Individuals and organizations typically seek to protect their computing resources from attackers and malicious threats. In some examples, enterprise organizations may hire a computing security vendor to provide security services to protect corresponding computing resources. More specifically, some security vendors may deploy a variety of endpoint security products on client machines of associated customers. The endpoint security products may detect the triggering of signature matches on the client machines that indicate the potential presence of a security threat, such as an intrusion or infection. The security vendors may collect information about the signature matches on one or more backend security servers. Moreover, the security vendors may process and analyze the collected information to prepare one or more reports about potential security threats on the client machines, thereby helping to protect the customers from corresponding security threats. Accordingly, in some examples, security vendors may leverage insights gained from one customer to help protect another customer.
Nevertheless, a computing security vendor that maintains a sufficiently large database of information about detected signature matches, and/or that provides security services for a sufficiently large number of customers, may encounter situations where the number of potential security threats becomes difficult to manage. The instant disclosure, therefore, identifies and addresses a need for systems and methods for categorizing security incidents, as discussed further below.