DFIRLab

Security research, threat intelligence, and free DFIR tools.

© 2026 DFIR Lab. All rights reserved.
COMPARISON · UPDATED April 2026 · CATEGORY Email security · SOURCES Official docs + live code

DFIR Platform vs Sublime Security

Sublime Security is a full email security platform that sits inline with Microsoft 365 or Google Workspace and runs detection-as-code on every inbound message. DFIR Platform is a focused IOC enrichment and phishing-check API for analyst triage and automation. Different categories — here's an honest look at where each one fits.
TL;DR · DECISION GUIDE · FACT-CHECKED

Use Sublime Security when

  • You need to stop phishing, BEC, and malware at delivery across a Microsoft 365 or Google Workspace tenant.
  • You have a detection engineering function and want to write, version, and backtest MQL rules as code.
  • You need auto-remediation (quarantine, trash, warning banners) across every user mailbox.

Use DFIR Platform when

  • You want an API to enrich IPs, domains, URLs, or hashes against 14 integrated sources on demand.
  • You need a free shareable phishing-check tool without connecting your mail tenant or creating accounts.
  • You're building n8n, Tines, or SOAR playbooks that enrich IOCs extracted from alerts or user reports.
01 · KEY TAKEAWAYS

The headline, in three sentences.

  1. Sublime is a managed email security gateway with MQL-based detection rules and AI agents — it processes every inbound message at delivery.
  2. DFIR Platform is an API-first enrichment tool: unified IOC lookups, a free /phishing-check, exposure scanning, and AI triage on one credit pool from $0.
  3. They're complementary — Sublime handles detection at delivery; DFIR Platform handles analyst triage, IOC extraction, and automation on escalated cases.
02 · COVERAGE MATRIX

Feature-by-feature coverage.

Every row is a single capability, scored against a common scale so the argument is quantitative, not rhetorical.

Scoring legend: 100 = full native support, 50 = partial or documented workaround, 0 = not offered. The rendered bars sit slightly off those anchors (92, 55 and 8) but each maps onto exactly one of them. Ties and partials are rendered as such, with no spin.

Capability                                                       Note                          DFIR Platform  Sublime Security
Inline email security / gateway                                  Not an MTA                               8%               92%
Detection engine (MQL rules + ML)                                MQL + ML + AI agents                     8%               92%
Open-source detection rules                                      sublime-rules on GitHub                  8%               92%
Auto-remediation / quarantine at delivery                        Trash, quarantine, banners               8%               92%
Multi-source IOC enrichment (IP/domain/URL/hash)                 Up to 11 sources per IOC                92%               55%
Batch IOC enrichment endpoint                                    Up to 50 IOCs/request                   92%                8%
Free public phishing-check tool (shareable)                      dfir-lab.ch/phishing-check              92%               55%
Self-serve paid tier under $100/mo                               Starter $29, Pro $99                    92%                8%
Unified credit pool (enrich + phishing + exposure + AI triage)   Single-product scope                    92%                8%
Works without connecting your mail tenant                        API-first, no OAuth to M365             92%                8%
03 · HONEST ASSESSMENT

What each side does best.

Picking a tool isn't about who wins overall — it's about who fits the workload in front of you.
THEIR STRENGTH · Sublime Security
01 · THEM

Full email security coverage at delivery

Sublime sits inline with Microsoft 365, Google Workspace, or IMAP and inspects every inbound message. It detects BEC, credential phishing, malware, QR phishing, and callback phishing before users see them — something an enrichment API fundamentally cannot do.

02 · THEM

MQL — detection-as-code rule engine

Message Query Language lets detection engineers write, version-control, and backtest rules against a structured Message Data Model. Combined with ML signals (computer vision, NLU, OCR) and AI agents (ADÉ, ASA), coverage adapts to novel attacks in hours.

03 · THEM

Open-source rule marketplace

The sublime-security/sublime-rules repository on GitHub (353+ stars) is a public, community-maintained library of hundreds of detection rules. Any team — even Core users — can read, fork, and contribute, which is rare in this category.

04 · THEM

Flexible deployment including self-hosted

Deployment options include managed SaaS, single-tenant SaaS, self-managed in AWS (including GovCloud) or Azure, and Docker for evaluation. That range is hard to match for regulated or data-residency-sensitive environments.

OUR EDGE · DFIR Platform
01 · DFIR

Unified IOC enrichment across 14 sources

A single API call aggregates up to 11 sources per IP, 8 per domain, 8 per URL, and 6 per hash — VirusTotal, AbuseIPDB, GreyNoise, Shodan, Censys, OTX, URLScan, Pulsedive, Hybrid Analysis, ThreatFox, IPVoid and more — returned in one normalized schema. Sublime ingests TI but doesn't aggregate multi-source reputation.

02 · DFIR

Self-serve pricing from $0 with no sales call

Free tier (100 credits/mo, no card), Starter at $29/mo, Professional at $99/mo, Enterprise custom. Sublime's Core is free up to 100 mailboxes but the full platform is Enterprise contact-sales — there's no published mid-tier.

03 · DFIR

One credit pool across a toolbox, not one product

The same key powers /enrich (IOC), /enrich/batch (up to 50 IOCs), /phishing-check, /exposure-scanner, /domain-lookup, and AI triage. Teams replace four point tools with one subscription — without adopting a full email gateway.

04 · DFIR

Shareable free /phishing-check — no tenant connection

dfir-lab.ch/phishing-check is a public, anonymous phishing-email analyzer an analyst can paste a header into for a second opinion. No M365/Workspace OAuth, no account, no mailbox quota. Sublime's EML Analyzer is free but requires account creation.

04 · SCENARIO

User-reported phish Sublime didn't block — analyst triages extracted IOCs

A finance user reports a wire-fraud email to the abuse mailbox. Sublime's Autonomous Security Analyst (ASA) triaged it as Unknown. The SOC analyst opens the message and extracts 1 sender IP, 3 embedded URLs, 2 linked domains, and 1 attachment SHA-256. They need multi-source reputation on all 7 indicators to decide whether to block at the firewall, hunt for historical matches, and update the internal rule set.

With Sublime Security
their path
In Sublime, the analyst can search the Message Data Model, read matched MQL detections, and pivot on message attributes inside the platform. Threat intelligence ingestion brings in external feeds, but Sublime is not designed to aggregate per-IOC reputation across VirusTotal, AbuseIPDB, GreyNoise, Shodan, OTX, and the like in a single normalized response. Writing a new MQL rule to cover the tactic is the natural next step — but enrichment of the specific IOCs still needs another tool.
With DFIR Platform
our path
The analyst posts all 7 indicators to DFIR Platform's /enrich/batch endpoint in one request. Each IOC returns a normalized verdict aggregated across up to 11 sources plus source-by-source breakdown and tags. Cost: 7 × 3 credits = 21 credits — inside the $0 Free tier. The sender IP comes back malicious on 4 sources, two URLs are known phish kits, and the hash is unknown. The analyst blocks, opens a hunt, and writes a matching MQL rule back in Sublime.
TAKEAWAY

Sublime's strength is detection and remediation at delivery; DFIR Platform's strength is fast, cheap, multi-source IOC triage when a message slips through or an analyst needs to pivot on extracted indicators. Teams running both get gateway coverage and analyst-grade enrichment without paying enterprise rates for both.
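The extraction-and-batch step of the scenario above, written out as an added example; this is not DFIR Lab's client code and not anything from Sublime. It parses a constructed user report with the Python standard library, takes the sender IP from the originating Received header, the links and their domains from the body, and the attachment's SHA-256, then packs the indicators into /enrich/batch bodies, prices the call, and sorts a constructed set of normalized verdicts into block / hunt / unknown. Only two numbers come from the page: the 50-IOC batch limit and 3 credits per batch IOC. The request shape {"iocs": [...]}, the response fields read by triage() (value, verdict, sources), the 5-credit cost of a single /enrich lookup (inferred from "500 credits ~ 100 single"), and every host, address and hash in the sample data are assumptions.

```python
import email
import hashlib
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

BATCH_LIMIT = 50     # "Up to 50 IOCs/request" (from the page)
CREDITS_BATCH = 3    # per IOC on /enrich/batch (scenario: 7 x 3 = 21)
CREDITS_SINGLE = 5   # per IOC on /enrich (assumed: "500 credits ~ 100 single")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s<>\"']+")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample report (assumed data): one external hop, three links, one attachment.
SAMPLE_EML = b"""\
Received: from mx.corp.example (mx.corp.example [10.0.0.5])
\tby mail.corp.example with ESMTP; Mon, 6 Apr 2026 09:12:01 +0000
Received: from relay.attacker.example (relay.attacker.example [203.0.113.42])
\tby mx.corp.example with ESMTP; Mon, 6 Apr 2026 09:11:58 +0000
From: "CFO" <cfo@corp-example.co>
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset=utf-8

<p>Confirm <a href="https://corp-example.co/confirm">here</a> or download
<a href="http://203.0.113.42/wire.pdf">instructions</a>.
Backup copy: https://docs-share.example/wire</p>
--B
Content-Type: application/pdf; name="wire.pdf"
Content-Disposition: attachment; filename="wire.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B--
"""

def is_internal(ip):
    # RFC 1918 / loopback hops are the local mail path, not indicators. (ipaddress's
    # stricter is_global would also reject the TEST-NET address used in the sample.)
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def extract_iocs(raw):
    """De-duplicated {"type", "value"} dicts: ip, url, domain, sha256."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    received = msg.get_all("Received") or []
    if received:  # MTAs prepend, so the last Received header is the originating hop
        found += [{"type": "ip", "value": ip} for ip in IPV4.findall(str(received[-1]))
                  if not is_internal(ip)]
    for part in msg.walk():
        if part.is_attachment():
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            found.append({"type": "sha256", "value": digest})
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL.findall(part.get_content()):
                url = url.rstrip(".,);")
                found.append({"type": "url", "value": url})
                host = urlsplit(url).hostname
                if host and not IPV4.fullmatch(host):
                    found.append({"type": "domain", "value": host})
                elif host and not is_internal(host):
                    found.append({"type": "ip", "value": host})  # IP-literal link
    # Keep first-seen order, drop repeats (the sender IP also appears as a link host).
    return list({(i["type"], i["value"]): i for i in found}.values())

def plan_batches(iocs):
    """Split IOCs into /enrich/batch bodies (assumed body shape {"iocs": [...]})."""
    return [{"iocs": iocs[i:i + BATCH_LIMIT]} for i in range(0, len(iocs), BATCH_LIMIT)]

def credit_cost(n):
    """Credits for n IOCs via the batch endpoint vs. one /enrich call each."""
    return {"batch": n * CREDITS_BATCH, "single": n * CREDITS_SINGLE}

def triage(results, min_sources=2):
    """Bucket normalized results (assumed fields: value, verdict, sources)."""
    out = {"block": [], "hunt": [], "unknown": []}
    for r in results:
        hits = sum(1 for v in r.get("sources", {}).values() if v == "malicious")
        if r.get("verdict") == "malicious" and hits >= min_sources:
            out["block"].append(r["value"])     # corroborated: block now
        elif r.get("verdict") in ("malicious", "suspicious"):
            out["hunt"].append(r["value"])      # single-source or weak: hunt first
        else:
            out["unknown"].append(r["value"])   # e.g. a never-seen hash
    return out

# Constructed response mirroring the scenario's outcome (assumed schema and values).
SAMPLE_RESULTS = [
    {"value": "203.0.113.42", "verdict": "malicious", "sources": {"virustotal": "malicious",
     "abuseipdb": "malicious", "greynoise": "malicious", "otx": "malicious", "shodan": "clean"}},
    {"value": "https://corp-example.co/confirm", "verdict": "malicious",
     "sources": {"urlscan": "malicious", "virustotal": "malicious"}},
    {"value": "https://docs-share.example/wire", "verdict": "suspicious",
     "sources": {"urlscan": "suspicious"}},
    {"value": "0" * 64, "verdict": "unknown", "sources": {}},
]
```

Against the constructed message, extract_iocs(SAMPLE_EML) returns the scenario's seven indicators, plan_batches() puts them in a single request, and credit_cost(7) gives 21 credits through the batch endpoint against 35 for one /enrich call per indicator. triage(SAMPLE_RESULTS) puts the four-source malicious IP and the two-source URL in the block list, the single-source suspicious URL in the hunt list, and the unknown hash aside. The min_sources threshold is the policy knob worth tuning: one feed flagging an indicator is a hunt lead, not grounds for a firewall block.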

05 · PRICING

Side-by-side tier comparison.

Both vendors quoted publicly where available. Where pricing requires a sales call, that's noted — no estimated numbers.

DFIR Platform (publicly priced, self-serve)

Tier           Included                                                 Price
Free           100 credits/mo, no credit card                           $0
Starter        500 credits (~100 single / 166 batch IOCs)               $29/mo
Professional   2,500 credits (~500 single / 833 batch IOCs)             $99/mo
Enterprise     Unlimited credits, on-prem option                        Custom

Sublime Security (Core free + Enterprise contact-sales)

Tier           Included                                                 Price
Core           First 100 mailboxes free, essential protection           $0
Enterprise     Full platform, premium support, advanced controls        Contact sales
Typical spend  Vendr median for Sublime deals (range $6.7K–$116K/yr)    ~$20K/yr
06 · USING BOTH

Using both together

Sublime handles detection and remediation at delivery — quarantining or banner-flagging messages that its MQL rules and AI agents catch. When a user still reports a message Sublime didn't block, or when an analyst needs to triage an extracted sender IP, embedded URL, or attachment hash across multi-source threat intelligence, they hit DFIR Platform's /enrich or /phishing-check API. Sublime for the gateway; DFIR Platform for the triage and automation tail.

07 · FAQ

Questions people actually ask.

01.Q

Is DFIR Platform an email security gateway like Sublime?

No. DFIR Platform is an IOC enrichment and phishing-check API — it does not sit inline with your mail flow, quarantine messages, or connect to Microsoft 365 or Google Workspace. Sublime is a full email security platform that processes every inbound message. These are different product categories and most teams running Sublime still want an enrichment API alongside it.

02.Q

So is DFIR Platform a real alternative to Sublime at all?

Only for a narrow use case: analyst-triggered phishing analysis and IOC enrichment of specific indicators. If your goal is to block phishing and BEC at delivery across a tenant, Sublime (or another email security platform) is the right product. If your goal is to enrich IPs/domains/URLs/hashes from alerts or user reports, DFIR Platform is a better fit — and cheaper.

03.Q

Can I use DFIR Platform alongside Sublime Security?

Yes — this is the common setup. Sublime handles detection and remediation at the mail gateway; DFIR Platform handles triage of escalated user reports, extracted IOC enrichment, and automation playbooks (n8n, Tines, SOAR). Credits cover /enrich, /enrich/batch, /phishing-check, /exposure-scanner, /domain-lookup, and AI triage on one plan.

04.Q

What is MQL and does DFIR Platform have anything like it?

MQL (Message Query Language) is Sublime's detection-as-code language. Rules run against a structured Message Data Model derived from each email. DFIR Platform has nothing equivalent — it does not ingest mail flow. It exposes a REST API for indicator lookups and a /phishing-check endpoint that analyzes a single email when you send it explicitly.

05.Q

Is Sublime's free Core tier enough to replace Enterprise?

It's generous — free for the first 100 mailboxes with ADÉ and ASA agents, detection engine, and git-based rule management. But several capabilities sit in Enterprise only: inline protection, quarantine, REST API, SIEM/SOAR integrations, advanced threat hunting, SSO/MFA/SCIM, and custom RBAC. Match your mailbox count and control needs to the right tier.

06.Q

How much does Sublime Security actually cost at Enterprise?

Sublime doesn't publish Enterprise pricing. Public benchmark data from Vendr reports a median Sublime deal around $20K/year with a range from ~$6.7K to ~$116K/year depending on mailbox count and feature mix. Expect a sales cycle and annual contract — whereas DFIR Platform is $0–$99/mo self-serve for the API use case.

08 · RELATED COMPARISONS

Compare with other tools.

01 · DFIR vs VirusTotal (malware and IOC intelligence; slug: virustotal)
02 · DFIR vs PhishTool (phishing analysis platform; slug: phishtool)
03 · DFIR vs urlscan.io (URL and domain scanning; slug: urlscan)
NEXT STEP

Run your own IOCs through DFIR Platform.

Free /ioc-check, no signup — or a Free account for the full API and 100 credits per month.
