CASE FILE // PC-2026-04
Status: Open


Filing 06.01.00 | Field 27 APR 2026 | Classification Public | Status Open

Proofpoint TAP cost: $36 to $108 per user per year

Targeted Attack Protection is Proofpoint's gateway-and-detection email security product. The competitive position has been compressed through 2023-2025 by Microsoft Defender for Office 365 Plan 2 and by behavioural-AI alternatives like Abnormal Security. All figures triangulated from public records as of 2026.

Exhibit A

TAP pricing and the post-2022 competitive squeeze


Proofpoint TAP pricing in 2026 sits at an estimated $36 to $108 per user per year. The wide band reflects substantial variation by purchase mode (standalone versus Aegis bundle), organisation size, and the specific feature mix included. Mid-market standalone pricing typically clusters at $50 to $80; enterprise Aegis bundle pricing is typically $36 to $60, because the bundle discount and volume break combine to compress the per-user figure substantially below the standalone equivalent.

The competitive position has changed materially since 2022. Microsoft's investment in Defender for Office 365 Plan 2 has produced a competing product that ships at no incremental cost for Microsoft 365 E5 customers. The functional coverage (URL rewriting, attachment sandboxing, anti-phishing AI) is now comparable to TAP for the typical mid-market use case. For Microsoft 365 E5 customers, the rational starting question is whether Defender for Office 365 Plan 2 meets the organisation's needs at zero incremental cost; if it does, the TAP business case becomes hard to justify.

Proofpoint's response to the Microsoft pressure has been to tighten the Aegis bundle discount (making the multi-product bundle more attractive versus single-product alternatives), to invest in BEC-specific detection and threat-intelligence capabilities that Microsoft has been slower to match, and to emphasise the integration value of running TAP alongside PSAT awareness training in a unified Proofpoint platform deployment. The defensive moves stabilised TAP standalone pricing in 2024-2025, but the secular trend toward Microsoft-bundle email security continues to compress the addressable market. [USASpending + GovSpend Proofpoint contract records 2022-2025 + Microsoft Defender for Office 365 SKU pricing + Gartner Magic Quadrant Email Security 2024]

Exhibit B

What TAP actually does: feature anatomy

REFERENCE

URL rewriting and reputation scanning

URLs in inbound email are rewritten to route through Proofpoint's URL-defence service. On click, the URL is checked against threat-intelligence feeds and sandbox-detonation results. Catches lures pointing at known-bad domains or recently-registered lookalike domains.

Attachment sandboxing

Unknown attachments are detonated in Proofpoint's sandbox environment before delivery to the recipient. Catches malware-bearing attachments including macro-enabled documents, ISO and IMG files, and recent-format payloads. Less effective against attachments delivered via cloud-storage links rather than direct attachment.

BEC detection

Anti-impersonation analysis on inbound email looking for display-name spoofing, lookalike sender domains, urgency-linguistic indicators, and wire-instruction-change patterns. Catches the more obvious BEC patterns; behavioural-AI alternatives like Abnormal Security are typically more effective on the residual cases.

Image-OCR for embedded QR codes

Decodes QR codes embedded in inbound image attachments and inline images, extracts the URL, and runs reputation lookup. Necessary for catching quishing lures (see /by-attack/quishing). Deployed by default in current TAP versions; older deployments may not have it enabled.

Threat-intelligence integration

Proofpoint's broader threat-intelligence platform feeds into TAP detection. Real-time updates of known-bad domains, malware signatures, and BEC indicators. The threat-intelligence depth is one of TAP's distinguishing capabilities versus Microsoft Defender.

Reporting and post-event analysis

Detailed dashboards on delivered, blocked, and remediated emails. Post-event forensic capability to trace specific email-recipient interactions. Mature reporting infrastructure that integrates with SIEM and SOAR platforms.

Exhibit C

Worked examples by organisation profile


| Organisation profile | Purchase mode | Per-user cost | Annual total |
|---|---|---|---|
| 500-employee mid-market, standalone | TAP standalone | $65 | $32,500 |
| 500-employee mid-market, Aegis bundle | Aegis (TAP + PSAT) | $55 | $27,500 |
| 2,000-employee mid-market, Aegis | Aegis full bundle | $48 | $96,000 |
| 10,000-employee enterprise, Aegis | Aegis + volume | $42 | $420,000 |
| 50,000-employee Fortune 500, Aegis | Aegis + deep volume | $36 | $1,800,000 |

Examples use midpoint negotiation outcomes. The bundle premium versus standalone is most pronounced for mid-market because the bundle's PSAT and Sigma components have proportionally more value at smaller user counts where the alternative would be standalone purchase of each. [Triangulated from Proofpoint contract records + reseller catalogues]

Exhibit D

TAP versus Microsoft Defender for Office 365 Plan 2: the decision tree


The TAP-versus-Defender-for-Office-365 decision dominates enterprise email-security procurement in 2025-2026. The decision tree depends primarily on three variables: current Microsoft 365 licensing posture, organisational appetite for vendor consolidation versus best-of-breed, and the specific threat-model emphasis the organisation has settled on.

For organisations already on Microsoft 365 E5, Defender for Office 365 Plan 2 ships at no incremental cost. The functional coverage is comparable to TAP for typical mid-market use cases. The vendor-consolidation benefit of running email security in the same platform as the email itself is real and meaningful. Unless there is a specific threat-model gap (BEC-detection depth, threat-intelligence breadth) that Defender does not cover, the default choice for E5 customers is Defender, not TAP.

