
Proofpoint Security Awareness Training — PSAT, ThreatSim & VAP Risk Scoring

Proofpoint Security Awareness Training (PSAT) is a people-centric defence layer that simulates real phishing attacks with ThreatSim, auto-enrols risky clickers into targeted training modules, scores each user with a risk rating, and closes the loop with CLEAR so reported phishing is auto-remediated — all feeding back into the same platform that already knows who your Very Attacked People are.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Proofpoint Security Awareness Training (PSAT) in 2026: phishing simulations with ThreatSim, adaptive training modules, VAP user-risk scoring, and closed-loop CLEAR remediation.


Pick where you want to start

  1. What PSAT is. People-centric defence: simulate, train, score, close the loop.
  2. ThreatSim & simulations. Real-intel templates, smishing, USB drops, just-in-time coaching.
  3. Training modules & VAP. Adaptive modules, user-risk scores, Very Attacked People.
  4. CLEAR & closing the loop. PhishAlarm, TRAP auto-pull, reporting culture, tuning.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is Proofpoint PSAT just a library of training videos?

Answered in What PSAT is.

2. What is ThreatSim?

Answered in ThreatSim & simulations.

3. What does CLEAR stand for in Proofpoint?

Answered in CLEAR & closing the loop.

Most engineers think…

Most people treat security awareness training as a tick-box exercise: send an annual training video, file the completion certificate, done. That mental model fails in a real SOC and in a vendor interview.

Proofpoint PSAT is a feedback-driven behaviour-change platform. ThreatSim simulations use real, threat-intelligence-sourced templates to expose which users click, then the platform immediately shows them just-in-time coaching, auto-enrols them in adaptive training modules, and updates their Vulnerability Assessment score. VAP (Very Attacked People) data from Proofpoint TAP tells you who receives the most targeted threats, so training effort lands where risk is highest. CLEAR then closes the remediation loop so the whole system improves with every campaign.

① What Proofpoint PSAT actually is — people-centric defence

Proofpoint Security Awareness Training (PSAT) sits at the intersection of simulation, education, and risk intelligence. While a traditional email gateway blocks known-bad messages, PSAT treats the human layer as both the biggest vulnerability and the most scalable control: train the person and every future attack targeting them gets a little harder to land.

The platform is built around three ideas. First, simulate reality: ThreatSim campaigns use real attack templates drawn from Proofpoint's global threat intelligence, so users see the same lures that hit their inbox in genuine campaigns. Second, measure risk per person: every interaction — click, report, missed training — feeds a Vulnerability Assessment score. Third, close the loop: CLEAR connects the report-phishing button all the way through to automated email quarantine.

PSAT integrates natively with Proofpoint's email security stack (TAP, TRAP, Email Protection) so that VAP data — the list of people most targeted by real attacks — flows in and shapes who gets simulated first and trained hardest.

Figure 1 — The PSAT behaviour-change loop
Every PSAT campaign runs the same five-step loop, feeding risk data back into the next simulation cycle: Simulate (ThreatSim campaign sent) ▸ Measure (click / report / miss) ▸ Educate (just-in-time coaching) ▸ Train (adaptive module assigned) ▸ Score (VA score updated).

Quick check · Q1 of 10 · Understand

What makes Proofpoint PSAT different from a static annual training video?

Correct: a. PSAT's value is the feedback loop: simulate with ThreatSim, score risk with the VA score, train adaptively, and close the loop with CLEAR — making it a continuous behaviour-change system, not a tick-box video library.
👉 So far: PSAT = ThreatSim simulations + adaptive training modules + VA risk scoring + CLEAR closed-loop remediation, all in one people-centric platform.

② ThreatSim phishing simulations — real lures, measurable clicks

ThreatSim is the simulation engine inside PSAT. It ships with thousands of phishing, smishing (SMS), and USB-drop templates built from Proofpoint's live threat-intelligence feed, so the lures look and feel like the attacks employees actually face. Admins choose a template category (credential harvest, malware attachment, link-to-site, voice phishing, QR code), target a group, and schedule the send — ThreatSim handles delivery and tracking.

What happens when someone clicks

A click triggers just-in-time education: instead of a real payload, the user sees an immediate, branded coaching page that explains exactly what they missed and why the lure was dangerous. This moment — right when the mistake is fresh — is where behaviour change happens fastest. The platform can also auto-enrol the clicker into a relevant training module automatically, so no admin has to manually create a follow-up assignment.

ThreatSim also tracks near-misses: users who hovered over a link but did not click, or who reported the simulation. This gives a richer behaviour picture than a binary click / no-click metric alone.

Figure 2 — ThreatSim simulation types
ThreatSim covers every major social-engineering vector, all using real threat-intelligence templates: email phishing, smishing (SMS), USB drop test, voice / vishing, QR code lures, attachment test.

🎣 ThreatSim
Proofpoint's simulation engine — sends phishing, smishing, USB, vishing and QR-code campaigns using real threat-intelligence templates. Clickers get just-in-time coaching, not a real payload.

📊 VA Score
The Vulnerability Assessment score — a per-user risk number combining simulation click rates, training completion and engagement. Higher = more susceptible; drives auto-enrolment and prioritisation.

🎯 VAP (Very Attacked People)
Users Proofpoint TAP identifies as receiving a disproportionately high volume of targeted, sophisticated real attacks. When a VAP also has a high VA score, they are highest priority for training.

🔁 CLEAR + TRAP
Closed Loop Email Analysis and Response: the PhishAlarm button → TRAP auto-quarantine path that removes confirmed threats from every inbox and sends reporters a feedback confirmation.

Use real-intel templates, not generic ones

ThreatSim templates sourced from live Proofpoint threat intelligence will land closer to what employees actually see in their inboxes. Generic 'you won a prize' templates train for a threat model that does not match your sector. Match the template category to your actual VAP attack data for the highest signal.

Quick check · Q2 of 10 · Remember

What does a user see immediately after clicking a ThreatSim simulated phishing link?

Correct: c. ThreatSim delivers a branded just-in-time coaching page at the moment of the click, when the mistake is fresh, to maximise the learning impact. No real payload is ever sent.
👉 So far: ThreatSim sends real-intel phishing, smishing, USB, vishing and QR-code lures; clickers get just-in-time coaching and are auto-enrolled in training.

③ Training modules & VAP risk scoring — adaptive, targeted, measurable

PSAT's content library holds a large portfolio of short, interactive training modules (average five to fifteen minutes each) covering phishing, social engineering, password hygiene, physical security, and more. Modules are mobile-responsive and on-demand, with embedded knowledge checks that provide immediate feedback rather than a single final quiz. Completion data feeds automatically into dashboards that show progress per user, per group, and org-wide.

The Vulnerability Assessment (VA) score is the risk number that matters most in reports. It combines simulation click rates, training completion, and engagement data into one per-person risk number. High scorers — especially those who are also VAPs (Very Attacked People) identified by Proofpoint TAP — get prioritised automatically for more frequent or more challenging simulations and targeted module assignments.

The People Risk Explorer dashboard surfaces the intersection of attack volume (from TAP) and susceptibility (from PSAT simulations) in one view, so security teams can focus their training budget where the combined risk is greatest rather than spreading it evenly across the org.

Figure 3 — PSAT risk prioritisation layers
Training effort is layered by risk: highest-risk users get simulations first, targeted modules next, and enhanced tracking throughout.

  1. VAP + high VA score: most targeted & most susceptible (priority 1).
  2. Clickers, low completion: clicked simulations or overdue modules.
  3. General population: baseline phishing and awareness training.

Treating VA score as a compliance checkbox

A falling average VA score across the org feels good, but it can hide pockets of very high-risk users — especially VAPs. Always segment the People Risk Explorer by business unit and privilege level, not just the org average, or you will miss the accounts attackers care most about.
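
The averaging pitfall above, worked through as an added example (not Proofpoint code or a PSAT export format): the field names, the 0-100 score scale and the `HIGH_VA` cut-off are assumptions, and the user records are constructed. The org mean looks healthy while one business unit holds every priority-1 user from Figure 3.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records. Field names and the 0-100 score scale are
# assumptions for illustration, not a Proofpoint export format.
USERS = [
    {"user": "a.rao",  "unit": "Finance",     "va": 82, "vap": True,  "clicked": True,  "overdue": False},
    {"user": "b.shah", "unit": "Finance",     "va": 78, "vap": True,  "clicked": False, "overdue": False},
    {"user": "c.iyer", "unit": "Engineering", "va": 20, "vap": False, "clicked": True,  "overdue": False},
    {"user": "d.khan", "unit": "Engineering", "va": 25, "vap": False, "clicked": False, "overdue": False},
    {"user": "e.nair", "unit": "Engineering", "va": 30, "vap": True,  "clicked": False, "overdue": False},
    {"user": "f.das",  "unit": "Support",     "va": 35, "vap": False, "clicked": False, "overdue": True},
    {"user": "g.roy",  "unit": "Support",     "va": 30, "vap": False, "clicked": False, "overdue": False},
    {"user": "h.sen",  "unit": "Support",     "va": 40, "vap": False, "clicked": False, "overdue": False},
]
HIGH_VA = 70  # assumed cut-off for a "high" VA score


def tier(u, high_va=HIGH_VA):
    """Map a user onto the three prioritisation layers of Figure 3."""
    if u["vap"] and u["va"] >= high_va:
        return 1  # most targeted and most susceptible
    if u["clicked"] or u["overdue"]:
        return 2  # clicked a simulation or has an overdue module
    return 3      # general population


def tiers(users):
    """Group user names by prioritisation layer."""
    out = {1: [], 2: [], 3: []}
    for u in users:
        out[tier(u)].append(u["user"])
    return out


def org_mean(users):
    return mean(u["va"] for u in users)


def unit_means(users):
    """Mean VA score per business unit."""
    scores = defaultdict(list)
    for u in users:
        scores[u["unit"]].append(u["va"])
    return {unit: mean(vals) for unit, vals in scores.items()}


def hidden_pockets(users, high_va=HIGH_VA):
    """Units holding priority-1 users while the org average sits below the cut-off."""
    if org_mean(users) >= high_va:
        return []  # the org average already signals the problem
    return sorted({u["unit"] for u in users if tier(u, high_va) == 1})


if __name__ == "__main__":
    print("org mean:", org_mean(USERS))
    print("unit means:", unit_means(USERS))
    print("tiers:", tiers(USERS))
    print("hidden pockets:", hidden_pockets(USERS))
```
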

▶ Watch a phishing simulation turn into a training auto-enrolment

Follow the closed loop from ThreatSim send to VA-score update.

① Simulate: ThreatSim sends a credential-harvest lure to a targeted group, using a real-intel template matching recent sector attacks.
② Click: The user clicks the link. Instead of a payload, they see a just-in-time coaching page explaining the specific tactic used.
③ Auto-enrol: PSAT auto-enrols the clicker in a five-minute phishing-awareness module. The VA score updates to reflect the click event.
④ Report & CLEAR: A colleague who spotted the same lure clicks PhishAlarm. CLEAR routes the report to TRAP, which auto-quarantines all copies and sends the reporter a confirmation.

Quick check · Q3 of 10 · Apply

A user has a high VA score AND appears on the VAP list. What should happen next?

Correct: c. The intersection of high VA score (susceptible) and VAP status (heavily targeted by real attacks) represents maximum risk. The People Risk Explorer surfaces these users precisely so admins can focus training resources on them first.
👉 So far: VA score = per-user risk number; VAP = most targeted by real attacks; the People Risk Explorer shows who sits at the dangerous intersection of both.

④ CLEAR & the closed loop — from report to auto-remediation

The closed loop starts with the PhishAlarm button — a one-click add-in for Outlook and Gmail that lets employees report suspected phishing directly from the inbox. Reported messages land in a triage queue, and CLEAR (Closed Loop Email Analysis and Response) connects that queue to TRAP (Threat Response Auto-Pull): if analysis confirms a message is malicious, TRAP automatically quarantines that message from every inbox across the organisation that received the same campaign — not just the reporter's copy.

Why the closed loop matters for culture

Without CLEAR, reporting feels thankless: users click 'report phishing', nothing visibly happens, and the habit fades. With CLEAR, reporters receive a confirmation message telling them whether their report was a real threat or a simulation. This feedback loop reinforces reporting behaviour — the metric that matters most for a resilient human firewall. Admins can benchmark their reporting rate and resilience factor (reports ÷ clicks) over time as KPIs for programme health.

Figure 4 — Without CLEAR vs. with CLEAR
CLEAR transforms reported phishing from a dead-end into an auto-remediation trigger that protects every inbox.

Without CLEAR: User clicks 'report phishing' ▸ Message queued for manual review ▸ No feedback to the reporter ▸ Other inboxes still hold threat ▸ Reporting habit fades over time.

With CLEAR + TRAP: User clicks PhishAlarm button ▸ TRAP analyses and auto-quarantines ▸ Reporter gets a confirmation reply ▸ All copies org-wide are pulled ▸ Reporting culture grows over time.

Priya at a Mumbai fintech runs this

Six months into a PSAT rollout, phishing simulation click rates have dropped but the PhishAlarm reporting rate is near zero — nobody is using the button.

Likely cause

The programme sent simulations and training but never configured CLEAR, so reporters got no confirmation and stopped bothering. TRAP was never connected.

Diagnosis

Check the CLEAR integration: PhishAlarm is installed but TRAP is not configured, so reported messages disappear silently with no feedback to the reporter.

PSAT Admin Console ▸ PhishAlarm ▸ CLEAR Integration ▸ TRAP Settings

Fix

Connect TRAP to the CLEAR queue, enable the reporter-feedback confirmation email, and add a short internal announcement explaining that PhishAlarm now removes the threat from every inbox. Run a campaign and highlight a real auto-pull event to the team.

Verify

Track the resilience factor (reports ÷ clicks) week over week — it should climb steadily as users experience the confirmation loop and share it with colleagues.
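
One way to run the verification step and to spot the pattern from this scenario, as an added example rather than a PSAT feature: the weekly totals are constructed, and the field names and the `NEAR_ZERO_REPORT_RATE` threshold are assumptions.

```python
# Constructed weekly campaign totals; field names are assumptions,
# not a PSAT export format.
BEFORE_FIX = [
    {"week": "W1", "sent": 500, "clicks": 60, "reports": 4},
    {"week": "W2", "sent": 500, "clicks": 45, "reports": 3},
    {"week": "W3", "sent": 500, "clicks": 30, "reports": 2},
]
AFTER_FIX = [
    {"week": "W4", "sent": 500, "clicks": 30, "reports": 15},
    {"week": "W5", "sent": 500, "clicks": 25, "reports": 30},
    {"week": "W6", "sent": 500, "clicks": 20, "reports": 50},
]
NEAR_ZERO_REPORT_RATE = 0.02  # assumed threshold for "near zero" reporting


def resilience_factor(reports, clicks):
    """reports / clicks; None when nobody clicked, since the ratio is undefined."""
    return None if clicks == 0 else reports / clicks


def weekly_factors(weeks):
    return [resilience_factor(w["reports"], w["clicks"]) for w in weeks]


def is_climbing(factors):
    """True when every defined week-over-week value is higher than the last."""
    vals = [f for f in factors if f is not None]
    return len(vals) >= 2 and all(b > a for a, b in zip(vals, vals[1:]))


def diagnose(weeks):
    """Classify a run of weeks using the symptoms described in the scenario."""
    click_rates = [w["clicks"] / w["sent"] for w in weeks]
    report_rates = [w["reports"] / w["sent"] for w in weeks]
    clicks_falling = click_rates[-1] < click_rates[0]
    reporting_dead = max(report_rates) < NEAR_ZERO_REPORT_RATE
    if clicks_falling and reporting_dead:
        # Falling clicks with near-zero reports: the scenario's symptom of
        # reporters getting no feedback, so check CLEAR/TRAP first.
        return "check-feedback-loop"
    if is_climbing(weekly_factors(weeks)):
        return "healthy"
    return "inconclusive"


if __name__ == "__main__":
    for label, weeks in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, weekly_factors(weeks), diagnose(weeks))
```
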

Prove the loop works before the next campaign

Before launching a large ThreatSim wave, send a test message through PhishAlarm yourself and confirm the CLEAR confirmation reply arrives within the expected SLA. If reporters get silence, the loop is broken — fix TRAP connectivity first. You cannot build a reporting culture on a broken feedback mechanism.

Quick check · Q4 of 10 · Analyze

Why does the CLEAR closed-loop approach improve the phishing-reporting culture over time?

Correct: a. Without feedback, reporting feels pointless and the habit dies. CLEAR's confirmation reply — telling the reporter whether the message was real or a sim — closes the human feedback loop and reinforces the behaviour security teams need most.
👉 So far: CLEAR + TRAP = PhishAlarm button ▸ auto-quarantine of all copies ▸ reporter feedback confirmation — the loop that builds a reporting culture and actually measurable resilience.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

What component of PSAT delivers just-in-time coaching when a user clicks a simulated phishing link?

Correct: b. ThreatSim controls the simulation send and the landing experience. When a user clicks, ThreatSim presents a just-in-time coaching page instead of a real payload, right at the moment the mistake occurs.
Q6 · Understand

A user appears on the VAP list AND has a high VA score. What does this tell you?

Correct: d. VAP = most targeted by real attacks (from TAP); high VA score = most susceptible (from PSAT simulations). The People Risk Explorer surfaces users in both categories because they represent the greatest actual breach risk.
Q7 · Apply

Phishing simulation click rates are falling but PhishAlarm reporting is near zero. What is the most likely root cause?

Correct: c. Low click rates with low reporting suggests CLEAR/TRAP is misconfigured: users see no benefit to reporting, so they stop. Fix the TRAP integration and enable reporter confirmation emails before expecting reporting rates to climb.
Q8 · Analyze

Why does CLEAR route PhishAlarm reports through TRAP rather than just flagging them for manual review?

Correct: b. The point of CLEAR is speed and scale: TRAP pulls confirmed-malicious messages from every mailbox that received the same campaign automatically, often before a human reviewer would finish reading the first ticket.
Q9 · Evaluate

Which metric best demonstrates that a PSAT programme is building genuine organisational resilience?

Correct: d. Training completion is a compliance metric, not a behaviour metric. The resilience factor captures both halves of the human firewall: users who avoid clicking AND users who actively report threats, which is the behaviour that defends the organisation when a real attack lands.
Q10 · Evaluate

An admin sees the org average VA score falling and declares the PSAT programme a success. What is the risk in this conclusion?

Correct: a. Averages mask distributions. High-privilege or heavily attacked users — exactly the ones attackers target first — may still have very high individual VA scores even when the org mean looks healthy. Always segment by business unit, role, and VAP status.

🧠 In your own words

Type one line: what is the difference between a falling click rate and a rising resilience factor, and why does it matter? Then compare with the expert version.

Expert version: A falling click rate means fewer users are falling for simulated phishing — good, but passive. A rising resilience factor (reports ÷ clicks) means users are also actively reporting threats to the organisation's defence — which is the behaviour that actually matters when a real attack lands and bypasses every technical control. The first metric shows training is working on individuals; the second shows the human firewall is functioning as a collective defence mechanism.


📖 Glossary

PSAT
Proofpoint Security Awareness Training — the platform combining phishing simulations, interactive training modules, VA risk scoring, and CLEAR closed-loop remediation.
ThreatSim
Proofpoint's simulation engine that sends phishing, smishing, USB-drop, vishing and QR-code campaigns using real threat-intelligence templates.
VA Score (Vulnerability Assessment)
A per-user risk number combining simulation click rates, training completion, and engagement data; drives adaptive training prioritisation.
VAP (Very Attacked People)
Users identified by Proofpoint TAP as receiving a disproportionately high volume of targeted, sophisticated real phishing attacks.
CLEAR
Closed Loop Email Analysis and Response — the integration connecting the PhishAlarm report button to TRAP auto-quarantine and reporter feedback.
PhishAlarm
A one-click Outlook/Gmail add-in that lets employees report suspected phishing; the entry point to the CLEAR closed-loop system.
TRAP
Threat Response Auto-Pull — automatically quarantines confirmed-malicious messages from every inbox in the organisation when triggered by CLEAR.
Resilience Factor
The ratio of phishing reports to simulation clicks, measuring how actively employees defend the organisation rather than just avoiding clicks.
Just-in-time coaching
The branded teaching page a user sees immediately after clicking a ThreatSim lure, delivering the lesson at the moment of the mistake for maximum retention.
People Risk Explorer
The PSAT dashboard that surfaces users at the intersection of high VA score and high VAP attack volume, enabling risk-prioritised training decisions.


What's next?

Got PSAT? Next, explore Proofpoint Targeted Attack Protection (TAP) to see how URL and attachment sandboxing catches the threats that phishing simulations train users to report.