Sublime Security
About Sublime Security
Sublime Security is a next-generation email security platform that leverages autonomous AI agents to detect and respond to advanced threats in real-time. The company empowers security teams with tailored detections, explainable alerts, and automation to prevent, detect, and respond to threats faster and with confidence. Its platform is trusted by leading security teams worldwide. Founded in 2020, Sublime Security is headquartered in the United States.
Why Notable
Top 12 email security (Sublime blog 2026)
Sector Coverage
Feature Coverage
AI Agents
| ASA: Autonomous Security Analyst | full | AI analyst that fully automates triage and remediation of user-reported emails. |
|---|---|---|
| ASA around-the-clock triage | full | Blog positions ASA as autonomously triaging user reports around the clock. |
| ASA technical architecture | full | Technical architecture blog explains how ASA performs analyst-like email-investigation tasks. |
| ADÉ: Autonomous Detection Engineer | full | AI detection generator that analyzes missed or evolving attacks and automatically creates detection rules. |
| ADÉ missed-attack analysis | full | Analyzes missed attacks in the customer environment to propose new coverage. |
| ADÉ existing-rule review | full | Reviews existing detection rules before generating new detection coverage. |
| ADÉ private beta access | full | Docs state ADÉ is in private beta for Enterprise users. |
| ADÉ continuous adaptation messaging | full | Blog positions ADÉ as autonomously and continuously adapting detection coverage. |
| ADÉ evaluation framework | full | Blog describes evaluating ADÉ across detection accuracy, robustness, and economic cost. |
API
| Retrieve ASA report for message | full | Retrieves an ASA report for a message. |
|---|---|---|
| Retrieve image of PDF attachment by md5 hash | full | Retrieves an image of a PDF attachment by its MD5 hash. |
| Evaluate attack score against existing message | full | Evaluates Attack Score against an existing message. |
| Retrieve image of message | full | Retrieves an image rendering of a message. |
| Retrieve raw EML | full | Retrieves the raw EML of a message. |
| Retrieve temporary link to message image | full | Retrieves a temporary link to the image of a message. |
| Set access justification | full | Sets an access-justification reason for sensitive content access. |
| Retrieve message's MDM | full | Retrieves the normalized Message Data Model for a message. |
| Restore previously trashed message | full | Restores a previously trashed message. |
| Trash message | full | Trashes a single message. |
| List rules | full | Lists detection rules. |
| Create rule | full | Creates a new detection rule. |
| List rule history | full | Lists rule history across rules. |
| Validate rule | full | Validates a detection rule before activation. |
| Delete rule | full | Deletes a rule. |
| Retrieve rule | full | Retrieves a single rule. |
| Update rule | full | Updates a rule. |
| Activate rule | full | Activates a rule. |
| Deactivate rule | full | Deactivates a rule. |
| Retrieve history of a rule | full | Gets history for a specific rule. |
| List SCIM resource types | full | Lists SCIM resource types. |
| Get SCIM resource type | full | Retrieves a SCIM resource type. |
Actions
| Actions framework | full | Configurable actions that fire when rules flag messages or when admins apply actions manually. |
|---|---|---|
| Webhook action | full | Sends flagged-message notifications to external URLs and systems. |
| Email alert action | full | Sends plaintext email alerts for flagged message groups. |
| Slack alert action | full | Sends alert notifications into Slack. |
| Trash action | full | Moves or labels messages as trash depending on mail platform. |
| Quarantine action | full | Makes messages inaccessible to end users and removes risk of interaction. |
| Warning banner action | full | Inserts warning banners into flagged messages. |
| Move to Spam action | full | Moves or labels messages as spam. |
| Auto-review action | full | Automatically reviews and classifies highly effective rule matches. |
| Auto-respond to abuse mailbox reporters | full | Automatically responds to users who report messages through the abuse mailbox. |
| Track link clicks | full | Tracks clicks on suspicious links as an action capability. |
| Microsoft Teams alert (planned) | full | Documented as a coming-soon action type. |
| Auto-restore (planned) | full | Documented as a coming-soon action type. |
Administration
| Single Sign-On (SSO) | full | Docs include SSO configuration for platform access management. |
|---|---|---|
| Multi-Tenancy Management | full | Docs navigation includes multi-tenancy management as a feature area. |
Administration / API
| Audit log | full | Platform API includes audit-log event listing and retrieval. |
