From Perimeter to Proof: The New Architecture of Email Security
How identity, investigation, browser security, and AI are reshaping the future of email defense.
Anna Perrone is a Research Associate/Business Process Analyst at SACR focused on email security, AI-driven threats, and research governance. Her work spans industry-wide reports and vendor analysis across the cybersecurity stack.
Executive Summary
Email is still the cheapest, highest-leverage path into the enterprise. Three decades of layered defenses have not narrowed the vector. They have moved it up the stack. The fight today is not really about malicious attachments at the perimeter. It is about trust, identity, and human judgment inside the inbox, and across the workflows that wrap around the inbox. The argument of this report is that in 2026, email security should be understood and purchased as an identity-graph problem with auditable evidence behind it, rather than as a content-filter problem with a headline detection rate on the marketing page.
Four claims sit underneath that thesis.
Email security is becoming more contextual. Many of today’s most damaging attacks, including business email compromise (BEC), vendor email compromise (VEC), account takeover (ATO), and OAuth abuse, often contain few traditional indicators of compromise. The relevant signal increasingly lies in communication patterns, identity relationships, behavioral context, and whether a request makes sense within the normal operation of the business.
Email security is converging with identity, data, and security operations. Modern attacks rarely stop at the inbox. A phishing email may lead to credential theft, SaaS compromise, unauthorized access, or data exposure. As a result, organizations must evaluate email-security platforms based on how effectively they connect to identity systems, data-security programs, and incident-response workflows.
The market is becoming more layered. No single architecture fully addresses prevention, contextual analysis, investigation, remediation, and governance. Secure email gateways (SEGs), integrated cloud email security platforms (ICES), investigation-centric tools, and automation-driven systems coexist because they solve different parts of the problem.
The attacks are more layered. While email remains the dominant vector for social engineering, attacks are now proliferating across multiple channels and platforms such as Slack, WhatsApp, Teams, and voicemail. The abuse of trusted sources presents a major challenge that traditional solutions must work to solve. Until then, all messages, links, attachments, and senders must be assumed malicious.
Explainability is becoming a procurement requirement. As email security becomes more interconnected and operationally significant, organizations need to understand why a platform reached a conclusion, what evidence supports it, and how response decisions can be defended to executives, auditors, regulators, and cyber insurers.
Why This Matters
For CISOs, security architects, and senior practitioners, the practical question is not whether the secure email gateway is dead or whether ICES replaces it. The better question is what each layer uniquely contributes. Does it prevent delivery? Does it understand the communication context? Does it produce evidence? Does it reduce blast radius? Does it remediate across mailboxes, shared folders, OAuth grants, mailbox rules, and collaboration surfaces? Does it integrate into the systems where security operations teams already work?
The future of email security is unlikely to be defined by a single architecture. It will be defined by how effectively different architectures help organizations understand attacks, respond to them efficiently, and reduce risk across an ever-more-complex communication environment.
Defining Email Security
For the purposes of this report, email security refers to the technologies and processes used to protect business communications from phishing, fraud, account compromise, unauthorized access, and data exposure.
Today, email security encompasses far more than the inspection of messages, links, and attachments. Organizations increasingly evaluate communications in the context of identities, relationships, business processes, user behavior, and the infrastructure that supports modern digital workflows. As a result, email-security platforms now incorporate varying degrees of behavioral analysis, identity context, investigation, remediation, automation, and response.
The category also extends beyond the inbox itself. Many attacks involve collaboration platforms, cloud applications, messaging systems, supplier portals, and browser-based workflows as part of a broader social-engineering chain. While email remains the primary focus of this report, many vendors increasingly position their offerings as broader communication-security platforms.
For this report, email security should therefore be understood as the set of technologies and workflows used to secure business communications, the identities and relationships that support those communications, and the business processes that attackers increasingly seek to exploit.
Why Email Security Is Changing
The evolution of email security is often described through product categories, but the deeper driver is attacker behavior. Attackers have adapted around the controls organizations deployed, and each adaptation has forced defenders to expand what email security is expected to understand.
The first generation of email security focused on malicious content and suspicious infrastructure. That made sense when attackers relied heavily on spam, malware attachments, commodity phishing kits, and newly registered domains. The defensive model was built around inspection, reputation, signatures, sandboxing, and policy enforcement.
Many of the most damaging attacks today look different. They exploit established relationships, legitimate infrastructure, identity workflows, and human decision-making under pressure. As a result, the current attack surface is not simply bad email; it is business workflow abused through email.
Business Email Compromise
Business email compromise remains one of the most damaging attack categories precisely because it often lacks the artifacts that email security tools were originally built to find. A BEC attack may impersonate an executive, finance employee, legal contact, or trusted business partner. The objective is usually to trigger a payment, redirect funds, disclose sensitive information, or approve an action that appears legitimate.
The technical content of the message may be unremarkable. There may be no malware attachment, no suspicious link, and no obviously malicious domain. The signal exists in the relationship, the timing, the request, and the deviation from normal business processes.
This is why relationship intelligence, behavioral baselining, and identity context became important. A content filter may see a normal message. A system with access to communication history and tenant behavior may see an unusual request from an unusual sender to an unusual recipient at an unusual time.
Vendor Email Compromise
Vendor email compromise extends this problem further because the attacker may operate from a legitimate supplier account. The sender is real, the domain is real, the email history is real, and the business relationship is real. The anomaly may be limited to a change in payment details, an unusual invoice, or a subtle deviation in workflow.
VEC is difficult because Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) may all pass. Domain reputation may be clean. The communication may be part of an existing thread. In this scenario, the security question becomes less about whether the sender can be authenticated and more about whether the request aligns with expected business behavior.
This is where ICES platforms and behaviorally informed systems gained traction. They were able to observe internal mail flow, mailbox relationships, communication cadence, and post-delivery behavior in ways that legacy gateway models often could not.
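To make the VEC point concrete, here is an added example (not code from the SACR report or any vendor) of a minimal relationship baseline: it parses an Authentication-Results header, confirms SPF, DKIM and DMARC all pass, and still holds the message because the recipient, send time, invoice bank account and payment language deviate from the supplier's history. The communication history, addresses, account numbers and signal weights are all constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Message:
    sender: str
    recipient: str
    sent_at: datetime
    auth_results: str                 # value of the Authentication-Results header
    body: str
    bank_account: Optional[str] = None  # account number parsed from the invoice (assumed upstream step)


# Illustrative weights; a real system would learn or tune these per tenant.
WEIGHTS = {
    "new_recipient_for_sender": 0.30,
    "bank_account_changed": 0.50,
    "outside_usual_hours": 0.15,
    "payment_change_language": 0.20,
}
HOLD_THRESHOLD = 0.60
PAYMENT_RE = re.compile(r"(update|change|new)\w*\s+(our\s+)?(bank|account|wire)", re.I)


def parse_auth_results(header: str) -> dict:
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results value."""
    out = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=([a-z]+)", header, re.I)
        out[mech] = m.group(1).lower() if m else "none"
    return out


def build_baseline(history: list) -> dict:
    """Per-sender summary of who they write to, when, and which accounts they bill from."""
    base = defaultdict(lambda: {"recipients": set(), "hours": set(), "accounts": set()})
    for m in history:
        b = base[m.sender]
        b["recipients"].add(m.recipient)
        b["hours"].add(m.sent_at.hour)
        if m.bank_account:
            b["accounts"].add(m.bank_account)
    return base


def evaluate(msg: Message, baseline: dict) -> dict:
    """Score a message against its sender's baseline and return an evidence packet."""
    auth = parse_auth_results(msg.auth_results)
    b = baseline.get(msg.sender)
    signals = []  # (name, contribution, reason string)
    if b is None:
        signals.append(("no_history_for_sender", 0.0, "sender has no prior traffic in this tenant"))
    else:
        if msg.recipient not in b["recipients"]:
            signals.append(("new_recipient_for_sender", WEIGHTS["new_recipient_for_sender"],
                            f"{msg.sender} has never written to {msg.recipient}"))
        if msg.bank_account and b["accounts"] and msg.bank_account not in b["accounts"]:
            signals.append(("bank_account_changed", WEIGHTS["bank_account_changed"],
                            f"invoice account {msg.bank_account} differs from {sorted(b['accounts'])}"))
        if b["hours"] and msg.sent_at.hour not in b["hours"]:
            signals.append(("outside_usual_hours", WEIGHTS["outside_usual_hours"],
                            f"sent at {msg.sent_at.hour:02d}:00; baseline hours {sorted(b['hours'])}"))
    if PAYMENT_RE.search(msg.body):
        signals.append(("payment_change_language", WEIGHTS["payment_change_language"],
                        "body requests a change to payment details"))
    score = round(sum(w for _, w, _ in signals), 2)
    all_pass = all(v == "pass" for v in auth.values())
    return {
        "verdict": "hold_for_review" if score >= HOLD_THRESHOLD else "deliver",
        "score": score,
        "authentication": auth,
        # Passing authentication proves the mailbox sent it, not that the request is legitimate.
        "authentication_note": "all pass; confirms the account, not the request" if all_pass else "not fully passing",
        "signals": [{"name": n, "contribution": w, "reason": r} for n, w, r in signals],
    }


AUTH_OK = ("spf=pass smtp.mailfrom=acme-supplies.example; "
           "dkim=pass header.d=acme-supplies.example; dmarc=pass header.from=acme-supplies.example")


def constructed_history() -> list:
    """Constructed sample traffic: a supplier billing accounts payable on weekday mornings."""
    return [
        Message("billing@acme-supplies.example", "ap@corp.example", datetime(2025, 3, 3, 9, 15),
                AUTH_OK, "Invoice 1041 attached.", "DE00-CONSTRUCTED-0001"),
        Message("billing@acme-supplies.example", "ap@corp.example", datetime(2025, 4, 1, 10, 40),
                AUTH_OK, "Invoice 1077 attached.", "DE00-CONSTRUCTED-0001"),
    ]


def vec_attempt() -> Message:
    """Constructed VEC message: the real supplier mailbox, used after its compromise."""
    return Message("billing@acme-supplies.example", "cfo@corp.example", datetime(2025, 5, 6, 22, 5),
                   AUTH_OK, "Hi, we have updated our bank account. Please pay invoice 1102 to the new account.",
                   "DE00-CONSTRUCTED-9999")


if __name__ == "__main__":
    base = build_baseline(constructed_history())
    for s in evaluate(vec_attempt(), base)["signals"]:
        print(f"{s['name']:<26} +{s['contribution']:.2f}  {s['reason']}")
```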
Trusted-Cloud Phishing
Trusted-cloud phishing has become one of the clearest examples of why reputation-based approaches are insufficient on their own. Attackers are expanding use of Microsoft 365, Google Workspace, Adobe, Dropbox, DocuSign, Atlassian, Confluence, Power BI, Notion, Figma, Vercel, Replit, and other legitimate services to host content or facilitate phishing workflows.
The infrastructure is often legitimate. The abuse occurs inside the workflow.
This creates a structural challenge for URL-rewrite controls and reputation feeds. A trusted domain may host a malicious workflow without the domain itself being malicious. The destination may not reveal risk until the user interacts with the page, follows a redirect chain, scans a QR code, grants OAuth consent, or submits credentials.
This is why dynamic analysis, URL detonation, browser interaction, screenshot capture, and redirect-chain reconstruction are becoming more important. For trusted-cloud phishing, defenders need to understand what happens after engagement rather than only evaluating the initial destination.
AI-Generated Social Engineering
Generative AI has changed the cost structure of phishing. Highly personalized spear phishing once required manual research and careful crafting. Today, attackers can generate targeted messages at scale using public data, breached information, social media, company context, and industry-specific language.
This does not mean every phishing email is sophisticated. It does mean the ceiling has moved. Messages can be more personalized, more grammatical, more context-aware, and more difficult to distinguish from routine business communication.
Static templates and legacy lexical detection struggle in this environment. If every message can be slightly different, template matching becomes less useful. Defenders must evaluate intent, sender behavior, communication context, and the action being requested.
OAuth, ATO, and Identity Abuse
Some email-related attacks do not depend on malicious email content at all. OAuth consent phishing, session hijacking, MFA fatigue, adversary-in-the-middle phishing, and help-desk social engineering often begin with communication but quickly move into identity systems.
An attacker may convince a user to grant a malicious OAuth application read or send permissions. They may steal a session cookie after MFA completion. They may impersonate an employee to a help desk and trigger an MFA reset. They may gain access to a mailbox and use that account for lateral phishing or supplier fraud.
These attacks show why email security and identity security are increasingly difficult to separate. The email may initiate the event, but the risk quickly moves into Entra ID, Google identity, OAuth grants, session tokens, mailbox rules, software-as-a-service (SaaS) applications, and data repositories.
For buyers, this changes the evaluation criteria. A modern email security platform will be judged not only on whether it blocks messages, but also on whether it helps contain ATO, clean up malicious mailbox rules, revoke OAuth grants, support SOAR and SIEM workflows, and connect suspicious communications to identity activity.
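As an added example of the mailbox-rule cleanup named above (not code from the SACR report or any vendor), the following triage marks inbox rules that an account-takeover investigation should disable and preserve: external forwarding or redirection, deletion, filing into rarely viewed folders, and matching on payment or security terms. The rule objects are constructed and only loosely follow the shape of a Microsoft Graph messageRule, with recipient addresses flattened to plain strings; the tenant domain and folder names are assumptions.

```python
from typing import Iterable

INTERNAL_DOMAINS = {"corp.example"}   # assumed tenant domains
# Folders where a filed-away copy is unlikely to be noticed by the mailbox owner; names constructed.
HIDEAWAY_FOLDERS = {"rss feeds", "conversation history", "archive", "junk email"}
SENSITIVE_TERMS = ("invoice", "payment", "wire", "password", "security alert", "mfa")


def _external(addresses: Iterable[str]) -> list:
    """Addresses whose domain is not one of the tenant's own."""
    return [a for a in addresses if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]


def triage_rule(rule: dict) -> dict:
    """Return a finding for one rule; severity 'none' means nothing suspicious was seen."""
    actions = rule.get("actions", {})
    conds = rule.get("conditions", {})
    reasons = []

    ext = _external(actions.get("forwardTo", []) + actions.get("redirectTo", [])
                    + actions.get("forwardAsAttachmentTo", []))
    if ext:
        reasons.append(f"forwards or redirects mail to external address(es): {ext}")
    if actions.get("delete"):
        reasons.append("deletes matching mail, hiding it from the mailbox owner")
    folder = (actions.get("moveToFolder") or "").lower()
    if folder in HIDEAWAY_FOLDERS:
        reasons.append(f"moves matching mail to rarely viewed folder '{actions['moveToFolder']}'")
    texts = [s.lower() for s in conds.get("subjectContains", []) + conds.get("bodyContains", [])]
    hits = [t for t in SENSITIVE_TERMS if any(t in s for s in texts)]
    if hits:
        reasons.append(f"matches on sensitive terms: {hits}")
    name = rule.get("displayName", "").strip()
    if len(name) <= 1:
        reasons.append("near-empty display name")

    # Exfiltration or destruction of mail is high; everything else is worth a look.
    if ext or actions.get("delete"):
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return {
        "id": rule.get("id"),
        "displayName": name,
        "enabled": rule.get("isEnabled", True),
        "severity": severity,
        "reasons": reasons,
        "recommended_action": "disable_rule_and_preserve_for_evidence" if severity != "none" else "no_action",
    }


def triage_mailbox(rules: list) -> list:
    """Findings for every suspicious rule, highest severity first."""
    order = {"high": 0, "medium": 1}
    found = [f for f in (triage_rule(r) for r in rules) if f["severity"] != "none"]
    return sorted(found, key=lambda f: order[f["severity"]])


def constructed_rules() -> list:
    """Constructed sample rules: two typical post-compromise rules and one benign one."""
    return [
        {"id": "rule-1", "displayName": ".", "isEnabled": True,
         "conditions": {"subjectContains": ["invoice", "payment"]},
         "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True,
                     "forwardTo": ["collector@mail-drop.example"]}},
        {"id": "rule-2", "displayName": "Newsletter filing", "isEnabled": True,
         "conditions": {"senderContains": ["newsletter@"]},
         "actions": {"moveToFolder": "Newsletters"}},
        {"id": "rule-3", "displayName": "Cleanup", "isEnabled": True,
         "conditions": {"subjectContains": ["Security alert"]},
         "actions": {"delete": True}},
    ]


if __name__ == "__main__":
    for f in triage_mailbox(constructed_rules()):
        print(f["id"], f["severity"], f["recommended_action"])
        for r in f["reasons"]:
            print("   -", r)
```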
What These Attacks Have in Common
Although these attack patterns differ, they share a common theme. They exploit trust that already exists in the organization.
BEC exploits trust between colleagues. VEC exploits trust between businesses. Trusted-cloud phishing exploits trust in legitimate platforms. OAuth abuse exploits trust in authentication workflows. AI-generated social engineering exploits trust in communication itself.
This does not make content inspection irrelevant. It means content inspection is no longer enough. The modern email security stack needs to combine content analysis, relationship intelligence, identity context, dynamic investigation, response automation, and evidence generation.
How Email Security Evolved
The history of email security is often presented as a sequence of product categories. Secure email gateways gave way to integrated cloud email security platforms, which are now competing with investigation-centric and agentic approaches. Viewed too simply, the market appears to be a series of replacements.
In practice, each generation emerged because attackers changed their behavior and because organizations changed how they communicated. New architectures were not created because previous approaches stopped working entirely. They emerged because existing methods became insufficient on their own.
Understanding this progression helps explain why the market now contains multiple competing models rather than one dominant architecture.
The Perimeter Era
For much of email security’s history, the primary challenge was preventing malicious content from reaching users. Spam campaigns, malware attachments, malicious links, and known-bad infrastructure dominated the threat landscape. Attackers relied on domains and hosting environments that were often disposable and relatively easy to identify.
The resulting architecture was the secure email gateway. Secure email gateways (SEGs) sat in-path through MX redirection, inspected inbound and outbound messages before delivery, and enforced policy at the perimeter. Their capabilities included anti-spam scoring, signature-based malware detection, URL inspection, attachment sandboxing, encryption, outbound DLP, archiving, and continuity.
This model worked because the attack surface matched the control point. If most threats entered through the mail stream and carried identifiable content or infrastructure signals, then inspecting mail before delivery was both practical and effective.
The gateway era also created many capabilities that organizations still depend on. Regulated industries continue to require archive, eDiscovery, retention, encryption at send, continuity, and outbound policy controls. These are not legacy concerns. They remain central to how large enterprises manage communication risk.
The limitation was that the model assumed malicious activity could often be identified through the content or infrastructure associated with the message. As attackers shifted toward impersonation, account compromise, and social engineering, that assumption became less reliable.
The Cloud and Identity Era
The transition to Microsoft 365 and Google Workspace changed email security architecture. Email became one part of a broader cloud productivity environment connected to identity systems, document repositories, collaboration platforms, and SaaS workflows.
This transition created the conditions for integrated cloud email security. ICES platforms are deployed through API integrations rather than MX redirection, allowing them to observe mailbox telemetry, internal communications, identity context, and post-delivery behavior. They can identify, quarantine, claw back, or banner messages after delivery, and they can build tenant-level behavioral baselines based on how people actually communicate.
This was particularly useful for BEC, VEC, reply-chain hijack, ATO, and lateral phishing. These attacks often bypassed traditional inspection because there was little malicious content to inspect. The relevant signal existed in communication history, sender-recipient relationships, identity behavior, and deviations from baseline.
ICES introduced important advantages, but also structural tradeoffs. API-based systems can be faster to deploy and better positioned to observe internal mail, but messages may land before verdicts are rendered. API throttling can constrain scale in large tenants. Outbound DLP and pre-delivery policy enforcement are often thinner than in gateway architectures. Remediation depth varies widely, particularly across shared mailboxes, delegated folders, distribution lists, and lateral campaigns.
The cloud and identity era did not eliminate the gateway. It created a second layer with a different evidence shape.
The Investigation Era
The current phase is being shaped by trusted infrastructure, AI-generated social engineering, multimodal phishing, and operational pressure on security teams. Attackers now use legitimate SaaS platforms, QR codes, image-based content, dynamic redirects, HTML smuggling, and adversary-in-the-middle phishing kits to evade controls that depend on static indicators.
This has shifted the buyer question. Historically, organizations primarily wanted to know whether a message was malicious. Today, they need to know why it was flagged, how the attack works, whether similar messages exist elsewhere, what users interacted with it, and what response action occurred.
That creates demand for evidence packets and investigation workflows. Useful evidence may include reason strings, signal contributions, screenshots, redirect chains, certificate details, domain registration data, URL detonation results, model or rule references, analyst override history, and blast-radius analysis.
This is also where SOAR, SIEM, IT service management (ITSM), extended detection and response (XDR), and managed detection and response integrations become important. Detection that does not produce action is telemetry. The practical value of an email security platform depends on its ability to remediate across mailboxes, revoke malicious OAuth grants, remove mailbox rules, cluster campaigns, contain ATO, and reduce security operations center (SOC) workload.
Why Multiple Architectures Continue to Exist
Email security rarely evolves through clean replacement. Organizations operate under different constraints, and those constraints shape procurement.
A financial institution may require SEG-grade archive, encryption, continuity, and outbound DLP. A cloud-native technology company may prioritize ICES because its primary problem is BEC and supplier fraud. A data-sensitive enterprise may care about connecting phishing to DSPM, DLP, and managed detection, defense, and response (MDDR) workflows. A resource-constrained security team may prioritize agentic investigation and autonomous remediation.
These priorities are not mutually exclusive. Many mature programs will continue to run layered architectures that combine MX-in-path controls, API-based ICES, platform-native controls, identity integrations, browser protections, and response automation.
The next phase of the market is therefore unlikely to produce a single winner. It will be shaped by how effectively each architecture contributes useful context, evidence, and action.
Modern Email Security Architectures
The evolution of email security has produced a market that is more diverse than at any point in its history. Organizations face a wider range of threats than they did a decade ago, while security teams operate under different regulatory obligations, staffing constraints, risk tolerances, and operational priorities.
As a result, the market no longer revolves around a single architectural model. Instead, several approaches have emerged, each built around different assumptions about how attacks occur and what security teams need most.
Policy and Perimeter-Centric Architectures
Policy and perimeter-centric architectures are typically associated with secure email gateways. They inspect messages before delivery, enforce inbound and outbound policy, and provide capabilities such as malware analysis, URL inspection, attachment sandboxing, encryption, archive, eDiscovery, continuity, and outbound DLP.
Their strength is breadth. Many organizations require email security to support governance and compliance alongside threat detection. For these buyers, SEG capabilities remain essential.
The gap is context. Perimeter-centric architectures can struggle when attacks contain few traditional indicators of compromise, especially BEC, VEC, internal-to-internal lateral phishing, and account takeover. In those cases, identity context and communication history may matter more than attachment or URL inspection.
Relationship and Identity-Centric Architectures
Relationship and identity-centric architectures emerged because many modern attacks exploit existing relationships rather than suspicious infrastructure. These platforms use API deployment, mailbox telemetry, communication history, tenant baselines, sender-recipient patterns, authentication activity, and user context to identify suspicious behavior.
This model is particularly strong against BEC, VEC, executive impersonation, account takeover, and reply-chain hijack. The relevant signal often exists outside the message itself.
The tradeoff is that attackers combine behavioral deception with infrastructure abuse, trusted-cloud hosting, image-based phishing, quishing, and HTML smuggling. Relationship intelligence remains important, but it may not provide a complete view of attacks where the primary signal exists in the destination workflow rather than the communication relationship.
Investigation and Evidence-Centric Architectures
Investigation and evidence-centric architectures focus on understanding how attacks operate. They dynamically inspect URLs, follow redirect chains, capture screenshots, detonate content, analyze infrastructure, evaluate domains, and produce artifacts that analysts can review.
This approach is especially relevant for trusted-cloud phishing, QR-code attacks, adversary-in-the-middle kits, dynamic redirects, and attacks that hide malicious behavior behind legitimate services.
Its strength is explainability. Security teams, auditors, insurers, and executives need to understand why a verdict was reached. The challenge is operational balance. Deep investigation must be fast enough, scalable enough, and easy enough to integrate into SOC workflows.
Agentic and Automation-Centric Architectures
Agentic and automation-centric architectures focus on operational scale. They use LLMs, small language models, specialized agents, and automated workflows to investigate messages, evaluate intent, assemble evidence, cluster campaigns, trigger remediation, and reduce analyst workload.
This model reflects a practical problem. As AI lowers the cost of creating attacks, defenders need to lower the cost of investigation and response. Agentic systems attempt to function as force multipliers for SOC teams.
The open question is governance. Organizations need to understand how much authority they are willing to delegate to automated systems, especially when those systems can quarantine messages, trigger password resets, escalate incidents, or initiate XDR and SOAR workflows.
Why No Single Architecture Will Win
The existence of multiple architectures does not mean the market has failed to converge. It reflects the fact that organizations are solving different problems.
A regulated enterprise may prioritize SEG controls. A cloud-native organization may prioritize ICES. A security team facing trusted-cloud abuse may prioritize investigation and evidence. A lean SOC may prioritize agentic automation.
Most mature organizations will combine elements of several models. The procurement question is not which architecture is best in the abstract; it is which combination produces the most useful prevention, context, evidence, and response for the buyer’s specific environment.
Market Outlook: Email Security Beyond the Inbox
The email security market has spent three decades expanding the scope of what organizations expect from the category. The first generation focused on preventing malicious content from reaching the inbox. The second focused on understanding the relationships and behaviors surrounding communications. The current generation emphasizes investigation, response, and operational efficiency alongside detection.
The next phase is unlikely to be defined by one breakthrough technology. It will be shaped by several trends already visible in buyer priorities, attack patterns, and vendor roadmaps.
Identity and Email Continue to Converge
Email security and identity security are becoming more interconnected. BEC often relies on account compromise. OAuth abuse often begins with social engineering. Session theft, credential harvesting, MFA fatigue, and help-desk manipulation frequently involve communication channels alongside identity systems.
This does not mean email security vendors become identity vendors. It means email products need identity context, and identity products benefit from communication context.
Buyers should expect tighter integration with Entra ID, Google Identity, OAuth telemetry, session activity, ATO detection, mailbox-rule cleanup, and identity threat detection and response workflows.
Explainability Becomes a Procurement Requirement
Detection efficacy remains important, but detection claims are becoming harder to differentiate. Nearly every major vendor claims strong performance. Buyers want to know whether a platform can explain its decisions.
Evidence packets, detection-as-code, model cards, signal contributions, reason strings, analyst override paths, and exportable case records will become more important during procurement. Opaque classifiers may still perform well, but buyers under pressure from boards, insurers, auditors, and regulators prefer systems that can produce defensible evidence.
Response Becomes More Important Than Detection
Security teams evaluate email security based on operational outcomes. The relevant questions are no longer limited to whether a vendor detects threats. Buyers want to know how quickly messages are removed, whether the system can claw back across shared mailboxes and delegated folders, how it handles OAuth grants and mailbox rules, whether it clusters related campaigns, and how well it integrates with SOAR, SIEM, ITSM, XDR, and MDDR workflows.
Mean time to remediation, blast radius reduced, SOC hours saved, ATO containment time, and false-positive reduction are becoming more useful metrics than raw detection rates.
Communication Security Expands Beyond Email
Email remains critical, but attacks now move across Teams, Slack, SharePoint, Google Drive, WhatsApp, LinkedIn, Discord, SMS, supplier portals, and browser-based workflows. Buyers should distinguish between integrations that merely forward alerts and integrations that provide message-level enforcement such as quarantine, removal, revocation, or user protection.
The future of communication security is less about protecting a single channel and more about following social engineering across the channels where work actually happens.
Email and Data Security Converge
Email and data security are also moving closer together. A phishing email may lead to credential theft, credential theft may lead to unauthorized access, and unauthorized access may lead to data exposure. The incident spans email, identity, SaaS, and sensitive data, even if it begins with one message.
This creates a closer relationship between email security, DSPM, DLP, insider risk, and MDDR. Buyers should expect more vendors to position phishing as the beginning of a broader attack lifecycle rather than a standalone category.
CISO Implications
The email security market is becoming more complex, not less.
For most organizations, the future of email security will not involve replacing one architecture with another. Instead, it will involve assembling a layered security program that combines prevention, contextual analysis, investigation, and response capabilities.
As a result, the primary challenge for CISOs is no longer selecting a single email-security platform. It is determining which capabilities most directly reduce risk within their organization’s operating model, staffing constraints, regulatory requirements, and threat environment.
The most effective email-security programs over the next several years will not necessarily be those with the highest detection rates. They will be the programs that most effectively align technology investments with business risk, operational realities, and incident-response requirements.
Align Architecture to Risk
Different email-security architectures solve different problems.
Organizations operating in highly regulated industries continue to require secure email gateway capabilities such as encryption, archiving, continuity, eDiscovery, and outbound data loss prevention. These requirements do not disappear simply because phishing techniques evolve.
Organizations most concerned with business email compromise, supplier fraud, account takeover, executive impersonation, and lateral phishing may place greater emphasis on relationship- and identity-centric platforms capable of understanding communication context and behavioral anomalies.
Organizations facing sophisticated phishing campaigns that leverage trusted infrastructure, QR codes, image-based deception, adversary-in-the-middle workflows, or complex redirect chains may benefit from investigation-centric approaches that provide greater visibility into how attacks operate and why they were detected.
Organizations struggling with analyst workload, staffing shortages, or increasing alert volumes may place greater value on automation, orchestration, and agentic investigation capabilities designed to accelerate response and reduce manual effort.
The objective should not be identifying the “best” architecture. The objective should be identifying which combination of capabilities best supports the organization’s security operating model.
Indicators That Additional Investigation Capabilities May Be Needed
CISOs should consider strengthening investigation-centric capabilities when they observe one or more of the following conditions:
Trusted-cloud phishing consistently bypasses existing controls.
Analysts spend significant time manually validating phishing verdicts.
Security teams struggle to explain detection decisions to executives, auditors, or insurers.
QR-code phishing, browser-based attacks, or credential-harvesting campaigns are increasing.
Security operations teams lack sufficient visibility into post-click attack behavior.
Incident investigations frequently require evidence gathering from multiple tools.
These conditions often indicate that detection alone is not providing sufficient operational context.
Evaluate Operational Outcomes, Not Feature Lists
Many procurement processes still focus heavily on feature comparisons and detection claims. Those factors remain important, but they rarely determine long-term success. The more useful question is whether a platform improves operational outcomes.
Examples include:
Reduction in business email compromise exposure.
Faster remediation of malicious messages.
Lower analyst investigation time.
Improved visibility into account compromise activity.
Reduced incident-response effort.
Better integration with existing security workflows.
More defensible evidence for audits, insurance reviews, and executive reporting.
As the gaps in detection capabilities close across vendors, operational effectiveness becomes a more important differentiator than incremental improvements in efficacy.
Consider the Economics of Security Operations
Email security should be evaluated as both a technology decision and an operational decision. Many organizations already possess significant visibility into threats. The limiting factor is often the ability to investigate, validate, and respond at scale.
CISOs should therefore assess:
Analyst effort required to investigate alerts.
Time required to remediate identified threats.
Administrative overhead associated with deployment and maintenance.
Training requirements for analysts and administrators.
Opportunities to consolidate tools or workflows.
Ability to automate repetitive investigative tasks.
The most effective platform is not the platform that generates the most alerts. It is the platform that helps the organization reduce risk with the least operational friction.
As staffing pressures continue across the industry, operational efficiency becomes an increasingly important procurement consideration.
Implementation Considerations
Before adopting a new platform, security leaders should evaluate how well it integrates with the broader security ecosystem.
Key considerations include:
Integration with Microsoft 365, Google Workspace, Entra ID, and identity-security platforms.
Support for SIEM, SOAR, XDR, ITSM, and incident-response workflows.
Remediation capabilities across shared mailboxes, delegated mailboxes, mailbox rules, OAuth grants, and collaboration environments.
Visibility into Teams, Slack, SharePoint, Google Drive, browser-based workflows, and other communication channels.
Reporting capabilities for security operations, audit, compliance, and executive stakeholders.
Administrative complexity and ongoing operational requirements.
Organizations should also recognize that deployment architecture creates tradeoffs.
MX-based gateways often provide stronger pre-delivery controls, governance capabilities, and outbound protections. API-based platforms often provide richer contextual visibility, identity awareness, and post-delivery response capabilities.
Neither model is universally superior.
Emerging Risks CISOs Should Monitor
Several trends deserve increased attention over the next 24 months.
Trusted Infrastructure Abuse
Attackers leverage legitimate platforms rather than obviously malicious infrastructure. Microsoft 365, Google Workspace, Dropbox, Adobe, Atlassian, and similar services are frequently incorporated into phishing workflows.
This trend reduces the effectiveness of approaches that rely primarily on reputation and static indicators.
Expanding Attack Surface
As organizations deploy AI agents across inboxes and business workflows, they create new targets for social engineering. Agents increasingly interact with emails, links, attachments, and external requests on behalf of users, expanding the number of identities, workflows, and trust relationships that security teams must protect.
Even where AI agents carry purported detection rates above 99%, the under-1% of outlier cases in which the agent proves susceptible mean that email-security programs must evolve from protecting human users alone to securing both human and machine participants in business workflows.
Identity-Centric Attacks
Business email compromise, OAuth abuse, adversary-in-the-middle phishing, session theft, and account takeover blur the distinction between email security and identity security.
Organizations should expect tighter integration between email security, identity security, and incident-response programs.
Explainability Requirements
Security decisions face increasing scrutiny from boards, auditors, regulators, and cyber insurers.
Organizations should evaluate not only whether a platform can detect threats, but whether it can explain detection decisions in a way that supports operational and governance requirements.
Automation Governance
Agentic investigation and autonomous remediation offer significant operational benefits.
However, organizations should establish clear policies regarding what actions may be automated, what approvals are required, and how automated decisions are reviewed and validated.
Questions CISOs Should Answer Before Evaluating Vendors
Before engaging vendors, security leaders should align internally on several strategic questions:
Is our primary concern governance, fraud prevention, phishing detection, investigation, or operational efficiency?
Where do our current controls consistently fail?
How much analyst time is spent investigating email-related incidents?
Do we require evidence suitable for audits, cyber-insurance reviews, or executive reporting?
How important is integration with identity-security workflows?
Do we need visibility beyond email into collaboration and communication platforms?
Which operational metrics are most important to improve over the next 24 months?
Organizations that answer these questions first will generally conduct more effective evaluations than organizations that begin with product comparisons.
Priorities for the Next 12–24 Months
High Priority
Reduce business email compromise and supplier fraud exposure.
Strengthen integration between email security and identity security.
Improve remediation speed and operational efficiency.
Increase visibility into trusted-cloud phishing and post-click attack behavior.
Medium Priority
Expand protection beyond email into collaboration and communication platforms.
Improve explainability and evidence generation for investigations.
Strengthen integration between phishing detection and incident-response workflows.
Emerging Priority
Evaluate agentic investigation and autonomous response capabilities.
Assess opportunities to consolidate investigation workflows.
Monitor convergence between email security, identity security, and data security.
Bottom Line
The future of email security is unlikely to be defined by a single product category or architectural model. The organizations that succeed will be those that align prevention, contextual analysis, investigation, automation, and response capabilities around business risk rather than vendor categories.
The most important procurement question is, “Which combination of capabilities most effectively reduces risk and operational burden for our organization?”
Vendor Profiles
Unlike the earlier market map, which categorized vendors by their primary email-security architecture, the ecosystem map below illustrates how leading vendors are extending beyond traditional email security into adjacent domains. It highlights the broader security ecosystem, including identity, browser protection, data security, security operations, and human risk, to show where vendors are expanding their capabilities and where buyers should expect increasing market convergence.
The vendor profiles that follow are not product reviews, rankings, or procurement recommendations.
They are intended to illustrate how different vendors are responding to many of the same forces reshaping the email security market. Each profile reflects a distinct architectural perspective on the challenges discussed throughout this report, including business email compromise, trusted-cloud phishing, account takeover, explainability, operational scale, and the growing convergence between email, identity, and data security.
As a result, the profiles should not be evaluated primarily through a feature-by-feature comparison. Organizations purchase email security platforms for different reasons. A highly regulated enterprise may prioritize governance, continuity, encryption, and outbound DLP. A cloud-native organization may prioritize behavioral analysis and post-delivery remediation. A security team facing sophisticated phishing campaigns may place greater emphasis on investigation and evidence generation. Another may prioritize automation and analyst efficiency.
The goal of these profiles is therefore not to identify a single winner. It is to understand the assumptions each vendor is making about the future of email security, the problems each vendor is best positioned to solve, and the tradeoffs buyers should consider when evaluating different approaches.
Mimecast
Overview
As email security has evolved, much of the industry’s attention has shifted toward behavioral analysis, identity context, and post-delivery detection. Yet for many large enterprises, email remains more than a phishing problem. It is a business-critical communications platform governed by regulatory requirements, legal discovery obligations, business continuity planning, and data-protection policies. These operational requirements continue to shape procurement decisions alongside evolving threat models.
Mimecast occupies a distinctive position because it approaches email security as both a security platform and a communications risk platform. While the company has expanded into AI-assisted detection, account takeover protection, automated investigation, data security, and human risk management, its architectural philosophy remains rooted in unifying prevention, governance, continuity, compliance, and operational resilience within a single platform. Recent product expansion also reflects a broader trend in which email security is converging with human risk, data protection, AI-enabled workflows, and broader communications security.
Why This Vendor Matters
Mimecast represents an important perspective within the email-security market: governance, resilience, and operational simplicity remain strategic requirements even as attackers increasingly exploit identity, trust, and human behavior.
Rather than abandoning its secure email gateway heritage, Mimecast has modernized it by incorporating behavioral detection, AI-assisted investigation, account takeover protection, data-security visibility, and human risk analytics. The result is a platform designed to balance traditional communications governance with the demands of today’s phishing, impersonation, identity-based attacks, and data-exposure risks. As organizations increasingly seek to consolidate security capabilities, Mimecast’s strategy reflects a broader market trend toward integrating communications security, governance, human risk, data protection, and operational resilience within a unified platform.
Product & Architecture
Mimecast remains one of the few vendors capable of operating as a traditional MX-in-path secure email gateway, an API-integrated cloud email security platform, or a hybrid combination of both. This flexibility allows organizations to preserve pre-delivery inspection and policy enforcement while incorporating cloud-native visibility, post-delivery remediation, and behavioral analysis.
The platform’s API deployment model is also significant. Through direct integration with Microsoft 365 and Google Workspace, Mimecast can deliver its full detection stack through API deployment without requiring MX record changes. This allows customers to inspect and remediate messages after delivery without sitting directly in the mail flow, while documented APIs and prebuilt connectors enable email telemetry to integrate with broader security operations and automation workflows.
The platform combines malware detection, URL analysis, attachment inspection, impersonation protection, account takeover monitoring, collaboration security, archive, continuity, encryption, and outbound DLP within a unified architecture. Rather than positioning governance and threat protection as separate products, Mimecast increasingly presents them as complementary layers of the same communications-security platform.
Mimecast also provides DMARC management capabilities that help organizations enforce DMARC, SPF, and DKIM policies, improve visibility into legitimate email senders, and reduce domain spoofing alongside its broader governance and outbound protection capabilities.
Mimecast has also simplified ongoing administration by replacing large numbers of granular policies with protection categories built around phishing, malware, spam, and impersonation while still allowing advanced controls where needed. This reflects a broader trend toward reducing operational complexity without sacrificing enterprise flexibility.
At the center of Mimecast’s behavioral detection is CyberGraph, an identity graph that maps relationships between senders and recipients and learns normal communication patterns within an organization. Those relationship signals help identify potential impersonation, business email compromise, and other anomalies that may not be apparent through content inspection alone. CyberGraph also contributes to a cross-customer intelligence loop, allowing signals observed across the broader customer base to inform detection and protection beyond a single tenant’s relationship map.
Market Context
Mimecast reflects the continued relevance of policy- and governance-centric architectures. While much of the market has shifted toward relationship intelligence, identity-driven detection, and investigation-first workflows, many organizations continue to require retention, eDiscovery, encryption, continuity, outbound DLP, and policy enforcement. These requirements have not disappeared as attacks evolved. Instead, they increasingly coexist alongside behavioral detection, human-risk management, data-security visibility, and AI-assisted response.
The company’s recent investments suggest an acknowledgement that governance alone is no longer sufficient. By expanding into identity-aware detection, human risk analytics, automated investigation, data-security monitoring, and broader security integrations, Mimecast is attempting to bridge traditional communications governance with the operational demands of modern email security.
Product and Technical Notes
Several aspects of Mimecast’s recent product evolution stand out.
The platform’s Automated Remediation Service enables malicious messages to be removed across an organization when verdicts change after delivery, reducing analyst effort while limiting campaign spread. Mimecast has also strengthened its account takeover capabilities by integrating identity telemetry with Mimecast Insider to identify anomalous behavior, monitor potential data exfiltration, and automatically restrict compromised accounts from continuing to send email.
Mimecast also offers Email Incident Response services that provide expert-led investigation and remediation support for organizations that require additional operational assistance during active phishing campaigns. User and entity behavioral analytics further establish communication baselines so that suspicious deviations, rather than only known indicators of compromise, can trigger investigation or containment.
Another area of investment is analyst efficiency. Mimecast Mihra AI, or Mimecast Intelligent Human Risk Agent, comprises a growing suite of AI agents that support investigation workflows, summarize findings, recommend response actions, and integrate with external AI environments through the Mihra MCP Gateway. This allows security teams to run Mimecast investigation workflows inside external AI environments, including Claude and Gemini, rather than forcing those workflows into a separate interface. The platform also emphasizes explainability by surfacing the indicators that contributed to a verdict, allowing analysts to understand why a message was flagged rather than relying solely on opaque risk scores.
Mimecast has also expanded beyond traditional email security through capabilities such as Incydr, extending runtime visibility into data movement across endpoints, browsers, SaaS applications, MCP connections, and AI workflows. The company has similarly begun addressing risks associated with AI agents and machine identities, reflecting a broader shift as automated systems increasingly participate in business communications.
Mimecast also integrates with SIEM, SOAR, and broader security platforms, allowing email telemetry to contribute to enterprise-wide investigations. Human Risk Insights extends visibility into user risk, attack trends, and configuration improvements, while the Human Risk Command Center ingests third-party telemetry from tools such as CrowdStrike and Microsoft Defender to help security teams prioritize organizational risk. Managed security and incident-response services provide additional operational support for organizations with limited in-house security resources.
Operational Considerations for Buyers
Mimecast is often strongest in organizations where compliance, continuity, retention, encryption, operational governance, human risk reduction, and administrative simplicity remain important purchasing criteria alongside phishing protection.
Large enterprises and regulated industries may particularly value consolidating communications security, continuity, archiving, governance, data protection, and incident response within a single platform. Organizations whose primary objective is maximizing behavioral detection against sophisticated BEC or identity-centric attacks may also evaluate more specialized architectures. Buyers seeking to consolidate governance, resilience, human risk, data security, and threat protection, however, are likely to view Mimecast differently than vendors focused primarily on detection.
Competition and Positioning
Mimecast competes through platform breadth rather than specialization. Its approach combines governance, continuity, compliance, threat protection, data protection, human risk capabilities, and broader communications-security coverage within a unified architecture instead of optimizing around a single detection methodology.
Recent efforts to simplify product packaging reinforce this strategy by making a broad platform easier to deploy and manage. As buyers continue to reduce product sprawl, operational simplicity, architectural breadth, and cross-domain telemetry may become increasingly important differentiators alongside detection efficacy.
Challenges and Open Questions
Mimecast’s primary challenge remains maintaining differentiation as behavioral analysis, explainability, AI-assisted investigation, and identity-aware detection become increasingly common across the market.
The company has significantly expanded its platform in recent years, extending into human risk, data security, AI-assisted operations, and broader communications security. The remaining question is less whether these capabilities exist and more how seamlessly they operate as a unified experience. Buyers will increasingly evaluate not only the depth of individual capabilities, but also whether the platform delivers measurable operational improvements across governance, security, data protection, and response.
Implications for Email Security Moving Forward
Mimecast’s recent direction suggests that the next phase of email security may involve operational consolidation as much as technical innovation. The company is simplifying deployment, integrating AI into analyst workflows, strengthening identity-aware response, expanding into data security and AI-related risks, and broadening its security ecosystem while preserving the governance capabilities that have long differentiated the platform.
If this direction continues, Mimecast may be well-positioned for organizations seeking to reduce operational complexity without sacrificing enterprise governance. Its continued investment in integrated security capabilities reflects a broader market trend toward platform consolidation, where governance, communications security, data protection, human risk, and operational resilience increasingly converge within unified security platforms.
Abnormal AI
Overview
Abnormal AI has established itself as one of the most prominent vendors in the ICES market by focusing on a problem that many organizations continue to struggle with: attacks that appear legitimate.
While phishing remains the most common email-borne threat, some of the most damaging incidents today involve BEC, VEC, ATO, executive impersonation, and other forms of social engineering that often contain few traditional indicators of compromise. In these scenarios, the challenge is not simply determining whether a message is malicious. It is determining whether a communication is consistent with the relationships, workflows, and business processes that normally exist within an organization.
Abnormal’s platform is designed around that premise. Its architecture emphasizes behavioral analysis, communication context, and organizational understanding rather than relying exclusively on content inspection and reputation systems. Over time, the company has expanded beyond its original focus on behavioral email detection into adjacent areas such as identity protection, ATO defense, explainability, and automated detection engineering.
Today, Abnormal’s position in the market is shaped less by the fact that it helped popularize relationship intelligence and more by how it continues to evolve those capabilities. Recent investments in a behavioral foundation model, threat research, explainability, and AI-assisted operations suggest a vendor focused on scaling and operationalizing behavioral security rather than treating it as a standalone detection technique.
Why This Vendor Matters
Abnormal represents one of the clearest examples of the industry’s shift toward communication-aware security.
The company’s platform is built around the belief that understanding how people normally communicate provides valuable security context that traditional inspection methods often miss. This remains particularly relevant as organizations continue facing attacks that exploit trusted relationships, supplier ecosystems, and established business processes.
Equally important, Abnormal has increasingly positioned itself not only as an email-security vendor but as a source of threat intelligence, attack research, and operational insight into how modern social-engineering campaigns are evolving.
Product & Architecture
Abnormal operates as an API-based security platform integrated directly with Microsoft 365 and Google Workspace environments. This deployment model provides access to mailbox telemetry, communication history, identity signals, and organizational context that can be used to evaluate activity across the tenant.
The platform’s architecture is designed to identify behavioral anomalies rather than focusing exclusively on malicious content. Communications are evaluated against established patterns involving senders, recipients, vendors, executives, and business processes. This allows the platform to identify attacks that may appear legitimate from a purely technical perspective but are inconsistent when viewed through the lens of organizational behavior.
This approach has proven particularly effective against BEC, vendor fraud, executive impersonation, ATO, and lateral phishing. These attacks often rely on legitimate infrastructure, compromised accounts, or trusted relationships, reducing the effectiveness of traditional detection techniques.
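Both CyberGraph in the Mimecast profile and Abnormal's behavioral detection are described as learning who normally communicates with whom and flagging messages that do not fit those relationships. The toy below is an added illustration of that idea, not either vendor's code: it builds a sender/recipient baseline from constructed mail metadata and scores new messages on relationship context (first contact, a known display name from an unknown domain, a Reply-To that leaves the sending domain, a lookalike of a trusted domain), consulting the subject only after the relationship already looks wrong. All addresses, names, terms and thresholds are assumptions.

```python
"""Relationship-graph baseline for BEC/VEC-style anomalies (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str         # From address
    display_name: str   # From header display name
    recipient: str
    subject: str
    reply_to: str = ""  # empty when the header is absent


# Subject terms that turn a relationship anomaly into a likely payment-fraud attempt (assumed list).
PAYMENT_TERMS = ("wire", "bank details", "payment", "invoice", "urgent")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class RelationshipGraph:
    """Learns who normally writes to whom, under which display name, from which domain."""

    def __init__(self) -> None:
        self.pair_counts: dict[tuple[str, str], int] = defaultdict(int)  # (sender domain, recipient)
        self.name_domains: dict[str, set[str]] = defaultdict(set)        # display name -> domains seen
        self.trusted_domains: set[str] = set()

    def learn(self, history: list[Message]) -> None:
        for m in history:
            sdom = domain_of(m.sender)
            self.pair_counts[(sdom, m.recipient.lower())] += 1
            self.name_domains[m.display_name.strip().lower()].add(sdom)
            self.trusted_domains.add(sdom)

    def assess(self, m: Message) -> list[str]:
        """Return relationship-context findings; an empty list means nothing looked anomalous."""
        findings: list[str] = []
        sdom = domain_of(m.sender)
        if self.pair_counts.get((sdom, m.recipient.lower()), 0) == 0:
            findings.append("first-contact")
        known = self.name_domains.get(m.display_name.strip().lower())
        if known and sdom not in known:
            findings.append("display-name-collision")
        if m.reply_to and domain_of(m.reply_to) != sdom:
            findings.append("reply-to-mismatch")
        if sdom not in self.trusted_domains:
            for trusted in sorted(self.trusted_domains):
                if edit_distance(sdom, trusted) <= 2:
                    findings.append(f"lookalike-domain:{trusted}")
        # Content is only consulted once the relationship context already looks wrong.
        if findings and any(t in m.subject.lower() for t in PAYMENT_TERMS):
            findings.append("payment-request")
        return findings


# Constructed history: a known supplier invoices AP, and an executive writes internally.
HISTORY = [
    Message("billing@acme-supplies.com", "Acme Supplies Billing", "ap@example.com", "Invoice 4468"),
    Message("billing@acme-supplies.com", "Acme Supplies Billing", "ap@example.com", "Invoice 4469"),
    Message("billing@acme-supplies.com", "Acme Supplies Billing", "ap@example.com", "Invoice 4470"),
    Message("dana.reyes@example.com", "Dana Reyes", "finance@example.com", "Q3 forecast"),
    Message("dana.reyes@example.com", "Dana Reyes", "ap@example.com", "Vendor onboarding"),
]

# Constructed test messages: a VEC lookalike, an executive impersonation, and a legitimate invoice.
SUSPECT_VENDOR = Message("billing@acme-supp1ies.com", "Acme Supplies Billing", "ap@example.com",
                         "Updated bank details for invoice 4471")
SUSPECT_EXEC = Message("dana.reyes@freemail.example", "Dana Reyes", "ap@example.com",
                       "Urgent wire needed today", reply_to="d.reyes@reply-box.example")
LEGIT_VENDOR = Message("billing@acme-supplies.com", "Acme Supplies Billing", "ap@example.com",
                       "Invoice 4472")


def build_graph() -> RelationshipGraph:
    graph = RelationshipGraph()
    graph.learn(HISTORY)
    return graph


if __name__ == "__main__":
    g = build_graph()
    for msg in (SUSPECT_VENDOR, SUSPECT_EXEC, LEGIT_VENDOR):
        print(msg.sender, "->", g.assess(msg) or "no relationship anomalies")
```

The legitimate invoice carries the same "invoice" keyword as the fraud attempt but raises nothing, which is the point of evaluating relationship context before content.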
Over time, Abnormal has expanded beyond email-specific use cases. Identity protection capabilities reflect the reality that many modern email incidents evolve into broader identity-security events involving credential theft, unauthorized access, privilege abuse, or account compromise.
The company’s architectural direction increasingly reflects a broader view of communications security in which email, identity, user behavior, and organizational trust are treated as interconnected sources of security intelligence.
The platform’s evolution also reflects a recognition that email incidents increasingly extend beyond the inbox. While Abnormal remains best known for its email-security capabilities, recent investments suggest a broader focus on communication and identity risk. Identity Protection addresses account takeover scenarios that often begin with phishing or credential theft but quickly expand into cloud applications, SaaS environments, and identity systems.
The company has also invested in post-delivery remediation workflows designed to reduce the operational burden associated with modern phishing campaigns. This reflects a broader industry reality: identifying a malicious message is only one part of the response process. Organizations must also determine who received the message, who interacted with it, whether similar messages exist elsewhere in the tenant, and what actions are required to contain the threat. By expanding beyond detection into remediation and identity-aware response, Abnormal increasingly positions itself as part of a larger security workflow rather than a standalone email control.
Market Context
Abnormal’s growth reflects a larger market reality: attackers have become increasingly adept at blending into normal business operations.
The company’s 2026 threat research found that while phishing represented the majority of observed attacks, BEC continued to account for a disproportionate share of financial impact. Within that category, VEC represented 61% of observed BEC attacks, highlighting the extent to which attackers now target trusted supplier relationships rather than relying solely on executive impersonation schemes.
The research also identified meaningful differences between organizations of different sizes. Smaller organizations experienced significantly higher rates of executive-focused impersonation attacks, while large enterprises saw attackers increasingly target employees and leverage lateral movement within compromised environments. According to the company’s findings, large enterprises were roughly 50 times more likely to experience lateral attacks than smaller organizations.
These trends reinforce a broader shift occurring across email security. Attackers are increasingly calibrating campaigns to specific organizational structures, communication patterns, and business processes. The challenge is no longer simply detecting malicious infrastructure. It is understanding how attacks exploit trust, familiarity, and organizational context.
Abnormal’s strategy is closely aligned with this reality.
Product and Technical Notes
Several recent developments help illustrate where the company is investing.
Attune 1.0, Abnormal’s behavioral foundation model, represents a formalization of the company’s long-standing focus on communication behavior. Rather than functioning as a general-purpose LLM, Attune is designed specifically to understand organizational communication patterns, relationship structures, and behavioral signals across enterprise environments. The objective is not simply language analysis but understanding how people, teams, suppliers, and executives normally interact.
Detection360 is another significant area of investment.
As email-security vendors increasingly report similarly high efficacy rates, buyers have become more interested in understanding how verdicts are generated and how detections evolve over time. Detection360 is designed to provide greater transparency into the signals contributing to a particular verdict and the reasoning behind platform decisions.
This capability is evolving beyond explainability alone. Recent enhancements provide visibility into the individual signals contributing to a detection, and show how customer submissions influence future detections across the platform. This creates a feedback loop between customer-reported incidents and ongoing detection improvement.
Perhaps more interesting is the company’s investment in AI-assisted detection engineering.
Detection360 enhancements also incorporate agentic workflows capable of analyzing customer submissions, generating semantic and lookalike detections, identifying similar messages across the environment, and supporting automated remediation efforts. Safeguards remain in place to prevent customer submissions from automatically generating new detections without additional analysis and validation, but the direction is notable. It reflects an effort to reduce manual detection-engineering overhead while improving responsiveness to emerging threats.
The emphasis on Detection360 appears closely tied to a broader challenge facing the email-security market. Most major vendors now report strong detection efficacy, making it increasingly difficult for buyers to differentiate platforms based solely on vendor-provided performance metrics. As a result, explainability, transparency, and operational validation are becoming more important procurement criteria.
Abnormal’s approach has been to provide greater visibility into how detections are generated, how customer-reported incidents influence platform protections, and how analysts can validate platform decisions. According to the company, customer environments continue to demonstrate extremely high detection efficacy while maintaining false-positive rates below one percent. Whether buyers view those numbers as differentiating factors increasingly depends on their ability to independently understand and verify platform outcomes.
This focus on validation extends into the company’s broader product strategy. Customer submissions increasingly function not only as incident reports but also as inputs into future detection development. The long-term vision appears to be a system in which customer observations, analyst workflows, threat research, and automated detection engineering contribute to a continuously evolving protection model. While many vendors discuss AI-assisted operations, Abnormal’s roadmap places particular emphasis on applying those capabilities to detection creation, campaign clustering, lookalike identification, and remediation rather than limiting them to analyst assistance alone.
Threat intelligence has also become a growing area of emphasis.
The company’s recent research into the Venom phishing-as-a-service operation provides a useful example. The campaign targeted executives across multiple industries and employed QR codes constructed from Unicode characters rather than image files, allowing them to bypass many traditional scanning techniques. Victims were directed to Microsoft impersonation pages with pre-populated credentials and ultimately subjected to MFA-bypass techniques designed to establish persistent access. According to the company, behavioral analysis played a critical role in identifying the campaign because it contained few traditional indicators of compromise.
This type of research appears increasingly important to Abnormal’s broader market strategy. Rather than relying exclusively on efficacy claims, the company is investing in original threat analysis intended to demonstrate how modern attacks operate and why behavioral detection remains relevant.
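A QR code rendered as text rather than an image slips past image-based scanners, but it leaves a textual footprint that can be checked before rendering. The heuristic below is an added example, not Abnormal's detection logic or anything from the Venom research: it flags a message body that contains a dense grid of Unicode block characters. The character range (U+2580 to U+259F, with spaces as white modules), the thresholds and both sample bodies are assumptions; the grid in the sample is a constructed pattern, not a real QR code.

```python
"""Heuristic detector for QR codes rendered as Unicode block characters in email text."""
from typing import Optional

# Assumption: text-rendered codes use the Block Elements range (U+2580-U+259F),
# with spaces standing in for white modules. The report does not name the exact characters.
BLOCK_CHARS = frozenset(chr(cp) for cp in range(0x2580, 0x25A0))


def is_module_char(ch: str) -> bool:
    return ch == " " or ch in BLOCK_CHARS


def find_text_qr(body: str, min_rows: int = 6, min_width: int = 12,
                 min_block_ratio: float = 0.5) -> Optional[dict]:
    """Return {"rows", "width", "start_line"} for the longest qualifying grid, else None.

    A line qualifies when it is at least `min_width` wide, consists only of block
    characters and spaces, and at least `min_block_ratio` of it is block characters.
    A grid is `min_rows` or more consecutive qualifying lines.
    """
    best = None
    start, rows, width = 0, 0, 0

    def flush() -> None:
        nonlocal best
        if rows >= min_rows and (best is None or rows > best["rows"]):
            best = {"rows": rows, "width": width, "start_line": start}

    for idx, raw in enumerate(body.splitlines()):
        line = raw.strip()
        blocks = sum(1 for ch in line if ch in BLOCK_CHARS)
        if (len(line) >= min_width and all(is_module_char(ch) for ch in line)
                and blocks / len(line) >= min_block_ratio):
            if rows == 0:
                start, width = idx, len(line)
            rows += 1
            width = min(width, len(line))  # narrowest row bounds the grid width
        else:
            flush()
            rows = 0
    flush()
    return best


# Constructed phishing-style body: a lure followed by a 10-row text grid (not a real QR code).
SAMPLE_PHISH = """\
Your shared document is ready.
Scan the code below with your phone to review it:

█▀▀▀▀▀█ ▄▀ ▄█ █▀▀▀▀▀█
█ ███ █ ▀▄▀▄  █ ███ █
█ ▀▀▀ █ ▄█▀▄▀ █ ▀▀▀ █
▀▀▀▀▀▀▀ █▄▀ █ ▀▀▀▀▀▀▀
▀▄█▀▄▀▀▄▀█▄▀▀▄█▀▄ ▀▀▄
▄ ▀▄▀█▀▄█▀ ▄▀█▄ ▀▄█▀▄
▀▀▀▀▀▀▀ ▀▄ ▄█▀▄▀█ ▄▀▀
█▀▀▀▀▀█ ▄▀▀█▄ ▀ █▄▀▄█
█ ███ █ █▀▄ ▀▄█▀▄ ▀ ▄
█ ▀▀▀ █ ▀ ▄▀█ ▄▀▀█▄▀▄

This link expires in 24 hours.
"""

# Constructed benign body: box-drawing tables and square bullets must not trigger.
SAMPLE_BENIGN = """\
Weekly status
┌────────────┬────────┐
│ Task       │ Status │
├────────────┼────────┤
│ Audit prep │ Done   │
└────────────┴────────┘
■ Review open invoices
■ Schedule vendor call
"""

if __name__ == "__main__":
    print("phish:", find_text_qr(SAMPLE_PHISH))
    print("benign:", find_text_qr(SAMPLE_BENIGN))
```

Box-drawing characters (U+2500 block) are outside the assumed range, so ordinary text tables pass; the thresholds are a starting point to tune against a mailbox's own traffic.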
Operational Considerations for Buyers
Organizations evaluating Abnormal should consider the platform’s strengths in relation to their primary threat concerns.
The architecture is particularly well aligned with environments where BEC, supplier fraud, ATO, executive impersonation, and social-engineering attacks represent significant risks. The platform’s emphasis on communication context and behavioral understanding provides advantages in situations where content inspection alone may be insufficient.
Buyers should also evaluate how detection visibility, remediation workflows, threat-intelligence reporting, and identity-security capabilities fit within broader operational processes. As explainability becomes a more important procurement requirement, the ability to understand and defend platform decisions may become increasingly valuable.
Competition and Positioning
Abnormal competes most directly against both legacy SEGs and newer cloud-native email-security platforms.
Against traditional vendors such as Proofpoint and Mimecast, the company generally positions behavioral analysis and organizational understanding as its primary differentiators. Against Microsoft, Abnormal is often deployed as a complementary layer rather than a replacement, extending native protections with additional behavioral analysis and threat-detection capabilities. According to the company, Microsoft environments represent a substantial portion of its installed base.
The company also increasingly intersects with adjacent identity-security and identity threat detection and response (ITDR) markets as account takeover and credential abuse become larger components of modern email-security programs. This convergence reflects a broader industry trend in which communication security and identity security are becoming increasingly difficult to separate.
Abnormal’s strongest position is often within organizations that have already concluded that business email compromise, supplier fraud, and account takeover represent their highest-priority email threats. In these environments, communication context and behavioral analysis frequently become more important evaluation criteria than traditional gateway capabilities.
Organizations operating in highly regulated industries may evaluate the platform differently. Archive, continuity, encryption, outbound DLP, and broader governance requirements remain important purchasing criteria for many enterprises, and buyers may therefore compare Abnormal alongside more operationally focused platforms depending on their priorities.
As a result, Abnormal’s success often depends less on replacing existing email infrastructure entirely and more on convincing buyers that behavioral intelligence deserves a dedicated layer within the security stack. The company’s continued growth suggests that many organizations increasingly agree with that premise, particularly as social engineering, supplier fraud, and identity compromise continue driving financial losses across the market.
Challenges and Open Questions
Abnormal’s primary challenge is maintaining differentiation as behavioral analysis becomes more common across the industry.
Many competing platforms now incorporate communication context, identity telemetry, and behavioral signals into their detection models. As a result, differentiation increasingly depends on the quality of those models, the effectiveness of operational workflows, and the ability to demonstrate measurable outcomes rather than simply claiming behavioral capabilities.
The company also faces the challenge of proving efficacy in a market where many vendors report similarly strong detection rates. This reality helps explain the growing emphasis on Detection360, explainability, customer feedback loops, and original threat research. These investments suggest a recognition that buyers increasingly want evidence, transparency, and operational proof rather than broad marketing claims alone.
Implications for Email Security Moving Forward
Abnormal’s vision of the market assumes that understanding behavior will remain a foundational component of email security.
That assumption appears increasingly reasonable as attackers continue leveraging trusted relationships, compromised accounts, supplier ecosystems, and highly personalized social-engineering techniques. The company’s own threat research suggests that attackers are becoming more targeted, more adaptive, and more willing to exploit organizational context rather than relying on generic phishing campaigns.
At the same time, the future of email security is unlikely to be defined by behavioral analysis alone. Identity telemetry, threat intelligence, investigation workflows, explainability, and automated response capabilities are all becoming increasingly important components of modern security programs.
Abnormal’s recent investments suggest the company understands this shift. The evolution of Detection360, the expansion of identity-security capabilities, the development of agentic detection-engineering workflows, and the growing focus on threat intelligence all point toward a broader vision that extends beyond email filtering and behavioral detection.
Conclusion
Abnormal remains one of the most influential vendors in the modern email-security market because its core focus continues to align with how attacks are evolving.
The company’s emphasis on communication context, behavioral analysis, and organizational understanding remains highly relevant in an environment where BEC, vendor fraud, ATO, and sophisticated social-engineering attacks continue to challenge traditional security controls.
Recent investments in explainability, AI-assisted detection engineering, threat intelligence, and identity protection suggest a vendor focused not only on identifying threats but on helping organizations understand, validate, and operationalize security decisions. As email security continues converging with identity, investigation, and automation, those capabilities may prove just as important as detection efficacy itself.
Varonis Interceptor (formerly SlashNext)
Overview
Email security has historically been evaluated through a relatively straightforward lens: can a platform identify and stop malicious messages before they reach users? While that objective remains important, many organizations are discovering that the challenge has become considerably more complex.
Modern phishing attacks increasingly rely on trusted infrastructure, legitimate cloud services, compromised accounts, and highly personalized social-engineering techniques. They often bypass traditional indicators of compromise and exploit the fact that employees are accustomed to interacting with Microsoft 365, Adobe, DocuSign, Dropbox, Salesforce, and countless other legitimate business platforms. In many cases, security teams are no longer struggling to identify obviously malicious content. They are struggling to determine whether a seemingly legitimate interaction is trustworthy.
Varonis entered this market from a different direction than most email-security vendors. The company built its reputation around data security, identity monitoring, and insider-risk visibility rather than email protection. Its introduction of Interceptor reflects a belief that phishing should be viewed not simply as an email problem, but as the first stage of a broader attack chain that often culminates in credential theft, data exposure, privilege escalation, or business process compromise.
This perspective has shaped both the architecture and positioning of the product. Rather than focusing exclusively on classifying messages, Interceptor places significant emphasis on investigation, evidence generation, attack reconstruction, and understanding attacker intent. The platform is designed not only to determine whether a message is malicious, but also to explain why that conclusion was reached and what actions defenders should take next.
That emphasis on evidence and investigation is particularly notable as AI continues to reshape both offensive and defensive security. As detection systems become increasingly automated, organizations are placing greater importance on understanding how decisions are made, validating security outcomes, and generating defensible evidence that can support response activities. In this environment, explainability becomes more than a product feature. It becomes part of the security workflow itself.
Today, Varonis occupies a distinctive position within the email-security market because it approaches phishing from the perspective of attack progression rather than message classification. The company is effectively arguing that security teams need to understand how attacks work, not simply whether they exist.
Why This Vendor Matters
Varonis represents one of the clearest examples of a broader shift occurring within email security: the movement from detection toward investigation.
Many platforms excel at identifying suspicious messages. Fewer platforms are designed around reconstructing attacks, analyzing infrastructure, generating evidence, and connecting phishing activity to broader identity and data-security workflows.
This distinction is important because modern phishing attacks increasingly span multiple systems, users, and channels. Security teams are often asked to answer questions that extend beyond whether a message was malicious. They need to understand how an attack was delivered, what infrastructure was involved, whether users interacted with it, what credentials may have been exposed, and whether additional systems were affected.
In account takeover scenarios, this data-security adjacency becomes particularly relevant. Once an account is compromised, the investigation often shifts from the original phishing message to questions about downstream access, including what sensitive data the account could reach, what actions were taken during the compromise window, and whether the incident created a broader data-exposure risk.
Interceptor’s connection to Varonis’ data-centric security model gives it a natural path into those questions and helps distinguish its approach from email-security products that remain focused primarily on message-level detection and remediation.
Product & Architecture
Interceptor combines foundational email-security functions with a broader investigative architecture intended to evaluate messages, URLs, infrastructure, and user interactions.
The platform analyzes inbound communications using multiple detection layers, including language models, visual analysis, infrastructure inspection, URL detonation, and behavioral indicators. Rather than relying on a single detection methodology, it attempts to build a more complete understanding of the attack and its associated infrastructure before reaching a verdict.
A notable component of the platform is the AI Phishing Sandbox. Unlike traditional sandboxing approaches that focus primarily on files or executable content, the AI Phishing Sandbox is designed to interact with phishing pages in a manner that resembles human behavior. The objective is to determine what a user would encounter if they followed the attack path, including redirects, credential collection forms, multi-step phishing workflows, and social-engineering mechanisms.
This capability is increasingly relevant because many modern phishing campaigns no longer depend on malware delivery. Instead, they rely on convincing users to authenticate, approve MFA requests, enter credentials, or disclose sensitive information. Understanding the user experience, therefore, becomes an important part of understanding the threat itself.
The platform also emphasizes infrastructure analysis. Redirect chains, domain registration details, certificate information, hosting environments, and related technical artifacts are incorporated into the investigative process. This allows analysts to move beyond simple classifications and develop a clearer understanding of how a campaign operates.
Another notable architectural decision is the company’s investment in browser-level visibility. As phishing increasingly shifts from email messages to browser interactions, the ability to observe and evaluate destinations becomes more valuable. Many attacks now involve multiple redirects, trusted cloud services, and staged credential-harvesting workflows that cannot be fully understood through message inspection alone.
A practical example helps illustrate why this visibility matters. A QR-code phishing attack may originate through email, direct a user toward a trusted cloud service, route them through multiple redirects, and ultimately present a credential-harvesting page designed to mimic a familiar business application. At each stage, the infrastructure involved may appear legitimate when evaluated in isolation. The challenge is understanding how those stages connect and whether the overall workflow serves a legitimate business purpose.
This is one reason browser-level visibility has become increasingly important. Modern phishing campaigns frequently distribute indicators across multiple systems and interactions rather than concentrating them within a single email or URL. Observing the complete user journey can therefore provide context that would be difficult to obtain through message inspection alone.
It also reflects a broader reality: users do not distinguish between corporate and personal communication channels when browsing. A credential-theft campaign launched through a personal Gmail account, SMS message, or social-media platform can ultimately create the same business risk as a phishing email delivered directly to a corporate inbox. Visibility at the browser layer can help close security gaps that traditional email-centric controls were never designed to address.
The broader platform combines several analytical approaches. Visual models inspect branding, screenshots, logos, embedded text, and QR codes. Language models evaluate requests, urgency, intent, and social-engineering techniques. Infrastructure analysis examines redirect chains, hosting environments, certificates, and domain characteristics, while behavioral signals contribute additional context around user interactions and attack progression.
This multimodal architecture reflects a broader reality of modern phishing campaigns. Attackers increasingly combine visual impersonation, trusted infrastructure, social engineering, and identity compromise within the same workflow. Evaluating those attacks often requires multiple analytical perspectives rather than relying on a single detection methodology.
The resulting architecture reflects a broader belief that phishing should be evaluated as a sequence of events rather than a single artifact. Messages, URLs, browser activity, infrastructure, and user interactions all contribute pieces of the overall picture.
Market Context
One of the most significant trends shaping the email-security market is the growing use of trusted infrastructure by attackers.
Historically, phishing campaigns often relied on newly registered domains, suspicious hosting providers, or clearly malicious infrastructure. While these tactics still exist, modern campaigns increasingly leverage services such as Microsoft 365, Adobe, Dropbox, DocuSign, Salesforce, Figma, Vercel, and Replit.
The challenge for defenders is that these platforms are not inherently malicious. In many cases, they are essential components of normal business operations. Blocking them outright is rarely practical. As a result, phishing increasingly becomes a question of intent rather than infrastructure.
A credential-harvesting page hosted on a trusted service may appear legitimate from a reputation perspective. A redirect chain may traverse multiple trusted domains before arriving at a malicious destination. A phishing email may contain links that pass traditional reputation checks because the infrastructure itself is legitimate. This reality creates pressure on detection systems to evaluate more than domains and URLs.
Interceptor’s architecture is particularly aligned with this challenge. Rather than treating trusted infrastructure as inherently benign, the platform attempts to understand how that infrastructure is being used. Redirect behavior, destination analysis, page content, credential collection mechanisms, and browser interactions all become relevant signals.
The company’s briefing also highlighted the growing prevalence of QR-code phishing, image-based phishing, and attacks designed specifically to bypass traditional scanning technologies. These campaigns frequently rely on visual elements, embedded content, and cloud-hosted workflows that are difficult to evaluate through conventional content inspection alone.
This helps explain Varonis’ investment in multimodal analysis. Modern phishing campaigns increasingly combine visual deception, trusted infrastructure, social engineering, and identity compromise within the same workflow. Evaluating any single component in isolation may not provide sufficient context.
The broader implication is that phishing detection increasingly requires understanding the entire attack path rather than merely inspecting the initial message.
Product and Technical Notes
Several aspects of Interceptor’s architecture reflect Varonis’ broader security background.
The platform’s AI Phishing Sandbox is designed to interact with phishing destinations in a manner that more closely resembles human behavior than traditional URL inspection technologies. Rather than simply rendering a page or evaluating static content, the sandbox follows redirect chains, interacts with phishing workflows, analyzes credential-harvesting stages, and documents the techniques used by attackers. This approach is particularly relevant as phishing campaigns increasingly rely on trusted cloud services, staged redirects, and multi-step authentication workflows.
Evidence generation is another notable differentiator. Interceptor produces screenshots, redirect-chain analysis, certificate information, hosting details, domain-registration data, and supporting artifacts intended to help analysts understand how a verdict was reached. As AI-assisted detection becomes more common across the industry, the ability to independently validate security decisions may become increasingly important.
The platform also incorporates multimodal analysis techniques that evaluate visual content, language patterns, infrastructure signals, and behavioral indicators together. This reflects the reality that modern phishing campaigns often distribute indicators across multiple layers in order to evade traditional controls. QR-code phishing, image-based phishing, brand impersonation, and cloud-hosted phishing workflows frequently require multiple forms of analysis to accurately assess risk.
Interceptor’s browser-oriented capabilities further distinguish it from many email-security products. The platform places significant emphasis on understanding what users encounter after clicking a link rather than focusing exclusively on the message itself. This allows analysts to evaluate the complete attack path, including redirects, destination content, credential collection mechanisms, and other indicators that may not be visible through message inspection alone.
A useful way to understand Interceptor is as an attack-reconstruction platform as much as a detection platform. Traditional email-security products often answer a relatively narrow question: is this message malicious? Interceptor attempts to answer a broader set of questions. What did the user actually encounter? How many redirects occurred? What infrastructure was involved? What credential-harvesting mechanisms were present? What evidence supports the final verdict?
This distinction becomes increasingly important as phishing attacks move away from malware delivery and toward browser-based workflows. Understanding the sequence of events surrounding an attack can provide valuable context for analysts, incident responders, and security leaders attempting to assess risk and determine appropriate remediation actions. Screenshots, redirect-chain mapping, infrastructure analysis, and browser observations are ultimately most valuable when they help security teams reconstruct the attack narrative and make more informed response decisions.
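The redirect-chain reconstruction and evidence record described in the Product and Technical Notes above, and the trusted-infrastructure chains discussed under Market Context, as an added example that is not Varonis' or Interceptor's code: it follows HTTP and meta-refresh redirects from a captured set of responses, records each hop with its captured certificate issuer, flags a chain that traverses trusted services and then ends elsewhere, and notes a password field on the final page. The fetcher, the TRUSTED_HOSTS allow-list and every URL are constructed stand-ins.

```python
"""Redirect-chain reconstruction and evidence record for a phishing investigation.
Added example; the fetcher, allow-list and sample responses are constructed."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# (status, headers, body, TLS issuer as captured by the fetcher); all constructed here
Response = Tuple[int, Dict[str, str], str, Optional[str]]

# Hypothetical allow-list of legitimate services that chains are routed through
TRUSTED_HOSTS = {"storage.example-cloud.com", "docs.example-saas.com"}


class PageProbe(HTMLParser):
    """Collect two page-level signals: a meta-refresh redirect and a password field."""

    def __init__(self) -> None:
        super().__init__()
        self.refresh_url: Optional[str] = None
        self.password_field = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_field = True
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            idx = content.lower().find("url=")
            if idx >= 0:
                self.refresh_url = content[idx + 4:].strip().strip("'\"") or None


@dataclass
class Hop:
    url: str
    status: int
    issuer: Optional[str]


@dataclass
class Evidence:
    hops: List[Hop]
    trusted_traversed: List[str]   # trusted hosts seen, in order, de-duplicated
    ends_off_trusted: bool         # chain used trusted infra but lands elsewhere
    password_form: bool            # final page asks for a password
    loop_detected: bool
    hop_limit_hit: bool

    @property
    def redirect_count(self) -> int:
        return len(self.hops) - 1

    @property
    def final_host(self) -> str:
        return urlsplit(self.hops[-1].url).hostname or ""


def reconstruct(start_url: str, fetch: Callable[[str], Response],
                max_hops: int = 10) -> Evidence:
    """Follow Location and meta-refresh redirects, stopping on loops or the hop cap."""
    hops: List[Hop] = []
    seen = set()
    loop = limit = password = False
    url = start_url
    while True:
        if url in seen:
            loop = True
            break
        seen.add(url)
        status, headers, body, issuer = fetch(url)
        hops.append(Hop(url, status, issuer))
        lower = {k.lower(): v for k, v in headers.items()}
        probe = PageProbe()
        probe.feed(body)
        nxt = lower.get("location") if 300 <= status < 400 else probe.refresh_url
        if nxt is None:
            password = probe.password_field
            break
        if len(hops) >= max_hops:
            limit = True
            break
        url = urljoin(url, nxt)  # Location headers may be relative
    hosts = [urlsplit(h.url).hostname or "" for h in hops]
    trusted = list(dict.fromkeys(h for h in hosts if h in TRUSTED_HOSTS))
    ends_off = bool(trusted) and hosts[-1] not in TRUSTED_HOSTS
    return Evidence(hops, trusted, ends_off, password, loop, limit)


def evidence_lines(ev: Evidence) -> List[str]:
    """Render the evidence chain an analyst reads alongside the verdict."""
    distinct = len({urlsplit(h.url).hostname for h in ev.hops})
    lines = [f"{ev.redirect_count} redirect(s) across {distinct} host(s)"]
    for i, h in enumerate(ev.hops):
        lines.append(f"  hop {i}: {h.status} {h.url} (issuer: {h.issuer or 'n/a'})")
    if ev.trusted_traversed:
        lines.append("trusted services in chain: " + ", ".join(ev.trusted_traversed))
    if ev.ends_off_trusted:
        lines.append(f"final destination {ev.final_host} is outside the trusted services it was reached through")
    if ev.password_form:
        lines.append("final page contains a password field (credential collection)")
    if ev.loop_detected or ev.hop_limit_hit:
        lines.append("chain truncated (loop or hop limit)")
    return lines


# Constructed capture: two hops on a trusted host, a meta refresh on a second trusted
# host, then a credential form on an unrelated host. Unknown URLs return status 0.
SAMPLE: Dict[str, Response] = {
    "https://storage.example-cloud.com/f/abc": (302, {"Location": "/r/next"}, "", "Example Cloud CA"),
    "https://storage.example-cloud.com/r/next": (302, {"Location": "https://docs.example-saas.com/view?id=1"}, "", "Example Cloud CA"),
    "https://docs.example-saas.com/view?id=1": (200, {}, '<meta http-equiv="refresh" content="0;url=https://login-portal.example.invalid/auth">', "Example SaaS CA"),
    "https://login-portal.example.invalid/auth": (200, {}, '<form><input name="user"><input type="password" name="pw"></form>', "Free CA"),
}
LOOP: Dict[str, Response] = {
    "https://a.example.invalid/x": (302, {"Location": "https://a.example.invalid/y"}, "", None),
    "https://a.example.invalid/y": (302, {"Location": "/x"}, "", None),
}


def sample_fetch(url: str) -> Response:
    return SAMPLE.get(url, (0, {}, "", None))


def loop_fetch(url: str) -> Response:
    return LOOP.get(url, (0, {}, "", None))


if __name__ == "__main__":
    print("\n".join(evidence_lines(reconstruct("https://storage.example-cloud.com/f/abc", sample_fetch))))
```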
The company’s background in data security also creates opportunities for tighter integration between phishing investigations and broader security workflows. While Interceptor remains an email-security product, organizations already using Varonis for data security posture management (DSPM), DLP, insider-risk monitoring, or identity investigations may find value in the ability to connect phishing activity with downstream security telemetry.
Another notable aspect of the platform is its emphasis on remediation and response. The market has historically focused heavily on detection efficacy, but security teams increasingly evaluate how quickly threats can be investigated, validated, and remediated. Varonis’ approach reflects the view that evidence generation, investigation workflows, and remediation support are becoming more important procurement criteria as phishing campaigns grow more sophisticated and operational teams face increasing alert volume.
Operational Considerations for Buyers
Organizations evaluating Interceptor should understand that the platform’s primary value proposition extends beyond detection efficacy alone.
Its strongest differentiation emerges in environments where investigation quality, analyst validation, evidence generation, and response workflows are important evaluation criteria. Security teams that regularly investigate sophisticated phishing attacks may find particular value in the platform’s ability to generate screenshots, infrastructure analysis, redirect-chain visibility, and supporting evidence.
The browser-oriented elements of the architecture are also worth evaluating carefully. Many phishing attacks now unfold across multiple redirects and cloud-hosted environments that are difficult to assess through message inspection alone. Organizations concerned about trusted-cloud phishing, QR-code phishing, and browser-based credential theft may view this visibility as a meaningful advantage.
Buyers should also evaluate how Interceptor integrates into existing security operations. Detection quality remains important, but so do remediation workflows, reporting, analyst experience, and integration with broader security tooling. Organizations that already leverage Varonis for data security, insider-risk monitoring, or identity investigations may find additional operational value through shared workflows and investigative context.
Organizations should also evaluate where Interceptor fits within their broader email-security architecture. In many environments, the platform will function as an additional investigative layer rather than a direct replacement for existing controls. Organizations already using Microsoft Defender, secure email gateways, or ICES platforms may find value in the additional visibility provided through attack reconstruction, browser analysis, and evidence generation.
Questions around OAuth-grant response, identity-security integrations, SIEM and SOAR connectivity, and support for incident-response workflows may ultimately prove just as important as detection performance. As phishing increasingly intersects with identity compromise and SaaS abuse, operational integration becomes a larger part of the purchasing decision.
As explainability becomes a larger procurement consideration across cybersecurity, the ability to validate security decisions may become increasingly important. Interceptor’s emphasis on evidence generation aligns closely with this trend.
Competition and Positioning
Interceptor occupies an unusual position within the email-security market because it approaches phishing through the lens of investigation rather than communication analysis or governance.
Against traditional secure email gateways, the platform differentiates through attack reconstruction, infrastructure analysis, browser-level visibility, and evidence generation.
Against cloud-native ICES vendors, it emphasizes understanding the mechanics of attacks rather than focusing primarily on communication context and behavioral relationships.
Against newer AI-focused platforms, it competes through investigative depth and the ability to provide supporting evidence for security decisions.
This positioning does not necessarily place Interceptor in direct competition with every email-security vendor. In many procurement scenarios, buyers may evaluate multiple architectural approaches simultaneously.
Some organizations prioritize behavioral analysis and relationship intelligence. Others prioritize governance, compliance, archive, and continuity. Others increasingly prioritize investigation, explainability, and operational response.
Interceptor’s strongest fit is likely to be among organizations that view phishing as part of a broader security workflow rather than an isolated email problem.
The platform may be particularly attractive to organizations that have already invested heavily in incident response, security operations, identity security, or data protection programs and are looking for greater investigative depth within their phishing defenses. In these environments, attack reconstruction and evidence generation may provide meaningful operational value beyond traditional message classification.
Conversely, organizations whose primary requirements center on archive, continuity, encryption, compliance, or governance may prioritize different evaluation criteria. Interceptor is not attempting to compete primarily on those dimensions. Its differentiation is rooted in understanding how attacks operate, documenting the evidence behind security decisions, and supporting investigation and response workflows.
This positioning places the platform somewhat adjacent to many cloud-native email-security products rather than directly replacing them. For some organizations, the most relevant question may not be whether investigation-centric architectures replace relationship-centric or governance-centric approaches, but how those approaches complement one another within a broader security program. The platform may also appeal to security teams seeking stronger connections between phishing investigations, identity security, and data security operations.
Organizations that prioritize business email compromise detection, communication analysis, and relationship intelligence as their primary evaluation criteria may find stronger alignment with other architectural approaches. Interceptor is most differentiated when investigation quality, evidence generation, attack reconstruction, and operational response are central procurement requirements.
Challenges and Open Questions
Varonis’ strategy raises several important questions about the future direction of email security.
The first concerns market education. Many organizations continue evaluating email-security platforms primarily through detection efficacy metrics. Investigation quality, evidence generation, and attack reconstruction may be valuable, but buyers must first view those capabilities as meaningful differentiators.
The second involves platform convergence. Many of the trends discussed throughout this report point toward increasing overlap between email security, identity protection, collaboration security, browser security, and data security. The market has not yet settled on how these capabilities should be packaged or delivered. Vendors are pursuing different visions of that future, and it remains unclear which models will ultimately prove most compelling to buyers.
A final question involves balancing automation with investigation. Rich investigative workflows can provide valuable context, but organizations must determine how much information analysts actually need and how that information should be incorporated into response processes. The balance between automated decision-making and human validation remains an active debate across the industry.
These questions are not unique to Varonis. They reflect broader uncertainties affecting the market as a whole.
Implications for Email Security Moving Forward
If Varonis’ vision proves correct, the future of email security may place greater emphasis on investigation, validation, and response rather than detection alone.
Historically, the category focused on preventing malicious messages from reaching users. Modern environments increasingly require organizations to understand what happened after delivery, how users interacted with content, what infrastructure was involved, whether credentials were exposed, and what downstream actions are necessary.
The rise of trusted-cloud phishing reinforces this trend. When attackers operate through legitimate services and cloud platforms, reputation-based controls become less effective. Security teams increasingly need visibility into attacker behavior, infrastructure usage, redirect chains, and user interactions to make informed decisions.
At the same time, buyers are becoming more interested in explainability. As AI-assisted detection becomes commonplace, the ability to provide evidence, support analyst validation, and defend security decisions may become a meaningful competitive differentiator. Vendors that can combine automation with transparency are likely to be well-positioned as the market evolves.
Varonis’ approach reflects one possible vision of that future: a security architecture in which phishing detection, investigation, evidence generation, and remediation operate as connected components of a broader workflow.
Conclusion
Varonis entered the email-security market from a different starting point than many of its competitors.
Rather than approaching phishing primarily as a messaging problem, the company views it as the beginning of a broader attack sequence that may ultimately involve identity compromise, data exposure, or business-process abuse. This perspective has shaped Interceptor’s emphasis on investigation, evidence generation, infrastructure analysis, and attack reconstruction.
The platform’s investments in AI Phishing Sandbox, multimodal detection, browser-level visibility, and explainable security workflows align closely with several of the most significant trends currently shaping the market. Trusted-cloud phishing, QR-code attacks, image-based phishing, and increasingly sophisticated social-engineering campaigns all place greater pressure on security teams to understand attacks rather than simply classify them.
Whether investigation-centric architectures become a dominant model remains an open question. Buyers will continue evaluating platforms through different lenses, including behavioral analysis, governance, automation, and operational efficiency. Interceptor represents a distinct perspective within that landscape: that understanding how an attack works may ultimately become just as important as detecting that it exists.
Ocean Security
Overview
As email attacks become more sophisticated, many security teams are discovering that detection alone is no longer the primary challenge. Most organizations can identify suspicious activity. The harder problem is understanding what happened, determining whether it matters, and responding quickly enough to reduce risk.
Ocean Security was founded around this operational reality. Rather than focusing exclusively on identifying known threats, the company emphasizes investigation, intent analysis, and automation. Its architecture reflects the belief that defenders increasingly need systems capable of evaluating unfamiliar attacks and reducing the manual effort required to investigate them.
This perspective aligns with a broader shift occurring across cybersecurity as AI lowers the cost of creating novel phishing campaigns and social-engineering attacks.
Why This Vendor Matters
Ocean represents one of the newer architectural directions emerging within email security: the use of AI-driven agents to investigate threats, evaluate intent, and automate portions of the response process.
The company reflects a growing belief that operational scale may become just as important as detection efficacy in the years ahead.
Product & Architecture
Ocean’s architecture is built around pre-delivery investigation and agent-driven analysis.
The platform uses over a dozen purpose-built AI agents to investigate messages, sender identity, links, attachments, infrastructure, financial context, and other supporting context before delivery. Rather than relying exclusively on reputation systems or historical indicators, Ocean attempts to determine what an email is trying to accomplish and whether the requested action introduces meaningful risk.
This approach differs from traditional classification-focused architectures. Instead of simply categorizing a message as benign or malicious, the platform attempts to understand intent and gather supporting evidence before reaching a verdict.
The company also places significant emphasis on automated remediation and analyst-assistance workflows designed to reduce investigation time and operational burden.
Ocean deploys via API only, requiring no MX record changes, and integrates in less than 4 minutes. The platform sits on top of existing Microsoft 365 or Google Workspace environments.
Market Context
Ocean reflects two broader trends shaping the market: the rise of agentic security operations and the growing demand for systems that can evaluate communications in the context of business processes rather than message content alone.
As attackers increasingly use AI to generate new phishing content and adapt campaigns quickly, defenders are looking for technologies capable of evaluating unfamiliar scenarios rather than relying solely on historical patterns. This has created growing interest in systems that can investigate, reason, and automate portions of the response process.
Product and Technical Notes
Ocean’s platform is organized around three core capabilities: Agentic Protection, Agentic Automation, and Agentic Investigation.
The company’s focus on intent analysis differentiates it from many traditional detection approaches. Ocean’s autonomous investigation engine, Ray, serves as the platform’s central intelligence and is designed for the kinds of deep email-security investigations that often fall to Tier 3 analysts. For each reported or suspicious email, Ray runs a swarm of specialized sub-agents across areas such as invoice analysis, infrastructure assessment, sandboxing, and content review, compressing investigations that may otherwise take several hours into under two minutes.
Ocean’s value proposition is not only speed, but explainability: each verdict is presented as a step-by-step evidence chain showing the signals evaluated rather than as a black-box score. Ray also handles automated triage of reported phishing and quarantine-release requests, allowing employees to receive rapid responses with a plain-language explanation of what was found, without requiring direct SOC involvement.
Ocean emphasizes workflow automation, helping security teams move from detection to response with less manual effort. This reflects the company’s broader focus on analyst productivity and operational efficiency.
Ocean’s approach is also notable for its emphasis on evidence rather than scoring. Rather than relying primarily on anomaly detection, reputation systems, or risk scores, the platform attempts to identify concrete indicators that support or refute a malicious hypothesis. This philosophy aligns closely with the company’s broader focus on explainability and investigation.
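To make the "evidence rather than scoring" distinction concrete, the following Python sketch is an added illustration written for this report; it is not Ocean's code and does not describe how Ray is implemented. It runs four small checks (standing in for identity, reply-path, financial-context and link-infrastructure sub-agents) over a constructed message and a constructed vendor baseline, records each finding as a piece of evidence that supports or refutes a "malicious" hypothesis, and derives the verdict from the evidence itself so that the chain can be shown to an analyst or an employee in plain language. All names, fields, checks and sample data are assumptions made for the example.

```python
"""Evidence-chain verdict sketch (added example; not Ocean Security's code)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Evidence:
    check: str                # which sub-agent produced the finding
    supports_malicious: bool  # True = supports the hypothesis, False = refutes it
    rationale: str            # plain-language explanation kept for the audit trail


@dataclass
class Verdict:
    label: str
    chain: list[Evidence] = field(default_factory=list)

    def explain(self) -> str:
        """Render the verdict as a step-by-step evidence chain, not a score."""
        lines = [f"Verdict: {self.label}"]
        for e in self.chain:
            lines.append(f"  [{'+' if e.supports_malicious else '-'}] {e.check}: {e.rationale}")
        return "\n".join(lines)


# Constructed sample data: a look-alike vendor domain asking for a bank-detail change.
SAMPLE_EMAIL = {
    "from_addr": "billing@acme-supplies-invoices.com",
    "reply_to": "acme.accounts@mail-relay.example",
    "subject": "URGENT: updated bank details for invoice #4471",
    "body": "Please update our remittance details before paying invoice #4471 today. "
            "New IBAN attached. Confirm at https://acme-supplies-invoices.com/verify",
}
# Constructed sample data: the same vendor's routine invoice from its real domain.
LEGIT_EMAIL = {
    "from_addr": "billing@acme-supplies.com",
    "reply_to": "billing@acme-supplies.com",
    "subject": "Invoice #4471",
    "body": "Please find invoice #4471 attached. Payment terms unchanged. "
            "Portal: https://portal.acme-supplies.com/invoices",
}
# Constructed relationship baseline (assumed; a real engine would derive this from mail history).
KNOWN_VENDORS = {"acme-supplies.com": {"first_seen_days_ago": 540, "bank_change_history": 0}}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_sender_identity(msg: dict, vendors: dict) -> Evidence:
    """Identity: does the business have a relationship with this sending domain?"""
    domain = _domain(msg["from_addr"])
    if domain in vendors:
        return Evidence("sender_identity", False, f"{domain} is an established vendor domain")
    look_alike = [v for v in vendors if v.split(".")[0] in domain]
    if look_alike:
        return Evidence("sender_identity", True,
                        f"{domain} has no history but resembles known vendor {look_alike[0]}")
    return Evidence("sender_identity", True, f"{domain} has no relationship history")


def check_reply_path(msg: dict) -> Evidence:
    """Reply path: would a reply go somewhere other than the claimed sender?"""
    from_domain = _domain(msg["from_addr"])
    reply_domain = _domain(msg.get("reply_to") or msg["from_addr"])
    if reply_domain != from_domain:
        return Evidence("reply_path", True, f"replies are redirected to {reply_domain}")
    return Evidence("reply_path", False, "replies return to the sending domain")


def check_financial_intent(msg: dict) -> Evidence:
    """Financial context: is the message trying to change how money moves?"""
    text = f"{msg['subject']} {msg['body']}".lower()
    change = re.search(r"\b(bank details|remittance|iban|account number)\b", text)
    urgency = re.search(r"\b(urgent|today|immediately)\b", text)
    if change and urgency:
        return Evidence("financial_intent", True, "requests a payment-detail change under time pressure")
    if change:
        return Evidence("financial_intent", True, "requests a payment-detail change")
    return Evidence("financial_intent", False, "no request to alter payment instructions")


def check_links(msg: dict) -> Evidence:
    """Infrastructure: do embedded links stay on the claimed sender's domain?"""
    from_domain = _domain(msg["from_addr"])
    hosts = {urlparse(u).hostname.lower() for u in re.findall(r"https?://[^\s<>\"]+", msg["body"])
             if urlparse(u).hostname}
    foreign = sorted(h for h in hosts if h != from_domain and not h.endswith("." + from_domain))
    if not hosts:
        return Evidence("link_infrastructure", False, "no links in body")
    if foreign:
        return Evidence("link_infrastructure", True, f"links lead off the sender's domain: {', '.join(foreign)}")
    return Evidence("link_infrastructure", False, "all links stay on the sender's domain")


def investigate(msg: dict, vendors: dict = KNOWN_VENDORS) -> Verdict:
    """Run every check, then decide from the evidence rather than a summed score."""
    chain = [check_sender_identity(msg, vendors), check_reply_path(msg),
             check_financial_intent(msg), check_links(msg)]
    by = {e.check: e for e in chain}
    # One high-impact combination decides the case: a payment change from an unverified identity.
    if by["financial_intent"].supports_malicious and by["sender_identity"].supports_malicious:
        label = "malicious"
    elif sum(e.supports_malicious for e in chain) >= 2:
        label = "suspicious"
    else:
        label = "benign"
    return Verdict(label, chain)


if __name__ == "__main__":
    print(investigate(SAMPLE_EMAIL).explain())
    print(investigate(LEGIT_EMAIL).explain())
```

The point of the sketch is the shape of the output, not the checks themselves: every finding, including the ones that refute the hypothesis (here, the malicious sample's links stay on its own domain), is kept in the chain, and the verdict rule is readable by the person who has to trust it. A buyer evaluating "explainable" claims can ask for exactly this: the refuting evidence as well as the supporting evidence, and the rule that turned the chain into a decision.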
Operational Considerations for Buyers
Ocean may be particularly attractive to organizations that want to remediate threats with transparent, explainable AI decision making, that need to reduce investigation workload without significantly expanding headcount, or that are concerned about missing novel AI-powered attacks that no longer trigger traditional detection signals.
Buyers should evaluate not only detection capabilities, but also how the platform integrates into existing SOC workflows, remediation processes, and governance requirements. As with many emerging platforms, operational trust and workflow fit may be just as important as technical efficacy.
Competition and Positioning
Ocean competes through automation and investigation depth rather than governance, behavioral analysis, or relationship intelligence.
Its strongest differentiation lies in combining agent-driven analysis with operational workflows designed to reduce analyst effort and accelerate response.
Challenges and Open Questions
The company’s central challenge is not proving that investigation can be automated. The more important question is how much investigation organizations will ultimately feel comfortable delegating to autonomous systems.
Like many emerging vendors, Ocean must also demonstrate scalability, consistency, and operational trust across larger enterprise environments.
Another question concerns channel coverage. Ocean’s long-term vision extends beyond email into platforms such as Slack, Teams, and other communication channels, but the platform’s current focus remains primarily on email security. As social-engineering attacks increasingly move across multiple communication surfaces, the company’s ability to extend its investigation and automation model beyond the inbox will be an important area to watch.
Implications for Email Security Moving Forward
If Ocean’s perspective proves correct, the future of email security may involve a greater shift from classification toward investigation and automation.
As attack volume continues increasing, organizations will likely place greater value on platforms capable of reducing analyst workload while maintaining confidence in security outcomes.
Conclusion
Ocean Security offers a forward-looking perspective on the email-security market.
Its emphasis on AI-driven investigation, intent analysis, and workflow automation reflects a belief that defenders increasingly need help understanding and responding to threats, not simply identifying them. Whether agentic investigation becomes a mainstream security model remains an open question, but Ocean highlights an important direction of travel for the industry.
Research Disclosure
This report reflects SACR’s independent research and analysis of the email security market as of June 2026.
Varonis and Abnormal AI participated in sponsored research programs associated with this report. Sponsorship provided access to briefings, product demonstrations, and supporting materials. It did not influence SACR’s conclusions, analysis, or editorial direction.
The vendor profiles in this report are not product reviews, rankings, or procurement recommendations. They are intended to illustrate how different vendors are responding to many of the same market forces discussed throughout the report. All opinions expressed are those of SACR.