Gartner released its annual “Market Guide for Email Security” report last month. The report comes out at a very eventful time in the cybersecurity world. We are seeing a constant rise in the number and complexity of cybersecurity attacks. The targets are no longer just large organizations with sensitive data, but any type of organization, with impact on the general public. Having that the majority of companies maintain databases with different types of customer related data – cybersecurity attacks have turned into everyone’s problem, with privacy concerns reaching every home.

Email vulnerability to cyberthreats is still a major problem in 2021 and more importantly, it will be so in 2022 and beyond. With the majority of attacks originating from email, no wonder email is in the prime focus of security leaders. 

Email security has even been rated as “project of the year” in surveys conducted among security experts. So why can’t enterprises get it right?

“Many ransomware-as-a-service gangs use email as the initial entry point. Beyond malware, business email compromise and account takeover threats continue to rise, with significant financial losses as a result. These are often very difficult to detect because they contain no links or attachments and rely on social engineering to defraud the recipient. In the case of account takeover, there isn’t even any indication in the message headers, so, for all intents and purposes, it’s a legitimate email.”

The 2021 Gartner Market Guide for Email Security Report

The email security market continues to transition due to the aforementioned increase in attack complexity, the ongoing shift to cloud email and the growing adoption of API-based email security solutions. These are just a few of the trends covered by the Gartner 2021 Market Guide for email security report.

In the report, Gartner segments the email security market into two main categories:

  1. SEGs (Secured Email Gateways)
  2. ICES (Integrated Cloud Email Security) a new category, merging the previous CESS (Cloud Email Security Supplements) and IESS (Integrated Email Security Solutions) categories. 


The Integrated Cloud Email Security solutions, which leverage APIs to examine emails are gaining momentum, augmenting either an existing SEG offering or the built-in protection. The report highlights a high growth rate for ICES, which will gain significant market share.

By 2025, 20% of anti-phishing solutions will be delivered via API integration with the email platform, up from less than 5% today.”

Main Takeaways

Here are a few main takeaways from the report that we feel are worthwhile discussing and elaborating on, as they are critical to organizations’ ability to improve their security posture. We highly recommend reading the full report, which is available here.

Takeaway 1: POCs for email security product selection should be mandatory

How do you choose a new email security solution? 

Email security has been here for a long time, and it’s a competitive market with different solutions that have a big variance between them. CISOs need to be able to evaluate all these solutions, each promising to be the best, and make an informed decision on what to choose. 

Gartner tries to assist with this difficult task and talks about the process of evaluation of a replacement email security solution over an incumbent one. It’s not easy to find reliable recurring tests to provide a benchmark. There are some labs – like SE Labs, an independent source for providing  evaluations of email security solutions. But these types of evaluations are only released periodically and sometimes a year or more apart. For that reason, Gartner recommends a POC process, saying it has become a mandatory step for organizations in order to evaluate their security posture. 

“One of the largest challenges faced in the email security market is difficulty in building reliable, independent, recurring email protection testing, in particular with spam and phishing detection. There are no reliable monthly tests for spam and phishing results of all the top vendors, as compared with anti-malware tests provided by organizations such as AV-TEST or AV-Comparatives. SE Labs periodically tests several email security products, but not on a monthly basis, and focuses mainly on malware and phishing. The challenges are vendor participation, as well as the ability to come up with current and relevant spam and phishing samples.”

Takeaway 2: There is a major difference in the evaluation process of SEGs vs. ICES solutions that you should be aware of

The Gartner report emphasizes the difficulty in measuring SEG vs. ICES solution performance during a process of evaluation of a replacement solution. 

What does this mean?

SEG solutions are located on the MX-record, hence they always get all the traffic first. Placing another solution after an existing SEG, usually results in catching additional attacks that they missed. However that is only half of the evaluation, because you cannot tell what the SEG caught as opposed to the existing evaluated solution. When evaluating the built-in protections of the cloud email provider, e.g. Microsoft, it is thus not possible to tell what was stopped by the SEG solution that wouldn’t have been blocked by Microsoft. 

In the case of ICES, they are never on the MX-record and the cloud email provider receives all of the traffic, so it’s easier and more accurate to evaluate and know what they have caught and what was missed. However, as ICES are always second in the scanning process, it’s important to determine the false positive rates as well. 

The following diagrams illustrate the difference between MX-record deployment and an ICES solution deployment:

Figure 1: MX-record Change, commonly used by SEGs
Figure 2: API integration, commonly used by ICES

An important differentiator inside the ICES category, which is not reflected in its diagram, is in pre-delivery vs. post-delivery scanning capabilities, where a large chunk of ICES only supports the latter. In pre-delivery scanning, the email is scanned before arriving at the user’s inbox. In post-delivery scanning, it is pulled out retroactively, in case it is found malicious, leaving some risk that the user opens the email before it is scanned. In both cases, the evaluation is more simple than evaluating a SEG, due to the considerations mentioned above. 

The ease in ICES evaluation, as well as other unique capabilities that will be discussed in the next section, leads Gartner to the recommendation to opt-in for evaluating integrated solutions.

