Loading...
Sublime Security logo

Sublime Security

sublime.security ↗ Enterprise Security 2 sectors

About Sublime Security

Sublime Security is a next-generation email security platform that leverages autonomous AI agents to detect and respond to advanced threats in real-time. The company empowers security teams with tailored detections, explainable alerts, and automation to prevent, detect, and respond to threats faster and with confidence. Its platform is trusted by leading security teams worldwide. Founded in 2020, Sublime Security is headquartered in the United States.

Why Notable

Top 12 email security (Sublime blog 2026)

Sector Coverage

Feature Coverage

AI Agents

ASA: Autonomous Security Analyst full AI analyst that fully automates triage and remediation of user-reported emails.
ASA around-the-clock triage full Blog positions ASA as autonomously triaging user reports around the clock.
ASA technical architecture full Technical architecture blog explains how ASA performs analyst-like email-investigation tasks.
ADÉ: Autonomous Detection Engineer full AI detection generator that analyzes missed or evolving attacks and automatically creates detection rules.
ADÉ missed-attack analysis full Analyzes missed attacks in the customer environment to propose new coverage.
ADÉ existing-rule review full Reviews existing detection rules before generating new detection coverage.
ADÉ private beta access full Docs state ADÉ is in private beta for Enterprise users.
ADÉ continuous adaptation messaging full Blog positions ADÉ as autonomously and continuously adapting detection coverage.
ADÉ evaluation framework full Blog describes evaluating ADÉ across detection accuracy, robustness, and economic cost.

API

Retrieve ASA report for message full Retrieves an ASA report for a message.
Retrieve image of PDF attachment by md5 hash full Retrieves an image of a PDF attachment by its MD5 hash.
Evaluate attack score against existing message full Evaluates Attack Score against an existing message.
Retrieve image of message full Retrieves an image rendering of a message.
Retrieve raw EML full Retrieves the raw EML of a message.
Retrieve temporary link to message image full Retrieves a temporary link to the image of a message.
Set access justification full Sets an access-justification reason for sensitive content access.
Retrieve message's MDM full Retrieves the normalized Message Data Model for a message.
Restore previously trashed message full Restores a previously trashed message.
Trash message full Trashes a single message.
List rules full Lists detection rules.
Create rule full Creates a new detection rule.
List rule history full Lists rule history across rules.
Validate rule full Validates a detection rule before activation.
Delete rule full Deletes a rule.
Retrieve rule full Retrieves a single rule.
Update rule full Updates a rule.
Activate rule full Activates a rule.
Deactivate rule full Deactivates a rule.
Retrieve history of a rule full Gets history for a specific rule.
List SCIM resource types full Lists SCIM resource types.
Get SCIM resource type full Retrieves a SCIM resource type.

Actions

Actions framework full Configurable actions that fire when rules flag messages or when admins apply actions manually.
Webhook action full Sends flagged-message notifications to external URLs and systems.
Email alert action full Sends plaintext email alerts for flagged message groups.
Slack alert action full Sends alert notifications into Slack.
Trash action full Moves or labels messages as trash depending on mail platform.
Quarantine action full Makes messages inaccessible to end users and removes risk of interaction.
Warning banner action full Inserts warning banners into flagged messages.
Move to Spam action full Moves or labels messages as spam.
Auto-review action full Automatically reviews and classifies highly effective rule matches.
Auto-respond to abuse mailbox reporters full Automatically responds to users who report messages through the abuse mailbox.
Track link clicks full Tracks clicks on suspicious links as an action capability.
Microsoft Teams alert (planned) full Documented as a coming-soon action type.
Auto-restore (planned) full Documented as a coming-soon action type.

Administration

Single Sign-On (SSO) full Docs include SSO configuration for platform access management.
Multi-Tenancy Management full Docs navigation includes multi-tenancy management as a feature area.

Administration / API

Audit log full Platform API includes audit-log event listing and retrieval.

Administration / Integrations

Managed instance IP documentation full Webhook docs publish managed platform instance IPs for allowlisting.

