TAP notification alerting is most valuable when there is meaningful risk to users—especially when a threat has been delivered and may require immediate investigation and response. A delivered malicious impostor message (B) is a high-priority condition because it can indicate BEC/executive impersonation or supplier impersonation, which often lacks malware indicators and can lead directly to financial fraud or credential theft. Proofpoint workflows emphasize alerting on delivered threats because “blocked at the gateway” events are already contained, while delivered impostor threats demand rapid action: validate recipient exposure, check user interaction (reply/forward/click), execute post-delivery remediation (TRAP pull/quarantine), and coordinate business verification steps (finance call-back procedures). While blocked clicks can be telemetry, the alert scenario in TAP training contexts typically highlights delivered impostor threats as the condition warranting immediate attention since the attacker reached the user. TAP’s design aligns with IR triage: prioritize what is active, delivered, and likely to cause harm if not rapidly contained.