Network communication events are filtered to remove the network communication events having a predicted unrelatedness to beaconing. Each network communication event has a timestamp, a source entity, and a destination entity. The filtered network communication events are aggregated by unique source entity-destination entity pairs. For each unique source entity-destination entity pair, the network communication events are timestamp-sorted, time differentials between the timestamps of adjacent network communication events are calculated, and a beacon likelihood metric is calculated from the calculated time differentials. Which of the unique source entity-destination entity pairs are indicative of beaconing are identified based on the beacon likelihood metric calculated for each unique source entity-destination entity pair.