Proofpoint People-Centric Security
Overview
Proofpoint People-Centric Security provides user-level threat analytics that identify which individuals in your organization are most targeted by attacks and most susceptible to clicking on threats. This data enables MSPs to implement targeted security controls, prioritize security awareness training, and apply adaptive authentication policies for the highest-risk users.
The core concept is that people - not infrastructure - are the primary target of modern email attacks. By understanding who is targeted and who clicks, you can focus security resources where they have the most impact.
Key Concepts
Very Attacked People (VAP)
VAPs are users who receive a disproportionately high volume of sophisticated attacks. VAP status is determined by:
- Attack volume - Total number of threats targeting the user
- Attack sophistication - Complexity and novelty of attacks
- Attack diversity - Variety of threat actors and campaigns targeting the user
VAPs are typically executives, finance personnel, IT administrators, and people with external-facing email addresses.
Attack Index
The Attack Index is a composite score (0-1000+) that quantifies the severity of threats targeting a user. It factors in:
| Component | Weight | Description |
|---|
| Volume | Medium | Number of threats received |
| Sophistication | High | How advanced the attacks are |
| Actor reputation | High | Whether known threat actors are involved |
| Threat type mix | Medium | Diversity of attack types (phish, malware, BEC) |
Higher Attack Index = more severe threats targeting the user.
Click Susceptibility
| Metric | Description | Range |
|---|
clickRate | Percentage of threats the user clicked on | 0-100% |
clickCount | Total number of malicious clicks | Integer |
uniqueThreatsClicked | Distinct threats clicked | Integer |
lastClickTime | Most recent click on a threat | Datetime |
User Risk Categories
| Category | Attack Index | Click Rate | Action |
|---|
| Very High Risk | > 500 | > 10% | Isolate browsing, MFA everywhere, priority training |
| High Risk | 200-500 | 5-10% | Enhanced email filtering, additional MFA |
| Medium Risk | 50-200 | 2-5% | Standard controls, regular training |
| Low Risk | < 50 | < 2% | Baseline controls |
Field Reference
VAP Report Fields
| Field | Type | Description |
|---|
identity | object | User identity details |
identity.emails | string[] | User email addresses |
identity.name | string | User display name |
identity.department | string | User department |
identity.title | string | User job title |
identity.vip | boolean | Whether the user is flagged as VIP |
attackIndex | int | Composite attack severity score |
threatStatistics | object | Breakdown of threats by type |
threatStatistics.totalThreats | int | Total threats received |
threatStatistics.malwareCount | int | Malware threats received |
threatStatistics.phishCount | int | Phishing threats received |
threatStatistics.impostorCount | int | BEC/impostor threats received |
families | string[] | Threat families targeting this user |
topCampaigns | object[] | Most significant campaigns targeting this user |
Top Clickers Fields
| Field | Type | Description |
|---|
identity | object | User identity details |
clickStatistics | object | Click activity breakdown |
clickStatistics.clickCount | int | Total malicious clicks |
clickStatistics.permitCount | int | Clicks that were permitted |
clickStatistics.blockCount | int | Clicks that were blocked |
clickStatistics.clickRate | float | Click-through rate on threats |
clickStatistics.uniqueThreats | int | Distinct threats clicked |
clickStatistics.lastClick | datetime | Most recent click time |
clickStatistics.classifications | object | Breakdown by malware, phish |
User Risk Profile Fields
| Field | Type | Description |
|---|
email | string | User email address |
riskScore | int | Overall risk score (0-1000) |
attackIndex | int | Attack severity targeting this user |
clickRate | float | Historical click-through rate |
riskCategory | string | very_high, high, medium, low |
vulnerabilityFactors | string[] | Contributing risk factors |
recommendedActions | string[] | Suggested remediation steps |
trainingStatus | object | Security awareness training completion |
MCP Tools
| Tool | Description | Key Parameters |
|---|
proofpoint_people_get_vap | Get Very Attacked People report | window (14, 30, 90 days), size (top N) |
proofpoint_people_get_top_clickers | Get users who click most on threats | window (14, 30, 90 days), size (top N) |
proofpoint_people_get_user_risk | Get risk profile for a specific user | email |
proofpoint_people_get_attack_index | Get attack index rankings | window, department, size |
proofpoint_people_list_vip | List users flagged as VIP | - |
proofpoint_people_set_vip | Flag a user as VIP for enhanced protection | email, vip (true/false) |
Common Workflows
Generate VAP Report
- Call
proofpoint_people_get_vap with window=30 and size=20
- Review the top 20 most attacked users
- Cross-reference with organizational role - are they executives, finance, IT?
- For each VAP, check their click rate using
proofpoint_people_get_user_risk
- Prioritize users who are both heavily targeted and have high click rates
- Recommend additional controls for the highest-risk users
Identify Training Candidates
- Call
proofpoint_people_get_top_clickers with window=90 and size=50
- Identify users with the highest click rates
- Check if they have completed recent security awareness training
- Enroll high-clickers in targeted phishing simulation campaigns
- Follow up after training to measure improvement
Executive Risk Assessment
- Call
proofpoint_people_list_vip to get all flagged VIP users
- For each VIP, call
proofpoint_people_get_user_risk
- Assess Attack Index and click susceptibility
- Recommend enhanced controls: browser isolation, advanced MFA, dedicated monitoring
- Present risk summary to leadership
Department Risk Comparison
- Call
proofpoint_people_get_attack_index with department=Finance
- Repeat for other departments: IT, Executive, HR, Sales
- Compare average attack index across departments
- Identify which departments are most targeted
- Allocate security resources proportionally
New User Baseline
- After a new user is onboarded, wait 30 days
- Call
proofpoint_people_get_user_risk with the user's email
- Establish baseline risk score and attack index
- If the user is immediately targeted (high attack index), investigate why
- Ensure appropriate training has been completed
Error Handling
Common API Errors
| Code | Message | Resolution |
|---|
| 400 | Invalid window | Use 14, 30, or 90 for the window parameter |
| 400 | Invalid size | Size must be between 1 and 1000 |
| 401 | Authentication failed | Verify service principal and secret |
| 403 | People API not enabled | Ensure your license includes People-Centric Security |
| 404 | User not found | The email address may not exist in Proofpoint |
| 429 | Rate limit exceeded | Implement backoff |
No VAP Data
- New organizations may not have enough data for VAP reports (requires 14+ days)
- Very small organizations may not have enough volume for meaningful rankings
- Check that email flow is routing through Proofpoint correctly
Best Practices
- Review VAP reports monthly - Attack patterns shift; update your high-risk user list regularly
- **Combine attack index