[Update] Deception.Pro ET PRO May 2026

Operations now using ET Pro Suricata Ruleset

We've integrated Emerging Threats Pro (ET Pro) — Proofpoint's premium commercial Suricata ruleset — into the Suricata sensors running across every Deception.Pro honeynet node. Every session, packet capture, and alert flowing out of the platform is now classified against the industry's most comprehensive Suricata rule corpus.

Why This Matters

Our honeynets exist to capture authentic adversary behavior — real malware, real C2 traffic, real lateral movement against instrumented Windows Active Directory environments. The fidelity of that telemetry depends entirely on how well our Suricata sensors can identify what they're seeing on the wire.

ET Open, the free community Suricata ruleset, is good. ET Pro is better. The delta is meaningful:

  • ~50,000+ additional Suricata rules covering current malware families, exploit kits, phishing infrastructure, and C2 protocols not present in the open ruleset

  • Daily rule updates for emerging threats, often within hours of public disclosure

  • Higher-fidelity malware family attribution — fewer "generic trojan" hits, more named-family classifications (PureLogs, AsyncRAT, Lumma, RedLine, etc.)

  • CVE-tagged exploit detection for vulnerabilities being actively weaponized

  • Improved coverage of evasive families, including those that specifically target enterprise AD environments

Because ET Pro is a Suricata-native ruleset, it plugs directly into the IDS layer we've already built around every honeynet — no additional inspection point, no parallel pipeline, no added latency to the capture path.

What changes for data consumers

If you license EDR telemetry, Suricata alert feeds, or full-PCAP datasets from Deception.Pro, you'll see this reflected immediately:

  • Richer Suricata alert metadata on every session — named families, threat categories, and references attached to each event

  • Better signal-to-noise when filtering captured traffic for specific threat types

  • Faster coverage of newly observed campaigns. When an ET Pro signature ships for a new loader on Tuesday, your enrichment catches it on Tuesday

  • More accurate threat-family grouping for ML training, retro-hunts, and campaign clustering

For partners building detection content, this also means our PCAPs are now classified against the same Suricata rules your production sensors are likely running — which makes the data immediately useful for tuning, validation, and regression testing.
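As an added illustration of what the richer alert metadata looks like on the consumer side (this is example code written for this page, not Deception.Pro tooling), the script below reads Suricata EVE JSON alert lines and groups or filters them on the ET rule metadata Suricata attaches under `alert.metadata` (the `malware_family` and `attack_target` keys, emitted as lists when the eve-log alert output has `metadata: yes`). The EVE lines, signature ids, flow ids and addresses are constructed placeholders, not real ET Pro rule content; alerts with no `malware_family` are bucketed as "unattributed", which is the generic-trojan case the bullets above describe.

```python
"""Group and filter Suricata EVE JSON alerts by ET rule metadata.

The EVE lines below are constructed for this example: the sids sit in the
local-rule range, and the flow_ids, IPs and timestamps are placeholders.
Suricata writes rule metadata as {key: [values]} under alert.metadata when
the eve-log alert output is configured with `metadata: yes`.
"""
import json
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional

SAMPLE_EVE_LINES: List[str] = [
    # Named family, client-side target (constructed)
    '{"timestamp":"2026-05-04T10:00:01.000000+0000","flow_id":1001,"event_type":"alert",'
    '"src_ip":"10.0.0.15","dest_ip":"192.0.2.10","dest_port":4444,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"CONSTRUCTED MALWARE AsyncRAT CnC Checkin",'
    '"category":"Malware Command and Control Activity Detected","severity":1,'
    '"metadata":{"malware_family":["AsyncRAT"],"attack_target":["Client_Endpoint"],'
    '"signature_severity":["Major"]}}}',
    # Second named family (constructed)
    '{"timestamp":"2026-05-04T10:00:05.000000+0000","flow_id":1002,"event_type":"alert",'
    '"src_ip":"10.0.0.22","dest_ip":"192.0.2.11","dest_port":443,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,'
    '"signature":"CONSTRUCTED MALWARE Lumma Stealer Exfil",'
    '"category":"Malware Command and Control Activity Detected","severity":1,'
    '"metadata":{"malware_family":["Lumma"],"attack_target":["Client_Endpoint"],'
    '"signature_severity":["Major"]}}}',
    # A non-alert EVE record (flow) that a consumer must skip
    '{"timestamp":"2026-05-04T10:00:06.000000+0000","flow_id":1003,"event_type":"flow",'
    '"src_ip":"10.0.0.22","dest_ip":"192.0.2.11","proto":"TCP"}',
    # Generic rule with no malware_family: the "generic trojan" case
    '{"timestamp":"2026-05-04T10:00:09.000000+0000","flow_id":1004,"event_type":"alert",'
    '"src_ip":"10.0.0.31","dest_ip":"192.0.2.12","dest_port":8080,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000003,"rev":1,'
    '"signature":"CONSTRUCTED TROJAN Generic Checkin",'
    '"category":"A Network Trojan was detected","severity":1,'
    '"metadata":{"attack_target":["Client_Endpoint"],"signature_severity":["Minor"]}}}',
    # Same family as the first line, but server-side target (constructed)
    '{"timestamp":"2026-05-04T10:01:00.000000+0000","flow_id":1005,"event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"10.0.0.5","dest_port":445,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000004,"rev":1,'
    '"signature":"CONSTRUCTED MALWARE AsyncRAT Lateral Movement Attempt",'
    '"category":"Malware Command and Control Activity Detected","severity":1,'
    '"metadata":{"malware_family":["AsyncRAT"],"attack_target":["Server"],'
    '"signature_severity":["Major"]}}}',
    # A torn line, as seen at a log rotation boundary
    '{"timestamp":"2026-05-04T10:01:0',
]


def iter_alerts(lines: Iterable[str]) -> Iterator[dict]:
    """Yield parsed alert events, skipping blank, malformed and non-alert lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # one torn line must not abort a batch run
        if event.get("event_type") == "alert":
            yield event


def rule_metadata(event: dict) -> Dict[str, List[str]]:
    """The {key: [values]} metadata block Suricata copies from the rule."""
    return event.get("alert", {}).get("metadata") or {}


def family_of(event: dict) -> str:
    """Named family from ET metadata, or 'unattributed' for generic rules."""
    families = rule_metadata(event).get("malware_family") or []
    return families[0] if families else "unattributed"


def summarize_by_family(lines: Iterable[str]) -> Dict[str, int]:
    """Alert counts per family, the grouping used for clustering and ML labels."""
    return dict(Counter(family_of(ev) for ev in iter_alerts(lines)))


def filter_alerts(lines: Iterable[str], family: Optional[str] = None,
                  attack_target: Optional[str] = None) -> List[dict]:
    """Alerts matching an optional family and/or ET attack_target value."""
    matches = []
    for ev in iter_alerts(lines):
        if family is not None and family_of(ev) != family:
            continue
        if attack_target is not None and attack_target not in rule_metadata(ev).get("attack_target", []):
            continue
        matches.append(ev)
    return matches


def flow_ids_for_family(lines: Iterable[str], family: str) -> List[int]:
    """Deduplicated flow_ids for one family, the key used to pull sessions from a PCAP bundle."""
    return sorted({ev["flow_id"] for ev in filter_alerts(lines, family=family)})


if __name__ == "__main__":
    print(summarize_by_family(SAMPLE_EVE_LINES))
    for ev in filter_alerts(SAMPLE_EVE_LINES, attack_target="Client_Endpoint"):
        print(ev["alert"]["signature_id"], family_of(ev), ev["alert"]["signature"])
    print(flow_ids_for_family(SAMPLE_EVE_LINES, "AsyncRAT"))
```

On a real alert export the same functions take the lines of an `eve.json` file; `flow_id` is also what ties an alert back to the `flow` record and to the session in the PCAP, so the list returned by `flow_ids_for_family` is the natural input to a retro-hunt over the packet data.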

What's unchanged

Everything else. The capture stack is the same: LimaCharlie EDR on the endpoints, Suricata at the network edge, full-packet PCAPs preserved indefinitely. ET Pro is an enrichment layer on top of Suricata, not a replacement for the underlying telemetry — the raw evidence stays intact regardless of what the ruleset says about it.

Availability

Live now across all production Suricata sensors. No action required for existing data licensees — your feeds are already classified against the new ruleset. New PCAPs, alert exports, and EDR-correlated session bundles will reflect the expanded coverage from this point forward.

If you're evaluating Deception.Pro telemetry and want a sample with the new classification metadata attached, get in touch!

Deception.Pro is a persistent honeynet platform operated by PKB Communications LLC. We deploy instrumented Windows Active Directory environments to capture authentic, long-dwell adversary telemetry and license that data to security vendors, ML teams, and threat intelligence consumers.
