
Using neural networks to process forensics and generate threat intelligence information

Patent number
US11888895B2
Publication date
2024-01-30
Applicant
Proofpoint, Inc. (US CA Sunnyvale)
Inventors
Zachary Mitchell Abzug; Kevin Patrick Blissett; Brian Sanford Jones
IPC classification
G06F7/04; H04L9/40; G06N3/08; G06N3/045
Technical field
campaign,platform,neural,or,may,forensics,threat,compromise,networks,threats
Region: CA CA Sunnyvale

Abstract

Aspects of the disclosure relate to generating threat intelligence information. A computing platform may receive forensics information corresponding to message attachments. For each message attachment, the computing platform may generate a feature representation. The computing platform may input the feature representations into a neural network, which may result in a numeric representation for each message attachment. The computing platform may apply a clustering algorithm to cluster the message attachments based on the numeric representations, which may result in clustering information. The computing platform may extract, from the clustering information, one or more indicators of compromise indicating that one or more attachments correspond to a threat campaign. The computing platform may send, to an enterprise user device, user interface information comprising the one or more indicators of compromise, which may cause the enterprise user device to display a user interface identifying the one or more indicators of compromise.

Description

In the following description of various illustrative embodiments, reference is made to the accompanying drawings, which form a part hereof, and in which is shown, by way of illustration, various embodiments in which aspects of the disclosure may be practiced. It is to be understood that other embodiments may be utilized, and structural and functional modifications may be made, without departing from the scope of the present disclosure. Various connections between elements are discussed in the following description. It is noted that these connections are general and, unless specified otherwise, may be direct or indirect, wired or wireless, and that the specification is not intended to be limiting in this respect.

As a brief introduction to the concepts described further below, one or more aspects of the disclosure relate to systems and methods for using neural networks to process forensics and generate threat intelligence information. By combining a data ingestion pipeline and a neural network, as described further herein, a software tool implementing one or more aspects of this concept may generate clusters of threats (which may, e.g., be used as a starting point for a threat investigation process). In some instances, this tool may be used to identify email attachment-based threats, uniform resource locator (URL)-based threats, and/or other threats. As an example, this tool may receive information identifying thousands of attachment-based threats per day and may reduce this dataset to hundreds of threat clusters (which may, e.g., be a much more manageable set of threats to further investigate).
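The stages the abstract lists after the network (numeric representation, clustering, indicator extraction) can be sketched as follows. This is an added example, not code from the patent or from Proofpoint: the forensics records are constructed, the field names and the 0.6 threshold are assumptions, and a normalised multi-hot vector stands in for the trained neural network's output.

```python
import math

# Constructed sample forensics (not real data); field names are hypothetical.
FORENSICS = {
    "att-1": {"domain": ["pay.example.test"], "mutex": ["mx_9"], "file": ["inv.js", "a1.tmp"]},
    "att-2": {"domain": ["pay.example.test"], "mutex": ["mx_9"], "file": ["inv.js", "b2.tmp"]},
    "att-3": {"domain": ["pay.example.test"], "mutex": ["mx_9"], "file": ["inv.js", "c3.tmp"]},
    "att-4": {"domain": ["upd.example.test"], "mutex": ["zz_1"], "file": ["setup.vbs"]},
    "att-5": {"domain": ["upd.example.test"], "mutex": ["zz_2"], "file": ["setup.vbs"]},
    "att-6": {"domain": ["other.example.test"], "file": ["x.exe"]},
}

def features(record):
    """Flatten one forensics record into a set of 'field=value' tokens."""
    return {f"{field}={v}" for field, values in record.items() for v in values}

def embed(feats):
    """Stand-in for the trained network: L2-normalised multi-hot vector."""
    norm = math.sqrt(len(feats))
    return {f: 1.0 / norm for f in feats}

def cosine(a, b):
    """Dot product of two unit-length sparse vectors."""
    return sum(w * b.get(f, 0.0) for f, w in a.items())

def cluster(vectors, threshold=0.6):
    """Single-linkage clustering: join any pair whose cosine >= threshold."""
    parent = {k: k for k in vectors}
    def find(k):
        while parent[k] != k:
            k = parent[k]
        return k
    ids = sorted(vectors)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if cosine(vectors[a], vectors[b]) >= threshold:
                parent[find(b)] = find(a)
    groups = {}
    for k in ids:
        groups.setdefault(find(k), []).append(k)
    return sorted(groups.values())

def extract_iocs(groups, feats):
    """Indicators shared by every member of a multi-attachment cluster."""
    return {tuple(g): sorted(set.intersection(*(feats[m] for m in g)))
            for g in groups if len(g) > 1}

def run(forensics=FORENSICS):
    feats = {k: features(r) for k, r in forensics.items()}
    groups = cluster({k: embed(f) for k, f in feats.items()})
    return groups, extract_iocs(groups, feats)
```

Six attachments reduce to three clusters here, and only the two multi-member clusters yield shared indicators; the per-sample temp-file names and differing mutexes drop out of the intersection.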

Claims

1