
We're a fully distributed team. As required by federal law, this role is open only to US citizens based in the US.


Why Sublime

Nation states, criminal organizations, and lone wolves attempt to phish businesses, non-profits, and governments 24/7/365. When they succeed it can be extraordinarily destructive, disrupting coronavirus research, impacting a US presidential election, or damaging a country’s national defense. Email is the #1 attack vector, and last year phishing cost US businesses over $9B in direct financial losses.

Security professionals deserve superpowers that make them the heroes in this fight.

What we do

Sublime is making email security programmable.

Many companies have tried to solve phishing with black-box ML, and they've failed for the past 20 years. We're taking a different approach: we've created a DSL that enables security professionals, IT admins, and academic researchers to quickly develop new phishing detection rules. These community-built rules can draw on arbitrary sets of ML models, third-party enrichment services, and custom functions, all backed by a GitHub-like version control system that makes sharing and collaboration easy.

Here's an example of a moderately sophisticated phishing detection rule that is written in Sublime's Message Query Language (MQL):

// rules can detect inbound, internal, or outbound messages
type.inbound

// identify credential theft language in the body using NLU
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
)

// suspicious sender signals
and (
  beta.whois(sender.email.domain).days_old <= 30
  or profile.by_sender().days_known < 10
  or not profile.by_sender().solicited
)

To see more rule examples and for a deeper dive into Sublime, check out our docs or open-source rules feed.

Role

Hiring manager: @Josh Kamdjou

At Sublime, our Detection team is at the core of our business. Unlike traditional approaches to email security, we use a bespoke domain-specific language (DSL) that enables rapid development of new email attack detection rules. The same DSL is available to all of our users.

Ideal candidates have deep security domain expertise with an understanding of modern attacker techniques, and prior experience building detections or threat hunting through massive data sets. Email domain expertise is a plus but not a requirement.

Your work will directly benefit the community and our customers, and will be an integral part of the company’s success. You will have an opportunity to:

Stack

MQL (Message Query Language), PostgreSQL, Go, Python