Heuristic detection is a security method that looks for suspicious behavior, code traits, or execution patterns instead of matching only known malware signatures. It helps antivirus, EDR, and email filters catch new or modified threats that have not yet been cataloged.
It matters because attackers often change filenames, hashes, or minor code details to evade signature-based defenses. Heuristics can still spot risky clues such as script obfuscation, unusual PowerShell commands, packing, privilege escalation attempts, or file actions that resemble known attack chains. The tradeoff is that legitimate software can also look suspicious, especially update scripts and admin tools. In practice, defenders use heuristic alerts as a triage signal: verify the file’s source, signature, and hash, test it in a safe environment, and confirm whether the behavior is expected. Good tuning reduces false positives without weakening protection.