Methods and systems for detecting threats using threat signatures loaded in a computing device. The methods include receiving a first plurality of threat signatures at a computing device, at least one threat signature of the first plurality of threat signatures having been assigned a score based on at least one metadata attribute having been added to the at least one threat signature; receiving a selection of a second plurality of threat signatures from the first plurality of threat signatures to load into random access memory (RAM) of the computing device, wherein at least one threat signature of the selected plurality of threat signatures is selected based on its assigned score; scanning network traffic accessible by the computing device using the at least one threat signature of the selected plurality of threat signatures; detecting a threat in the network traffic based on the scanning using the at least one threat signature of the selected plurality of threat signatures; and performing a remedial action upon detecting the threat in the network traffic.