NVIDIA recently published a powerful framework: “The AI Kill Chain,” mapping how attacks against AI-powered applications unfold. It’s one of the clearest attempts yet to bring structure to an increasingly chaotic security frontier. The framework shows how adversaries move from reconnaissance and data poisoning to exploitation and command and control, giving security teams a common language for understanding AI-specific threats.

What makes this valuable is that it mirrors the maturity curve we saw in traditional cybersecurity. Once we learned to model how attackers think, we could design defenses that anticipate rather than react. But as AI systems evolve from passive models to autonomous agents, we’re facing something new: these agents carry credentials, access sensitive resources, and act on behalf of users – yet their behavior is far less predictable than any human. That’s why identity has to be the focus. Not just what the agent can do, but who it’s acting as, and under whose authority.

The shift from systems to actors

In conventional architectures, systems process inputs. In AI-driven environments, they act.

AI agents query databases, send messages, trigger workflows, and sometimes make policy decisions. They are, in effect, new actors in the enterprise. Each one operates under an identity that carries credentials, permissions, and behavioral patterns.

That identity is what turns an AI system from a model into an agent. And just like human users or service accounts, those identities can be hijacked, over-permissioned, or left unmonitored. This changes how we interpret every phase of the kill chain.

Reconnaissance isn’t just about mapping systems. It’s about discovering which agents exist, what they can access, and who they represent.

Exploitation happens when an attacker manipulates an agent’s logic to perform a legitimate action with illegitimate intent.

Command and Control shifts from remote access to delegated control, using the agent’s trusted identity to operate invisibly inside the environment.

The moment we view AI attacks through the lens of identity, the problem changes. Instead of asking “How do we protect the model?” we should be asking “How do we govern who the model acts as?”

A scenario in motion

Imagine an AI assistant in finance built to reconcile invoices. It’s integrated with payment systems and given credentials to approve small transactions automatically. A malicious prompt subtly changes the logic that defines “small,” and the agent begins approving larger transfers. All within its allowed permissions.

No anomaly detection flags it, because nothing technically breaks policy. The breach doesn’t come from model failure. It comes from identity misuse. The system was doing exactly what it was allowed to do, but under the wrong judgment.

This is where identity becomes the connective tissue across the AI Kill Chain. Each phase (reconnaissance, exploitation, and control) depends on visibility into who or what is acting, under whose authority, and within what boundaries.

Turning the kill chain into a trust chain

Identity security brings disciplines that map directly to AI defense: least privilege, continuous authentication, behavioral baselines, and traceable attribution. Together, they turn reactive controls into proactive assurance. I’d call this a trust chain for AI.

In that chain:

• Every agent has a defined owner and purpose
• Every action carries context: who initiated it, on whose behalf, and within what scope
• Every deviation from expected behavior can be observed, audited, and governed

By connecting lifecycle-based models like the AI Kill Chain with identity-aware controls, we start to close the loop between how attacks unfold and who enables them to unfold.

Looking forward

Over time, identity will become the organizing layer for AI governance. Just as we once centralized access management for human users, we’ll soon do the same for AI agents. We’ll be defining, monitoring, and authenticating every digital actor in the enterprise.

The AI Kill Chain helps us see how adversaries move.

Identity tells us who they move through.

Bringing those two perspectives together is how we turn AI from an opaque system into a trustworthy one. Not by slowing innovation, but by making accountability scalable.

Want to see what this looks like in practice? Read our breakdown of GTG-1002, the first documented agentic cyber campaign – and what it signals for defenders.

Source: Silverfort

Modern MSPs are being asked to do more than ever: support more endpoints, respond faster, retain talent and stay profitable. The challenge is doing all of that without drowning in tool sprawl, ticket volume and constant context switching that slows technicians down and frustrates customers.

That’s exactly what we tackled in the webinar, “12 questions to modernize your MSP operations.” Kaseya’s Abel Concepcion and MSP industry veteran Eric Simpson shared a real-world view of what modernization looks like across the service desk — from day-to-day efficiency improvements to the operational habits that help MSPs scale without chaos.

This session was structured around the IT operations modernization scorecard, a self-assessment built on 12 questions designed to evaluate how modern and scalable your operations really are. The scorecard helps you identify strengths, uncover gaps and prioritize next steps based on the potential biggest impact. You can also watch the full webinar recording here.

Takeaway 1: Disconnected tools quietly tax your margins

When your PSA, RMM and documentation live in separate worlds, technicians don’t spend their time solving problems — they spend it hunting for context.

That “in-between time” adds up fast:

• More clicks, switching and copy-and-paste
• Slower resolution times
• More escalations (because techs don’t have what they need)
• Lower customer satisfaction and lower technician morale

One of the strongest points from the session: integration isn’t just about convenience — it’s about cost control. The more seamlessly systems share context, the faster your team can move from alert to ticket to resolution without losing time (or details) along the way.

To resolve this issue, identify the top three places technicians lose time today (device context, passwords, SOPs, contract/billing fields, prior notes, etc.). Then, prioritize integrations that remove the biggest friction first.

Takeaway 2: Better dashboards = better days

How technicians start their day shapes how they finish it. When work sits in generic queues without clear assignment rules, it can lead to ticket cherry-picking, inconsistent prioritization and missed SLAs.

Modern operations use automation to ensure:

• Work is assigned based on the rules you define (priority, impact, client tier, skill set, etc.)
• Techs focus on execution, not constant decision-making
• Service managers get visibility into workload and bottlenecks

Move from “watch the queue” to rules-based assignment and role-based dashboards so the right work reaches the right person automatically.

Takeaway 3: AI works best when it’s embedded — and backed by real data

AI isn’t magic. It’s only as effective as the information you feed it. The webinar highlighted that the biggest gains come when AI is embedded directly into daily workflows, not treated as a separate tool.

For example:

• Summarizing ticket activity so escalations don’t start from scratch
• Flagging missing triage details
• Helping generate SOP-style documentation from real work performed

None of this works unless technicians consistently log clear notes and updates in the ticket. AI can only add value when your process is solid and your data is complete. A simple rule to reinforce is: if it’s not in the ticket, it didn’t happen — especially before escalations or vendor handoffs.

