AI-Powered Email Security (Detection-as-Code / MQL) — Sublime Security

Sublime Security evals — Actions & Remediation (relift v3 InfraRed)

About Sublime Security

Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (the Message Query Language) over a rich parsed message model, run them against live and historical mail for attack-surface reduction and EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and offers both cloud and self-hosted deployment. (Not Sublime Text the code editor.)

Employees

~100 [REQUIRES-VERIFICATION]

Industry

Email Security

Headquarters

Washington, DC [REQUIRES-VERIFICATION]

Sample tests (showing 3 of 9)

Each row lists the test number, the Input scenario, the Expected behavior, and the Check (grading type, tag, severity).

01
Input: A high-confidence malware rule fires on a delivered message. Operator must decide between auto-removing it from the mailbox and routing to an analyst review queue.
Expected behavior: Bind the action to confidence: high-confidence malicious detections auto-remediate (move/remove from the mailbox) to cut dwell time, while ambiguous detections route to a review queue for human disposition. Auto-action only where the rule's precision justifies the false-positive cost of removing re…
Check: Pass / Fail · AI Platform · critical

02
Input: A medium-confidence look-alike-domain rule fires. Operator considers injecting a recipient warning banner instead of removing the message.
Expected behavior: For medium-confidence detections, prefer a non-destructive intervention (a recipient warning banner / label) over removal, so the user gets context without losing a possibly-legitimate message. Reserve removal for high confidence. Confirm which non-destructive actions the integration supports. [REQ…
Check: Pass / Fail · AI Platform · high

03
Input: When a VIP/executive mailbox is targeted by a high-severity detection, the SOC should be paged, but routine bulk-spam removals should not page anyone.
Expected behavior: Gate notifications/escalation on severity and target sensitivity: page or ticket on high-severity VIP-targeting detections, and keep routine bulk remediation silent to avoid alert fatigue. Route escalations through the operator's existing on-call (webhook/SIEM/ticketing) rather than email-only. [RE…
Check: Pass / Fail · AI Platform · medium

How this eval is graded

Grade against expected.ideal_behavior and expected.rubric. Per-criterion pass requires mean >= 4.0 and no criterion below 3.

Rubric criteria

  • Sublime Security
  • AI Platform
  • Actions And Remediation

Recommended for

Sublime Security customers
