I have been thinking, and wonder if your "first seen" detection issue could be solved with a class of "Generic-Unknown", where you could have a pop-up alert that says something along the lines of:

Generic-Unknown. File has not been seen before in cloud database. This file has no classification and could be potentially dangerous. Would you like to allow this program to run? (Y / N)

(Y) This file has been added to the temporary permissions list and will continue to be monitored until a cloud classification can be found.

(N) File has been blocked.

This would work well, as it works similarly to a HIPS but will very "rarely" go off, on the rare occasion that a file has not been seen before. This gives users a chance to know a file could be dangerous before it is. It would also perhaps, if integrated in the correct way, stop testing organisations from giving Webroot such a low score.

I would also add that a push system should be put in place to make sure all "unknown" files get put at the head of the line for a Webroot/Prevx guy to look at and classify; this way you get your very quick turn-around for unknowns.

Can you get where I'm coming from here, guys?