Sublime’s AI agents are just the tip of the platform

In 2025, Sublime released two different AI agents to automate some of the most time-consuming aspects of email security.

Released in April, our Autonomous Security Analyst (ASA) triages the bulk of user-reported messages without analyst intervention. Most user reports aren't malicious, but prior to ASA, they still required manual review. Depending on org size, ASA can save security teams weeks of analyst time each year.

Our follow-up agent, the Autonomous Detection Engineer (ADÉ), picks up where ASA leaves off. When ASA identifies a gap in coverage, ADÉ fills it. ASA determines a user-reported message is malicious, passes findings to ADÉ, and ADÉ analyzes the attack, iteratively develops new coverage through backtesting, then hands the new detection to your team for review and one‑click publish to your Sublime instance. Security teams can close gaps in hours, not weeks.

Those are just the first two in a family of AI agents on our roadmap, each designed to bolster security while improving the lives of security teams. Having led the development of these agents, I can confirm that while we frequently talk about their accuracy and efficacy, we haven't discussed enough how much work goes into building, maintaining, and integrating them.

The fact is, our agents are powerful, autonomous tools that wouldn’t be possible if it wasn’t for the power of the entire Sublime platform – and all of the teams that are responsible for keeping it at the leading edge of email security. In this post, we’ll take a deeper dive into what it takes to build and maintain an email security agent, as well as the technologies that enable their high level of accuracy, efficacy, and autonomy.

Tooling: More than an LLM

The prevalence and accessibility of foundational AI models has changed the agentic game for many security companies. That said, an agent needs more than a connection to an LLM. An LLM is just a reasoning engine, not a security analyst.

Google's Threat Intelligence team recently identified malware families, such as PROMPTFLUX, that dynamically query LLMs during execution to generate evasion code. Attackers are using "just-in-time" AI to mutate faster than static defenses can adapt. Their malware literally asks an LLM how to evade your security, then rewrites itself based on the answer.

Since email security agents are going head-to-head with these adversarial AI systems with access to powerful tooling, we’ve given our agents full access to all the cutting-edge tools our platform offers. And since this is native, our agents don’t just consume outputs, they interact and use tools we’ve built at a lower level:

• Message rendering: We screenshot the message body as the end user would see it, then run computer vision and use vision tokens to detect logos, analyze layout, and identify brand impersonation that text analysis would miss.
• Message grouping: In order for agents to accurately and efficiently campaigns, they have first have to understand how to group messages. A problem with more more nuance than you might expect.
• Behavioral context: Our agents use threat intelligence from multiple feeds (including our own Core Feed), Natural Language Understanding (NLU) for intent classification (BEC, callback scam, credential theft, etc.), logo detection for brand impersonation, and historical sender profiling to know what “normal” is.
• Deep content analysis: Our agents decode base64-encoded payloads, unpack archives, follow QR codes in attachments, parse nested EML files, run OCR on attachments, macro analysis, and much more – all within the agent's reasoning loop.
• Link analysis: Our agents click links and follow CTAs through redirects, click trackers, and shorteners to reach actual landing pages. They don't just check if a URL is on a blocklist; they navigate to the destination, screenshot it, run logo detection, and analyze the DOM for credential harvesting forms.
• Infrastructure analysis: Our agents perform WHOIS and domain analysis of the infrastructure within a message (header, body, attachments, etc.), using that data to inform further decisions.
• Sandbox interaction: Rather than just receiving a "malicious/benign" verdict from a sandbox, our agents can interact within the sandbox environment to observe real behavior.

Sublime has built and maintains these native tools, as well as dozens more, for use via Message Query Language (MQL). MQL is the foundational language of our detections, threat hunts, automations, and more – including the agents we build.

MQL gives our agents a common language to work and coordinate in, ensures precise handoffs with zero ambiguity. For Sublime’s users, MQL turns probabilistic intent into deterministic action that you can see, audit, and trust. Using ADÉ as an example, if you disagree with its logic, you can tweak the MQL code directly. We don’t build black box agents, we build a collaborative AI experience.

Intelligence: The only constant is change

Because the threat landscape evolves weekly and novel TTPs surface constantly, our prompts, knowledge bases, and context engineering flows are tuned continuously. This is just not a maintenance task – it’s an arms race against attackers.

Adversarial attacks on ML-based email filters have been documented in academic literature since 2004. Attackers systematically craft inputs to evade detection. They probe, test, and exploit.

At Sublime, our Detection and Machine Learning teams work full-time on this:

• Updating threat intel as new campaigns emerge
• Refining prompt structures as we learn what the model misses
• Tuning enrichment pipelines based on false positive feedback
• Generating synthetic, AI-powered attacks internally to close gaps before attackers find them

Furthermore, we can take advantage of collective intelligence. Because Sublime serves multiple organizations, we see attacks across environments. When a novel campaign hits one customer, we learn from it – and every other customer benefits. Our agents can detect variants of an attack you've never seen because we've already seen it somewhere else.

Privacy: Agents that keep secrets

Your emails are some of the most sensitive data in your organization, and our platform (and our agents) take that very seriously. No customer data is shared with third-party model providers. Our fine-tuned models run within our infrastructure. We built it this way because email security and data sovereignty shouldn't be in conflict.

Agent orchestration: The power of many

A single agent is a tool. A coordinated system of agents is a team. ASA and ADÉ were designed to act as a team, handing off work to each other in production:

1. ASA triages a user-reported message.
2. ASA identifies it as malicious and passes findings to ADÉ.
3. ADÉ analyzes the attack patterns.
4. ADÉ writes a behavioral detection rule.
5. ADÉ backtests the rule against historical data.
6. ADÉ proposes the validated rule to your team for review.

This handoff happens automatically so coverage gaps get closed in hours, not weeks.

To give context on the complexity of agent interactions, Microsoft, Google, and OpenAI have all published patterns for agent coordination, documenting failure modes like context loss during handoffs, state management complexity, and error amplification through chains. These aren't theoretical concerns, they're documented reasons why multi-agent systems fail in production.

Our architecture is built for a future where agents collaborate on increasingly sophisticated tasks, allowing us to add to our team of agents without experiencing growing pains.

Accuracy: Measurable and hallucination free

LLM hallucinations are well documented. Studies consistently show that 5-10% of responses contain inaccuracies. In a chatbot, that's annoying. In security, it's a vulnerability. And in agentic systems, hallucinations compound. Research describes this as the "error amplifier" effect: a small initial mistake gets magnified and propagated through subsequent actions, ultimately leading to catastrophic failures. If an agent confidently misclassifies one email, that misclassification informs the next decision, and suddenly there’s a cascade.

We take this seriously enough that we published a peer-reviewed paper on our evaluation framework for ADÉ, which we presented at CAMLIS 2025. We measure detection accuracy, robustness against adversarial evasion, and economic cost. We compare agent-generated rules against human-authored counterparts. We test against attacks designed specifically to evade detection. And we give you the last say in any agent-generated rule before it reaches production.

Email security agents need an email security platform

Sublime’s agents are underpinned by years of tooling development, threat intelligence pipelines, purpose-built ML models, deep platform integration, operational expertise, rigorous evaluation frameworks, and a company whose entire focus is email security.

Our agents find gaps and fix them automatically. They triage the noise so your analysts can focus on what matters. They adapt to new attacks faster than any manual process could and harden your security around the clock.

We can only do that because Sublime isn’t just a set of agents, it’s an email security platform. The only way to effectively shut down challenging attacks is with purpose-built, expert AI that is focused on one thing and one thing only: email security.

Get a live demo of Sublime to see ASA and ADÉ in action.