




















The TPAD01 exam is an advanced technical certification that validates a security professional's ability to effectively administer and manage Proofpoint’s security solutions in real-world environments. It is designed for IT professionals and security administrators looking to demonstrate operational readiness and advanced administrative proficiency.
Focus: Day-to-day operational skills required to secure and maintain a reliable email environment.
Target Audience: Security administrators, IT professionals, and analysts.
Duration: Up to 90 minutes.
Certification Tier: Part of the Proofpoint Certified Guardian technical certification track
Typology: Exams





















Key Features
Advanced Threat Analysis: Deep dives into Targeted Attack Protection (TAP) and attachment/URL sandboxing.
Automated Remediation: Mastery of Threat Response Auto-Pull (TRAP) for post-delivery incident response.
Identity Protection: Focus on Very Attacked People (VAPs) and Impostor protection.
Policy Granularity: Sophisticated rule creation for Spam, DLP, and Encryption.

Advanced Threat Mitigation:
- Focuses on Targeted Attack Protection (TAP) to identify and block sophisticated URL and attachment-based threats using sandboxing technology.
Post-Delivery Remediation:
Identity & Authentication Security:
- Covers the implementation of DMARC, SPF, and DKIM to prevent domain spoofing and ensure brand protection.
People-Centric Visibility:
Granular Policy Management:
Data Protection (DLP):
- Includes the configuration of Data Loss Prevention (DLP) and Encryption to prevent sensitive data (PII, PCI) from leaving the organization unauthorized.
NexusAI Integration:
- Utilizes Proofpoint's NexusAI machine learning engine to detect "malware-less" threats like CEO fraud and impersonation attacks.
Incident Investigation & Reporting:
- Equips admins with Smart Search and Threat Graph tools to perform forensic analysis and generate high-level executive risk reports.
1. Which components are required to successfully deploy Proofpoint Threat Response Auto-Pull (TRAP)? (Select TWO)
A. An API connection to the mail environment (e.g., Microsoft Graph API).
B. A physical hardware appliance in every branch office.
C. A TAP (Targeted Attack Protection) subscription.
D. A local POP3 mail server.
Correct Answers: A and C.
Explanation: TRAP requires an API connection to reach into mailboxes and remove messages, and it relies on TAP alerts to identify which messages are malicious.

2. Which of the following are primary functions of the Proofpoint TAP Dashboard? (Select THREE)
A. Identifying "Very Attacked People" (VAPs) within the organization.
B. Monitoring real-time click activity on rewritten URLs.
Conformance)
D. DHCP (Dynamic Host Configuration Protocol)
Correct Answers: A, B, and C.
Explanation: SPF, DKIM, and DMARC are the three pillars of email authentication used to prevent spoofing and verify sender identity.

6. Which of the following are characteristics of a "Very Attacked Person" (VAP)? (Select TWO)
A. They receive a high volume of targeted threats.
B. They are always the CEO or CFO.
C. They receive attacks from sophisticated threat actors.
D. They have failed more than ten phishing simulations.
Correct Answers: A and C.
Explanation: VAPs are identified by the nature and intensity of the attacks they receive, not necessarily their job title or their behavior in simulations.

7. In Proofpoint PPS, what can be used as a "Condition" for a mail rule? (Select THREE)
A. Sender IP address
B. Envelope Recipient
C. Attachment File Extension
D. Monitor Refresh Rate
Correct Answers: A, B, and C.
Explanation: Rules are built on conditions like where the mail is coming from, who it is for, and what it contains; hardware refresh rates are not part of mail logic.

8. Which features are included in Proofpoint’s "Information Protection" suite? (Select TWO)
A. Data Loss Prevention (DLP)
B. Email Encryption
C. Hard Drive Defragmentation
D. Power Supply Monitoring
Correct Answers: A and B.
Explanation: Information protection focuses on securing data via DLP rules (preventing leaks) and encryption (securing transit).

9. What types of analysis does the TAP Sandbox perform? (Select TWO)
A. Static Analysis (examining code without running it).
B. Dynamic Analysis (observing behavior during execution).
C. Physical Analysis (checking the weight of the server).
D. Manual Analysis by the user.
Correct Answers: A and B.
Explanation: Sandboxing uses both static inspection of files/links and dynamic detonation in a virtual environment to detect threats.

10. Which methods can be used to import users into the Proofpoint platform? (Select TWO)
A. LDAP/Active Directory Sync
B. CSV file upload
C. Bluetooth transfer
D. Physical mail-in forms
Correct Answers: A and B.
Explanation: Administrators typically sync users via LDAP for automation or use CSV uploads for smaller, static environments.

