Proofpoint Threat Protection Administrator TPAD01 Exam Questions

Page: 1 / 14
Total 72 questions
Question 1

In the context of spam detection, what is the primary function of Proofpoint Dynamic Reputation (PDR)?



Answer : C

Proofpoint Dynamic Reputation (PDR) is designed to evaluate the reputation of the sending host at the connection level, using the sender's IP address as the core signal. In Proofpoint's own public description of PDR, the technology uses many features to determine the reputation of a particular IP and delays or blocks mail when that IP shows indications of spam activity. That means PDR is not primarily a user training feature, not a user-defined inbox rule engine, and not a simple keyword scanner of message body text.

Its job is to assess the sending MTA before full message acceptance and use that reputation to influence how the system handles the connection. This is exactly why PDR is valuable in early-stage filtering: it helps reduce unwanted traffic before deeper content analysis takes place. Proofpoint's spam architecture also describes a multilayered defense where connection-level analysis includes Dynamic Reputation alongside SPF, recipient verification, and other connection checks.

In practical administrator terms, PDR is part of the front-line evaluation of the source system's trustworthiness, helping the platform identify suspicious or compromised senders quickly and efficiently. That makes the correct answer the option focused on assessing the sending MTA's reputation by IP address.


Question 2

You have just been licensed to export the Smart Search data from your PoD protection server in JSON format. Where would you create the API keys needed by your SIEM to ingest the JSON stream?



Answer : A

The correct answer is A. Admin UI on port 10000 of the PoD. Proofpoint's hosted-cluster administration guidance notes that the accounts admin, and in hosted clusters the podadmin, can access the Admin GUI by direct login to port 10000 of the Proofpoint cluster. That direct administrative interface is the location associated with the underlying PoD administrative controls rather than the higher-level cloud portals used for threat investigation or dashboarding.

Additional integration guidance from Cortex XSOAR's Proofpoint Protection Server integration shows that API access for Proofpoint environments is tied to administrator roles with API permissions, and for on-premise or management-interface scenarios the API role is created in the management interface itself. That reinforces the course logic that SIEM-facing API credentials are created in the core administrative interface, not in TAP or general threat dashboards.

The other options are therefore incorrect in the course context. The TAP Dashboard is for targeted attack visibility and investigation, and the Threat Protection portal is used for operational threat workflows, not for creating the PoD-side API keys referenced in this question. Because the exam wording specifically mentions Smart Search data from your PoD protection server in JSON format, the administrative creation point is the direct PoD Admin UI on port 10000. That is the option aligned with the product's administrative model and with the expected course answer.


Question 3

You need to generate a report from the Cloud Admin Interface. What file formats are available to export?



Answer : C

The correct answer is C. CSV and PDF. In the Proofpoint training materials and related product guidance, report export options are presented as CSV for structured data export and PDF for formatted report output. A Proofpoint training reference for report handling explicitly describes exporting reports as PDF or CSV, which matches the Cloud Admin reporting workflow tested in the Threat Protection Administrator course. Separately, the Threat Protection Student Guide excerpt available publicly shows Smart Search export to CSV for result data, reinforcing that CSV is a standard export format used in the platform for operational reporting and investigation tasks.

The alternative choices do not align with the Proofpoint reporting export formats referenced in the training materials. XML is not presented as a standard report export format in this course context, and while JSON may exist in other product or API workflows, it is not the answer for standard Cloud Admin report export in this administrator course question. The course's Alerts and Reporting section focuses on practical reporting operations, where administrators commonly export human-readable reports to PDF and data-oriented outputs to CSV for spreadsheet analysis or downstream review. Based on the course-aligned materials available, CSV and PDF is the verified answer.


Question 4

During the configuration of an alert profile, which option is specifically required to ensure alerts are delivered to the appropriate individuals?



Answer : A

The correct answer is A because an alert profile or alert notification policy must define who receives the alerts. Proofpoint documentation on monitoring alerts states that an alert notification policy defines which alerts are sent to which email addresses and at what frequency. That means recipient addresses are the essential delivery element. Without them, the system has no destination for the alert notifications, regardless of how the rest of the profile is configured.

