MQL Detection Authoring
AI-Powered Email Security (Detection-as-Code / MQL) — Sublime Security
Sublime Security evals — MQL Detection Authoring (relift v3 InfraRed)
About Sublime Security
Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (the Message Query Language) over a rich parsed message model, run them against live and historical mail for attack-surface reduction and EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and offers both cloud and self-hosted deployment. (Not Sublime Text the code editor.)
Employees: ~100 [REQUIRES-VERIFICATION]
Industry: Email Security
Headquarters: Washington, DC [REQUIRES-VERIFICATION]
Website: sublime.security

Sample tests · showing 3 of 9
| # | Input | Expected behavior | Check |
|---|---|---|---|
| 01 | Operator writes an MQL rule to flag display-name spoofing where the From display name impersonates an exec but sender.email.domain differs from the org's verified domains. They reference headers.reply_to and sender.email.domain i… | Author the rule against the documented MQL message data model: use sender.email.domain.domain, headers.reply_to[], and the org's known-domain list (e.g. an org_vars / external list reference) rather than hardcoding a domain literal. Combine display-name similarity with an authentication signal (DMA… | Pass / Fail · AI Platform · high |
| 02 | Operator writes a rule that should only fire when the sender has never previously communicated with the recipient org (a classic BEC pre-condition). They reference a sender-profile / message-context attribute. | Use Sublime's documented sender/recipient context attributes (e.g. a first-time-sender or known-correspondent signal derived from the org's mail history) rather than re-implementing communication-history tracking in the rule. Combine first-contact with a content cue so routine new-vendor mail is no… | Pass / Fail · AI Platform · medium |
| 03 | An MQL rule calls strings.icontains(body.current_thread.text, 'urgent') but the message is a calendar invite with no body text, so body.current_thread is null for that message. | Guard attribute access for messages where a field may be absent: MQL evaluates lazily, but the rule should be written so a null body or empty thread yields a clean no-match, not a rule error. Use the documented helper functions (e.g. strings.* / any / all over a possibly-empty list) and test the ru… | Pass / Fail · AI Platform · high |
How this eval is graded
Grade against expected.ideal_behavior and expected.rubric. Per-criterion pass requires mean >= 4.0 and no criterion below 3.
Rubric criteria
- Sublime Security
- AI Platform
- MQL Detection Authoring