The present disclosure generally relates to improving network security threat detection and response in multi-tenant cloud environments. Typically, a multi-tenant cloud provider hosts many applications on many virtual machines belonging to many different tenants. The cloud provider may track traffic to and from the tenants, virtual machines and applications, and may track the ebb and flow of traffic. Virtual machines may allow a programmer to quickly scale the deployment of applications to the volume of traffic requesting the applications. Virtual machines may be deployed in a variety of hardware environments. There may be economies of scale in deploying hardware in a large scale. A cloud provider may rent or sell excess computing capacity on extra hardware deployed to, for example, achieve per unit cost savings on hardware, or for the express purpose of creating a revenue stream from such rentals. A programmer may hire one or more cloud providers to provide contingent space for situations where the programmer's applications may require extra compute capacity, becoming a tenant of the cloud provider. A tenant may flexibly launch more or less copies virtual machines and more or less copies of applications in response to the ebb and flow of traffic. The cloud provider may be unaware of the specific contents of the traffic, for example, due to contractual privacy terms or encryption. A tenant is generally responsible for authentication services for the applications owned by the tenant. A tenant is also typically aware of the contents of any traffic handled or generated by the tenant's applications.