Abnormal Security

Abnormal Security is a cloud-native email security provider that uses behavioral analysis and Machine Learning (ML) to detect and prevent advanced email-based attacks across enterprise environments.

  • Cloud-native email security platform for Microsoft 365 and Google Workspace (email security)
  • Behavioral-based threat detection for Business Email Compromise (BEC), phishing, and social engineering (email security)
  • Account takeover and insider threat detection using identity and behavioral signals (identity security)
  • Automated response and remediation for malicious and unwanted email (security automation)
  • API-based deployment that integrates with existing cloud email platforms without inline gateways (cloud security)

More About Abnormal Security

Abnormal Security focuses on protecting cloud email platforms used by enterprises, with particular alignment to Microsoft 365 and Google Workspace. Its platform connects to these environments via APIs instead of operating as a traditional secure email gateway, which allows the system to ingest email, identity, and behavioral data from within the tenant. This architecture is designed for organizations that have adopted cloud productivity suites and want to extend protection against targeted email threats beyond native controls.

The core of Abnormal Security’s approach is behavioral-based detection (email security), which analyzes communication patterns, user identities, and relationship graphs to identify anomalous messages. Rather than relying only on known threat signatures, domain reputation, or static rules, the platform models typical sender-recipient interactions, content styles, and workflows. When an email deviates from these baselines in ways associated with BEC, social engineering, executive impersonation, vendor fraud, or payroll and invoice scams, the system can flag, quarantine, or remove messages.

Abnormal Security also addresses account takeover and insider threats (identity security) by monitoring signals such as login patterns, device characteristics, and changes in user behavior. When the platform detects behavior inconsistent with a user’s historical profile, it can surface alerts and automatically act on suspicious sessions or messages originating from compromised accounts. This is aimed at reducing risk from both external attackers who gain access to accounts and internal misuse of access.

On the response side, Abnormal Security provides automated remediation (security automation), including the ability to retroactively remove malicious emails from inboxes, manage user-reported phishing messages, and streamline security operations center (SOC) workflows. The product’s API-driven model allows it to operate alongside existing email security controls without requiring changes to mail exchange (MX) records or insertion of inline gateways, which can simplify deployment in large enterprises.

In an enterprise security architecture, Abnormal Security is typically categorized in the email security and cloud security segments. It is often deployed to complement or extend native controls from cloud email providers and to provide coverage for advanced and socially engineered threats that may bypass traditional filters. The offering aligns with zero trust and identity-centric security principles by emphasizing continuous behavioral assessment of users and communications rather than perimeter-based inspection alone.

At-A-Glance

  • Employees: 720
  • Estimated Annual Revenue: $100M-$250M

Connect

Corporate Headquarters

185 Clara Street
San Francisco, CA 94107

Market Segmentation

  • Type: Private
  • Sector: Information Technology
  • Group: Software & Services
  • Industry: Internet Software & Services
  • Sub-Industry: Internet Software & Services