Material Security
About Material Security
Material Security provides phishing protection, account takeover prevention, and email DLP for Google Workspace and Microsoft 365. The company offers a detection and response platform built specifically for cloud workspaces, providing holistic security and automation to protect sensitive data and prevent incidents. Founded by engineers who experienced the limitations of traditional tools firsthand, Material is designed to be intuitive and scalable.
Why Notable
Email DLP; workspace detection & response
Sector Coverage
Feature Coverage
Account Security
| Account takeover containment | full | Detects and contains unauthorized account access to limit breach damage. |
|---|---|---|
| Blast-radius reduction | full | Designed on an assume-compromise model to minimize downstream damage. |
| Mailbox-sensitive-data protection | full | Prevents immediate access to the most sensitive mailbox data after compromise. |
| Cloud-file-sensitive-data protection | full | Prevents immediate access to the most sensitive cloud-file data after compromise. |
| Protection beyond password compromise | full | Assumes a stolen password alone should not unlock sensitive data. |
| Protection beyond MFA-token compromise | full | Designed to reduce damage even when MFA tokens are compromised. |
| OAuth app monitoring | full | Monitors and helps restrict third-party OAuth apps. |
| Account activity monitoring | full | Monitors account activity and risk signals. |
| Google Security Center workflow support | full | Positions Material alongside Google Security Center workflows. |
| Investigation support for takeover risk | full | Supports investigation of account-takeover indicators in cloud workspace context. |
| Forwarding-rule change monitoring | full | Can alert on new forwarding-rule creation or modification. |
| Event subscriptions | full | Supports event-subscription-based alerting for selected behaviors. |
| Slack alert delivery | full | Can deliver certain alerts to Slack. |
| Email alert delivery | full | Can deliver alerts by email. |
| Webhook alert delivery | full | Can deliver alerts by webhook. |
| Email-behavior compromise signals | full | Uses email behavior such as forwarding changes as account-compromise indicators. |
| Behavioral anomaly detection | full | Highlights subtle timing, recipient, data-access, device, and location anomalies after takeover. |
| Recipient-pattern anomaly detection | full | Uses unusual recipient behavior as an ATO signal. |
| Device anomaly detection | full | Uses device changes as a possible compromise signal. |
| Location anomaly detection | full | Uses location changes as a possible compromise signal. |
Data Protection
| Sensitive email classification | full | Automatically classifies sensitive email content in inboxes. |
|---|---|---|
| In-place email redaction | full | Redacts sensitive email content in place after a configured period. |
| Out-of-band MFA to unlock email | full | Requires out-of-band MFA to access protected sensitive email. |
| Unlock audit logging | full | Logs successful and unsuccessful attempts to unlock protected email. |
| Email DLP for mailbox content | full | Protects sensitive mailbox content with additional controls. |
| On-demand retrieval for legitimate users | full | Allows legitimate users to retrieve protected content when needed. |
| Duo integration for email unlock | full | Supports Duo as an extra-authentication method for protected email retrieval. |
| Okta integration for email unlock | full | Supports Okta as an extra-authentication method for protected email retrieval. |
| Modern cloud-workspace DLP | full | Frames DLP as identity-aware, automation-driven protection for cloud workspaces. |
| Monitor unauthorized sharing of Docs/Drive/Sheets | full | Supports monitoring for unauthorized sharing across Google collaboration assets. |
| AI-driven scans and alerts | full | Uses AI-driven scans and alerts for risky behavior or potential breaches. |
| Automated incident management | full | Automates incident management to respond quickly to data risk. |
Deployment & Security
| API-based deployment | full | Connects via native Google Workspace and Microsoft 365 APIs. |
|---|---|---|
| No MX record changes | full | Deploys without changing mail routing or MX records. |
| Zero-downtime rollout | full | Designed for rollout with no downtime. |
| Fast deployment | full | Advertised as deployable in minutes. |
| Selective implementation | full | Features can be enabled selectively for specific users or teams. |
| Group sync for targeted rollout | full | Syncs groups from Active Directory, Google, or identity providers for staged rollout. |
| Default opt-in deployment model | full | Supports opt-in style deployment at the user or team level. |
| Agent-free architecture | full | No agents, plug-ins, or end-user software installs required. |
| Admin console controls | full | Features are enabled and managed directly through the admin console. |
| Single-tenant deployment option | full | Can be deployed in an isolated single-tenant instance. |
| Fully managed deployment | full | Material-operated SaaS deployment option. |
