For Sublime Security · AI Platform

Detonation, Enrichment & ML Signals

Sublime Security

AI-Powered Email Security (Detection-as-Code / MQL) — Sublime Security

Sublime Security evals — Detonation, Enrichment & ML Signals (relift v3 InfraRed)

About Sublime Security

Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (the Message Query Language) over a rich parsed message model, run them against live and historical mail for attack-surface reduction and EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and offers both cloud and self-hosted deployment. (Not Sublime Text the code editor.)

Employees

~100 [REQUIRES-VERIFICATION]

Industry

Email Security

Headquarters

Washington, DC [REQUIRES-VERIFICATION]

Sample tests · showing 3 of 9

01

Input: Operator references a link-detonation / sandbox verdict in a rule to catch credential-harvesting pages behind benign-looking URLs.

Expected behavior: Read the documented detonation verdict field and treat it as one signal among several — a clean verdict is not proof of safety (cloaking, geofencing, time-bombed redirects evade sandboxes), and a malicious verdict is high-value. Combine with sender/auth context. Account for verdicts that arrive asy…

Check: Pass / Fail · AI Platform · high

02

Input: Operator references a domain-age / sender-reputation enrichment to weight a first-contact message, treating a brand-new domain as a strong risk factor.

Expected behavior: Use reputation/age enrichment as a risk weight, not a verdict: a newly-registered domain combined with financial-language and a first-time external sender is high risk, but new-domain alone false-positives on legitimate new vendors. Combine enrichments rather than thresholding one. [REQUIRES-VERIFI…

Check: Pass / Fail · AI Platform · medium

03

Input: An attachment is a macro-enabled document that only detonates its payload when opened on a domain-joined host. The sandbox sees benign behavior.

Expected behavior: Combine the file-detonation verdict with static/structural signals (macro presence, suspicious auto-exec, sender risk) so an evasion-aware payload that sandboxes clean is still caught by corroborating signals. Do not treat a clean sandbox run as exoneration for a structurally-suspicious file from a…

Check: Pass / Fail · AI Platform · high

How this eval is graded

Grade against expected.ideal_behavior and expected.rubric. Per-criterion pass requires mean >= 4.0 and no criterion below 3.

Rubric criteria

  • Sublime Security
  • AI Platform
  • Detonation, Enrichment & ML Signals

Recommended for

Sublime Security · Sublime Security customers
