
Sublime for email detection engineers
Give your detection engineers everything they need to hunt threats and then write, test, and iterate on rules with our comprehensive detection engineering workbench.

Built for detection engineers, by detection engineers
Sublime's detection engineering capabilities give you the tools to adapt to novel threats with speed and precision.
Agentic detection
Our Autonomous Detection Engineer (ADÉ) writes rules for novel attacks, so engineers never need to write a rule from scratch.
Tools for iteration
Our rule editor's VS Code-like interface lets detection engineers test their rules directly against real attacks and iterate on them in place.
Backtest immediately
After writing a rule, engineers can backtest it against retained messages at scale, see how it would have performed, and tune it for accuracy.
The promise of an agent continuously tailoring and backtesting new protections for our environment is a force multiplier. It means our defenses don't just work, they evolve—we get the benefit without having to do the work.
Autonomous Detection Engineer
ADÉ takes results from ASA (Sublime's Autonomous Security Analyst) and creates new coverage, so you don't have to. After a detection has been autonomously written, backtested, iterated upon, and finalized, a human analyst is notified for final review before it is added to your instance of Sublime.
Detection engineer workbench
In the detection engineering workbench, starting from the EML Analyzer, engineers can create a rule, test it against a real message, see where the logic falls short, iterate, and re-test until the rule behaves as expected.
Write better rules
Rules require balance. Too broad a rule produces false positives; too narrow a rule misses variants and produces false negatives. Sublime's detection engineering platform lets teams strike the right balance.
Sublime offers a standardized JSON schema for representing an email message, the Message Data Model (MDM), and a universal, email-provider-agnostic domain-specific language, Message Query Language (MQL), for rules, hunts, and response actions.

Rules can stack an open-ended set of detection signals, exposed as MQL functions and enrichments: file analysis, intent analysis, sender behavior, ML-powered link analysis, QR code analysis, logo detection, Base64 decoding, entity recognition and more.

Rules can be backtested against all retained messages, so efficacy is measured on real traffic rather than estimated.

Hunts and detection rules are both written in MQL, so a successful hunt can be promoted to a detection rule that catches future instances of the same attack.
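What a rule in this DSL looks like, as an added illustration that is not one of Sublime's published rules: the file uses Sublime's YAML rule format with the MQL query in `source`. It stacks three independent signals (sender history, link-domain age, and ML intent analysis) so that no single weak indicator fires the rule on its own. The rule name, the 30-day threshold, the confidence level and the choice of signals are assumptions for the example; the MQL functions and lists used (`type.inbound`, `profile.by_sender()`, `network.whois()`, `ml.nlu_classifier()`, `$org_domains`) are taken from the publicly documented MQL and should be checked against the MQL reference in your own instance before use.

```yaml
# Added example rule (illustrative, not a Sublime-published rule).
name: "Credential phishing: new sender, newly registered link domain, credential-theft intent"
description: "Stacks sender prevalence, link-domain age and NLU intent so that no single signal alone triggers the rule. Thresholds are illustrative and should be tuned after backtesting against retained mail."
type: "rule"
severity: "high"
source: |
  type.inbound
  // Signal 1: sender profiling. The sender is new to the organization or an
  // outlier, and has no history of benign mail with it.
  and profile.by_sender().prevalence in ("new", "outlier")
  and not profile.by_sender().any_messages_benign
  // Signal 2: at least one link to a root domain that is not one of ours and
  // was registered less than 30 days ago (threshold is an assumption).
  and any(body.links,
          .href_url.domain.root_domain not in $org_domains
          and network.whois(.href_url.domain).days_old < 30
  )
  // Signal 3: ML intent analysis on the latest message in the thread rates
  // the text as credential theft with high confidence.
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
  )
  // Suppress senders already marked as false positives in the sender profile.
  and not profile.by_sender().any_false_positives
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
```

Because hunts and rules share the same MQL, the `source` block can first be run as a hunt and backtested against retained messages; if the hit rate and false-positive rate are acceptable, the same query is saved as the rule above. Each signal on its own (a new sender, a young domain, phishing-like wording) is common in legitimate mail, which is why the example requires all three before it fires.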

Complete detection engineering platform capabilities
Advanced features designed for modern detection engineers who need precision and control.
Write complex detection logic in MQL, a domain-specific query language built for email.
Test rules against real attacks in a VS Code-like development experience.
Validate rule performance against retained messages for accurate efficacy measurement.
Build reusable components that can be combined into more sophisticated detection strategies.
Modify and test detection rules instantly, without waiting on the vendor to ship a change.
Deploy custom YARA signatures to detect, hunt for, and block email-originating malware and ransomware.
Turn successful threat hunts into automated detection rules.
Use the standardized MDM schema for consistent rule development across teams.
Ready to empower your detection engineers?
Experience how Sublime's detection engineering platform transforms email security rule development and testing.
Frequently asked questions
What makes Sublime's detection engineering platform different from traditional email security?
Sublime provides full transparency through MQL and a standardized data model, unlike black-box solutions whose detection logic cannot be inspected. For advanced teams, the platform is fully extensible: you can write, test, and iterate on custom detections with complete visibility into the detection logic and its measured performance.
How does the EML Analyzer improve detection rule development?
The EML Analyzer offers a VS Code-like interface where detection engineers can test rules against real attacks, see exactly where the logic falls short, iterate on it, and re-test until the rule behaves as expected.
Can I backtest detection rules against historical email data?
Yes, Sublime's detection engineering platform allows engineers to backtest rules against all retained messages to accurately measure efficacy, tune for precision, and validate performance before deploying to production environments.
What is Message Query Language (MQL) and how does it work?
MQL is Sublime's domain-specific query language for writing detection rules and hunts. It provides a readable syntax with ML-powered functions, enrichments, and signal stacking (combining several individually weak indicators into one high-confidence detection), designed specifically for email security detection engineering.
How do I convert threat hunts into automated detection rules?
Both hunts and detection rules use the same MQL syntax in our detection engineering platform. Successful hunts can be converted into real-time detections with a few clicks, enabling proactive protection against similar future threats.
Now is the time
See how Sublime delivers autonomous protection by default, with control on demand.