Behavioral threat hunting in email

Hunt threats in your organization’s inboxes and turn the tables on bad actors with the most advanced threat hunting platform.

From a threat intelligence perspective, Sublime is offering us a whole new paradigm in detection opportunities and controls. Leveraging Sublime's API, we can push our collections of indicators to include domains, IPs, hashes, etc. to Sublime and have immediate enforcement and blocking in real time.

Haider Dost
Head of Global Threat Detection and Threat Intelligence, Snowflake

Your email threat hunting platform

Sublime gives you the tools you need to find the threat patterns hidden across your inboxes with our comprehensive threat hunting platform.

Historical sender context

Sublime tracks historical sender data to make decisions about future messages from that sender’s organization.

Signals within infrastructure

Threats can be surfaced through infrastructure clues, like unusual hop patterns, SPF/DMARC failures, and suspicious sending hosts.

Hunts <-> Rules

With Message Query Language (MQL), analysts can turn a Hunt into a Detection Rule and vice versa in a few clicks.

Hunt and remediate from one screen

Hunt for threats in inboxes and then remediate malicious emails right from the results.

Hunt across every signal

Attackers leave behind breadcrumbs in language, visual cues, infrastructure, sender behavior, and more. Sublime's threat hunting platform can help you find them all.

01

In-depth threat hunting

Sublime lets you hunt threats using deep, flexible primitives, AI-powered functions, and external enrichments like link analysis, WHOIS, domain age, logo detection, string patterns, and behavioral context, all in one unified threat hunting platform built for real investigation.

02

Hunt by behavior & TTPs

Put the latest threat intelligence to use by hunting down novel attacks using their known behaviors and TTPs.

03

Contextualized sender data

Sublime uses historical data - like previous verdicts, time known, whether contact was solicited, and more - to inform sender reputation.

04

Infrastructure metadata

Infrastructure metadata such as free file hosts, free email providers, known-malicious domains, failed authentication, and more will expose even the most well-crafted attack campaign.

05

Switch from Hunt to Detect

Hunts and Detection Rules are both written in MQL, so a successful Hunt can be turned into a powerful Detection Rule that prevents future attacks.

Ready to transform your email security?

Experience the power of Sublime's threat hunting platform and see how behavioral threat hunting can protect your organization.

Complete threat hunting platform capabilities

Advanced features designed for modern security teams who need comprehensive email threat hunting.

Message Query Language (MQL)

Write complex queries to hunt threats with precision and flexibility.

YARA

Hunt over historical email data using custom YARA signatures.

Automated threat grouping

Group similar attacks automatically to accelerate investigation workflows.

External enrichment integration

Leverage threat intelligence feeds and enrichment sources for deeper context.

Quarantine

Safely isolate suspicious messages automatically or with a single click.

Hunt-to-Rule conversion

Transform successful hunts into automated detection rules instantly.

Email infrastructure analysis

Analyze sending patterns, authentication failures, and hosting providers.

Behavioral pattern detection

Identify suspicious sender behaviors and communication patterns.

What our customers are saying

The black box approach to email security no longer works. It reduces visibility on how Brex may be attacked and the tactics and techniques used by attackers. With Sublime, we now have transparency and the confidence to keep up with emerging threats.

Mark Hillick
CISO, Brex

The ability to automate remediations with high confidence and minimize manual reviews unlocks a new level of efficiency in our SOC. It’s hard to imagine going back to life before Sublime.

JJ Agha
CISO, Fanduel

What I love about the platform is that it just works. I’m so tired of all these tools I have to futz with, and Sublime is just easy.

Jason Kikta
CISO, Automox

With Sublime, we no longer wait weeks for vendor updates. Our team reacts instantly - which is critical for our fast-moving environment.

Ronald Richards
OVO Energy

Latest from Sublime

November 3, 2025 | Attack spotlight
ICS phishing: Stopping a surge of malicious calendar invites
By Ahry Jeon (Product Manager) and Brandon Murphy (Detection)

October 28, 2025 | Sublime news
Sublime raises $150M Series C to arm defenders for the post-LLM world
By Josh Kamdjou (Co-founder & CEO) and Ian Thiel (Co-founder & COO)

October 23, 2025 | Attack spotlight
Direct Send abuse on Microsoft 365: Just another failed authentication
By Peter Djordjevic (Detection)

Frequently asked questions

What makes Sublime's threat hunting platform different from traditional email security?
Unlike one-size-fits-all solutions, Sublime provides full transparency and explainability. For advanced teams, our platform is fully extensible, allowing you to hunt for novel and organization-specific threats using MQL.
Can I convert threat hunts into automated detection rules?
Yes, Sublime's threat hunting platform uses MQL for both hunting and detection coverage. Any successful hunt can be converted into an automated detection with a few clicks, enabling proactive protection against similar future threats.
What types of infrastructure signals does the threat hunting platform analyze?
Sublime examines SPF/DMARC failures, unusual hop patterns, suspicious sending hosts, free email providers, domain age, hosting reputation, and authentication changes to identify potential threats through infrastructure analysis.
How does historical sender context improve threat hunting accuracy?
The threat hunting platform maintains detailed sender profiles including previous verdicts, relationship history, communication frequency, and trust levels. This context helps distinguish between legitimate senders and potential threats with higher precision.
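The infrastructure signals named in the feature list and in the FAQ above (SPF/DMARC failures, unusual hop patterns, free email providers) can be pulled straight from message headers. The following is an added illustration, not Sublime's code or MQL: it parses a constructed raw message with Python's standard library and returns the signals it finds. The free-provider list and the hop-count baseline are assumptions for the demo.

```python
import re
from email import message_from_string, utils

# Constructed for this example; a real deployment would use curated lists/feeds.
FREE_MAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
EXPECTED_MAX_HOPS = 4  # hypothetical baseline for an "unusual hop pattern"

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg):
    """Map spf/dkim/dmarc -> result, keeping the first (outermost) header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(hdr):
            results.setdefault(mech.lower(), verdict.lower())
    return results


def infrastructure_signals(raw_message):
    """Return the infrastructure signals found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    signals = []
    auth = auth_results(msg)
    for mech in ("spf", "dmarc"):  # authentication failures
        if mech in auth and auth[mech] != "pass":
            signals.append(f"{mech}_{auth[mech]}")
    hops = msg.get_all("Received", [])  # one header per relay hop
    if len(hops) > EXPECTED_MAX_HOPS:
        signals.append(f"unusual_hop_count:{len(hops)}")
    _, addr = utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in FREE_MAIL_PROVIDERS:
        signals.append(f"free_mail_provider:{domain}")
    return signals


# Constructed sample: an invoice lure relayed through extra hops.
SAMPLE = """\
Received: from relay4.example.test ([192.0.2.4]) by mx.example.test; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay3.example.test ([192.0.2.3]) by relay4.example.test; Mon, 1 Jan 2024 10:00:04 +0000
Received: from relay2.example.test ([192.0.2.2]) by relay3.example.test; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay1.example.test ([192.0.2.1]) by relay2.example.test; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [198.51.100.7] by relay1.example.test; Mon, 1 Jan 2024 10:00:01 +0000
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=gmail.com; dkim=none; dmarc=fail header.from=gmail.com
From: "Accounts Payable" <ap-update@gmail.com>
Subject: Updated wire instructions

Please update the bank details on file before the next payment run.
"""
```

Calling `infrastructure_signals(SAMPLE)` yields the failed SPF and DMARC results, the five-hop path, and the free-provider sender domain; each of these is a signal a hunt could pivot on before converting it into a detection rule.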

Now is the time.

See how Sublime delivers autonomous protection by default, with control on demand.