Systems and methods for multi-tiered sandbox based network threat detection are provided. According to one embodiment, a file is received by a computer system. The file is caused to exhibit a first set of behaviors by processing the file within a virtualization application based environment of the computer system. The virtualization application based environment is created based on an application to which the file pertains. The file is further caused to exhibit a second set of behaviors by processing the file within a container based environment of the computer system. Differences, if any, between the first set of behaviors and the second set of behaviors. Finally, the file is classified as malicious when the differences are greater than a predefined or configurable threshold.