For organisations on Microsoft 365 E3, the calculation is more nuanced. The E5 upgrade cost (typically $15 to $25 per user per month incremental) and the TAP standalone purchase cost are comparable, and the E5 upgrade brings additional capabilities beyond email security (Microsoft Sentinel, additional information protection, advanced compliance). For E3 customers who want only an email-security improvement and not the broader E5 capability, TAP is frequently the more cost-effective choice; for E3 customers who can use the broader E5 capability, the E5 upgrade frequently wins.

For organisations on Google Workspace (the non-Microsoft email population), TAP is one of several standalone-vendor alternatives to consider alongside Abnormal Security (see /email-security/abnormal-security-cost), Mimecast, and IRONSCALES. The decision among these alternatives depends primarily on whether the organisation prioritises gateway-style scanning (TAP, Mimecast) or post-delivery behavioural-AI (Abnormal). Many mature Google Workspace organisations now run a behavioural-AI platform in place of or alongside a gateway-style product. [Microsoft Defender for Office 365 SKU pricing + Microsoft 365 E5 vs E3 SKU pricing + Gartner Magic Quadrant Email Security 2024]

Exhibit E

ROI math: TAP cost vs phishing event cost


The ROI calculation for TAP follows the standard email-security-investment template. For a 2,000-employee mid-market organisation paying $48 per user per year through the Aegis bundle, the annual TAP cost is $96,000. Against the modelled $4.20M average mid-market breach cost (see /by-scale/mid-market), the program pays back on a single avoided event if TAP prevents that event. Industry benchmark data places gateway-style email security at approximately 40 to 60 percent reduction in successful phishing-delivery, which translates to roughly equivalent reduction in event-probability-weighted cost.

The caveats are important. Gateway-style email security is most effective against bulk and lower-sophistication phishing; effectiveness against AI-grade spear phishing and AitM attacks is lower because the lures use grammatically-perfect content and frequently target legitimate or recently-compromised domains that pass reputation lookup. The pragmatic enterprise architecture in 2026 runs TAP (or equivalent gateway-style product) alongside a behavioural-AI platform (Abnormal Security or equivalent) to cover both the bulk and the residual sophisticated attacks. The total spend is higher than either platform alone but covers a broader attack-surface set.

For Microsoft 365 E5 customers using Defender for Office 365 Plan 2 as the gateway layer at zero incremental cost, the TAP business case is harder to justify because the residual effectiveness gap versus Defender is small in most use cases. The behavioural-AI layer is the higher-leverage incremental investment for E5 customers, not a TAP overlay on top of Defender. The architecture choice depends on threat-model and operational considerations rather than pure ROI math. [IBM 2025 mid-market cohort + Gartner Magic Quadrant Email Security 2024 effectiveness data]

Exhibit F

What buyers should ask before signing the TAP contract


Are we Microsoft 365 E5 customers?

If yes, evaluate Defender for Office 365 Plan 2 first because it ships at no incremental cost. The TAP business case has to be justified against a zero-cost incumbent.

Are we Microsoft 365 E3 customers considering an upgrade versus TAP?

Run the E5-upgrade-cost calculation including non-email E5 capabilities. For email-only need, TAP frequently wins; for broader E5 capability use, upgrade frequently wins.

Standalone or Aegis bundle?

If you intend to use PSAT and Sigma, Aegis bundle pricing is typically more attractive. If you intend to use other awareness-training or information-protection vendors, standalone TAP plus those vendors may be cheaper total.

What is the BEC-detection performance?

TAP's BEC detection catches the obvious patterns. For residual sophisticated BEC, evaluate a behavioural-AI overlay (Abnormal Security or equivalent). Get baseline-detection-rate data from Proofpoint for your industry.

Is image-OCR for QR codes enabled?

Required to catch quishing lures (see /by-attack/quishing). Default in current TAP; confirm for older deployments.

What is the renewal-price posture?

Proofpoint contracts can auto-renew at prevailing list price. Negotiate a renewal-price cap.

Exhibit G

Frequently filed questions

ON RECORD

How much does Proofpoint TAP cost?

Estimated $36-$108 per user per year. Standalone mid-market typically $50-$80; Aegis bundle pricing typically $36-$60 at enterprise volumes.

What does TAP actually do?

URL rewriting and reputation scanning, attachment sandboxing, BEC detection, image-OCR for embedded QR codes, threat-intelligence integration. Standard gateway-style email security capability set.

How does TAP compare to Microsoft Defender for Office 365 Plan 2?

Comparable functional coverage. Microsoft Defender ships at no incremental cost for Microsoft 365 E5 customers. Microsoft pressure has compressed TAP standalone pricing through 2023-2025.

Does TAP catch AitM and behavioural-AI BEC?

Partially. Effective against AitM lures using known-bad domains; less so against AitM using compromised legitimate domains. BEC detection catches obvious patterns; behavioural-AI alternatives like Abnormal are typically more effective on residuals.

Should I buy TAP standalone or Aegis bundle?

If you intend to use PSAT and Sigma, Aegis bundle is typically more attractive. If you have alternative awareness-training and information-protection commitments, standalone TAP may be cheaper total.

Should I run TAP plus behavioural-AI overlay?

Pragmatic enterprise architecture in 2026 runs gateway-style (TAP or Defender) plus behavioural-AI (Abnormal, Sublime, IRONSCALES) to cover both bulk and sophisticated attacks. Total spend is higher but covers broader surface.

What is the Aegis bundle discount?

Typically 15-25 percent versus standalone TAP purchase. Most enterprise Proofpoint customers buy through the bundle.

Updated 2026-04-27