Selecting the right email security approach is critical to how effectively an organization detects and stops modern attacks. In 2024 alone, the FBI reported $2.8 billion in business email compromise losses, a reminder that the most essential enterprise communication channel remains one of the hardest to protect.

Most organizations layer multiple tools and deployment models: native controls from Microsoft 365 or Google Workspace, third-party secure email gateways (SEGs) for hygiene and compliance, and increasingly, API-based detection to uncover the behavioral anomalies other systems miss. Each approach brings distinct advantages and trade-offs in visibility, speed, and operational efficiency.

Secure email gateways, whether built into Microsoft 365 and Google Workspace or delivered by third-party vendors, form the backbone of email hygiene. Positioned inline in the delivery path, they inspect messages before they reach the inbox, blocking spam, malware, and known malicious URLs while supporting compliance features such as encryption and archiving.

This pre-delivery architecture offers strong protection against known bad content and clear benefits for policy enforcement. Since SEGs analyze messages in transit, they make decisions based on a narrow set of indicators such as headers, URLs, attachments, and sender reputation, without the broader user or organizational context needed to recognize behavioral anomalies behind targeted attacks.

However, because SEGs primarily scan emails coming from outside the organization, they often have limited visibility into internal-to-internal communication, where compromised accounts or insider threats may originate.

Gateways also require continual tuning to balance filtering accuracy with mail flow reliability, adding operational overhead for security and IT teams. They provide effective baseline protection but limited coverage against advanced, socially engineered threats.

Pros of Secure Email Gateways

• Effective for filtering spam, malware, and known malicious content.

• Mature, well-understood architecture that aligns with compliance and policy controls.

• Centralized pre-delivery inspection that integrates easily with legacy systems.

Cons of Secure Email Gateways

• Primarily inspects inbound external mail, leaving gaps in internal and lateral message visibility.

• Limited behavioral and identity context for detecting targeted or payload-less attacks.

• Requires constant tuning to balance accuracy and mail flow reliability.

As organizations move to cloud email, API-based architectures have become the next evolution in detection and response. Two main models exist: inline APIs, which evaluate messages during delivery, and pure APIs, which analyze messages after delivery.

Inline APIs sit within the mail flow, scanning messages in transit through connectors or routing rules before they reach the inbox. They provide pre-delivery blocking and can leverage some platform telemetry to make detection decisions. These solutions often rely on static rules and sandboxing rather than adaptive, behaviorally informed models, so verdicts may require manual validation and rule tuning to maintain accuracy.

Inline integrations can disrupt mail flow, introducing latency from seconds to minutes and creating delivery risk if the service experiences downtime. Because native controls and SEGs already sit inline, layering additional inline APIs can introduce routing complexity, configuration changes in Microsoft 365, and additional troubleshooting overhead for analysts.

Pros of Inline APIs

• Enables pre-delivery blocking for known or easily classified threats.

• Can use platform telemetry to enrich detection accuracy.

• Fits naturally into Microsoft 365 and Google Workspace environments that already rely on connectors and transport rules.

Cons of Inline APIs

• Detection logic is fixed at delivery, reducing flexibility against evolving attack techniques.

• Verdicts often require analyst confirmation to maintain confidence and prevent disruption.

• May duplicate functions already handled by native or SEG layers, increasing integration and maintenance complexity.

Pure API architectures take a fundamentally different approach, connecting directly to the cloud platform through native APIs to perform continuous, behavior-based analysis within the mailbox environment.

Operating asynchronously and outside the mail flow, pure API architectures connect to Microsoft 365 or Google Workspace through native APIs and continuously analyze messages alongside identity, behavioral, and historical data across users, vendors, and applications. No modifications to native protections upstream are required or recommended. The broader visibility of pure API architectures enables higher-confidence detection of advanced threats such as impersonation, vendor compromise, and account takeovers, while reducing the day-to-day operational burden for security teams.

Detection occurs quickly enough to remove threats before users engage. This asynchronous model adds richer behavioral and historical context, helping security teams confirm and remediate attacks with greater accuracy and confidence. This architectural design also simplifies operations: no MX record changes, no rerouting, and no disruption to mail flow. Integration takes minutes, and messages continue to be delivered even when system outages occur.

Across industries, organizations using this architecture report measurable improvements in detection and risk reduction:

• 100% increase in advanced attack volume bypassing SEGs over the past three years.¹

• 60 business email compromise attacks blocked by Abnormal per organization per month.²

• 665 advanced threats each month detected by Abnormal that SEGs miss.¹

Together, these results show how broader visibility and behavioral analysis improve both detection efficacy and operational efficiency.

Like all architectural choices in security, pure API architecture involves deliberate trade-offs. Operating post-delivery means messages briefly exist in the mailstore before remediation—typically measured in seconds. A brief processing interval provides AI models the computational window to run complex behavioral analysis—natural language processing for tone shifts, graph neural networks for relationship mapping, anomaly detection across communication patterns—then conduct API calls that redirect messages and remediate threats.

Pros of Pure API Architectures

• Provides full behavioral, identity, and historical visibility for higher-confidence detection.

• Simplifies deployment and maintenance by operating outside the mail flow.

• Enables continuous detection and rapid remediation through native integration with cloud platforms.

Cons of Pure API Architectures

• Introduces a short processing interval while behavioral analysis completes before remediation.

• Relies on API connectivity and platform stability for uninterrupted protection.

• Requires confidence in automated, asynchronous remediation rather than traditional inline blocking.

Every email security architecture has its advantages and limitations. Gateways are effective for filtering known threats and enforcing policy but offer limited insight beyond message content. Inline solutions extend protection into the cloud with pre-delivery blocking but add routing complexity and lack the behavioral depth to detect identity-based attacks.

Abnormal built an API-first architecture that operates outside the mail flow to deliver faster, more accurate detection, simpler management, and protection that continually adapts as attacker tactics evolve.

“Attackers already use AI for greater impact, so you need solutions that improve as attacks evolve. Abnormal’s been ahead of the behavioral AI game, and as attacks become more refined, Abnormal will be there to help us.”
— Waldon Smith, CSIRT Manager, Valvoline

Because architecture drives everything from visibility to response, it should be a primary consideration when evaluating email security providers. The key questions to ask each vendor include:

• How does the solution collect and correlate behavioral context beyond message content?

• How does the detection model adapt in response to changing attacker techniques?

• What measurable outcomes have other users achieved in efficacy and efficiency?

• Does the solution’s architecture facilitate a hands-on or hands-off approach to management?

• What detection enhancements have they recently released to their customers?

Effective email defense is driven by architectural choices that determine how defenses see, respond to, and learn from evolving threats. Organizations using Abnormal’s pure API detection report measurable gains in efficiency and automation:

• 70% spend less than 30 minutes in the Abnormal portal each week.³

• 100% automate inbound email remediation.²

• 78% automate triage and response to all user-reported phishing.²

• 15+ hours of security team time saved each week.²

At Abnormal AI, we built API-first because deeper visibility leads to stronger protection and relieves the manual burden on SOC teams managing today’s constant wave of email threats. Every security architecture has trade-offs, but only one continues to learn as quickly as the AI-powered tools threat actors use to launch their next offensive.

¹ Comparing the average attacks / 1,000 mailboxes across all Abnormal customers with a SEG in place for Q3, 22 versus Q3, 25.
² Data collected from the Abnormal platform.
³Reported across 100 Abnormal customers.

To explore how Abnormal’s API-first architecture delivers a modern solution to modern email threats, schedule a demo today.