EmergingThreats · PhilSchroeder · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -12,7 +12,7 @@ jobs:
 
     strategy:
       matrix:
-        ruby-version: [2.3, 2.4, 2.5, 2.6, 2.7]
+        ruby-version: [2.5, 2.6, 2.7]
 
     steps:
     - uses: actions/checkout@v2
@@ -21,16 +21,14 @@ jobs:
       with:
         ruby-version: ${{ matrix.ruby-version }}
 
-    - uses: actions/cache@v1
+    - uses: actions/cache@v4
       with:
         path: vendor/bundle
         key: gems-${{ runner.os }}-${{ matrix.ruby-version }}-${{ hashFiles('**/Gemfile.lock') }}
 
-    # necessary to get ruby 2.3 to work nicely with bundler vendor/bundle cache
-    # can remove once ruby 2.3 is no longer supported
-    - run: gem update --system
-
+    # Use a local bundle path so caching vendor/bundle works across Ruby versions
+    - run: bundle config set path vendor/bundle
     - run: bundle config set deployment 'true'
-    - run: bundle install
+    - run: bundle install --jobs 4 --retry 3
 
     - run: bundle exec middleman build
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -17,7 +17,7 @@ jobs:
       with:
         ruby-version: ${{ env.ruby-version }}
 
-    - uses: actions/cache@v1
+    - uses: actions/cache@v4
       with:
         path: vendor/bundle
         key: gems-${{ runner.os }}-${{ env.ruby-version }}-${{ hashFiles('**/Gemfile.lock') }}

diff --git a/Gemfile b/Gemfile
@@ -8,5 +8,5 @@ gem 'middleman-autoprefixer', '~> 2.7'
 gem 'middleman-sprockets', '~> 4.1'
 gem 'rouge', '~> 3.20'
 gem 'redcarpet', '~> 3.5.0'
-gem 'nokogiri', '~> 1.10.8'
+gem 'nokogiri', '~> 1.11.0'
 gem 'sass'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -77,10 +77,11 @@ GEM
     middleman-syntax (3.2.0)
       middleman-core (>= 3.2)
       rouge (~> 3.2)
-    mini_portile2 (2.4.0)
+    mini_portile2 (2.5.3)
     minitest (5.14.1)
-    nokogiri (1.10.9)
-      mini_portile2 (~> 2.4.0)
+    nokogiri (1.11.7)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
     padrino-helpers (0.13.3.4)
       i18n (~> 0.6, >= 0.6.7)
       padrino-support (= 0.13.3.4)
@@ -89,6 +90,7 @@ GEM
       activesupport (>= 3.1)
     parallel (1.19.2)
     public_suffix (4.0.5)
+    racc (1.5.2)
     rack (2.2.3)
     rb-fsevent (0.10.4)
     rb-inotify (0.10.1)
@@ -124,7 +126,7 @@ DEPENDENCIES
   middleman-autoprefixer (~> 2.7)
   middleman-sprockets (~> 4.1)
   middleman-syntax (~> 3.2)
-  nokogiri (~> 1.10.8)
+  nokogiri (~> 1.11.0)
   redcarpet (~> 3.5.0)
   rouge (~> 3.20)
   sass

diff --git a/source/includes/_cve.md b/source/includes/_cve.md
@@ -1,4 +1,4 @@
-# CVE Information <sup>BETA</sup>
+# CVE Information
 
 ## Get CVE Details
 

diff --git a/source/includes/_malware.md b/source/includes/_malware.md
@@ -1,4 +1,4 @@
-# Malware Information<sup>BETA</sup>
+# Malware Information
 
 ## Get Malware Family Information 
 

diff --git a/source/includes/_sids.md b/source/includes/_sids.md
@@ -248,53 +248,155 @@ suricata_text | Yes | Example of the rule for Suricata
 snort_text | Yes | Example of rule for Snort 2.9
 
 
-## Get Signature documentation
+## Get Signature Summary and Metadata
 
 ```shell
-curl "https://api.emergingthreats.net/v1/sids/{sid}/documentation"
+curl "https://api.emergingthreats.net/v1/sids/{sid}/summary"
   -H "Authorization: SECRETKEY"
 ```
 
 ```python
 import requests
 api_key = "SECRETKEY"
-url = "https://api.emergingthreats.net/v1/sids/{sid}/documentation"
+url = "https://api.emergingthreats.net/v1/sids/{sid}/summary"
 headers = {'Authorization': f'{api_key}'}
 response = requests.get(url, headers=headers)
 print(response.json())
 ```
 
