Ross Wolf

631 posts

@rw_access

fan of the absurd. engineer for @Sublime_Sec. previously at @Elastic @EndgameInc @MITREcorp https://t.co/Jvf9O8HJvM

Colorado · Joined June 2018
619 Following · 1.1K Followers
Ross Wolf @rw_access ·
@sublime_sec TL;DR How to make ~90% similarity search
Instead of one hash for a 100% match,
1. Use many min hashes (400-500)
2. Group those into a handful of big hashes (10-20)
3. Find an exact matching big hash to get close
4. Count matching small hashes to calculate similarity
0
0
3
449
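The four steps in the TL;DR above, sketched as an added example (not part of the original post and not Sublime's code). The seeded BLAKE2b hashing, the 400/20 split, the `SimilarityIndex` name and the token lists are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

NUM_HASHES = 400                  # step 1: many small min hashes
NUM_BANDS = 20                    # step 2: a handful of big hashes
ROWS = NUM_HASHES // NUM_BANDS    # small hashes folded into each big hash

def _h(seed, token):
    # Seeded 64-bit hash: BLAKE2b's salt yields one hash function per seed.
    d = hashlib.blake2b(token.encode(), digest_size=8, salt=seed.to_bytes(4, "big"))
    return int.from_bytes(d.digest(), "big")

def minhashes(tokens):
    # Signature: for every hash function, the minimum value over the token set.
    toks = set(tokens)
    return [min(_h(seed, t) for t in toks) for seed in range(NUM_HASHES)]

def big_hashes(sig):
    # Each band of ROWS consecutive min hashes collapses into one big hash.
    bands = (sig[b * ROWS:(b + 1) * ROWS] for b in range(NUM_BANDS))
    return [hashlib.sha256(bytes([b]) + b"".join(v.to_bytes(8, "big") for v in band)).digest()
            for b, band in enumerate(bands)]

class SimilarityIndex:
    def __init__(self):
        self.sigs = {}                     # doc id -> min hash signature
        self.buckets = defaultdict(set)    # big hash -> doc ids sharing it

    def add(self, doc_id, tokens):
        self.sigs[doc_id] = sig = minhashes(tokens)
        for bh in big_hashes(sig):
            self.buckets[bh].add(doc_id)

    def query(self, tokens, threshold=0.9):
        sig = minhashes(tokens)
        # Step 3: one exact big-hash match is enough to become a candidate.
        cands = set().union(*(self.buckets.get(bh, set()) for bh in big_hashes(sig)))
        # Step 4: the fraction of equal small hashes estimates Jaccard similarity.
        scored = {c: sum(a == b for a, b in zip(sig, self.sigs[c])) / NUM_HASHES
                  for c in cands}
        return {c: s for c, s in scored.items() if s >= threshold}

# Constructed sample data: token lists standing in for message content.
BASE = [f"tok{i}" for i in range(200)]
NEAR = BASE[:198] + ["new0", "new1"]                 # true Jaccard 198/202
HALF = BASE[:134] + [f"x{i}" for i in range(66)]     # true Jaccard 134/266
```

With 20 rows per band, a pair at Jaccard similarity s shares at least one big hash with probability 1 - (1 - s^20)^20, so near-duplicates almost always surface as candidates while half-similar content almost never does.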
Ross Wolf retweeted
Sublime Security @sublime_sec ·
We’re excited to announce that Sublime has raised $150M in a Series C led by @Georgian_io, joined by new investors @Avenir_Growth, @01Advisors, @jonoberheide, and @nicoleperlroth, and existing investors @IndexVentures, @IVP, @slow, and @CitiVentures. This year we launched ASA and ADÉ, our AI agents that autonomously triage threats and auto-adapt coverage, freeing security teams from repetitive work and delivering rapid, tailored defenses. We’ve grown our customer base 4x since the beginning of the year while maintaining zero enterprise customer churn since company inception. This funding accelerates our vision to deliver autonomous email security that adapts to each organization's unique needs, stopping sophisticated attacks while eliminating the manual work and vendor bottlenecks of legacy solutions. Thank you to our customers, partners, and investors for being on this journey with us. 🔗 Read more: sublime.security/blog/sublime-r…
2
7
33
19.9K
Josh Kamdjou @jkamdjou ·
the “email security mona lisa”
1
0
6
236
Josh Kamdjou @jkamdjou ·
brb updating my linkedin profile to say “Built technology masterpiece”
Josh Kamdjou tweet media
9
3
51
4.3K
Ross Wolf @rw_access ·
@sublime_sec if loving angles is wrong, I don't wanna be right
Ross Wolf tweet media
0
1
4
139
Sublime Security @sublime_sec ·
any guesses? wrong answers only ⬇️
3
0
3
370
Sublime Security @sublime_sec ·
Our limited drop Sublime DEF CON t-shirt returns this year with a new design we can’t wait to share. Hint: let's just say it's pretty rad 👍 As always, we’ll post our location during the con, so you can swing by to pick one up and say hello to the team.
Sublime Security tweet media
6
1
30
3K
Ross Wolf @rw_access ·
@jonathanbourke @sublime_sec Happy to help you debug! Do you mind hopping in our community slack so we can take a look? Twitter replies are just so painful for the back and forth, and I find it way more productive
2
0
0
28
Jonathan Bourke @jonathanbourke ·
@sublime_sec my server had a power outage, which borked (a technical term) some docker processes. Back up and running, but Sublime is not ingesting email - no new detections, nothing recent when searching. Any pointers?
1
0
0
54
Ross Wolf retweeted
Justin Ibarra @br0k3ns0und ·
if a rule is too complex to understand, the alert is even worse
1
2
5
733
Justin Ibarra @br0k3ns0und ·
For the curious observers, some things that _can_ make a detection rule bad:
- non-performant
- overscoped
- underscoped
- too brittle
- too comprehensive
- too atomic
- too complex
- non readable
Basically need a zen of rule writing, similar to python
Justin Ibarra @br0k3ns0und

@nas_bench There are definitely bad detection rules 😅😥😰

3
3
22
30.3K
Gabriel Landau @GabrielLandau ·
If you publish anything that involves a list of hashes, please consider publishing tuples of (hash,size) instead. This enables lookups to skip expensive hashing work if the size does not match anything in the set. 64-bit file sizes can be encoded as 8 bytes concatenated onto the end of hashes, turning a 32-byte SHA256 into a 40-byte tuple. If space is an issue and you control both the hash generation and verification logic, you can alternatively truncate SHA256 to 192 bits to get 32-byte (hash,size) tuples.
3
1
12
2K