Community Rules Drive Sublime Adoption
Sublime Security
The open-source rules repo makes product adoption start before a sales call ever happens. A security engineer can find Sublime on GitHub, pull community maintained detections into the dashboard through Git backed rule feeds, and see real attacks caught in their own environment. That turns rule authors, users, and evaluators into one funnel, while also making the commercial product better as more community rules become part of the default catalog.
-
This works because the open component is close to the paid workflow, not a side project. Sublime publishes MIT licensed rules in a public repository, and its docs show those rules flowing directly into the product through rule feeds, so community activity maps cleanly into trials and enterprise deployments.
-
The model also differentiates Sublime from AI native rivals like Abnormal, whose detection system is described as closed and not customer modifiable. In practice, Sublime lets a security team inspect a detection, tweak the rule logic, and promote it into production, which gives regulated buyers more control and creates deeper product engagement.
-
Against incumbents like Proofpoint, the advantage is speed. Proofpoint processes email at huge scale and added AI through the Tessian acquisition, but its broader suite structure slows iteration. A community fed rule layer gives Sublime a way to ship new detections as fast as practitioners encounter fresh phishing tactics.
This pushes email security toward a model that looks more like developer infrastructure, where the best product also becomes the place practitioners build and share defenses. If Sublime keeps turning community authored detections into production grade coverage, open source can remain both a distribution edge and a compounding data moat.