Gartner recognizes a new segment of email security focused on filling gaps in existing advanced threat protection.

“Protecting the perimeter” was the refrain for conventional security practices, conjuring up views of castles with moats. In the age of the cloud, there is no perimeter, and perimeter-based security solutions are now failing to sufficiently block the newest threats. As the market trends toward new perspectives on email security, perimeter-based defenses, such as firewalls and email gateways, will fall out of favor compared to identity-based solutions.

Research Analysts, Neil Wynne and Peter Firstbrook, discuss these trends in Gartner’s inaugural Market Guide for Email Security, which explores this shift in technological focus in depth. With this survey of the landscape, the authors introduce “Cloud Email Security Supplements.” (Gartner clients can read the full document here.) 

Gartner suggests that the email security market is starting to adopt a continuous adaptive risk and trust assessment (CARTA) approach. Furthering a CARTA-inspired email security architecture, CESSs support new detect and response capabilities by integrating directly with the email system via API. This emerging technology addresses gaps in the advanced threat defense capabilities of default and advanced security layers within cloud platforms, as well as those provided by incumbent Secure Email Gateways (SEGs). They further recommend adding these capabilities to as a supplement or replacement to those technologies. 

What is a Cloud Email Security Supplement (CESS)?

According to Gartner, "CESSs focus on specific threats, often in the realm of hard-to-detect phishing, and can leverage full access to cloud-hosted inboxes via APIs for detection and remediation.." 

In Note 7 of the “Gartner Market Guide for Email Security,” a CESS is an additional line of defense for an organization that:

  • Requires on-demand scanning of mailboxes, generally as a secondary scan at low-use times
  • Wants to quickly manage outbreaks that spread through email
  • Demands detection methods that use historical communication patterns (for example, to build social graphs in defense against phishing)
  • Has substantial intra-domain email traffic without routing through an SEG
  • Uses applications that have programmatic access to the mail server
  • Has users who regularly post messages in public folders
  • Does not use an SEG

CESS Solutions Use Application Programming Interfaces (APIs)

APIs are foundational to all cloud software. A security solution that takes full advantage of them practically becomes integrated into the platform, providing a substantial advantage in threat detection.

The advantages of leveraging APIs are numerous. Key data points, such as historical communication patterns, communication anomalies, and suspicious logins, are visible to the API connected security layer. This enables data exchanges between systems or components, an essential part of training an Artificial Intelligence (AI) engine to identify threats. 

Admins utilizing CESS solutions to protect their people and data also gain increased control. Addressing attacks such as Business Email Compromise (BEC), intradomain email protection is a requirement for a secure system. Those threats often leverage authenticated access to mailboxes, which is in turn used to phish other users in the same email domain, bypassing perimeter security solutions which would miss these threats entirely. This gives CESSs the ability to “clawback” threats from active or archived inboxes.  

Read: Gartner's Recommendation for BECs

How do CESSs supplement email gateways?

Presuming many large organizations already leverage an SEG, Gartner thinks of this segment as a supplement to that technology.  This technology leverages hardware or software components to put a proxy or Mail Transfer Agent (MTA) between the outside world and an email system.  

As malicious actors have learned to evade these technologies, their phishing attacks have resulted in successful account takeovers, executive/vendor impersonations, new “payload-less” zero-day attacks, and BEC.  All of these threats leverage identity and access rather than malicious files, which SEGs were initially intended to catch. This shift in attack strategy heralds a new era in email and collaboration security and demands new tools. The API technology make it possible for  CESSs to address these gaps, sitting behind security controls, as a native component inside the cloud infrastructure. 

When would a CESS replace an email gateway?

Gartner suggests that some CESS vendors have functionality that could take the place of SEGs. This would include sandboxing, malicious link detection, advanced threat intelligence, Data Loss Protection (DLP), etc. Gartner addresses these components more fully in How to Build an Effective Email Security Architecture,” part of their Gartner for Technical Professionals advice. 

The API approach taken by a CESS makes it possible to address internal-to-internal traffic and extend beyond email to protect entire collaboration suites like Microsoft Office 365. Gartner suggests that intradomain phishing (between coworkers) and malware are the areas in which CESSs are most needed. 

“There are many account takeover scenarios in which an attacker can leverage intradomain messages to move laterally and compromise internal resources. Without some way to effectively scan intradomain emails, these attacks could affect the organization. Protect against internal spread using technologies that integrate with the email system.”

Organizations may choose to implement a CESS solution alongside existing security solutions, then affirm that the CESS satisfies all of the layered security protection and risk avoidance they require. Consolidating on a full-featured CESS would also offer substantial cost savings for most organizations. 

Download: 5 Questions Your SEG Hopes You Never Ask 


It’s worth noting that Avanan is a CESS that has patented an approach to stop phishing attacks before they reach the inbox and after they have been scanned by perimeter technology or security built-in to the cloud platform. Using Office 365 as an example, Avanan uniquely scans email after the default Exchange Online Protection (EOP), as well as the Advanced Threat Protection (ATP), and even after the SEG, but before the inbox. In this way, would intervene with inbound, outbound, and internal messages before they arrive in the inbox.

Get Your ATP Assessment


Email is the most mature security market in the cybersecurity space. Yet attackers are proving to be more innovative and adaptive than legacy technology. CESSs are a recommended way to solve for this, elevate an organization’s security posture, and provide the necessary functionality around internal email scanning, BEC, and pre- and post-delivery email protection.  

Gartner suggests that this will coincide with vendors retiring appliance-based SEG approaches. As this process continues, CESSs should be considered for their enhanced access capabilities, flexible management tools, and the ability to analyze historical communication to predict threats in the future. As such, this emergent technology provides much-needed additional protection and may also be a method of cost savings as a replacement for SEGs. 

Avanan will catch advanced attacks missed by Microsoft

Start Your Trial Now