
AI changed how people work. It changed the threats aimed at them.
Your people, your data and the AI tools they now use are tied together, and so are the threats. Mimecast secures that human plane on one platform. Cornerstone licences it, designs it around your environment, and runs it with you.
protected
processed daily
worldwide
layers
Sources: Mimecast; Gartner Magic Quadrant for Digital Communications Governance and Archiving, 2025; Forrester Total Economic Impact, Mimecast Incydr.
Most security tools secure where data lives. Mimecast secures the person at the keyboard, the plane the others barely touch. It is still where most incidents begin: a message, a click, a file moved, a prompt pasted into a chatbot.
AI has sharpened all of it. Attackers write convincing phishing at scale, staff feed sensitive data into AI tools, and information walks out the door with people who leave. Mimecast brings threat protection, insider risk, data governance, behaviour change and agentic AI security onto one platform, with billions of signals a day feeding its Mihra AI agent.
Estimated annual exposure from insider-driven incidents, with only 28% of organisations running the two foundational defences to stop them.
Source: Mimecast, State of Human Risk 2026
What you get from Mimecast that point tools can’t give you.
Plenty of products do one slice of this well. The difference here is that email, insider risk, governance, behaviour and AI run on one platform, so a person’s risk is understood in full rather than in fragments.
Email threats, data movement, conduct, behaviour and AI usage roll up to a single risk picture for each person, so you act on the people who matter instead of chasing alerts in five consoles.
An attack pattern seen at one organisation hardens the defence for every other. You inherit threat intelligence built since 2003, not a model that only knows your own four walls.
The Mimecast Intelligent Human Risk Agent correlates signals across the platform into a single case, explains what it found in plain language, and recommends the action, so a small team can keep up.
One person. One bad day. Five places it could go wrong.
Real incidents rarely sit in one tool. Follow a single employee through one connected attack and watch where Mimecast steps in, while Mihra ties every signal into one case and one rising risk score.
Five signals other tools would have seen separately became one investigation. The data was blocked before it left.
You don’t have to fix everything at once. Pick the problem that’s real for you today.
Most organisations start with one pressing risk and grow from there. Choose the one that sounds like your week and we’ll take you to the part of the platform that solves it.
Independent inspection in front of Microsoft 365, tuned for business email compromise and supplier fraud.
Email protectionSee data leaving to personal email, USB, cloud sync and GenAI tools, and act on real intent without blocking the work.
Insider riskTamper-proof archiving and one AI search across email, Teams, Slack and more, for eDiscovery, DSARs and legal hold.
GovernanceFind your riskiest users, change behaviour with training they will actually watch, and lift the human bar over time.
AwarenessDefend against AI-powered attacks, govern what staff and agents do with data, and put guardrails around AI use.
AI securitySee exactly where Mimecast layers over Microsoft 365, what it adds, and where the two work better together.
Where it fitsFive problems on the human plane. One platform.
Each segment is a problem most organisations already have. Tap one to see what it solves, and what we deliver with it. At the centre, the Human Risk Command Centre and the Mihra AI agent tie it all together.
Tap a segment to explore
Email is still where most attacks start. Here is how we stop them.
Mimecast Advanced Email Security inspects every message in front of your Microsoft 365 inbox across more than 40 intercorrelated detection layers. Here is how it protects, how it adapts to the environment you already run, and how it simplifies your team’s day.
Anatomy of an attack, inspected in milliseconds.
Pick a message, then run the inspection. Mimecast breaks each email into its parts: the sender, the body, the links and the attachment. It scores every signal, then weighs them together to reach a verdict.
Why it catches what a single filter misses.
No single layer is decisive. Mimecast runs the message through more than 40 detection layers and correlates their signals, so a message that looks clean to any one check is still caught when the signals line up. These are five of the core layers.
Two ways in. One architecture.
Mimecast fits the environment you already run. Connect through the Microsoft 365 API in under two hours with no change to mail flow, or route through the gateway for inline, pre-delivery protection. The same detection platform runs either way.
Advanced protection for the attacks that cost the most.
Some threats need more than a filter. These are the deeper defences Mimecast brings, and the business reason each one matters.
Stopping wire fraud that carries no malware.
