Phishing is one of the most common ways major breaches begin. An effective response requires understanding whether a site is phishing, if it was active when visited, and if your user entered credentials.
Browser extensions are applications that hook directly into the browser without ever touching the user's filesystem. As such, it can be notoriously hard to detect bad behavior. It is also often lost on end users how much control these extensions have -- anything from modifying data on a webpage to collecting user information as it's typed.
Malware behavior is always interesting for the kinds of activity it performs on a system. But often times malware's communication style and characteristics are enough to help identify it as something worthy of deeper analysis.
Perhaps more important than telling you when something is bad, NetworkSage is also quite adept at telling you when there isn't anything to worry about! This can save analysts from tracking down something that looks interesting on the surface, but is actually benign.