Attack Score

Attack Score ML verdicting full Machine-learning feature that helps teams prioritize potential threats.
Attack Score on flagged messages full Runs after a detection rule flags a message.
Attack Score on user reports full Runs after a user report is received via the abuse mailbox.
Manual Attack Score invocation full Can be triggered manually via the EML Analyzer or APIs.
Verdict: malicious full Attack Score can return a malicious verdict.
Verdict: spam full Attack Score can return a spam verdict.
Verdict: graymail full Attack Score can return a graymail verdict.
Verdict: suspicious full Attack Score can return a suspicious verdict.
Verdict: unknown full Attack Score can return an unknown verdict.
Verdict: likely_benign full Attack Score can return a likely benign verdict.
Explainable signals full Provides verdicts with corresponding signals to explain the result.
Headers as model input full Uses header-derived signals as part of scoring.
Attachment metadata as model input full Uses attachment-metadata signals as part of scoring.
Link analysis as model input full Uses link-analysis signals as part of scoring.
Sender behavior as model input full Uses sender-behavior signals as part of scoring.
Content understanding as model input full Uses content-understanding signals as part of scoring.
Authentication checks as model input full Uses authentication check outcomes as part of scoring.
Sender behavior profiles enrichment full Leverages sender behavior profiles as enrichment.
Natural Language Understanding enrichment full Leverages NLU as enrichment in scoring.
Computer vision enrichment full Leverages computer vision signals as enrichment.
WHOIS enrichment full Leverages WHOIS-based enrichment.
Domain reputation enrichment full Leverages domain-reputation enrichment.
Attachment analysis enrichment full Leverages attachment-analysis enrichment.
Privacy-preserving binary features full Blog says Attack Score uses binary features stripped of PII to preserve privacy.
XGBoost inference engine full Blog says the primary inference engine uses XGBoost.
Local model inference full Blog states model inference occurs locally instead of shipping data to a cloud-based model.
Decision-path explanations full Captures model-decision signals and turns them into explainable natural-language reasoning.

Auto-review

Auto-review classification: Malicious full Auto-review can mark message groups with the malicious classification.
Auto-review classification: Benign full Auto-review can mark message groups with the benign classification.
Auto-review classification: Graymail full Auto-review can mark message groups with the graymail classification.
Auto-review classification: Spam full Auto-review can mark message groups with the spam classification.
Auto-review classification: Simulation full Auto-review can mark message groups with the simulation classification.
Auto-reviewed triage suppression full Auto-reviewed messages do not appear in the default triage view.
Auto-reviewed view full Analysts can view all auto-reviewed messages under Flagged > Auto-Reviewed.
Auto-review classification hierarchy full When multiple classifications apply, Sublime uses a published hierarchy to resolve them.
Auto-review hierarchy order full Published classification precedence: Simulation > Benign > Malicious > Spam > Graymail.

Automations

Auto-quarantine by Malicious Attack Score full Automatically quarantines flagged messages with a malicious Attack Score verdict.
Campaign auto-quarantine by multiple rule flags full Quarantines campaigns when multiple detection rules flag them.
Campaign auto-quarantine by user-report volume full Quarantines entire campaigns after enough user reports are observed.
VIP-report alerting full Triggers an email alert whenever a VIP user reports a message.
VIP-targeted warning banners full Applies warning banners to flagged messages when recipients are VIPs.
Flagged-message trigger full Automations can trigger when detection rules flag a message.
User-report trigger full Automations can trigger when a user reports a message.
Passive mode full Runs automation logic and alerting without remediative actions like quarantine or trash.
Core Feed automation sharing full Sublime shares recommended automations in the Core Feed.
Inactive-by-default core automations full Core automations are inactive by default until the customer enables them.
Default actions in core automations full Core automations come with default actions preconfigured.
Active mode full Enables recommended automations to apply full coverage and response.

Behavioral Threat Hunting

Historical sender context full Tracks historical sender data to inform decisions on future messages from that organization.
Infrastructure-signal hunting full Surfaces threats through hop patterns, SPF/DMARC failures, and suspicious sending hosts.
Hunts ↔ Rules conversion full Allows analysts to convert a hunt into a detection rule and vice versa in a few clicks.
Hunt-and-remediate from one screen full Lets analysts hunt threats and remediate malicious email directly from results.
Deep hunting primitives full Supports hunting with deep primitives, flexible logic, and investigation-oriented signals.
AI-powered functions for hunting full Includes machine-learning-driven functions inside hunting logic.
External enrichments in hunt full Includes link analysis, WHOIS, domain age, logo detection, and other enrichments in hunts.
Behavior/TTP hunting full Supports hunting novel attacks using known behaviors and TTPs.
Contextualized sender data full Incorporates previous verdicts, time-known, and solicited-contact context into hunts.