| Semi-managed deployment | full | Material operates it, while customer has full access to infrastructure. |
| Customer-managed deployment | full | Customer owns infrastructure access while Material deploys updates. |
| Infrastructure control | full | Customers can audit usage, manage data and access, and add security tooling. |
| Role-based access control | full | Built-in admin roles help prevent abuse. |
| Immutable audit logs | full | Tracks admin activity and application events in immutable audit logs. |
| Single sign-on for admin console | full | Admin-console access can be gated with existing IdP via SSO. |
| SOC 2 Type II controls | full | Has a SOC 2 Type II report for security-control design and operation. |
| Regular penetration testing | full | Undergoes recurring external penetration testing. |
| Private bug bounty program | full | Runs a private HackerOne bug bounty program. |
Email Security
| API-first email security | full | Replaces perimeter-only SEG approach with direct cloud-workspace integration. |
|---|---|---|
| Post-delivery visibility | full | Sees what happens to messages after delivery inside mailboxes. |
| Internal mail visibility | full | Analyzes internal email activity in addition to inbound mail. |
| Historical email visibility | full | Uses historical message context to improve threat understanding. |
| Behavior-aware email detection | full | Incorporates user behavior into threat detection. |
| Business Email Compromise detection | full | Designed to detect BEC attacks that lack obvious payloads. |
| Spear phishing detection | full | Detects targeted spear-phishing attacks. |
| Partner-account abuse visibility | full | Helps catch attacks coming from compromised legitimate accounts. |
| No added mail latency | full | Avoids SEG-style mail-flow routing delays. |
| Preserves native workflows | full | Avoids breaking native Google Workspace or Microsoft 365 workflows. |
| Automated message finding | full | Can find every instance of a malicious message across inboxes. |
| Delete message remediation | full | Can delete malicious messages as a response action. |
| Move-to-spam remediation | full | Can move malicious messages to spam. |
| Speedbump remediation | full | Can place friction controls on suspicious email based on risk appetite. |
| Continuous in-mailbox monitoring | full | Provides ongoing monitoring inside delivered mailboxes. |
| Real-time environment visibility | full | Maintains real-time view of the mail environment. |
| Cloud-workspace-native email response | full | Uses cloud APIs to investigate and act inside the user environment. |
| Internal BEC prevention | full | Locks down compromised accounts in real time to reduce internal BEC launch risk. |
| Cloud-workspace-native BEC response | full | Approaches BEC through direct workspace visibility rather than gateway-only controls. |
| Phishing protection for Google Workspace | full | Extends anti-phishing coverage beyond the inbox into Drive, Docs, and Sheets exposure risk. |
| Calendar invitation attack coverage | full | Addresses phishing attacks delivered through calendar invitations. |
| Google calendar-attack relevance | full | Frames calendar invite attacks as relevant to Google Workspace accounts. |
| Microsoft 365 calendar-attack relevance | full | Frames calendar invite attacks as relevant to Microsoft 365 accounts. |
Email Security / User Report Response
| User-reported phishing automation | full | Automates the lifecycle of user-reported phishing investigations. |
|---|---|---|
| AI agent for report triage | full | Uses an AI agent to triage reported email. |
| AI agent for investigation | full | AI agent investigates reported threats. |
| AI agent for remediation | full | AI agent carries through to remediation actions. |
| Abuse mailbox automation | full | Turns a user-report mailbox into an automated defense workflow. |
| Duplicate report collapse | full | Reduces repeated analyst work when many users report the same campaign. |
| Instant workforce-wide protection | full | Uses one report to protect the broader user base quickly. |
| Queue reduction | full | Cuts volume and toil in the phishing-report queue. |
| Header-analysis assistance | full | Automates parts of the message-analysis process that analysts usually do manually. |
| Link-analysis assistance | full | Automates link investigation for reported messages. |
| Sender-reputation investigation assistance | full | Automates sender review steps in reported message triage. |
File Security
| Google Drive file-security controls | full | Secures sensitive Google Drive files without broad restrictive blocking. |
|---|---|---|
| Deep file-sharing visibility | full | Shows how files are shared and who has access. |
| Pragmatic automated controls | full | Applies automated risk controls instead of blunt blocking. |
| Collaboration-preserving file security | full | Designed to reduce risk without hampering legitimate collaboration. |
| Context-aware file decisions | full | Lets teams distinguish low-risk shared files from truly sensitive documents. |
| Continuous file-risk management | full | Avoids stale periodic audits with ongoing risk monitoring. |
