A computer implemented method of protecting a network of computer systems, the method comprising: receiving security data for the network, the security data comprising threat event data for threat events detected within the network over a period of time; extracting, from the received security data, one or more features indicative of a computer system being compromised by a particular threat; generating a forecast of a number of computer systems in the network compromised by the particular threat at a future point in time based on the one or more features; determining whether action should be taken to mitigate the particular threat based on the forecast; and in response to determining that action should be taken, causing one or more predetermined actions to be taken to mitigate the particular threat.