Deployment

Self-managed deployment option full Docs distinguish between Sublime Cloud and self-managed Sublime instances.
Sublime Cloud deployment option full Public docs cover a SaaS/cloud-hosted deployment path.

Deployment / Observability

Metrics collection for self-hosted deployments full Docs include metrics collection guidance for self-hosted deployments.

Detection Engineering / MQL

Rules engine core full At its core the platform ingests messages, evaluates them with MQL, and triggers actions.
Message Query Language (MQL) full Purpose-built query language powering rules, insights, hunts, and automations.
Detection rules on live email flow full Detection rules run on live email flow to identify phishing, DLP, and policy issues.
Open-source detection-rule ecosystem full Public open-source rules are available in Sublime’s GitHub rules repository.
MQL Playground full Provides an environment to create and share detection rules.
Message Data Model (MDM) full Normalized message data model used in rules, hunts, and API responses.
Syntax reference full Documents MQL syntax for writing rules and hunts.
Missing/null handling full Documents how MQL handles missing and null values.
Common snippets full Provides common query snippets for detection engineering.

Detection Engineering / MQL Guides

How to use message header values in a rule full Public how-to guide for common email-detection use cases.
How to detect manual outbound forwards full Public how-to guide for common email-detection use cases.
How to detect text in attachments full Public how-to guide for common email-detection use cases.
How to detect lookalike domains full Public how-to guide for common email-detection use cases.
How to detect keywords or phrases in message bodies full Public how-to guide for common email-detection use cases.

Detection Engineering / Rule Coverage

Executive impersonation full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
Brand impersonation full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
Vendor impersonation full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
Sextortion full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
Homoglyph and lookalike domains full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
Gift card scams full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
Bitcoin scams full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
Free file hosting services full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
Free subdomains full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
Spoofed messages full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
URL shorteners full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
Suspicious Office 365 app authorization requests full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.
COVID-19 scams full Example phishing attack category or technique publicly called out as detectable by MQL detection rules.

Email Alert Action

SMTP-configured email alerts full Email alerts use admin-supplied SMTP credentials and server settings.
Defanged links in email alerts full Any links in the email-alert body are defanged.
Email alert with EML attached full Provides an alert format that includes the EML sample.
Cross-platform push notifications by email full Email alerts are positioned as a cross-platform push mechanism.

Enrichment / ML

file.parse_text full Parses file attachments and returns decoded text for detection logic.
ml.link_analysis full Analyzes links and classifies them as benign or suspicious.
Headless-browser link resolution full LinkAnalysis can open suspicious links in a headless browser to resolve effective URLs.
Link screenshot capture full LinkAnalysis collects page screenshots during analysis.
Brand-logo detection in pages full Computer vision detects brand logos on analyzed landing pages.
Button and input-form detection full Link analysis looks for buttons and login-input forms.
Logo-to-protected-brand comparison full Detected logos are compared with protected brand logos commonly used in phishing.
Aggressive link-analysis mode full Aggressive mode performs extra processing, including click-tracker destination resolution.
Link-analysis exclusion lists full Admins can exclude domains/root domains from Link Analysis.
ml.macro_classifier full Analyzes Office/VBA macro attachments for maliciousness and confidence.
VBA keyword analysis full Macro classifier uses VBA keywords as one signal source.
File metadata analysis full Macro classifier uses file metadata as one signal source.
Oletools-backed analysis full Macro classifier uses oletools output in its analysis chain.
ml.nlu_classifier full Analyzes text content with NLU for intents, entities, and topics.
Email Classification full NLU can classify phishing-related email intent.
Named Entity Recognition full NLU can extract entities like urgency and request language.
Topic Recognition full NLU can classify email content into supported topics.
OCR-text analysis support full NLU can analyze OCR-extracted attachment text in detections.
HTML parsing full Docs show HTML parsing utilities usable in detections.
JSON traversal in MQL full MQL syntax supports traversing JSON structures in rules.