Include API-based ICES solutions when evaluating email security solutions. The simplicity of evaluation and additional visibility into internal traffic and other communication channels can reduce risk.”

Takeaway 3: The shift to API solutions provides many benefits to organizations

API solutions, not being located on the MX-record, can operate both as predelivery (Prevention) or postdelivery (Detection). While predelivery guarantees the user will not get the email before it’s scanned, post delivery relies on being able to pull back the email in case it’s malicious:

“Predelivery is usually implemented as a connector and intercepts email before it reaches the user’s inbox. Postdelivery analyzes emails after they have been delivered, and some products effectively “hide” the message to prevent the user opening it before it is scanned, while others simply rely on being able to scan the email before the user reads it.”

The ability to prevent users from ever receiving malicious emails is of course an important differentiator between solutions in the ICES category. 

Gartner also discusses specific benefits ICES solutions can provide, that SEGs normally don’t. These include:

  1. Better visibility into internal email.
  2. The ability to add context-aware banners.
  3. The ability to move messages into built-in classification mailboxes and create relationship graphs and ML models to improve detection.


“Integrated solutions go beyond simply blocking known bad content and provide in-line prompts to users that can help reinforce security awareness training, as well as providing detection of compromised internal accounts.”

Another benefit cited is that ICES products provide better connectivity and connection to SIEM/SOAR and XDR. This is inherent in their architecture which is designed and built from the get-go to be exposed and communicate with other systems via APIs, rather than legacy SEG solutions that are more difficult to integrate  and normally integrate with specific systems only.

Takeaway 4: Effective email security over time requires more than just the right product

Many organizations experience high detection rates during a POC or when first implementing a new email security solution, but as time goes by, the detection rates continue to deteriorate. 

For an email security solution to maintain its effectiveness over time, not only is the right product required, but also proper ongoing management. This is a combination of ongoing configurations of the product, along with threat and vulnerability management, security incident response, and more. 

“Effective email security requires not only the selection of the correct products, with the required capabilities and configurations, but also having the right operational procedures in place.”

Ongoing management of security systems is not easy for organizations to maintain due to varied barriers, such as difficulty in hiring and training cyber experts, challenges in defining and implementing the correct and efficient operational procedures, and more. 

The result is a trend Gartner identifies in that companies seek a managed service as part of the product selection criteria for email security.

“The evolution in threats has led to increased demand for other techniques and services, such as mail-focused security orchestration, automation and response (MSOAR)… MSOAR capabilities are offered to rapidly triage user-reported phishing messages as a managed service, either directly from the vendor or through a managed security service provider (MSSP).”

Takeaway 5: Beyond email – collaboration tools are organizations’ blindspots

Cloud collaboration channels include different channels that are designed for sharing content and data, such as messaging & team collaboration tools (e.g. Slack, Microsoft teams), cloud storage (e.g. Dropbox, Google Drive), shared virtual spaces (e.g. confluence, Huddle), enterprise social networks (e.g. Chatter, Jive), CRM applications (e.g. Salesforce, HubSpot) and in-house applications and APIs.

At a basic level, the attacks coming through these channels are almost identical to email-borne attacks. Some of the examples are impersonations, spreading malicious malware/URLs, and ransomware. These attacks leverage the same or even more sophisticated methods from malicious agents such as  combining several evasion techniques into one attack.

Figure 3: Content-borne attack channels

For many organizations, these channels are essentially a blindspot; they are investing a lot of time and money into securing their email channel but overlooking other channels where attackers can easily infiltrate the organization. 

Gartner has identified this blindspot, and suggests for organizations to use ICES solutions that utilize API integrations, to also support their internal and external cloud collaboration channels.

“With the shift to remote and hybrid working, communication is moving beyond just email to include collaboration tools such as Microsoft Teams and Slack with users outside the organization. These have the potential to be used by attackers for phishing and malware distribution. Several vendors’ solutions can use their API integrations into such collaboration platforms to filter malicious content or suspicious interactions.”


Email security is still a major problem and requires the best protection out there. Organizations should use industry best practices to form a strategy for email security to define  what needs to be part of their email security solution’s architecture, features, and related processes and playbooks, and then properly evaluate next-gen technologies and managed services that include them, to best protect themselves from the emerging threat landscape.

About Perception Point

Perception Point is a Prevention-as-a-Service company, offering fast interception of any content-based attack across all cloud collaboration channels, including email, cloud storage, CRM apps, and messaging platforms. The company prevents phishing, BEC, spam, malware, Zero-days, and N-days well before they reach enterprise users.

Deployed in minutes with no change to the enterprise’s infrastructure, the Perception Point solution conforms with any policy and requires zero fuss from IT teams. As part of the managed service provided by the company, its Incident Response team serves as a force multiplier to the enterprise’s SOC team. 

  • Perception Point has been rated #1 on the SE Labs independent detection testing for the best detection rates and lowest false positive rate. 
  • Perception Point has been recognized 3rd year in a row as a Gartner Representative Email Security Vendor in their Integrated Cloud Email Security (ICES) category of the Market Guide for Email Security.


To learn more about Perception Point, visit our website, follow us on LinkedIn, Facebook, and Twitter, or contact us.