A computer-implemented process for two-tier deep analysis of hypertext transport protocol data, monitors Web traffic, receives a packet of Web traffic from a network to form a received packet, wherein the received packet represents Web traffic, and stores the Web traffic temporarily to form stored Web traffic. The computer-implemented process further determines whether the Web traffic is suspicious using a first tier analysis and responsive to a determination that the Web traffic is suspicious, consumes the stored Web traffic using a deep analysis module. The computer-implemented process further determines whether the stored Web traffic is a case of misuse using a second tier analysis and responsive to a determination that the stored Web traffic is a case of misuse, feeding back data about a malicious connection to an intrusion protection system before returning to monitor the Web traffic.