Sublime Security launches Autonomous Detection Engineer, an AI agent that detects threats and improves detection

Josh Kamdjou, Founder and CEO of Sublime Security

Sublime Security, which makes an AI-powered email security platform, has announced the Autonomous Detection Engineer [ADE], an industry-first, end-to-end AI agent that detects threats and automatically creates or improves detection coverage at scale. ADE transparently bridges coverage gaps, which lets users avoid vendor bottlenecks and take control of their coverage – without requiring any specialized coding skills.

“In the world of AI attacks, we believe in fighting fire with fire,” said A.J. Williams, Product Manager at Sublime Security. “First, we launched ASA, our defensive AI agent that autonomously triages user reports around the clock. Now we’re going a step further, with an AI agent that automatically responds to the evolving threat landscape.”

Williams made it clear that ADE was very different from agents of the past:

“It breaks from the norms of both traditional (rules-based) and modern (AI-based) email security solutions,” he said. “It is a transparent and explainable AI, not a black box. It writes clear, AI-powered Detection Rules that analysts can understand and verify, not hidden logic that just needs to be trusted. And maybe most importantly, it closes coverage gaps per-environment rather than applying one-size-fits-all rules to all Sublime users at once.”

“What may seem like just a productivity nuisance flooding a user with tens of thousands of non-malicious messages is often more insidious,” said Josh Kamdjou, Founder and CEO of Sublime Security. “Email bombs are often used to cover up an out of band social engineering attack, an external ATO/fraud, or other attacker activity. One of the biggest challenges with defending against this is not just detection, but prevention and remediation, since the user likely receives legit business mail throughout the period of the email bomb. For detection of the bomb, we first create a baseline per-mailbox, and then detect anomalies/spikes over sustained periods of time. For prevention/remediation, we use a variety of AI/ML techniques to separate out legitimate mail from the bomb including our new NLU 3.0, topic modeling, Attack Score, and more.”

With 90% of malicious emails customized to target specific organizations, security teams are expected to respond in a similar, but unrealistic, manner with their own tailored coverage – a manual, time-intensive process that can’t keep pace with the volume of attacks. Unlike traditional solutions, which rely on user-generated updates or vendor-initiated coverage updates, ADE analyzes both unflagged and user-reported attacks to build attack patterns and to write, test, and validate new tailored coverage. It analyzes historical data at scale, iterates on detection strategies, and submits high-efficacy detection protections for human review, cutting coverage timelines from days to hours.

“A key problem organizations face is the speed at which their defensive solutions can adapt and respond,” Kamdjou stated. “With ADE, we’re now offering a team of digital security agents that autonomously generates clear, evolving protections against new attacks within hours, not weeks. Together with ASA, Sublime’s Autonomous Security Analyst, ADE gives enterprises defenses that adapt as quickly as attackers, while preserving the visibility and control that matter most.”

ADE continuously improves in step with adversaries, turning attack telemetry into transparent and auditable protection that security teams can trust. It collaborates with Sublime’s other agents, including ASA, to investigate, engineer, and validate protections, closing the loop on novel techniques.

ADE also enables a multi-agent system in the Sublime platform which is built on four key functionalities to keep human analysts informed, in control, and armed with the insights they need most.

First is deep analysis, where ASA triages suspicious or user-reported emails and produces a behavioral analysis based on attack vectors and key indicators. Second is protection engineering: using ASA’s findings, ADE translates threat intelligence into concrete protections and refines existing coverage in Sublime’s proprietary Message Query Language (MQL). Analysts do not need to write any protective logic manually, which democratizes detection engineering so that even those without deep MQL knowledge can contribute.

The third point is smart refinement and validation where, before any proposal is deployed, ADE backtests it across historical data to validate precision, reduce false positives, and confirm that similar past attacks would have been stopped. Finally comes human approval, where analysts remain in control, with the ability to review and approve ADE’s recommendations with full visibility into its rationale.

“ADE isn’t a replacement for analysts and detection engineers – it’s a defensive power-up that amplifies their impact,” Williams stated. “It helps teams close detection gaps faster from weeks to hours. Closing gaps faster means security evolves as quickly as adversaries do. Unlike other LLM-based Rule generators, ADE completes 100% of the work for you. Proposals are already engineered to work effectively at scale in your environment.”

The rollout of ADE comes during a period of strong momentum for Sublime. The company raised a $60M Series B funding round in December 2024 and launched its first AI agent, ASA, in April to fully automate the triage and remediation of user-reported emails.

ADE is now available to Sublime Enterprise customers across Google Workspace and Microsoft 365.