Unwrapped

Teardown · abnormal-security

ABNORMAL SECURITY

Category: Email Security · Valuation: $5.1B (2024)
  • Menlo Ventures
  • Insight Partners
  • Greylock

Customer email + Microsoft/Google signals + ML/LLM classifiers + packaged policy engine.

01 · Public data / API layer

  • Microsoft 365 / Exchange Online API (API)
  • Google Workspace Gmail API (API)
  • Customer email metadata & historical communication graphs (yours)

Internal replication score

Easy · 0.67

Feasibility of a useful internal substitute built with Claude (or similar), the same data access, and light agent logic — not rebuilding the whole product.

IRS = 0.30·D + 0.25·L + 0.20·O + 0.15·R + 0.10·S (this record: 0.67)
  • D · Data accessibility (weight 0.30; this record 0.85)
    • 1.0: mostly customer-owned / public / standard third-party sources
    • 0.5: mixed accessibility
    • 0.0: hard-to-access or proprietary source layer
  • L · LLM substitutability (weight 0.25; this record 0.75)
    • 1.0: mostly retrieve / prompt / cite / summarize / classify / compare
    • 0.5: mixed standard + custom behavior
    • 0.0: strongly custom model behavior (fine-tunes on proprietary data, etc.)
  • O · Output simplicity (weight 0.20; this record 0.70)
    • 1.0: straightforward internal work product (memo, list, reply, SQL query)
    • 0.5: moderately specialized
    • 0.0: highly specialized (e.g. FDA-graded clinical text)
  • R · Review / risk tolerance (weight 0.15; this record 0.40)
    • 1.0: internal use with human review is acceptable
    • 0.5: moderate risk
    • 0.0: very low tolerance for error (e.g. external legal filings)
  • S · Surface complexity (weight 0.10; inverse, higher means less surface dependence; this record 0.30)
    • 1.0: a simple internal shell is enough
    • 0.5: polished workflow matters somewhat
    • 0.0: product surface / rollout / trust posture is central to value

Labels: Easy ≥ 0.67 · Medium ≥ 0.34 · Hard < 0.34

Missing factor rows use heuristics from wrapper scores. Editorial heuristic, not investment advice.
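The score above worked through in code, as an added example that is not the site's own implementation. Weights, label floors and the five factor values are the ones shown on this page; the handling of a missing factor row is an assumption (a caller-supplied default), because the "heuristics from wrapper scores" the page mentions are not published here.

```python
"""Internal replication score (IRS) as defined on this page, worked as an example.

Added illustration, not the site's own code. WEIGHTS and LABEL_FLOORS are the
page's; THIS_RECORD holds the factor values shown for abnormal-security. The page
fills missing factor rows from wrapper-score heuristics that are not published
here, so this version falls back to a caller-supplied default (assumption).
"""

WEIGHTS = {"D": 0.30, "L": 0.25, "O": 0.20, "R": 0.15, "S": 0.10}

# Label floors from the page; anything below the Medium floor is Hard.
LABEL_FLOORS = [("Easy", 0.67), ("Medium", 0.34)]

# Factor values shown above for this record (D, L, O, R, S).
THIS_RECORD = {"D": 0.85, "L": 0.75, "O": 0.70, "R": 0.40, "S": 0.30}


def contributions(factors, missing_default=0.5):
    """Per-factor weight x value terms of the IRS sum, with missing rows defaulted."""
    out = {}
    for key, weight in WEIGHTS.items():
        value = factors.get(key, missing_default)  # assumption: flat default for missing rows
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {key} must lie in [0, 1], got {value}")
        out[key] = weight * value
    return out


def irs(factors, missing_default=0.5):
    """IRS = 0.30*D + 0.25*L + 0.20*O + 0.15*R + 0.10*S."""
    return sum(contributions(factors, missing_default).values())


def label(score):
    """Map a score onto the page's Easy / Medium / Hard bands."""
    for name, floor in LABEL_FLOORS:
        if score >= floor:
            return name
    return "Hard"


if __name__ == "__main__":
    score = irs(THIS_RECORD)
    for key, term in contributions(THIS_RECORD).items():
        print(f"{key}: {WEIGHTS[key]:.2f} x {THIS_RECORD[key]:.2f} = {term:.4f}")
    print(f"IRS = {score:.4f} -> {label(score)}")  # 0.6725 -> Easy
```

Running it reproduces the 0.67 shown for this record (0.6725 before rounding), which sits just above the Easy floor; drop R or S a little and the label flips to Medium, which is why the per-factor breakdown is worth printing alongside the total.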

Build it yourself

Recreate the workflow inside your org (internal build).

Same Microsoft/Google APIs + open ML classifiers + behavioral prompt — trust gap and rollout friction remain.

Internal use only. Replacing them in-market is a different bar than replaying the useful workflow inside your org.

01 · Connectors & flow

  • Microsoft 365 / Exchange Online API
  • Google Workspace Gmail API
  • Customer email metadata & historical communication graphs

Internal build map

  • Data in → Connectors
  • Agent layer → Planner · Tools + retrieval · Reasoning model
  • Logic → LLM API · retrieve signals · behavioral ML · classify intent · auto-remediate (not custom weights)
  • Outputs → Internal search · Answer · Citations

02 · Claude / agent prompt

Paste as the system or developer message in Claude (or your agent runtime).

// Email security triage agent for [YOUR_COMPANY] SOC

You are an email security analyst inside [YOUR_COMPANY]. You help the security team triage potentially malicious emails using ONLY signals accessible via Microsoft Graph API or Google Workspace Admin SDK: sender metadata, historical communication graph, email content, request anomalies.

## What you must do

1. Retrieve first: query the email corpus for sender history, communication frequency with recipient, typical request patterns from this sender domain.
2. Classify rigorously: apply behavioral heuristics (e.g., first-time sender + urgent financial request = high risk) plus text analysis for social engineering tactics (urgency, authority impersonation, request for credentials/payment).
3. Surface conflicts: when a request contradicts established patterns (e.g., CFO's compromised account suddenly asks for wire transfer to new vendor), flag and escalate.
4. Scope: you classify threats (phishing, BEC, account takeover, misdirected email) and recommend remediation (quarantine, warn user, strip malicious links) — you do not execute remediation without human approval for high-impact actions.

## What you are not

Not a replacement for endpoint protection or network security. Human SOC review required for non-obvious cases. Internal use only.

## Refusal

Refuse if the email is outside company tenant or if you lack API access to sender history. Ask for more context when sender reputation is ambiguous and no clear threat indicators exist.

## Safety

Internal posture: prefer false positives (over-quarantine) for financial requests from anomalous senders. Human review gate for any action that blocks executive or vendor communication.

03 · Result

Query (via microsoft-365-api): Is this email from our CFO asking to change the payroll bank account safe?

Answer: High risk: first-time request, no prior payroll communication from CFO account, urgent tone. Recommend quarantine + manual verification via secondary channel.
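The retrieve-first, then classify, then gate flow that the prompt lays out, and the CFO payroll result above, as an added example in deterministic code rather than a model prompt. This is not Abnormal Security's code and does not call the Microsoft Graph or Gmail APIs; HISTORY, EXECUTIVES, the keyword patterns and the three sample messages are all constructed stand-ins for what the connectors would return, and the point weights are an assumption chosen to reproduce the prompt's own heuristics (first-time sender + urgent financial request = high risk; a money ask with no money history is a conflict to surface).

```python
"""Behavioral email-triage heuristic over constructed tenant data.

Added illustration of the prompt's flow: retrieve sender history first, combine
it with text signals, then route anything high-impact to a human. Not Abnormal
Security's code; HISTORY, EXECUTIVES, the patterns and the sample messages are
constructed, and the scoring weights are an assumption.
"""
import re
from dataclasses import dataclass


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str


# Constructed communication graph: (sender, recipient) -> subjects of past mail on that pair.
HISTORY = {
    ("cfo@example.com", "payroll@example.com"): ["Q3 budget review", "Board deck comments"],
    ("billing@parts-supplier.example", "ap@example.com"): ["Invoice 1043", "Invoice 1051", "Invoice 1062"],
}

# Constructed list of accounts whose mail is never blocked without a human decision.
EXECUTIVES = {"cfo@example.com", "ceo@example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
FINANCIAL = re.compile(r"\b(wire|transfer|bank account|payroll|invoice|payment|gift cards?)\b", re.I)
CREDENTIAL = re.compile(r"\b(password|verify your account|sign in|log ?in)\b", re.I)
PAYMENT_CHANGE = re.compile(r"\b(change|update|new)\b.*\b(account|bank|vendor|routing)\b", re.I)


def retrieve(sender, recipient, history=HISTORY):
    """Step 1 of the prompt: pull sender->recipient history before judging content."""
    past = history.get((sender, recipient), [])
    return {
        "count": len(past),
        "first_time": not past,
        "prior_financial": any(FINANCIAL.search(s) for s in past),
    }


def classify(email, history=HISTORY):
    """Steps 2 and 3: combine behavioral context with text signals, then decide."""
    ctx = retrieve(email.sender, email.recipient, history)
    text = f"{email.subject}\n{email.body}"
    signals, score = [], 0
    if ctx["first_time"]:
        signals.append("first-time sender->recipient pair")
        score += 2
    if URGENCY.search(text):
        signals.append("urgency language")
        score += 1
    if FINANCIAL.search(text):
        signals.append("financial request")
        score += 1
        if not ctx["prior_financial"]:
            # The conflict the prompt asks to surface: a money ask with no money history.
            signals.append("no prior financial communication on this pair")
            score += 3
    if PAYMENT_CHANGE.search(text):
        signals.append("request to change payment details")
        score += 2
    if CREDENTIAL.search(text):
        signals.append("credential solicitation")
        score += 3

    # Prompt's posture: lean toward false positives on anomalous financial requests.
    if score >= 5:
        risk, action = "high", "quarantine + verify via secondary channel"
    elif score >= 2:
        risk, action = "medium", "warn user"
    else:
        risk, action = "low", "deliver"
    # Safety gate: blocking mail, or acting on an executive's mail, needs a human.
    human_review = action.startswith("quarantine") or email.sender in EXECUTIVES
    return {"risk": risk, "score": score, "signals": signals,
            "action": action, "human_review": human_review}


# Constructed sample messages.
CFO_PAYROLL = Email("cfo@example.com", "payroll@example.com",
                    "Urgent: update payroll bank account",
                    "Please update the payroll deposit account before today's run. "
                    "I'm in meetings, handle it right away.")
VENDOR_INVOICE = Email("billing@parts-supplier.example", "ap@example.com",
                       "Invoice 1070",
                       "Attached is invoice 1070 for last month's order, net 30 as usual.")
CRED_PHISH = Email("it-helpdesk@mail-storage.example", "alice@example.com",
                   "Mailbox almost full",
                   "Sign in to verify your account or your mail will be deleted.")

if __name__ == "__main__":
    for msg in (CFO_PAYROLL, VENDOR_INVOICE, CRED_PHISH):
        print(msg.sender, classify(msg))
```

The CFO message lands at high risk for the same reasons the result above gives (urgent tone, a payroll-change request, no prior financial traffic on that pair), while the routine vendor invoice stays low because the pair has invoice history; the credential phish from an unknown sender is high on first-time plus credential solicitation alone. Keeping `retrieve` separate from `classify` is what lets the history query be swapped for a real Graph or Gmail call without touching the decision logic.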