11. What are the core components of the Proofpoint "NexusAI" engine? (Select TWO)
A. Machine Learning models for threat detection.
B. A physical robot in the data center.
C. Global threat intelligence shared across all customers.
D. A manual spreadsheet of bad IP addresses.
Correct Answers: A and C.
Explanation: NexusAI leverages AI algorithms and massive datasets from Proofpoint’s global customer base to identify emerging threats.

12. When a message is "Rewritten" by TAP, what visible changes might occur? (Select TWO)
A. The URL is prefixed with "urldefense.proofpoint.com".
Explanation: DMARC relies on the alignment of SPF and DKIM; both must be healthy before a "Reject" policy can be safely implemented.

16. Which of these are common "Impostor" attack techniques? (Select TWO)
A. Display Name Spoofing
B. Look-alike Domain Spoofing
C. Brute Force Password Cracking
D. SQL Injection
Correct Answers: A and B.
Explanation: Impostor attacks (BEC) focus on deception through name or domain manipulation rather than technical exploits like SQLi.

17. What are the primary administration roles in PPS? (Select TWO)
A. Super User
B. Reporting User
C. Coffee Manager
D. Janitorial Admin
Correct Answers: A and B.
Explanation: Proofpoint uses Role-Based Access Control (RBAC), with Super User having full access and Reporting User having read-only access to data.

18. Which actions can an administrator take from the Quarantine interface? (Select THREE)
A. Release the message to the user.
B. Delete the message.
C. View the message headers.
D. Format the user's hard drive.
Correct Answers: A, B, and C.
Explanation: The quarantine allows admins to inspect, deliver, or permanently remove blocked messages.

19. What does the "Spam Score" (0-100) indicate? (Select TWO)
A. The probability that a message is spam.
B. The number of characters in the email.
C. Whether the message meets the "Spam" threshold set in policies.
D. The age of the sender.
Correct Answers: A and C.
Explanation: PPS assigns a score based on various heuristics; if the score exceeds the policy threshold (e.g., 80), it is treated as spam.

20. Which of these are "Smart Search" filters? (Select THREE)
A. Sender Address
B. Subject Line
C. Message ID
D. User's Home Address
Correct Answers: A, B, and C.
Explanation: Smart Search allows administrators to find specific emails using technical metadata like sender, subject, and unique IDs.

21. What is the purpose of the "Proofpoint Browser Isolation" feature? (Select TWO)
A. To allow users to browse risky websites in a secure, containerized session.
B. To prevent malware from reaching the local endpoint via the browser.
C. To increase the internet speed of the user.
D. To block the user from using the internet entirely.
Correct Answers: A and B.
Explanation: Browser Isolation creates a "buffer" in the cloud, rendering website content safely so that any malicious code never touches the user's actual computer.

22. Which of the following can be inspected by Proofpoint DLP? (Select TWO)
A. Credit Card Numbers
B. Social Security Numbers
C. The color of the user's desktop wallpaper.
D. The physical weight of the laptop.
Correct Answers: A and B.

26. Which of the following are "Alert" types in the TAP system? (Select THREE)
A. Malware
B. Phish
C. Impostor
D. Hardware Failure
Correct Answers: A, B, and C.
Explanation: TAP alerts focus on threat categories: software-based threats (malware), credential theft (phish), and identity deception (impostor).

27. What can be found in a TAP Forensic report? (Select TWO)
A. Screenshots of a malware's behavior in the sandbox.
B. Network connections attempted by an attachment.
C. The home phone number of the attacker.
D. A list of all the user's personal friends.
Correct Answers: A and B.
Explanation: Forensics provide technical proof of why a file was flagged, including visual evidence (screenshots) and technical logs (network calls).

28. Which of the following are "Threat Actor" types tracked by Proofpoint? (Select TWO)
A. State-Sponsored Actors.
B. Cybercriminals (motivated by profit).
C. Hollywood Actors.
D. Local sports teams.
Correct Answers: A and B.
Explanation: Proofpoint tracks sophisticated groups, categorized by their motives (espionage vs. financial gain).

29. What is the function of the "Proofpoint Encryption" module? (Select TWO)
A. To automatically encrypt sensitive outbound emails based on DLP rules.
B. To allow recipients to securely read and reply to encrypted messages via a portal.
C. To hide the email subject line from the sender.
D. To delete the email after 5 minutes.
Correct Answers: A and B.
Explanation: Encryption ensures data privacy during transit and provides a secure "Decryption Portal" for external recipients.

