Email Security Software

AI-driven behavioral anomaly detection, modern category leader for BEC, ATO, and vendor email compromise.

Abnormal Security is the modern AI-driven email security leader, founded 2018 by former Twitter and Pinterest engineers. The product is API-integrated (Microsoft Graph / Google Workspace) rather than gateway-inline, which lets it ingest the full identity and behavioral graph of the organization and detect anomalies that signature-based gateways consistently miss, particularly business email compromise, account takeover, and vendor email compromise. Closed a $250M Series D at a $5.1B valuation in 2024, with reported 2025 ARR over $300M. Best fit for enterprises (1,000-100,000+ employees) on Microsoft 365 or Google Workspace deploying alongside Defender for O365 or a legacy SEG as the AI-behavioral overlay layer. Trade-offs: priced as a premium overlay (does not replace your inline SEG/Defender for most buyers), pricing opaque and rising, and the company is still pre-IPO so financial transparency is limited.

Largest legacy enterprise SEG installed base; Tessian acquisition added behavioral AI.

Proofpoint is the legacy enterprise email security leader by installed base, founded 2002 and public 2012. Thoma Bravo took the company private at $12.3B in 2021, at the time the largest software take-private in history. The product has the largest enterprise installed base among traditional secure email gateways, particularly entrenched in regulated verticals (financial services, healthcare, federal). Acquired Tessian in October 2024 to plug the visible behavioral AI gap against Abnormal, that integration is still settling into the core product as of 2026. Trade-offs: PE-driven price escalation has been aggressive (10-20% annual increases reported), the platform feels increasingly heavy compared to API-native challengers, and Microsoft Defender for O365 erodes the bottom of the installed base every renewal cycle.

Legacy SEG with mature archiving and awareness training bundle; PE-owned post-2022.

Mimecast is the legacy email security and continuity platform founded in London in 2003. Permira took the company private in August 2022 at $5.8B. The product's historical strength is the integrated bundle of email security + email continuity + archiving + security awareness training, particularly attractive for buyers wanting a single vendor for those four functions. Acquired Code42 in 2024 for insider risk capability and Aware in 2024 for collaboration security. Trade-offs: similar to Proofpoint, PE ownership has driven aggressive pricing escalation, behavioral AI lags Abnormal, and Microsoft Defender for O365 is the constant replacement threat at every renewal.

Bundled with M365 E5, the de facto default for Microsoft-anchored organizations.

Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection / ATP) is the email security product bundled into Microsoft 365 E5 and available standalone as Plan 1 / Plan 2. The product's defining advantage: at zero incremental cost for M365 E5 customers, it has become the default reference point that every legacy SEG must out-perform to justify its line item. Detection efficacy has materially closed the historical gap with Proofpoint and Mimecast on signature-based threats, and Defender XDR integration (cross-domain telemetry across email, endpoint, identity, cloud) is structurally unmatched by any standalone email vendor. Trade-offs: behavioral AI for BEC and ATO still lags Abnormal materially, the management UX (Microsoft 365 Defender portal) has a steep learning curve, and standalone Plan 1/Plan 2 pricing without M365 E5 is less compelling than the bundled story.

IronPort heritage; tight Cisco SecureX and Talos threat intelligence integration.

Cisco Secure Email (formerly Cisco Email Security Appliance / IronPort) is the email security platform Cisco acquired with IronPort in 2007 for $830M. The product's strengths: deep integration with the Cisco SecureX security platform, Cisco Talos threat intelligence (one of the largest commercial threat research teams), and the option of cloud, hybrid, or on-premises appliance deployment for organizations with legacy on-prem requirements. Best fit for enterprises already committed to Cisco network security stacks. Trade-offs: innovation pace has been slow relative to modern AI-behavioral challengers, the IronPort heritage shows in older UX, and outside Cisco-anchored stacks the value proposition is weak.

Mid-market email + backup + archive bundle; KKR-owned post-2022.

Barracuda Email Protection is the email security product line within the broader Barracuda Networks portfolio (also encompassing backup, web application firewall, and SD-WAN). KKR acquired Barracuda for $4B in 2022 from Thoma Bravo, who had taken it private in 2018. The product's strengths: strong mid-market fit, integrated bundling with Barracuda Backup and Cloud-to-Cloud Backup, and the Sentinel API-integrated layer (acquired Sookasa heritage) for post-delivery behavioral detection. Best fit for mid-market organizations (200-5,000 employees) wanting integrated email + backup + archive under a single mid-market vendor. Trade-offs: PE ownership pattern same as Proofpoint and Mimecast, pricing escalation reported, behavioral AI lags modern leaders, and innovation pace has been steady rather than aggressive.

Cloud-anchored API-integrated email security; tight Check Point Infinity integration.

Avanan is the cloud-anchored email security platform Check Point Software Technologies acquired in August 2021 for ~$300M. The product was an early API-integrated email security pioneer (founded 2015), inserting between Microsoft 365 / Google Workspace and the inbox via API to provide post-delivery detection without changing MX records. Now branded as Check Point Harmony Email & Collaboration. Best fit for organizations already committed to Check Point's Infinity security platform wanting unified threat prevention across email, network, and endpoint. Trade-offs: outside Check Point-anchored stacks the value proposition is weaker, behavioral AI lags Abnormal materially, and the post-acquisition product velocity has been steady rather than aggressive.

Open-format detection rules (MQL); modern challenger for detection-engineering teams.

Sublime Security is a modern challenger founded in 2020, building an open-format email detection platform around MQL (Message Query Language), an open detection rule format that lets security teams read, write, and share email detection logic the same way they share Sigma rules for SIEM or YARA rules for malware. The product is API-integrated (Microsoft Graph / Google Workspace) and includes a free Community Edition. Best fit for mature security teams running detection engineering as a discipline, security teams that already write custom Sigma, Snort, or YARA rules and want the same control over email detection. Trade-offs: Smaller deployed base versus Abnormal, requires detection engineering muscle to extract full value, and best-fit narrows below 200 employees.

Post-delivery email protection, reduces the blast radius of compromised mailboxes.

Material Security is a modern challenger founded in 2017, building post-delivery email protection that reduces the blast radius of compromised mailboxes. The product's thesis: pre-delivery filtering will always miss some attacks, so the durable defensive posture is to assume mailboxes will be compromised and to architect them to limit damage when they are. Material does this by re-encrypting historical sensitive email at rest, requiring step-up authentication to retrieve it, and by hardening Microsoft 365 / Google Workspace configurations against the post-takeover playbook (forwarding rules, OAuth grants, mailbox delegation). Best fit for security-mature organizations specifically prioritizing account takeover containment as a layer above their inline SEG or Defender. Trade-offs: niche positioning makes it a complement rather than a replacement, Narrower customer base than Abnormal, and the value is in containment rather than detection.

French ML-anchored email security; strong European mid-market and ISP fit.

Vade (formerly Vade Secure) is a French ML-anchored email security platform founded in 2009. Hornetsecurity Group acquired Vade in 2024 to consolidate the European email security mid-market. The product's strengths: ML-anchored detection going back to 2009 (well before the modern AI-behavioral wave), strong European data residency, and a mature OEM business protecting over 1.4 billion mailboxes globally through ISPs and telcos. Best fit for European mid-market organizations and ISPs / telcos protecting end-user mailboxes. Trade-offs: outside Europe brand visibility is lower, behavioral AI capability for BEC lags Abnormal, and the Hornetsecurity acquisition is still settling product roadmap as of 2026.