Sublime for email detection engineers

Give your detection engineers everything they need to hunt threats and then write, test, and iterate on rules with our comprehensive detection engineering workbench.

The promise of an agent continuously tailoring and backtesting new protections for our environment is a force multiplier. It means our defenses don't just work, they evolve—we get the benefit without having to do the work.

Roger Allen
Senior Director, Global Head of Detection and Response, Sprinklr

Built for detection engineers, by detection engineers

Sublime's detection engineering capabilities give you the tools to adapt to novel threats with speed and precision.

Agentic detection

Our Autonomous Detection Engineer (ADÉ) writes rules for novel attacks, so engineers never need to write a Rule from scratch.

Tools for iteration

Our rule editor’s VS Code-like interface lets detection engineers test and iterate their rules directly against real attacks.

Backtest immediately

After writing a Rule, engineers can retroactively evaluate its performance at scale and tune for accuracy.

Autonomous Detection Engineer

ADÉ takes results from ASA and creates new coverage, so you don’t have to. After a detection has been autonomously written, backtested, iterated upon, and finalized, a human analyst is notified for final review before it’s added to your instance of Sublime.

Detection engineer workbench

In the EML Analyzer, engineers can create rules, test them against real attacks, see exactly where issues exist, iterate, and re-test until the rule meets their expectations, all within the detection engineering workbench.

Write better rules

Rules require balance. Broad rules lead to false positives and narrow rules to false negatives. Sublime's detection engineering platform lets teams strike the right balance.

01

Public data model and query language

Sublime offers a standardized JSON schema for representing an email message (MDM), as well as a universal, email-provider agnostic domain-specific language (DSL) for Rules, Hunts, and response Actions.

02

Stack detection signals

Engineers can write AI-powered rules against an open-ended set of detection signals using functions like file analysis, intent analysis, sender behavior, ML-powered link analysis, QR code analysis, logo detection, Base64 decoding, entity recognition and more.

03

Backtest against historical data

Rules can be backtested against all retained messages to more accurately determine efficacy.

04

Turn Hunts into Rules

Hunts and Detection Rules are both written in MQL, so a successful Hunt can be turned into a powerful Detection Rule that prevents future attacks.
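The trade-off set out above (broad rules produce false positives, narrow rules false negatives, and backtesting against retained mail is how you measure which you have) and the signal-stacking idea from item 02, as an added stand-alone Python sketch. This is not Sublime's MQL, its MDM schema or its backtesting engine; the message fields, the protected domain example.com, the lookalike blocklist, the intent terms and the eight labelled messages are all constructed assumptions for the illustration. Three candidate rules are run over the same corpus and scored for precision and recall so the difference between a wording-only rule, a blocklist rule and a stacked rule is visible in numbers.

```python
"""Backtest three candidate email-detection rules against a labelled corpus.

Added example. The data model, field names and rules below are assumptions
for illustration, not Sublime's MDM schema or MQL.
"""
from typing import Callable
from urllib.parse import urlparse

# Constructed, labelled sample standing in for "retained messages".
RETAINED = [
    {"id": 1, "sender_domain": "paypa1-secure.com", "dmarc_pass": False,
     "subject": "Action required: verify your account",
     "links": ["https://paypa1-secure.com/login"], "malicious": True},
    {"id": 2, "sender_domain": "microsoft-support.co", "dmarc_pass": False,
     "subject": "Your password expires today",
     "links": ["https://m1crosoft-login.co/reset"], "malicious": True},
    {"id": 3, "sender_domain": "docusign-notify.net", "dmarc_pass": False,
     "subject": "Please review and sign: Invoice 4471",
     "links": ["https://docusign-notify.net/sign"], "malicious": True},
    # Sent from a partner domain that passes DMARC (compromised account).
    {"id": 4, "sender_domain": "partner-corp.com", "dmarc_pass": True,
     "subject": "Urgent: update payment details for this month",
     "links": ["https://payment-update-portal.xyz/pay"], "malicious": True},
    # Legitimate IT notice from the protected org itself.
    {"id": 5, "sender_domain": "example.com", "dmarc_pass": True,
     "subject": "Action required: verify your MFA enrollment",
     "links": ["https://sso.example.com/enroll"], "malicious": False},
    {"id": 6, "sender_domain": "paypal.com", "dmarc_pass": True,
     "subject": "Your receipt from Example Store",
     "links": ["https://www.paypal.com/activity"], "malicious": False},
    {"id": 7, "sender_domain": "github.com", "dmarc_pass": True,
     "subject": "[GitHub] Please verify your device",
     "links": ["https://github.com/sessions/verified-device"], "malicious": False},
    # Vendor newsletter with a misconfigured DMARC record: auth fails, benign.
    {"id": 8, "sender_domain": "news.vendor.example", "dmarc_pass": False,
     "subject": "October product update",
     "links": ["https://vendor.example/blog"], "malicious": False},
]

ORG_DOMAINS = {"example.com"}       # assumed: the protected organisation
KNOWN_BAD = {"paypa1-secure.com"}   # assumed: one lookalike already seen
INTENT_TERMS = ("verify", "password", "action required", "sign", "payment")


def root_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for this sample; a real rule
    needs a public-suffix list to handle names such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def link_domains(msg: dict) -> set:
    return {root_domain(urlparse(u).hostname or "") for u in msg["links"]}


def credential_or_payment_intent(msg: dict) -> bool:
    subject = msg["subject"].lower()
    return any(term in subject for term in INTENT_TERMS)


def rule_broad(msg: dict) -> bool:
    """Subject wording alone: catches everything, including our own IT mail."""
    return credential_or_payment_intent(msg)


def rule_narrow(msg: dict) -> bool:
    """One hard-coded lookalike domain: zero false positives, misses the rest."""
    return msg["sender_domain"] in KNOWN_BAD


def rule_stacked(msg: dict) -> bool:
    """Stack weak signals: credential/payment intent AND (authentication
    failure OR a link pointing off the sender's domain) AND not our own domain."""
    sender_root = root_domain(msg["sender_domain"])
    if sender_root in ORG_DOMAINS:
        return False
    off_domain_link = any(d != sender_root for d in link_domains(msg))
    return credential_or_payment_intent(msg) and (
        not msg["dmarc_pass"] or off_domain_link
    )


def backtest(rule: Callable[[dict], bool], corpus: list = RETAINED) -> dict:
    """Run a rule over every retained message and score it against the labels."""
    tp = fp = fn = 0
    for m in corpus:
        hit = rule(m)
        tp += int(hit and m["malicious"])
        fp += int(hit and not m["malicious"])
        fn += int(not hit and m["malicious"])
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": round(precision, 3), "recall": round(recall, 3)}


if __name__ == "__main__":
    for name, rule in (("broad", rule_broad), ("narrow", rule_narrow),
                       ("stacked", rule_stacked)):
        print(f"{name:8s} {backtest(rule)}")
```

On this corpus the broad rule keeps full recall but flags the org's own MFA notice and a GitHub device verification, the narrow rule is perfectly precise but finds one of four attacks, and the stacked rule catches all four, including the DMARC-passing one, because it does not hinge on any single signal. The same loop is what a backtest over the real retained set does at scale; the numbers, not the rule's plausibility, are what you tune against.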

Ready to empower your detection engineers?

Experience how Sublime's detection engineering platform transforms email security rule development and testing.

Complete detection engineering platform capabilities

Advanced features designed for modern detection engineers who need precision and control.

Message Query Language (MQL)

Write complex detection logic with our intuitive, domain-specific query language.

EML Analyzer testing interface

Test rules against real attacks with VS Code-like development experience.

Historical message backtesting

Validate rule performance against retained messages for accurate efficacy measurement.

Modular detection logic

Build reusable components that can be combined for sophisticated detection strategies.

Real-time rule iteration

Modify and test detection rules instantly without vendor dependencies or delays.

YARA

Deploy custom YARA signatures to detect, hunt, and prevent email-originating malware and ransomware.

Hunt-to-Rule conversion

Transform successful threat hunts into automated detection rules seamlessly.

Public data model access

Leverage standardized MDM schema for consistent rule development across teams.

What our customers are saying

The black box approach to email security no longer works. It reduces visibility on how Brex may be attacked and the tactics and techniques used by attackers. With Sublime, we now have transparency and the confidence to keep up with emerging threats.

Mark Hillick
CISO, Brex

The ability to automate remediations with high confidence and minimize manual reviews unlocks a new level of efficiency in our SOC. It’s hard to imagine going back to life before Sublime.

JJ Agha
CISO, Fanduel

What I love about the platform is that it just works. I’m so tired of all these tools I have to futz with, and Sublime is just easy.

Jason Kikta
CISO, Automox

With Sublime, we no longer wait weeks for vendor updates. Our team reacts instantly - which is critical for our fast-moving environment.

Ronald Richards
OVO Energy

Latest from Sublime

November 3, 2025, Attack spotlight
ICS phishing: Stopping a surge of malicious calendar invites
Ahry Jeon, Product Manager; Brandon Murphy, Detection

October 28, 2025, Sublime news
Sublime raises $150M Series C to arm defenders for the post-LLM world
Josh Kamdjou, Co-founder & CEO; Ian Thiel, Co-founder & COO

October 23, 2025, Attack spotlight
Direct Send abuse on Microsoft 365: Just another failed authentication
Peter Djordjevic, Detection

Frequently asked questions

What makes Sublime's detection engineering platform different from traditional email security?
Sublime provides full transparency with MQL and standardized data models, unlike black-box solutions. For advanced teams, the platform is fully extensible, allowing you to write, test, and iterate on custom detections with complete visibility into detection logic and performance.
How does the EML Analyzer improve detection rule development?
EML Analyzer offers a VS Code-like interface where detection engineers can test rules against real attacks, see exactly where issues exist, iterate on logic, and re-test until rules meet expectations within the detection engineering platform.
Can I backtest detection rules against historical email data?
Yes, Sublime's detection engineering platform allows engineers to backtest rules against all retained messages to accurately measure efficacy, tune for precision, and validate performance before deploying to production environments.
What is Message Query Language (MQL) and how does it work?
MQL is Sublime's domain-specific query language for writing detection rules and hunts. It provides intuitive syntax with ML-powered functions, enrichments, and signal stacking capabilities designed specifically for email security detection engineering.
How do I convert threat hunts into automated detection rules?
Both hunts and detection rules use the same MQL syntax in our detection engineering platform. Successful hunts can be converted into real-time detections with a few clicks, enabling proactive protection against similar future threats.

Now is the time.

See how Sublime delivers autonomous protection by default, with control on demand.