Behavioral detection is security monitoring that flags suspicious actions instead of relying only on known malware signatures or file hashes. It watches what a process, user, or host does: launching unusual child processes, opening scripts, contacting rare network destinations, or chaining several actions after a simple click. This matters because attackers often change file names, packers, and code to evade signature-based tools, while their behavior still leaves detectable traces.
In real attacks, behavioral detection can catch a malicious Windows shortcut that starts PowerShell, spawns another process, and immediately reaches out to a webhook or other remote service. Defenders use it in EDR, sandboxing, and SIEM rules to spot abnormal process trees, suspicious command lines, and user actions that are followed within seconds by an outbound network connection. It is especially useful when trusted tools or legitimate services are abused, because the traffic may look normal by reputation (a well-known service, a signed binary) but not by context (who launched it, from what parent, and how quickly it went to the network).
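The shortcut-to-PowerShell-to-network chain described above, expressed as a small detection rule over normalized endpoint telemetry. This is an added example and not code from any particular EDR or SIEM product; the event schema, the process names treated as script hosts and user-facing applications, the baseline destination list, and the sample events are all constructed for illustration. The rule only fires when three signals line up: a script host whose parent is a user-facing application, an outbound connection from that host or one of its descendants, and a destination absent from the organization's baseline, all within a short window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical classification lists; a real deployment derives these from
# its own environment rather than hard-coding them.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_APPS = {"explorer.exe", "outlook.exe", "winword.exe", "excel.exe"}


@dataclass
class Event:
    ts: datetime
    kind: str                   # "process" (creation) or "network" (outbound connect)
    pid: int
    image: str                  # lowercase executable name
    ppid: Optional[int] = None  # parent pid, process events only
    cmdline: str = ""
    dest: str = ""              # remote host, network events only


def _t(seconds: int) -> datetime:
    """Timestamps relative to a fixed constructed start time."""
    return datetime(2024, 1, 1, 9, 0, 0) + timedelta(seconds=seconds)


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS: List[Event] = [
    Event(_t(0), "process", 1000, "explorer.exe"),
    # Benign: user opens a browser that talks to a destination seen every day.
    Event(_t(5), "process", 1100, "chrome.exe", ppid=1000, cmdline="chrome.exe"),
    Event(_t(6), "network", 1100, "chrome.exe", dest="www.example.com"),
    # Suspicious: a shortcut click makes explorer launch a hidden PowerShell,
    # which spawns a child that posts to an unfamiliar webhook host seconds later.
    Event(_t(60), "process", 1200, "powershell.exe", ppid=1000,
          cmdline="powershell.exe -WindowStyle Hidden -NoProfile <constructed>"),
    Event(_t(61), "process", 1201, "cmd.exe", ppid=1200, cmdline="cmd.exe /c <constructed>"),
    Event(_t(63), "network", 1201, "cmd.exe", dest="hooks.example-webhook.test"),
    # Benign: an admin runs PowerShell from a console; parent is not a user app.
    Event(_t(300), "process", 1300, "conhost.exe"),
    Event(_t(301), "process", 1301, "powershell.exe", ppid=1300, cmdline="powershell.exe"),
    # Edge case: explorer-launched PowerShell that only connects much later,
    # outside the window; this rule intentionally does not fire on it.
    Event(_t(400), "process", 1400, "powershell.exe", ppid=1000, cmdline="powershell.exe"),
    Event(_t(900), "network", 1400, "powershell.exe", dest="late.example-webhook.test"),
]

# Constructed stand-in for a learned baseline of destinations the fleet
# contacts routinely; in production this comes from historical traffic.
BASELINE_DESTS = {"www.example.com", "update.example.com"}


def build_tree(events: List[Event]) -> Dict[int, Event]:
    """Index process-creation events by pid so parents can be looked up."""
    return {e.pid: e for e in events if e.kind == "process"}


def lineage(pid: int, procs: Dict[int, Event]) -> List[Event]:
    """Chain of process events from pid up to the root (leaf first)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def detect(events: List[Event], baseline: set, window_s: int = 120) -> List[dict]:
    """Flag rare outbound connections whose lineage contains a user-app -> script-host hop
    that occurred within window_s seconds of the connection."""
    procs = build_tree(events)
    alerts = []
    for e in events:
        if e.kind != "network" or e.dest in baseline:
            continue
        chain = lineage(e.pid, procs)
        for i, p in enumerate(chain):
            parent = chain[i + 1] if i + 1 < len(chain) else None
            if (p.image in SCRIPT_HOSTS and parent is not None
                    and parent.image in USER_APPS
                    and timedelta(0) <= e.ts - p.ts <= timedelta(seconds=window_s)):
                alerts.append({
                    "pid": e.pid,
                    "chain": [x.image for x in reversed(chain)],  # root -> leaf
                    "script_cmdline": p.cmdline,
                    "dest": e.dest,
                    "seconds": (e.ts - p.ts).total_seconds(),
                })
                break
    return alerts


def run_sample() -> List[dict]:
    return detect(SAMPLE_EVENTS, BASELINE_DESTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Each signal on its own would be noisy: PowerShell under explorer is what every admin's shortcut does, and unknown destinations appear constantly. Requiring the parent context, the script host and the rapid rare connection together is what turns reputation-neutral traffic into a context-based alert. The fixed window is a tuning choice and a known blind spot: a delayed beacon, as in the last sample pair, needs a separate longer-horizon rule.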