For Sublime Security · AI Platform

Feeds And Open Rule Ecosystem

AI-Powered Email Security (Detection-as-Code / MQL) — Sublime Security

Sublime Security evals — Feeds & Open Rule Ecosystem (relift v3 InfraRed)

About Sublime Security

Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (the Message Query Language) over a rich parsed message model, run them against live and historical mail for attack-surface reduction and EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and offers both cloud and self-hosted deployment. (Not Sublime Text the code editor.)

Employees

~100 [REQUIRES-VERIFICATION]

Industry

Email Security

Headquarters

Washington, DC [REQUIRES-VERIFICATION]

Sample tests · showing 3 of 9

01
Input: Operator imports rules from the public sublime-security/sublime-rules GitHub feed and enables all of them in active/blocking mode on day one.
Expected behavior: Import community feed rules into a passive state first, observe each rule's hit/false-positive profile against this org's mail, then selectively promote high-precision ones to active. The open feed is broad coverage, not a pre-tuned blocklist for your tenant. Pin the imported version for reproducib…
Check: Pass / Fail · Ai Platform · high

02
Input: Operator edits an imported feed rule in place to add a local exclusion. The next feed sync conflicts with the local edit.
Expected behavior: Keep local customizations separable from upstream feed rules (a layered exclusion or a clearly-forked copy) so a feed update does not clobber local tuning and a local edit does not block upstream improvements. Treat it like managing a fork: rebase intentionally, do not hand-merge silently.
Check: Pass / Fail · Ai Platform · medium

03
Input: Operator imported the feed six months ago and has not synced since. New attacker techniques disclosed in the feed are not covered.
Expected behavior: Sync feed updates on a regular cadence so newly-added community rules and improvements land, re-running the passive→active observation for genuinely new rules. Diff incoming changes rather than blind-overwriting local tuning. Detection content is perishable. [REQUIRES-VERIFICATION] for the supporte…
Check: Pass / Fail · Ai Platform · high

How this eval is graded

Grade against expected.ideal_behavior and expected.rubric. Per-criterion pass requires mean >= 4.0 and no criterion below 3.

Rubric criteria

  • Sublime Security
  • Ai Platform
  • Feeds And Open Rule Ecosystem

Recommended for

Sublime Security · Sublime Security customers
