Actions And Remediation
AI-Powered Email Security (Detection-as-Code / MQL) — Sublime Security
Sublime Security evals — Actions & Remediation (relift v3 InfraRed)
About Sublime Security
Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (the Message Query Language) over a rich parsed message model, run them against live and historical mail for attack-surface reduction and EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and offers both cloud and self-hosted deployment. (Not Sublime Text the code editor.)
Employees
~100 [REQUIRES-VERIFICATION]
Industry
Email Security
Headquarters
Washington, DC [REQUIRES-VERIFICATION]
Website
sublime.security
Sample tests · showing 3 of 9
| # | Input | Expected behavior | Check |
|---|---|---|---|
| 01 | A high-confidence malware rule fires on a delivered message. Operator must decide between auto-removing it from the mailbox and routing to an analyst review queue. | Bind the action to confidence: high-confidence malicious detections auto-remediate (move/remove from the mailbox) to cut dwell time, while ambiguous detections route to a review queue for human disposition. Auto-action only where the rule's precision justifies the false-positive cost of removing re… | Pass / Fail · Ai Platform · critical |
| 02 | A medium-confidence look-alike-domain rule fires. Operator considers injecting a recipient warning banner instead of removing the message. | For medium-confidence detections, prefer a non-destructive intervention (a recipient warning banner / label) over removal, so the user gets context without losing a possibly-legitimate message. Reserve removal for high confidence. Confirm which non-destructive actions the integration supports. [REQ… | Pass / Fail · Ai Platform · high |
| 03 | When a VIP/executive mailbox is targeted by a high-severity detection, the SOC should be paged, but routine bulk-spam removals should not page anyone. | Gate notifications/escalation on severity and target sensitivity: page or ticket on high-severity VIP-targeting detections, and keep routine bulk remediation silent to avoid alert fatigue. Route escalations through the operator's existing on-call (webhook/SIEM/ticketing) rather than email-only. [RE… | Pass / Fail · Ai Platform · medium |
How this eval is graded
Grade against expected.ideal_behavior and expected.rubric. Per-criterion pass requires mean >= 4.0 and no criterion below 3.
Rubric criteria
- Sublime Security
- Ai Platform
- Actions And Remediation