Proofpoint and CrowdStrike Partnership

Unparalleled protection for your users and their endpoints

Nearly 100% of threats are human activated. Transform your security program by deploying automated remediation for attacks targeting your people and their devices.

Address Your Security Program Challenges

  • Security Efficacy
  • Solution Complexity
  • Attacker Sophistication
  • SOC Productivity
  • Threat Visibility
  • Time to Deploy
  • Talent Shortage
  • Manual Workflows

Get automated end-to-end protection against threats across email and devices

Proofpoint and CrowdStrike have partnered to transform your security program and protect your organization from the ever-changing threat landscape. Together, we improve your security efficacy and enhance your visibility and context around threats. Our orchestration and response capabilities make your security team more productive. And we help you to reduce your overall risk against the No. 1 threat vector. These out-of-the-box integrations are free to any joint Proofpoint and CrowdStrike customers.

Integrations and Benefits

Predelivery Protection for External Email

Proofpoint leverages CrowdStrike intelligence (Falcon X) to block external emails with malicious attachments at the gateway. You get improved protection through our threat intelligence sharing, since we block ransomware, polymorphic malware, keyloggers and zero-day threats from getting to your inbox.

  • Proofpoint sandboxes attachments from external emails and queries the CrowdStrike Intelligence API for file reputation
  • CrowdStrike informs TAP if it recognizes the file as malicious
  • When it does, both the message and the file are condemned, blocking them from ever reaching the end user


  1. External email with attachment detected at email gateway (PPS)
  2. Unknown attachment sent to Proofpoint TAP (sandbox) for analysis, with a file-hash reputation lookup against CrowdStrike Falcon X
  3. If CrowdStrike condemns attachment, email is blocked at gateway
  4. If CrowdStrike does not respond with verdict but Proofpoint sandbox condemns attachment, email is blocked at gateway

Predelivery Protection for Internal Email

Proofpoint’s Internal Mail Defense (IMD) product leverages CrowdStrike intelligence (Falcon X) to stop lateral movement of malware via email. Our combined visibility and threat detection capabilities protect your inbox and endpoint.

  • Proofpoint’s IMD solution scans internal-to-internal email communications
  • Proofpoint sandboxes attachments from internal emails and queries the CrowdStrike Intelligence API for file reputation
  • If Proofpoint or CrowdStrike deems the attachment malicious, Proofpoint automatically quarantines it and all related emails


  1. Internal email (with attachment) is sent to Proofpoint IMD (Internal Mail Defense) for inspection
  2. IMD leverages TAP, sandboxing unknown attachments
  3. IMD blocks any email from being delivered if attachment is deemed malicious by TAP sandbox or Falcon X

Post-Delivery Automated Remediation

Proofpoint automatically detects and quarantines email that turns malicious post-delivery. And we share intelligence about unknown threats with CrowdStrike (Falcon Insight). This helps to limit future attacks on your endpoints.

  • Proofpoint quarantines any messages that have been delivered or forwarded
  • If unknown to CrowdStrike, the malicious hash is added to the CrowdStrike list of custom indicators of compromise (IOCs)
  • An alert is created if the malicious content tries to execute on the device

Post Delivery Automation

  1. If a delivered attachment is later found to be malicious (weaponized URL etc.), Proofpoint TAP alerts TRAP (Threat Response Auto-Pull)
  2. TRAP then pulls the email out of all customer inboxes (original plus forwards)
  3. An IOC is created and added to the CrowdStrike Custom IOC list (Falcon Insight) for joint customers
  4. The CrowdStrike Falcon platform generates alerts that the security team can follow up on (and also blocks any future attack directly on the endpoint)

Enhanced Zero Trust Security

As companies work to achieve zero trust security within their organizations, making sure the endpoint is within security compliance before allowing it to connect is critical. Proofpoint Meta and CrowdStrike Falcon integrate with posture checking to ensure endpoints are in compliance.

  • Ensure secure access to confidential systems by using the Proofpoint Meta agent to detect whether CrowdStrike Falcon is deployed on the endpoint. If it is not, several actions, such as disconnecting the endpoint, can take place.
  • Proofpoint Meta administrators have the flexibility to create a posture-checking message for the end user that explains why they failed posture checking and provides potential remediation options, such as clicking a URL to deploy the CrowdStrike Falcon agent.

Better protection for Federal Government Agencies

Proofpoint and CrowdStrike combine their extensive threat visibility and detection capabilities to provide unparalleled protection for Federal customers. Through both of our FedRAMP Certified Solutions (Proofpoint TAP and CrowdStrike Falcon X), we can provide federal agencies multi-layered security to safeguard against today’s threat landscape.


Gain real-time insight into threats to help you prioritize and act on them

Email threats are constantly evolving. Proofpoint Targeted Attack Protection (TAP) evolves with them to detect and resolve new threats as they arise.