30. Which of these are valid "Module" names within PPS? (Select THREE)
A. Anti-Spam
B. Anti-Virus
C. Regulatory Compliance
D. Video Streaming
Correct Answers: A, B, and C.
Explanation: PPS is modular; administrators enable/disable features like Spam protection, Virus scanning, and Compliance (DLP) as needed.

31. How does Proofpoint identify "Look-alike" domains? (Select TWO)
A. By checking for transposed characters (e.g., g00gle.com).
B. By checking for non-standard character sets (Cyrillic).
C. By calling the domain owner on the phone.
Correct Answers: A and B.
Explanation: Sophisticated algorithms look for visual similarities in domains that attackers use to trick users.

32. What information is required to set up an LDAP profile in PPS? (Select THREE)
A. Server Hostname/IP
B. Bind DN and Password
C. Search Base
D. User's Favorite Color
Correct Answers: A, B, and C.

36. Which "Action" can be taken by a DLP rule? (Select THREE)
A. Encrypt
B. Notify Manager
C. Quarantine
D. Buy more storage
Correct Answers: A, B, and C.
Explanation: When a DLP violation is found, the system can secure the mail, alert a supervisor, or hold the mail for review.

37. What is "Sandboxing" latency? (Select TWO)
A. The brief delay while a file is being analyzed in the sandbox.
B. It is usually measured in seconds or a few minutes.
C. It is the time it takes to print an email.
D. It is the distance between the server and the user.
Correct Answers: A and B.
Explanation: Because sandboxing requires "detonating" a file, there is a small, necessary delay before the email is released to the user.

38. Which of these are considered "Malware" types? (Select TWO)
A. Ransomware
B. Keyloggers
C. Newsletters
D. Coupons
Correct Answers: A and B.
Explanation: Malware refers to software designed with malicious intent, such as locking files for ransom or stealing keystrokes.

Which of the following are valid "Actions" for a Data Loss Prevention (DLP) rule?
A) Quarantine for Approval.
B) Encrypt the message.
C) Tag the Subject Line (e.g., [SECURE]).
D) Automatically delete the sender's mailbox.
Answer: A, B, and C.
Explanation: DLP actions are designed to secure or stop the flow of sensitive data; deleting a mailbox is an administrative task, not a policy action.

42. What information is available in the Proofpoint "Very Attacked People" (VAP) report?
A) The names of users targeted by high-severity attacks.
B) The type of threats targeting each user (e.g., Phish, Malware).
C) The home address of the attacker.
D) The "Attack Index" score for each individual.
Answer: A, B, and D.
Explanation: The VAP report focuses on identifying risk within the organization based on attack frequency and severity.

43. To ensure high deliverability and security, which DNS records should be configured?
A) MX records pointing to Proofpoint.
B) SPF records including Proofpoint’s sending IPs.
C) DKIM records for digital signing.
D) A records pointing to the company's coffee machine.
Answer: A, B, and C.
Explanation: MX, SPF, and DKIM are the foundational pillars for email routing and sender authentication.

44. What are the key features of the Threat Response Auto-Pull (TRAP) dashboard?
A) View incidents generated by user reports (PhishAlarm).
B) Manually trigger a "Clawback" of a specific Message ID.
C) Monitor the success rate of automated threat removals.
D) Manage employee vacation schedules.
Answer: A, B, and C.
Explanation: TRAP is an incident response tool focused on automating the removal of threats from the mail environment.

Explanation: A False Negative is a failure of the security system to catch a real threat, representing a risk to the organization.

50. What is the role of "PhishAlarm" in the Proofpoint ecosystem?
A) It provides an easy way for users to report suspicious emails.
B) It sends reported emails to TRAP for analysis.
C) It automatically fires employees who click on phishing links.
D) It provides feedback to the user on whether their report was a real threat.
Answer: A, B, and D.
Explanation: PhishAlarm turns employees into "sensors," helping the security team identify threats that may have bypassed automated filters.

51. Which types of files are typically sent to the Proofpoint Sandbox for analysis?
A) Executable files (.exe, .msi).
B) Office documents with macros (.docm, .xlsm).
C) Plain text files (.txt).
D) Compressed archives (.zip, .7z).
Answer: A, B, and D.
Explanation: Sandboxing is reserved for file types that can carry active, malicious code. Plain text files are generally safe.

52. What are the primary objectives of a DMARC "Reject" policy?
A) To block all unauthorized emails using the company's domain.
B) To protect the brand's reputation.
C) To increase the amount of spam received.
D) To ensure only authenticated mail reaches the recipient.
Answer: A, B, and D.
Explanation: A 'reject' policy is the ultimate goal of DMARC, ensuring that spoofed emails are dropped before delivery.

