Systems and methods for accurate detection and identification of application-level threats in a computer network include one or more nodes instantiated at protected systems and a network-based security platform communicatively coupled to receive data collected by the one or more nodes. Each node is configured to inspect application-level requests in inbound network traffic to a respective protected system. The security platform includes a three-layer machine learning engine to iteratively reconstruct each protected system's application business logic, identify associated application endpoints, data boundaries, and customary user behaviors based on the data collected by the one or mode nodes, and to create customized profiles for the protected systems and make those profiles available to the nodes instantiated at the protected systems. The security platform detects anomalies in the data provided by the nodes through comparisons with the behavior profile for each of the application endpoints.