What score range does the Proofpoint Attack Index use?

Correct: c. The Attack Index scores each user on a scale of 0 to 1000, weighting threat sophistication and attacker focus more heavily than raw email volume.

Why might a finance coordinator rank higher than the CEO on the Attack Index?

Correct: c. The Attack Index weights threat sophistication and attacker focus heavily. A single-recipient BEC lure aimed at someone who approves wire transfers scores far higher than bulk spam — regardless of job title.

A SOAR engineer wants to auto-enrol high-risk users in stricter MFA without a manual SOC process. Which Proofpoint capability should they integrate?

Correct: a. The People API exposes the live Attack Index rankings so a SOAR playbook can pull the top-N VAPs, trigger a stricter MFA policy in the identity provider, and relax it automatically when scores fall — no manual ticket required.

Attackers send a credential-phishing campaign using newly registered domains. At delivery time the URLs pass all reputation filters. Which control catches the threat?

Correct: c. Newly registered domains have no reputation at delivery. Click-time URL defence re-evaluates the link when the user clicks it — by then the page has resolved and sandbox analysis can return a malicious verdict, blocking the credential-harvest attempt.

An organisation applies URL isolation to all 10,000 users equally. What is the main drawback compared with risk-tiered adaptive controls?

Correct: b. Remote browser isolation adds measurable latency and infrastructure cost. Applying it uniformly burdens low-risk users and wastes budget. Risk-tiered adaptive controls concentrate isolation on the users with elevated Attack Index scores, where the protection is actually needed.

Six months after enabling adaptive controls, the security team notices no users are currently in the high-VAP tier. What is the most likely correct interpretation?

Correct: c. A drop in VAP tier population can indicate that adaptive controls have raised the cost of successful targeting (stepped-up MFA, isolation) or that attacker campaigns have rotated to other organisations — both expected outcomes. Continued monitoring via the rolling Attack Index window is the correct response, not an assumption of system failure.

Proofpoint People-Centric Security & VAP Explained (2026)

Q: Why does a people-centric model outperform a perimeter-only model against targeted email attacks?

Correct: b. Over 90% of targeted attacks begin with a crafted email aimed at a researched individual. Perimeter controls have no visibility into who is being targeted or why — only a per-person Attack Index can surface that.

Q: Which Attack Index dimension reflects the blast radius if the user is compromised?

Correct: d. User privilege amplifies the Attack Index score because a user with financial approval rights or admin access causes far more damage if compromised than a user with no sensitive access.

Q: A security engineer wants the SOAR platform to automatically tighten MFA for the top 20 VAPs each week. Which Proofpoint capability enables this without manual work?

Correct: b. The People API exposes the ranked VAP list so SOAR platforms can pull it programmatically, trigger identity-provider policies and relax them when the score drops — all without manual SOC tickets.

Q: A company applies URL isolation only to its top-50 VAPs instead of all 5,000 users. What is the primary advantage of this approach?

Correct: b. Remote browser isolation adds latency and infrastructure cost. Concentrating it on the highest Attack Index users gives strong protection where it is needed, with minimal friction for the majority who do not need it.

Most engineers think…

Most security teams picture email threat protection as a funnel that filters bad messages before they land — and once a message is blocked, the job is done. That model works for commodity spam but fails for targeted attacks.

Proofpoint's data shows that a small fraction of people receive the majority of sophisticated threats — credential phishing, business email compromise, and nation-state lures. Those people are the Very Attacked People (VAPs). Without a people-centric lens you apply the same control to a VAP and to someone who rarely receives anything targeted — the VAP is chronically under-protected. The Attack Index gives you the scoring model to see who they actually are and respond proportionally.

① Why people-centric security — the attacker follows the person, not the perimeter

Modern attackers do not scan IP ranges looking for a gap — they research organisations on LinkedIn, map out who approves wire transfers, who has cloud admin access, and who tends to click. More than 90% of targeted attacks begin with a crafted email aimed at a specific person. A perimeter firewall has nothing useful to say about that.

Proofpoint calls the response to this shift people-centric security: security controls calibrated to the individual's actual risk profile rather than their job title. The headline insight is that the most attacked people are not always the executives. Finance co-ordinators, IT help-desk staff, and EA assistants who handle wire approvals often carry higher Attack Index scores than the CEO because attackers find them more reachable and more valuable as entry points.

The practical payoff: instead of giving every user the same training cadence and the same email policy, you concentrate your most expensive controls — URL isolation, step-up authentication, targeted simulation — on the people who genuinely need them. Everyone else gets standard protection and your SOC spends its time on real risk.

Figure 1 — People-centric security loop

Proofpoint's model: identify who is targeted, score them, apply controls, then measure improvement.

