OpenEFA Signal

Adaptive Sender Thresholds

Personalized risk evaluation for every sender.

OpenEFA® Signals Series | April 2, 2026

Not every sender should be measured by the same ruler. A message from a vendor you've worked with for five years carries a fundamentally different risk profile than a message from a sender you've never seen before. Yet most email security systems evaluate both against the same static thresholds.

This one-size-fits-all approach creates a painful trade-off: set thresholds low enough to catch threats from unknown senders, and you'll generate false positives on legitimate mail from established contacts. Set them high enough to avoid annoying your trusted partners, and you'll miss threats from unfamiliar sources.

OpenEFA® eliminates this trade-off by building individualized behavioral profiles for every sender and adjusting detection thresholds based on trust history, communication patterns, and relationship depth.


The Problem with Static Thresholds

Consider how traditional email security evaluates a message. The system assigns a score based on various factors — content analysis, authentication results, sender reputation, link analysis — and compares that score against a fixed threshold. If the score exceeds the threshold, the message is flagged, quarantined, or rejected.

This model has a fundamental flaw: the same threshold applies regardless of who the sender is.

A fixed threshold of, say, 5.0 might be appropriate for an unknown sender contacting your organization for the first time. But for your accounting firm, which sends you encrypted PDF attachments every quarter, the same threshold generates constant false positives because their legitimate messages naturally trigger content-analysis rules (encrypted attachments, financial terminology, urgency around tax deadlines).

Administrators respond by creating allowlists, bypass rules, and per-domain exceptions. This introduces a different problem: those exceptions become permanent, they're rarely reviewed, and they create blind spots that attackers can exploit. A compromised vendor that has been allowlisted receives less scrutiny at precisely the moment they need more.

The result is a system that is simultaneously too aggressive with some senders and too permissive with others — and requires constant manual tuning to maintain.


How Adaptive Thresholds Work

OpenEFA takes a fundamentally different approach. Instead of applying a single threshold to all mail, it builds a behavioral profile for every sender that communicates with your organization and adjusts the detection sensitivity based on what it has learned about that sender over time.

Profile Construction

Every time a sender communicates with your organization, OpenEFA records a set of behavioral attributes: sending time patterns, typical recipients, message structure, language characteristics, attachment habits, authentication infrastructure, content types, and communication frequency. Over time, these observations form a statistical baseline — a model of what "normal" looks like for that specific sender.

This is not a simple reputation score. It is a multi-dimensional profile that captures the shape of a sender's communication behavior across dozens of attributes.

Trust Accumulation

Trust is not binary. It accumulates incrementally as a sender demonstrates consistent, legitimate behavior over time. A sender who has sent 500 messages over two years, with consistent patterns and no incidents, has earned a different trust level than a sender who first appeared last week.

OpenEFA quantifies this trust through several dimensions:

Threshold Adjustment

Based on the accumulated trust profile, OpenEFA adjusts the detection threshold for each sender. This adjustment works in both directions:

For high-trust senders, the threshold is relaxed for behaviors that match their established patterns. If your law firm always sends encrypted attachments at the end of the month, those attachments don't add to the risk score the way they would from an unknown sender. But the threshold tightens for behaviors that deviate from their established patterns. A sudden change in sending time, a new type of request, or an unfamiliar attachment format from a high-trust sender is scrutinized more carefully — because the deviation from a well-established baseline is itself a strong signal.

For unknown or low-trust senders, the threshold is strict across all dimensions. Every aspect of the message is evaluated with full scrutiny because there is no behavioral baseline to measure against. First-contact messages face the highest level of analysis.

This is the key insight: trust is not a bypass. It changes what "normal" means, not whether checking occurs.


Why One-Size-Fits-All Fails

The limitations of static thresholds become clear when you examine specific failure modes:

False Positives from Trusted Senders

An international vendor sends messages in a language that triggers content-analysis rules. A healthcare provider's messages contain medical terminology that resembles pharmaceutical spam. A financial partner's quarterly reports include urgency language about regulatory deadlines. All of these are legitimate communications that trigger static rules designed for different contexts.

With adaptive thresholds, these patterns are recognized as normal for these specific senders. The content-analysis rules still fire, but the resulting score is weighted against the sender's established behavioral profile. The system has learned that this sender always communicates this way — and that previous instances have been legitimate.

False Negatives from Unknown Senders

A sophisticated attacker carefully crafts a message that stays just below the static detection threshold. The content is clean enough, the domain is old enough, and the authentication is valid. The message passes because it doesn't quite trigger any individual rule.

With adaptive thresholds, an unknown sender faces a stricter evaluation by default. The absence of a behavioral profile is itself informative — the system has no reason to extend trust, so every signal is evaluated with maximum sensitivity. The same message that would pass under a static threshold is caught because the unknown-sender threshold is lower.

The Allowlist Trap

Organizations that rely on static thresholds inevitably create allowlists to reduce false positives from trusted senders. But allowlists are binary — a sender is either on the list or off it. There's no middle ground, no gradation, and typically no ongoing behavioral monitoring. If an allowlisted vendor is compromised, their messages bypass security entirely.

Adaptive thresholds replace static allowlists with dynamic trust that can detect compromise. A high-trust sender whose behavior suddenly shifts receives increased scrutiny automatically — no manual intervention required.


Profile Dimensions in Detail

The behavioral profile that drives threshold adjustment captures multiple dimensions of sender behavior:

Temporal Patterns

When does this sender typically communicate? What days of the week? What hours? Is there a predictable cadence (weekly reports, monthly invoices, quarterly reviews)? Temporal analysis creates an expected sending window for each sender. Messages that arrive outside this window face increased scrutiny — not because unusual timing is inherently dangerous, but because it represents a deviation from the established pattern.

Recipient Patterns

Who does this sender typically contact within your organization? Do they communicate with a consistent set of individuals, or does their recipient list vary? A sender who normally communicates with the sales team but suddenly contacts the CFO directly represents a significant pattern change worth investigating.

Content Characteristics

What does this sender's typical message look like? Do they tend to send short replies or long, detailed messages? Do they include attachments regularly? What file types? Do they include links? To which domains? The content profile doesn't examine the specific content of each message — it characterizes the shape of the sender's communications over time.

Infrastructure Consistency

Does this sender consistently use the same mail servers, the same email client, the same authentication infrastructure? Changes in the underlying sending infrastructure can indicate that the account is being accessed from a new location or device — potentially legitimate (new laptop, travel) or potentially malicious (compromise).

Request Patterns

What does this sender typically ask for? A sender who has never made financial requests but suddenly asks for a wire transfer represents a significant deviation. A sender who regularly shares documents but has never asked for credentials represents a change in request pattern that warrants attention.


A Real-World Scenario

Consider how adaptive thresholds handle a common real-world situation:

Sender A: A long-standing vendor (3 years, 400+ messages observed)

Sends monthly invoices as PDF attachments. Uses consistent language. Communicates with accounts payable every 2nd week of the month.


Sender B: Unknown sender (first contact)

Claims to be a new vendor. Sends an invoice as a PDF attachment. Requests payment within 48 hours.

Under a static threshold system, both messages receive similar evaluation. Both contain PDF attachments. Both contain financial language. Both request payment. If the threshold is tuned to allow Sender A's legitimate invoices, it may also allow Sender B's fraudulent one.

Under OpenEFA's adaptive thresholds:

Now consider a third scenario:

Sender A (compromised): Same vendor, but their account has been taken over

Sends an invoice on an unexpected date. The PDF is a different format than usual. The message requests payment to a new bank account. The email was sent from a different IP than their normal infrastructure.

Under a static system with Sender A allowlisted, this message sails through — the allowlist bypasses security entirely.

Under adaptive thresholds, Sender A's deep behavioral profile works against the compromised account. The unexpected timing, changed document format, new banking request, and infrastructure shift all represent significant deviations from the established baseline. The threshold tightens because the behavior doesn't match the profile. The message is flagged despite coming from a trusted sender.
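As an added illustration (not OpenEFA's own code or data model), here is the reweighting described under Threshold Adjustment applied to the three senders above. The rule weights, the trust formula, the 10% baseline rule, the threshold scaling and the RFC 5737 sample addresses are all constructed assumptions:

```python
from collections import Counter, defaultdict

STATIC_THRESHOLD = 5.0  # the fixed threshold in the article's example
# Constructed content-analysis rules, (attribute, value) -> weight: PDF attachments,
# financial terminology, financial terms plus urgency, payment to a new account
CONTENT_RULES = {("attachment", "pdf"): 2.0, ("request", "invoice"): 2.0,
                 ("request", "urgent_payment"): 2.5, ("request", "invoice_new_account"): 3.0}
DEVIATION_WEIGHT = {"day": 1.5, "ip": 1.5, "attachment": 1.0, "request": 1.0}  # on deviation

class SenderProfile:  # per-sender behavioral baseline (hypothetical data model)
    def __init__(self):
        self.messages = 0
        self.seen = defaultdict(Counter)  # attribute -> Counter of observed values
    def observe(self, m):
        self.messages += 1
        for attr in DEVIATION_WEIGHT:
            self.seen[attr][m[attr]] += 1
    def trust(self):  # grows with history, saturates at 200 messages, capped below 1.0
        return min(0.9, self.messages / 200)  # so that trust never becomes a bypass
    def in_baseline(self, attr, value):  # "normal" = seen in >= 10% of this sender's mail
        return self.messages > 0 and self.seen[attr][value] / self.messages >= 0.10

def static_score(m):  # the one-size-fits-all model: rules fire regardless of sender
    return sum(w for (a, v), w in CONTENT_RULES.items() if m[a] == v)

def adaptive_score(profile, m):
    # Same rules reweighted by trust t: relaxed on baseline matches, tightened plus a
    # deviation penalty otherwise. An unknown sender has no baseline and t == 0, so
    # every rule still counts in full: trust changes "normal", not whether we check.
    t, score = profile.trust(), 0.0
    for attr in DEVIATION_WEIGHT:
        w = CONTENT_RULES.get((attr, m[attr]), 0.0)
        if profile.in_baseline(attr, m[attr]):
            score += w * (1 - t)
        else:
            score += w * (1 + t) + DEVIATION_WEIGHT[attr] * t
    return score

def flagged(profile, m):  # unknown senders face a lower bar; it relaxes with trust
    return adaptive_score(profile, m) >= STATIC_THRESHOLD * (0.6 + 0.4 * profile.trust())
def msg(day, attachment, ip, request): return dict(day=day, attachment=attachment, ip=ip, request=request)

# Constructed scenario from the article (RFC 5737 documentation addresses as IPs)
VENDOR = SenderProfile()
for i in range(400):  # Sender A: 400 invoices, 2nd week of the month, one mail server
    VENDOR.observe(msg(8 + i % 7, "pdf", "192.0.2.10", "invoice"))
UNKNOWN = SenderProfile()                                  # Sender B: first contact
MSG_A = msg(10, "pdf", "192.0.2.10", "invoice")            # A's usual invoice
MSG_B = msg(10, "pdf", "198.51.100.7", "urgent_payment")   # B's "new vendor" invoice
MSG_A_TAKEOVER = msg(27, "docx", "203.0.113.9", "invoice_new_account")  # A compromised
```

Sender B's invoice sums to 4.5 under the static rules and passes the 5.0 threshold, but fails the unknown-sender bar of 3.0. The compromised vendor's message sums to only 3.0 under the same static rules, yet scores 10.2 against its own baseline and is flagged.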


The Broader Principle

Adaptive Sender Thresholds represent a fundamental shift from static security to dynamic security. Instead of applying rigid rules uniformly, OpenEFA recognizes that context determines risk, and every sender provides their own context through their behavior over time.

The core principle: trust is earned, not granted. It is specific, not universal. And it is continuously validated, not permanently assumed.

This approach doesn't just improve detection accuracy. It changes the operational model for email security teams. Instead of spending time tuning thresholds and maintaining allowlists, administrators can focus on the alerts that matter — because the system has already accounted for each sender's individual context before a human ever sees the message.

Every sender tells a story through their behavior. Adaptive thresholds ensure that story is heard, understood, and used to make better security decisions for every message that arrives.