I am a senior information security analyst working with a healthcare company and we use a suite of products from Proofpoint including Proofpoint Threat Response, Proofpoint TAP (Targeted Attack Protection), Proofpoint Browser Isolation, Proofpoint Protection Service (AKA PPS) — essentially, everything except for the DLP solutions.
We mainly use Proofpoint Threat Response along with our main email firewall to pull (i.e. remove) specific emails that get delivered internally. For example, if a user gets any kind of malicious email, such a phishing email or another kind of email that poses a threat to the security of user credentials and which passes through our email filters for some reason, then Threat Response will come into play in one of two ways: either you can do a manual intervention and pull the emails yourself, or it will automatically get pulled by the Targeted Attack Protection part of Proofpoint.
With the automatic intervention, let's say the system was still busy analyzing the email and, before a verdict was reached, the email was released. If, a few minutes later, that email had been found to be malicious, it needs to be pulled back. This is where TAP sends the email ID to Threat Response and signals it to withdraw the email from the user's mailbox. If that same email was delivered or forwarded to anywhere else internally, then it will pull those emails back as well.
The team that uses Proofpoint Threat Response in my company is rather small, consisting of about four or five people, and we are all information security analysts in terms of our job role.
I personally maintain the back-end of our product migrations, and perform duties such as updating and so on. From time to time, we also have to deal with tickets and incident response. As an aside, I'm also a PhD student currently doing my dissertation, and I do research on machine learning, data analytics, and data science.
The best part of Proofpoint Threat Response is the Auto-Pull feature. Being able to pull an email back from a user's mailbox is very useful, yet I have noticed that not a lot of organizations use this kind of feature. I've seen organizations that use Cisco Email Security or Barracuda Email Security and while these solutions may also include such a feature, I have very rarely seen any organizations implement it for some reason (possibly because of its perceived downsides).
Compared to these other solutions, I think that Proofpoint's version of the Auto-Pull feature is superior in my experience.
For an example of where it really comes in useful, I have seen a case in one company where a malicious email was delivered to 24,000 users internally. I believe it was auto-forwarded from only one user to all these other 24,000 users at once. Now, imagine how many days it would take for that company to pull the email using a legacy Exchange PowerShell script or by using Exchange Online. It would take forever, and there isn't much you could do to track or analyze how many other users it was being sent to at that moment in real time. It's simply impossible to do all that just by using Exchange PowerShell scripts.
But with Threat Response, all you have to do is input the details of the malicious email (e.g. the email ID) and upload these details via CSV file or similar, at which point Threat Response will call the vectors of the email and it will go in and pull those 24,000 emails instantly.
This is truly a top-notch feature, and I have not seen such good functionality from the same kind of feature in any other tool so far. Looking at four or five of the industry's top email security solutions, none of them even come close to matching Proofpoint's version of this feature.