
Simple & flexible plans

Core
Essential Protection

Enterprise
Autonomous Protection & Control
Detections
Core capabilities to detect and block email-borne threats before and after delivery.
Analyzes email content, attachments, senders, and links using layered detection, including ML (CV, NLU, OCR), behavioral analysis, file and URL inspection, and threat intelligence to stop modern email attacks.
Detects vendor impersonation and compromised vendor accounts used in BEC and payment fraud to catch supply chain attacks that bypass traditional trust and reputation checks.
Builds behavioral profiles for senders over time to detect anomalies that indicate account compromise.
Analyzes links in real time using headless browsers to detect credential phishing, malicious redirects, and brand impersonation.
Detects and mitigates email bombing attacks that flood inboxes to hide fraud or disrupt operations, keeping mailboxes usable during high‑volume campaigns.
Identifies and filters spam messages to maintain inbox hygiene and keep analysts focused on threats.
Identifies and manages promotional and bulk emails to reduce inbox clutter so security teams and users can focus on real threats.
Creates precise, rule‑scoped exceptions to trust specific senders without opening broad security gaps.
Blocks known malicious senders and domains at scale to prevent repeat attacks from identified threat actors.
Agents
AI-powered agents that automate detection engineering and email triage.
Automatically turns novel threats into validated detection rules so defenses adapt continuously without manual rule writing or tuning.
Automates analysis and response for user‑reported and system-flagged emails with Suspicious or Unknown Attack Scores, cutting triage time from hours to seconds.
Analysis & Hunting
Tools to investigate incidents, search historical email data, and uncover hidden threats.
Searches historical email data with MQL to investigate incidents and understand attack patterns.
Runs retroactive hunts over historical email data to uncover threats that evaded initial detection and reveal broader attack campaigns.
Analyzes individual email files without full platform deployment for fast threat assessment and training.
Tests detection rules against historical messages to validate effectiveness and tune accuracy before production deployment.
Remediation & Response
Capabilities to neutralize threats in user inboxes and protect users post-delivery.
Mailbox actions to contain threats. Core includes trash and move to spam or junk; Enterprise also adds quarantine, quarantine‑and‑release, and warning banners.
Prebuilt and custom policies that automatically apply standard actions based on Attack Score, ASA, and rule logic – for example auto‑quarantining malicious messages, auto‑handling suspicious‑in‑Spam, and campaign‑level remediation.
Displays customizable warning banners on suspicious emails so users are alerted to risk without blocking legitimate messages.
Finds and remediates malicious calendar invites (ICS phishing) that bypass traditional email defenses and persist in user calendars.
Platform & Integrations
Connectivity and extensibility to adapt to your mail flow and security ecosystem.
Stores and manages detection rules in GitHub for version control, collaboration, and automated deployment.
Ingests via API to analyze messages and act without altering mail flow. Fast to deploy for Google Workspace and Microsoft 365.
Exposes comprehensive REST APIs to integrate email security data into existing workflows and tools.
Connects to Google Workspace, Microsoft 365, and IMAP‑compatible email platforms to extend protection across the organization.
Ingests external threat feeds, including IOCs, malware hashes, and YARA‑based intelligence, to enhance detection coverage.
Sits in mail flow to scan and enforce before delivery, enabling stricter real-time controls and policy enforcement.
Sends enriched email threat data to SIEM and SOAR platforms via webhooks and S3 exports for centralized monitoring and automation.
Admin & Reporting
Controls for management, compliance, and visibility across the platform.
Supports deployment as fully managed SaaS, single‑tenant SaaS, self‑managed in AWS or Azure (including GovCloud), or Docker‑based environments.
Shows security posture metrics such as mailboxes protected, threats detected, active rules, and remediated attacks so teams can demonstrate value and coverage.
Controls platform access with built-in roles for admins, engineers, and analysts to enforce least privilege.
Defines custom roles with granular permissions to tailor access controls and restrict visibility of message contents.
Integrates with enterprise identity providers for single sign‑on and multi‑factor authentication.
Automates user provisioning and deprovisioning via SCIM to streamline access management.
Tracks platform activity and configuration changes for compliance and investigations.
Exports audit logs for ingestion into SIEM or storage (e.g., via S3).
Exports message and threat data to S3 for long‑term retention and external analysis.
Manages multiple customer organizations with multi‑tier hierarchies for MSPs and complex enterprise structures.
User Reports
Features to engage users in the feedback loop, phishing, and abuse reporting.
Lets users report suspicious emails via an abuse mailbox or report button, feeding intelligence back to security teams and powering automated analysis and response.
Uses user reports and message grouping to automatically remediate all copies of a campaign across the organization when a threat is confirmed or reports reach a threshold.
Alerts or takes action when a VIP reports or receives a high‑risk message, so high‑impact users get prioritized protection and response.
Automatically acknowledges user‑reported emails and closes the loop with templated responses after messages are classified.
Now is the time
See how Sublime delivers autonomous protection by default, with control on demand.