MQL Detection Authoring

For Sublime Security · AI Platform

AI-Powered Email Security (Detection-as-Code / MQL) — Sublime Security

Sublime Security evals — MQL Detection Authoring (relift v3 InfraRed)

About Sublime Security

Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (the Message Query Language) over a rich parsed message model, run them against live and historical mail for attack-surface reduction and EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and offers both cloud and self-hosted deployment. (Not Sublime Text the code editor.)

Employees

~100 [REQUIRES-VERIFICATION]

Industry

Email Security

Headquarters

Washington, DC [REQUIRES-VERIFICATION]

Sample tests (showing 3 of 9)

Columns: # | Input | Expected behavior | Check

01
Input: Operator writes an MQL rule to flag display-name spoofing where the From display name impersonates an exec but sender.email.domain differs from the org's verified domains. They reference headers.reply_to and sender.email.domain i…
Expected behavior: Author the rule against the documented MQL message data model: use sender.email.domain.domain, headers.reply_to[], and the org's known-domain list (e.g. an org_vars / external list reference) rather than hardcoding a domain literal. Combine display-name similarity with an authentication signal (DMA…
Check: Pass / Fail · Ai Platform · high

02
Input: Operator writes a rule that should only fire when the sender has never previously communicated with the recipient org (a classic BEC pre-condition). They reference a sender-profile / message-context attribute.
Expected behavior: Use Sublime's documented sender/recipient context attributes (e.g. a first-time-sender or known-correspondent signal derived from the org's mail history) rather than re-implementing communication-history tracking in the rule. Combine first-contact with a content cue so routine new-vendor mail is no…
Check: Pass / Fail · Ai Platform · medium

03
Input: An MQL rule calls strings.icontains(body.current_thread.text, 'urgent') but the message is a calendar invite with no body text, so body.current_thread is null for that message.
Expected behavior: Guard attribute access for messages where a field may be absent: MQL evaluates lazily, but the rule should be written so a null body or empty thread yields a clean no-match, not a rule error. Use the documented helper functions (e.g. strings.* / any / all over a possibly-empty list) and test the ru…
Check: Pass / Fail · Ai Platform · high

How this eval is graded

Grade against expected.ideal_behavior and expected.rubric. Per-criterion pass requires mean >= 4.0 and no criterion below 3.

Rubric criteria

  • Sublime Security
  • Ai Platform
  • MQL Detection Authoring

Recommended for

Sublime Security customers
