
We understood early on that only seeing the aftermath of email attacks wasn’t good enough. I don’t want us chasing fires in full burn, I want us catching smolders before they turn into something expensive for our customers.



Overview
Black Hills Information Security is a practitioner-led security services firm providing managed detection and response (MDR), incident response, and advisory services to organizations across a wide range of industries. The team operates as an extension of its customers’ security programs, combining deep technical expertise with hands-on operational support.
As Black Hills expanded its MDR services, one strategic challenge stood out clearly: email. While widely recognized as the most common initial access vector, email had historically lived outside the scope of managed defense.
Rather than ignore that gap, Black Hills made a deliberate decision to bring email into scope as part of managed defense, but only if it could be done in a way that aligned with how the team already operated and without overwhelming analysts.
When email fell outside managed ownership
Across the broader MDR and MSSP ecosystem, email was widely recognized as critical, but rarely owned end-to-end. Customers typically ran a patchwork of legacy tools, leaving service providers with limited visibility and control.
At Black Hills, this meant email security effectively lived outside the SOC. In some cases, alerts from customer-owned tools were forwarded into the SOC, but without access to message contents, inboxes, or remediation controls, the data was largely unusable.
“We had customers being targeted with BEC every other week, and we were only seeing the aftermath,” Haseeb Khan, SOC SecOps Manager at Black Hills, shared. “When you can only catch the second half of a BEC, that gets expensive fast.”
Closing that gap required more than better detection. It required a platform that could integrate cleanly into Black Hills’ API-driven, infrastructure-as-code approach to security operations.
Putting email into managed defense with Sublime
Black Hills selected Sublime because it gave the team a way to understand, tune, and integrate email security directly into how they already operate. With clear visibility and control, email could finally be managed as part of their MDR service across diverse customer environments.
Unlike legacy tools that were difficult to integrate or customize, Sublime aligned naturally with how Black Hills built and operated its MDR services. Its API-first design and detection-as-code model made it possible to deploy and manage email security without creating brittle, one-off workflows.
Just as importantly, Sublime gave analysts confidence in the decisions being made. Instead of redoing work or second-guessing alerts, analysts could see exactly why an email was classified and move quickly.
“With Sublime paired with Black Hills’ existing automation, one analyst can do the work of four without feeling overloaded,” Covington added.
From reactive cleanup to early intervention
With email under management, Black Hills could detect and disrupt attacks earlier in the lifecycle.
“Catching things earlier fundamentally changes how response effort and cost add up,” Covington shared. Instead of spending time and effort remediating compromised accounts and downstream fraud, analysts could focus on preventing those incidents from occurring in the first place.
This shift unlocked meaningful operational leverage. Black Hills layered Tines on top of Sublime’s email signals to standardize response workflows at scale, without increasing analyst overhead.
The result was a managed email security capability that fit naturally into the SOC, reducing noise, improving visibility, and allowing analysts to spend more time on high-value work instead of constant cleanup.
“This makes us more effective, and it allows us to deliver more complete monitoring and response for our customers,” Covington said.
A durable foundation for managed defense
By deliberately bringing email into scope with Sublime, Black Hills closed one of the most significant gaps in managed security services. What was once an avoided problem became a core part of its MDR offering, improving protection for customers and strengthening the overall service.
Email is a managed, visible, and actionable signal that Black Hills can use to stop attacks earlier and operate more efficiently.
For Black Hills, the value is clear: better security outcomes for customers, a more complete MDR service, and a foundation that can scale as threats continue to evolve.