Integrations

Elastic integration full Lets teams ingest Sublime data into Elastic and monitor their Sublime instance.
Elastic dashboard visualizations full Sublime visualizations can be added to existing Elastic dashboards.
Elastic alerting on Sublime data full Sublime data in Elastic can be used to build alerts like other security data.
Panther integration full Integrates with Panther SIEM for centralized threat detection using Sublime telemetry.
Panther out-of-the-box detections full Blog mentions bundled Panther detections for alerts and configuration changes.

Integrations / SIEM

Context-rich email and audit logs full Panther integration exposes context-rich email and audit data.

Lists

Custom lists full Supports custom lists for detection engineering and policy logic.
Lists API full Supports automating creation and updates of custom lists via API.
org_vips list full Supports a list of VIP users for policy and automation logic.
Link Analysis exclusion lists full Supports exclusions for Link Analysis to avoid clicking allowed domains.
free_subdomain_hosts list full Built-in list of free subdomain hosts often abused by attackers.
majestic_million list full Built-in Majestic Million domain list.
suspicious_tlds list full Built-in list of suspicious or commonly abused TLDs.
tranco_1m list full Built-in Tranco Top 1 Million domain list.
umbrella_1m list full Built-in Cisco Umbrella Top 1 Million domain list.
umbrella_1m_tld list full Built-in TLD list derived from the Umbrella top domains.
url_shorteners list full Built-in list of known URL shorteners.

ML / NLU

Topic Modeling beta full Topic Modeling is presented as an ML-powered topic-detection function for predefined categories.
BERT-based content understanding full Blog describes BERT LLM enhancements to contextual email understanding.
NLU 3.0 full Blog describes an upgraded NLU engine for nuanced AI-generated email attacks.

MQL Regex Functions

regex.match full Matches an entire string against one or more regular expressions.
regex.imatch full Case-insensitive full-string regex match.
RE2 regex engine full Regex functions use RE2/Golang regular expression syntax.
regex tester guidance full Docs link to an RE2 regex tester for building expressions.

MQL String Functions

strings.concat full Concatenates multiple strings into one value.
strings.contains full Checks for a case-sensitive substring inside a string.
strings.icontains full Checks for a case-insensitive substring inside a string.
strings.count full Counts case-sensitive occurrences of a substring.
strings.icount full Counts case-insensitive occurrences of a substring.
strings.decode_base64 full Decodes base64-encoded strings in text content for detection use cases.
strings.ends_with full Checks for a case-sensitive suffix match.
strings.iends_with full Checks for a case-insensitive suffix match.

Message Groups

Automatic message grouping full Automatically groups similar messages to reduce alert fatigue.
Campaign-level grouping full If 100 users receive the same email, analysts see one grouped item instead of 100.
Three-day idle expiry for groups full Message groups expire after 3 idle days by default.
canonical_id group identifier full Every message group has a canonical_id that identifies the group.
Subtle-variation grouping full Grouping can include messages that are similar but not byte-for-byte identical.
One-click related-message access full Related messages are accessible from a panel for faster manual reviews.
Campaign-wide herd immunity full When one message in a campaign is reported, related messages can be remediated across mailboxes.
Alert-noise reduction via grouping full Enhanced grouping reduces webhooks, tickets, email alerts, and Slack alerts.
Wider-net false-negative reduction full Grouping uses slight attacker variations as similarities to widen campaign detection.

Message Types

Inbound message type full Classifies messages as inbound.
Outbound message type full Classifies messages as outbound.
Internal message type full Classifies messages as internal.
Outbound and Internal message type full Classifies messages sent to both internal and external recipients.
Inline protection mode for inbound messages full Docs include inbound inline-protection mode in the message-types navigation path.

Migration

Proofpoint migration guide full Docs provide a migration guide for Proofpoint customers.
Mimecast migration guide full Docs provide a migration guide for Mimecast customers.

NLU / Email Classification

NLU intent: bec full Detects urgent quick-task language often associated with executive, HR, or finance impersonation.
NLU intent: callback_scam full Detects renewal/purchase or support-scam style callback language.
NLU intent: cred_theft full Detects language pushing victims to phishing portals for credential capture.
NLU intent: extortion full Detects intimidation or blackmail-oriented text.
NLU intent: steal_pii full Detects requests for billing, tax, or personally identifying information.
NLU intent: job_scam full Detects deceptive job-offer scams and related fraud language.
NLU financial tag: invoice full Detects invoice-oriented phishing language.
NLU financial tag: payment full Detects ACH, EFT, and wire-payment language.
NLU financial tag: purchase_order full Detects RFQ and purchase-order language.
NLU entity: urgency full Recognizes urgency language in text.
NLU entity: request full Recognizes language asking recipients to act.
NLU entity: salutation full Recognizes closing/signoff language.
NLU entity: sender full Recognizes sender identities or generic sender designators.