Takeaway 4: Process isn’t rigidity — it’s clarity

When the process breaks down, the symptoms are obvious:

• Everyone “fires from the hip”
• Service quality varies by technician
• Performance is hard to measure fairly
• Customers wait for their “favorite tech” instead of accepting the next available resource

As Eric Simpson bluntly put it, in the absence of process, people do what they think is right, which may not align with what the business needs.

Standardizing how work flows through the service desk creates consistent outcomes across the board. Issues are handled the same way, escalations follow a clear path, resolution steps are documented instead of improvised and automation runs on rules you can trust (not guesswork).

Takeaway 5: Documentation can’t be optional — and tribal knowledge doesn’t scale

Relying on what’s “in someone’s head” creates fragility. When documentation isn’t centralized and actively used:

• New hires ramp slowly
• Tickets take longer when your best techs are unavailable
• Teams repeat troubleshooting steps they’ve already solved
• Customers get inconsistent outcomes

The webinar also called out a cultural truth: most techs don’t love documenting, especially when they’re slammed. That’s why the right approach is to make documentation easier to create, easier to find and harder to ignore, with shared standards and accountability. To get started, standardize where documentation lives, how it’s named, who owns updates and how techs are expected to reference it during ticket work.

Takeaway 6: The best MSPs modernize through evolution, not revolution

You don’t modernize by rebuilding everything at once. High-performing MSPs:

• Review and refine regularly
• Fix the biggest bottleneck first
• Measure outcomes (SLA attainment, resolution time, utilization, CSAT)
• Build alignment with weekly team rhythms

Modernization isn’t a one-time project. It’s a habit.

Ready to benchmark your MSP operations?

If you’re unsure where to start, use the same framework the webinar is based on: the IT operations modernization scorecard. It includes 12 questions designed to highlight where your operations are strong today, and where modernization will deliver the biggest impact.

Source: Datto

The product team is pleased to announce that Sophos Firewall v22 is now generally available. This update brings several Secure by Design enhancements and many of your top requested features.

Secure by Design

Over the last several weeks, we’ve covered the importance of Secure by Design principles and why we need secure products as much as we need security products. Sophos Firewall v22 builds on the many security and hardening enhancements from previous releases to take Secure by Design to whole new level.

Watch this video for a quick overview of what’s new:

Sophos Firewall Health Check

A strong security posture depends on ensuring your firewall is optimally configured. Sophos Firewall v22 makes it much easier to evaluate and address the configuration of your firewall with the new Health Check feature.

This new feature evaluates dozens of different configuration settings on your firewall and compares them with CIS benchmarks and other best practices, providing immediate insights to areas that may be at risk. It will identify all high-risk settings and provide recommendations with quick drill-down to the areas of concern so you can easily address them.

The Health Check status is displayed on a new Control Center widget and a full report is available under the “Firewall health check” main menu item.

Other Secure by Design enhancements

Next-Gen Xstream architecture

Introducing an all-new control plane re-architected for maximum security and scalability that will take us into the future. The new control plane enables modularization, isolation, and containerization of services like IPS for example, to run like “apps” on the firewall platform.

It also enables complete separation of privileges for added security. In addition, high-availability deployments now benefit from a self-healing capability that is continuously monitoring system state and fixes deviations between devices automatically.

Hardened kernel

The next-gen Xstream Architecture in Sophos Firewall OS is built upon a new hardened kernel (v6.6+) that provides enhanced security, performance, and scalability.

The new kernel offers tighter process isolation and better mitigation for side-channel attacks as well as mitigations for CPU vulnerabilities (Spectre, Meltdown, L1TF, MDS, Retbleed, ZenBleed, Downfall). It also offers hardened usercopy, stack canaries, and Kernel Address Space Layout Randomization (KASLR).

Remote integrity monitoring

Sophos Firewall OS v22 now integrates our Sophos XDR Linux Sensor that enables real-time monitoring of system integrity, including unauthorized configuration, rule exports, malicious program execution attempts, file tampering, and more.

This helps our security teams – who are proactively monitoring our entire Sophos Firewall install base – to better identify, investigate, and respond more quickly to any attack. This is an added security capability that no other firewall vendor provides.

New anti-malware engine

Sophos Firewall OS v22 integrates the latest Sophos anti-malware engine with enhanced zero-day real-time detection of emerging threats using global reputation lookups.

It takes full advantage of SophosLabs’ massive cloud database of known malicious files, updated every five minutes or less. It also introduces AI and ML model detections and delivers enhanced telemetry to SophosLabs for accelerating their emerging threat detection analysis.

Other security and scalability enhancements:

• Firmware updates via SSL and certificate pinning ensures authenticity
• Active Threat Response logging improvements enhance visibility
• NDR Essentials threat score is included in Logs for added insights
• NDR Essentials data center selection for data residency requirements
• Instant web category alerts for education institutions
• XML API access control enhancements with added granularity
• TLS 1.3 support for device access for the WebAdmin console and portals

Top requested features and quality of life enhancements:

• Enhanced navigation performance
• Hardware monitoring for SNMP with a downloadable MIB
• sFlow Monitoring for real-time visibility
• NTP server settings defaults to “Use pre-defined NTP server”
• UI enhancements for XFRM interfaces with pagination and search/filter options

SG UTM features:

With Sophos UTM coming toward end-of-life soon (July 30, 2026), some migrating customers will appreciate these added features:

• SHA 256 and 512 support for OTP tokens
• MFA support for WAF form-based authentication
• Audit trail logs with before and after tracking to meet the latest NIST standards

Get the full details

Download the full What’s New Guide for a complete overview of all the great new features and enhancements in v22. Also be sure to check out the full release notes documentation.

How to get v22

As with every firewall release, Sophos Firewall v22 is a free upgrade for Sophos Firewall customers with Enhanced or Enhanced Plus Support and should be applied to all supported firewall devices as soon as possible.

With the new architectural changes in v22, this update may require some additional steps for a very small percentage of existing desktop, virtual, or software firewall devices to free added disk space or resize the root partition. If your device requires additional steps this will be noted before you download with a link to instructions for the additional steps.

Review this video for an overview of the different devices and steps that may be required:

A quick summary:

• XGS 2100 and above – no additional steps required
• XGS Desktop Series – 97% will seamlessly upgrade, with 3% requiring a few additional manual steps which will be flagged by an alert
• Virtual/software devices deployed prior to v18 also require additional steps

If your device requires some additional manual steps to upgrade, the alert will advise you of what’s required in-product or via Sophos Central before you download the firmware. The alert will link to the required steps in this KB article: Requirements and resolution to upgrade to v22.