Business email compromise rarely contains a link or an attachment, so traditional filters miss it. Mimecast reads intent instead: a payroll or gift-card request, a sudden deadline, a switch to Signal or WhatsApp, a first-time sender posing as an executive.
When a real account is the attacker.
Once an attacker is inside a legitimate mailbox they slip past perimeter controls. Mimecast watches Microsoft Entra signals for behaviour that does not fit the user, and contains the account before it launches phishing from the inside.
One misclick should not compromise the business.
Links in email lead to the web, and uncategorised or suspicious sites are where credential theft and drive-by malware happen. Browser isolation renders risky pages remotely, so the user sees the content but nothing runs on the device.
Email keeps working, even when Microsoft 365 does not.
Email is the backbone of the business, and an outage stops everyone. Mimecast provides an always-on cloud mailbox that fails over instantly, so people keep sending and receiving with no data loss.
Where Mimecast’s data engine takes over from Microsoft.
Microsoft Purview classifies and enforces policy on sensitive data in sanctioned Microsoft channels. Mimecast’s data engine, led by Incydr, watches how files actually move, across every channel, including the ones policy DLP never sees. It even reads your Microsoft Purview labels and adds the missing context: who moved it, where to, and why it matters, with no policies to author first.
Legacy DLP asks what, where and how. Incydr asks who, why and so what.
Traditional DLP, CASB, UEBA and DSPM map systems and classify data at rest. That is thorough, but slow to stand up and heavy to run. Incydr starts from the person and the movement, so you see genuine risk on day one with no policies to author first.
Four jobs Incydr does from day one.
Pick the risk you care about. Each one shows what Incydr sees, the controls we apply, and the outcome.
Make AI an asset without losing the data to it.
Staff paste sensitive data into unsanctioned GenAI tools faster than policy can keep up, and most organisations can only suspect it is happening. Incydr shows data moving into AI tools from day one and lets you govern it without blocking the work.
- Full visibility of data going to GenAI tools, no policies required
- Automatic prioritisation of the movements that matter most
- In-the-moment Instructor nudges to change behaviour
- Destination blocking for high-risk GenAI tools
Don’t let data walk out the door.
Data loss spikes in the final weeks before someone leaves, and sudden departures give no notice at all. Incydr watches leavers automatically and keeps the forensic record, so a resignation never becomes a data-loss event.
- HCM integrations add leavers to watchlists automatically
- Tenant-wide controls stop exfiltration to untrusted destinations
- Full forensic detail and case files, even for sudden departures
- Alerts on anomalous exfiltration attempts
Keep the crown jewels from leaving.
Source code, design files and SaaS data are the assets attackers and leavers want most, and they rarely move through sanctioned channels. Incydr prioritises high-value data from day one and shows exactly where it goes.
- Block by source stops high-value data reaching untrusted destinations
- GitHub integration for deep source-code movement insight
- AI content inspection finds PII, PCI and keywords, no RegEx
- Cloud connectors show where high-value data actually lands
See and steer the riskiest users.
Contractors, privileged users and people already flagged need closer watch, without a blanket clampdown on everyone. Incydr lets you set your own risk appetite and respond in proportion.
- Watchlists for contractors and high-risk users
- Preventative controls from education through to blocking
- Hundreds of customisable risk indicators to set your risk appetite
- Dashboards and flexible search to surface anomalous behaviour
Every untrusted movement is scored on the user, the source, the destination and the content, using hundreds of risk indicators. The riskiest activity surfaces first, so the team spends its time where it counts instead of writing policies.
Classify with Purview, watch movement with Incydr
Purview labels and enforces policy on known-sensitive data. Incydr reads those Microsoft Purview labels and adds the context policy DLP lacks: the user, the destination and the intent, with no policy authoring to get started.
Two angles on the sanctioned channels
Both cover Microsoft email, SharePoint, OneDrive and the managed endpoint. Purview enforces content policy; Incydr scores movement risk. The channels everyone watches are covered twice, from two directions.
The paths policy DLP cannot see
Incydr covers shadow-AI uploads, personal webmail and cloud, browser uploads, source code and removable media, and raises the watch on departing employees: the exfiltration routes growing fastest.
