Setting Up Nuclei Agents with Proofpoint ITM

Overview

Nuclei Agents analyze data that is already being captured by Nuclei and identify findings based on the Agent type and configuration you choose. If you want flagged findings delivered to Proofpoint ITM, you must also configure a separate Proofpoint ITM Channel and connect that Channel to the Agent.

There are two distinct connections involved in this setup:

• A Source-to-Agent connection determines which Nuclei data sources the Agent will analyze
• An Agent-to-Channel connection determines where flagged Agent findings will be delivered

A Source connection alone does not send findings to Proofpoint ITM. A Channel connection alone does not cause an Agent to analyze data.

Prerequisites

• At least one Nuclei Source is already configured and syncing under Configuration > Sources
• Access to Configuration > Agents, Configuration > Channels, and connection settings
• A defined Agent use case such as Insider Threat Matrix, AI Governance, Regulatory Compliance, or a Custom Agent
• Proofpoint ITM connectivity has been provisioned for your Nuclei tenant

If Proofpoint ITM has not yet been enabled for your tenant, please contact Nuclei before creating the Channel.

TLDR

1. Create and configure the Agent
2. Make sure Enabled By Default is turned on for the Agent
3. Create the Source you want the Agent to analyze
4. Create the Proofpoint ITM Channel
5. Connect the Agent to the Proofpoint ITM Channel
6. Validate that flagged Agent findings are appearing in Proofpoint ITM

Getting Setup

1. Create the Agent

1. Go to Configuration > Agents
2. Select New
3. Choose the Agent Type that matches your use case
4. Enter a Description
5. Turn Enabled By Default on
6. Complete the Agent-specific configuration
7. Select Create Agent

Common examples include:

• Insider Threat Matrix for motive-based insider risk detection
• AI Governance for risky or non-compliant GenAI usage
• Regulatory Compliance Agent - Financial Services for configurable surveillance use cases
• Custom Agent for customer-defined review criteria

Depending on the Agent Type, you may be asked to configure items such as:

• Additional Instructions
• Approved Communication Tools
• Banned Communication Tools
• Approved GenAI Tools
• Banned GenAI Tools
• Specific rule groups, motives, or policy categories

Turning Enabled By Default on ensures that Sources created afterward will automatically connect to this Agent.

2. Create the Source

1. Go to Configuration > Sources
2. Select New
3. Configure the Source you want the Agent to analyze
4. Complete any required authorization or onboarding steps for that Source
5. Save the Source

Because the Agent was created first and is Enabled By Default, the Source will automatically connect to it.

Agents do not collect data directly. They analyze data from connected Nuclei Sources.

3. Create the Proofpoint ITM Channel

1. Go to Configuration > Channels
2. Select New
3. Choose Proofpoint ITM
4. Enter a Description
5. Set Enabled By Default based on whether new Agent connections should start active
6. Select Create Channel

The Proofpoint ITM Channel does not require additional customer-entered configuration fields in the Nuclei UI.

4. Connect the Agent to the Proofpoint ITM Channel

1. Open the Agent, or open the Proofpoint ITM Channel
2. In Connected Channels or Connected Agents, select Create New Channel Connection or Create New Agent Connection
3. Choose the Agent and the Proofpoint ITM Channel
4. Confirm Agent Channel Connection is enabled
5. Save the connection

This connection controls where flagged Agent findings will be delivered.

Usage

Once setup is complete:

• Nuclei Sources acquire data into the platform
• The connected Agent analyzes data from the Sources automatically connected to it
• Only flagged Agent findings are forwarded through the Proofpoint ITM Channel
• The same Proofpoint ITM Channel can be connected to multiple Agents as needed

If you need to tune detection behavior later, update the Agent configuration rather than the Channel connection.

Validation

1. Allow time for the connected Source to sync and for the Agent to run
2. Review the Agent and confirm the new Source appears under Connected Sources
3. Confirm flagged findings are being generated
4. Confirm those flagged findings are appearing in Proofpoint ITM

If no findings are appearing in Proofpoint ITM, confirm all three layers are in place:

1. The Source is enabled and syncing
2. The Source is connected to the Agent
3. The Agent is connected to the Proofpoint ITM Channel

Uninstallation

1. Remove the Agent-to-Channel connection if you want to stop sending findings to Proofpoint ITM
2. Disable or remove the Source if you want the Agent to stop analyzing that Source
3. Disable or delete the Agent or Channel if they are no longer needed

More Information

If you need help enabling Proofpoint ITM for your tenant or validating end-to-end delivery, please contact Nuclei Support or your Nuclei account team.