-> The JSON response should look something like:
+> Example 1: AI-Generated Description (SID 2032904)
 
 ```json
 {
   "success": true,
-  "response":
-    {
-      "sid": 2000005,
-      "summary": "This alert is triggered when an attempt is made to exploit a vulnerability in a system or application.",
-      "description": "An EXPLOIT Attempt event likely occurs when an attacker has attempted to gain
-      unauthorized access to an asset or service by exploiting a direct vulnerability in an application or
-      operating system. A successful exploitation of an asset or service may lead to malicious code being left
-      behind to facilitate remote control. Further investigation may be needed to ascertain if an attacker successfully exploited this asset or service.",
-      "impact": "Compromised Server"
+  "response": {
+    "sid": 2032904,
+    "metadata": {
+      "rev": "1",
+      "sid": "2032904",
+      "tag": "CISA_KEV, Description Generated By Proofpoint Nexus",
+      "name": "[FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M1",
+      "type": "SID",
+      "ruleset": "ET",
+      "category": "EXPLOIT",
+      "severity": "Major",
+      "classtype": "attempted-admin",
+      "tls_state": null,
+      "mitre_tags": [],
+      "description": "This Suricata rule detects exploitation attempts targeting Pulse Secure VPN appliances, specifically CVE-2021-22893. The rule alerts when HTTP traffic contains suspicious requests to Pulse Secure's web interface paths.\n\nThe rule looks for HTTP requests directed to the home network or HTTP servers with URIs starting with \"/dana\" followed by specific paths like \"/meeting\", \"/fb/smb\", \"/namedusers\", or \"/metric\". It excludes legitimate traffic containing \"welcome.cgi\" to reduce false positives.\n\nCVE-2021-22893 is a critical authentication bypass vulnerability in Pulse Connect Secure 9.0R3/9.1R1 and higher. The vulnerability affects the Windows File Share Browser and Pulse Secure Collaboration features, allowing unauthenticated attackers to execute arbitrary code on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.\n\nThe rule references FireEye's research and countermeasures for this vulnerability. The classification \"attempted-admin\" indicates attackers are trying to gain administrative access to the affected systems.\n\nThis is a high-severity threat as it allows unauthenticated remote code execution on VPN appliances that typically serve as critical network entry points for organizations.",
+      "attack_target": "Server",
+      "creation_date": "2021-05-05",
+      "cve_reference": "CVE-2021-22893",
+      "url_reference": "url,github.com/fireeye/pulsesecure_exploitation_countermeasures|url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html|cve,2021-22893",
+      "malware_family": null,
+      "affected_products": "Pulse_Secure",
+      "deprecation_reason": null,
+      "last_modified_date": "2021-05-05",
+      "performance_impact": "Low",
+      "signature_deployment": "Perimeter"
     }
+  }
 }
 ```
-This endpoint retrieves the most recent documentation available for the specified sid.
+
+> Example 2: Standard Description (SID 2029740)
+
+```json
+{
+  "success": true,
+  "response": {
+    "sid": 2029740,
+    "metadata": {
+      "rev": "1",
+      "sid": "2029740",
+      "tag": null,
+      "name": "Cobalt Strike Malleable C2 (Havex APT)",
+      "type": "SID",
+      "ruleset": "ET",
+      "category": "MALWARE",
+      "severity": "Major",
+      "classtype": "command-and-control",
+      "tls_state": null,
+      "mitre_tags": [
+        {
+          "mitre_tactic_id": "TA0011",
+          "mitre_tactic_name": "Command_And_Control",
+          "mitre_technique_id": "T1001",
+          "mitre_technique_name": "Data_Obfuscation"
+        }
+      ],
+      "description": "Also classifies as MITRE ATT&CK subtechnique .003 - Protocol Impersonation",
+      "attack_target": "Client_Endpoint",
+      "creation_date": "2020-03-26",
+      "cve_reference": "",
+      "url_reference": "url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/havex.profile",
+      "malware_family": "Cobalt Strike",
+      "affected_products": "Windows_XP/Vista/7/8/10/Server_32/64_Bit",
+      "deprecation_reason": null,
+      "last_modified_date": "2020-03-26",
+      "performance_impact": null,
+      "signature_deployment": "Perimeter"
+    }
+  }
+}
+```
+
+This endpoint retrieves comprehensive metadata and documentation for the specified signature (SID), including AI-generated descriptions when available. The metadata includes detailed threat information, MITRE ATT&CK mappings, affected products, CVE references, and deployment recommendations. This is the primary endpoint used by the ET Intelligence UI for displaying signature information.
 