NLU / Topic Recognition

NLU topic: Financial Communications full Publicly documented supported NLU topic for classifying email content.
NLU topic: Legal and Compliance full Publicly documented supported NLU topic for classifying email content.
NLU topic: Customer Service and Support full Publicly documented supported NLU topic for classifying email content.
NLU topic: Professional and Career Development full Publicly documented supported NLU topic for classifying email content.
NLU topic: E-Signature full Publicly documented supported NLU topic for classifying email content.
NLU topic: B2B Cold Outreach full Publicly documented supported NLU topic for classifying email content.
NLU topic: Benefit Enrollment full Publicly documented supported NLU topic for classifying email content.
NLU topic: Security and Authentication full Publicly documented supported NLU topic for classifying email content.
NLU topic: Software and App Updates full Publicly documented supported NLU topic for classifying email content.
NLU topic: File Sharing and Cloud Services full Publicly documented supported NLU topic for classifying email content.
NLU topic: Secure Message full Publicly documented supported NLU topic for classifying email content.
NLU topic: Voicemail Call and Missed Call Notifications full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: Out of Office and Automatic Replies full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: Bounce Back and Delivery Failure Notifications full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: Political Mail full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: Charity and Non-Profit full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: News and Current Events full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: Government Services full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: Health and Wellness full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: Educational and Research full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: Entertainment and Sports full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: Social Media and Networking full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: Romance full Publicly documented or example topic surfaced in NLU topic-recognition docs.
NLU topic: Sexually Explicit Messages full Publicly documented or example topic surfaced in NLU topic-recognition docs.

Quarantine

Quarantine retention behavior on Microsoft 365 full Docs note Microsoft 365 restore behavior and retention implications for quarantined mail.
Google Workspace quarantine restore by admins full Docs state quarantined Google Workspace messages can still be restored by Sublime admins.

Quarantine / ICS Phishing

Calendar-event removal during remediation full When messages are remediated, corresponding malicious calendar events can also be deleted.

Reporting & Analytics

Attack Insights dashboard full Overview dashboard redesigned as Attack Insights for attack-volume and TTP visibility.
Attack volume analytics full Attack Insights includes attack-volume visibility.
Attack type analytics full Attack Insights includes attack-type breakdowns.
TTP analytics full Attack Insights includes TTP-oriented views.
Detection analytics full Attack Insights includes detection-level visibility.
Top attacker domains full Attack Insights surfaces top attacker domains.
Top attacker sender addresses full Attack Insights surfaces top attacker sender addresses.
Clickable drill-down analytics full Tables and charts can launch filtered views for deeper analysis.
Spam analytics full Includes analytics for spam.
Graymail analytics full Includes analytics for graymail.
Email bomb analytics full Includes analytics for email-bomb activity.
Remediation Pipeline visualization full Interactive visualization shows how unwanted messages were remediated and how much was automatic.
User Reports Overview full Dashboard shows user-report volume, classification, and remediation analytics.
Top reporters full User Reports Overview surfaces the top employee reporters.
Top automations handling reports full User Reports Overview highlights automations most involved in user-report handling.
Full API access to reporting data full Blog states customers can pull reporting data into their own tools and workflows.

Security

Security and deployment transparency page full Security page describes deployment model and data/deployment choices.

