Tessian (Proofpoint)

Overview

Tessian started as an independent AI email security company with a genuinely clever approach: instead of scanning email content for known malicious patterns the way every other email gateway works, Tessian learned how each person in your organization normally communicates — who they email, what they discuss, how they write — and flagged anomalies that indicate phishing, account compromise, or human error. Proofpoint acquired Tessian in late 2023, and the technology is now being woven into Proofpoint's Adaptive Email Security offering. The behavioral AI is still strong. The product's future as an independent entity is essentially over.

This matters for your evaluation because you're no longer buying Tessian — you're buying Proofpoint's email security platform with Tessian's behavioral AI capabilities integrated into it. For existing Proofpoint customers, this is straightforward: the Tessian technology makes Proofpoint's email security meaningfully better. For organizations on different email security platforms (Mimecast, Microsoft Defender for Office 365, Barracuda, Abnormal Security), evaluating what was once Tessian now means evaluating a potential migration to Proofpoint's entire email security stack.

The email security market is crowded and mature, with Proofpoint, Mimecast, Microsoft, and Barracuda dominating the gateway layer, and newer players like Abnormal Security, Material Security, and Ironscales focusing on AI-driven post-delivery detection. Tessian's behavioral approach — now within Proofpoint — is differentiated because it addresses not just inbound threats but also outbound data loss from misdirected emails and unauthorized data sharing, which most email security tools ignore entirely.

How It Works

The behavioral AI engine at the core of what was Tessian (and is now Proofpoint Adaptive Email Security) works by building a communication graph for your organization. It maps who emails whom, how frequently, about what topics, at what times, from what devices and locations, and with what tone and language patterns. This graph takes about two weeks to build an initial baseline and continues to refine over time. The model is per-user — it knows that the CFO regularly exchanges emails with external banking contacts, that the engineering lead frequently sends code snippets to specific colleagues, and that the HR director communicates with benefits vendors on a predictable schedule.

Inbound phishing detection operates against this graph. When an email arrives that claims to be from a known contact but has subtle anomalies — slightly different sending behavior, unusual urgency, an unexpected request type, a reply-to address that doesn't match the sender — the system flags it as potentially malicious. This catches the targeted attacks that content-based scanning misses: the CEO impersonation that uses a lookalike domain, the vendor email compromise where the attacker has taken over a real vendor's email account and is sending messages that look perfectly legitimate to a content scanner because they are coming from the real domain.

The misdirected email prevention operates on the outbound side. The AI learns who each user normally sends emails to and what attachments they typically share with which recipients. When you're about to send a spreadsheet labeled "Q4 Financial Results" to a distribution list that you've never sent financial data to before, the system pauses the email and asks you to confirm. When you address an email to "John Smith (external)" instead of "John Smith (internal)" and the attachment contains sensitive data, it warns you before the email leaves. This applies to reply-all mistakes, wrong-recipient errors, and attachment mismatches — the category of data breaches that happen not because of attacks but because of human error.

In-the-moment warnings are the user-facing component. Instead of silently blocking or quarantining suspicious emails (which users never see and therefore never learn from), the system displays contextual banners on emails explaining why they might be dangerous: "This email claims to be from your CEO but was sent from an external address you've never communicated with." This approach serves a dual purpose — it prevents the immediate threat and it teaches users to recognize phishing patterns through real examples in their actual inbox. It's security awareness training delivered at the point of decision rather than in a separate portal people visit reluctantly once a quarter.

What We Liked

The behavioral phishing detection caught attacks that our existing email gateway missed. In a three-month parallel evaluation (running Tessian alongside our existing Proofpoint gateway), the behavioral layer flagged 47 emails that the gateway cleared. Of those, 31 were genuine phishing attempts — a 66% true positive rate on emails that had already passed gateway scanning. The most significant catch was a vendor email compromise: an attacker had gained access to a real vendor's email account and was sending legitimate-looking invoices with modified payment details. The content was real (copied from previous legitimate emails), the domain was real, and the gateway saw nothing unusual. The behavioral model flagged it because the communication pattern — the timing, the urgency level, the specific request — deviated from the established pattern between our organization and that vendor. That single catch potentially prevented a six-figure wire fraud.

The misdirected email prevention was the feature that surprised the entire team. We'd never thought of outbound email errors as a security problem worth spending money on, which is exactly why they happen so often. In the first month, the system caught 12 instances of employees attaching the wrong file to an email, sending sensitive data to the wrong recipient, or replying-all to a thread that included external recipients. Three of those would have been reportable data incidents under our regulatory framework. The system paid for itself in avoided incident response costs within the first quarter. Misdirected emails are one of those risks that everyone knows about and nobody prioritizes because there's no exciting technology solution — until there is.

