Key Takeaways
- A layered Cisco ESA and Microsoft Defender setup created several SPF/DMARC alignment and operational headaches.
- A month-long proof of concept, with inbound mail mirrored through both stacks, showed Proofpoint catching most of the unwanted mail; the migration then showed that many of the custom ESA rules were no longer needed.
- After migration, the team recovered some of its daily time and could use it to optimize the SOC.
A global technology company with operations across multiple regions had a problem that was impossible to ignore: even with a dedicated security team, threats were slipping through. Spam, phishing emails, and business email compromise (BEC) attempts were getting past their filters at a rate that drew complaints from colleagues and senior management alike. The team knew something had to change, and when they finally went looking, the answer turned out to be simpler than expected.
The Challenge: a Legacy Gateway that Couldn't Keep Up
The company had built its email security around the Cisco Email Security Appliance (ESA), the former IronPort gateway. On paper, it was a capable platform. In practice, it required constant attention just to maintain a baseline of protection.
"We tried everything the ESA was capable of to reduce malicious email," said the company's IT security lead. "But it was not good enough."
The security team worked hard to close the gaps. They refined configurations, built custom filters, and wrote manual rules to catch lookalike domains and other common attack patterns. None of it was enough to meaningfully reduce the volume of threats reaching users' inboxes.
And that was just the security side. The operational toll was just as punishing. Five people on the team were each spending around two hours a day managing the fallout—chasing complaints, reviewing false positives, and manually intervening on threats that should never have reached anyone’s inbox. Overtime became the norm. And when something slipped through, the team felt even more pressure.
What Held Them Back: a Layered Workaround that Created New Problems
Facing pressure to act quickly, the team's first move wasn't to go to market. Instead, they decided to layer in Microsoft Defender for Office 365 as a secondary filter, running it in series behind the Cisco ESA so that inbound mail passed through the ESA first and Defender second.
"It helped a little, but it created new problems," said the security lead. "With two gateways in a row, SPF and DMARC records stopped matching because everything was going through the ESA first, and the IP addresses weren't aligning with the policies."
The dual-gateway setup also created operational complexity. Rules written for external email no longer applied internally. Troubleshooting required reasoning across two separate systems. "It was not a good solution," he said.
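The SPF failure the security lead describes has a precise mechanical cause that is worth seeing worked through. SPF is evaluated against the IP address of the peer that connects to the receiving gateway. When a second gateway sits behind a first one, the peer it sees is the first gateway's egress address, not the original sender, so any sender whose SPF record ends in `-all` now fails, and DMARC can only still pass on DKIM, provided the first hop left the signed headers and body untouched. The simulation below is an added example written for this page, not code from the company, Cisco, Microsoft or Proofpoint. The `partner.example` domain, its SPF record, the `198.51.100.5` upstream address and the `upstream_recorded_client_ip` field are constructed assumptions; the trusted-upstream rule mirrors the idea behind Defender's Enhanced Filtering for Connectors, which evaluates SPF against the client address the upstream gateway recorded, but it is a toy, not Microsoft's implementation.

```python
import ipaddress

# Constructed example data, not from the case study: a third-party sender's SPF record
# and the hypothetical egress address of the first gateway in the chain (the ESA in the article).
SPF_RECORDS = {
    "partner.example": "v=spf1 ip4:203.0.113.0/28 -all",
}
UPSTREAM_GATEWAY_IPS = frozenset({"198.51.100.5"})


def spf_check(domain, connecting_ip):
    """Minimal SPF evaluator: ip4 mechanisms plus -all/~all.

    Real SPF also handles include, a, mx, redirect and the 10-lookup limit; those are
    omitted so the one thing that matters here, which IP gets evaluated, stays visible.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term in ("-all", "~all"):
            return "fail" if term == "-all" else "softfail"
    return "neutral"


def org_domain(domain):
    """Relaxed DMARC alignment compares organizational domains; this toy takes the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_check(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC passes if at least one authenticated identifier aligns (relaxed) with the From: domain."""
    spf_ok = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_ok = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def evaluate_at_second_hop(msg, connecting_ip, trusted_upstream=frozenset(), dkim_intact=True):
    """What the second gateway in a chain sees for one message.

    connecting_ip is the peer that handed us the message. Only if that peer is a trusted
    upstream gateway do we evaluate SPF against the client IP it recorded; otherwise the
    connecting IP is used and any claimed original IP is ignored, because a header value
    is trivially forgeable by a sender that connects to us directly.
    """
    if connecting_ip in trusted_upstream:
        effective_ip = msg["upstream_recorded_client_ip"]  # assumption: upstream stamps this reliably
    else:
        effective_ip = connecting_ip
    spf = spf_check(msg["mail_from_domain"], effective_ip)
    # DKIM survives relaying only while no hop rewrites the signed headers or body;
    # footers, disclaimers and URL rewriting at the first gateway are the usual breakers.
    dkim = "pass" if dkim_intact else "fail"
    dmarc = dmarc_check(msg["from_domain"], spf, msg["mail_from_domain"], dkim, msg["dkim_domain"])
    return {"spf": spf, "dkim": dkim, "dmarc": dmarc}


# Constructed message: a legitimate partner message that left 203.0.113.10 and was relayed by the ESA.
MSG = {
    "mail_from_domain": "partner.example",
    "from_domain": "partner.example",
    "dkim_domain": "partner.example",
    "upstream_recorded_client_ip": "203.0.113.10",
}

if __name__ == "__main__":
    print("direct delivery:         ", evaluate_at_second_hop(MSG, "203.0.113.10"))
    print("behind ESA, no trust:    ", evaluate_at_second_hop(MSG, "198.51.100.5"))
    print("behind ESA, body changed:", evaluate_at_second_hop(MSG, "198.51.100.5", dkim_intact=False))
    print("behind ESA, trusted:     ", evaluate_at_second_hop(MSG, "198.51.100.5", UPSTREAM_GATEWAY_IPS))
    # An attacker connecting directly with a forged "recorded client" value must still fail SPF.
    print("forged header, direct:   ", evaluate_at_second_hop(MSG, "192.0.2.7", UPSTREAM_GATEWAY_IPS))
```

The two chained cases are the ones the article's team hit: SPF fails at the second hop for every legitimate sender, and the moment the first gateway alters the body DMARC fails outright, so policies written for the second hop either block good mail or have to be loosened. The trusted-upstream branch shows the only sound way out short of removing a hop: the second gateway must be told exactly which addresses the first one sends from, and must fall back to the connecting IP for anyone else, or the recorded-client value becomes a spoofing channel.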
Having tuned, patched, and layered as far as they could go, the team decided that it was time to evaluate other solutions.
The Evaluation: Putting Proofpoint to the Test
The security team reviewed several leading email security vendors. To take the guesswork out of the decision, they ran a structured proof of concept: inbound mail for their primary domain was mirrored so that the same messages passed simultaneously through their existing Cisco/Microsoft stack and through Proofpoint for approximately one month, and the catch rates could be compared directly.
The results were clear. "Most of the unwanted mail was caught by Proofpoint," the security lead said. "The filtering numbers made it easy."
Beyond detection efficacy, the team found that Proofpoint felt like a more cohesive, purpose-built platform, not a collection of products stitched together. And the decision aligned with a broader strategic priority. "Our company has a cloud-first policy," he said, "so it all fits together."
The Migration: Less Painful than Expected
Once Proofpoint had been selected, one of the bigger surprises was how smoothly the migration went, despite the complexity of the company's existing rule environment.
The Cisco ESA is known for its highly flexible, customizable policy engine, and the technology company had built up a large library of bespoke rules over the years. The team expected a labor-intensive one-to-one migration. Instead, what they found was that many of those rules simply weren't needed anymore.
"A lot of the custom rules we didn't need to migrate at all. Proofpoint's out-of-the-box filtering covered the same ground," the security lead said. Features like Proofpoint's impersonation protection handled threats that had previously required manual rule-writing in the ESA.
For the rules that did need to carry over, Proofpoint's team stepped in early. "A Proofpoint professional services consultant walked us through the first basic rule set," the security lead said. "Once we understood the concept, we could complete it ourselves. But those first steps were the hardest and having that support made everything much easier."
The Outcome: Stronger Protection, Simpler Operations
With Proofpoint in place, the company gained what its previous setup couldn't deliver: a single, modern platform purpose-built to stop the threats that matter most—spam, phishing, and BEC—without the operational overhead that had been slowing the team down. "It was a more well-rounded product," said the security lead.
The proof has shown up where it matters most. One early test came in the form of a fraudulent invoice for a six-figure sum. Already queued for payment, it was sophisticated enough to have sailed through their previous filters—and Proofpoint stopped it. Another came when a compromised internal account flooded company-wide mail traffic and brought everything to a halt for hours. The team deployed Proofpoint’s Identity Management Defense (IMD) in response—and so far, they haven’t seen the same type of incident recur.
The day-to-day has been transformed. The team has two hours per person back, and overtime is gone. That freed-up capacity is going somewhere useful. The team is now focused on optimizing the SOC, working on tasks that had been pushed aside when email was consuming everything. They’re also looking at what AI-driven capabilities within the platform might do for them next.
Conclusion
For the technology company, the shift to Proofpoint did more than replace a legacy gateway. It gave the team a cleaner operating model, stronger protection against the threats that were reaching users, and the time to focus on higher-value security work.
For organizations still trying to close gaps with layered workarounds and manual tuning, the lesson is clear: modern email threats require more than another filter. They require a platform built to stop today’s attacks and reduce the operational burden on the teams defending against them.
Learn how Proofpoint helps organizations defend against phishing and BEC and simplify email security operations.