CPC G06F 21/566 (2013.01) [G06F 21/53 (2013.01); G06F 21/561 (2013.01)] | 20 Claims
1. A method of performing analysis in a cloud computing environment, the method comprising:
receiving a data set including program code from a first computing device via a computer network interface;
collecting information regarding execution of a portion of the program code by a processor, wherein the collected information includes a first set of context information relating to one or more behaviors of the executed portion of the program code;
identifying that the first set of context information indicates one or more states associated with suspicious behavior;
monitoring the executed portion of the program code to identify a trigger based on one or more indicators that the executed portion of the program code has been previously identified as suspicious;
identifying via a deep packet inspection (DPI) that the executed portion of the program code matches a signature of a known set of malware based on the first set of context information matching a second set of context information associated with the known set of malware stored at a second computing device; and
blocking a remaining portion of the program code based on the match to the signature of the known set of malware.