Correct Answer: D
TRAP (Threat Response Auto-Pull) is the Proofpoint capability designed for post-delivery remediation-it can locate and quarantine/pull messages from user mailboxes after they have already been delivered. This is critical in real-world IR because many threats are discovered after initial delivery (e.g., URL reputation flips, delayed detonation results, user-reported phish via "Report Suspicious," or new campaign intelligence). TAP provides detection, verdicting, and campaign intelligence, but TRAP is the mechanism that operationalizes containment inside mailboxes by removing the message from inboxes and other folders to reduce further exposure. In incident handling, TRAP actions are commonly paired with scoping queries (who received it), retroactive search for similar messages, and compensating controls (URL Defense blocks, domain blocks, authentication enforcement). Using TRAP effectively reduces "time at risk" and limits additional clicks or credential submissions after the incident is identified. It also supports auditability by recording which mailboxes were remediated and whether any items were "unavailable," which becomes a follow-up scoping requirement.