This firmware release will follow our standard staged roll-out process. The new v22 firmware will be gradually rolled out to all connected devices in phases over the coming weeks. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience.

Source: Sophos

We’re thrilled to unveil Sophos Intelix for Microsoft 365 Copilot, a powerful new integration that brings world-class threat intelligence from Sophos X-Ops directly into your daily workflow to enhance your cybersecurity outcomes.

Security analysts and IT professionals can instantly access, investigate, and respond to emerging cyber threats right from the Copilot chat interface, without leaving the Microsoft 365 environment, accelerating attack neutralization. This seamless experience transforms threat intelligence from a separate resource into an actionable, always-on ally that accelerates decision-making, strengthens cyber resilience, and fuels more effective collaboration across teams.

Benefits of Sophos Intelix for Microsoft Copilot

• Seamless Access to Threat Intelligence: Security and IT administrators, risk managers, and business users can interact with Sophos Intelix directly using natural language via Copilot chat, submitting artifacts and receiving real-time threat intelligence without leaving the Microsoft 365 ecosystem. This speeds up threat investigation and response, reducing the impact of threats.
• Comprehensive Threat Analysis: Sophos Intelix leverages cloud lookups, static and dynamic analysis, and the power of Sophos X-Ops threat intelligence to deliver detailed, explainable verdicts on files and URLs. This enables users to understand not just whether something is malicious, but why, facilitating faster, informed decision-making.
• Open Access: The agent is available to all Microsoft 365 Copilot users at no charge, democratizing access to world-class threat intelligence.

How to access Sophos Intelix for Microsoft Copilot

The Sophos Intelix Agent is available for free via the Agent Store in Copilot Studio and Teams. The single agent brings all the Sophos Intelix capabilities to Copilot, including:

• Cloud Lookups
• Static Analysis (File and Web)
• Dynamic Analysis

With the chat interface, users can tap directly into the deep, real-time threat landscape insights of Sophos X-Ops. Far surpassing traditional chat-ops integrations, the agent understands natural language queries, delivering actionable, expert-driven answers—so security teams can anticipate, adapt, and neutralize threats faster than ever before.

Democratizing cybersecurity for every organization

Today’s release marks a major milestone in the delivery of Sophos’ broader vision of making Sophos X-Ops data and services accessible through agent-based frameworks. With unmatched breadth and depth of data, include intelligence from SophosLabs and the Sophos managed detection and response (MDR) service, Sophos X-Ops provides security operations center (SOC) analysts with deeper threat visibility – including adversary behaviors, signature and IOC metadata, threat actor attribution, and prevalence insights – all surfaced naturally within the tools that analysts use daily. The result: more empowered analysts, faster attack resolution, and reduced cyber risk.

Ready to transform your cyber defense strategy? Start using Sophos Intelix for Microsoft 365 Copilot today and experience the future of proactive, integrated threat intelligence—right where your teams work every day.

Source: Sophos

We released Sophos DNS Protection for networks last year, and it is now close to serving its 600 billionth query. Since then, many of you have asked for a version that can be used on roaming endpoints and for additional insights into DNS requests along with DNS over HTTPS.

Today, we are excited to launch the early access program (EAP) for DNS Protection on Windows endpoints with enhanced visibility into which users and devices are making DNS queries and support for HTTPS.

As you know, Sophos DNS Protection for Endpoints enables an added layer of transparent web protection across all ports, protocols, and applications.

Sophos DNS Protection for Endpoints

DNS Protection can now be deployed and enabled on your Windows endpoint devices in Sophos Central. Once deployed, the agent intercepts all DNS traffic from programs and apps on the Windows device and forwards it to the nearest DNS Protection resolver via DNS over HTTPS. DNS Protection will check the requests for security risks and policy compliance and allow or block access accordingly.

DNS Protection policies provide a comprehensive set of controls:

• Category-based allow and block rules
• Custom domain allow and block lists
• Enforcing safe search features on Google, YouTube, and other search engines

Enhanced visibility

All DNS queries originating from your endpoint devices are logged with the user and device names. This allows you to pinpoint problematic devices and target responses to address security issues. It also enhances the data available during XDR and MDR incident investigations.

Note: device and user identities are only available when used in conjunction with the Sophos DNS Protection for Endpoints agent and not yet for DNS Protection on Sophos Firewall.

DNS over HTTPS for privacy and integrity

Sophos DNS Protection for Endpoints supports DNS over HTTPS for added privacy and integrity. By using a secure, encrypted TLS tunnel, all queries and responses are protected from network snooping and from attacks, such as DNS cache poisoning, that exploit the open nature of traditional DNS protocols.

HTTPS support is only available on DNS Protection for Endpoints at this point, however it will come to Sophos Firewall in the near future.

Getting started

Get started today with the early access program for Sophos DNS Protection for Endpoints on the Sophos Community.

Source: Sophos

The use of SaaS applications and the volume of cloud workloads are surging. Businesses today use approximately 112 SaaS apps for various business operations. According to The State of BCDR Report 2025, over 50% of workloads and applications now run in public cloud environments, and this is expected to reach 61% within the next two years.

The cloud has become the new endpoint, where employees collaborate, data resides and critical business operations run. Today, cloud platforms serve not only as the backbone of modern business productivity but also as the primary attack vector for cybercriminals.

Traditional security controls, such as firewalls and endpoint detection and response (EDR) tools, protect on-premises assets and devices. However, business-critical SaaS platforms, such as Microsoft 365, Google Workspace and Salesforce, fall completely outside EDR coverage, leaving organizations vulnerable to cyber-risks like account takeovers, data exfiltration and configuration-based attacks that bypass conventional defenses.

Protecting cloud environments requires a new approach to detection and response. That’s where cloud detection and response (CDR) solutions come in. CDR solutions are designed specifically to fill this gap by providing continuous monitoring, real-time threat detection and alerting and rapid response capabilities across SaaS environments.

In this blog, we’ll discuss what CDR is, why it matters and how it protects cloud environments from emerging threats.

What is cloud detection and response?

Cloud detection and response is a security approach that continuously monitors activity across cloud platforms to detect, analyze and respond to threats in real time.