 ### HTTP Request
 
-`GET https://api.emergingthreats.net/v1/sids/{sid}/documentation`
+`GET https://api.emergingthreats.net/v1/sids/{sid}/summary`
 
 ### Response Parameters
 
 Parameter | Optional? | Description
 --------- | --------- | -----------
-sid | No | Sid that was requested
-summary | No | Summary of the information this alert is trying to convey.
-description | No | Detailed description of the exploit being caught.
-impact | No | What kinds of systems does this impact
+sid | No | Signature ID that was requested
+metadata | No | JSON object containing all signature metadata and documentation
+
+### Metadata Object Fields
+
+Field | Optional? | Description
+----- | --------- | -----------
+sid | No | Signature ID as a string
+rev | No | Revision number of the signature
+name | No | Full name of the signature/rule
+tag | Yes | Comma-separated tags indicating special properties (e.g., "CISA_KEV, Description Generated By Proofpoint Nexus")
+description | No | Detailed description of the threat. May be AI-generated (indicated by tag field) or manually written by threat researchers
+type | No | Type of signature (typically "SID")
+ruleset | No | Ruleset name (e.g., "ET" for Emerging Threats, "ETPRO" for ET Pro)
+category | No | Threat category (e.g., "EXPLOIT", "MALWARE", "TROJAN", "POLICY")
+severity | No | Severity level (e.g., "Major", "Minor", "Critical")
+classtype | No | Snort/Suricata classification type (e.g., "attempted-admin", "trojan-activity")
+tls_state | Yes | TLS/SSL state information if applicable
+mitre_tags | Yes | Array of MITRE ATT&CK framework mappings
+attack_target | Yes | Primary attack target (e.g., "Server", "Client_Endpoint", "Network")
+creation_date | No | Date the signature was created (YYYY-MM-DD format)
+last_modified_date | No | Date the signature was last modified (YYYY-MM-DD format)
+cve_reference | Yes | Related CVE identifier(s), pipe-separated if multiple
+url_reference | Yes | Related reference URLs, pipe-separated
+malware_family | Yes | Associated malware family name if applicable
+affected_products | Yes | Products/systems affected by this threat
+deprecation_reason | Yes | Reason for deprecation if signature is deprecated
+performance_impact | Yes | Expected performance impact (e.g., "Low", "Medium", "High")
+signature_deployment | Yes | Recommended deployment location (e.g., "Perimeter", "Internal")
+
+### MITRE Tags Object Fields
+
+Field | Description
+----- | -----------
+mitre_tactic_id | MITRE ATT&CK Tactic ID (e.g., "TA0011")
+mitre_tactic_name | MITRE ATT&CK Tactic name (e.g., "Command_And_Control")
+mitre_technique_id | MITRE ATT&CK Technique ID (e.g., "T1001")
+mitre_technique_name | MITRE ATT&CK Technique name (e.g., "Data_Obfuscation")
+
+### Important Notes
+
+- **AI-Generated Descriptions**: When the `tag` field contains "Description Generated By Proofpoint Nexus" or similar text, the description has been generated or augmented using AI/LLM technology to provide more comprehensive threat context.
+- **Description Length**: AI-generated descriptions are typically much longer and more detailed than manually written descriptions, often including technical details, attack vectors, impact analysis, and mitigation context.
+- **MITRE ATT&CK Integration**: The `mitre_tags` array provides direct mapping to the MITRE ATT&CK framework for threat intelligence correlation.
+- **Null Values**: Some fields may be `null` if the information is not applicable or not available for that particular signature.
+- **ETPro Access**: If you request a signature that requires an ETPro subscription and you don't have access, this endpoint will return a 402 Payment Required status.
 
 ## Get Signature references
 

diff --git a/source/includes/_threatactors.md b/source/includes/_threatactors.md
@@ -1,4 +1,4 @@
-# Threat Actor Information<sup>BETA</sup>
+# Threat Actor Information
 
 ## Get Threat Actor Bio Information 
 

diff --git a/source/includes/_trends.md b/source/includes/_trends.md
@@ -1,4 +1,4 @@
-# Trends Information<sup>BETA</sup>
+# Trends Information
 
 ## Get Trends Information 
 

diff --git a/source/index.html.md b/source/index.html.md
@@ -27,6 +27,9 @@ code_clipboard: true
 
 # Introduction
 
+**API Version:** v1  
+**Last Updated:** January 2026
+
 > Summary of Resource URL Patterns
 
 ```plaintext
@@ -51,7 +54,7 @@ code_clipboard: true
 /v1/ips/{ip}/samples
 /v1/ips/{ip}/urls
 
-/v1/malare/{malware_family}
+/v1/malware/{malware_family}
 /v1/samples/{md5}
 /v1/samples/{md5}/connections
 /v1/samples/{md5}/dns
@@ -62,6 +65,9 @@ code_clipboard: true
 /v1/sids/{sid}/ips
 /v1/sids/{sid}/domains
 /v1/sids/{sid}/samples
+/v1/sids/{sid}/text
+/v1/sids/{sid}/summary
+/v1/sids/{sid}/references
 
 /v1/actors/{threatactor}
 ```