An information handling system includes a basic input/output system (BIOS), a memory, and a processor. The processor scans a current state of each BIOS attribute in the BIOS, and stores one or more changed attributes in a secure event log in the memory. The processor converts each changed attribute into a different threat event including a first changed attribute into a first threat event. The processor provides a list of threat events to multiple threat chains, each of which determine whether the threat events match threat criteria in a threat chain policy. In response to the threat event matching a threat criterion in the threat chain policy, the threat chain provides a threat state change to the processor, which in turn provides new threat state changes to a threat state change consumer.