Let’s take a look at how the cybersecurity landscape has evolved through successive generations of detection and response technologies to better understand the role of CDR.

From antivirus to CDR: The evolution of detection and response

As cyberthreats advanced, security tools adapted in response, resulting in new approaches to protecting shifting attack surfaces:

Antivirus (AV): Antivirus solutions scan the programs and files on endpoint devices using methods such as signature-based detection, heuristic analysis and behavioral monitoring to identify malicious software. However, while antiviruses are effective against known threats, traditional antivirus tools offer little to no visibility into novel or sophisticated attacks in cloud environments.

Endpoint detection and response: As threats become more complex, EDR solutions have emerged to provide continuous monitoring, behavior-based analytics and real-time, automated responses to threats on endpoints such as laptops, desktops and servers that antivirus software fails to detect.

Extended detection and response (XDR): XDR unifies data from multiple security layers, including endpoints, networks and cloud workloads, into a single platform. By breaking down silos, it delivers a more integrated and coordinated approach to detecting and responding to modern threats.

Cloud detection and response: The latest advancement in cybersecurity defense is cloud detection and response. CDR is a proactive security solution designed for threat detection, investigation and response within cloud and SaaS environments — domains that are typically beyond the monitoring capabilities of EDR and XDR platforms.

Why traditional security tools fall short

Traditional security tools such as AV, EDR and firewalls were designed to monitor endpoints and create a network perimeter. They are effective at protecting physical devices and on-premises infrastructure, strengthening an organization’s security posture by detecting malware, blocking unauthorized access and monitoring endpoint behavior. However, as organizations increasingly shift their operations to cloud-based applications, such as Microsoft 365, Google Workspace, Salesforce and other SaaS platforms, these tools fall short of protecting the environments where most business activities now occur.

Cloud services operate outside the reach of traditional endpoint tools. EDR agents cannot monitor activity within web-based SaaS applications, and firewalls miss attacks that occur through legitimate cloud APIs. Attackers now exploit cloud identities and permissions, rather than targeting devices.

In cloud-focused attacks, cybercriminals:

Abuse OAuth permissions by tricking users into granting malicious apps access to corporate data.

Exploit shared links, as overexposed or publicly shared files can become easy entry points for data theft.

Bombard users with repeated authentication requests until they accidentally approve one.

Exploit compromised credentials — obtained through data breaches or purchased on dark web forums — to infiltrate cloud accounts undetected.

Traditional endpoint tools often fail to detect these threats, creating a critical visibility and response gap that leaves organizations vulnerable, even when they have endpoint and network security solutions in place.

Businesses need a reliable CDR platform to monitor, detect and respond to evolving threats across SaaS and cloud environments where traditional endpoint security solutions have limited reach.

How cloud detection and response works

CDR combines monitoring, analytics and automation to deliver continuous protection across cloud environments. Unlike traditional security tools that focus on endpoints or networks, CDR solutions are built to operate natively in the cloud, connecting through APIs and activity logs.

The key components of a modern CDR platform include:

Continuous cloud monitoring

CDR continuously monitors SaaS apps for suspicious activity by tracking login locations, file-sharing behavior, privilege changes and third-party app integrations. This provides real-time visibility into how users and applications interact with sensitive data across services such as Microsoft 365, Google Workspace and others.

Behavioral analytics

Modern CDR platforms use machine learning-powered behavioral analytics to identify anomalies that indicate potential compromise. For example, a user logging in from unapproved locations, sharing business-critical files with people outside the organization or granting excessive permissions, might suggest malicious intent or account takeover.

Automated response

CDR systems can take automated response actions to mitigate or eliminate threats as soon as they are detected. This might include temporarily disabling the compromised account or blocking suspicious login attempts. Automation helps minimize response times — reducing dwell time and limiting the damage caused by unauthorized access or data exfiltration.

Integration with other security tools

CDR integrates with other security tools, such as Security Information and Event Management (SIEM), XDR and identity and access management (IAM) platforms to deliver a unified and coordinated defense. This integration with broader security ecosystems provides a comprehensive view of the threat landscape, enabling real-time threat detection, faster investigation and automated response.

Benefits of implementing CDR

CDR solutions provide real-time visibility and automated threat remediation across SaaS environments. Here are some of the key benefits:

Faster detection of account takeovers and insider threats

Advanced CDR platforms monitor user behavior and cloud activities to spot anomalies, such as unusual logins, privilege changes and suspicious data transfers. This helps security teams quickly detect and respond to account takeovers, insider threats and other credential attacks that traditional tools may miss.

Prevention of data leaks via malicious OAuth apps or misconfigurations

By monitoring API connections, file sharing and app permissions, CDR prevents data leaks from malicious OAuth apps, misconfigurations or excessive sharing. It protects sensitive business data in cloud apps, such as Microsoft 365, Google Workspace or Salesforce, from exposure or misuse.

Reduced manual workload through automated remediation

Cutting-edge CDR platforms, such as SaaS Alerts, automate time-consuming response actions. They lock accounts during breaches, terminate risky file sharing and alert IT technicians. This not only reduces the manual workload for MSPs but also allows them to act quickly before threat actors can inflict additional damage. Automated remediation through CDR implementation allows MSPs to focus on higher-value security tasks instead of repetitive incident handling.

Enhanced compliance and audit readiness

With detailed activity logs, reporting and continuous monitoring, CDR helps MSPs enhance auditability and simplify regulatory compliance for their clients. It enables providers to demonstrate adherence to key industry standards, including HIPAA, GDPR and SOC 2. CDR delivers evidence of proactive threat detection and response across all managed cloud environments.

Cloud detection and response for MSPs

With SaaS applications now serving as core platforms for business-critical operations, implementing a robust CDR solution is no longer optional for MSPs and their clients.

Visibility into client SaaS environments

For MSPs managing dozens or even hundreds of client environments, visibility is crucial. Modern businesses rely heavily on SaaS apps to create, store and share sensitive data. However, these applications often fall outside the scope of traditional endpoint and network monitoring tools. Without direct visibility into these environments, MSPs cannot detect threats, such as account compromises, misconfigurations or unauthorized data sharing.

