Systems and methods include obtaining data from a log system storing historical transactions monitored by a security system; creating one or more mock transactions based on the data; and analyzing the one or more mock transactions with a signature pattern matching engine having updates provided therein subsequent to a time of the historical transactions. The one or more mock transactions can have a header based on the data from corresponding historical transactions. The systems and methods can include performing a content scan in the one or more mock transactions based on the signature pattern matching engine having the updates, or determining malicious activity in the one or more mock transactions based on the signature pattern matching engine having the updates to determine missed matches in the corresponding historical transactions.