Material slower to adopt LLM detections
Sublime Security
Material Security’s slower rollout of LLM-specific detections reflects a product strategy centered on limiting blast radius after an email lands, not on winning the race to classify every new AI-written message at the inbox edge. Its core controls are message redaction, account hardening, and step-up authentication, while newer entrants like Sublime are building dedicated models and rule systems for AI-generated business email compromise and image based deception.
-
Material has publicly emphasized layered phishing defense, user reports, expert rules, and selective use of ML and LLMs for analyst explanation and remediation guidance, rather than positioning LLMs as a front line detection engine for new attack patterns.
-
Sublime is pushing faster on AI-native detection. It parses every email into structured data, lets teams write custom detection logic, and uses language models for intent and urgency analysis plus computer vision for fake logos, QR codes, and text hidden inside images.
-
IRONSCALES has long leaned on user reported phishing, clustering, and automated response, and only recently began pushing AI agents more directly against AI-driven phishing. That makes the newer wave of LLM-specific detection a recent competitive reset across the category, not just a Material issue.
The market is moving toward systems that both understand AI-generated social engineering and let security teams tune detections quickly when attackers change prompts, tone, or formatting. Vendors that combine strong pre-delivery judgment with post-compromise controls will set the pace, and slower detection cycles will increasingly push platforms toward a narrower role inside the email security stack.