|---|
Administration / Integrations
| Managed instance IP documentation | full | Webhook docs publish managed platform instance IPs for allowlisting. |
|---|
Attack Score
| Attack Score ML verdicting | full | Machine-learning feature that helps teams prioritize potential threats. |
|---|---|---|
| Attack Score on flagged messages | full | Runs after a detection rule flags a message. |
| Attack Score on user reports | full | Runs after a user report is received via the abuse mailbox. |
| Manual Attack Score invocation | full | Can be triggered manually via the EML Analyzer or APIs. |
| Verdict: malicious | full | Attack Score can return a malicious verdict. |
| Verdict: spam | full | Attack Score can return a spam verdict. |
| Verdict: graymail | full | Attack Score can return a graymail verdict. |
| Verdict: suspicious | full | Attack Score can return a suspicious verdict. |
| Verdict: unknown | full | Attack Score can return an unknown verdict. |
| Verdict: likely_benign | full | Attack Score can return a likely benign verdict. |
| Explainable signals | full | Provides verdicts with corresponding signals to explain the result. |
| Headers as model input | full | Uses header-derived signals as part of scoring. |
| Attachment metadata as model input | full | Uses attachment-metadata signals as part of scoring. |
| Link analysis as model input | full | Uses link-analysis signals as part of scoring. |
| Sender behavior as model input | full | Uses sender-behavior signals as part of scoring. |
| Content understanding as model input | full | Uses content-understanding signals as part of scoring. |
| Authentication checks as model input | full | Uses authentication check outcomes as part of scoring. |
| Sender behavior profiles enrichment | full | Leverages sender behavior profiles as enrichment. |
| Natural Language Understanding enrichment | full | Leverages NLU as enrichment in scoring. |
| Computer vision enrichment | full | Leverages computer vision signals as enrichment. |
| WHOIS enrichment | full | Leverages WHOIS-based enrichment. |
| Domain reputation enrichment | full | Leverages domain-reputation enrichment. |
| Attachment analysis enrichment | full | Leverages attachment-analysis enrichment. |
| Privacy-preserving binary features | full | Blog says Attack Score uses binary features stripped of PII to preserve privacy. |
| XGBoost inference engine | full | Blog says the primary inference engine uses XGBoost. |
| Local model inference | full | Blog states model inference occurs locally instead of shipping data to a cloud-based model. |
| Decision-path explanations | full | Captures model-decision signals and turns them into explainable natural-language reasoning. |
Auto-review
| Auto-review classification: Malicious | full | Auto-review can mark message groups with the malicious classification. |
|---|---|---|
| Auto-review classification: Benign | full | Auto-review can mark message groups with the benign classification. |
| Auto-review classification: Graymail | full | Auto-review can mark message groups with the graymail classification. |
| Auto-review classification: Spam | full | Auto-review can mark message groups with the spam classification. |
| Auto-review classification: Simulation | full | Auto-review can mark message groups with the simulation classification. |
| Auto-reviewed triage suppression | full | Auto-reviewed messages do not appear in the default triage view. |
| Auto-reviewed view | full | Analysts can view all auto-reviewed messages under Flagged > Auto-Reviewed. |
| Auto-review classification hierarchy | full | When multiple classifications apply, Sublime uses a published hierarchy to resolve them. |
| Auto-review hierarchy order | full | Published classification precedence: Simulation > Benign > Malicious > Spam > Graymail. |
Automations
| Auto-quarantine by Malicious Attack Score | full | Automatically quarantines flagged messages with a malicious Attack Score verdict. |
|---|---|---|
| Campaign auto-quarantine by multiple rule flags | full | Quarantines campaigns when multiple detection rules flag them. |
| Campaign auto-quarantine by user-report volume | full | Quarantines entire campaigns after enough user reports are observed. |
| VIP-report alerting | full | Triggers an email alert whenever a VIP user reports a message. |
| VIP-targeted warning banners | full | Applies warning banners to flagged messages when recipients are VIPs. |
| Flagged-message trigger | full | Automations can trigger when detection rules flag a message. |
| User-report trigger | full | Automations can trigger when a user reports a message. |
| Passive mode | full | Runs automation logic and alerting without remediative actions like quarantine or trash. |
| Core Feed automation sharing | full | Sublime shares recommended automations in the Core Feed. |