Quick check · Q1 of 10 · Understand

Why does a people-centric model outperform a perimeter-only model against targeted email attacks?

a) Because perimeter firewalls block more messages than email filtersb) Because attackers research and target specific individuals, making per-user risk scoring more precise than blanket IP-based controlsc) Because people-centric tools are cheaper to deployd) Because email encryption alone stops targeted attacks

Correct: b. Over 90% of targeted attacks begin with a crafted email aimed at a researched individual. Perimeter controls have no visibility into who is being targeted or why — only a per-person Attack Index can surface that.

👉 So far: Attackers target specific people, not IP ranges. People-centric security scores individual risk so controls can be proportional — not the same for everyone.

② The Attack Index — four dimensions that score every user 0–1000

The Attack Index is a weighted composite score, 0 to 1000, calculated for every person in your organisation. It is not a simple email-count; it deliberately weights quality of attack over quantity. Four dimensions feed the score.

The four scoring dimensions

Attack volume — how many threat messages the user received in the period.
Threat sophistication — commodity spam scores low; a bespoke BEC lure or a sandboxed zero-day attachment scores high. Proofpoint's threat intelligence rates each threat actor's known capability.
Attacker focus — was the user the only recipient of a lure, or one of 50,000? A highly targeted, single-recipient campaign signals far more risk than a spray campaign.
User privilege — access to sensitive data, financial approval rights, or admin credentials amplifies the score because a successful compromise has greater blast radius.

The resulting score places users into the VAP tier, the average-risk tier, or the low-risk tier. Score thresholds are relative within your organisation, so a VAP at a 100-person company and a VAP at a 50,000-person company are both the most attacked in their respective populations.

Figure 2 — Attack Index — four scoring layers

The 0–1000 score weights quality of attack, not just quantity of email received.

🎯

Very Attacked Person (VAP)

tap to flip

Any user whose Attack Index score places them in the top risk tier for the period — often NOT the CEO; frequently finance staff, EA assistants or IT help-desk users attackers find easier to reach.

📊

Attack Index

tap to flip

A 0–1000 weighted composite score per user. High threat sophistication and tight attacker focus push the score up far faster than raw volume of email does.

🔍

TAP Dashboard

tap to flip

The Threat Insight Dashboard where security teams view the VAP report, drill into individual threats, see sandbox verdicts and pivot to threat actor attribution — all from one console.

🛡️

Adaptive Controls

tap to flip

Stepped-up MFA, remote browser isolation for URL clicks, and targeted phishing simulation — applied automatically to users whose Attack Index is elevated, then relaxed when the score drops.

VAP is not the same as VIP

In an interview, be clear: VIP is a title (CEO, CFO); VAP is a data-driven Attack Index ranking. The most attacked person is often a finance coordinator or EA who handles wire transfers and responds quickly to urgent requests — not the CEO, who has dedicated security awareness training and a filtered mailbox.

Quick check · Q2 of 10 · Remember

Which Attack Index dimension reflects the blast radius if the user is compromised?

a) Attack volumeb) Threat sophisticationc) Attacker focusd) User privilege

Correct: d. User privilege amplifies the Attack Index score because a user with financial approval rights or admin access causes far more damage if compromised than a user with no sensitive access.

👉 So far: The Attack Index (0–1000) combines attack volume, threat sophistication, attacker focus and user privilege — weighting quality of attack over raw email count.

③ Targeted-threat visibility — the TAP Dashboard and the People API

Knowing the score matters only if you can act on it. Proofpoint surfaces VAP data in two main places: the TAP Dashboard (Threat Insight Dashboard) and the People API. The TAP Dashboard's Very Attacked People report lists every user ranked by Attack Index, filterable by time range, attack type (malware, phishing, BEC) and threat actor. You can drill from a VAP's card straight into every threat message they received, see the sandbox verdict, and pivot to threat actor attribution.

The People API lets your SIEM, SOAR or IAM platform pull the ranked VAP list programmatically. A common pattern is to feed the top-N VAPs into a SOAR playbook that automatically tightens their authentication policy in the identity provider — no manual ticket required.

A critical insight the dashboard reveals: VAPs rotate. The most-attacked person this quarter is not necessarily the most-attacked person next quarter, because attacker campaigns shift. Building a static 'protected list' of executives and forgetting about it is exactly the gap that leads to a successful BEC. The dashboard's rolling window keeps the list live.

Figure 3 — TAP Dashboard — one view, many actions

The TAP Dashboard connects VAP scores to threat details, threat actor intel and downstream integrations.

A static 'protected list' is a false sense of security

Attackers shift campaigns quarter to quarter. A VAP this month may not be a VAP next month, and a new VAP appears without warning. Treat the VAP list as a live, rolling view — not a one-time exercise. The TAP Dashboard's time-windowed report is designed exactly for this.

