Pre-Grant Publication Number: 20070208822
Filing Date: March 01, 2006
Inventors: Yi-Min Wang, Douglas Beck
Assignee: Microsoft Corporation
Current U.S. Classification: 709, 709/217000
View Prior Art for Claim 00004
The system as recited in Claim 2, wherein the tracer module produces a trace file that includes at least a list of writes that occur outside a browser sandbox.
Submitted by: Kathy Wang
Last updated: 6 months ago
Title: Using Honeyclients to Detect New Attacks
Description
Honeyclients are systems that drive a piece of vulnerable client software to potentially malicious sites, and monitor system behavior for indicators of compromise. Each honeyclient is a virtual host, and drives applications such as web browsers to user-specified URLs, looking for signs of malicious behavior when accessing that URL. The malicious behavior is flagged via an integrity check capability, which monitors for changes in files, registry key values, and processes. Upon detection of suspicious behavior, the honeyclient virtual machine is suspended, a new clone is created, and the spidering process continues.
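The integrity check described above can be sketched as a diff between a clean baseline snapshot and a snapshot taken after the visit. This is an added example, not code from the submission or from any honeyclient project; the snapshot layout, the cache-directory allowlist, the verdict strings and all sample paths are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Snapshot:
    files: dict           # path -> content hash
    registry: dict        # "key\value name" -> data
    processes: frozenset  # running process image names

# Assumption: the only place the browser should write during a normal visit.
EXPECTED_WRITE_PREFIXES = (r"c:\users\hc\appdata\local\browser\cache" + "\\",)

def _diff(before, after):
    """Yield (change, key) for each added, removed or modified entry."""
    for key in sorted(before.keys() | after.keys()):
        if key not in before:
            yield "added", key
        elif key not in after:
            yield "removed", key
        elif before[key] != after[key]:
            yield "modified", key

def integrity_check(baseline, current):
    """Return findings for file, registry and process changes since baseline."""
    findings = []
    for change, path in _diff(baseline.files, current.files):
        if not path.lower().startswith(EXPECTED_WRITE_PREFIXES):
            findings.append(("file", change, path))
    for change, key in _diff(baseline.registry, current.registry):
        findings.append(("registry", change, key))
    for name in sorted(current.processes - baseline.processes):
        findings.append(("process", "started", name))
    return findings

def visit_verdict(baseline, current):
    """Any finding means: suspend this VM, start a fresh clone, keep spidering."""
    findings = integrity_check(baseline, current)
    return ("suspend_and_reclone" if findings else "continue"), findings

# Constructed sample snapshots (not real captures).
CACHE = r"c:\users\hc\appdata\local\browser\cache\f_0001"
DROPPED = r"c:\users\hc\appdata\roaming\updater.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"
BASELINE = Snapshot({}, {}, frozenset({"browser.exe"}))
BENIGN_VISIT = Snapshot({CACHE: "a1"}, {}, frozenset({"browser.exe"}))
SUSPICIOUS_VISIT = Snapshot({CACHE: "a1", DROPPED: "b2"}, {RUN_KEY: DROPPED},
                            frozenset({"browser.exe", "updater.exe"}))

if __name__ == "__main__":
    for label, snap in (("benign", BENIGN_VISIT), ("suspicious", SUSPICIOUS_VISIT)):
        print(label, visit_verdict(BASELINE, snap))
```

The prefix allowlist assumes snapshot paths are already canonical, as they are when produced by enumerating the filesystem rather than by parsing logged path strings.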