| Inactive-by-default core automations | full | Core automations are inactive by default until the customer enables them. |
| Default actions in core automations | full | Core automations come with default actions preconfigured. |
| Active mode | full | Enables recommended automations to apply full coverage and response. |
Behavioral Threat Hunting
| Historical sender context | full | Tracks historical sender data to inform decisions on future messages from that organization. |
|---|---|---|
| Infrastructure-signal hunting | full | Surfaces threats through hop patterns, SPF/DMARC failures, and suspicious sending hosts. |
| Hunts ↔ Rules conversion | full | Allows analysts to convert a hunt into a detection rule and vice versa in a few clicks. |
| Hunt-and-remediate from one screen | full | Lets analysts hunt threats and remediate malicious email directly from results. |
| Deep hunting primitives | full | Supports hunting with deep primitives, flexible logic, and investigation-oriented signals. |
| AI-powered functions for hunting | full | Includes machine-learning-driven functions inside hunting logic. |
| External enrichments in hunt | full | Includes link analysis, WHOIS, domain age, logo detection, and other enrichments in hunts. |
| Behavior/TTP hunting | full | Supports hunting novel attacks using known behaviors and TTPs. |
| Contextualized sender data | full | Incorporates previous verdicts, time-known, and solicited-contact context into hunts. |
Deployment
| Self-managed deployment option | full | Docs distinguish between Sublime Cloud and self-managed Sublime instances. |
|---|---|---|
| Sublime Cloud deployment option | full | Public docs cover a SaaS/cloud-hosted deployment path. |
Deployment / Observability
| Metrics collection for self-hosted deployments | full | Docs include metrics collection guidance for self-hosted deployments. |
|---|
Detection Engineering / MQL
| Rules engine core | full | At its core the platform ingests messages, evaluates them with MQL, and triggers actions. |
|---|---|---|
| Message Query Language (MQL) | full | Purpose-built query language powering rules, insights, hunts, and automations. |
| Detection rules on live email flow | full | Detection rules run on live email flow to identify phishing, DLP, and policy issues. |
| Open-source detection-rule ecosystem | full | Public open-source rules are available in Sublime’s GitHub rules repository. |
| MQL Playground | full | Provides an environment to create and share detection rules. |
| Message Data Model (MDM) | full | Normalized message data model used in rules, hunts, and API responses. |
| Syntax reference | full | Documents MQL syntax for writing rules and hunts. |
| Missing/null handling | full | Documents how MQL handles missing and null values. |
| Common snippets | full | Provides common query snippets for detection engineering. |
Detection Engineering / MQL Guides
| How to use message header values in a rule | full | Public how-to guide for common email-detection use cases. |
|---|---|---|
| How to detect manual outbound forwards | full | Public how-to guide for common email-detection use cases. |
| How to detect text in attachments | full | Public how-to guide for common email-detection use cases. |
| How to detect lookalike domains | full | Public how-to guide for common email-detection use cases. |
| How to detect keywords or phrases in message bodies | full | Public how-to guide for common email-detection use cases. |
Detection Engineering / Rule Coverage
| Executive impersonation | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
|---|---|---|
| Brand impersonation | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
| Vendor impersonation | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
| Sextortion | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
| Homoglyph and lookalike domains | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
| Gift card scams | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
| Bitcoin scams | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
| Free file hosting services | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
| Free subdomains | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
| Spoofed messages | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
| URL shorteners | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
| Suspicious Office 365 app authorization requests | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
| COVID-19 scams | full | Example phishing attack category or technique publicly called out as detectable by MQL detection rules. |
Email Alert Action
| SMTP-configured email alerts | full | Email alerts use admin-supplied SMTP credentials and server settings. |
|---|---|---|
| Defanged links in email alerts | full | Any links in the email-alert body are defanged. |
| Email alert with EML attached | full | Provides an alert format that includes the EML sample. |
