Adaptive, transparent, and effective detection from day one
Selection criteria
When exploring new email security solutions, Snowflake identified three critical requirements:
Advanced Threat Detection: Effective detection and prevention of sophisticated, targeted email threats out-of-the-box.
Abuse Mailbox Automation: Automate the triage, investigation, and remediation of user-reported messages.
Control and Transparency: Access to advanced detections without tuning or additional headcount.
These would add defense-in-depth controls for email and, in turn, let the team extend Sublime into advanced use cases including policy-as-code for streamlined rule management and the operationalization of threat intelligence.
Snowflake's rigorous selection criteria aimed at significantly improving email threat visibility, operational efficiency, and overall security posture.
The Snowflake team was hands-on with Sublime at the start of the proof of concept (POC), and immediately had historical production data to review Sublime's efficacy.
Sublime’s Proof of Value (POV)
To thoroughly assess Sublime's capabilities, Snowflake’s Security Team conducted a detailed comparison against leading email security solutions. Their Red Team created a representative test of 45 diverse, sophisticated attack types:
The evaluation results were definitive: Sublime blocked 100% of the attacks, far exceeding the other solutions examined by Snowflake's Security Team.
Phishing is still a top attack vector across the industry and there’s no silver bullet solution. To effectively combat the evolving threat landscape, you need a partner that can empower security teams to build tailored detections for your organization.

Haider Dost
Head of Global Threat Detection and Threat Intelligence
Results: Enhanced security and control
In the first few months after implementation, Snowflake experienced enhanced security capabilities with Sublime and fewer false positives. The team now benefits from advanced capabilities including:
Granular detection and exclusion logic
Attack surface reduction by flagging domains from suspicious registrars
Advanced threat hunting and backtesting
In addition, Sublime uses a standardized JSON schema to represent email messages with the ability to export to S3. This data can be integrated with Snowflake’s existing security controls such as managed browser settings or splash pages if a user visits an identified suspicious domain.
From a Threat Intelligence perspective, Sublime is offering us a whole new paradigm in detection opportunities and controls. Leveraging Sublime's API, we can push our collections of indicators to include domains, IPs, hashes, etc. to Sublime and have immediate enforcement and blocking in real time.

Haider Dost
Head of Global Threat Detection and Threat Intelligence
The Threat Intelligence team can now extract Indicators of Compromise (IOCs) from Sublime and feed them into other detections from other data sources.
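The workflow described above (an exported batch of JSON-structured messages checked against a team's own collection of domain, IP and hash indicators, with the hits fed back into other detections) can be illustrated with the following added example. It is not Sublime's code or API: the message layout, the indicator values (documentation-range placeholders) and the function names are all constructed for this example, and the point it makes is the matching logic, in particular that a listed domain should also catch subdomains of itself.

```python
import hashlib
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed indicator collection keyed by type. Values are documentation-range
# placeholders (RFC 2606 / RFC 5737), not indicators from any real feed.
IOC_FEED: Dict[str, Set[str]] = {
    "domain": {"evil-login.example", "update-portal.example"},
    "ip": {"203.0.113.45"},
    "sha256": {hashlib.sha256(b"constructed malicious attachment").hexdigest()},
}

# Constructed messages in a simplified JSON layout assumed for this example only;
# it is not the vendor's message schema.
SAMPLE_MESSAGES_JSON = json.dumps([
    {
        "id": "msg-1",
        "sender": {"email": "it-helpdesk@login.evil-login.example"},
        "received_ips": ["198.51.100.7"],
        "body_text": "Please verify your account at https://sso.update-portal.example/reset",
        "attachments": [{"name": "invoice.pdf",
                         "sha256": hashlib.sha256(b"constructed malicious attachment").hexdigest()}],
    },
    {
        "id": "msg-2",
        "sender": {"email": "alice@partner.example"},
        "received_ips": ["203.0.113.45"],
        "body_text": "Agenda attached for Thursday.",
        "attachments": [{"name": "agenda.docx", "sha256": hashlib.sha256(b"benign").hexdigest()}],
    },
    {
        "id": "msg-3",
        "sender": {"email": "bob@corp.example"},
        "received_ips": ["192.0.2.10"],
        "body_text": "See http://docs.corp.example/handbook for the policy.",
        "attachments": [],
    },
])

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def normalize_domain(host: str) -> str:
    return host.strip().rstrip(".").lower()


def domain_matches(host: str, listed: Set[str]) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    labels = normalize_domain(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # walk up: a.b.c -> b.c -> c
        if candidate in listed:
            return candidate
    return None


def extract_observables(message: dict) -> List[Tuple[str, str, str]]:
    """Pull (type, value, location) triples out of one message record."""
    obs: List[Tuple[str, str, str]] = []
    sender = message.get("sender", {}).get("email", "")
    if "@" in sender:
        obs.append(("domain", sender.rsplit("@", 1)[1], "sender.email"))
    for host in URL_HOST_RE.findall(message.get("body_text", "")):
        obs.append(("domain", host, "body_text.url"))
    for ip in message.get("received_ips", []):
        obs.append(("ip", ip, "received_ips"))
    for att in message.get("attachments", []):
        if att.get("sha256"):
            obs.append(("sha256", att["sha256"].lower(), f"attachments.{att.get('name', '')}"))
    return obs


def match_message(message: dict, feed: Dict[str, Set[str]]) -> List[dict]:
    """Return one hit record per observable that matches an indicator in the feed."""
    hits = []
    for kind, value, location in extract_observables(message):
        if kind == "domain":
            listed = domain_matches(value, feed.get("domain", set()))
            if listed:
                hits.append({"type": kind, "observed": normalize_domain(value),
                             "indicator": listed, "location": location})
        elif value in feed.get(kind, set()):
            hits.append({"type": kind, "observed": value, "indicator": value, "location": location})
    return hits


def scan_export(messages_json: str, feed: Dict[str, Set[str]] = IOC_FEED) -> Dict[str, List[dict]]:
    """Run the feed over an exported batch; keep only messages with at least one hit."""
    results: Dict[str, List[dict]] = {}
    for message in json.loads(messages_json):
        hits = match_message(message, feed)
        if hits:
            results[message["id"]] = hits
    return results


if __name__ == "__main__":
    for msg_id, hits in scan_export(SAMPLE_MESSAGES_JSON).items():
        print(msg_id)
        for hit in hits:
            print(f"  {hit['type']:7} {hit['observed']} -> {hit['indicator']} ({hit['location']})")
```

The hit records carry the location of each match (sender domain, body URL, receiving IP, attachment hash), which is what a downstream detection in another data source needs in order to pivot on the indicator rather than on the message as a whole. Exact-string matching on domains would miss `login.evil-login.example` for a feed entry of `evil-login.example`; the suffix walk in `domain_matches` closes that gap without also matching unrelated names such as `notevil-login.example`.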