▶ Watch a targeted phishing campaign surface a VAP and trigger adaptive controls

Follow a single spear-phishing email from delivery to automated protective response. Press Play for the healthy detection path, then Break it to see the classic miss.

① DeliveryA threat actor sends a single-recipient credential-phishing email to a finance coordinator. The lure uses a newly registered domain with no prior reputation.

▼

② TAP verdictProofpoint TAP sandboxes the URL at click time: the page resolves to a fake Microsoft login — verdict: malicious. The click is blocked and the Attack Index for this user rises.

▼

③ VAP surfacedThe TAP Dashboard now shows this user in the top-10 VAP list. The People API pushes the updated score to the SOAR platform.

▼

④ Adaptive responseThe SOAR playbook automatically enrolls the user in URL isolation and triggers a stepped-up MFA policy in the identity provider — no SOC ticket required.

Press Play to step through the healthy detection path. Then press Break it.

Quick check · Q3 of 10 · Apply

A security engineer wants the SOAR platform to automatically tighten MFA for the top 20 VAPs each week. Which Proofpoint capability enables this without manual work?

a) The TAP Dashboard email-blocking ruleb) The People API, which lets SOAR pull the live VAP list programmaticallyc) The Proofpoint sandbox verdict feedd) The standard email quarantine folder

Correct: b. The People API exposes the ranked VAP list so SOAR platforms can pull it programmatically, trigger identity-provider policies and relax them when the score drops — all without manual SOC tickets.

👉 So far: The TAP Dashboard and People API surface live, rotating VAP rankings so SIEM and SOAR tools can act on current risk — not a stale executive list.

④ Adaptive controls — applying the right protection per user risk level

Identifying a VAP is only half the loop. The other half is adaptive controls: automatically applying stronger protection to the users who need it. Proofpoint enables three major control levers tied to the Attack Index.

The three adaptive levers

Stepped-up MFA — VAPs targeted with credential-phishing attacks can be automatically enrolled in a stricter MFA policy (FIDO2 or number-matching push) via an identity provider integration. The tighter policy applies while the Attack Index is elevated, then relaxes when the score drops.
URL isolation — URLs in email to high-risk users are routed through a remote browser isolation (RBI) layer at click time, so even a missed malicious link cannot deliver a payload to the endpoint. Lower-risk users get standard click-time URL rewriting without isolation overhead.
Targeted security awareness — VAPs and Top Clickers (users who click through simulated phishes) are automatically enrolled in more frequent, more realistic phishing simulations and micro-training modules, while the general population gets the standard annual cadence.

The key architecture point: the adaptive controls loop is automated. The Attack Index score rises when new threats arrive, a SOAR integration tightens the user's controls, and it relaxes when the score falls. This removes the need for manual, weekly SOC reviews of a static VIP list.

Figure 4 — Flat policy vs adaptive controls

Adaptive controls concentrate expensive protection on the users who genuinely need it, reducing cost and friction for everyone else.

Pooja, security analyst at a Mumbai fintech, faces this

Three finance team members clicked credential-phishing links in the same week, two of which bypassed standard URL rewriting. The CISO asks why the existing controls failed and what to do differently.

Likely cause

The phishing URLs used newly registered domains that had no reputation at delivery time; URL rewriting flagged them only after the click. The finance users had high Attack Index scores but were not enrolled in URL isolation or stepped-up MFA.

Diagnosis

TAP Dashboard ▸ Very Attacked People report — the three finance users ranked in the top 10 by Attack Index for the past 30 days, with high attacker-focus scores indicating single-recipient campaigns.

TAP Dashboard ▸ People Report ▸ VAP details ▸ Threat messages ▸ URL click events

Fix

Enrol the top-20 Attack Index users in URL isolation via the TAP adaptive controls integration; trigger stepped-up FIDO2 MFA for VAPs targeted with credential phishing via the People API SOAR playbook; add the finance team to a weekly targeted phishing simulation track.

Verify

Re-check the TAP Dashboard after 30 days: Attack Index scores for the finance team users have dropped, no further credential-phishing clicks appear in the URL click feed, and the SOAR log shows the MFA policy automatically relaxed when scores fell.

Confirm controls are actually active for VAPs

After enabling adaptive controls, check the People API output or the SOAR integration log to confirm the top-N VAPs have the tighter policy applied. A common gap is the SOAR playbook firing correctly but the identity provider silently ignoring the MFA policy update due to a permission scope error.

