Proofpoint and Crowdstrike Partnership

Unparalleled protection for your users and their endpoints

Nearly 100% of threats are human activated. Transform your security program by deploying automated remediation for attacks targeting your people and their devices.

Address Your Security Program Challenges

  • Security Efficacy
  • Solution Complexity
  • Attacker Sophistication
  • SOC Productivity
  • Threat Visibility
  • Time to Deploy
  • Talent Shortage
  • Manual Workflows
Download the Solution Brief

Get automated end-to-end protection against threats across email and devices

Proofpoint and CrowdStrike have partnered to transform your security program and protect your organization from the ever-changing threat landscape. Together, we improve your security efficacy and enhance your visibility and context around threats. Our orchestration and response capabilities make your security team more productive. And we help you to reduce your overall risk against the No. 1 threat vector. These out-of-the-box integrations are free to any joint Proofpoint and CrowdStrike customers.

Integrations and Benefits

Predelivery Protection for External Email

When an email that contains a file is sent to a customer, Proofpoint TAP begins a sandbox analysis. This determines whether or not the email is malicious. At the same time, TAP also queries CrowdStrike intelligence to check the reputation of the file. CrowdStrike informs TAP if it recognizes the file as malicious. When it does, then both the message and file are condemned. They are blocked from ever reaching the user.


  1. Email with attachment detected at email gateway (PPS)
  2. Attachment sent to Proofpoint TAP (Sandbox) for analysis, file-hash lookup for reputation with
  3. CrowdStrike Falcon X 3. CrowdStrike condemns attachment, email is blocked at gateway
  4. If CrowdStrike does not respond with verdict but Proofpoint sandbox condemns attachment, email is blocked at gateway

Learn more about Targeted Attack Protection

Predelivery Protection for Internal Email

More than ever, internal email traffic must be treated the same as external email. You need a multilayered security approach to scan internal emails for malicious content. Proofpoint Internal Mail Defense scans internal-to-internal email communications. Its integration with CrowdStrike intelligence also helps protect against emails that contain attachments. If Proofpoint or CrowdStrike deems an internal email to be malicious, then Proofpoint Threat Response Auto-Pull (TRAP) can automatically quarantine it and all related messages.


  1. Internal email (with attachment) sent to PFPT IMD (internal mail defense) cluster
  2. IMD leverages TAP to ensure the attachment is malicious
  3. IMD blocks any email from being delivered if attachment is deemed malicious by TAP sandbox or Falcon X

Post-Delivery Automated Remediation

Proofpoint automatically detects and quarantines email that turns malicious post-delivery. And we share intelligence about unknown threats with CrowdStrike. This helps to limit future attacks on your endpoints.

  • Proofpoint quarantines any messages that have been delivered or forwarded
  • If unknown to CrowdStrike, the malicious hash is added to the CrowdStrike list of custom indicators of compromise (IOCs)
  • An alert is created if the malicious content tries to execute on the device
Proofpoint Crowdstrike Integration
  1. If an attachment delivered is later found to be malicious (weaponized URL etc.), Proofpoint TAP alerts TRAP (Threat Response Auto-Pull).
  2. IOC created and added to CrowdStrike Customer IOC list for joint customers.
  3. TRAP then pulls out the email from all customer inboxes (original plus forwards).
  4. CrowdStrike Falcon platform generates alerts that can be followed up on by security team (also block any future attack directly on the endpoint).

Learn more about Automated Remediation

Enhanced Zero Trust Security

As companies work to achieve zero trust security within their organizations, making sure the endpoint is within security compliance before allowing it to connect is critical.  Proofpoint Meta and Crowdstrike Falcon integrate with posture checking to ensure endpoints are in compliance.

  • Ensure secure access to confidential systems by using the Proofpoint Meta agent to detect if Crowdstrike Falcon is deployed on the endpoint.  If not then several actions, such as disconnecting the endpoint, can take place.
  • Proofpoint Meta administrators have flexibility to create a posture checking message for the end user letting them know why they have failed posture checking and provide potential remediation options such a clicking a URL to deploy the Crowdstrike Falcon agent.

Learn more about Zero Trust

Better protection for Federal Government Agencies

Proofpoint and CrowdStrike combine their extensive threat visibility and detection capabilities to provide unparalleled protection for Federal customers. Through both of our FedRAMP Certified Solutions (Proofpoint TAP and CrowdStrike Falcon X), we can provide federal agencies multi-layered security to safeguard against today’s threat landscape.


Gain real-time insight into threats to help you prioritize and act on them

Email threats are constantly evolving. Proofpoint Targeted Attack Protection (TAP) evolves with them to detect and resolve new threats as they arise.

Watch the Demo

Ready to give Proofpoint a try?

Let us walk you through our Targeted Attack Protection and answer any questions you have about email security.