Described herein are systems and methods for performing detection operations on secure ticket data to detect potentially malicious activity. Embodiments may involve obtaining encrypted data from an encrypted portion of a secure ticket, the obtained encrypted data having been communicated over a network; obtaining a decryption key corresponding to the encrypted data; decrypting the encrypted data using the obtained decryption key to generate decrypted data elements; comparing the decrypted data elements to at least one of known valid data elements and known invalid data elements; and generating an assessment based on the comparison, the assessment identifying whether the secure ticket is indicative of potentially malicious activity in the network.