Quick check · Q4 of 10 · Analyze

A company applies URL isolation only to its top-50 VAPs instead of all 5,000 users. What is the primary advantage of this approach?

a) URL isolation only works on a small number of users by technical designb) It reduces browser isolation infrastructure costs and end-user friction while concentrating the strongest control where actual risk is highestc) Isolation breaks links for low-risk usersd) The Attack Index cannot identify more than 50 VAPs

Correct: b. Remote browser isolation adds latency and infrastructure cost. Concentrating it on the highest Attack Index users gives strong protection where it is needed, with minimal friction for the majority who do not need it.

👉 So far: Adaptive controls — stepped-up MFA, URL isolation, targeted simulation — apply automatically when the Attack Index rises and relax when it falls, with no manual SOC intervention.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

🧠 In your own words

Type one line: what is the difference between a VIP and a VAP in Proofpoint's model, and why does it matter? Then compare with the expert version.

Expert version: A VIP is a title — the C-suite, set once and rarely changed. A VAP is a data-driven Attack Index ranking that identifies whoever is actually receiving the most sophisticated, most focused threats in the current period. VAPs rotate as attacker campaigns shift, and they are frequently mid-level staff rather than executives. It matters because applying your most expensive controls (URL isolation, stepped-up MFA, targeted simulation) to title-based VIPs while ignoring a finance coordinator who is receiving single-recipient BEC lures every week leaves a chronic, unprotected gap in your defences.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📩 Quiz me on this in 7 days. Opt in and we'll email 3 micro-questions on Proofpoint at Day 1, Day 7 and Day 30 — spaced repetition is how this sticks. Un-tick any time.

📖 Glossary

Very Attacked Person (VAP): Any user whose Attack Index score places them in the highest-risk tier for the period — identified by data, not by job title.
Attack Index: A 0–1000 weighted composite score per user combining attack volume, threat sophistication, attacker focus and user privilege.
TAP Dashboard: The Threat Insight Dashboard where analysts view VAP reports, drill into threat messages, see sandbox verdicts and pivot to threat actor attribution.
People API: Proofpoint API that exposes the ranked VAP list programmatically, enabling SIEM and SOAR integrations to automate adaptive controls.
URL isolation: Remote browser isolation applied to URL clicks for high-risk VAP users, so a missed malicious link cannot deliver a payload to the endpoint.
Stepped-up MFA: A stricter authentication policy (e.g. FIDO2 or number-matching push) applied automatically via identity-provider integration when a user's Attack Index is elevated.
Click-time URL defence: Proofpoint TAP capability that re-evaluates a URL at the moment the user clicks it — catching threats on newly registered domains that had no reputation at delivery.
Attacker focus: Attack Index dimension measuring how tightly targeted an attack is — a single-recipient lure scores far higher than a mass spray campaign.
Top Clicker: A user who repeatedly clicks through simulated phishing tests, flagged alongside VAPs for more frequent targeted security awareness training.

📚 Sources

Proofpoint — Attack Index: How It Reveals Your Most Targeted Users. proofpoint.com/us/corporate-blog/post/how-proofpoint-attack-index-reveals-your-most-targeted-users
Proofpoint — Very Attacked Person (VAP): Protection Starts with People (solution brief). proofpoint.com/sites/default/files/solution-briefs/pfpt-us-sb-vap-protection-starts-with-people.pdf
Proofpoint — How to Use the Attack Index in the TAP Dashboard. proofpoint.com/us/corporate-blog/post/how-use-proofpoint-attack-index-tap-dashboard-part-1
Proofpoint — Reduce Your Organisation's People Risk Through Targeted Controls. proofpoint.com/us/blog/email-and-cloud-threats/actionable-insights-reduce-your-organizations-people-risk-through
Proofpoint Help — People API documentation. help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/People_API
Proofpoint — Targeted Attack Protection (TAP) data sheet. proofpoint.com/sites/default/files/data-sheets/pfpt-us-ds-targeted-attack-protection.pdf

What's next?

Understand VAPs and the Attack Index? Next, go deep on Proofpoint TAP URL and attachment sandboxing — how click-time protection, Dynamic Reputation, and TRAP work together to stop the click that bypassed detection.

Next · All interview lessons → Practice on exam.techclick.in →

Proofpoint People-Centric Security — VAP, Attack Index & Adaptive Controls

🎯 By the end you will be able to

Pick where you want to start

Why people-centric

Attack Index scoring

VAP visibility

Adaptive controls

① Why people-centric security — the attacker follows the person, not the perimeter

② The Attack Index — four dimensions that score every user 0–1000

The four scoring dimensions

③ Targeted-threat visibility — the TAP Dashboard and the People API

▶ Watch a targeted phishing campaign surface a VAP and trigger adaptive controls

④ Adaptive controls — applying the right protection per user risk level

The three adaptive levers

🤖 Ask the AI Tutor

📝 Wrap-up assessment — six more

🧠 In your own words

🗣 Teach a friend

📖 Glossary

📚 Sources

What's next?