Sublime Security
What is it?
Sublime Security is an email security platform built on a programmable detection engine. Instead of a black box ML model shared across every customer, Sublime deploys a detection engine per customer environment. All detections are written in a detection language that draws on signals including computer vision, NLU, file and URL analysis, and sender profiling. Every detection is readable and editable. The platform covers inbound, outbound, and internal email, and includes AI agents that automate abuse mailbox triage and generate coverage for novel threats.
Sublime deploys as a cloud SaaS, single-tenant SaaS, in your own cloud (AWS, Azure, GovCloud, or Docker), or as a mail transfer agent (MTA) for inline filtering. The core product is free and covers the detection engine, API-based protection, threat hunting, and community detections. The paid enterprise tier adds AI agents, automated remediation, inline mail filtering, warning banners, SIEM/SOAR integrations, reporting, and multi-tenancy. Email DLP is available as a separate add-on.
How does detection work in practice?
Every detection is written in Sublime’s detection language and stored transparently. When a message arrives, the engine evaluates it against active detections. Those detections can reference signals from Sublime’s analysis pipeline (NLU for BEC intent and tone analysis, computer vision for brand logo detection, file analysis for recursive payload extraction) and combine them with contextual signals like sender reputation profiles, header anomalies, domain age, and sender history.
The detection format is open. Sublime publishes community detections on GitHub, and customers can subscribe to third-party detection feeds. This is modelled on the Suricata/Sigma/Snort community approach applied to email.
How does Sublime handle BEC?
BEC attacks manipulate trust rather than exploit vulnerabilities: impersonation, urgency, and hijacked threads that blend into legitimate conversations. That makes language analysis and behavioural context critical. Sublime runs a locally-resident LLM (no data is shared with third-party model providers) that classifies message intent, tone, and urgency. That output is combined with sender behaviour profiles: has this sender communicated with this recipient before? Who initiated first contact? Does the display name resemble a known contact? Do the headers match the expected sending infrastructure?
Detections can scope to specific user groups. A common deployment pattern is applying stricter BEC detection to finance teams and executives while using lighter detections for lower-risk groups.
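The two preceding paragraphs describe a combination of sender-profile signals (first contact, display-name lookalike of a known contact, header mismatch), language cues, and per-group thresholds. The following is an added example written for this page in plain Python; it is not Sublime's detection language or any code from Sublime Security. The contact directory, sender history, sample messages, signal weights and group thresholds are all constructed for illustration.

```python
"""Illustrative BEC-style heuristics over parsed message headers (added example)."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display names of known contacts and the address they normally use.
KNOWN_CONTACTS = {
    "Dana Patel": "dana.patel@example-corp.test",
}

# Constructed sender history: (sender address, recipient address) pairs seen before.
SENDER_HISTORY = {
    ("dana.patel@example-corp.test", "ap@example-corp.test"),
}

# Hypothetical per-group thresholds: finance is held to a stricter bar than the default group.
THRESHOLDS = {"finance": 3, "default": 5}


@dataclass
class Verdict:
    signals: list = field(default_factory=list)
    score: int = 0


def name_similarity(a: str, b: str) -> float:
    """Case-insensitive similarity ratio between two display names (0.0 to 1.0)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def evaluate(raw_message: str) -> Verdict:
    """Score one RFC 822 message against the sender-profile and language signals."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    v = Verdict()

    # Signal 1: first contact between this sender and this recipient.
    if (from_addr.lower(), to_addr.lower()) not in SENDER_HISTORY:
        v.signals.append("first_contact")
        v.score += 1

    # Signal 2: display name closely resembles a known contact, but the address differs.
    for known_name, known_addr in KNOWN_CONTACTS.items():
        if name_similarity(display_name, known_name) >= 0.85 and from_addr.lower() != known_addr:
            v.signals.append("display_name_lookalike")
            v.score += 2
            break

    # Signal 3: Reply-To redirects the thread to a different domain than From.
    if reply_to and reply_to.split("@")[-1].lower() != from_addr.split("@")[-1].lower():
        v.signals.append("reply_to_domain_mismatch")
        v.score += 2

    # Signal 4: crude keyword stand-in for the intent/urgency classification the text attributes to NLU.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(k in text for k in ("urgent", "wire", "bank details", "before end of day")):
        v.signals.append("urgency_language")
        v.score += 1

    return v


def should_flag(v: Verdict, recipient_group: str) -> bool:
    """Apply the group-scoped threshold: stricter for finance, lighter elsewhere."""
    return v.score >= THRESHOLDS.get(recipient_group, THRESHOLDS["default"])


# Constructed sample 1: lookalike display name from an unfamiliar domain with a redirected Reply-To.
SAMPLE_LOOKALIKE = """From: Dana Patel <dana.patel@example-corp-billing.test>
To: ap@example-corp.test
Reply-To: dana.patel@mail-relay.test
Subject: Urgent: updated bank details for invoice 1042

Please process the wire before end of day using the new account.
"""

# Constructed sample 2: unknown vendor, no lookalike, but Reply-To mismatch plus urgency wording.
SAMPLE_NEW_VENDOR = """From: Vendor Billing <billing@new-vendor.test>
To: ap@example-corp.test
Reply-To: billing@other-relay.test
Subject: Urgent: outstanding invoice

Kindly remit payment today.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", SAMPLE_LOOKALIKE), ("new vendor", SAMPLE_NEW_VENDOR)):
        verdict = evaluate(sample)
        print(label, verdict.score, verdict.signals,
              "finance:", should_flag(verdict, "finance"),
              "default:", should_flag(verdict, "default"))
```

The second sample is the point of the group scoping: with a score of 4 it clears the finance threshold but not the default one, so the same detection fires for accounts payable and stays quiet for lower-risk recipients.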
How does phishing remediation work?
For API-based deployments, Sublime can quarantine messages, move them to junk or trash, insert warning banners, rewrite links, and remove messages post-delivery. The MTA deployment mode analyses messages before delivery, eliminating the window between delivery and analysis entirely.
Sublime also ingests user-reported phishing from any source: Microsoft’s report button, Gmail’s report button, third-party tools, or an abuse mailbox. It retrieves the original message with headers intact and runs triage detections over it. When users report messages in the same campaign (Sublime groups related messages automatically), auto-remediation can pull matching messages from all affected inboxes.
Does it automate beyond detection?
The enterprise tier includes two AI agents. ASA (Autonomous Security Analyst) handles abuse mailbox triage. It analyses user-reported and system-flagged emails, investigates them, and in autonomous mode remediates and classifies them without human intervention, escalating only uncertain verdicts to analysts. ADE (Autonomous Detection Engineer) generates new detections in response to novel threats, backtests them against historical data, and deploys them. This closes the gap between a new attack appearing and coverage existing for it, without requiring someone to write and tune detections by hand.
What about outbound and internal email?
Sublime applies the same detection engine to outbound and internal messages. The primary use case is email DLP: detecting sensitive data leaving the organisation via email. Detections can match on content patterns, attachment types, recipient domains, and other behaviour using the same detection primitives as inbound threat detection.
What does it not do?
Sublime is email security. It does not cover endpoint, network, or cloud workload detection. It is designed to work alongside EDR and browser security as part of a defence-in-depth stack.
Risky Business appearances
- Risky Biz Soap Box: Why black box email security is dead (Nov 2024)
- Sponsored: Sublime Security on the spam/email bomb problem
- Sponsored: Sublime Security on trends and the rise of SVG abuse
- Sponsored: Sublime Security on generative AI attacks in the wild
- Sponsored: Sublime Security on attack surface reduction for email
- Snake Oilers: Sublime Security, VulnCheck and Devicie (Sep 2023)
Sources
- Soap Box: Why black box email security is dead, primary interview
- Snake Oilers: Sublime Security, VulnCheck and Devicie, product pitch
- sublime.security
Sublime Security is a recurring Risky Business sponsor.