| Cross-platform push notifications by email | full | Email alerts are positioned as a cross-platform push mechanism. |
Enrichment / ML
| file.parse_text | full | Parses file attachments and returns decoded text for detection logic. |
|---|---|---|
| ml.link_analysis | full | Analyzes links and classifies them as benign or suspicious. |
| Headless-browser link resolution | full | LinkAnalysis can open suspicious links in a headless browser to resolve effective URLs. |
| Link screenshot capture | full | LinkAnalysis collects page screenshots during analysis. |
| Brand-logo detection in pages | full | Computer vision detects brand logos on analyzed landing pages. |
| Button and input-form detection | full | Link analysis looks for buttons and login-input forms. |
| Logo-to-protected-brand comparison | full | Detected logos are compared with protected brand logos commonly used in phishing. |
| Aggressive link-analysis mode | full | Aggressive mode performs extra processing, including click-tracker destination resolution. |
| Link-analysis exclusion lists | full | Admins can exclude domains/root domains from Link Analysis. |
| ml.macro_classifier | full | Analyzes Office/VBA macro attachments for maliciousness and confidence. |
| VBA keyword analysis | full | Macro classifier uses VBA keywords as one signal source. |
| File metadata analysis | full | Macro classifier uses file metadata as one signal source. |
| Oletools-backed analysis | full | Macro classifier uses oletools output in its analysis chain. |
| ml.nlu_classifier | full | Analyzes text content with NLU for intents, entities, and topics. |
| Email Classification | full | NLU can classify phishing-related email intent. |
| Named Entity Recognition | full | NLU can extract entities like urgency and request language. |
| Topic Recognition | full | NLU can classify email content into supported topics. |
| OCR-text analysis support | full | NLU can analyze OCR-extracted attachment text in detections. |
| HTML parsing | full | Docs show HTML parsing utilities usable in detections. |
| JSON traversal in MQL | full | MQL syntax supports traversing JSON structures in rules. |
Integrations
| Elastic integration | full | Lets teams ingest Sublime data into Elastic and monitor their Sublime instance. |
|---|---|---|
| Elastic dashboard visualizations | full | Sublime visualizations can be added to existing Elastic dashboards. |
| Elastic alerting on Sublime data | full | Sublime data in Elastic can be used to build alerts like other security data. |
| Panther integration | full | Integrates with Panther SIEM for centralized threat detection using Sublime telemetry. |
| Panther out-of-the-box detections | full | Blog mentions bundled Panther detections for alerts and configuration changes. |
Integrations / SIEM
| Context-rich email and audit logs | full | Panther integration exposes context-rich email and audit data. |
|---|
Lists
| Custom lists | full | Supports custom lists for detection engineering and policy logic. |
|---|---|---|
| Lists API | full | Supports automating creation and updates of custom lists via API. |
| org_vips list | full | Supports a list of VIP users for policy and automation logic. |
| Link Analysis exclusion lists | full | Supports exclusions for Link Analysis to avoid clicking allowed domains. |
| free_subdomain_hosts list | full | Built-in list of free subdomain hosts often abused by attackers. |
| majestic_million list | full | Built-in Majestic Million domain list. |
| suspicious_tlds list | full | Built-in list of suspicious or commonly abused TLDs. |
| tranco_1m list | full | Built-in Tranco Top 1 Million domain list. |
| umbrella_1m list | full | Built-in Cisco Umbrella Top 1 Million domain list. |
| umbrella_1m_tld list | full | Built-in TLD list derived from the Umbrella top domains. |
| url_shorteners list | full | Built-in list of known URL shorteners. |
ML / NLU
| Topic Modeling beta | full | Topic Modeling is presented as an ML-powered topic-detection function for predefined categories. |
|---|---|---|
| BERT-based content understanding | full | Blog describes BERT LLM enhancements to contextual email understanding. |
| NLU 3.0 | full | Blog describes an upgraded NLU engine for nuanced AI-generated email attacks. |
MQL Regex Functions
| regex.match | full | Matches an entire string against one or more regular expressions. |
|---|---|---|
| regex.imatch | full | Case-insensitive full-string regex match. |
| RE2 regex engine | full | Regex functions use RE2/Golang regular expression syntax. |
| regex tester guidance | full | Docs link to an RE2 regex tester for building expressions. |
MQL String Functions
| strings.concat | full | Concatenates multiple strings into one value. |
|---|---|---|
| strings.contains | full | Checks for a case-sensitive substring inside a string. |
