I am a senior information security analyst working with a healthcare company and we use a suite of products from Proofpoint including Proofpoint Threat Response, Proofpoint TAP (Targeted Attack Protection), Proofpoint Browser Isolation, Proofpoint Protection Service (AKA PPS) — essentially, everything except for the DLP solutions.
We mainly use Proofpoint Threat Response along with our main email firewall to pull (i.e. remove) specific emails that get delivered internally. For example, if a user gets any kind of malicious email, such a phishing email or another kind of email that poses a threat to the security of user credentials and which passes through our email filters for some reason, then Threat Response will come into play in one of two ways: either you can do a manual intervention and pull the emails yourself, or it will automatically get pulled by the Targeted Attack Protection part of Proofpoint.
With the automatic intervention, let's say the system was still busy analyzing the email and, before a verdict was reached, the email was released. If, a few minutes later, that email had been found to be malicious, it needs to be pulled back. This is where TAP sends the email ID to Threat Response and signals it to withdraw the email from the user's mailbox. If that same email was delivered or forwarded to anywhere else internally, then it will pull those emails back as well.
The team that uses Proofpoint Threat Response in my company is rather small, consisting of about four or five people, and we are all information security analysts in terms of our job role.
I personally maintain the back-end of our product migrations, and perform duties such as updating and so on. From time to time, we also have to deal with tickets and incident response. As an aside, I'm also a PhD student currently doing my dissertation, and I do research on machine learning, data analytics, and data science.