A reliable cloud detection and response solution provides a centralized view of SaaS threats across all tenants, without the complexity of deploying endpoint agents or juggling multiple tools. It provides MSPs with real-time insights into client cloud activity, including suspicious logins, risky file sharing and third-party app integrations. This enables MSPs to proactively identify threats and respond quickly before they escalate.

Ease of deployment and automation at scale

CDR platforms connect to client SaaS platforms via secure APIs, helping MSPs quickly onboard tenants and scale as their client base grows. For instance, the SaaS Alerts App Wizard allows MSPs to integrate with any SaaS application that has a viable API, pulling mission-critical data into SaaS Alerts. This supports quick detection and response to security threats across almost all of their clients’ SaaS applications.

Once deployed, automated detection and response workflows handle necessary security tasks, such as temporarily disabling affected accounts or blocking suspicious login attempts. This automation reduces manual burden, helping MSPs better protect clients with minimal overhead.

How Kaseya 365 User simplifies cloud detection and response

Kaseya 365 User includes cloud detection and response across Microsoft 365, Google Workspace, Salesforce and other critical SaaS applications, helping MSPs simplify their SaaS security operations.

The CDR platform constantly monitors and protects your clients’ SaaS applications, detecting unauthorized access and shutting it down without requiring any manual intervention. It provides real-time alerting and automated remediation steps, with actions taken within seconds of malicious activity. This significantly minimizes the risk of data egress or malicious activity within your clients’ most vulnerable environments.

Discover how Kaseya 365 User helps MSPs strengthen their clients’ cloud security while boosting their bottom line. Learn more.

Source: Kaseya

It’s that time of year when network admins in many parts of the world are looking forward to spending more time with family and friends and less time in front of their management consoles.

Unfortunately, this is also a peak period for cyberattacks. To help ensure your network is optimally secure over the holidays, here are a few quick and easy best practices you can utilize.

For a full list of best practices to secure your network from ransomware and other attacks be sure to download our whitepaper on this topic.

Update firmware and shut down unnecessary systems

Make sure that before you depart for the holidays, all your network infrastructure has been updated with the latest firmware and any unnecessary infrastructure is shut down and offline.

Any system exposed to the Internet either directly or indirectly (via NAT) represents a potential vulnerability and risk. Eliminate as much of that attack surface as possible by taking it offline, and update and lock down the rest.

Firmware updates often contain important security patches for known vulnerabilities or hardening enhancements that can improve your security posture. If you’re a Sophos Firewall customer, make sure you’re running the latest firmware update for your device and consider enrolling in the early access program for Sophos Firewall v22, which includes many new security hardening features and a new Health Check feature to ensure your firewall is configured optimally.

If you have other internet facing infrastructure like a VPN concentrator or WAF, make sure these systems are also up to date or shut down.

Check your configuration against best practices

Double check that all access controls, portals, NAT rules, networked apps, IoT devices, and administration systems are either disabled or locked down.

As mentioned above, if you’re a Sophos Firewall customer, consider upgrading now to the v22 early access program to take advantage of all the new security hardening capabilities and the new firewall Health Check feature that will assess your configuration against best practices to highlight any risky areas.

Ensure all systems use strong authentication with MFA

Make sure all admin consoles and remote access systems are either shut down or protected against brute force attacks or stolen credentials with multi-factor authentication.

As you would expect, Sophos Central, Sophos Firewall, ZTNA, and our full line of network security solutions leverage MFA to help protect your systems from unauthorized logins. Sophos Firewall v22 also includes new MFA support for the Web Application Firewall – one of the many top requested features in this release.

At any rate, make sure MFA is enabled for all your systems.

If you’re attacked, we can help

If you experience an emergency incident over the holidays (or any time), you can engage our fixed-fee Sophos Rapid Response service. Our team of expert incident responders will help you triage, contain, and eliminate active threats, and remove all traces of the attackers from your network.

Whether it’s an infection, compromise, or unauthorized access attempting to circumvent your security controls, we’ve seen and stopped it all. Sophos Rapid Response is available 24/7/365, including over the holiday period.

Source: Sophos

In the rapidly evolving landscape of cyber threats, artificial intelligence is no longer a luxury: it’s a necessity. At Sophos, we recognized this reality early: we’ve been integrating sophisticated AI capabilities across our product portfolio since 2017.

This deep, practical expertise has allowed us to build the industry’s largest AI-native security platform, combining both predictive machine learning (ML) and revolutionary generative AI (GenAI) to deliver faster detection and smarter, more automated responses.

However, power requires principle. Our long-standing commitment to leveraging AI for defense is governed by a framework designed to ensure that our technologies are not only effective but are also developed and deployed with the highest standards of safety, ethics, and trust.

The six pillars of our responsible AI framework

Our approach to responsible AI in cybersecurity is built on six core principles, which guide every phase of development, deployment, and monitoring:

• Human-centered: We design AI to enhance human expertise, not replace it. Our tools are built to support security analysts, allowing them to make faster, smarter decisions while maintaining full control over critical security operations.
• Robust: Our models undergo rigorous development, stress testing, and continuous improvement, ensuring high accuracy and precision to minimize false positives and maintain resilience against real-world complexity and adversarial attacks.
• Outcome-focused: We measure success by real-world impact. Our AI is engineered to optimize prevention, accelerate detection, and neutralize threats faster, focusing on measurable cybersecurity benefits for our customers.
• Security and privacy first: Protecting customer data is paramount. Our systems are built with security and privacy embedded from the start, guided by clear usage policies and global standards. Crucially, we do not share customer data to train third-party large language models (LLMs).
• Accountable: We have established strong governance frameworks with clear roles and oversight to manage risk and review our AI systems at every stage, ensuring we take full responsibility for the technology we develop.
• Transparent: Effective security partnership requires understanding the tools you rely on. We strive to explain what our AI does and how it works, including its capabilities and, importantly, its limitations. We provide clarity around how our AI technologies are developed, including how data is utilized for training our proprietary models, and how we work with technology partners.

Sophos continues to leverage the transformative power of AI to defeat cyberattacks. By anchoring our innovation in a steadfast commitment to human oversight, robust engineering, and complete transparency, we ensure our technologies remain a trustworthy and powerful asset in the global fight against cybercrime.

This openness, through product documentation and governance practices, empowers our customers to make informed decisions and assess the suitability of our AI solutions for their unique needs.

In that spirit, we invite you to further review our AI Principles in Cybersecurity and Responsible AI FAQs web pages, both located in the Sophos Trust Center.