| strings.icontains | full | Checks for a case-insensitive substring inside a string. |
| strings.count | full | Counts case-sensitive occurrences of a substring. |
| strings.icount | full | Counts case-insensitive occurrences of a substring. |
| strings.decode_base64 | full | Decodes base64-encoded strings in text content for detection use cases. |
| strings.ends_with | full | Checks for a case-sensitive suffix match. |
| strings.iends_with | full | Checks for a case-insensitive suffix match. |
Message Groups
| Automatic message grouping | full | Automatically groups similar messages to reduce alert fatigue. |
|---|---|---|
| Campaign-level grouping | full | If 100 users receive the same email, analysts see one grouped item instead of 100. |
| Three-day idle expiry for groups | full | Message groups expire after 3 idle days by default. |
| canonical_id group identifier | full | Every message group has a canonical_id that identifies the group. |
| Subtle-variation grouping | full | Grouping can include messages that are similar but not byte-for-byte identical. |
| One-click related-message access | full | Related messages are accessible from a panel for faster manual reviews. |
| Campaign-wide herd immunity | full | When one message in a campaign is reported, related messages can be remediated across mailboxes. |
| Alert-noise reduction via grouping | full | Enhanced grouping reduces webhooks, tickets, email alerts, and Slack alerts. |
| Wider-net false-negative reduction | full | Grouping uses slight attacker variations as similarities to widen campaign detection. |
Message Types
| Inbound message type | full | Classifies messages as inbound. |
|---|---|---|
| Outbound message type | full | Classifies messages as outbound. |
| Internal message type | full | Classifies messages as internal. |
| Outbound and Internal message type | full | Classifies messages sent to both internal and external recipients. |
| Inline protection mode for inbound messages | full | Docs include inbound inline-protection mode in the message-types navigation path. |
Migration
| Proofpoint migration guide | full | Docs provide a migration guide for Proofpoint customers. |
|---|---|---|
| Mimecast migration guide | full | Docs provide a migration guide for Mimecast customers. |
NLU / Email Classification
| NLU intent: bec | full | Detects urgent quick-task language often associated with executive, HR, or finance impersonation. |
|---|---|---|
| NLU intent: callback_scam | full | Detects renewal/purchase or support-scam style callback language. |
| NLU intent: cred_theft | full | Detects language pushing victims to phishing portals for credential capture. |
| NLU intent: extortion | full | Detects intimidation or blackmail-oriented text. |
| NLU intent: steal_pii | full | Detects requests for billing, tax, or personally identifying information. |
| NLU intent: job_scam | full | Detects deceptive job-offer scams and related fraud language. |
| NLU financial tag: invoice | full | Detects invoice-oriented phishing language. |
| NLU financial tag: payment | full | Detects ACH, EFT, and wire-payment language. |
| NLU financial tag: purchase_order | full | Detects RFQ and purchase-order language. |
| NLU entity: urgency | full | Recognizes urgency language in text. |
| NLU entity: request | full | Recognizes language asking recipients to act. |
| NLU entity: salutation | full | Recognizes closing/signoff language. |
| NLU entity: sender | full | Recognizes sender identities or generic sender designators. |
NLU / Topic Recognition
| NLU topic: Financial Communications | full | Publicly documented supported NLU topic for classifying email content. |
|---|---|---|
| NLU topic: Legal and Compliance | full | Publicly documented supported NLU topic for classifying email content. |
| NLU topic: Customer Service and Support | full | Publicly documented supported NLU topic for classifying email content. |
| NLU topic: Professional and Career Development | full | Publicly documented supported NLU topic for classifying email content. |
| NLU topic: E-Signature | full | Publicly documented supported NLU topic for classifying email content. |
| NLU topic: B2B Cold Outreach | full | Publicly documented supported NLU topic for classifying email content. |
| NLU topic: Benefit Enrollment | full | Publicly documented supported NLU topic for classifying email content. |
| NLU topic: Security and Authentication | full | Publicly documented supported NLU topic for classifying email content. |
| NLU topic: Software and App Updates | full | Publicly documented supported NLU topic for classifying email content. |
| NLU topic: File Sharing and Cloud Services | full | Publicly documented supported NLU topic for classifying email content. |
| NLU topic: Secure Message | full | Publicly documented supported NLU topic for classifying email content. |
