Proofpoint MCP
MCP server for Proofpoint Email Protection — TAP (Targeted Attack Protection), threat intelligence, URL Defense, DLP, forensics, and quarantine management.
🔗 Companion Plugin
Pair this MCP server with the Proofpoint plugin for skills, commands, and API knowledge alongside direct API access.
Installation
Run the MCP server with npx:
npx @wyre-technology/proofpoint-mcp Or install the package:
npm install @wyre-technology/proofpoint-mcp MCPB Bundle (Claude Desktop)
Download the .mcpb bundle from
GitHub Releases
for a zero-config Claude Desktop install. No Node.js or terminal required — just open the
bundle in Claude Desktop via Settings → MCP Servers → Install from file.
Requires Claude Desktop 0.10+.
Claude Desktop Configuration
Add to your claude_desktop_config.json:
{
"mcpServers": {
"proofpoint": {
"command": "npx",
"args": [
"@wyre-technology/proofpoint-mcp"
],
"env": {
"PROOFPOINT_SERVICE_PRINCIPAL": "your-proofpoint-service-principal",
"PROOFPOINT_SERVICE_SECRET": "your-proofpoint-service-secret"
}
}
}
}Authentication
| Variable | Required | Description |
|---|---|---|
PROOFPOINT_SERVICE_PRINCIPAL | Yes | Proofpoint TAP service principal |
PROOFPOINT_SERVICE_SECRET | Yes | Proofpoint TAP service secret |
PROOFPOINT_BASE_URL | No | Explicit base URL override (defaults to TAP production endpoint) |
Architecture
Single TypeScript MCP server with comprehensive flat tool exposure across TAP, threat intel, URL Defense, DLP, forensics, and policy domains.
Available Tools (13)
Tools are organized into 11 domains:
TAP (Targeted Attack Protection)
Targeted attack campaigns and threat actor tracking.
| Tool | Description |
|---|---|
proofpoint_tap_campaigns_list | List TAP campaigns |
proofpoint_tap_threats_list | List TAP threats |
Threat Intel
Threat intelligence enrichment for indicators (URLs, hashes, IPs).
| Tool | Description |
|---|---|
proofpoint_threat_intel_lookup | Look up a threat indicator (URL / hash / IP) |
URL Defense
URL Defense rewrites and click-tracking.
| Tool | Description |
|---|---|
proofpoint_url_defense_decode | Decode a URL Defense rewritten link |
Events
Email security events stream.
| Tool | Description |
|---|---|
proofpoint_events_list | List recent email security events |
People
Very Attacked Persons (VAPs) and per-user risk.
| Tool | Description |
|---|---|
proofpoint_people_vap_list | List Very Attacked Persons (VAPs) |
Forensics
Per-threat forensic detail.
| Tool | Description |
|---|---|
proofpoint_forensics_get | Get forensic details for a threat |
Quarantine
Held / quarantined message inspection and release.
| Tool | Description |
|---|---|
proofpoint_quarantine_list | List quarantined messages |
proofpoint_quarantine_release | Release a quarantined message |
DLP
Data loss prevention incidents.
| Tool | Description |
|---|---|
proofpoint_dlp_incidents_list | List DLP incidents |
Policy
Email security policy inspection.
| Tool | Description |
|---|---|
proofpoint_policy_list | List configured email security policies |
Smart Search
Smart search across the email security corpus.
| Tool | Description |
|---|---|
proofpoint_smart_search_query | Run a smart search query |
Reports
Aggregate security reports.
| Tool | Description |
|---|---|
proofpoint_reports_summary | Get summary report |