| Drive data classification | full | Analyzes Google Drive content to identify sensitive data. |
| Overexposure detection | full | Detects sensitive Drive content that is overexposed. |
| Public-sharing detection | full | Identifies publicly shared sensitive data. |
| Risky-third-party-access detection | full | Identifies sensitive files accessible by risky third parties. |
| Automated least-privilege remediation | full | Revokes unnecessary access to enforce least privilege. |
| Drive security gap analysis | full | Frames Drive protection as an ongoing process requiring visibility and automation. |
| Automated remediation for Drive | full | Automates responses to Google Drive exposure issues. |
File Security / AI Governance
| Gemini labeling enhancement for Drive | full | Improves sensitive-data labeling in Google Drive for AI-era workflows. |
|---|---|---|
| AI-search-era Drive lockdown | full | Positions Drive controls to reduce exposure before enterprise AI search broadens data access. |
Google Workspace Operations
| Unified view across Google security domains | full | Unifies visibility across email, identity, data, posture, and files in Google Workspace. |
|---|---|---|
| Reduction of manual phishing triage | full | Automates triage of user-reported phishing in Google Workspace. |
| Reduction of manual data-exposure audits | full | Reduces manual auditing of sensitive Google Drive files and permissions. |
| Google misconfiguration risk reduction | full | Helps surface and fix configuration complexity and misconfiguration. |
| Google-drive toxic-combination detection | full | Identifies combinations of sensitive data, excessive permissions, and risky external sharing. |
| Automated revoke-access workflow | full | Can revoke access when a risky file-sharing condition is found. |
| File quarantine workflow | full | Can quarantine a risky file when conditions warrant. |
| Zero-trust mailbox access protection | full | Requires MFA to access sensitive mailbox data even after compromise. |
| No in-house engineering requirement | full | Aims to operationalize Google security without custom in-house engineering work. |
| Risk analysis of user behaviors | full | Assesses user-behavior risk in Google Workspace. |
| Risk analysis of sensitive data in files | full | Assesses sensitive-data risk in shared files. |
| Risk analysis of posture settings | full | Assesses risky posture settings. |
| Google API integration support | full | Integrates directly with Google via API to streamline security operations. |
| Detection and response for strategy gaps | full | Adds detection and response where native controls need operational help. |
Google Workspace Security
| Gmail protection | full | Protects Gmail as part of unified Google Workspace coverage. |
|---|---|---|
| Google Drive protection | full | Protects Google Drive as part of unified workspace coverage. |
| Account protection for Google | full | Protects Google accounts and related identity risks. |
| Configuration visibility for Google | full | Covers Google Workspace configuration and posture visibility. |
| Automatic issue fixing | full | Designed to identify and fix issues across email, files, and accounts. |
| Automated investigation and response | full | Provides automated investigation and response to email attacks. |
| Flexible message remediation options | full | Supports multiple remediation choices for detected messages. |
| Search and investigate incidents in real time | full | Includes interactive incident search and investigation workflows. |
| Out-of-box protection | full | Positioned as providing immediate protection without lengthy tuning. |
| Control over Drive sharing | full | Extends visibility and control into Drive-sharing risk. |
Integrations
| Cloud Office integrations | full | Provides integration category for core cloud-office platforms. |
|---|---|---|
| SIEM and logging integrations | full | Provides integration category for SIEM and log-management tools. |
| SOAR and automation integrations | full | Provides integration category for SOAR and automation tools. |
| IT and ticketing integrations | full | Provides integration category for IT and ticketing tools. |
| Cloud platform integrations | full | Provides integration category for cloud platforms. |
| Team notification integrations | full | Provides integration category for team-notification tools. |
| Identity integrations | full | Provides integration category for identity tools. |
| High-fidelity enriched context export | full | Exports workspace events with user behavior, file exposure, malicious-artifact details, and other context. |
| Noise reduction before downstream export | full | Filters noise before sending intelligence into the rest of the stack. |
| Flexible architecture for broad interoperability | full | Designed to connect with virtually any tool in the environment. |
| Webhook-based universal connection model | full | Uses flexible webhooks to enable near-universal connections. |
Material Integrations
| Cloud workspace intelligence | full | Exports cloud-workspace detection and response context into the rest of the security and IT ecosystem. |
