Traditional Email Security Has Its Faults. Here’s Why Ocean Built Ray, a Central Autonomous Intelligence Engine, to Solve It

Liel Strauch

The hardest email threats to catch don’t look malicious at first glance.

They come from trusted senders, inside real conversations, with requests that appear legitimate. Nothing about them immediately signals risk, which is exactly why they work.

When these emails are investigated carefully, the answer is usually there. The intent can be uncovered, and the attack can be understood. The issue is that doing this well takes time, experience, and access to multiple layers of context that not every team has at hand.

Security teams have spent years layering tools into the email stack, yet the highest-impact attacks still reach the inbox. The reason comes down to how these systems are built. Traditional tools are designed to recognize patterns such as known indicators, anomalies, and signals that can be matched at scale. The challenge is that modern attacks are built around context, not patterns, which leaves a gap that continues to be exploited.

This is especially visible in vendor compromise, targeted phishing, and AI-generated social engineering. AI has made these attacks easier to generate, more personalized, and far more scalable, reducing the kinds of signals that detection systems rely on.

To address this directly, Ocean built Ray, a central autonomous intelligence engine designed to investigate and understand email threats in context. 

What Investigation Actually Looks Like Today

When a suspicious email reaches a SOC analyst, the investigation follows a familiar path. The analyst starts with the email itself, reviewing headers, content, attachments, and links to identify anything out of the ordinary. From there, the work moves into context. Prior communication history is reviewed, the sender’s behavior is evaluated, and subtle shifts in intent are examined.

Infrastructure and threat intelligence checks follow, validating whether anything behind the email points to compromise or abuse. Only after this full process does the analyst make a decision, take action, and document the findings.

This approach works, but it is manual, time-intensive, and difficult to apply consistently across the volume of email most organizations receive. As a result, only a fraction of emails are ever investigated at this level of depth.

How Ray Understands Email Attacks in Real Time

Ray applies that level of investigation continuously, across every email, as it arrives.

In a vendor compromise scenario, a trusted sender makes a request that looks plausible, but something in the context has shifted. Analysts typically need to reconstruct prior communications to determine whether the request aligns with expected behavior. Ray evaluates how that sender typically communicates, identifies when intent deviates, and surfaces the inconsistency immediately without requiring manual review.

The same approach applies to reported phishing. Security teams have trained users to report anything suspicious, which creates a steady stream of low-signal emails. Ray analyzes each reported message in context, determining whether it represents real risk or normal communication. At the same time, it provides case-specific feedback to the user, turning each report into a training opportunity and improving judgment over time without adding workload to the SOC.

For attacks that do not match any known pattern, the process shifts as well. These cases often require deeper analysis to determine intent, and detection typically happens only after someone investigates and creates a new rule. Ray evaluates behavior and context in real time, allowing it to identify threats without relying on prior examples and reducing the need for reactive rule creation.

Across these scenarios, the dependency on manual investigation is removed. Ray enables these attacks to be understood as they occur.

An AI-Native, Agentic Approach to Investigation

Ocean’s platform is built as an AI-native, agentic system. A swarm of agents works together to carry out different parts of the investigation, including content analysis, communication review, infrastructure checks, and threat intelligence lookups.

Ray acts as the central intelligence layer that coordinates this system. It does not attempt to perform every function itself. Instead, it orchestrates sub-agents, ensuring that each step of the investigation is executed and that the results are combined into a coherent understanding of the email.


The process mirrors what an analyst would do manually, but without the same constraints around time and scale. Each email is evaluated directly, with the system determining whether it makes sense in context rather than waiting for a predefined signal.

In cases where additional internal context is needed, analysts can contribute information that becomes part of the system’s knowledge. Over time, this allows the system to adapt to the organization while continuing to operate autonomously across the vast majority of cases.

What previously required hours or days of work can now happen automatically and at scale across all emails.

What Changes for the Security Team

For the security team, this changes how work is distributed and how decisions are made.

More attacks are identified before they ever require manual investigation, and emails are evaluated with full context rather than partial signals. Analysts don’t have to rely on incomplete indicators or opaque verdicts, which reduces uncertainty around whether something is actually malicious.

Novel attacks also no longer depend on someone identifying a gap and writing the next rule after the fact. Instead of spending time validating low-signal activity, teams gain deeper visibility into real threats and can operate with greater confidence in what reaches the inbox.

At the same time, this approach addresses a long-standing issue in email security: the black box problem.

Many tools provide a verdict without showing how it was reached, forcing analysts to retrace the investigation manually if they want to validate the decision. This slows response time and limits trust in the system’s output.

The industry has made progress in addressing this with explainable AI (xAI), introducing ways to surface contributing factors and provide partial insight into model behavior. But in most cases, that visibility stops short of the investigation itself. Analysts may see why a model produced a score, but not how the full decision was formed across all layers of context.


Ray takes a more complete approach. The full chain of reasoning is exposed, including how the email was analyzed, what context was considered, and how the conclusion was reached. Analysts are not asked to trust a decision; they can see how it was made.

Over time, this changes the relationship between the team and the system. Decisions become clearer, confidence increases, and the need to second-guess outcomes is reduced. The result is fewer missed attacks, more consistent responses, and a level of visibility that allows the team to operate with greater certainty.

What Happens When Every Email Gets Investigated

The ability to identify these attacks has never been the limiting factor. Practitioners have shown, time and again, that with enough time and context, the signal can be found. The challenge has been applying that level of understanding consistently across the full volume of email.

Ray changes that by extending the investigation to every message, rather than reserving it for a small subset of cases.

Once email security operates this way, investigation becomes continuous and proactive, and legacy tools feel inherently incomplete. 