The other options may be useful context or supporting settings, but they are not the key requirement for making sure alerts reach the appropriate people. A schedule or frequency can determine when alerts are sent, but not who receives them. A description of alert type helps categorize the alert, but it does not provide delivery targets. A confirmation message is not the core object that determines delivery. In administrator practice, the first operational question for alerting is always: who needs to know? Proofpoint's alerting model answers that by tying alert rules or alert conditions to an alert profile that includes recipient email addresses.

This is consistent with the Threat Protection Administrator course section on Alerts and Reporting, where administrators create profiles and then bind those profiles to alerting events. The critical setting that ensures the right individuals receive the notifications is the list of recipient email addresses, making A the correct answer.


Question 5

Which Email Firewall features should be used together to mitigate directory harvest attacks?



Answer : B, E

Directory harvest attacks try to discover valid recipient addresses by sending large numbers of SMTP recipient attempts and observing which addresses are accepted or rejected. In Proofpoint's layered connection-level defenses, Recipient Verification and SMTP Rate Control are the two features that work together most directly against this problem. Recipient Verification checks whether the addressed mailbox is valid, while SMTP Rate Control helps detect and automatically block or throttle abusive SMTP connection behavior.

Proofpoint's published spam detection material describes connection-level analysis that includes recipient verification and Dynamic Reputation, and then states that based on this analysis, SMTP rate control is used to automatically block or throttle malicious connections, providing strong protection against directory harvest and denial-of-service attacks. That pairing is exactly what makes these two options the correct answer.

Outbound Throttle is aimed at controlling excessive outbound mail from accounts, not inbound recipient enumeration. Dictionaries are content and pattern controls, not recipient-existence validation controls. Bounce Management deals with BATV-style handling of backscatter, which is a different problem space.

The Threat Protection Administrator course topic list also places SMTP Rate Control and Recipient Verification together under the same operational area, reinforcing that they are complementary controls for this class of attack. For a directory harvest scenario, these are the right two protections to deploy together.


Question 6

What does the default exestrip rule do?



Answer : C

The correct answer is C. Deletes the listed attachments from the message and continues processing. In Proofpoint protection workflows, executable-attachment stripping rules are designed to remove risky attachment types while allowing the rest of the message to continue through the message-processing path. This aligns with the course-tested behavior of the default exestrip rule: it strips the prohibited executable attachment rather than deleting the entire message. Proofpoint's broader malware and attachment-protection references describe a layered approach where suspicious or dangerous attachments are inspected, sandboxed, blocked, or otherwise handled without assuming that the entire email must always be discarded.

That distinction matters operationally. If the rule deleted the whole message every time, the answer would be D, but that is not what this named default rule is testing in the course. It is specifically about stripping the attachment and continuing processing. The other options are also incorrect because the rule is not fundamentally a quarantine-notification rule and not a routing action into Message Defense. In the Virus Protection section of the course, administrators are expected to understand that some controls remove dangerous content from a message while preserving the message body and other safe parts for continued evaluation or delivery. Therefore, the verified and course-aligned answer is C.


Question 7

You are tasked with configuring outbound mail for an organization where an external domain has multiple MX records. Only one specific host is accepting mail. What is the best way to specify this specific hostname for outbound mail?



Answer : C

The correct answer is C because when an external domain publishes multiple MX records but only one specific host should actually be used for mail delivery, the clean administrative approach is to control that resolution internally through DNS. Proofpoint mail routing depends on the target destination the system resolves for delivery, and DNS is the normal mechanism used to determine which host should receive mail for a domain. Proofpoint's own MX reference explains that MX records direct email to the appropriate mail server and that priority ordering controls fallback behavior.

If you simply let the mail system perform a normal DNS lookup against the public MX set, it may select among the published records according to priority and availability, which does not meet the requirement of forcing delivery to only one specific host. Likewise, using a wildcard does not create deterministic routing to the exact intended server. While directly entering a destination host in a route can sometimes be used in other routing contexts, the scenario here specifically involves controlling delivery for a domain whose public MX set does not reflect the desired operational target. Using an internal DNS override or internal DNS record lets the Proofpoint system resolve that domain to the exact host you need while preserving consistent routing behavior.

This aligns with the course emphasis on Mail Flow and routing control: when public DNS does not match the required delivery target, the administrator should use internal DNS to steer resolution properly. Therefore, C is the best answer.

