Network policy update with operational technology
Abstract:
A network security system monitors data traffic being transmitted between a first device and a second device in a network to identify a plurality of commands being transmitted between the first device and the second device. The network security system then generates a whitelisting policy based on the plurality of commands being transmitted between the first device and the second device. After generating the whitelisting policy, the network security system receives subsequent data traffic being transmitted between the first device and the second device, and determines, based on the subsequent data traffic, a first command being transmitted between the first device and the second device. In response to determining that the first command is not included in the whitelisting policy, the network security system generates an alert in relation to the first command.
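The learn-then-enforce flow the abstract describes, as an added example that is not code from the patent. The device names, command names and tuple format are constructed assumptions, and alerting on a device pair that was never observed goes beyond what the abstract states.

```python
from collections import defaultdict

# Constructed sample records (source, destination, command), as a protocol
# decoder might emit them. All names here are hypothetical.
LEARNING_TRAFFIC = [
    ("hmi-1", "plc-7", "read_holding_registers"),
    ("hmi-1", "plc-7", "read_coils"),
    ("plc-7", "hmi-1", "read_response"),
    ("hmi-1", "plc-7", "read_holding_registers"),
]
SUBSEQUENT_TRAFFIC = [
    ("hmi-1", "plc-7", "read_coils"),
    ("hmi-1", "plc-7", "write_single_register"),
    ("plc-7", "hmi-1", "read_response"),
    ("hmi-1", "plc-9", "read_coils"),
]


def pair_key(src, dst):
    # The abstract speaks of commands "between" two devices, so the policy
    # is keyed on the unordered pair (an assumption; direction is ignored).
    return frozenset((src, dst))


def build_policy(traffic):
    """Monitoring phase: collect every command seen per device pair."""
    policy = defaultdict(set)
    for src, dst, command in traffic:
        policy[pair_key(src, dst)].add(command)
    return dict(policy)


def check_traffic(policy, traffic):
    """Enforcement phase: return one alert per command not in the policy."""
    alerts = []
    for src, dst, command in traffic:
        allowed = policy.get(pair_key(src, dst))
        if allowed is None:
            # Assumption beyond the abstract: an unlearned pair also alerts.
            reason = "device pair not in policy"
        elif command not in allowed:
            reason = "command not in policy"
        else:
            continue
        alerts.append({"src": src, "dst": dst,
                       "command": command, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in check_traffic(build_policy(LEARNING_TRAFFIC), SUBSEQUENT_TRAFFIC):
        print(alert)
```

A policy learned this way is only as clean as the monitoring window: any unwanted command observed during learning becomes part of the whitelist.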