uk:
English: Europe, Middle East, Africa
Key takeaways
- A large enterprise renewed Mimecast on price but added Proofpoint after noticing continued missed threats and abuse mailbox overload.
- Proofpoint Core Email Protection API exposed what Mimecast was missing.
- This customer proved they didn’t need to rip and replace their existing solution. They could layer first, prove outcomes, then replace on their own timeline.
- The customer now expects to replace Mimecast with Proofpoint at renewal.
Mimecast didn’t fail this organization loudly. The gaps showed up quietly, in ways that added work little by little.
This large, distributed automotive retail and services enterprise runs hundreds of locations and supports a workforce that spans corporate teams, dealership operations, sales staff, and thousands of frontline and service employees. Email is critical for keeping everyone connected. But many users are “light” emailers: they don’t send hundreds of messages a day, yet they still create an enormous attack surface.
When Mimecast came up for renewal, the company reupped because the price was right. However, operationally, the costs kept climbing. Phishing kept showing up often enough to erode confidence. User-reported messages stacked up faster than analysts could review them. And an abuse mailbox was turning into a daily drag on the team.
Instead of accepting “good enough” email security, the company’s security team decided to make a pragmatic move. It would keep Mimecast temporarily and use Proofpoint Core Email Protection API behind it. The goals were to:
- See whether additional threats would be caught by adding a second layer
- Take manual abuse mailbox triage off their plate
It was this layered approach that helped them to sign with Proofpoint sooner than they expected—and set a clear path toward replacing Mimecast altogether.
“We weren’t looking for more alerts. We needed fewer misses—and a way to stop spending our best people’s time on manual mailbox triage.” – IT security director
A distributed business with a very specific email reality
This company operates at national scale, with many semi-autonomous locations and a workforce mix that includes a large number of frontline and service roles. They rely on Microsoft 365 for email and collaboration. Plus, they need security controls that don’t disrupt mail flow across hundreds of locations.
This creates a perfect storm for email security teams:
- Lots of targets (users, locations, suppliers, third parties)
- High variability in email behavior (sales, service, accounting, operations)
- A steady stream of “is this legit?” messages from constant user reporting
- Low tolerance for disruption or mail delays and false positives across the business
For this company, email security isn’t just about blocking malware. It’s about keeping the business moving without turning the security team into a human filter.
The Mimecast problem: it wasn’t just misses—it was added work
In the initial conversations, the team described two pain points that kept repeating:
1: Mimecast’s detection efficacy didn’t inspire confidence
Mimecast was stopping plenty of email threats. But those that still reached inboxes created a constant cleanup cycle:
- Users forwarded suspicious messages.
- Analysts investigated.
- An uncomfortable question always followed: “How did this land in an inbox again?”
They didn’t disclose any single major incident that was a trigger. It was more like a slow operational bleed. Each miss wasn’t catastrophic, but together those misses consumed time, attention, and trust.
2: Mimecast’s abuse mailbox was a bottleneck
Their abuse mailbox wasn’t a nice-to-have. It was the center of gravity for user-reported threats. Done well, an abuse mailbox can be a powerful signal stream. Done manually, it becomes a treadmill.
They wanted to replace Mimecast until Mimecast “won” the renewal
Originally, the team intended to do a straight replacement. They wanted to remove Mimecast as the secure email gateway (SEG) and use Proofpoint instead.
But then renewal time came around, and Mimecast made deep pricing concessions. Like many large enterprises that have lots of light email users, budget pressure is real. Deep discounts can postpone a decision even when the operational pain is obvious. So, the customer renewed Mimecast for another year.
There were issues that Mimecast still wasn’t solving, however, and this was especially true when it came to monitoring the abuse mailbox. They still didn’t trust Mimecast to catch enough threats. That’s when they changed their approach to how they evaluated Proofpoint.
The pivot: Proofpoint behind Mimecast (not instead of it)
Rather than force a disruptive “rip and replace” cutover, Proofpoint offered a path that felt safer and faster. They would deploy Proofpoint Core Email Protection API behind Mimecast.
This architecture mattered because it reduced friction. The customer could:
- Keep the incumbent gateway temporarily
- Add a second layer of detection where Mimecast was missing threats
- Streamline abuse mailbox workflows
- Prove value without changing mail flow
No one needed to argue for a massive migration just to get real improvement. The security team could demonstrate outcomes first.