|---|---|---|
| Real-time event streaming | full | Pushes workspace events to SIEM or SOAR in real time for faster response. |
Material Platform
| Cloud workspace security platform | full | Unified detection and response platform for email, identity, and data threats in Google Workspace and Microsoft 365. |
|---|---|---|
| Google Workspace support | full | Protects Gmail, Drive, accounts, configuration, and posture for Google Workspace environments. |
| Microsoft 365 support | full | Adds advanced visibility and controls across Microsoft 365 for email threats, data sprawl, posture, and risky user behavior. |
| Built for cloud workspaces | full | Positioned as purpose-built for Google Workspace and Microsoft 365 instead of retrofitted legacy gateway tooling. |
| Unified detection and response | full | Combines visibility plus automatic remediation across email, files, and accounts. |
| Continuous security posture visibility | full | Delivers ongoing visibility into workspace security posture, not just point-in-time checks. |
| 5 Minute Workspace Evaluation | full | Free scorecard workflow that evaluates email, file, and account security and returns actionable recommendations. |
| Actionable recommendations | full | Scorecard produces recommended fixes for gaps in email, file, account, and configuration security. |
Microsoft 365 Security
| Advanced Microsoft 365 visibility | full | Adds visibility in hard-to-address areas of Microsoft 365 security. |
|---|---|---|
| AI/ML threat detection | full | Uses AI/ML techniques to identify advanced email attacks. |
| Threat-research-backed detections | full | Combines proactive threat research with automated detection. |
| Impersonation attack detection | full | Detects impersonation threats. |
| Smart data classification | full | Automatically classifies sensitive data. |
| Sensitive-content protection | full | Protects sensitive content against unauthorized access. |
| Security posture maintenance | full | Detects misconfiguration and risky behavior across the cloud office. |
| Deep context for Microsoft 365 issues | full | Provides broader visibility and deeper context for remediation. |
| Contain lateral movement after takeover | full | Helps limit attacker expansion and lateral movement after account compromise. |
| Resource-level controls | full | Applies controls at the resource level, not just account level. |
| Open-source library enriched detections | full | Detection engine incorporates open-source libraries. |
| IOC-enriched detections | full | Detection engine incorporates indicators of compromise. |
| Native-alert-enriched detections | full | Detection engine incorporates native alerts. |
| User-report-enriched detections | full | Detection engine incorporates user-reported signals. |
Operations / Investigation
| Actionable-signal focused UX | full | Design philosophy emphasizes removing friction and surfacing actionable signal clearly. |
|---|---|---|
| Security-data visualization emphasis | full | Focuses on clear visualizations to make complex security data easier to use. |
| Simplified investigation search | full | January 2026 update highlights simpler search during investigations. |
| Cross-risk context linking | full | Connects disparate risks across the cloud workspace for faster triage. |
| Faster triage workflows | full | Improves triage speed by correlating related risks. |
| Automated remediation across calendar, inbox, and Drive | full | Latest updates highlight automated remediation spanning calendar invites, inboxes, and Google Drive. |
| Deeper detection context | full | Adds deeper context and transparency into detection logic. |
| Detection-logic transparency | full | Provides more transparency into why detections fired. |
Shadow IT / AI Governance
| Shadow IT discovery from email metadata | full | Discovers third-party app usage by analyzing password resets, account confirmations, and security alerts in email. |
|---|---|---|
| Unauthorized AI tool discovery | full | Surfaces use of unauthorized AI tools connected to the workspace. |
| Third-party app inventorying | full | Helps create visibility into applications employees are using. |
| SSO-independent app discovery | full | Can identify tools even when they are not managed by SSO. |
| Third-party app risk understanding | full | Helps teams understand employee usage of connected apps. |
| Controls to reduce third-party data leakage | full | Supports controls intended to prevent data leakage through connected apps. |
| Controls to reduce third-party ATO risk | full | Supports controls intended to reduce account-takeover risk introduced by third-party apps. |
| OAuth scope risk visibility | full | Surfaces the risk of overly broad OAuth scopes granted to third-party apps. |
| Compliance exposure visibility for shadow apps | full | Highlights compliance risks from use of unvetted applications. |
| Unsanctioned-app ATO risk management | full | Describes containing and remediating risky app data access linked to shadow OAuth apps. |
| Shadow-app attack-surface visibility | full | Shows how untracked apps expand the attack surface. |