| NLU topic: Voicemail Call and Missed Call Notifications | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: Out of Office and Automatic Replies | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: Bounce Back and Delivery Failure Notifications | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: Political Mail | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: Charity and Non-Profit | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: News and Current Events | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: Government Services | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: Health and Wellness | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: Educational and Research | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: Entertainment and Sports | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: Social Media and Networking | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: Romance | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
| NLU topic: Sexually Explicit Messages | full | Publicly documented or example topic surfaced in NLU topic-recognition docs. |
Quarantine
| Quarantine retention behavior on Microsoft 365 | full | Docs note Microsoft 365 restore behavior and retention implications for quarantined mail. |
|---|---|---|
| Google Workspace quarantine restore by admins | full | Docs state quarantined Google Workspace messages can still be restored by Sublime admins. |
Quarantine / ICS Phishing
| Calendar-event removal during remediation | full | When messages are remediated, corresponding malicious calendar events can also be deleted. |
|---|
Reporting & Analytics
| Attack Insights dashboard | full | Overview dashboard redesigned as Attack Insights for attack-volume and TTP visibility. |
|---|---|---|
| Attack volume analytics | full | Attack Insights includes attack-volume visibility. |
| Attack type analytics | full | Attack Insights includes attack-type breakdowns. |
| TTP analytics | full | Attack Insights includes TTP-oriented views. |
| Detection analytics | full | Attack Insights includes detection-level visibility. |
| Top attacker domains | full | Attack Insights surfaces top attacker domains. |
| Top attacker sender addresses | full | Attack Insights surfaces top attacker sender addresses. |
| Clickable drill-down analytics | full | Tables and charts can launch filtered views for deeper analysis. |
| Spam analytics | full | Includes analytics for spam. |
| Graymail analytics | full | Includes analytics for graymail. |
| Email bomb analytics | full | Includes analytics for email-bomb activity. |
| Remediation Pipeline visualization | full | Interactive visualization shows how unwanted messages were remediated and how much was automatic. |
| User Reports Overview | full | Dashboard shows user-report volume, classification, and remediation analytics. |
| Top reporters | full | User Reports Overview surfaces the top employee reporters. |
| Top automations handling reports | full | User Reports Overview highlights automations most involved in user-report handling. |
| Full API access to reporting data | full | Blog states customers can pull reporting data into their own tools and workflows. |
Security
| Security and deployment transparency page | full | Security page describes deployment model and data/deployment choices. |
|---|
Sublime Security Platform
| Programmable AI-powered cloud email security platform | full | Cloud-native email security platform built for Microsoft 365 and Google Workspace, with IMAP and direct API ingestion support. |
|---|---|---|
| Microsoft 365 protection | full | Protects Microsoft 365 email environments through API-based integration. |
| Google Workspace protection | full | Protects Google Workspace environments with cloud-email analysis and remediation workflows. |
| IMAP ingestion support | full | Supports IMAP as a message source for ingesting mail into the platform. |
| Direct API ingestion | full | Supports API-based direct ingestion of email messages for analysis and enforcement. |
| Inbound email security | full | Detects and blocks inbound phishing, BEC, malware, and other email-borne threats. |
| Threat hunting | full | Lets analysts hunt across historical and live email data for campaigns and attacker patterns. |
| Auto-triage of user reports | full | Automates analysis and handling of user-reported phishing and suspicious mail. |
| API-first architecture | full | Designed to integrate with existing security stacks via APIs and telemetry export. |
| No MX change deployment | full | Deploys via Microsoft 365 and Google Workspace APIs without rerouting mail or changing MX. |
| Free email analyzer | full | Provides a free analyzer for scanning and analyzing suspicious email samples. |
| Actionable threat insights | full | Provides explainable insights into suspicious messages and likely attack techniques. |
