Methods, systems and media are shown for detecting a heap spray event involving examining user allocated portions of heap memory for a process image, determining a level of entropy for the user allocated portions, and, if the level of entropy is below a threshold, performing secondary heuristics, and detecting a heap spray event based on results of the secondary heuristics. In some examples, performing the secondary heuristics may include analyzing a pattern of memory allocation for the user allocated portions, analyzing data content of the user allocated portions of heap memory, or analyzing a heap allocation size for the user allocated portions of heap memory.