Elastic uses Sublime for effortless, effective email security

20x: attacks automatically detected and prevented

96%: reduction in manual investigations

We've transformed our email security approach from manual investigations to automated protection with Sublime, and the efficiency gains have been remarkable. What previously consumed hours now happens automatically in seconds.

Mandy Andress

CISO at Elastic

Elastic, a leader in Search AI with solutions for observability and security, was facing a growing challenge with phishing emails slipping past its email provider's built-in defenses. Their Information Security team was spending significant time manually investigating reports, often navigating multiple platforms to take basic actions.

They needed a solution that could reliably detect threats and automate remediation to free up analyst time for more strategic security initiatives. Elastic evaluated Sublime alongside other API-based email solutions and the choice was clear.

The time savings here is hard to describe adequately. At this volume, it’s already been hundreds of hours.

Chris Cutajar

Principal Security Engineer at Elastic

When Elastic deployed Sublime, the impact was immediate. Within the first month, Sublime automatically remediated over 2,000 phishing emails—before they reached users. Analysts who previously spent 10 to 15 minutes investigating each phishing email were now only reviewing a small subset of user reports. The team has high confidence in Sublime's efficacy to auto-remediate phishing campaigns.

Elastic’s previous phishing response process was cumbersome and time consuming. Employees forwarded suspicious emails to a security inbox, which then required manual case management. Analysts had to retrieve emails through the email provider's admin interface, review headers, and copy findings into their ticketing system. This process was particularly painful for large phishing campaigns.

If a big phishing attack hit, it could take half a day just to close out all the cases.

Katarina Puskarov

Senior Information Security Analyst

Elastic’s email provider alone wasn’t providing sufficient protection for the types of attack campaigns they were seeing. “It just wasn’t catching enough,” Puskarov explained. “We kept seeing the same phishing attacks getting through—noisy campaigns, VIP impersonations, things that should have been obvious.”

Elastic evaluated multiple modern email security solutions, but found that Sublime provided the highest detection efficacy, simplest automation, and best integration with their existing workflows and tooling.

Significantly fewer missed attacks

Elastic did a head-to-head efficacy comparison between Sublime and several other modern email security solutions. During the proof of concept, Sublime detected significantly more threats. “Sublime was catching so much more than the others,” Puskarov recalled. “At that point, it wasn’t a hard decision.”

In the first month alone after the POC, Sublime detected over 2,000 more email attacks that made it past their email provider.

Sublime detected and prevented these malicious messages, which reduced the overall volume of escalations requiring analyst intervention and reduced overall risk.

Time savings and efficiency gains

It’s one of the few tools we’ve implemented that truly just works. Low maintenance, no tuning—it just does what it’s supposed to do.

Chris Cutajar

Principal Security Engineer at Elastic

Before Sublime, analysts were spending hundreds of hours handling phishing cases, with each investigation taking 10-15 minutes and often requiring follow-on actions from Elastic’s Incident Response team.

After deploying Sublime, the number of investigations dropped by 62% within the first quarter; the true reduction is likely higher, since the remaining reports include benign messages unrelated to phishing.

By reducing manual phishing triage, and by automatically preventing 20x more unreported attacks, scams, and spam, Sublime has freed up hundreds of analyst hours per year. “We went from spending hours a day on phishing cases to barely thinking about them,” Puskarov said. “Now, when we open Sublime, it’s just to verify that everything is running smoothly.”

With Sublime in place, email attack prevention and abuse mailbox management at Elastic is now automated. Manual investigations are rare. Suspicious emails are detected, analyzed, and removed before they can cause harm.

Transparency and Control

It felt like Sublime was built for analysts by analysts. It’s not a black box. We can see exactly why something was detected and tweak it if needed.

Jordyn Coyne

Sr. Manager of Incident Response at Elastic

Sublime is built differently than other email security solutions. Its Message Query Language provides full transparency into why a message is flagged, and enables rapid adaptation to new threats and instant resolution of false positives. For advanced teams like Elastic, it also gives them the flexibility to create custom detections and do threat hunting. “The flexibility it gives us is something we haven’t seen in other tools,” said Cutajar.

Sublime’s API-first approach also meant Elastic could integrate it into existing workflows without disruption, and export rich metadata into an Elastic Kibana instance for correlation across the rest of their security stack.

Sublime has fundamentally changed how Elastic handles phishing, shifting it from a manual, reactive process to an automated, high-accuracy one. Analysts now spend their time on high-priority security threats rather than phishing reports.

“I can’t imagine going back to the way we used to do things,” Cutajar summarized. “The time savings alone make it worth it, but the biggest benefit is knowing phishing is being handled before it ever becomes a problem.”

Now is the time.

Experience Sublime’s adaptable email security platform and take control of your email environment today.