This document proposes combining static and dynamic analysis approaches for better network defense. Static analysis provides low false negative rates but takes longer to mature, while dynamic analysis has a faster time to detection but higher false negatives. The complementary approach reconstructs files at the gateway, performs static analysis, and only invokes dynamic analysis when files are deemed suspicious to gain the benefits of both methods. It involves host agents, a dynamic analyzer, static analyzer, and gateway controller working together to tag files based on both analyses.