Source: Sophos

Ransomware attacks are evolving faster than ever. For already stretched IT and security teams, staying ahead can feel impossible, but it doesn’t have to be.  

The right combination of firewall and endpoint security can stop ransomware before it spreads and restore confidence at the edge of your network. 

To help organizations navigate this shifting threat landscape, Chris McCormack, Sophos Network Security Specialist, presented how integrated defenses built on Sophos Firewall and Sophos Endpoint can reduce risk and rebuild trust. Here are five key takeaways from our recent webinar, “Rebuilding Trust at the Edge: A Smarter Approach to Firewall Security.”

Reduce your attack surface

Every exposed system is a potential entry point. Consolidating and securing infrastructure limits opportunities for attackers — and makes your defenses simpler and more effective.  

“The best practices to prevent being attacked or targeted in the first place are perhaps most important,” McCormack said during the webinar. “These reduce your surface area of attack or risk of being attacked, which is largely focused on things like minimizing exposed infrastructure and ensuring that what you do have that’s exposed is hardened so it’s not an attractive target — or at least not as attractive as the next vendor.” 

Start by identifying everything that is exposed to the internet and removing what’s unnecessary, and hardening what must remain. The fewer targets you present, the harder it is for attackers to get in, and the easier it is for your team to defend.

Design systems to be secure from the start

Security shouldn’t be bolted on — it should be built in. Systems exposed to the internet must be configured correctly, continuously updated, and hardened against attacks.  

“Make sure you look for a vendor that can provide automatic over-the-air updates or critical patches that don’t require you to lift a finger,” McCormack said. “You shouldn’t have to schedule a firmware upgrade or reboot your network every time there’s a new vulnerability discovered.” 

Sophos Firewall’s automated patching, strong default policies, and cloud-managed configuration through Sophos Central simplify security operations for even small IT teams. Enforcing strong passwords, enabling multi-factor authentication, and applying zero-trust principles are baseline controls that keep intruders out.

Adopt Zero Trust Network Access (ZTNA)

Traditional VPNs assume trust once a connection is made. ZTNA flips that model — no user or device is trusted by default.  

Sophos ZTNA verifies identity and device health before granting access, dramatically reducing the risk of lateral movement if an attacker gets ahold of credentials. 

“I can’t stress enough the importance of utilizing [ZTNA], which is all about trusting nothing and verifying everything,” McCormack said. “Credential theft [is] a key root cause of ransomware attacks. That’s because many firewalls, many organizations, and network security are trusting that if you have those credentials, we trust you. ZTNA solves this problem.” 

Integrated through the Sophos Central platform, Sophos Zero Trust Network Access (ZTNA) offers unified visibility and control over users, devices, and applications — from a single pane of glass.  It is a smarter, more secure way to connect remote users and ensure every interaction with your network is legitimate.

Don’t let encrypted traffic hide threats

With most internet traffic now encrypted, attackers use it to mask their movements. 

Sophos Firewall uses intelligent TLS inspection and AI-powered analysts to reveal hidden threats — without compromising performance.  

“There are technologies out there now that you can use that leverage AI to discover encrypted threat communications and network traffic without you actually having to do the heavy lifting of decrypting that traffic,” he said. 

By combining deep packet inspection with insight from Sophos X-ops threat intelligence, Sophos Firewall detects and blocks malware, command and control traffic, and exploits within encrypted sessions — ensuring attackers cannot hide in plain sight.

Detect and respond to active threats — Fast

Even with strong defenses, incidents can still happen — and speed is everything.

Segment your network to contain threats, monitor east-west traffic with Sophos Network Detection and Response (NDR), and unify response through Sophos Extended Detection and Response (XDR).  

“Technologies like NDR are typically something you would only find in large enterprise networks, but we’re making it available to everyone and for free,” McCormack said. “So, if a threat is detected by any of our products or an analyst, that information is shared immediately with all other software, and the response kicks off automatically.” 

Sophos XDR and NDR work together to give complete visibility across endpoints, firewalls, and email by correlating data to spot suspicious behavior, isolating compromised devices, and stopping attackers in their tracks. This synchronized defense, powered by real-time intelligence, gives security teams enterprise-grade speed and confidence. 

Source: Sophos

SealPath, a leading provider of data-focused security and digital rights management, announces the launch of its new product “SealPath Data Classification powered by Getvisibility”.

By utilizing the latest in Artificial Intelligence and Machine Learning technology, it provides its customers with advanced data visibility, protection, control, and dynamic understanding solutions as they are created.

This innovative tool, enhanced with AI for data classification and automatic protection of labeled information, provides the technology that corporate clients need to classify data securely and accurately throughout its lifecycle. This way, organizations from any sector gain the ability to prevent data leaks and comply with the strictest data protection regulations.

With SealPath’s classification, the user receives suggestions on the classification level when creating and editing a document. The software learns and adapts to different types of documents, continuously improving its accuracy through AI, and allows organizations to classify unstructured information with unprecedented confidence.

SealPath information protection is 100% integrated with the new intelligent data classification system, so those files labeled with a specific classification level or subject to specific regulation can be protected automatically and without user intervention.

“SealPath Data Classification powered by GetVisibility was born in response to the obsolete technologies that many companies are currently using to classify and manage their data. The solution’s machine learning models have been previously trained for years through data containing a wide range of document types, from personal, medical, and financial information, and different market verticals. These meticulously trained models, combined with robust software specialized in data classification, minimize human error, costs, and time in labeling corporate information. We hope that this new solution completely transforms the way organizations classify and protect their information,” says Luis Ángel del Valle, CEO of SealPath.

SealPath Data Classification employs a flexible approach, considering different dimensions like data sensitivity, associated regulations (PCI, GDPR, CMMC, etc.), data types, and distribution scope. In this way, the system can adapt the classification to the organization based on the aforementioned dimensions.

SealPath’s protection, along with the AI and Machine Learning classification system, streamlines an organization’s efforts to prevent data classification errors quickly and cost-effectively.

Learn more about SealPath Data Classification here.

Source: Sealpath

We’re excited to share that Silverfort is named as an Example Vendor in the 2025 Gartner A Well-Run Active Directory Requires Strong Identity Controls, authored by Paul Rabinovich, May 2025.