Sublime Security Platform

Programmable AI-powered cloud email security platform full Cloud-native email security platform built for Microsoft 365 and Google Workspace, with IMAP and direct API ingestion support.
Microsoft 365 protection full Protects Microsoft 365 email environments through API-based integration.
Google Workspace protection full Protects Google Workspace environments with cloud-email analysis and remediation workflows.
IMAP ingestion support full Supports IMAP as a message source for ingesting mail into the platform.
Direct API ingestion full Supports API-based direct ingestion of email messages for analysis and enforcement.
Inbound email security full Detects and blocks inbound phishing, BEC, malware, and other email-borne threats.
Threat hunting full Lets analysts hunt across historical and live email data for campaigns and attacker patterns.
Auto-triage of user reports full Automates analysis and handling of user-reported phishing and suspicious mail.
API-first architecture full Designed to integrate with existing security stacks via APIs and telemetry export.
No MX change deployment full Deploys via Microsoft 365 and Google Workspace APIs without rerouting mail or changing MX.
Free email analyzer full Provides a free analyzer for scanning and analyzing suspicious email samples.
Actionable threat insights full Provides explainable insights into suspicious messages and likely attack techniques.
Suspicious-link preview full Allows analysts to preview and inspect suspicious links for phishing identification.
Search and respond workflow full Supports search and response against suspicious messages from a single workflow.
Security-health monitoring full Provides overview dashboards and visibility into email security posture.
Business Email Compromise (BEC) full Dedicated protection for BEC and socially engineered fraud.
Callback phishing full Detects callback scams and fake renewal/support lures.
Credential phishing full Detects and blocks credential-harvesting emails and links.
Email bomb protection full Identifies and handles mail-bomb style attacks and spikes.
ICS phishing full Detects malicious calendar-invite attacks and supports calendar-event cleanup.
Malware & ransomware full Covers attachment- and link-borne malware/ransomware delivery attempts.
QR code phishing full Detects QR-code-based phishing techniques embedded in mail and documents.
Abuse mailbox automation full Automates user-report ingestion and handling from abuse/reporting mailboxes.
Attack surface reduction full Supports policy logic to reduce risky mail patterns and exposure.
Attack trends insights full Surfaces trends and insights around attacks, volumes, and TTPs.
Behavioral threat hunting full Supports hunting by attacker behavior, infrastructure, and TTPs.
Data Loss Prevention (DLP) full Supports policy detection of sensitive data movement across email flows.
Detection engineering & custom policies full Lets teams author custom MQL detections and policies.
Incident response full Supports remediation and investigation of email incidents.
M-SOAR full Provides workflow integration and automation hooks for orchestrated response.
Threat intelligence operationalization full Lets teams turn intel feeds and TTPs into rules and hunts.

Threat Detection

Google Cloud Application Integration abuse detection full Blog details detection of authenticated phish sent via Google Cloud Application Integration.
Computer vision for QR-code attacks full Research report says QR-code attacks require computer vision to detect codes in documents.
Mobile URL-security tie-in for QR phish full Research report emphasizes mobile-device URL risk in QR phishing scenarios.

Threat Hunting

LOTS hunting full Blog describes threat hunting for Living off Trusted Services style campaigns.

Threat Intelligence Operationalization

Custom threat feed integration full Allows organizations to supplement built-in threat intelligence with their own sources.
Real-time prevention from intel full Lets teams create detection rules to block inbound threats using threat intelligence.
Retroactive intel hunts full Supports hunting over historical data to see whether a known campaign targeted the environment.
IOC-based detection full Supports IOC-driven detection using MQL.
Behavioral intel detection full Supports detection and hunting using attacker behavior instead of simple IOCs.
Threat-feed management full Lets teams add feeds and manage organization-specific detections from the platform.
Email Threat Framework full Provides a framework to explore detection coverage, attack TTPs, and detection methods.
Coverage exploration by attack type full Helps analysts explore detection coverage organized by attack category.

Trash Action

Move to Recoverable Items on Microsoft 365 full For Microsoft 365, trashed messages are moved to Recoverable Items.
Apply Trash label on Google Workspace full For Google Workspace, trash action adds the Trash label.

Webhook Action

Webhook custom headers full Supports custom HTTP headers when sending webhooks.
Webhook payload customization full Lets admins include Attack Score info and MDM properties in webhook payloads.
Webhook POST notifications full Sends HTTP POST requests for flagged-message events.
SIEM analytics via webhooks full Can send flagged-message events to a SIEM for analytics and correlation.
SOAR-trigger workflows full Can send events to SOAR platforms to trigger DFIR workflows.
AWS Lambda triggering full Can trigger AWS Lambda functions from webhook events.
First-message-per-group workflows full Can be used to trigger workflows only for the first message in a message group.
All-message event streaming full Supports sending all message events for broader statistics collection.

Webhook Action / Integration

Tines webhook integration full Documented workflow for integrating Sublime webhooks with Tines stories.

Related Email Security Vendors

Vendor Directory
Lookup Tools
Analysis
Bulk & Enterprise
Resources
Close