| Suspicious-link preview | full | Allows analysts to preview and inspect suspicious links for phishing identification. |
| Search and respond workflow | full | Supports search and response against suspicious messages from a single workflow. |
| Security-health monitoring | full | Provides overview dashboards and visibility into email security posture. |
| Business Email Compromise (BEC) | full | Dedicated protection for BEC and socially engineered fraud. |
| Callback phishing | full | Detects callback scams and fake renewal/support lures. |
| Credential phishing | full | Detects and blocks credential-harvesting emails and links. |
| Email bomb protection | full | Identifies and handles mail-bomb style attacks and spikes. |
| ICS phishing | full | Detects malicious calendar-invite attacks and supports calendar-event cleanup. |
| Malware & ransomware | full | Covers attachment- and link-borne malware/ransomware delivery attempts. |
| QR code phishing | full | Detects QR-code-based phishing techniques embedded in mail and documents. |
| Abuse mailbox automation | full | Automates user-report ingestion and handling from abuse/reporting mailboxes. |
| Attack surface reduction | full | Supports policy logic to reduce risky mail patterns and exposure. |
| Attack trends insights | full | Surfaces trends and insights around attacks, volumes, and TTPs. |
| Behavioral threat hunting | full | Supports hunting by attacker behavior, infrastructure, and TTPs. |
| Data Loss Prevention (DLP) | full | Supports policy detection of sensitive data movement across email flows. |
| Detection engineering & custom policies | full | Lets teams author custom MQL detections and policies. |
| Incident response | full | Supports remediation and investigation of email incidents. |
| M-SOAR | full | Provides workflow integration and automation hooks for orchestrated response. |
| Threat intelligence operationalization | full | Lets teams turn intel feeds and TTPs into rules and hunts. |
Threat Detection
| Google Cloud Application Integration abuse detection | full | Blog details detection of authenticated phish sent via Google Cloud Application Integration. |
|---|---|---|
| Computer vision for QR-code attacks | full | Research report says QR-code attacks require computer vision to detect codes in documents. |
| Mobile URL-security tie-in for QR phish | full | Research report emphasizes mobile-device URL risk in QR phishing scenarios. |
Threat Hunting
| LOTS hunting | full | Blog describes threat hunting for Living off Trusted Services style campaigns. |
|---|
Threat Intelligence Operationalization
| Custom threat feed integration | full | Allows organizations to supplement built-in threat intelligence with their own sources. |
|---|---|---|
| Real-time prevention from intel | full | Lets teams create detection rules to block inbound threats using threat intelligence. |
| Retroactive intel hunts | full | Supports hunting over historical data to see whether a known campaign targeted the environment. |
| IOC-based detection | full | Supports IOC-driven detection using MQL. |
| Behavioral intel detection | full | Supports detection and hunting using attacker behavior instead of simple IOCs. |
| Threat-feed management | full | Lets teams add feeds and manage organization-specific detections from the platform. |
| Email Threat Framework | full | Provides a framework to explore detection coverage, attack TTPs, and detection methods. |
| Coverage exploration by attack type | full | Helps analysts explore detection coverage organized by attack category. |
Trash Action
| Move to Recoverable Items on Microsoft 365 | full | For Microsoft 365, trashed messages are moved to Recoverable Items. |
|---|---|---|
| Apply Trash label on Google Workspace | full | For Google Workspace, trash action adds the Trash label. |
Webhook Action
| Webhook custom headers | full | Supports custom HTTP headers when sending webhooks. |
|---|---|---|
| Webhook payload customization | full | Lets admins include Attack Score info and MDM properties in webhook payloads. |
| Webhook POST notifications | full | Sends HTTP POST requests for flagged-message events. |
| SIEM analytics via webhooks | full | Can send flagged-message events to a SIEM for analytics and correlation. |
| SOAR-trigger workflows | full | Can send events to SOAR platforms to trigger DFIR workflows. |
| AWS Lambda triggering | full | Can trigger AWS Lambda functions from webhook events. |
| First-message-per-group workflows | full | Can be used to trigger workflows only for the first message in a message group. |
| All-message event streaming | full | Supports sending all message events for broader statistics collection. |
Webhook Action / Integration
| Tines webhook integration | full | Documented workflow for integrating Sublime webhooks with Tines stories. |
|---|