53. How can an administrator reduce "Spam" while minimizing "False Positives"?
A) Adjusting the "Spam Score" threshold.
B) Using "Safe Lists" for trusted partners.
C) Disabling the spam filter entirely.
D) Enabling "Bulk Mail" folders for newsletters.
Answer: A, B, and D.
Explanation: Balancing security and usability requires fine-tuning scores and using allow-lists for known good senders.

54. What information is required to perform a "Smart Search"?
A) Sender or Recipient email address.
B) Subject line keywords.
C) The user's home phone number.
D) Message ID or Date Range.
Answer: A, B, and D.
Explanation: Smart Search uses metadata to locate specific logs of email traffic for troubleshooting or investigation.

55. Which components make up the Proofpoint "Threat Protection Platform"?
A) Email Protection.
B) Targeted Attack Protection (TAP).
C) Threat Response Auto-Pull (TRAP).
D) Proofpoint Toaster Management.
Answer: A, B, and C.
Explanation: These three core products form the pillar of Proofpoint’s defense against modern, targeted email attacks.

56. What does "Clawback" refer to in the context of TRAP?
A) Removing a delivered email from a user's inbox.
B) Recovering deleted files from a hard drive.
C) Reversing a financial wire transfer.
D) Moving an email from the inbox to a secure quarantine.
Answer: A and D.
Explanation: Clawback is the automated process of retrieving a message after it has reached the user's mailbox.

57. What are the "Emergency Inbox" features used for?
A) Providing email access during a primary mail server outage (e.g., Office 365 down).
B) Sending mass marketing emails.
C) Maintaining business continuity.
D) Storing personal photos.

Answer: A, B, and D.
Explanation: Effective remediation involves identifying the scope of the problem, removing the threat, and hardening defenses.

62. What does "URL Sandbox" do?
A) It clicks on links in a safe environment to see where they lead.
B) It checks if the destination site tries to download malware.
C) It deletes the user's browser history.
D) It captures screenshots of the destination page for analysis.
Answer: A, B, and D.
Explanation: URL sandboxing goes beyond reputation checks by actually interacting with the site to find hidden malicious behavior.

63. Which "Role-Based Access Control" (RBAC) levels exist in Proofpoint?
A) Super User.
B) Operations Admin.
C) Read-Only User.
D) Guest/Janitor.
Answer: A, B, and C.
Explanation: RBAC ensures that staff members only have the permissions necessary for their specific job functions.

64. What happens to an email when it is "Dropped" by a policy?
A) The email is deleted.
B) No notification is sent to the sender or recipient.
C) It is stored in the "Sent" folder.
D) It is as if the email never existed.
Answer: A, B, and D.
Explanation: "Drop" or "Discard" is a silent action usually reserved for high-confidence threats where you don't want to alert the attacker.

65. Why is "Outbound Filtering" important?
A) To prevent the company's IPs from being blacklisted.
B) To stop data leaks (DLP).
C) To filter internal office gossip.
D) To ensure the company is not inadvertently sending malware to customers.
Answer: A, B, and D.
Explanation: Outbound security protects the organization's reputation and prevents the spread of threats from compromised internal accounts.

66. What is "Nexus Threat Intelligence"?
A) A global database of threat data shared across Proofpoint customers.
B) Information about millions of domains and IP reputations.
C) A social media network for hackers.
D) The brain that powers automated detection and response.
Answer: A, B, and D.
Explanation: Nexus is the collective intelligence engine that allows Proofpoint to stay ahead of evolving global threats.

67. In TRAP, what is an "Incident"?
A) A collection of related malicious emails.
B) A single spam message.
C) A report from a user via PhishAlarm.
D) A hardware failure in the data center.
Answer: A and C.
Explanation: An incident in TRAP groups together threats from the same campaign or reporter to make response more efficient.

68. What are the signs of a "Compromised Account"?
A) Sudden spikes in outbound email volume.
B) Logins from unusual geographic locations.
C) The user changed their desktop wallpaper.
D) The account is sending phishing links to internal colleagues.
Answer: A, B, and D.
Explanation: Compromised accounts exhibit abnormal behavior that deviates from the user's standard activity patterns.

69. Which "Transport Layer Security" (TLS) versions are supported for secure mail delivery?
A) TLS 1.2.
B) TLS 1.3.
C) SSL 2.0 (deprecated).
D) ROT13.