Looking through a site that has been compromised I found a file that looked VERY dodgy. After reformatting the minified code and unobfuscating some of it, it does indeed look to be a threat.
I removed this from the live site but kept it in a local site. I enable high sensitivy scanning and everything else in the scan options, and Wordfence was still unable to pick it up.
What is the protocol for sending samples in so that you can improve your detection methods?