Netskope details Abnormal AI plugin for Cloud Threat Exchange
Netskope says it has added an Abnormal AI integration that moves high-confidence email detections from Abnormal into Netskope Cloud Threat Exchange and then enforces them against web and cloud traffic. For enterprise IT and security teams, the update targets faster, automated blocking of malicious infrastructure beyond the inbox.
Research Overview
The post frames email as the starting point for targeted attacks such as phishing, Business Email Compromise (BEC), and account takeover. It notes that while a detection may occur at the email entry point, the malicious infrastructure behind it, such as URLs and domains, persists and remains reachable from cloud and web environments.
It also describes the operational gap created when email findings are not acted on quickly outside the inbox. The vendor states that when malicious infrastructure is not blocked at the web gateway, the same infrastructure stays available to the attacker through other delivery paths.
Key Findings
Netskope and Abnormal propose an automated workflow intended to turn verified indicators from email detections into policy enforcement across the Netskope ecosystem. The post positions the flow as a bridge between inbox detections and network-edge controls.
It states that the integration is designed to ingest high-fidelity Indicators of Compromise (IOCs) and apply them to real-time protection policies. The vendor also describes the automation as removing the manual analyst work of copying threat data between consoles.
Technical Breakdown
The integration described is the Abnormal AI Plugin for Netskope Cloud Threat Exchange (CTE). Netskope says the plugin converts Abnormal detections into automated enforcement across the Netskope environment.
The workflow is described in three steps: detection, sharing, and enforcement. Abnormal uses behavioral models to detect email attacks and extract verified IOCs from them; Netskope Cloud Threat Exchange ingests those IOCs as malicious URLs, domains, IPv4 addresses, and file hashes (SHA256 and MD5); Netskope then applies the indicators to real-time protection policies that block access to the malicious infrastructure across web and cloud traffic in near real time.
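The step the brief does not spell out is what happens to an indicator between the email detection and the block policy. Because "detect once, block everywhere" means a single bad indicator becomes an organisation-wide block, the indicators should be normalized and sanity-checked before they are handed to enforcement. The following is an added example written for this brief, not Netskope or Abnormal code, and it does not call either vendor's API. It refangs raw indicators, classifies them into the five types the brief says CTE ingests (URL, domain, IPv4, SHA256, MD5), deduplicates them, and rejects anything that would be unsafe to push into a block policy unreviewed: non-routable addresses, single-label hosts, malformed URLs, and hosts on a constructed allowlist of domains that must never be auto-blocked. The sample detections and the allowlist are constructed for the example.

```python
"""Indicator triage before automated enforcement (added example, not vendor code)."""
import ipaddress
import re
from urllib.parse import urlsplit

# The five indicator types the brief says Cloud Threat Exchange ingests.
URL, DOMAIN, IPV4, SHA256, MD5 = "url", "domain", "ipv4", "sha256", "md5"

_MD5 = re.compile(r"^[0-9a-f]{32}$")
_SHA256 = re.compile(r"^[0-9a-f]{64}$")
# Hostname with at least one dot and an alphabetic TLD; single labels such as
# "localhost" fail on purpose, since blocking them would be meaningless or harmful.
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(raw: str) -> str:
    """Undo the common defanging (hxxp, [.]) used when IOCs are shared as text."""
    value = raw.strip()
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def _routable_ipv4(text: str):
    """Return an IPv4Address only if it is globally routable, else None."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None
    return ip if ip.is_global else None


def _allowlisted(host: str, allowlist) -> bool:
    """True if host equals, or is a subdomain of, an allowlisted domain."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def classify(raw: str, allowlist=()):
    """Return (indicator_type, normalized_value) or (None, rejection_reason)."""
    value = refang(raw)
    if not value:
        return None, "empty"
    lowered = value.lower()
    if _SHA256.match(lowered):
        return SHA256, lowered
    if _MD5.match(lowered):
        return MD5, lowered

    if "://" in value:
        parts = urlsplit(value)
        host = (parts.hostname or "").lower()
        try:
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            return None, "malformed url"
        if parts.scheme.lower() not in ("http", "https") or not host:
            return None, "malformed url"
        if not (_DOMAIN.match(host) or _routable_ipv4(host)):
            return None, "url host is invalid or non-routable"
        if _allowlisted(host, allowlist):
            return None, "allowlisted host"
        # Keep scheme, host, port, path and query; drop the fragment, which the
        # browser never sends and which a gateway therefore cannot match on.
        netloc = f"{host}:{port}" if port else host
        normalized = f"{parts.scheme.lower()}://{netloc}{parts.path or '/'}"
        if parts.query:
            normalized += "?" + parts.query
        return URL, normalized

    ip = _routable_ipv4(value)
    if ip is not None:
        return IPV4, str(ip)
    try:
        ipaddress.IPv4Address(value)
        return None, "non-routable ipv4"
    except ipaddress.AddressValueError:
        pass

    host = lowered.rstrip(".")
    if _DOMAIN.match(host):
        if _allowlisted(host, allowlist):
            return None, "allowlisted host"
        return DOMAIN, host
    return None, "unrecognised indicator"


def build_feed(raw_indicators, allowlist=()):
    """Group accepted indicators by type (deduplicated, sorted); list rejections."""
    feed = {t: set() for t in (URL, DOMAIN, IPV4, SHA256, MD5)}
    rejected = []
    for raw in raw_indicators:
        kind, value = classify(raw, allowlist)
        if kind is None:
            rejected.append((raw, value))
        else:
            feed[kind].add(value)
    return {k: sorted(v) for k, v in feed.items()}, rejected


# Constructed sample detections (not real Abnormal output): defanged URL,
# case and trailing-dot duplicates, an internal address, hashes, and a host
# on a constructed allowlist of shared SaaS domains.
SAMPLE_DETECTIONS = [
    "hxxps://login-verify[.]example/session?id=1#frag",
    "evil.example.",
    "EVIL.EXAMPLE",
    "93.184.216.34",
    "192.168.1.1",
    "D41D8CD98F00B204E9800998ECF8427E",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "localhost",
    "files.shared-saas.example",
    "",
]
ALLOWLIST = ("shared-saas.example",)

if __name__ == "__main__":
    feed, rejected = build_feed(SAMPLE_DETECTIONS, ALLOWLIST)
    for kind, values in feed.items():
        print(kind, values)
    for raw, reason in rejected:
        print("rejected", repr(raw), reason)
```

The rejected list is the part worth keeping: in a real deployment it is what an analyst reviews, because an indicator that fails these checks is exactly the kind that automated "block everywhere" turns from a detection into an outage. The allowlist is the other place to spend effort, since phishing routinely abuses legitimate shared hosting and file-sharing domains whose hostname alone is not a safe block target.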
Operational Impact
The post describes the approach as "detect once, block everywhere," with threat intelligence synchronization intended to stop an email-initiated breach from continuing as a cloud-based attack. It says blocking at the gateway aims to remove the attacker's opportunity to reuse the same infrastructure through alternate delivery paths or for later stages such as lateral movement.
For response operations, the post says the automation removes the need for analysts to manually transfer threat data between consoles. It also states that Netskope Cloud Threat Exchange can push the indicators into policies enforced on web and cloud traffic faster than an analyst could do by hand, with the intent of shortening the window of exposure.
Getting Started
Netskope says the integration is available to customers running Netskope Cloud Exchange (CE) version 4.2.0 or higher. The vendor states that security administrators configure the Abnormal plugin in the Netskope CE console using Abnormal Application Programming Interface (API) credentials to begin syncing threat data.
The post also provides a reference to Netskope technology partnerships and a partner ecosystem ebook for additional context.
Overall, the blog describes a new Abnormal AI plugin for Netskope Cloud Threat Exchange that ingests verified email IOCs and applies near real-time web and cloud enforcement through Netskope policies. This Blog Signals brief is a fact-based summary of the vendor blog post.