Described is a technology by which a signature used by network traffic intrusion prevention/detection systems includes logic that helps a prevention/detection engine detect that signature. A signature to detect is compiled into executable logic that is executed to communicate with an engine that evaluates network traffic. The signature logic provides an expression set (such as group of regular expressions) for the engine to match against a token corresponding to the network traffic. When matched, the engine notifies the logic and receives a further expression set to match, or a communication indicative that that the signature was detected. The signature thus directs the analysis, facilitating a lightweight, generic engine. Safety of the signature logic is described as being accomplished through layers, including by publisher signing, and by compilation and execution (e.g., interpretation) in safe environments.