TL;DR: The 2026 Verizon DBIR found the human element was present in 62% of breaches, while Proofpoint says its aggregated assessments across 696 deployments showed a median 27.1% of threats blocked by Proofpoint bypassed Microsoft, highlighting how measurement point and mail flow architecture change what efficacy numbers actually mean. Partial visibility distorts buying decisions, and pre-delivery versus post-delivery controls now matter as much as detection accuracy.
NHIMG editorial — based on content published by Proofpoint: email security efficacy, measurement context, and architectural blind spots
By the numbers:
- The 2026 Verizon DBIR showed that the presence of the human element increased to 62% of breaches this year.
- Across 696 production customer assessments, the median customer running Proofpoint in front of Microsoft Defender catches an additional 27.1% of threats.
- Behind Microsoft, customers see a median of 408 advanced threats delivered per 1,000 users.
Questions worth separating out
Q: What fails when email security benchmarks only measure post-delivery cleanup?
A: They measure residue rather than prevention, which can undercount threats stopped upstream by an inline gateway.
Q: Why do phishing and BEC remain identity risks even when email controls are in place?
A: Because email is often the first trust channel attackers use to reach users, service desks, and cloud identities.
Q: How do security teams know whether an email control is actually blocking threats?
A: They should compare blocked, delivered, and remediated messages using the same threat IDs and the same time window across all layers.
Practitioner guidance
- Standardise measurement at the same mail-flow point Require every proof-of-value exercise to compare controls against the same inbound stream, with identical time windows and the same definition of inspected traffic.
- Separate prevention credit from remediation credit Track blocked, delivered, and post-delivery cleaned messages as different outcomes.
- Audit all bypass paths in Microsoft 365 and similar tenants Test Direct Send, tenant-to-tenant delivery, and any partner or SaaS mail path that may avoid the normal inspection stack.
What's in the full article
Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:
- The exact proof-of-value methodology used to correlate unique threat IDs across deployments and explain how the comparisons were normalised.
- The full breakdown of delivery-path differences between secure email gateway, API-based inspection, and post-delivery remediation models.
- Per-vendor missed-threat totals, false-positive and false-negative data, and the underlying assessment structure used to derive them.
- Examples of how the comparison changes when the email stack is measured before delivery instead of after it.
👉 Read Proofpoint's analysis of email security efficacy and measurement gaps →
Email security benchmarks and visibility gaps: what practitioners need to know?
Explore further
Visibility debt is now a control problem, not a reporting problem: when teams benchmark only what survives upstream filtering, they create a false sense of efficacy that hides the real attack surface. The article shows that measurement point changes the result, which means procurement teams can mistake architectural placement for security performance. For email, identity compromise often begins before a mailbox control ever sees the message, so practitioners should treat visibility gaps as a governance defect.
A question worth separating out:
Q: Who is accountable when a mailbox-based benchmark hides upstream email filtering?
A: The buying team is accountable for insisting on a measurement model that reflects the real architecture, and the vendor is accountable for disclosing exactly what is being counted. Frameworks such as NIST CSF and NIST SP 800-53 expect traceable, auditable controls, so unverifiable comparisons should never be treated as evidence of protection.
👉 Read our full editorial: Email security benchmarks expose the hidden cost of partial visibility