A proof-of-concept (POC) followed and it delivered the kind of evidence that changes internal conversations.
The POC moment: “Proofpoint started catching things we didn’t expect”
During the POC, Proofpoint detected suspicious and malicious emails that had already passed through Mimecast. That mattered for two reasons:
- Validation. The team wasn’t imagining the gaps.
- Urgency. Proofpoint wasn’t just theoretically an upgrade. It caught real messages in their environment.
This explains why the deal closed earlier than expected. The POC didn’t just show better protection. It showed better protection in the exact places Mimecast was failing them.
Fixing the abuse mailbox: from manual triage to managed workflow
This is where this story will feel familiar to many security teams. Most security leaders don’t need another dashboard. They need fewer hours burned on repetitive, low-leverage tasks—especially when those tasks are triggered by employees reporting suspicious emails that ultimately turn out to be benign.
Before Proofpoint, the way the team handled their abuse mailbox looked like what you see in many Mimecast environments:
- A user forwards a suspicious email
- An analyst opens it, inspects it, and makes a judgment call
- The analyst replies or remediates
This cycle repeats dozens or hundreds of times. And in a distributed organization with many locations, this can become a daily avalanche.
With Proofpoint, the customer could shift to workflow-driven triage:
- Clearer classification and prioritization
- Fewer “wild guess” decisions
- Reduced backlog pressure
- More analyst time spent where it actually reduces risk
The result wasn’t just faster handling, it was a change in operating mode. The team spent less time playing detective and more time preventing repeat exposure.
Why this hit hard: human-led attacks create human work
This customer’s experience aligns with what many security teams see broadly: the biggest email threats today are still human-centric.
Verizon’s 2025 Data Breach Investigations Report (DBIR) is often cited for showing that nearly 60% of breaches involve a human element (error, manipulation, or misuse). That matters because when threats are caused by people, they generate a workload that impacts people. Teams must investigate, reset credentials, search mailboxes, communicate with users, and document incidents.
If your gateway misses enough threats, you pay for it in analyst time and business disruption.
Making the economics work
One of the more practical reasons this company chose Proofpoint was that our licensing model fit their workforce reality. They had a high volume of users who send and receive relatively little email. As a result, they were very price conscious.
Proofpoint’s approach to light email-users helped them justify the investment even while Mimecast remained in place. They weren’t only comparing Proofpoint to Mimecast’s full gateway cost, they were comparing it to cheaper point tools that only addressed abuse mailbox monitoring “at a fraction of the cost.”
Proofpoint still won them over because we don’t just provide an abuse mailbox tool. Our platform delivers:
- Abuse mailbox monitoring plus post-delivery detection behind Mimecast
- A measurable efficacy story from the POC
- A runway toward more comprehensive protection
The outcome
By the end of the evaluation cycle, the customer signed with Proofpoint so it could run behind Mimecast. This approach delivered immediate value without forcing a risky cutover.
The near-term wins were practical:
- Catch threats Mimecast missed
- Reduce manual reviews of the abuse mailbox
- Restore confidence in day-to-day outcomes
- Keep Microsoft 365 central
And importantly, the customer’s roadmap is now clear. When Mimecast comes up for renewal again, the company expects to replace it with Proofpoint’s gateway model.
What Mimecast customers should take from this
If you’re a Mimecast customer, ask yourself these questions:
- Are users reporting threats that “should have been stopped”?
- Is your abuse mailbox a daily source of backlog and stress?
- Do discounts keep you renewing even as the operational pain grows?
- Are you stuck choosing between disruption (rip/replace) and stagnation (stay put)?
This customer proved there’s a third option: layer first, prove outcomes, then replace on your own timeline.
Ready to stop chasing threats that Mimecast misses?
If phishing is still getting through Mimecast, if abuse mailbox review is consuming your team’s valuable time, or if you’re ready to modernize without a high-risk cutover, it’s worth a conversation.
Contact Proofpoint to explore how Core Email Protection API can sit behind your existing gateway, close detection gaps, and streamline analyst workflows.
To learn why Proofpoint is a leading choice for email security, download our e-book: Smarter, faster email protection.
