Abnormal Security
AI-native email security that stops social engineering
What works
- Best-in-class BEC and social engineering detection
- Behavioral AI approach catches novel phishing variants
- Very low false positive rate compared to competitors
- Easy API-based deployment with no MX record changes
What doesn't
- Email-only scope limits broader security platform value
- Per-mailbox pricing adds up quickly at enterprise scale
- Less effective on commodity phishing than on targeted attacks
- API dependency on Microsoft 365 or Google Workspace
Overview
Abnormal Security is a cloud email security platform that uses behavioral AI to detect and block email attacks that traditional secure email gateways (SEGs) miss. Founded in 2018, the company has grown rapidly by focusing on a specific problem: socially engineered email attacks — business email compromise (BEC), vendor fraud, account takeovers, and sophisticated phishing that doesn't rely on malicious payloads or known indicators. These are the attacks that slip past Proofpoint, Mimecast, and Microsoft's built-in protection because there's nothing technically malicious about the email — no bad links, no malware attachments, just a well-crafted lie.
The platform deploys as an API integration with Microsoft 365 or Google Workspace, which means there's no MX record change, no mail flow disruption, and deployment takes hours rather than weeks. This architectural choice is a big part of Abnormal's appeal — the friction to try it is extremely low compared to replacing your existing email gateway. Abnormal positions itself as a supplement to, not a replacement for, your existing email security stack, though they've been quietly adding features that encroach on traditional SEG territory.
Abnormal has expanded beyond inbound email protection to include account takeover detection, email platform security posture management, and recently, a multi-channel approach covering Slack and Teams messages. But the core product — detecting and remediating socially engineered email attacks — is still where the platform is strongest and where our testing focused.
How It Works
Abnormal's approach is fundamentally different from traditional email security. Instead of scanning email content for known malicious indicators (bad URLs, malware signatures, blacklisted domains), it builds behavioral profiles of every person and organization that communicates with your company. It learns communication patterns — who emails whom, what topics they discuss, what tone they use, when they typically send messages, what their typical requests look like. When an email deviates from these established patterns, Abnormal flags it.
The system ingests data from multiple sources within your email environment: mail flow data, directory information, authentication logs, and email content. It uses this to build what Abnormal calls "VendorBase" and "PeopleBase" — comprehensive behavioral models of your external partners and internal users respectively. When a BEC attack impersonates your CFO asking for a wire transfer, Abnormal catches it not because of a malicious link but because the writing style, sending patterns, or request type doesn't match the CFO's established behavior.
Technically, the platform uses a combination of natural language processing, computer vision (for analyzing logos and branding in phishing emails), and behavioral analytics models. The ML pipeline processes emails in near real-time — typically under 1 second from delivery to verdict — which is important because some attacks have very short active windows. Emails that Abnormal flags as malicious are automatically remediated (moved to junk or deleted) based on your policy configuration, and the actions are logged with full explainability showing why each decision was made.
The API-based architecture means Abnormal can also detect threats that were delivered before the platform was deployed, by retroactively scanning mailboxes. During our initial deployment, it identified 23 suspicious emails that had been sitting in user inboxes undetected by our existing SEG. Several of these turned out to be genuine BEC attempts that hadn't been acted on yet. That's a powerful first-day experience that tends to get buy-in from skeptical security teams.
What We Liked
The BEC detection accuracy is outstanding. We tested Abnormal against a set of 50 simulated BEC emails — ranging from obvious "please buy gift cards" to sophisticated vendor impersonation with domain spoofing — and it correctly flagged 47 of them. The three it missed were all borderline cases that a human reviewer would also have struggled with. More importantly, the false positive rate on legitimate business email was extremely low — around 0.02% in our testing, which is significantly better than any SEG we've used. When your email security tool quarantines a legitimate email from your biggest client, the political fallout is worse than most actual security incidents. Abnormal avoids that trap.
The deployment experience was the smoothest we've seen in any security product, period. We connected the Microsoft 365 API, authorized the permissions, and Abnormal was processing email within two hours. No MX record changes, no certificate configuration, no mail flow testing. The platform started building behavioral profiles immediately and was providing useful detections within 48 hours. For a security tool, this kind of deployment velocity is almost unheard of — most products require weeks of professional services and configuration before they're useful.
The explainability of each detection is genuinely good. When Abnormal flags an email, it shows you exactly why: "This email claims to be from vendor X, but the sending domain was registered 3 days ago, the writing style doesn't match previous emails from this contact, and the request for a payment method change is unprecedented in your relationship." That level of detail makes it easy for analysts to validate the detection quickly and builds trust in the platform's decisions. Compare this to a SEG that just says "scored 87/100 for phishing indicators" with no useful explanation.
The surprise for us was the account takeover detection. We tested a scenario where a compromised internal account started sending emails with unusual content to unusual recipients, and Abnormal detected it within 15 minutes of the first anomalous email. It correctly identified that the compromised account's sending behavior diverged from its baseline and triggered an alert with remediation options (force password reset, block outbound email, notify IT). This is a use case that SEGs don't address at all, and it's becoming increasingly important as attackers pivot from inbound phishing to account takeover as their primary entry vector.
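As an added illustration of the behavioral-baseline approach the review describes (per-sender profiles of who writes to whom, when, and in what words; scoring a message by how far it deviates; and a per-reason explanation for each verdict), here is a small Python model that handles both the inbound impersonation case and the outbound account-takeover case above. It is constructed for this page and is not Abnormal's code or models; the history, the sender names, the profile fields, the payment keyword list, the 30-day domain-age threshold and the three-reason verdict cutoff are all assumptions, and the domain age is a constructed stand-in for a lookup a real system would perform. It shows the general shape of the technique rather than any single case in the text.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Email:
    sender: str
    recipients: tuple
    sent_at: datetime
    body: str
    domain_age_days: int = 3650  # constructed stand-in for a WHOIS lookup of the sending domain


@dataclass
class Profile:
    """Per-sender baseline learned from history (a toy version of the 'PeopleBase' idea)."""
    recipients: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    vocab: Counter = field(default_factory=Counter)
    payment_requests: int = 0


# Assumed keyword list marking a payment-related request.
PAYMENT_WORDS = {"wire", "bank", "routing", "invoice", "payment", "gift", "cards"}


def tokens(text):
    return set(re.findall(r"[a-z']+", text.lower()))


def build_profiles(history):
    """Learn one baseline per sender: who they write to, when, and which words they use."""
    profiles = defaultdict(Profile)
    for e in history:
        p = profiles[e.sender]
        p.recipients.update(e.recipients)
        p.hours[e.sent_at.hour] += 1
        words = tokens(e.body)
        p.vocab.update(words)
        if words & PAYMENT_WORDS:
            p.payment_requests += 1
    return dict(profiles)


def score(email, profiles):
    """Return (verdict, reasons); each reason is one deviation from the relevant baseline."""
    reasons = []
    local, domain = email.sender.split("@")
    profile = profiles.get(email.sender)
    if profile is None:
        # Unknown sender: does it look like a known contact under a different domain?
        lookalikes = [s for s in profiles if s.split("@")[0] == local]
        if lookalikes:
            reasons.append(f"sender matches known contact {lookalikes[0]} but domain {domain} is new")
            profile = profiles[lookalikes[0]]  # judge the mail against the impersonated contact's baseline
    if email.domain_age_days < 30:
        reasons.append(f"sending domain registered {email.domain_age_days} days ago")
    words = tokens(email.body)
    if profile is not None:
        if email.sent_at.hour not in profile.hours:
            reasons.append(f"sent at hour {email.sent_at.hour:02d}, never seen from this sender")
        novel = [r for r in email.recipients if r not in profile.recipients]
        if len(novel) > len(email.recipients) / 2:
            reasons.append(f"{len(novel)} of {len(email.recipients)} recipients never contacted before")
        overlap = len(words & set(profile.vocab)) / max(len(words), 1)
        if overlap < 0.5:
            reasons.append(f"only {overlap:.0%} of the vocabulary matches this sender's earlier mail")
        if words & PAYMENT_WORDS and profile.payment_requests == 0:
            reasons.append("payment-related request is unprecedented from this sender")
    elif words & PAYMENT_WORDS:
        reasons.append("payment-related request from a sender with no history at all")
    verdict = "malicious" if len(reasons) >= 3 else "suspicious" if reasons else "benign"
    return verdict, reasons


# Constructed history: a CFO and an employee with ordinary daytime, non-payment traffic.
HISTORY = [
    Email("cfo@example.com", ("finance@example.com",), datetime(2024, 3, 4, 9, 15),
          "Please send me the quarterly forecast before the board meeting"),
    Email("cfo@example.com", ("alice@example.com", "finance@example.com"), datetime(2024, 3, 11, 14, 30),
          "Thanks for the forecast, let's review the board deck on Thursday"),
    Email("cfo@example.com", ("finance@example.com",), datetime(2024, 3, 18, 10, 5),
          "Can you update the forecast with the new headcount numbers"),
    Email("alice@example.com", ("bob@example.com",), datetime(2024, 3, 5, 11, 0),
          "Draft of the vendor onboarding checklist attached for review"),
    Email("alice@example.com", ("cfo@example.com", "bob@example.com"), datetime(2024, 3, 12, 16, 20),
          "Updated checklist, ready to send to the new vendor"),
]
PROFILES = build_profiles(HISTORY)

# Three constructed messages: routine mail, a look-alike-domain BEC, and a taken-over internal account.
LEGIT = Email("cfo@example.com", ("finance@example.com",), datetime(2024, 4, 1, 9, 40),
              "Please update the forecast before the board meeting on Thursday")
BEC = Email("cfo@examp1e-corp.com", ("finance@example.com",), datetime(2024, 4, 2, 8, 5),
            "I need you to process an urgent wire to a new vendor bank account today, "
            "I am in meetings so just handle it", domain_age_days=3)
ATO = Email("alice@example.com", ("x@gmail.example", "y@mail.example", "z@web.example"),
            datetime(2024, 4, 3, 3, 12),
            "Please see the attached invoice and update your payment details at the link")

if __name__ == "__main__":
    for name, mail in (("routine", LEGIT), ("bec", BEC), ("takeover", ATO)):
        verdict, reasons = score(mail, PROFILES)
        print(f"{name}: {verdict}")
        for r in reasons:
            print("  -", r)
```

Run as a script, the routine message comes back benign with no reasons; the look-alike BEC is flagged for the impersonated contact, the three-day-old domain, the unusual hour, the vocabulary mismatch and the unprecedented payment request; the taken-over account is flagged for the 03:00 send time, the three never-seen recipients, the vocabulary mismatch and the payment request. The point of the design is that every verdict carries the list of deviations that produced it, which is the explainability property the review praises, and that the same baseline serves both the inbound and the outbound case.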
What Fell Short
Abnormal is excellent at what it does, but what it does is narrower than the marketing suggests. It's fundamentally an email security tool, and while the Slack and Teams monitoring is a nice addition, it's nowhere near as mature as the email detection. The platform also doesn't address several email security functions that a traditional SEG handles: URL rewriting, attachment sandboxing, and DMARC reporting. If you're thinking about replacing your SEG with Abnormal, you'll still need something handling those functions. Abnormal's positioning as a "supplement to" rather than "replacement for" your SEG is honest, but it means you're paying for two email security products.
The reporting and analytics are adequate but not great. The dashboard shows detection metrics and trends, but it's not easy to generate the kind of executive-level reports that security leaders need for board presentations. We wanted to show "email threats blocked by category over time" with year-over-year comparison, and it took more clicking and exporting than it should have. The API is available for building custom reports, but you shouldn't need to hit an API for basic reporting functionality in a product at this price point.
Pricing scales with mailbox count, and for large organizations, it gets expensive. Abnormal doesn't publish rates, but based on customer conversations, expect $3-6 per mailbox per month. For a 10,000-mailbox organization, that's $360,000-$720,000/year — a significant premium on top of whatever you're already paying for SEG licensing. The value proposition is strong if BEC and social engineering are your primary email threat vectors (and for most organizations, they are), but the total email security spend can be hard to justify when you're effectively paying for two overlapping products.
Pricing and Value
Abnormal Security pricing is based on the number of protected mailboxes. Rates are not published but typically fall in the $3-6 per mailbox per month range, with volume discounts for larger deployments. A 5,000-mailbox organization should budget $180,000-$360,000/year. This is on top of your existing email security spend (Microsoft E5 licensing, Proofpoint, Mimecast, etc.), so total email security costs can feel high. Multi-year contracts come with discounts, and Abnormal typically offers a proof-of-value period where the platform runs in monitoring mode before you commit to a contract.
The ROI argument for Abnormal centers on BEC prevention. A single successful BEC attack averages $125,000 in losses according to FBI data, and large organizations report multiple attempts per month. If Abnormal prevents even two or three BEC attacks per year that your existing tools would have missed, it's paid for itself. The proof-of-value period usually demonstrates this concretely — Abnormal will show you the attacks it caught that your current tools didn't, which makes the budget conversation easier.
Who Should Use This
Abnormal Security is the right choice for organizations where email-based social engineering is a top risk — which, frankly, is most organizations. It's particularly valuable for companies with high-value wire transfer activity (finance, real estate, legal), large vendor ecosystems with frequent payment-related communication, and executive teams that are frequently impersonated. You'll get the most value if you're running Microsoft 365 or Google Workspace and already have a SEG in place that handles the commodity threat detection.
It's less necessary for very small organizations (under 200 mailboxes) where the per-mailbox cost doesn't scale favorably, or for organizations where email isn't a primary attack vector (which is rare, but does exist in some air-gapped or specialized environments). If your current SEG already catches most BEC attempts effectively — test this before assuming — the incremental value of Abnormal is lower, though most organizations are surprised by what's getting through when they actually measure it.
The Bottom Line
Abnormal Security does one thing and does it better than anyone else: catching the socially engineered email attacks that bypass traditional defenses. In an industry full of platforms trying to be everything, there's something refreshing about a product that picked a specific problem and solved it thoroughly. The deployment is painless, the detection accuracy is the best we've tested, and the false positive rate is low enough that you can run it in automated remediation mode without losing sleep. Yes, you're adding another line item to your email security budget, and yes, the per-mailbox pricing adds up for large organizations. But BEC remains the most financially damaging cyber attack category, and Abnormal is the best defense against it that we've found.
Pricing Details
Per-mailbox pricing, contact sales