SYSTEM AND METHOD FOR COMBINING CYBER-SECURITY THREAT DETECTIONS AND ADMINISTRATOR FEEDBACK
Abstract:
A computer system is provided. The computer system includes a memory and at least one processor coupled to the memory and configured to detect triggering of one or more threat detectors and activate a subset of nodes associated with the triggered threat detectors from a plurality of nodes in a Bayesian network in response to the detection. The at least one processor is further configured to determine that feedback associated with the triggered threat detectors is available and, if so, accumulate the feedback to a feedback node of the network, the feedback node associated with the triggered threat detectors. The at least one processor is further configured to calculate a probability of malicious action using the network to combine probabilities associated with the activated subset of nodes and the feedback node, determine that the probability exceeds a threshold value, and perform a security action in response to the determination.
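An added sketch of the flow the abstract describes, not code from the patent: a naive-Bayes-shaped network with one hidden "malicious" node, one child node per triggered detector, and a feedback node keyed by the set of triggered detectors. The detector names, conditional probabilities, prior, threshold, the smoothed feedback ratio and the `isolate_host` action are all assumptions made for illustration.

```python
from collections import defaultdict

PRIOR = 0.01       # assumed P(malicious) before any detector fires
THRESHOLD = 0.5    # assumed probability above which a security action is taken
# Assumed detector nodes: name -> (P(fires | malicious), P(fires | benign))
DETECTORS = {
    "beacon": (0.60, 0.05),
    "new_admin_login": (0.50, 0.10),
}


class ThreatNetwork:
    def __init__(self):
        # Feedback node per triggered-detector set:
        # [verdicts "confirmed malicious", verdicts "dismissed as benign"]
        self.feedback = defaultdict(lambda: [0, 0])

    def add_feedback(self, triggered, malicious):
        """Accumulate one administrator verdict on the matching feedback node."""
        self.feedback[frozenset(triggered)][0 if malicious else 1] += 1

    def probability(self, triggered):
        """Posterior P(malicious) from the activated detector nodes and feedback."""
        active = frozenset(triggered)
        unknown = active.difference(DETECTORS)
        if unknown:
            raise ValueError(f"unknown detectors: {sorted(unknown)}")
        odds = PRIOR / (1 - PRIOR)
        for name in active:                 # only triggered detectors are activated
            p_mal, p_ben = DETECTORS[name]
            odds *= p_mal / p_ben           # likelihood ratio of this detector firing
        if active in self.feedback:         # feedback available for this detector set
            confirmed, dismissed = self.feedback[active]
            # Assumed feedback model: Laplace-smoothed ratio of past verdicts
            odds *= (confirmed + 1) / (dismissed + 1)
        return odds / (1 + odds)

    def evaluate(self, triggered):
        """Return (probability, action); the action name is hypothetical."""
        p = self.probability(triggered)
        return p, ("isolate_host" if p > THRESHOLD else None)


if __name__ == "__main__":
    net = ThreatNetwork()
    alert = ["beacon", "new_admin_login"]
    print(net.evaluate(alert))              # below threshold without feedback
    for _ in range(3):
        net.add_feedback(alert, malicious=True)
    print(net.evaluate(alert))              # confirmed verdicts push it over
```

With these numbers, the two detectors alone stay under the threshold; accumulated "confirmed malicious" verdicts raise the same alert over it, and "dismissed" verdicts lower it.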