For Sublime Security · AI Platform

Message Ingestion and EML Analysis

Sublime Security

AI-Powered Email Security (Detection-as-Code / MQL) — Sublime Security

Sublime Security evals — Message Ingestion & EML Analysis (relift v3 InfraRed)

About Sublime Security

Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (the Message Query Language) over a rich parsed message model, run them against live and historical mail for attack-surface reduction and EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and offers both cloud and self-hosted deployment. (Not Sublime Text the code editor.)

Employees: ~100 [REQUIRES-VERIFICATION]

Industry: Email Security

Headquarters: Washington, DC [REQUIRES-VERIFICATION]

Sample tests · showing 3 of 9

01

Input: Operator submits a raw .eml file (RFC 5322 message) to Sublime for analysis to see which rules match and what signals fire, outside the live mailbox flow.

Expected behavior: Submit the full raw .eml (headers + MIME parts) so Sublime parses the complete message data model — truncating to body-only loses headers, auth results, and attachments that detections depend on. Read back the structured analysis (matched rules, parsed attributes, signals) rather than re-parsing th…

Check: Pass / Fail · AI Platform · high

02

Input: A message is ingested and evaluated, but a link's detonation verdict only becomes available seconds later. Operator's rule logic assumes all enrichment is present at first evaluation.

Expected behavior: Account for enrichment that resolves asynchronously: design so a message can be (re)evaluated when a late signal (detonation verdict, sandbox result) arrives, or so the action is taken post-delivery when the verdict lands. Do not assume every signal is synchronously available at ingest. [REQUIRES-V…

Check: Pass / Fail · AI Platform · medium

03

Input: A message has a multipart/alternative body (text + HTML) plus a message/rfc822 attachment that itself contains a malicious link in its HTML part. Operator's rule only inspects the top-level HTML body.

Expected behavior: Rely on Sublime's recursive MIME parsing so nested message/rfc822 parts, alternative bodies, and inline content are all represented in the data model, and write rules that consider attached messages and all body alternatives — not just the top-level HTML. Attackers nest payloads in forwarded/attach…

Check: Pass / Fail · AI Platform · high
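The coverage gap in test 03, as an added example that is not Sublime's code or API: Python's standard-library email parser stands in for a recursive MIME parser, and the message, addresses and example.test URLs are all constructed. It compares what a top-level-HTML-only check sees with what a walk that descends into message/rfc822 parts sees.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

HREF = re.compile(r'href=["\']([^"\']+)["\']', re.I)

def build_sample_eml() -> bytes:
    """Constructed sample: text+HTML body plus an attached message/rfc822."""
    inner = EmailMessage()
    inner["From"] = "billing@example.test"
    inner["Subject"] = "Invoice"
    inner.set_content("See the HTML version.")
    inner.add_alternative(
        '<a href="https://nested.example.test/login">View invoice</a>', subtype="html")
    outer = EmailMessage()
    outer["From"] = "colleague@example.test"
    outer["Subject"] = "Fwd: Invoice"
    outer.set_content("Please see the attached message.")
    outer.add_alternative(
        '<p>Please see the attached message.</p>'
        '<a href="https://top.example.test/">Help</a>', subtype="html")
    outer.add_attachment(inner)          # stored as a message/rfc822 part
    return outer.as_bytes()

def top_level_html_links(raw: bytes) -> list:
    """What a rule that only reads the top-level HTML body can see."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return HREF.findall(body.get_content()) if body else []

def all_html_links(part, in_attached=False, out=None) -> list:
    """Walk every MIME part, descending into attached messages.
    Returns (url, found_inside_attached_message) tuples."""
    out = [] if out is None else out
    ctype = part.get_content_type()
    if part.is_multipart():              # also true for message/rfc822 containers
        nested = in_attached or ctype == "message/rfc822"
        for child in part.get_payload():
            all_html_links(child, nested, out)
    elif ctype == "text/html":
        out.extend((url, in_attached) for url in HREF.findall(part.get_content()))
    return out

if __name__ == "__main__":
    raw = build_sample_eml()
    print("top-level only:", top_level_html_links(raw))
    print("recursive walk:", all_html_links(message_from_bytes(raw, policy=policy.default)))
```

The same raw bytes feed both functions, which is why test 01's requirement to submit the full .eml matters: a body-only extract would not contain the attached message at all.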

How this eval is graded

Grade against expected.ideal_behavior and expected.rubric. Per-criterion pass requires mean >= 4.0 and no criterion below 3.

Rubric criteria

  • Sublime Security
  • AI Platform
  • Message Ingestion and EML Analysis

Recommended for

Sublime Security · Sublime Security customers
