated attack campaign and build a cyber range and then toss around some breadcrumbs so that, you know, a new trainee can like, follow the breadcrumbs, do the investigation, learn a little bit about the product on their way. And one of our teams was like, well, wouldn't it be interesting if we threw some agents at this and started comparing, you know, how agents can actually solve the CTF system. So they built up a pretty sophisticated list of agents. And then we said, okay, let's actually try and benchmark the different models against this and figure out which models are better at this. And the interesting thing was you go from model to model, you get incremental improvement, but they're all. And you can see that even today, right? OpenAI to anthropic to Gemini, they're all pretty neck to neck with the latest model. So you get kind of incremental improvement going from model to model. And the thing that makes the most amount of difference is the data, right? So we Tried to give it, like, let's just throw a lot of our customers say, hey, we've got flow data. Like, why do we need ndr? We've got firewall data. Why do we need ndr? And we started throwing those kinds of. Only those kinds of data added versus Corelight data. And you can see without Corelight data, you are half or maybe 25% as likely to be able to actually solve the CTF than you are with the corelight data. Right, because you just don't have enough data. Like, we call it internally a ceiling on inference. Right. Like, you can throw all the GPUs you want at it, but if you don't have the right data, the right context, the agents are just not going to be able to get to the inference of reheating that they need to.
C
Yeah, we've covered so much interesting stuff, but I'm also mindful of the fact that a CISO at the moment probably isn't in the mode of sitting back and going, wow, that's really interesting. They're more in a mode of what do I need to do right now? Like, you know, it's kind of in these moments of panic where it's like, what's the old analogy, you know, you can't teach religion to hungry people. And I think at the moment, CISOs are just hungry, hungry people. And I imagine what they're looking for is not so much product features and product specs and what's possible, but more like, I want a blueprint. I want to know how I've get
A
from here to here.
C
Is that true? And how do you think about wrapping this up into something that requires less thought, less exploration, and just is a playbook of how to be better protected moving forward?
B
Yeah, always the first things I'll tell sisters out there is like, don't panic. It feels like doom and gloom and everything is falling down upon you. But the reality is, right, like, this is just an evolution of models getting better. Even the old models can do a lot of this. The newer models can do it better. This is just the evolution. So, you know, don't panic. There's obviously as a security team and as a defender team, we need to evolve and this is just another step in our evolution. But in terms of blueprint, I think that the main thing I would say is, you know, it's in some ways first principles, right? Back to the basics. You've got to think about the top 10 or 15 controls that need to be hardened and need to be in place, and you just Got to go make sure those are in because there's no getting away from that. Right. You've got to have your perimeter defenses in place. You've got your continuous monitoring. You need your teams that are kind of bridging those groups together. So you've got to have that in place. It is clear that your one management team and what they do that needs to go into overdrive. So you really need to think about how to go from a classic way of doing this every few months to doing it on a continuous basis and then having the teams and processes and tools that will allow you to go fix this on an ongoing basis. And the biggest one to keep in mind is continuous monitoring for threat detection becomes super important in this world because you have to assume that you're going to get popped at some point or another. So how do you make sure that you've got the right tools to do continuous threat detection and ultimately having the right view of assets in your environment that you can use for operational resilience. Right. For organizational resilience. When you get knocked down, you need to get back up. You need to know what kind of assets you have in your environment, how do they talk to each other so that you can get operational quickly. So getting a good fair view of what those assets look like, bridging that across multiple teams, especially one management teams, that becomes absolutely critical.
C
Yeah, absolutely. Well, Vijit, thank you so much for dropping by for this chat. I really like that sort of combination of the proactive response coupled with a reactive monitoring to sort of build that self reinforcing cycle that hopefully helps us weather this interesting storm. And I think we do end up better overall. The question is just how rough is it going to be along the way? Yeah.
B
And we're all in it together as a defender team, so.
C
Exactly.
B
Thanks for having me on, James.
Podcast: Risky Bulletin (Risky Business Media)
Episode: Sponsored Interview with Corelight’s VP of Product, Vijit Nair
Date: June 29, 2026
Host: James Wilson
Guest: Vijit Nair (Corelight)
This episode dives into the rapidly evolving cybersecurity landscape as advanced AI models become tools for both attackers and defenders. James Wilson interviews Vijit Nair, Corelight’s VP of Product, about how defenders can stay ahead by developing a blueprint that leverages structured, high-quality data and integrates both proactive and reactive defense strategies. The conversation covers what organizations can and should do right now to protect themselves, with a focus on practical steps and vendor-agnostic advice—plus insight into Corelight’s approach and new feature developments.
"The genie is out of the bottle...open weight models are not just catching up more rapidly than ever. A lot of them are already demonstrating the ability to find the same class and volume of bugs as these Mythos class or even Codex ChatGPT 5.5 cyber models." (00:46)
(02:28 – 06:00)
"We want this to be a living, breathing layer of knowledge that can supply other tools, humans, AI—like, whoever wants to understand what's actually going on at any time in your network." (03:36)
(04:30 – 06:00)
(06:00 – 09:30)
Understanding attack paths helps prioritize the right patches.
Once theoretical mitigations are in, network-level monitoring validates and surfaces any gaps in real-time.
James summarizes:
"It's not ‘assume breach and exfiltrate,’ it's ‘assume breach, but then look at what's the lateral steps that we can prevent—slow them down, contain them, minimize them.’" (06:26)
Vijit responds:
“You call it theoretical, I call it proactive and reactive… The thing that ties it all together is you’ve got to now start doing this at machine speed, at light speed even.” (07:23)
CISOs are seeing “17,000 different variations of attack on that same SharePoint” in 48 hours, clearly AI-driven. (08:15)
Human response at human speed is insufficient; analysts need "AI superpowers" to respond at scale and speed.
(09:30 – 13:30)
"You need a small nuclear reactor and the GDP of a small country to like pay for [LLMs processing full network flow]..." (10:31)
(13:48 – 15:55)
“Without Corelight data, you are half or maybe 25% as likely to be able to actually solve the CTF than you are with the Corelight data... You can throw all the GPUs you want at it, but if you don’t have the right data, the right context, the agents are just not going to be able to get to the inference.” (14:57)
(15:55 – 18:50)
“It feels like doom and gloom… but this is just an evolution… just another step in our evolution.” (16:41)
“Getting a good fair view of what those assets look like, bridging that across multiple teams… becomes absolutely critical.” (18:22)
“Gone are the days when we're trying to prevent attacks—it's just slow them down, contain them, minimize them.” (06:31)
“Can't only have humans responding at human speed to some of these attacks… That's where we built agentic triage.” (09:30)
“You can throw all the GPUs you want at it, but if you don’t have the right data, the right context, the agents are just not going to be able to get to the inference…” (15:14)
“The biggest one to keep in mind is continuous monitoring for threat detection becomes super important in this world because you have to assume that you're going to get popped at some point or another.” (17:53)
This episode provides a balanced, practical guide to AI-era cybersecurity—combining insight into cutting-edge attacker and defender tactics, vendor-neutral advice, and a compelling case for integrating both proactive asset and risk management with continuous, machine-speed monitoring. Vijit Nair makes a clear call: focus on critical controls and real-time data, foster resilience through continuous asset visibility, and equip defenders with both foundational best practices and AI-augmented tools.