Systems and methods for detecting malicious resources by analyzing communication between multiple resources coupled to a network are provided. According to one embodiment, a method of client reputation monitoring is provided. A monitoring unit executing on a network security device operable to protect a private network observes activities relating to multiple monitored devices within the private network. For each of the observed activities, a score is assigned by the monitoring unit based upon a policy of multiple polices established within the monitoring unit. For each of the monitored devices, a current reputation score is maintained by the monitoring unit based upon the score and a historical score associated with the monitored device. A monitored is classified by the monitoring unit as potentially being a malicious resource based upon the current reputation score for the monitored device.