Detonation Enrichment And Ml Signals
Sublime Security evals — Detonation, Enrichment & ML Signals (relift v3 InfraRed)
About Sublime Security
Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (Message Query Language) over a rich parsed message model, run them against live and historical mail (for attack-surface reduction and EML analysis), and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and can be deployed in the cloud or self-hosted. (Not Sublime Text, the code editor.)
Employees: ~100 [REQUIRES-VERIFICATION]
Industry: Email Security
Headquarters: Washington, DC [REQUIRES-VERIFICATION]
Website: sublime.security

Sample tests (showing 3 of 9)
| # | Input | Expected behavior | Check | Tag | Severity |
|---|---|---|---|---|---|
| 01 | Operator references a link-detonation / sandbox verdict in a rule to catch credential-harvesting pages behind benign-looking URLs. | Read the documented detonation verdict field and treat it as one signal among several: a clean verdict is not proof of safety (cloaking, geofencing and time-bombed redirects evade sandboxes), while a malicious verdict is high-value. Combine with sender/auth context. Account for verdicts that arrive asy… | Pass / Fail | Ai Platform | high |
| 02 | Operator references a domain-age / sender-reputation enrichment to weight a first-contact message, treating a brand-new domain as a strong risk factor. | Use reputation/age enrichment as a risk weight, not a verdict: a newly registered domain combined with financial language and a first-time external sender is high risk, but a new domain alone false-positives on legitimate new vendors. Combine enrichments rather than thresholding on one. [REQUIRES-VERIFI… | Pass / Fail | Ai Platform | medium |
| 03 | An attachment is a macro-enabled document that only detonates its payload when opened on a domain-joined host. The sandbox sees benign behavior. | Combine the file-detonation verdict with static/structural signals (macro presence, suspicious auto-exec, sender risk) so an evasion-aware payload that sandboxes clean is still caught by corroborating signals. Do not treat a clean sandbox run as exoneration for a structurally suspicious file from a… | Pass / Fail | Ai Platform | high |
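The three rows above all test the same discipline: detonation and enrichment outputs are weighted signals, not verdicts, a clean sandbox run never subtracts risk, single enrichments do not trigger on their own, and a still-pending detonation must not decay into an implicit allow. The scorer below is an added illustration of that logic in plain Python; it is not Sublime's code, not MQL, and the field names, weights, thresholds and sample messages are constructed assumptions chosen so each sample row lands where the expected behavior says it should.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed signal bundle standing in for what a rule would read from a parsed
# message plus its enrichments. Field names are assumptions for this example,
# not Sublime's message model or MQL.
@dataclass
class Signals:
    link_verdict: Optional[str] = None     # "malicious", "benign", "pending", or None if no links
    file_verdict: Optional[str] = None     # same vocabulary, for attachments
    domain_age_days: Optional[int] = None  # sender domain registration age; None if unknown
    first_time_sender: bool = False        # no prior mail from this sender to the org
    financial_language: bool = False       # invoice / wire / payment wording in the body
    auth_pass: bool = True                 # SPF/DKIM aligned with DMARC
    macro_present: bool = False
    macro_auto_exec: bool = False          # AutoOpen / Document_Open style triggers
    macro_env_check: bool = False          # macro inspects domain membership or sandbox markers

@dataclass
class Decision:
    score: int
    verdict: str                           # "block", "review", "allow", or "defer"
    reasons: List[str] = field(default_factory=list)

# Assumed weights and thresholds; tune against your own mail before relying on them.
BLOCK_AT = 60
REVIEW_AT = 35
NEW_DOMAIN_DAYS = 30

def score_message(s: Signals) -> Decision:
    score = 0
    reasons: List[str] = []
    pending = False

    # 1. Detonation verdicts: malicious is high-value; benign adds nothing and never
    #    subtracts, because cloaking, geofencing and time-bombed redirects make a
    #    clean run weak evidence of safety.
    for name, verdict in (("link", s.link_verdict), ("file", s.file_verdict)):
        if verdict == "malicious":
            score += 60
            reasons.append(f"{name} detonation verdict malicious")
        elif verdict == "pending":
            pending = True

    # 2. Reputation/age enrichment as a weight, with an interaction term so a new
    #    domain only becomes high risk alongside corroborating context.
    new_domain = s.domain_age_days is not None and s.domain_age_days < NEW_DOMAIN_DAYS
    if new_domain:
        score += 20
        reasons.append(f"sender domain registered {s.domain_age_days} days ago")
    if s.first_time_sender:
        score += 5
        reasons.append("first-time external sender")
    if s.financial_language:
        score += 10
        reasons.append("financial language")
    if new_domain and s.first_time_sender and s.financial_language:
        score += 20
        reasons.append("new domain + first contact + financial request")
    if not s.auth_pass:
        score += 15
        reasons.append("sender authentication failed")

    # 3. Static/structural attachment signals stand on their own, so an
    #    evasion-aware macro that sandboxes clean is still caught.
    if s.macro_present:
        score += 10
        reasons.append("macro-enabled attachment")
    if s.macro_auto_exec:
        score += 20
        reasons.append("auto-executing macro")
    if s.macro_env_check:
        score += 20
        reasons.append("macro checks its environment before running its payload")

    if score >= BLOCK_AT:
        verdict = "block"
    elif score >= REVIEW_AT:
        verdict = "review"
    elif pending:
        # Asynchronous verdicts: a detonation that has not returned yet must not
        # decay into an implicit allow; re-evaluate once the verdict lands.
        verdict = "defer"
        reasons.append("detonation still pending")
    else:
        verdict = "allow"
    return Decision(score, verdict, reasons)

# Constructed sample messages: one per test row above plus two edge cases.
SAMPLES = {
    "cred_harvest_behind_clean_url": Signals(link_verdict="malicious"),
    "legit_new_vendor": Signals(domain_age_days=10, first_time_sender=True),
    "new_domain_wire_request": Signals(domain_age_days=3, first_time_sender=True,
                                       financial_language=True, auth_pass=False),
    "evasive_macro_sandboxes_clean": Signals(file_verdict="benign", macro_present=True,
                                             macro_auto_exec=True, macro_env_check=True,
                                             first_time_sender=True),
    "link_verdict_not_back_yet": Signals(link_verdict="pending", financial_language=True),
}

if __name__ == "__main__":
    for name, sig in SAMPLES.items():
        d = score_message(sig)
        print(f"{name:32s} score={d.score:3d} verdict={d.verdict:6s} {d.reasons}")
```

Two design points carry the weight here: a benign verdict is worth exactly zero rather than a negative number, so a structurally suspicious attachment that sandboxes clean still reaches review on its static signals alone; and the pending state is tracked separately from the score, so a message with only weak signals and an unfinished detonation is deferred rather than allowed.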
How this eval is graded
Grade against expected.ideal_behavior and expected.rubric. Per-criterion pass requires mean >= 4.0 and no criterion below 3.
Rubric criteria
- Sublime Security
- Ai Platform
- Detonation Enrichment And Ml Signals