Source: Forrester Total Economic Impact, Mimecast Incydr
Work moved off email. Your records and investigations have to follow.
Conversations that used to sit in email now happen in Teams, Slack and Google Chat. When a regulator, a court or a subject access request comes in, you still have to find every relevant record, prove nothing was changed, and act inside a deadline. Mimecast Aware captures all of it in one tamper-proof archive and lets you search across every channel from a single place.
One query. Every channel. Seconds, not days.
Pick an investigation and watch Search and Discover pull from email and collaboration at once. The old way means logging into each platform separately and stitching the results together by hand.
Three steps, same archive.
Find it fast
One search across email, Teams, Slack and Google Chat for eDiscovery, subject access and investigations. Around seven times faster than working tool by tool.
Watch it in real time
Continuous monitoring across the same channels for conduct, compliance and disclosure risk, flagged as it happens rather than discovered after the fact.
Understand the pattern
Behavioural analytics over your communications, so you can see trends and recurring risk instead of chasing one incident at a time.
Search and Discover for email is included with Mimecast archiving. Extending it to collaboration platforms, and adding Signal and Spotlight, is licensed on top. We size that to what you actually need to govern.
Work changed. People did not.
An annual training video and a phishing simulation tell you who clicked a fake email last quarter. They do not tell you who is actually putting the business at risk today. Mimecast Engage connects the signals you already have into a live picture of human risk, then acts on it in the moment.
People are targeted
Tailored phishing, credential theft and impersonation aimed at the individual. The better the lure, the more it tells you about who is exposed.
People break the rules
Circumventing MFA, disabling tools, over-using privilege, or pasting sensitive data into an unapproved AI tool to get the job done faster.
People make mistakes
The wrong recipient, a misconfigured share, a file sent home before a deadline. Honest errors that still expose the business.
The signals already exist. They are just disconnected.
Tap the behaviours that apply to a person and watch their risk profile build. Engage pulls these signals together, including from Microsoft Defender and Purview, scores the individual, and chooses the right response.
AI phishing simulations
Realistic, targeted lures built in seconds, so the test reflects real-world risk.
Content library
More than 200 modules in 27+ languages, with current topics like GenAI and deepfakes.
Real-time nudges
Micro-guidance in Slack, Teams and email at the moment a risky action happens.
Personalised scorecards
Each person sees their own security footprint, which drives accountability without shame.
Human Risk Command Centre
One place to measure human risk and direct intervention to the people who need it.
Intelligence and automation
High-risk cohorts are identified automatically and met with adaptive intervention.
of organisations pair continuous risk monitoring with their awareness training. The rest are still measuring last quarter's click rate and hoping it reflects today.
Source: Mimecast
Engage reads risk signals from Microsoft Defender and Purview alongside Mimecast's own email, web and data telemetry, so the risk profile is built from your real environment rather than a survey.
Security from AI, for AI, and by AI.
AI changed both sides of the equation. It sharpened the attacks, it gave your people powerful tools that move data in new ways, and it gave defenders a way to keep up. Mimecast works across all three. Pick a lens to explore it.
AI-powered attacks need an AI-powered defence.
Attackers now use AI to write flawless phishing at scale and clone executives convincingly. Mimecast answers in kind, correlating sender, domain, link and language signals across billions of messages a day to catch campaigns a human reviewer never could.
- Computer vision spots impersonated login pages and QR codes
- Language models read the intent behind text-only social engineering
- Social-graph analysis flags first-time senders posing as known contacts
- Signals correlated across 40+ layers, not scored in isolation
Bring shadow AI into the light, without slowing the business.
Your people already use AI tools, often through the browser where legacy DLP, CASB and Purview cannot see. Mimecast watches the AI interaction at the person’s endpoint, browser and desktop, so you can allow the sanctioned tools and act on the rest, with no policies to write first.
- See every AI interaction across endpoint, browser and desktop, from day one
- Allow approved tools like Copilot and ChatGPT Enterprise, flag the unsanctioned
- Respond in proportion: educate, allow with audit, or block
- Temporary Allow with a self-reported reason keeps work moving and leaves an audit trail
Your team, amplified by Mihra.
