
Sublime: Rewriting the Rules of Email Security

Today, we’re incredibly excited to announce our investment in Sublime, the first open security platform that lets anyone write, run, and share rules to detect and block email threats. Sublime has been quietly securing email infrastructure for Fortune 500s, Global 2000s, and FTSE 250s and managing a 2,500-organization waitlist, all while in private beta.

Founders Joshua Kamdjou and Ian Thiel saw a painful gap in the email security landscape that inspired them to start Sublime. Josh did offensive security at the Department of Defense for years, while Ian worked in product and growth at companies like Optimizely and Alto. Together, they’ve built a platform that rejects the traditional black box, walled-garden approach and instead empowers security teams to control their email environments. There’s also Sublime’s secret ingredient — the power of a unified security community.

We spoke to Josh and Ian about how Sublime came to life, and their vision for the future of email security in our Founder Q&A:

Where did you grow up and what got you interested in cybersecurity?

Josh: I grew up in Rockville, Maryland as a first-generation American. My parents escaped the Iranian revolution and came over to the United States to study. At the time, my mom was one semester shy of graduating from Tehran University, but she had to start all over again when her credits didn’t transfer in America. Despite all that, she persisted and got her degree in civil engineering. Her resolve was a big driver in my early life.

I grew up competing internationally in Taekwondo and still have a soft spot for martial arts. As a software engineer, especially in cybersecurity, it’s easy to see the parallels. Your opponent is on the attack and to defend well, you must think like them, predict their next move, place traps and counter. There’s a chess-like back and forth to it all. In high school, I dove into programming, particularly IT. I racked up a few certifications and learned networking through various Cisco courses. I ended up spinning up networks with VMware, AD, Windows/Linux hosts, and routers.

Then, like any teenager, I figured it might be fun to learn how to break into those systems. Once I got my hands on Metasploit I was hooked, and owe so much to its legendary creator H.D. Moore. I decided I wanted to focus on security and ended up starting my career at the Department of Defense right out of high school.

Josh training for his next Taekwondo competition in 2007

Ian: I was born in West Germany just before the wall came down as both of my parents served in the US military and were stationed at various military bases there. The energy and positivism of post-reunification Germany was electric, and it left a profound impact on me during formative years. Moving constantly taught me that to succeed and thrive I had to be able to adapt to any environment, and constantly saying goodbye to friends taught me to appreciate the deep and enduring value of friendships and community. I carry this with me today as a founder.

How did you two meet?

Ian: In brief: we were very lucky. An old friend would occasionally connect me with DC founders to give them advice on product and customer development. I had probably done a few dozen of those calls over the years. Then, she connected me with Josh. We hit it off immediately, and what really struck me was this: most founders I’d met were interested in their solution, and Josh was the first that seemed truly committed to solving a problem. By the end of that first call, we’d decided to begin exploring partnering together on Sublime.

Why did you choose to focus on email security?

Ian: Josh is the driving force behind Sublime’s vision, and he’s literally spent his life thinking about how to bypass email security protections. That offensive perspective is woven into the very DNA of this company.

Email excites us because it touches everyone. It’s a universal, global protocol for communication. We think that’s incredibly powerful and beautiful, but it can also be exploited by cyber criminals and nation states to hurt innocent people. Solving that problem, and making the internet just a bit safer and happier, is worth spending life units on.

Josh and Ian working on an early Sublime prototype

What makes email ripe for both exploitation, and innovation?

Josh: To put it simply, email was designed 40+ years ago and hasn’t changed much. Meanwhile, the world around email has changed drastically, to say the least. We’re doing much more than trying to get a message from one person to another. That’s what the core of email was designed to do 40 years ago. Now email isn’t as simple. It’s embedded into our infrastructure, programmable via APIs, and it functions as a door into any organization and individual. Email has become critical to businesses and our daily lives and must be secure.

Email is so heavily abused because it’s ubiquitous, open, and the barrier to running an attack is incredibly low. You can target anyone, anywhere — it’s an amazing initial access vector. The average hacker can pick up a few open source tools or buy software as cheap as $5 to start a phishing campaign. The low barrier makes those attacks more common. Meanwhile, more sophisticated attacks by organized cybercrime groups and nation states are on the rise due to the lucrative financial returns of a successful BEC or ransomware attack.

A Sublime rule for detecting an HTML smuggling attack

What makes Sublime unique in the email security space?

Ian: Sublime gives teams two things that have traditionally been difficult or impossible: control and collaboration.

Traditional approaches to email security have a few key weaknesses. Every organization and email environment is so unique, it becomes very difficult for a single set of detections to work for everyone without accidentally blocking legitimate email or missing important attacks. This is the “one-size-fits-all” problem. Sublime solves this by giving teams control, allowing them to decide which rules to run, and to modify those rules to suit their unique needs. We’ve also made this easy enough for a T1 analyst to do it!

When teams see phishing emails landing in their environments, there’s little to nothing they can do about it beyond notifying their email security vendor and hoping for an update that can sometimes take weeks, months, or even years. This is the “vendor bottleneck” problem. Sublime solves this by letting anyone write and share custom detection rules, removing that bottleneck for adapting to newly observed phishing techniques. Large, sophisticated enterprise teams often already have some custom detection pipelines and logic for email, but Sublime makes this plug-and-play and introduces a common framework to foster collaboration within and across organizations. Today, ⅓ of the detection rules in the Sublime Core Feed were written by community members and vetted by our team.

Lastly, it’s self-hostable, free, you can threat hunt using arbitrary query logic, leverage organizational context like sender history, and combine simple rule logic with machine learning techniques like Computer Vision (CV), Natural Language Understanding (NLU), and more.

What’s your vision for Sublime?

Josh: Our vision is a safer internet where defenders take back the advantage. The InfoSec community already uses domain-specific languages for detection and response in all other areas of security: YARA for binaries, Snort/Suricata for packets, osquery/EDR for endpoint, Sigma/EQL for logs. Now, there’s Sublime for email.

When security teams have more control and can speak the same language as other teams, it’s a win for the good guys. Instead of bad actors attacking disparate, isolated organizations it’s a united front of companies fighting back by sharing their best detection rules for new attacks.

We believe that when everyone’s in on the fight, we’re more likely to win. And we plan on winning.