From proofpoint
Works with Proofpoint people-centric security: VAP reports, top clickers, user risk scoring, attack index, and user-level threat analytics for identifying high-risk users.
How this skill is triggered — by the user, by Claude, or both
Slash command
/proofpoint:peopleWhen to use
When working with centric security - Very Attacked People (VAP) reports, top clickers, user risk scoring, attack index, and user-level threat analytics in Proofpoint people. Use when: proofpoint people, very attacked people, vap report, proofpoint vap, top clickers, user risk, attack index, proofpoint user risk, high risk users, most attacked users, user threat profile, people-centric security, or proofpoint risk score.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Proofpoint People-Centric Security provides user-level threat analytics that identify which individuals in your organization are most targeted by attacks and most susceptible to clicking on threats. This data enables MSPs to implement targeted security controls, prioritize security awareness training, and apply adaptive authentication policies for the highest-risk users.
Proofpoint People-Centric Security provides user-level threat analytics that identify which individuals in your organization are most targeted by attacks and most susceptible to clicking on threats. This data enables MSPs to implement targeted security controls, prioritize security awareness training, and apply adaptive authentication policies for the highest-risk users.
The core concept is that people - not infrastructure - are the primary target of modern email attacks. By understanding who is targeted and who clicks, you can focus security resources where they have the most impact.
VAPs are users who receive a disproportionately high volume of sophisticated attacks. VAP status is determined by:
VAPs are typically executives, finance personnel, IT administrators, and people with external-facing email addresses.
The Attack Index is a composite score (0-1000+) that quantifies the severity of threats targeting a user. It factors in:
| Component | Weight | Description |
|---|---|---|
| Volume | Medium | Number of threats received |
| Sophistication | High | How advanced the attacks are |
| Actor reputation | High | Whether known threat actors are involved |
| Threat type mix | Medium | Diversity of attack types (phish, malware, BEC) |
Higher Attack Index = more severe threats targeting the user.
| Metric | Description | Range |
|---|---|---|
clickRate | Percentage of threats the user clicked on | 0-100% |
clickCount | Total number of malicious clicks | Integer |
uniqueThreatsClicked | Distinct threats clicked | Integer |
lastClickTime | Most recent click on a threat | Datetime |
| Category | Attack Index | Click Rate | Action |
|---|---|---|---|
| Very High Risk | > 500 | > 10% | Isolate browsing, MFA everywhere, priority training |
| High Risk | 200-500 | 5-10% | Enhanced email filtering, additional MFA |
| Medium Risk | 50-200 | 2-5% | Standard controls, regular training |
| Low Risk | < 50 | < 2% | Baseline controls |
| Field | Type | Description |
|---|---|---|
identity | object | User identity details |
identity.emails | string[] | User email addresses |
identity.name | string | User display name |
identity.department | string | User department |
identity.title | string | User job title |
identity.vip | boolean | Whether the user is flagged as VIP |
attackIndex | int | Composite attack severity score |
threatStatistics | object | Breakdown of threats by type |
threatStatistics.totalThreats | int | Total threats received |
threatStatistics.malwareCount | int | Malware threats received |
threatStatistics.phishCount | int | Phishing threats received |
threatStatistics.impostorCount | int | BEC/impostor threats received |
families | string[] | Threat families targeting this user |
topCampaigns | object[] | Most significant campaigns targeting this user |
| Field | Type | Description |
|---|---|---|
identity | object | User identity details |
clickStatistics | object | Click activity breakdown |
clickStatistics.clickCount | int | Total malicious clicks |
clickStatistics.permitCount | int | Clicks that were permitted |
clickStatistics.blockCount | int | Clicks that were blocked |
clickStatistics.clickRate | float | Click-through rate on threats |
clickStatistics.uniqueThreats | int | Distinct threats clicked |
clickStatistics.lastClick | datetime | Most recent click time |
clickStatistics.classifications | object | Breakdown by malware, phish |
| Field | Type | Description |
|---|---|---|
email | string | User email address |
riskScore | int | Overall risk score (0-1000) |
attackIndex | int | Attack severity targeting this user |
clickRate | float | Historical click-through rate |
riskCategory | string | very_high, high, medium, low |
vulnerabilityFactors | string[] | Contributing risk factors |
recommendedActions | string[] | Suggested remediation steps |
trainingStatus | object | Security awareness training completion |
| Tool | Description | Key Parameters |
|---|---|---|
proofpoint_people_get_vap | Get Very Attacked People report | window (14, 30, 90 days), size (top N) |
proofpoint_people_get_top_clickers | Get users who click most on threats | window (14, 30, 90 days), size (top N) |
proofpoint_people_get_user_risk | Get risk profile for a specific user | email |
proofpoint_people_get_attack_index | Get attack index rankings | window, department, size |
proofpoint_people_list_vip | List users flagged as VIP | - |
proofpoint_people_set_vip | Flag a user as VIP for enhanced protection | email, vip (true/false) |
proofpoint_people_get_vap with window=30 and size=20proofpoint_people_get_user_riskproofpoint_people_get_top_clickers with window=90 and size=50proofpoint_people_list_vip to get all flagged VIP usersproofpoint_people_get_user_riskproofpoint_people_get_attack_index with department=Financeproofpoint_people_get_user_risk with the user's email| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid window | Use 14, 30, or 90 for the window parameter |
| 400 | Invalid size | Size must be between 1 and 1000 |
| 401 | Authentication failed | Verify service principal and secret |
| 403 | People API not enabled | Ensure your license includes People-Centric Security |
| 404 | User not found | The email address may not exist in Proofpoint |
| 429 | Rate limit exceeded | Implement backoff |
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin proofpointAuthenticates and integrates with Proofpoint APIs (TAP SIEM, quarantine, people, URL Defense) using HTTP Basic Auth. Covers base URLs, rate limits, pagination, and error codes.
Manages KnowBe4 users and groups: lifecycle, risk scores, group membership, and event tracking for security awareness campaigns.
Detects and analyzes email-borne threats (BEC, phishing, malware) using Abnormal Security's behavioral AI. Activates on keywords like 'abnormal threat', 'phishing detection', 'credential theft'.