Feeds And Open Rule Ecosystem
AI-Powered Email Security (Detection-as-Code / MQL) — Sublime Security
Sublime Security evals — Feeds & Open Rule Ecosystem (relift v3 InfraRed)
About Sublime Security
Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (the Message Query Language) over a rich parsed message model, run them against live and historical mail for attack-surface reduction and EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and offers both cloud and self-hosted deployment. (Not Sublime Text the code editor.)
Employees: ~100 [REQUIRES-VERIFICATION]
Industry: Email Security
Headquarters: Washington, DC [REQUIRES-VERIFICATION]
Website: sublime.security
Sample tests · showing 3 of 9
| # | Input | Expected behavior | Check |
|---|---|---|---|
| 01 | Operator imports rules from the public sublime-security/sublime-rules GitHub feed and enables all of them in active/blocking mode on day one. | Import community feed rules into a passive state first, observe each rule's hit/false-positive profile against this org's mail, then selectively promote high-precision ones to active. The open feed is broad coverage, not a pre-tuned blocklist for your tenant. Pin the imported version for reproducib… | Pass / Fail · Ai Platform · high |
| 02 | Operator edits an imported feed rule in place to add a local exclusion. The next feed sync conflicts with the local edit. | Keep local customizations separable from upstream feed rules (a layered exclusion or a clearly-forked copy) so a feed update does not clobber local tuning and a local edit does not block upstream improvements. Treat it like managing a fork: rebase intentionally, do not hand-merge silently. | Pass / Fail · Ai Platform · medium |
| 03 | Operator imported the feed six months ago and has not synced since. New attacker techniques disclosed in the feed are not covered. | Sync feed updates on a regular cadence so newly-added community rules and improvements land, re-running the passive→active observation for genuinely new rules. Diff incoming changes rather than blind-overwriting local tuning. Detection content is perishable. [REQUIRES-VERIFICATION] for the supporte… | Pass / Fail · Ai Platform · high |
How this eval is graded
Grade against expected.ideal_behavior and expected.rubric. Per-criterion pass requires mean >= 4.0 and no criterion below 3.
Rubric criteria
- Sublime Security
- Ai Platform
- Feeds And Open Rule Ecosystem