Silverfort is proud to be recognized as an Example Vendor in three key areas of the report:

• Implement MFA to Resources Integrated with AD
• Implement Identity Posture Management and Identity Threat Detection and Response (ITDR)
• MFA Integration Options for AD-Bound Legacy Applications (Authentication Forwarding Solutions)

As organizations race toward the future of the cloud, Active Directory remains one of the most challenging assets to protect. It’s deeply embedded in enterprise infrastructure, and while companies modernize, securing AD and other legacy systems can’t be an afterthought. They still hold the keys to critical access and remain prime targets for attackers.

Silverfort helps organizations secure every identity—human, machine and AI—from legacy to cloud, including the systems that traditional tools can’t cover.

Active Directory security demands strong identity controls

AD has long been the backbone of enterprise identity—and a prime target for attackers.

While AD remains critical, too many organizations are leaving it exposed to credential compromise, lateral movement and privilege escalation.

How Silverfort puts Gartner’s framework into action

Silverfort helps organizations put these best practices into action. Our identity security platform extends modern identity security to AD authentication paths, including systems and protocols traditional identity and access management (IAM) tools can’t reach.

Silverfort delivers MFA protection to every resource and access path, including homegrown applications, command-line tools, legacy systems, and OT environments, while continuously analyzing every authentication across AD and Entra ID for risky behavior.

With Silverfort’s Non-Human Identity (NHI) Security, organizations can discover all NHIs across AD and cloud, map their behavior and risk, and enforce real-time protection for AD service accounts through virtual fencing policies. By combining adaptive MFA, identity security posture management (ISPM), and real-time identity threat detection and response (ITDR), Silverfort helps secure the heart of enterprise identity from the attacks that target it most—all without any infrastructure changes.

Leading the next era of Identity Security

Identity is the new security perimeter, and AD remains central. As environments become more hybrid and threats more sophisticated, organizations need visibility into every authentication, real-time threat detection, and inline, risk-based enforcement for both human and non-human identities.

That’s the evolution Silverfort leads. By integrating seamlessly with both AD and cloud identity providers, Silverfort delivers the most compete security across all types of identities (including human, machine, and AI agents), systems, and applications.

With Silverfort, identity and security teams can work together to enforce MFA protection, continuous risk assessments, ISPM, and ITDR from a unified platform, securing every authentication without disrupting users or infrastructure. This approach embodies the same principles Gartner outlines in its framework: building strong, layered identity controls that protect AD today while preparing for the future of hybrid identity.

Source: Silverfort

In the last few articles on the topic of our latest Sophos Firewall release, we’ve discussed the importance of Secure by Design and covered one of the highlights of this release: the new Health Check feature. There are also a number of other important enhancements to Secure by Design in Sophos Firewall v22. Let’s take a look.

Next-Gen Xstream Architecture

Sophos Firewall introduced the Xstream Architecture as a key component of v18, enabling XGS Series appliances to take full advantage of the added processing power and capabilities it provided. Since then, Sophos Firewall’s Xstream Architecture has been constantly scaling and adapting to bring additional performance to customer networks.

This is all thanks to the programmable nature of Sophos Firewall’s Xstream Architecture that is NOT dependent on custom silicon ASICs – and in fact works equally well on general-purpose CPUs, virtual CPUs, and our XGS Series models that have dedicated flow processors.

Sophos Firewall v22 introduces our next-generation Xstream Architecture, which has an all-new control plane re-architected for maximum security and scalability to take us into the future. The new control plane enables modularization, isolation, and containerization of services like IPS for example, to run like “apps” on the firewall platform. It also enables complete separation of privileges for added security.

The net result is an ultra-secure, scalable, and streamlined architecture built for the future. This next-gen Xstream Architecture lays a foundation for highly secure, scalable, and modular containerized services, n-node clustering, and full RESTful APIs for high-performance remote management and automation.

High-availability self-healing

In addition, this Next-Gen Xstream Architecture adds a new self-healing capability to high-availability deployments that is continuously monitoring system state and fixes deviations between devices automatically.

Hardened kernel

The next-gen Xstream Architecture in Sophos Firewall OS is built upon a new hardened kernel (v6.6+) that provides enhanced security, performance, and scalability to maximize current and future hardware. The new kernel offers tighter process isolation and better mitigation for side-channel attacks as well as mitigations for CPU vulnerabilities (Spectre, Meltdown, L1TF, MDS, Retbleed, ZenBleed, Downfall). It also offers hardened usercopy, stack canaries, and Kernel Address Space Layout Randomization (KASLR).

Remote integrity monitoring

Sophos Firewall OS v22 now integrates our Sophos XDR Linux Sensor that enables real-time monitoring of system integrity, including unauthorized configuration, rule exports, malicious program execution attempts, file tampering, and more.

This helps our security teams who are constantly monitoring our entire Sophos Firewall customer base to better identify, investigate, and respond more quickly to any attack. This is an added security capability that no other firewall vendor provides.

New anti-malware engine

Sophos Firewall OS v22 integrates the latest Sophos anti-malware engine with enhanced zero-day, real-time detection of emerging threats using global reputation lookups. This is possible thanks to a massive cloud database of known malicious files, which is updated every 5 mins or less.

It also introduces AI and ML model detections and delivers enhanced telemetry to SophosLabs for accelerating their emerging threat detection analysis.

Get started today

Be sure to get involved in the Sophos Firewall v22 Early Access Program to better secure your and your customers’ networks and help make this release the best it can be. Also be sure to review the What’s New Guide for a full list of all the new capabilities in Sophos Firewall v22.

Source: Sophos

Keeper Security, the leading cybersecurity provider of zero-trust and zero-knowledge Privileged Access Management (PAM) software protecting passwords, passkeys, privileged accounts, secrets and remote connections, today announces Keeper Forcefield™, the first-of-its kind protection against memory-based attacks on Windows devices. Forcefield is a groundbreaking kernel-level endpoint security product that proactively defends against memory-based attacks, including credential theft from infostealers and runtime memory-scraping malware. Keeper® is the first cybersecurity software company to deliver real-time memory protection at both the user and kernel levels, raising the standard for endpoint security in enterprise environments.

