This case study details how a major U.S. university adopted Corelight to address significant network visibility gaps, particularly among unmanaged student devices. During a live, hands-on training session with Corelight, the security team immediately uncovered two active, evasive threats—including URSNIF malware and suspicious ICMP tunneling—that had been missed by their existing endpoint security tools. This discovery not only validated Corelight's ability to provide richer network evidence but also provided the team with the practical skills and confidence to proactively hunt for threats.