Payload indicators

Malicious payloads may or may not originate from a malicious site. There are plenty of instances in which legitimate sites have been hijacked or corrupted by malicious actors. More complex attacks are, in fact, more likely to target trusted organizations as people and systems become better at detecting and blocking dangerous sites.

Inspecting the payload requires the network traffic to be de-encapsulated up to the application layer for analysis. This is obviously a slow process and, to a certain extent, reduces the utility of a layered network model. However, it is only seeing what the payload is, and potentially what the payload does, that will confirm or deny a threat. The following elements are the broad categories of indicators that might flag a payload as dangerous.
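To make the de-encapsulation step concrete, the following added example (not taken from the book) peels the Ethernet, IPv4 and TCP headers off a frame and summarizes the HTTP response inside. The frame, addresses and function names are constructed for illustration, and it assumes the whole response fits in a single TCP segment; real inspection also needs stream reassembly.

```python
import struct

# Constructed sample: an HTTP response small enough to fit one TCP segment.
SAMPLE_HTTP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
               b"Content-Length: 8\r\n\r\n%PDF-1.7")

def build_sample_frame(payload: bytes) -> bytes:
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 80, 49152, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return bytes(12) + struct.pack("!H", 0x0800) + ip + tcp + payload

def decapsulate(frame: bytes) -> bytes:
    """Peel Ethernet, IPv4 and TCP headers; return the application-layer bytes."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet frame carrying IPv4")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("inconsistent IPv4 lengths")
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]                       # total length drops link-layer padding
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_off = (tcp[12] >> 4) * 4                 # TCP header length, options included
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    return tcp[data_off:]

def http_summary(app: bytes) -> dict:
    """Split an HTTP response into status line, declared Content-Type and body."""
    head, sep, body = app.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get(b"content-type", b"").decode("ascii", "replace")
    return {"status": lines[0].decode("ascii", "replace"),
            "content_type": ctype, "body": body}
```

Every length field is validated before it is used as a slice bound, since an inspection engine parses attacker-controlled bytes and must not trust declared sizes.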
