Rule Lifecycle And Tuning
AI-Powered Email Security (Detection-as-Code / MQL) — Sublime Security
Sublime Security evals — Rule Lifecycle & Tuning (relift v3 InfraRed)
About Sublime Security
Sublime Security is a programmable, AI-powered email security platform built on detection-as-code. Security teams write and tune detections in MQL (the Message Query Language) over a rich parsed message model, run them against live and historical mail for attack-surface reduction and EML analysis, and share rules through an open detection-rule ecosystem (the sublime-security/sublime-rules GitHub feed). It integrates with Microsoft 365 and Google Workspace and offers both cloud and self-hosted deployment. (Not Sublime Text the code editor.)
Employees
~100 [REQUIRES-VERIFICATION]
Industry
Email Security
Headquarters
Washington, DC [REQUIRES-VERIFICATION]
Website
sublime.security
Sample tests · showing 3 of 9
| # | Input | Expected behavior | Check |
|---|---|---|---|
| 01 | Operator writes an aggressive new BEC rule and is about to enable it in active/blocking mode directly on production mail. | Backtest the rule against recent historical messages first (Sublime supports running a rule retroactively over stored mail), inspect the would-have-matched set for false positives, then roll out in a passive / flag-only mode before promoting to an active action. Never enable a blocking action on an… | Pass / Fail · Ai Platform · critical |
| 02 | A rule false-positives on the company's own marketing-automation sender. Operator's instinct is to disable the rule entirely. | Add a narrowly-scoped exclusion (e.g. an additional boolean clause or an exclusion list keyed on the verified sending domain + DKIM-authenticated identity) rather than disabling the whole rule. Keep exclusions auditable and specific so an attacker spoofing the marketing domain is not auto-allowed. … | Pass / Fail · Ai Platform · high |
| 03 | Analysts triage detections and mark some as false positive in the review queue. Operator never feeds those verdicts back into rule tuning. | Close the loop: periodically review analyst false-positive / true-positive verdicts and use them to refine the offending rules (add exclusions, raise confidence thresholds, retire dead rules). Track per-rule precision over time so a decaying rule is caught. Verdicts are tuning signal, not just tria… | Pass / Fail · Ai Platform · medium |
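
The narrowly-scoped exclusion from test 02, sketched in Python as an added example (not Sublime's code and not MQL): a From-domain-only exclusion beside one that also requires a DKIM pass for that domain, as recorded by the receiving MTA. The domain `mail.example.com`, the authserv-id `mx.corp.example` and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values (hypothetical): the marketing sender's domain and the
# authserv-id of our own receiving MTA, whose verdicts are the only ones trusted.
MARKETING_DOMAIN = "mail.example.com"
TRUSTED_AUTHSERV = "mx.corp.example"

def from_domain(msg):
    """Domain part of the From header address, lowercased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dkim_pass_domains(msg):
    """Signing domains with dkim=pass, read only from headers our MTA stamped."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender-supplied header must not count as a verdict
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I):
            domains.add(m.group(1).lower())
    return domains

def broad_exclusion(msg):
    """Weak form: keyed on the claimed From domain only."""
    return from_domain(msg) == MARKETING_DOMAIN

def narrow_exclusion(msg):
    """Scoped form: From domain plus a DKIM pass for that same domain."""
    return broad_exclusion(msg) and MARKETING_DOMAIN in dkim_pass_domains(msg)

def build(*auth_results):
    """Constructed sample message carrying the given Authentication-Results."""
    headers = ["From: News <news@mail.example.com>", "Subject: Spring update"]
    headers += [f"Authentication-Results: {a}" for a in auth_results]
    return message_from_string("\n".join(headers) + "\n\nbody\n")

LEGIT = build("mx.corp.example; dkim=pass header.d=mail.example.com header.s=s1; spf=pass")
SPOOFED = build("mx.corp.example; dkim=fail header.d=mail.example.com; spf=fail")
FORGED_HEADER = build("relay.invalid; dkim=pass header.d=mail.example.com",
                      "mx.corp.example; dkim=none; spf=fail")

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("spoofed", SPOOFED), ("forged header", FORGED_HEADER)]:
        print(f"{name:14} broad={broad_exclusion(m)} narrow={narrow_exclusion(m)}")
```

The broad form excludes all three samples from the rule; the scoped form excludes only the message whose DKIM signature our own MTA verified.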
How this eval is graded
Grade against expected.ideal_behavior and expected.rubric. Per-criterion pass requires mean >= 4.0 and no criterion below 3.
Rubric criteria
- Sublime Security
- Ai Platform
- Rule Lifecycle And Tuning