Back 
When everything is connected, there’s nothing more frustrating than siloed tools that don’t integrate with each other. Not only does it lead to significant amounts of technical debt, but it also underscores significant visibility and context gaps for security teams, leading to increased risks and poor security posture.
For example, look at the majority of modern, targeted email-initiated attacks, whether it’s phishing, business email compromise (BEC), or account takeover. While these attacks may be detected at the email entry point, the malicious infrastructure behind them (URLs, domains, etc.) often persists across cloud and web environments.
Without a way to quickly operationalize email detections beyond the inbox, organizations face an expanded attack surface. If a threat is detected in an email but not immediately blocked at the web gateway, attackers can still utilize that infrastructure for lateral movement or data exfiltration.
Netskope is excited to address this email security challenge through our recently announced strategic alliance partnership and integration with Abnormal AI. By connecting Abnormal’s AI-native email detections with Netskope’s cloud, AI, and web enforcement, this partnership bridges the gap between the inbox and the network edge.
Let’s take a closer look at how this works:
The Abnormal AI plugin for Netskope Cloud Exchange
The new Abnormal AI Plugin for Netskope Cloud Threat Exchange (CTE) is designed to turn high-confidence email detections into automated enforcement across the Netskope ecosystem.
This workflow operates in three steps:
- Detection: Abnormal AI uses behavioral models to detect sophisticated email attacks and identifies verified Indicators of Compromise (IoCs).
- Sharing: These high-fidelity IoCs, specifically malicious URLs, domains, IPv4 addresses, and cryptographic file hashes (SHA256 and MD5), are automatically ingested into Netskope Cloud Threat Exchange.
- Enforcement: Netskope applies these indicators to its real-time protection policies, blocking access to the malicious infrastructure across web and cloud traffic in near real-time.
This integration delivers a “detect once, block everywhere” architecture that strengthens the entire security stack. By synchronizing threat intelligence, organizations can prevent email-initiated breaches from transitioning into cloud-based attacks. This stops attackers from moving laterally or reusing infrastructure via alternate delivery paths, offering security teams unified protection while reducing risk.
Similarly, the ability to automate responses can help security teams increase efficiency, eliminating the need for analysts to manually “copy and paste” threat data between consoles. By automating the lifecycle of an indicator from detection to enforcement, security teams can focus on a high-impact strategy rather than manual data entry. Additionally, because validated threat intelligence is shared automatically, Netskope CTE can enforce policies on web and cloud traffic faster than human analysts could manually, limiting the window of exposure and improving mean time to recovery.
Overall this joint solution offers security teams a unified automated approach that helps reduce risk, increase efficiency and improve mean time to recovery.
Getting Started
This integration is available for customers using Netskope Cloud Exchange (CE) version 4.2.0 or higher. Security administrators can simply configure the Abnormal Security plugin within the Netskope CE console using their Abnormal API credentials to begin syncing threat data.
By combining Abnormal’s best-in-class email protection with Netskope’s leading SSE enforcement, organizations can now execute a unified defense that is stronger than the sum of its parts.
To learn more about Netskope’s technology partnerships, download the Netskope’s Partner Ecosystem ebook here.
Read the blog