Attack Surface Reduction And Hunting
Sublime Security evals — Attack-Surface Reduction & Hunting
About Sublime Security
Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (the Message Query Language) over a rich parsed message model, run them against live and historical mail for attack-surface reduction and EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and offers both cloud and self-hosted deployment. (Not Sublime Text the code editor.)
Employees
~100 [REQUIRES-VERIFICATION]
Industry
Email Security
Headquarters
Washington, DC [REQUIRES-VERIFICATION]
Website
sublime.security
Sample tests (showing 3 of 9)
| # | Input | Expected behavior | Check | Rubric | Priority |
|---|---|---|---|---|---|
| 01 | After IOC disclosure (a sender domain + a subject pattern), an analyst runs an ad-hoc MQL query across stored historical messages to find prior delivery of the same campaign. | Express the hunt as an MQL query over the message store, scoped to a time window, combining the IOC domain with a structural signal so the hunt is precise. Export matches for remediation rather than eyeballing. Treat the hunt query as reusable — promote a high-value one to a standing rule. [REQUIRE… | Pass / Fail | Ai Platform | high |
| 02 | A single confirmed phishing detection reveals a sending IP and a payload URL host. The analyst wants to find every related message across the org. | Pivot on the strong, attacker-costly indicators (sending infrastructure, payload host, distinctive headers) rather than the easily changed ones (display name, subject). Run the pivot as a hunt and feed confirmed clusters into a remediation batch. Capture the pivot as a saved query for the next wave. | Pass / Fail | Ai Platform | medium |
| 03 | Leadership asks "how much credential-phishing targeting finance did we see this quarter, and what got through?" The analyst needs an aggregate, not per-message triage. | Use Sublime's aggregate insights/reporting over the detection corpus, grouped by attack type, recipient population and outcome (detected vs delivered vs remediated), to answer exposure questions. Distinguish 'detected' from 'remediated' from 'delivered un-actioned' — they are different risk stat… | Pass / Fail | Ai Platform | medium |
How this eval is graded
Grade against expected.ideal_behavior and expected.rubric. A pass requires a mean score of at least 4.0 across criteria, with no single criterion scoring below 3.
Rubric criteria
- Sublime Security
- Ai Platform
- Attack Surface Reduction And Hunting