
Rule Lifecycle And Tuning


AI-Powered Email Security (Detection-as-Code / MQL) — Sublime Security

Sublime Security evals — Rule Lifecycle & Tuning (relift v3 InfraRed)

About Sublime Security

Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (Message Query Language) over a rich parsed message model, run them against live mail and retroactively against stored mail, use the same query layer for attack-surface reduction and ad-hoc EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and offers both cloud and self-hosted deployment. (Not Sublime Text, the code editor.)

Employees

~100 [REQUIRES-VERIFICATION]

Industry

Email Security

Headquarters

Washington, DC [REQUIRES-VERIFICATION]

Sample tests (showing 3 of 9)

Test 01 · severity: critical · check: Pass / Fail · rubric: AI Platform

Input: Operator writes an aggressive new BEC rule and is about to enable it in active/blocking mode directly on production mail.

Expected behavior: Backtest the rule against recent historical messages first (Sublime supports running a rule retroactively over stored mail), inspect the would-have-matched set for false positives, then roll out in a passive / flag-only mode before promoting to an active action. Never enable a blocking action on an…

Test 02 · severity: high · check: Pass / Fail · rubric: AI Platform

Input: A rule produces false positives on the company's own marketing-automation sender. The operator's instinct is to disable the rule entirely.

Expected behavior: Add a narrowly-scoped exclusion (e.g. an additional boolean clause or an exclusion list keyed on the verified sending domain + DKIM-authenticated identity) rather than disabling the whole rule. Keep exclusions auditable and specific so an attacker spoofing the marketing domain is not auto-allowed. …

Test 03 · severity: medium · check: Pass / Fail · rubric: AI Platform

Input: Analysts triage detections and mark some as false positive in the review queue. The operator never feeds those verdicts back into rule tuning.

Expected behavior: Close the loop: periodically review analyst false-positive / true-positive verdicts and use them to refine the offending rules (add exclusions, raise confidence thresholds, retire dead rules). Track per-rule precision over time so a decaying rule is caught. Verdicts are tuning signal, not just tria…
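The three tests above describe one lifecycle: backtest before enabling, carve out a narrow authenticated exclusion instead of disabling, and feed analyst verdicts back into per-rule precision tracking. The Python harness below is an added example that models that lifecycle on constructed data; it is not Sublime Security code and is not MQL. The Message fields (sender_domain, dkim_pass), the toy bec_rule heuristic, the CORPUS messages and the VERDICTS records are this example's own assumptions standing in for what the platform's parsed message model and review queue would supply.

```python
"""Rule lifecycle on constructed data: backtest, scoped exclusion, verdict loop.

Added example, not Sublime Security code and not MQL. Every field name,
message and verdict here is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Message:
    id: str
    sender_domain: str   # domain of the From: header (assumed field)
    dkim_pass: bool      # DKIM verified and aligned with From: (assumed field)
    subject: str
    body: str


# Constructed "historical mail" that a backtest would replay.
CORPUS = [
    Message("m1", "ceo-lookalike.example", False, "Urgent wire transfer",
            "I need you to process a payment before noon"),
    Message("m2", "marketing.corp.example", True, "Urgent: last day to save",
            "final payment reminder for your order"),      # legitimate, DKIM passes
    Message("m3", "marketing.corp.example", False, "Urgent payment request",
            "process the attached invoice today"),         # spoof of the marketing domain
    Message("m4", "partner.example", True, "Q3 report", "see attached"),
]

Predicate = Callable[[Message], bool]


def bec_rule(m: Message) -> bool:
    """Deliberately aggressive toy BEC heuristic: urgency plus a payment theme."""
    text = f"{m.subject} {m.body}".lower()
    return "urgent" in text and "payment" in text


def marketing_exclusion(m: Message) -> bool:
    """Narrow carve-out: the marketing sender is excluded only when the claimed
    domain is DKIM-authenticated, so a spoof of that same domain still fires."""
    return m.sender_domain == "marketing.corp.example" and m.dkim_pass


def backtest(rule: Predicate, corpus: Iterable[Message],
             exclusions: Iterable[Predicate] = ()) -> list[str]:
    """Ids the rule would have matched on stored mail, after exclusions."""
    exclusions = list(exclusions)
    return [m.id for m in corpus
            if rule(m) and not any(ex(m) for ex in exclusions)]


def recommend_mode(matched: list[str], reviewed_fp: set[str],
                   max_fp_rate: float = 0.2) -> str:
    """Promote to 'active' (blocking) only when the reviewed false-positive rate
    of the backtest is within budget; otherwise stay 'passive' (flag-only)."""
    if not matched:
        return "passive"   # nothing reviewed yet, so no basis for blocking
    fp_rate = len(reviewed_fp & set(matched)) / len(matched)
    return "active" if fp_rate <= max_fp_rate else "passive"


# Constructed analyst verdicts from the review queue: (rule, week, verdict).
VERDICTS = [
    ("bec_urgent_payment", 1, "tp"), ("bec_urgent_payment", 1, "tp"),
    ("bec_urgent_payment", 1, "fp"),
    ("bec_urgent_payment", 2, "tp"), ("bec_urgent_payment", 2, "fp"),
    ("bec_urgent_payment", 2, "fp"), ("bec_urgent_payment", 2, "fp"),
    ("bec_urgent_payment", 3, "tp"), ("bec_urgent_payment", 3, "fp"),
    ("bec_urgent_payment", 3, "fp"), ("bec_urgent_payment", 3, "fp"),
    ("lookalike_domain", 3, "tp"), ("lookalike_domain", 3, "tp"),
]


def precision_by_window(verdicts) -> dict[str, dict[int, float]]:
    """Per-rule precision, tp / (tp + fp), for each time window."""
    tp = defaultdict(lambda: defaultdict(int))
    total = defaultdict(lambda: defaultdict(int))
    for rule, window, verdict in verdicts:
        total[rule][window] += 1
        if verdict == "tp":
            tp[rule][window] += 1
    return {rule: {w: tp[rule][w] / total[rule][w] for w in sorted(total[rule])}
            for rule in total}


def decaying_rules(precision: dict[str, dict[int, float]],
                   floor: float = 0.5, windows: int = 2) -> list[str]:
    """Rules whose precision sat below `floor` in each of the last `windows`
    windows: candidates for a new exclusion, a higher threshold, or retirement."""
    flagged = []
    for rule, series in precision.items():
        recent = [series[w] for w in sorted(series)[-windows:]]
        if len(recent) == windows and all(p < floor for p in recent):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    raw = backtest(bec_rule, CORPUS)
    tuned = backtest(bec_rule, CORPUS, [marketing_exclusion])
    print("would-have-matched:", raw, "-> mode:", recommend_mode(raw, {"m2"}))
    print("after exclusion:", tuned, "-> mode:", recommend_mode(tuned, {"m2"}))
    prec = precision_by_window(VERDICTS)
    print("precision:", prec, "decaying:", decaying_rules(prec))
```

The raw backtest matches m1, m2 and m3; m2 is the legitimate marketing mail, so the reviewed false-positive rate is one in three and the rule stays passive. The exclusion removes m2 but keeps m3, because m3 claims the marketing domain without a DKIM pass, which is exactly the spoof case the second test warns about; with no remaining false positives the rule qualifies for active mode. The verdict loop then shows the same rule's precision falling to 0.25 for two consecutive weeks and flags it, which is the signal the third test says must be acted on rather than left in the triage queue. In Sublime itself the exclusion belongs in the rule's own MQL as an additional clause, so it is reviewed and versioned with the rule rather than hidden in a global allowlist.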

How this eval is graded

Grade each response against expected.ideal_behavior and expected.rubric. A test passes when the mean rubric score is >= 4.0 and no single criterion scores below 3.

Rubric criteria

  • Sublime Security
  • AI Platform
  • Rule Lifecycle And Tuning

Recommended for

Sublime Security customers
