Malicious file identification

Malicious files are constantly evolving, and they won't always be spotted by IDS, IPS, or the other systems involved in the layered defense. There is considerable research suggesting that threats often go undetected for many days, weeks, or even months.

Files may be identified as malicious by systems such as Cisco TALOS, sandbox systems, security researchers, or end-user reports. By the time they are identified, these files may have already spread through the network, and may or may not have completed their nefarious activities.

While anti-virus systems may be able to update and search for new threats, this may not be possible on all systems, particularly legacy systems or device-specific control systems. Retrospective analysis describes the process of applying newly received threat intelligence data to existing logs, to identify whether an infection or intrusion has already occurred. This is particularly useful if the threat intelligence data includes specific signatures or behaviors to look for.
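As an added illustration of the retrospective analysis described above (this is example code, not from the book), the following Python script takes a small threat-intelligence feed of indicators (a file hash and a domain, both constructed placeholders) and replays it over historical endpoint and proxy log lines that are also constructed here. It reports every host that touched an indicator, and when, so an analyst can scope which machines were affected and how long ago the activity began, even on hosts whose anti-virus could not be updated. The key=value log format, field names, and the `retrospective_scan` and `summarize_by_host` helper names are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed threat-intelligence indicators. The SHA-256 value is simply the
# hash of the string "test" and the domain uses the reserved .invalid TLD; both
# are placeholders, not real indicators of compromise.
INDICATORS = {
    "sha256": {
        "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08":
            "dropper seen in sandbox report (constructed)",
    },
    "domain": {
        "telemetry.example.invalid": "command-and-control domain (constructed)",
    },
}

# Constructed historical log lines in an assumed "timestamp key=value ..." form,
# resembling what an EDR agent or web proxy might have recorded weeks earlier.
HISTORICAL_LOGS = [
    r"2024-03-02T08:15:01Z host=ws-014 event=file_write path=C:\Users\a\Downloads\invoice.exe "
    r"sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    r"2024-03-02T08:16:30Z host=ws-014 event=dns_query domain=telemetry.example.invalid",
    r"2024-03-03T11:02:44Z host=ws-022 event=file_write path=C:\Temp\setup.exe "
    r"sha256=0000000000000000000000000000000000000000000000000000000000000000",
    r"2024-03-10T17:45:12Z host=srv-plc-01 event=dns_query domain=telemetry.example.invalid",
    "corrupted line with no usable fields",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Match:
    timestamp: datetime
    host: str
    indicator_type: str
    indicator: str
    description: str
    raw_line: str


def parse_line(line):
    """Return (timestamp, fields) for a log line, or None if it cannot be parsed."""
    token = line.split(" ", 1)[0]
    try:
        timestamp = datetime.strptime(token, TIMESTAMP_FORMAT)
    except ValueError:
        return None  # skip lines without a parsable timestamp rather than abort the scan
    fields = dict(FIELD_RE.findall(line))
    return timestamp, fields


def retrospective_scan(indicators, log_lines):
    """Replay indicator tables over historical log lines and return every hit in time order."""
    matches = []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, fields = parsed
        for indicator_type, table in indicators.items():
            value = fields.get(indicator_type)
            if value is None:
                continue
            key = value.lower()  # normalise case so upper-case hashes still match
            if key in table:
                matches.append(Match(timestamp, fields.get("host", "unknown"),
                                     indicator_type, key, table[key], line))
    return sorted(matches, key=lambda m: m.timestamp)


def summarize_by_host(matches):
    """Collapse matches into a per-host view: first/last sighting and distinct indicators."""
    summary = defaultdict(lambda: {"first_seen": None, "last_seen": None, "indicators": set()})
    for m in matches:
        entry = summary[m.host]
        if entry["first_seen"] is None or m.timestamp < entry["first_seen"]:
            entry["first_seen"] = m.timestamp
        if entry["last_seen"] is None or m.timestamp > entry["last_seen"]:
            entry["last_seen"] = m.timestamp
        entry["indicators"].add(m.indicator)
    return {host: {**v, "indicator_count": len(v["indicators"])} for host, v in summary.items()}


if __name__ == "__main__":
    hits = retrospective_scan(INDICATORS, HISTORICAL_LOGS)
    for hit in hits:
        print(f"{hit.timestamp.isoformat()} {hit.host} {hit.indicator_type}={hit.indicator} ({hit.description})")
    for host, info in summarize_by_host(hits).items():
        print(f"{host}: first seen {info['first_seen']}, {info['indicator_count']} indicator(s)")
```

Running the script lists the two sightings on `ws-014` and the later DNS lookup from `srv-plc-01`, while the unrelated hash on `ws-022` and the corrupted line produce nothing. The per-host summary gives the earliest sighting, which is what an incident responder needs to estimate dwell time and decide which hosts to isolate or image first.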