Mihra, the Mimecast Intelligent Human Risk Agent, turns billions of daily signals into clear next steps. It triages and investigates so analysts spend their time deciding, not gathering, and you can bring your own model through the Mihra MCP Gateway with a human always in the loop.
- Automated investigation and context-gathering on every alert
- Recommended next steps, not just raw alerts
- The Mihra MCP Gateway brings your own LLM into governed workflows
- Front-loads context, so time-to-verdict drops
Ask the agent a question.
Pick a question a security team actually asks. Mihra gathers the context and comes back with a verdict and next steps. This is an illustration of the experience.
The same foundation, extended to AI agents.
Agents and MCP connections are being given access to real data and systems faster than anyone can govern them. Mimecast extends Incydr’s human-risk foundation to score agents the way it scores people, and to map which agents can reach which data. This capability is in early access, not yet general availability.
- Adaptive risk scoring for people and AI agents alike
- Data-to-agent access mapping, the agent-to-data blast radius
- Policy governance across commercial, user-built and MCP agents
One philosophy across the whole platform: response that matches the risk.
Blunt blocking breaks the work and trains people to route around security. Every part of Mimecast instead applies the lightest control that manages the risk, and escalates only as the risk does. Choose an area, then drag across the severity to see how the response changes.
Capabilities reflect Mimecast Incydr adaptive controls
The risk looks different in your industry. So does the answer.
Choose your sector to see what usually triggers the conversation, where Mimecast helps most, and the obligations we map each control back to. We translate the control to the business consequence, not the acronym.
Cornerstone licences, implements and runs this for you, mapped to the obligations your sector carries.
See where your risk sitsWe add Mimecast to complete the Microsoft story.
Most of our clients run Microsoft 365 as their foundation. Microsoft secures identity, the endpoint and a strong email baseline. We add Mimecast where the stakes are highest and the gaps are real: the inbox, the people, and the data leaving the business. It layers in through the Microsoft API in minutes, with no change to mail flow.
- •Entra ID identity and conditional access
- •Defender for Endpoint on managed devices
- •Exchange Online Protection and Defender for Office baseline
- •Purview sensitivity labels and policy DLP
Layered email defence with no single point of failure. Mimecast inspects independently and closes the gaps built-in filtering leaves behind, while Incydr reads your Microsoft Purview labels and adds the context they lack. Each covers the other’s blind spots.
- Independent second engine, so a bypass of one is caught by the other
- Deeper impersonation, BEC and supply-chain defence
- Collaboration protection and email continuity
- Insider risk across every vector, plus behaviour and agentic AI
Signal moves both ways. Mimecast reads Microsoft Purview labels and identity risk, and Microsoft tools consume Mimecast detections through 350+ integrations, so the two operate as one layered defence rather than two silos.
and journaling
connects in minutes
The real differentiators over Defender email alone.
Microsoft Defender for Office 365 is a capable baseline, and that is exactly where it and Mimecast overlap. Toggle Mimecast on to see where the outcome changes.
When a user reports a suspicious email, Mimecast Email Incident Response triages it: AI clears the noise and analysts review the rest, so genuine threats are resolved in minutes and your team is not buried in benign reports.
Source: Forrester Total Economic Impact, 2024; Mimecast
Licensed per person. Sized to what you actually need.
Mimecast is licensed per user, per year, and the platform is modular. You can start with the one capability that matters most and add the others as you go, rather than buying everything on day one. Cornerstone sizes it to your environment and gives you a clear, itemised quote.
Pick the capabilities you need
The five solutions are sold as a platform but licensed independently, so you only pay for what fits your risk. Most clients start where the exposure is sharpest and grow from there.
Priced by people, not boxes
Licensing scales with your headcount and tier, in line with the Microsoft 365 model you already run. That keeps it predictable to budget and simple to true up as the business changes.
Cornerstone licences and runs it
We procure the licences, implement the platform and operate it alongside your team. One accountable contract and one team to call, rather than a vendor portal and a support queue.
We do not publish per-seat pricing because the right number depends on the mix above. Tell us your headcount and your Microsoft 365 tier and we will come back with an itemised quote, with no obligation.
Scope your own Mimecast solution in a few minutes.
