For the Sublime Security AI Platform

Attack Surface Reduction And Hunting


AI-Powered Email Security (Detection-as-Code / MQL) — Sublime Security

Sublime Security evals — Attack-Surface Reduction & Hunting (relift v3 InfraRed)

About Sublime Security

Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (Message Query Language) over a rich parsed message model, run them against live and historical mail for attack-surface reduction and EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and is offered as both a cloud and a self-hosted deployment. (Not to be confused with Sublime Text, the code editor.)

Employees

~100 [REQUIRES-VERIFICATION]

Industry

Email Security

Headquarters

Washington, DC [REQUIRES-VERIFICATION]

Sample tests (showing 3 of 9)

Columns: # · Input · Expected behavior · Check

01
Input: After IOC disclosure (a sender domain + a subject pattern), an analyst runs an ad-hoc MQL query across stored historical messages to find prior delivery of the same campaign.
Expected behavior: Express the hunt as an MQL query over the message store, scoped to a time window, combining the IOC domain with a structural signal so the hunt is precise. Export matches for remediation rather than eyeballing. Treat the hunt query as reusable; promote a high-value one to a standing rule. [REQUIRE…
Check: Pass / Fail · AI Platform · high

02
Input: A single confirmed phishing detection reveals a sending IP and a payload URL host. The analyst wants to find every related message across the org.
Expected behavior: Pivot on the strong, attacker-costly indicators (sending infrastructure, payload host, distinctive headers) rather than the easily changed ones (display name, subject). Run the pivot as a hunt and feed confirmed clusters into a remediation batch. Capture the pivot as a saved query for the next wave.
Check: Pass / Fail · AI Platform · medium

03
Input: Leadership asks "how much credential phishing targeting finance did we see this quarter, and what got through?" The analyst needs an aggregate, not per-message triage.
Expected behavior: Use Sublime's aggregate insights/reporting over the detection corpus, grouped by attack type, recipient population and outcome (detected vs delivered vs remediated), to answer exposure questions. Distinguish "detected" from "remediated" from "delivered un-actioned"; they are different risk stat…
Check: Pass / Fail · AI Platform · medium
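The three behaviours above (a time-scoped hunt that pairs the IOC domain with a structural signal, a pivot on attacker-costly indicators, and an exposure aggregate that keeps detected, remediated and delivered apart) are shown together below on a small constructed message store. This is an added example written for this page, not Sublime Security's code and not MQL: it runs offline in Python over hand-made records shaped loosely like a parsed message (sender domain, sending IP, link hosts, recipient group, outcome), and every domain, IP, name and outcome in it is made up. For orientation only, the first hunt's predicate in MQL would look roughly like `type.inbound and sender.email.domain.root_domain == "acme-invoices.example" and regex.icontains(subject.subject, "^Invoice \\d+ overdue") and any(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)`, with the time window applied by the hunt's date range rather than in the query; treat that sketch as illustrative and check it against the current MQL reference.

```python
"""Hunt, pivot and aggregate over a constructed message store.

Added example, not Sublime Security's code. Models the three expected
behaviours on a constructed corpus; all values are invented for illustration.
"""
import re
from collections import Counter
from datetime import datetime


def _m(id, ts, sender_domain, sending_ip, display_name, subject, link_hosts, group, attack_type, outcome):
    # Outcome vocabulary assumed here: "detected" (flagged before delivery),
    # "remediated" (reached a mailbox, later pulled), "delivered" (no action).
    return dict(id=id, ts=ts, sender_domain=sender_domain, sending_ip=sending_ip,
                display_name=display_name, subject=subject, link_hosts=link_hosts,
                recipient_group=group, attack_type=attack_type, outcome=outcome)


MESSAGES = [  # constructed corpus
    _m("m1", "2024-04-02T09:00", "acme-invoices.example", "203.0.113.7", "Accounts Payable",
       "Invoice 4471 overdue", ["pay.acme-secure.example"], "finance", "credential_phishing", "delivered"),
    _m("m2", "2024-04-03T11:30", "acme-invoices.example", "203.0.113.7", "Billing Team",
       "Invoice 4472 overdue", ["pay.acme-secure.example"], "finance", "credential_phishing", "detected"),
    # Wave two: sender domain and display name rotated; sending IP and payload host kept.
    _m("m3", "2024-04-10T08:15", "billing-notices.example", "203.0.113.7", "Accounts Payable",
       "Payment reminder", ["pay.acme-secure.example"], "finance", "credential_phishing", "remediated"),
    # Benign mail from the IOC domain: subject matches, but links point at the sender's own domain.
    _m("m4", "2024-04-05T14:00", "acme-invoices.example", "198.51.100.4", "Acme Invoicing",
       "Invoice 4480 overdue", ["acme-invoices.example"], "finance", None, "delivered"),
    # Same campaign, earlier wave, outside the hunt window.
    _m("m5", "2023-12-20T10:00", "acme-invoices.example", "203.0.113.7", "Accounts Payable",
       "Invoice 4101 overdue", ["pay.acme-secure.example"], "finance", "credential_phishing", "delivered"),
    # Unrelated credential phish against a different population.
    _m("m6", "2024-04-15T16:45", "okta-verify.example", "192.0.2.9", "IT Support",
       "Action required: MFA reset", ["login-okta.example"], "engineering", "credential_phishing", "delivered"),
    # BEC with no links; shares only the display name with m1.
    _m("m7", "2024-04-18T07:50", "freemail.example", "192.0.2.55", "Accounts Payable",
       "Quick favour", [], "finance", "bec", "delivered"),
]


def _in_window(msg, start, end):
    """Half-open window [start, end) on the message timestamp."""
    ts = datetime.fromisoformat(msg["ts"])
    return datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end)


def has_offdomain_link(msg):
    """Structural signal: at least one link whose host is not under the sender domain."""
    sd = msg["sender_domain"]
    return any(not (h == sd or h.endswith("." + sd)) for h in msg["link_hosts"])


def hunt(messages, ioc_domain, subject_pattern, start, end):
    """Test 01: IOC domain + subject pattern + structural signal, inside a time window."""
    pat = re.compile(subject_pattern, re.IGNORECASE)
    return sorted(m["id"] for m in messages
                  if _in_window(m, start, end)
                  and m["sender_domain"] == ioc_domain
                  and pat.search(m["subject"])
                  and has_offdomain_link(m))


STRONG = ("sending_ip", "link_hosts")   # attacker-costly: infrastructure and payload host
WEAK = ("display_name", "subject")      # free to change per message


def pivot(messages, seed_id, fields=STRONG):
    """Test 02: every other message sharing any value of `fields` with the seed (no time scope)."""
    seed = next(m for m in messages if m["id"] == seed_id)

    def values(m, f):
        v = m[f]
        return set(v) if isinstance(v, list) else {v}

    return sorted(m["id"] for m in messages
                  if m["id"] != seed_id
                  and any(values(m, f) & values(seed, f) for f in fields))


def exposure_report(messages, attack_type, recipient_group, start, end):
    """Test 03: outcome counts for one attack type and recipient population in a window."""
    counts = Counter(m["outcome"] for m in messages
                     if _in_window(m, start, end)
                     and m["attack_type"] == attack_type
                     and m["recipient_group"] == recipient_group)
    report = {k: counts.get(k, 0) for k in ("detected", "remediated", "delivered")}
    # Assumption: a remediated message sat in a mailbox before it was pulled,
    # so it counts toward exposure alongside un-actioned deliveries.
    report["reached_mailbox"] = report["remediated"] + report["delivered"]
    return report


if __name__ == "__main__":
    print(hunt(MESSAGES, "acme-invoices.example", r"^Invoice \d+ overdue", "2024-04-01", "2024-05-01"))
    print(pivot(MESSAGES, "m1"), pivot(MESSAGES, "m1", WEAK))
    print(exposure_report(MESSAGES, "credential_phishing", "finance", "2024-04-01", "2024-07-01"))
```

The structural signal is what keeps the hunt precise: m4 comes from the IOC domain and matches the subject pattern but its only link points back at the sender's own domain, so it is not returned. The strong-indicator pivot from m1 pulls in m3 (domain rotated, infrastructure kept) and the earlier wave m5, while the weak pivot on display name and subject misses m2 and drags in the unrelated BEC m7. The report separates the three outcomes rather than collapsing them into one "seen" number.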

How this eval is graded

Each test is graded against expected.ideal_behavior and expected.rubric. A test passes when the mean score across the rubric criteria is >= 4.0 and no single criterion scores below 3.

Rubric criteria

  • Sublime Security
  • AI Platform
  • Attack Surface Reduction And Hunting

Recommended for

Sublime Security customers
