Your NDR Is Capturing Evidence of Threats You Haven’t Found Yet

How Corelight and Stairwell Close the Loop on Network File Intelligence

Every day, your network detection and response platform is extracting files from the wire: executables transferred over SMB, scripts pulled via FTP, email attachments traversing unencrypted channels. It flags known-bad files, matches against current threat intelligence, and moves on.

What it cannot do is go back.

When a threat actor positions a tool weeks before activation, when a dropper passes cleanly through every sandbox and signature check on the day it arrives, the file gets categorized as benign and the clock starts. Months later, when a variant of that same tool surfaces in an active incident, your team faces the question every responder dreads: how far back does this go, and how many systems touched it?

That question is exactly why teams pair Stairwell with Corelight. Corelight surfaces the file from the network. Stairwell tells you everywhere it has ever been in your environment. Every sighting, every system, every moment in time is preserved in a secure vault, so the instant today’s “benign” file becomes tomorrow’s breach, you already know the full impact.

What Corelight Captures

Corelight’s Open NDR platform is built on Zeek and Suricata. It parses network traffic at wire speed and produces structured, queryable telemetry across DNS, HTTP, NTLM, Kerberos, DCE/RPC, SMB, and connection metadata. It also extracts files transmitted over unencrypted protocols (SMB file transfers, FTP uploads, HTTP downloads, email attachments) and makes those files ready for analysis.

This is network ground truth. If the file moved across the wire on a monitored segment, Corelight sees it. Corelight also has native YARA scanning and integrates threat intelligence to match against known indicators. For known-bad, that’s fast and effective. The gap is everything else: files that are clean today but implicated by tomorrow’s intelligence, and files that originated from devices that can never run an endpoint agent.

What Stairwell Delivers

Stairwell is a file-centric threat intelligence platform. Its core capability is persistent, retroactive and proactive analysis: every file submitted to Stairwell is stored indefinitely and continuously re-evaluated as new threat intelligence, YARA rules, and behavioral models are added. When new intelligence emerges, whether it’s a new malware family, a newly attributed dropper, or a variant of a known implant, Stairwell automatically sweeps your historical file corpus and surfaces matches.

This is the blast radius story. An implant that entered your environment eight months ago, passed every check at the time, and sat dormant will be flagged by Stairwell when threat intelligence signals that it is malicious. Your team knows not just that the file exists, but the full timeline of every system that ever had contact with it, when, and in what context.

Stairwell’s architecture is API-first. Any system that can send an HTTP request can submit a file. There is no endpoint agent requirement for file ingestion, which fits well for customers already running Corelight.

The Integration Pattern

Security teams pairing these platforms are using a straightforward pipeline:

Network Traffic
  → Corelight Sensor (file extraction)
  → S3 Bucket
  → Lambda Function (triggered on S3 PUT)
  → Stairwell Analysis API
  → SOAR / Alerting

Corelight extracts files from network traffic and stages them to an S3 bucket. A Lambda function monitors the bucket and submits each file to the Stairwell API. From there, Stairwell handles analysis, correlation, and retroactive matching. Alerts and enrichment flow downstream to SOAR platforms for response workflows.

This pattern has been running in production at a major company since 2023. Their use case was straightforward: they needed file intelligence across network-extracted artifacts without deploying additional endpoint agents across their infrastructure. Corelight provided the capture layer. Stairwell provided the analysis layer. A Lambda function connected them.
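The Lambda stage of that pipeline, as an added example (this is not Corelight's or Stairwell's code): it walks the S3 PUT records, hashes each extracted file, skips duplicates and oversize objects, carries the sensor context from the object key along with the file, and hands the bytes to a submitter. The object-key convention (`extract-<network_time>-<source>-<fuid>`), the environment variables, and the JSON request shape in `_stairwell_submit` are assumptions to adapt to your sensor export and your tenant's API documentation. The S3 read and the HTTP submission are injected so the core logic runs offline.

```python
"""Added example: S3-triggered Lambda glue between Corelight file extraction and
Stairwell submission. Not vendor code; endpoint, key format and request shape are assumed."""
import base64
import hashlib
import json
import os
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict

MAX_BYTES = 64 * 1024 * 1024  # skip oversize artifacts instead of timing out the function

# Assumed object-key convention for Zeek/Corelight file extraction (adjust to your config):
#   [prefix/]extract-<network_time>-<source protocol>-<fuid>
KEY_RE = re.compile(r"^(?:.*/)?extract-(?P<ts>[\d.]+)-(?P<source>[A-Z_]+)-(?P<fuid>[A-Za-z0-9]+)$")


def describe_key(key: str) -> Dict[str, str]:
    """Pull sensor context out of the object key so it travels with the file."""
    m = KEY_RE.match(key)
    if not m:
        return {"key": key}
    return {"key": key, "network_time": m["ts"], "source": m["source"], "fuid": m["fuid"]}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def process_event(event: dict, fetch: Callable[[str, str], bytes],
                  submit: Callable[[bytes, dict], dict], seen: set) -> dict:
    """Walk S3 PUT records, hash each object, submit unseen files, return a summary."""
    summary = {"submitted": [], "skipped_duplicate": [], "skipped_oversize": []}
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])  # S3 URL-encodes keys
        if rec["s3"]["object"].get("size", 0) > MAX_BYTES:
            summary["skipped_oversize"].append(key)
            continue
        data = fetch(bucket, key)
        digest = sha256_hex(data)
        if digest in seen:  # identical bytes already submitted in this invocation
            summary["skipped_duplicate"].append(digest)
            continue
        seen.add(digest)
        meta = describe_key(key)
        meta["sha256"] = digest
        meta["s3_uri"] = f"s3://{bucket}/{key}"
        submit(data, meta)
        summary["submitted"].append(digest)
    return summary


def _s3_fetch(bucket: str, key: str) -> bytes:
    import boto3  # present in the Lambda runtime; imported lazily so the logic above runs anywhere
    return boto3.client("s3").get_object(Bucket=bucket, Key=key)["Body"].read()


def _stairwell_submit(data: bytes, meta: dict) -> dict:
    # Placeholder request shape (assumption); replace with what your Stairwell tenant's API expects.
    url = os.environ["STAIRWELL_UPLOAD_URL"]
    body = json.dumps({"metadata": meta, "content_b64": base64.b64encode(data).decode()}).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/json",
        "Authorization": "Bearer " + os.environ.get("STAIRWELL_API_TOKEN", "")})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def lambda_handler(event: dict, context=None) -> dict:
    return process_event(event, _s3_fetch, _stairwell_submit, set())
```

The `seen` set only deduplicates within one invocation; for cross-invocation deduplication, key a small store (DynamoDB, for instance) on the SHA-256 before calling the API, so a file that Corelight extracts on every transfer is submitted once and its later sightings are recorded as metadata.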

If your team already uses Corelight, this integration adds memory to what is otherwise a stateless process. Every file Corelight observes gets indexed against your environment in Stairwell, so if something seen months ago is later identified as malicious, you get a retroactive alert tied to when and where it appeared.

Three Scenarios Where This Matters

1. Retroactive Detection After a Threat Intelligence Update

A threat actor deploys a custom loader during an initial access phase. The loader is novel – no existing signatures, no sandbox detections, clean on VirusTotal. It passes Corelight’s real-time analysis and gets filed as benign.

Six weeks later, the loader’s infrastructure is attributed by a threat intelligence vendor. New YARA rules and IOCs are released. Stairwell runs those rules against every file ever submitted by your organization. The loader surfaces. You now know the exact timestamp it crossed your network, which internal systems received it, and whether any lateral movement followed.

Without persistent file storage, that retroactive sweep is impossible. The evidence existed – it just had nowhere to live.
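A minimal model of that retroactive sweep, added here to show the data model the scenario depends on (this is not Stairwell's code and says nothing about its internals): a vault keyed by SHA-256 that keeps every sighting of a file, and a sweep that re-evaluates the whole corpus when new rules arrive and returns the blast radius per hit. The byte-pattern `Rule` is a stand-in for YARA, and the hosts, timestamps and file contents are constructed sample data.

```python
"""Added example: persistent file vault with sighting timeline and retroactive sweep.
Illustrative model only; rules are byte patterns standing in for YARA, data is constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Sighting:
    ts: str       # when the file crossed the wire (ISO 8601 so string order is time order)
    src: str      # sending host
    dst: str      # receiving host
    source: str   # protocol the sensor extracted it from


@dataclass
class Entry:
    sha256: str
    content: bytes
    sightings: List[Sighting] = field(default_factory=list)


@dataclass
class Rule:
    """Stand-in for a YARA rule: every pattern must appear in the file (simplification)."""
    name: str
    patterns: List[bytes]

    def matches(self, data: bytes) -> bool:
        return all(p in data for p in self.patterns)


def blast_radius(entry: Entry, rule_name: str) -> dict:
    """Answer 'how far back does this go, and how many systems touched it?' for one hit."""
    ordered = sorted(entry.sightings, key=lambda s: s.ts)
    hosts = sorted({h for s in ordered for h in (s.src, s.dst)})
    return {"rule": rule_name, "sha256": entry.sha256, "first_seen": ordered[0].ts,
            "last_seen": ordered[-1].ts, "hosts": hosts, "sightings": len(ordered)}


class FileVault:
    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def ingest(self, content: bytes, sighting: Sighting) -> str:
        """Store the bytes once; append every sighting, even for a file already held."""
        digest = hashlib.sha256(content).hexdigest()
        entry = self.entries.setdefault(digest, Entry(digest, content))
        entry.sightings.append(sighting)
        return digest

    def sweep(self, rules: Iterable[Rule]) -> List[dict]:
        """Re-evaluate the entire historical corpus against newly published rules."""
        hits = []
        for entry in self.entries.values():
            for rule in rules:
                if rule.matches(entry.content):
                    hits.append(blast_radius(entry, rule.name))
        return hits


def demo():
    vault = FileVault()
    # Constructed samples: a loader carrying a config string, and an unrelated benign binary.
    loader = b"MZ\x90\x00" + b"\x00" * 16 + b"cfg=beacon.example.invalid"
    benign = b"MZ\x90\x00" + b"\x00" * 16 + b"Copyright constructed-vendor"
    # January: loader arrives from outside over HTTP and is judged benign at the time.
    vault.ingest(loader, Sighting("2024-01-15T09:12:33Z", "203.0.113.7", "10.0.20.14", "HTTP"))
    vault.ingest(benign, Sighting("2024-01-15T10:00:00Z", "10.0.20.14", "10.0.20.31", "SMB"))
    # February: the same bytes are staged to a second internal host over SMB.
    vault.ingest(loader, Sighting("2024-02-02T22:41:07Z", "10.0.20.14", "10.0.20.31", "SMB"))
    # March: a vendor publishes a rule; the sweep re-checks every file ever stored.
    new_rules = [Rule("constructed_loader_cfg", [b"MZ", b"beacon.example.invalid"])]
    return vault, vault.sweep(new_rules)


if __name__ == "__main__":
    _, hits = demo()
    for hit in hits:
        print(hit)
```

The point the model makes is that the sweep needs nothing from the original ingestion decision: the bytes and the sighting context were kept regardless of the verdict at the time, so a rule written months later can still produce the first-seen timestamp and the host list.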

2. Lateral Movement via Internal File Transfer

East-west traffic is where attackers move after initial access, and it is disproportionately unencrypted. SMB file shares, internal FTP, RDP clipboard transfers: these channels rarely get TLS treatment inside the perimeter. Corelight monitors that traffic and extracts files as they move between systems.

When an attacker stages tools across multiple hosts before execution, Corelight captures each transfer. Stairwell correlates those files, identifies shared code or infrastructure between them, and builds a timeline of staging activity – often before any endpoint detection fires.

3. The 20% of Your Network That EDR Can’t Touch

Endpoint detection requires an agent. IoT sensors, OT devices, network appliances, unmanaged contractor machines, legacy systems running end-of-life operating systems — none of these will ever run an EDR agent. They represent a segment of most enterprise networks that exists entirely outside endpoint visibility.

Corelight sees their traffic. Files they send or receive cross monitored network segments and get extracted. With Stairwell in the pipeline, those files get the same retroactive intelligence treatment as anything else in your environment.

This is increasingly relevant as AI-assisted vulnerability research accelerates the discovery and weaponization of flaws in legacy protocols. Unpatched SMB implementations, outdated FTP services, network printers with exposed management interfaces — the attack surface that defenders have historically underweighted is getting more attention from the offensive side. The fact that this traffic is unencrypted means it is fully visible to Corelight, and that visibility is worth preserving.

Where Corelight's Job Ends, Stairwell's Begins

Corelight is purpose-built for network visibility. It sees everything on the wire, structures it, and makes it queryable. Stairwell is purpose-built for file intelligence. It stores, analyzes, and continuously re-evaluates every file it receives. Neither platform is trying to do the other’s job.

The integration pattern described here is being built and operated by security teams today using standard cloud components. A native connector is in development to make this easier to deploy without custom Lambda functions.

If your team is running Corelight and wants to understand what building this pipeline looks like, or if you’re evaluating how Stairwell fits into your existing NDR stack, reach out to [email protected] to learn more.