A security server tracks malicious objects detected by malware detection applications that scan for malicious objects on clients. The security server also receives client information from the clients indicating client states. The client state describes one or more protection applications executing on the client that seek to identify and prevent malicious objects from taking malicious actions based on real-time monitoring. Thus, the security server may identify when the protection application fails to detect a malicious object. In addition, the security server maps detection events of malicious objects with corresponding client states to generate aggregate detection information for a population of clients. Analytical data can be derived from the aggregate detection information to identify trends useful for evaluating different types of protection applications. Furthermore, the security server may initiate automated actions based on the identified trends to improve detection and remediation of the malicious objects on the clients.