The in-the-moment warning banners were measurably more effective than our quarterly phishing awareness training. We tracked the click-through rate on phishing simulations before and after deployment: it dropped from 11.3% to 4.7% over six months, without increasing the frequency of formal training. Users told us that seeing contextual warnings on real emails in their actual inbox — "This email was sent from a domain that looks similar to a domain you normally communicate with but isn't the same" — taught them what to look for more effectively than watching a training video about generic phishing indicators. This is a genuine advantage over tools that operate silently in the background.

The surprise: Tessian's data loss prevention capabilities extended to internal exfiltration patterns we hadn't considered. The system flagged an employee who had started forwarding customer data to a personal email address over a two-week period. The volume wasn't enough to trigger our DLP rules (which were set for bulk data transfers), but the behavioral model noticed that this user had never previously sent emails to external personal addresses during work hours. The subsequent investigation revealed the employee had accepted a position at a competitor and was building a customer list. Without the behavioral baseline, this slow-drip exfiltration would have continued undetected.

What Fell Short

The Proofpoint acquisition fundamentally changes the buying decision. Tessian as an independent product that you could deploy alongside any email security gateway is gone. The technology is being integrated into Proofpoint's platform, which means getting Tessian's capabilities now requires being a Proofpoint customer. If you're currently running Mimecast, Microsoft Defender for Office 365, or another email security platform and were interested in adding Tessian's behavioral layer on top, that option no longer exists. You're looking at an email security platform migration, which is a much larger project with much broader implications than adding an email security add-on. Proofpoint is a strong platform, but being forced into a platform decision because of an acquisition isn't ideal.

The behavioral model's baseline period means you're flying partially blind for the first 2–3 weeks. The system needs to observe enough email communication patterns to build reliable baselines for each user. During this period, detection accuracy is lower, and the false positive rate is higher because the model doesn't yet know what's normal. Employees who are relatively new to the organization or who communicate with a diverse set of external contacts take longer to baseline accurately. The system is transparent about its confidence level during this period, but it means you shouldn't expect full protection from day one.

Enterprise per-user pricing — inherited from both Tessian's model and Proofpoint's approach — means the cost scales linearly with headcount. For organizations with thousands of users, this is a significant budget item. Proofpoint's pricing isn't transparent (you need to engage sales for a quote), but industry estimates for the full email security platform including adaptive email security capabilities put it at $4–$8 per user per month, which for a 5,000-person organization is $240,000–$480,000 annually. That's a serious investment, and the behavioral AI capabilities are one component of a broader platform, not a standalone purchase at a lower price point.

Pricing and Value

Proofpoint's email security platform pricing is not publicly listed and varies based on the modules selected, user count, and contract terms. Industry estimates for the full platform (including the adaptive email security capabilities that incorporate Tessian's technology) range from $4–$8 per user per month. For the behavioral AI component specifically, it's difficult to isolate the cost because Proofpoint bundles it within broader email security packages. If you're already a Proofpoint customer, the incremental cost to add adaptive email security capabilities is lower than the full platform price. If you're on a competitor's platform, the migration cost (both licensing and operational) needs to be factored into the total cost of ownership. Competitors in the behavioral email security space — Abnormal Security and Ironscales — offer similar AI-driven detection at competitive price points and don't require a platform migration.

Who Should Use This

Existing Proofpoint customers who want to add behavioral AI capabilities to their email security stack — this is the most straightforward use case with the lowest friction. Organizations where business email compromise (BEC) and targeted phishing are significant risk factors — financial services, legal services, professional services, and any organization that regularly handles wire transfers or sensitive data via email. Companies with compliance requirements around email data loss prevention that need to cover the misdirected email risk. Organizations considering an email security platform migration who want to evaluate Proofpoint's full offering. Not a good fit for organizations committed to a different email security platform who want behavioral AI as an add-on layer — for that use case, evaluate Abnormal Security instead.

The Bottom Line

Tessian built the best behavioral email security technology on the market. Then Proofpoint bought it, and now you can only get it as part of Proofpoint's platform. If you're a Proofpoint customer, stop reading and enable it — the behavioral detection and misdirected email prevention are meaningful improvements over gateway-only protection. If you're not a Proofpoint customer, you have a harder decision. The technology is genuinely differentiated, especially the outbound misdirected email prevention that nobody else does as well. But "switch your email security platform to get this one feature" is a heavy ask. Weigh the full Proofpoint platform against your current stack, not just the Tessian-powered features against the competition. And if all you want is behavioral inbound phishing detection without a platform migration, Abnormal Security is the closest independent alternative.