TAP, TRAP, and EFD — Proofpoint's three most important products — explained from scratch. No jargon. No assumptions. Everything you need to know.
Before diving into each product, here's the 30-second orientation. Proofpoint is built around one core belief: people, not technology, are the number one target in cyberattacks. These three products are how they protect them.
To understand why these products matter, you need to understand the scale of the email threat problem.
Email is the world's most used business communication tool — which is exactly why attackers love it. Over 90% of all cyberattacks start with an email. It's the path of least resistance into any organization.
Modern email attacks are sophisticated. Polymorphic malware changes its signature to avoid detection. URLs are "clean" at delivery but become malicious minutes later. BEC attacks have no malware at all — just convincing impersonation.
Attackers don't hack systems — they hack people. They use social engineering to trick employees into clicking links, wiring money, or sharing credentials. Technology alone can't solve a human problem. Proofpoint's philosophy is "people-centric security."
Attackers compromise a supplier's email account, then use it to send fraudulent invoices or requests to that supplier's clients. The email looks 100% legitimate because it comes from a real, trusted sender — but the account is under attacker control.
TAP has to make a "safe or dangerous" decision in milliseconds, before a user can click. But some URLs are weaponized after delivery — they're clean when they arrive, then become malicious hours later when threat actors flip a switch.
Business Email Compromise (BEC) alone has cost organizations over $50 billion globally since 2013. A single convincing fake invoice email to an accounts payable team can result in millions of dollars wired directly to attackers.
Detect, analyze, and block advanced email threats before they reach users — in real time.
Every inbound email passes through Proofpoint before it ever reaches your mail server (Microsoft 365, Exchange, Google Workspace). TAP operates inline — meaning it's in the actual email path, not just scanning copies after the fact.
Any attachment — PDFs, Office documents, executables, archives — is detonated in a cloud-based sandbox (a safe virtual machine). TAP watches what happens: Does it try to download more malware? Does it modify system files? Does it phone home to a hacker's server? This happens in real time using both virtual environments and bare-metal hardware, with analyst-assisted execution to maximize detection.
Every URL in an email is rewritten to a Proofpoint proxy URL. When a user clicks it, TAP intercepts the click, visits the destination URL in a safe environment right at that moment, and only forwards the user if it's safe. This solves the "weaponized after delivery" problem — even if the URL was clean at delivery, TAP catches it if it's become malicious by the time the user clicks.
TAP runs every message through Proofpoint's Nexus AI platform — analyzing sender behavior, message structure, historical patterns, and threat intelligence from 115,000+ customers and a trillion+ data points. It uses NexusAI's Language Model, Machine Learning, and Relationship Graph engines to score threats and detect BEC attacks that have no malicious payload.
Based on its verdict, TAP takes action: block the email outright, quarantine it for admin review, deliver it with a warning banner, or allow it through. Admins control the policy. Verdicts are rendered in milliseconds for most messages.
TAP feeds all threat data into the TAP Threat Insight Dashboard, showing who is being targeted, by what kind of attack, from which threat actors. It identifies your Very Attacked People (VAPs) — the specific employees under the heaviest attack — so you can apply stronger protections to them specifically.
TAP calculates an Attack Index score (0–1000) for every user, weighted across four factors: how sophisticated the attacker is, how targeted vs. widespread the attack is, what type of attack it is, and overall volume. The highest-scoring individuals are your VAPs — your CEO, CFO, or specific department members who are disproportionately targeted. TAP lets you apply extra protections (like URL isolation or mandatory sandboxing) specifically to these people.
Malware that constantly mutates its code to evade signature-based detection. TAP catches it by analyzing behavior, not just signatures.
Office files and PDFs with embedded malicious macros, exploits, or links that activate when opened. Sandboxing catches these in the act.
Fake login pages for Microsoft, Google, banks, etc. designed to steal usernames and passwords. TAP's URL scanning identifies these even when the page looks completely legitimate.
Emails that impersonate your CEO, CFO, or suppliers to trick employees into wiring money or sharing data. NexusAI's language and relationship models detect these even with no malicious payload.
Telephone-Oriented Attack Delivery — emails with fake phone numbers that trick users into calling attackers. TAP's Computer Vision engine detects malicious phone numbers and QR codes.
Emails linking to malicious OAuth apps that trick users into granting attackers full access to their cloud accounts (Google Drive, OneDrive, etc.) without ever entering a password.
Automatically quarantine malicious emails after delivery — including every forwarded copy.
Even the best detection systems occasionally let a malicious email through — especially attacks designed specifically to evade detection. When that happens, the clock is ticking from the moment delivery occurs. TRAP is the safety net for those cases.
When an employee forwards a suspicious email to colleagues ("Hey, do you recognize this?"), the threat multiplies. Manual cleanup — finding and removing every copy from every mailbox — can take hours. TRAP does it automatically in seconds.
Some phishing URLs are safe at delivery but become malicious afterward. TAP might scan them and find nothing wrong — but later, users who clicked are at risk. When TAP updates its verdict, TRAP gets triggered automatically to clean up.
Manually quarantining a single email in Exchange or Microsoft 365, tracking down forwarded copies, and documenting everything takes 10–20 minutes. When you have 100 malicious emails to clean up, that's 30+ hours of analyst time. TRAP does it in seconds.
TRAP connects to multiple alert sources: TAP (its primary partner), abuse mailboxes where users report suspicious emails, CSV file uploads from SmartSearch, and even third-party tools like FireEye. When any of these sources identifies a threat, an alert flows into TRAP automatically.
TRAP doesn't just act on the original recipient. It uses the Nexus Threat Graph and its own logic to trace the email through forwarding chains and distribution lists — finding every mailbox that received a copy, whether directly or indirectly through internal forwarding.
TRAP connects directly to Exchange, Microsoft 365, or Google Workspace and moves the email from every affected inbox to a quarantine folder that only admins can access. In automatic mode, this happens before most users even have a chance to click anything. You can also run TRAP in manual mode, where an analyst approves the action first.
TRAP checks whether any user clicked a malicious URL or otherwise interacted with the message. Unlike Microsoft's native message recall system, TRAP doesn't care whether the message was read — it pulls it regardless. But it also tells you exactly who read it, which is critical for follow-up response (password resets, account reviews, etc.).
If a user clicked a malicious URL or is confirmed to have interacted with the email, TRAP can automatically trigger additional responses: reset the user's password in Active Directory or Okta, lock the account, or notify their manager. These are policy-driven and configurable.
Every action TRAP takes is logged with timestamps: which mailboxes were affected, what actions were taken, whether the email was read before quarantine, and the success or failure of each retrieval attempt. This is invaluable for incident response, compliance, and reporting to executives or regulators.
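The tracing, interaction-check and audit steps described above, as an added example that is not Proofpoint's code or TRAP's actual logic. The addresses, the forwarding data and the follow-up policy are constructed assumptions.

```python
from collections import deque

# Constructed data; every address and the follow-up policy are hypothetical.
LISTS = {
    "ap-team@corp.example": ["ana@corp.example", "bo@corp.example"],
    "helpdesk@corp.example": ["eli@corp.example", "ana@corp.example"],
}
FORWARDS = {  # mailbox -> addresses it forwarded the flagged message to
    "ana@corp.example": ["dee@corp.example"],
    "dee@corp.example": ["helpdesk@corp.example", "ana@corp.example"],
}

def affected_mailboxes(first_recipients, forwards, lists):
    """Breadth-first walk from the original recipients through list
    expansion and forwards. Returns {mailbox: how the copy arrived}."""
    found, visited = {}, set()
    queue = deque((addr, "direct") for addr in first_recipients)
    while queue:
        addr, via = queue.popleft()
        if addr in visited:          # stops forwarding loops and nested-list cycles
            continue
        visited.add(addr)
        if addr in lists:            # a list holds no copy itself; its members do
            queue.extend((m, f"{via}, list {addr}") for m in lists[addr])
            continue
        found[addr] = via
        queue.extend((t, f"forwarded by {addr}") for t in forwards.get(addr, []))
    return found

def audit(first_recipients, forwards, lists, read_by, clicked_by):
    """One record per mailbox to quarantine, with the follow-up a policy might
    attach: a click leads to a password reset, a read to an account review."""
    rows = []
    for mbox, via in sorted(affected_mailboxes(first_recipients, forwards, lists).items()):
        follow_up = ("reset password" if mbox in clicked_by
                     else "review account" if mbox in read_by else "none")
        rows.append({"mailbox": mbox, "via": via,
                     "read_before_quarantine": mbox in read_by, "follow_up": follow_up})
    return rows

if __name__ == "__main__":
    for row in audit(["ap-team@corp.example", "cy@corp.example"], FORWARDS, LISTS,
                     read_by={"ana@corp.example", "dee@corp.example"},
                     clicked_by={"dee@corp.example"}):
        print(row)
```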
Stop email impersonation attacks by authenticating every email sent to and from your domain.
EFD is centered on deploying and managing three email authentication standards. You don't need to memorize these deeply, but understanding them at a high level is essential.
A list published in your domain's DNS records of every server that is allowed to send email on your behalf. If an email claims to be from you but comes from a server not on the list, receiving servers can flag or reject it. EFD helps you manage and host your SPF records properly — including all third-party senders (marketing tools, CRMs, etc.).
A cryptographic signature added to every outbound email, signed with a private key only your organization holds. Receiving servers verify the signature using your public key. If the signature doesn't match — because the email was forged or tampered with — the message fails DKIM and can be rejected.
The policy layer that ties SPF and DKIM together. DMARC tells receiving mail servers what to do when an email fails authentication: nothing (monitor), quarantine it, or reject it outright. Critically, DMARC also sends reports back to you — so you can see every email that claims to be from your domain and whether it passed or failed authentication.
EFD begins by mapping the entire landscape of who sends email on behalf of your domain. This isn't just your own servers — it includes third-party marketing platforms (Mailchimp, Salesforce, HubSpot), CRM tools, invoice systems, and shadow IT services that teams set up without IT's knowledge. Each one needs to be identified and authorized.
EFD subscribes to the DMARC aggregate reports that every major mail provider sends — Google, Microsoft, Yahoo, and others. These XML reports show every email claiming to be from your domain, which servers sent them, and whether they passed SPF and DKIM. EFD parses and visualizes this data, turning thousands of raw data points into actionable insights on a clean dashboard.
EFD guides you through a carefully staged rollout: start with p=none (monitor only), then quarantine, then reject. Proofpoint's expert consultants work with you to ensure all legitimate senders are properly authenticated before you tighten policy — so you don't accidentally reject your own emails. The typical journey takes weeks, not months.
EFD's Nexus Supplier Risk Explorer automatically identifies all the third-party suppliers and vendors that email your employees, scoring each one for risk. It also runs Domain Discover — a machine learning system that finds domains impersonating your brand (e.g., companyna me.com or company-invoices.net) that attackers might use to target your customers or partners.
EFD doesn't just protect outbound email. The authentication intelligence it builds — knowing exactly which servers legitimately send from your domain — is fed back into the Proofpoint gateway to make inbound filtering smarter. Fake emails claiming to be from your CEO are more easily identified and blocked.
TAP, TRAP, and EFD are all powered by Proofpoint's Nexus threat intelligence and AI platform. Understanding Nexus helps you understand why these products are so effective.
Proofpoint aggregates data from over 115,000 customers and analyzes more than 1 trillion data points — spanning email, cloud, network, mobile, and social media. This community threat graph means that when an attack targets one of Proofpoint's customers anywhere in the world, all 115,000+ customers instantly benefit from the intelligence gained.
Analyzes email text for transactional language and urgency patterns characteristic of BEC attacks — even with no malicious payload or attachment.
Builds a model of normal communication patterns between senders and recipients. Flags deviations — like a CEO "emailing" from a country they never contact, or a supplier suddenly changing payment details.
Detects behavioral similarities to known threat patterns. Trained continuously on new attack campaigns across the entire Proofpoint customer base.
Detects image-based impersonations, malicious QR codes, and fake phone numbers embedded in emails — attacks that traditional text-analysis systems miss entirely.
These three products aren't just complementary — they're designed as an integrated system, each filling the gaps the others leave.
DMARC rejects forged emails claiming to be from your domain. Supplier monitoring alerts you to compromised partner accounts before they target you.
TAP scans every email, sandboxes attachments, rewrites URLs, runs AI analysis, and blocks or quarantines threats before they reach the inbox.
If anything slips through, TRAP auto-pulls every copy from every mailbox the moment a threat verdict is updated. Audits who interacted with it.
Threat intelligence loops back into Nexus. Every detected attack improves detection for all 115k+ customers. The system gets smarter with every attack.
The most common integration. TAP detects a threat and automatically sends an alert to TRAP. TRAP immediately begins hunting down and quarantining every copy of that email. The integration takes minutes to set up and results are immediate — in automatic mode, emails are typically pulled before users have a chance to click. This is the cornerstone workflow of Proofpoint's post-delivery response.
EFD's deep knowledge of which email servers legitimately send on your behalf gets shared with TAP's inbound filtering. This means TAP can more confidently identify when an email is spoofing your domain or impersonating an internal sender — even if it technically passes basic checks. EFD's DMARC insights make TAP's detection sharper for your specific environment.
Users report suspicious emails to an abuse mailbox. TRAP picks these up, analyzes them using Proofpoint intelligence, and if they're confirmed malicious, auto-pulls them. Threat data flows back into TAP to improve future detection. This creates a closed-loop security system where your own employees' vigilance directly improves your defenses — at scale, with zero manual intervention.
All three products feed into the Proofpoint dashboard ecosystem. The TAP Threat Insight Dashboard shows your threat landscape, VAPs, attack actors, and campaign data. TRAP's dashboard shows incident history and remediation audit trails. EFD's portal shows your DMARC compliance journey and domain abuse monitoring. Together, they give a 360° view of your email security posture.
Everything compared at a glance.
| Attribute | TAP | TRAP | EFD |
|---|---|---|---|
| Full Name | Targeted Attack Protection | Threat Response Auto-Pull | Email Fraud Defense |
| Primary Job | Detect & block threats before delivery | Remove threats after delivery | Authenticate email identity, stop impersonation |
| When It Acts | Pre-delivery (and at click) | Post-delivery | Before email is even sent (DNS-level policy) |
| Core Technique | Sandboxing, URL rewriting, AI/ML analysis | Automated mailbox quarantine across forwarding chains | DMARC, SPF, DKIM authentication + AI BEC detection |
| Threats Addressed | Malware, phishing, BEC, ransomware, TOAD, cloud threats | Delivered threats — any type TAP or other sources flag | Domain spoofing, brand impersonation, BEC, lookalike domains |
| Who It Protects | Your employees (inbound) | Your employees (post-delivery cleanup) | Your customers, partners & employees (outbound trust + inbound spoofing) |
| Key Dashboard | TAP Threat Insight Dashboard — VAP reports, threat actors, campaign data | TRAP Incident Dashboard — quarantine history, audit trail | EFD Portal — DMARC compliance, sender landscape, domain abuse |
| Deployment | Cloud gateway (inline), API mode for M365/Google | Cloud (SaaS), on-prem VMware, or AWS | Cloud SaaS — consult-led implementation |
| Integration with TAP | — | ✅ Primary alert source for TRAP | ✅ EFD intel feeds TAP inbound detection |
| Human Action Required? | Analysts review flagged threats; most actions automated | Automatic mode requires zero human action; manual mode optional | Consultant-assisted setup; ongoing monitoring is automated |
| Industry Analogy | Airport security screening | Bomb squad post-breach response team | Passport/identity verification authority |