Invention Grant
- Patent Title: Evaluating shellcode findings
- Patent Title (Chinese): Evaluating shellcode results
- Application No.: US12819234
- Application Date: 2010-06-21
- Publication No.: US08413246B2
- Publication Date: 2013-04-02
- Inventor: Jinwook Shin, John Joseph Lambert, Joshua Lackey
- Applicant: Jinwook Shin, John Joseph Lambert, Joshua Lackey
- Applicant Address: US WA Redmond
- Assignee: Microsoft Corporation
- Current Assignee: Microsoft Corporation
- Current Assignee Address: US WA Redmond
- Agency: Hope Baldauff Hartman, LLC
- Main IPC: G06F21/00
- IPC: G06F21/00

Abstract:
Concepts and technologies are described herein for evaluating shellcode findings. In accordance with the concepts and technologies disclosed herein, shellcode findings can be evaluated to determine if the shellcode findings are legitimate, or if the shellcode findings are false positive shellcode findings. Legitimate shellcode findings can be determined based not simply upon patterns associated with the suspected shellcode itself, but also based upon a pattern of bit-level entropy in the memory around the suspected shellcode. Mathematical models of the memory can be generated and analyzed to determine if the shellcode finding is legitimate.
Public/Granted literature
- US20110314544A1 EVALUATING SHELL CODE FINDINGS, Public/Granted day: 2011-12-22