My Day Getting My Hands Dirty with an NDR System

  • What: An individual recounts their experience using a network detection and response (NDR) system to understand its role in threat hunting and incident response within a Security Operations Center (SOC).
  • Impact: Provides insights into the practical application of NDR systems and their potential benefits for security analysts.

The Hacker News, Feb 17, 2026. Network Security / Threat Detection

My objective

As someone relatively inexperienced with network threat hunting, I wanted to get some hands-on experience using a network detection and response (NDR) system. My goal was to understand how NDR is used in hunting and incident response, and how it fits into the daily workflow of a Security Operations Center (SOC). Corelight’s Investigator software, part of its Open NDR Platform, is designed to be user-friendly (even for junior analysts), so I thought it would be a good fit for me. I was given access to a production version of Investigator that had been loaded with pre-recorded network traffic. This is a common way to learn how to use this type of software.

While I’m new to threat hunting, I do have experience looking at network traffic flows. I was even an early user of one of the first network traffic analyzers, called Sniffer. Sniffers were specialized PCs equipped with network adapters designed to capture traffic and packets. These computers were the foundation on which more advanced network monitoring platforms were built. Back in the mid-1980s, these tools were expensive and required a lot of training. Interpreting the terse, cryptic data they produced was challenging, and knowing how to translate those insights into actionable next steps took patience and expertise. Now, almost forty years later, I wanted to see how security teams are conducting everyday network hunting when complex, fast attacks are the norm—and how quickly I could pick up the new tools.

The role of NDR in SOC workflows

Before I jump into my experience, let me explain how NDR integrates with the SOC.
NDR systems are most frequently used by mid- to elite-level security operations. In these environments, NDR is a key part of incident response and threat hunting workflows. The systems provide deep visibility across networks while also detecting intrusions and anomalies. This visibility is important not just for spotting more complex attacks, but also for uncovering misconfigurations or vulnerabilities that can lead to breaches or outages. NDR helps analysts triage events and can provide direction and related insights to determine the right response.

Integrating NDR with the SOC’s Security Information and Event Managers (SIEMs), endpoint detection and response (EDR) solutions, and firewalls enables analysts to gather, enrich, and correlate network data with widespread events. Together, these integrations let analysts respond faster and more efficiently by connecting network insights with alerts and actions from other tools, especially when finding more advanced attacks that can evade EDR, for example. Knowing NDR is a central component of the SOC, I was eager to see how the workflows functioned.

Starting up the NDR system

When you first open Investigator, you’re greeted by a dashboard that displays a ranked list of the latest highest-risk detections, listed by IP address and their frequency of occurrence. Most investigations start because some suspicious activity on the network triggered an alert. This prompts an analyst to form a hypothesis about why the event appeared on the dashboard, then drill down into the alert’s details to validate or disprove the idea.

Clicking through the list, I could see robust details about the specific issues that were flagged. In my case, I was looking at evidence of a couple of exploit tools in use (including an old favorite of mine, NMAP). Alongside these were reverse command shells being used to execute malware, a dodgy DNS server, and a series of packets that documented a conversation between a suspicious pair of IP addresses.
I saw right away how Investigator’s added context is important. Rather than having to figure out network traffic patterns and their meaning, Investigator’s dashboard explained this for me and added even more context: each listing also showed which techniques from the MITRE ATT&CK® framework were involved, helping me understand the broader significance of the event. This level of detail is a great way to educate yourself about unfamiliar exploits, because you can quickly drill down into the specifics of each alert to gain deeper insights into the contents of the network packets involved.

This was also my chance to explore the GenAI features built into the tool. I could ask some pre-set questions, such as “What type of attack is associated with this alert?” It would respond with a recommended course of action in step-by-step detail. For example, it advised me to search particular logs for telltale signs that a node was communicating with an external command-and-control server and to check if it had sent a particular malware payload. It explained how to see if the threat was moving laterally to some other part of the network. It may sound complicated, but my explanation actually takes longer than it did to click around and get these details when I was inside the product.

This investigative process is fundamental for any SOC analyst who must piece together fragments of information to form a coherent picture of what the adversary is doing. In this case, the GenAI was surfacing insights and actionable next steps, clarifying the investigation process and allowing me to focus on my analysis.

How AI complements the human response

Integrated AI is certainly not unique in today’s collection of security products, but this was a helpful feature. What I liked about the AI hints was that they were truly useful, and not annoying, as some of the consumer-grade chatbots can be.
There are clear workflow steps, such as:

  • Figure out the exploit timeline and use your various log files to correlate connected IP addresses
  • Figure out the DNS origins
  • Suss out HTTP requests and file transfers, and so forth

These bulleted items were not just some dry features mentioned in marketing materials but actual elements of my threat hunting. Certainly, I knew—at least from afar—why these were important and how these various pieces fit together from my previous experience using network analyzers. But having these workflows spelled out by the AI brought my own thoughts into focus and helped me build and explain the narrative of an attack.

I saw how these AI-based suggestions could enable a human analyst to determine how to respond to the incident more quickly and begin mitigating its impact. For example, when seeing a file transfer, you can figure out the file’s destination as well as whether it contains malware or other suspicious content. Also, the generated hints and explanations are located in just the right place on-screen so as to be a natural fit into an analyst’s workflow. Given the number of ways malware can enter a network, it is nice to have these tips and hints that can upskill analysts and serve as timely reminders on how to sift through various alerts. Again, the AI tool helps me understand the details associated with each alert, such as why it occurred, where it came from, and the potential damage it caused.

Finally, Corelight takes pains to state that Investigator “only shares data with the model when an analyst is investigating a threat, and we do not use customer data for training the AI model.” To that end, there are two distinct integrations: one for private data (like IP addresses and customer details) and one for public data (that doesn’t reveal anything specific about the underlying network traffic), which can be operated independently.
To enable both of these integrations, you just go to the Settings page and turn them on.

What else did I try out?

Investigator comes with dozens of specialized dashboards that enable deeper analysis. For example, three dashboards are related to anomaly detection: one provides an overall summary, another offers detailed information, and a third displays the first time something has been observed on the network. This last display is particularly useful because it could show analysts novel techniques: signs of a new anomaly, for example. With this level of granularity, analysts have the data they need to determine whether an event is truly malicious, simply the result of a software misconfiguration, or just an unusual but harmless occurrence.

Another complementary approach I checked out was Investigator’s built-in command line panel, where I could search for specific conditions. A good way to learn the syntax and use of this portion of the product is Corelight’s Threat Hunting Guide, where you can cut and paste the sample command strings directly into your Investigator searches and copy their syntax for your own purposes. This can help analysts become more familiar with the data so they can use it to hunt unknown attacks in the future.

What could I see with NDR that I wouldn’t otherwise?

An NDR platform provides two important benefits: enrichment and integration. Each network connection is enriched with data collected by Investigator. This can include not just which IP address triggered an alert, but how the activity compares to your normal network baseline activity. Analyzing traffic from normal baseline periods is invaluable because it lets you quickly spot the difference between, say, everyday access to a SQL server and unusual activity flagged by the system. When something seems off, all the context you need is right at your fingertips.
You don’t, for example, need to recall that port 123 is used for the Network Time Protocol, nor what kinds of exploits can happen if someone is messing with it. Enrichment also helps to correlate a particular event with other related data points that explain what you’re seeing. This gets to its other benefit: integration
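The workflow steps listed earlier (exploit timeline, correlating IP addresses across log files, DNS origins, HTTP file transfers) as an added example, not code from the article or from Corelight: it joins constructed Zeek-style conn, dns and http records on their shared connection uid to build a timeline for one suspect host, ties each connection back to the DNS lookup that produced its destination, and lists any HTTP transfers on it. The record layout, addresses and host names are assumptions made for the example.

```python
"""Per-host attack timeline from Zeek-style conn/dns/http records (added
example, not Corelight's code; records, addresses and names are constructed)."""
from collections import defaultdict

# Constructed: 10.0.0.5 resolves a name, fetches an executable from the
# resolved address over HTTP, then opens SMB to an internal peer.
CONN = [
    {"ts": 100.0, "uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.53", "id.resp_p": 53, "proto": "udp"},
    {"ts": 101.0, "uid": "C2", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.9", "id.resp_p": 80, "proto": "tcp"},
    {"ts": 150.0, "uid": "C3", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.7", "id.resp_p": 445, "proto": "tcp"},
    {"ts": 160.0, "uid": "C4", "id.orig_h": "10.0.0.8", "id.resp_h": "10.0.0.53", "id.resp_p": 53, "proto": "udp"},
]
DNS = [
    {"ts": 100.0, "uid": "C1", "query": "update-cdn.example", "answers": ["203.0.113.9"]},
    {"ts": 160.0, "uid": "C4", "query": "intranet.example", "answers": ["10.0.0.20"]},
]
HTTP = [
    {"ts": 101.2, "uid": "C2", "method": "GET", "host": "update-cdn.example",
     "uri": "/stage2.bin", "resp_mime_types": ["application/x-dosexec"]},
]

def attack_timeline(suspect, conn, dns, http):
    """Return (ts, description) events involving `suspect`, oldest first."""
    dns_by_uid = {d["uid"]: d for d in dns}          # uid joins conn <-> dns
    http_by_uid = defaultdict(list)                  # uid joins conn <-> http
    for h in http:
        http_by_uid[h["uid"]].append(h)
    # Resolved address -> query name, so a later connection can be tied
    # back to the DNS lookup that produced its destination.
    origin = {a: d["query"] for d in dns for a in d["answers"]}
    events = []
    for c in conn:
        src, dst, port = c["id.orig_h"], c["id.resp_h"], c["id.resp_p"]
        if suspect not in (src, dst):
            continue
        if c["uid"] in dns_by_uid:
            d = dns_by_uid[c["uid"]]
            events.append((c["ts"], f"dns {d['query']} -> {','.join(d['answers'])}"))
            continue
        via = f" (resolved from {origin[dst]})" if dst in origin else ""
        events.append((c["ts"], f"{c['proto']} {src} -> {dst}:{port}{via}"))
        for h in http_by_uid.get(c["uid"], []):
            mime = ",".join(h["resp_mime_types"])
            events.append((h["ts"], f"http {h['method']} {h['host']}{h['uri']} mime={mime}"))
    return sorted(events)

if __name__ == "__main__":
    for ts, what in attack_timeline("10.0.0.5", CONN, DNS, HTTP):
        print(f"{ts:7.1f}  {what}")
```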
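The baseline comparison and "first observed" view described above, as an added example that is not Corelight's code: it profiles a constructed baseline window of connection records, then reports anything in the current window the baseline never showed, classified as a never-seen destination, a new service on a known host, or a new client for a known service, and enriched with a service name so the analyst need not recall that port 123 is NTP. The service map and both windows are constructed assumptions.

```python
"""Flag first-seen network behaviour against a baseline window (added
example, not Corelight's code; sample windows and service map are constructed)."""
from collections import Counter

# Port -> service hint so an analyst need not recall that 123 is NTP.
# Constructed; a real sensor identifies services by protocol analysis.
SERVICES = {53: "dns", 80: "http", 123: "ntp", 445: "smb", 1433: "mssql"}

def profile(conns):
    """Count (src, dst, port) triples and record the ports each host served."""
    triples = Counter((c["id.orig_h"], c["id.resp_h"], c["id.resp_p"]) for c in conns)
    served = {}
    for c in conns:
        served.setdefault(c["id.resp_h"], set()).add(c["id.resp_p"])
    return triples, served

def first_seen(baseline, current):
    """Return findings for behaviour in `current` absent from `baseline`."""
    base_triples, base_served = profile(baseline)
    findings = []
    for (src, dst, port), n in sorted(profile(current)[0].items()):
        if (src, dst, port) in base_triples:
            continue  # seen in the baseline: normal activity
        if dst not in base_served:
            kind = "never-seen destination"
        elif port not in base_served[dst]:
            kind = "new service on known host"
        else:
            kind = "new client for known service"
        findings.append({"src": src, "dst": dst, "count": n, "kind": kind,
                         "service": SERVICES.get(port, f"port {port}")})
    return findings

# Constructed windows: routine SQL/NTP traffic, then a new SQL client, SMB to the SQL host, external NTP.
BASE_WINDOW = [
    {"id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.30", "id.resp_p": 1433},
    {"id.orig_h": "10.0.0.6", "id.resp_h": "10.0.0.30", "id.resp_p": 1433},
    {"id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.1", "id.resp_p": 123},
]
CUR_WINDOW = [
    {"id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.30", "id.resp_p": 1433},
    {"id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.30", "id.resp_p": 1433},
    {"id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.30", "id.resp_p": 1433},
    {"id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 123},
    {"id.orig_h": "10.0.0.6", "id.resp_h": "10.0.0.30", "id.resp_p": 445},
]
if __name__ == "__main__":
    for f in first_seen(BASE_WINDOW, CUR_WINDOW):
        print(f"{f['kind']:30} {f['src']} -> {f['dst']} {f['service']} x{f['count']}")
```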
