Invention Grant
- Patent Title: Interception and policy application for malicious communications
- Patent Title (Chinese, translated): Interception and policy application for malicious communications
- Application No.: US13928485
- Application Date: 2013-06-27
- Publication No.: US09443075B2
- Publication Date: 2016-09-13
- Inventor: Stephen Ralph DiCato, Jr., Daniel Kenneth Fayette, Todd Aaron O'Boyle
- Applicant: The MITRE Corporation
- Applicant Address: US VA McLean
- Assignee: The Mitre Corporation
- Current Assignee: The Mitre Corporation
- Current Assignee Address: US VA McLean
- Agency: Sterne, Kessler, Goldstein & Fox P.L.L.C.
- Main IPC: H04L29/06
- IPC: H04L29/06; G06F21/50

Abstract:
Disclosed herein are system, method, and computer program product embodiments for adapting to malware activity on a compromised computer system. An embodiment operates by detecting an adversary operating malware on a compromised system. A stream of network communications associated with the adversary is intercepted. The stream of network communications includes a command and control channel of the adversary. The stream of network communications is accessed. An emulation of the command and control channel is provided. An analysis of the accessed stream of traffic is executed. A plurality of response mechanisms is provided. The plurality of response mechanisms is based in part on the analysis of the stream of network communications and a custom policy language tailored for the malware.
Public/Granted literature
- US20150007250A1 Interception and Policy Application for Malicious Communications (Public/Granted day: 2015-01-01)