An example computer-implemented method includes receiving, via a processor, an application to be tested, a set of intrusive monitoring capabilities, and a set of external monitoring capabilities. The method includes executing, via the processor, the application in a clean environment to generate unmonitored application behavior. The method includes executing, via the processor, the application with intrusive monitoring based on two randomly generated seeds to generate trigger events and external monitoring to detect changes of application behavior in response to the intrusive monitoring. The method includes computing, via the processor, a correlation measure between the trigger events and the detected changes in the application behavior. The method includes modifying, via the processor, the application in response to detecting the application is evasive based on the correlation measure.