Sublime's Editable Email Detections

Abnormal operates with closed detection systems that customers cannot modify.
Analyzed 8 sources

This is a product design choice that puts Abnormal closer to an autopilot model than a detection engineering platform. In practice, customers buy Abnormal for managed outcomes from a large shared model that learns across tens of thousands of tenants, but they do not get the kind of rule-level control where an internal security team can inspect logic, tune a detection, or write a new one for a niche attack the moment they see it. That makes Abnormal easier to deploy, but less adaptable for teams that want security tools to behave like software they can edit.

  • Sublime is built around the opposite model. It ingests mail from Microsoft 365, Google Workspace, or IMAP, converts messages into a structured data model, and lets analysts create or modify live detections in Message Query Language. Its docs and product pages show teams can create new rules directly and share them through open feeds and Git repos.
  • The practical difference shows up on edge cases. If a finance team is hit by a new vendor impersonation pattern or a region-specific scam, a closed system means waiting for the vendor to ship coverage. A programmable system lets the customer write a narrow rule, test it on historical mail, and publish it quickly.
  • Material Security is a useful contrast because it emphasizes post-compromise controls. Its product centers on scanning mailboxes for sensitive content, redacting messages, and gating access with MFA, which helps after account access is at risk, but is a different workflow from giving customers a detection language to shape frontline filtering behavior.

Email security is moving toward tools that combine shared AI with customer-editable logic. As AI-generated phishing changes faster and gets more tailored, vendors that let defenders turn what they learn in one incident into a reusable rule and then spread that rule across teams should gain ground, especially in large enterprises and regulated environments that need transparent decisions.