Answer a few questions, get a recommended build across all five capabilities, and export a clean bill of materials with the exact SKUs and prerequisites. No prices, no obligation.
Tell us about your environment. See where the human-plane risk sits.
This is a guide, not a quote. Answer a few questions and we will show, in plain terms, where your exposure is concentrated and what we would look at first. The real picture comes from a short conversation.
Summary copied. Bring it to the conversation.
Guidance only. Not a substitute for an assessment.
We lead with Mimecast when it is the right answer. We will tell you when it is not.
Mimecast is excellent at the human plane. It is not the whole stack, and we do not pretend it is. Knowing where it leads and where another tool fits is the difference between a system that holds together and a pile of overlapping licences.
- Email and collaboration are where the incidents start, and you want an independent layer over Microsoft 365.
- You need insider risk across email, browser, USB and cloud, with the movement context that policy-only DLP lacks.
- You have to govern and investigate conversations across Teams, Slack and email in one place.
- You want awareness that reflects real behaviour, not a once-a-year training tick.
- Discovering and classifying sensitive data at rest across cloud stores is a job for a DSPM platform like Cyera, not Mimecast.
- Inline web filtering and CASB at full scale sit with a platform like Netskope, which we bring in where that is the need.
- Endpoint detection and response is Defender or CrowdStrike territory. Mimecast feeds them signal, it does not replace them.
- Native labelling and policy inside Microsoft 365 is Purview. Mimecast reads those labels and adds the context, rather than competing with them.
Most environments need a mix. Our job is to architect the right combination for your risk and your budget, not to sell you all of it.
Email is still number one
Most incidents start with a message and a person. Mimecast hardens exactly that, with email security built and refined since 2003.
One platform for human risk
Threat protection, insider risk, governance, behaviour and AI in one place, instead of five tools that do not talk to each other.
Complements Microsoft 365
It layers over Exchange Online and reads your Purview labels, catching what native filtering misses without ripping anything out.
A licence is easy to buy. The value is in how it’s designed, integrated and run.
Mimecast is one of several platforms we bring together for clients. The reason to work with us is what surrounds it.
Across Mimecast, Microsoft, Cyera, Netskope and more, so the whole stack holds together and there is one team to call.
Vendor-neutral by design. We recommend what fits your risk and budget, and tell you plainly when Mimecast is not the answer.
We licence, design and integrate it into your Microsoft 365 and the tools you already run, not a generic switch-on.
We hand it over with no lock-in, document it clearly, and stay alongside your team for as long as you want us there.
Mimecast is one piece. We design the whole system.
Book a short consultation. We will talk through where your human-plane risk sits, architect the right fit across the five solutions, integrate it properly with Microsoft 365, and hand it over to you to run. No lock-ins, just the outcome you needed.
Questions we get asked about Mimecast.
One platform across the human risk surface: email, data, behaviour and AI.
What does Mimecast actually do?
It brings five things together: email and collaboration threat protection, insider risk and data protection (Incydr), data governance and compliance (Aware), security behaviour management (Engage), and agentic AI security. The common thread is the person at the keyboard, who is still where most incidents start.
How is it different to Microsoft Defender for Office 365?
It layers over the top. Defender for Office is capable; Mimecast adds independent inspection that catches what slips through, plus deeper protection against impersonation, business email compromise and supply-chain attacks. Many regulated organisations run both.
What is Incydr?
Mimecast’s insider risk and data protection product: it shows sensitive data leaving via personal email, browser uploads, cloud sync, removable media and GenAI tools. The user-side complement to DLP.
What is Mimecast Aware?
The data governance, compliance and archiving suite: tamper-proof archiving, defensible retention, legal hold and eDiscovery, plus monitoring of Microsoft 365 and collaboration for conduct and disclosure risk. Built for regulated environments.
What is agentic AI security?
Discovering which AI tools and agents staff use, seeing the data they can reach, and governing them before they become a path to a breach. It lets you enable AI adoption without opening a new front.
Do we need all five solutions?
Usually not at once. Email and collaboration threat protection is the core most organisations start with, and the rest is selected by risk profile and obligation. We architect the right fit and phase it to your environment.