Attackers are increasingly bypassing traditional cybersecurity defenses by targeting unprotected memory rather than exploiting vulnerabilities. Malicious software delivered through phishing attacks or other methods can access application memory to extract passwords, session tokens and other sensitive data – circumventing traditional encryption methods. Keeper Forcefield closes this dangerous gap by locking down memory access at the kernel level. Unlike conventional antivirus or Endpoint Detection and Response (EDR) tools, it enforces real-time memory protection capable of blocking non-privileged, fileless and zero-day attacks without degrading system performance.

“Forcefield closes one of the most dangerous blind spots in endpoint security,” said Craig Lurey, CTO and Co-founder of Keeper Security. “Malware can extract sensitive information directly from a device’s memory, even at the user level where administrative privilege isn’t required. Forcefield prevents this type of exploit entirely without disrupting trusted applications or everyday workflows.”

Forcefield provides peace of mind by actively safeguarding sensitive data from unauthorized access while operating silently in the background. It installs a lightweight, kernel-level driver that shields protected application memory from unauthorized access. Users can easily toggle Forcefield on or off within the Keeper Desktop application or deploy it via Group Policy. The solution continuously differentiates between trusted and untrusted processes in real-time, ensuring legitimate activity continues uninterrupted while malicious or unknown processes are blocked from scraping sensitive data.

How Keeper Forcefield works:

• Kernel-level protection – Actively monitors and restricts memory access to protected applications.
• Selective memory restriction – Blocks unauthorized processes from reading protected application memory.
• Smart process validation – Differentiates between trusted and untrusted processes in real time.
• Uninterrupted system performance – Runs quietly without impacting system or application performance.

Windows applications protected by Forcefield include:

• Web browsers – Chrome, Firefox, Edge, Brave, Opera and Vivaldi
• Keeper software – Desktop App, Web Vault, Browser Extensions, Gateway, Bridge, Commander and KeeperChat
• Operating systems – Windows 11 x64 and ARM64

Forcefield is available for both individual users and enterprise environments. Organizations can deploy protection across fleets of Windows devices in minutes using existing management tools, ensuring scalable and consistent endpoint defense without added friction.

For more information or to download Keeper Forcefield, visit www.keepersecurity.com/forcefield-endpoint-protection.

Source: Keeper Security and PR Newswire

Keeper Security, the leading cybersecurity provider of zero-trust and zero-knowledge Privileged Access Management (PAM) software, today announces that it has been recognized among leading vendors in the 2025 Gartner® Magic Quadrant™ for Privileged Access Management report.

The Gartner Magic Quadrant is widely considered one of the most influential evaluations in enterprise technology, providing security leaders with insights in selecting trusted solutions in today’s rapidly evolving technological landscape. KeeperPAM delivers a modern, cloud-native solution that unifies password and passkey management, secrets and connection management with zero-trust network access, remote browser isolation, privileged session management and endpoint privilege management in a single, easy-to-deploy platform. Designed for today’s hybrid IT environments, KeeperPAM leverages agentic AI and native integrations to provide organizations with complete visibility, control and compliance across every user, device and system.

Keeper differentiates itself in the PAM market with comprehensive enterprise-wide coverage and seamless integration with your technology stack. The next-gen PAM platform centralizes access to systems and data with zero-trust security, enforcing role-based policies and MFA across all assets.

• Password management: Protect and securely share passwords, passkeys and confidential data in a zero-knowledge vault with role-based access control, auditing and reporting.
• Secrets management: Integrate CI/CD pipelines, DevOps tools, custom software and multi-cloud environments into a fully-managed, zero-knowledge platform to secure infrastructure secrets and reduce secrets sprawl.
• Session management: Provide secure, credential-free access to sensitive systems while maintaining full visibility and control over privileged sessions.
• Remote browser isolation: Secure internal web-based applications, cloud apps and BYOD devices from malware, prevent data exfiltration and control browsing sessions with full auditing, session recording and password autofill.
• Endpoint privilege management: An advanced Privileged Elevation and Delegation Management (PEDM) solution that provides secure, Just-in-Time (JIT) privileged access across all Windows, Linux and macOS endpoints, with optional approval workflows and MFA enforcement.
• Admin console and control plane: Streamline deployment, user provisioning and policy enforcement through a centralized admin interface that seamlessly integrates with your existing identity stack.
• AI-powered session analysis that replaces manual log reviews with automated insights, giving organizations the speed and accuracy needed to stay ahead of modern cyber threats.

“KeeperPAM was engineered from the ground up to meet the realities of modern IT environments – cloud-first and hybrid, distributed and highly dynamic,” said Craig Lurey, CTO and Co-founder of Keeper Security. “Our platform eliminates the complexity of legacy PAM tools by delivering a unified, zero-knowledge solution that deploys in minutes and scales effortlessly. By integrating credential and privileged access management with advanced capabilities like  AI-powered session analysis and remote browser isolation, we’re empowering security and DevOps teams with tools that are both powerful and intuitive. We believe this recognition from Gartner affirms our commitment to redefining PAM through innovation, simplicity and uncompromising security.”

In 2025, Enterprise Management Associates (EMA) identified Keeper as a Value Leader in the PAM Radar Report, while GigaOm ranked Keeper the Overall Leader in its Password Management Report for the fourth consecutive year. Newsweek also highlighted Keeper among America’s Best Online Platforms, where it achieved the highest ranking of any cybersecurity vendor in the Business Solutions category.

Keeper’s innovation leadership has been further validated with multiple award wins in 2025, including being recognized as the Most Innovative Cybersecurity Company and earning top honors in both Privileged Access Management and Zero-Trust Security in the Cybersecurity Excellence Awards. The Globee Awards selected Keeper as the Cybersecurity Company of the Year, and the Global Infosec Awards honored the company in nine categories, including wins for privileged access management and zero trust.

“We believe Keeper’s recognition in the Gartner Magic Quadrant underscores the momentum we’ve built by challenging legacy approaches to privileged access management,” said Darren Guccione, CEO and Co-founder of Keeper Security. “KeeperPAM reimagines PAM for the modern enterprise, making it simple and scalable, while preserving the foundation of zero-trust and zero-knowledge security. Our vision is to empower organizations everywhere with a platform that is more secure, more intuitive and more accessible, enabling them to stay ahead of today’s rapidly evolving cyber threats.”

With FedRAMP and GovRAMP Authorization; SOC 2 Type II attestation; ISO 27001, 27017 and 27018 certifications and FIPS 140-3 validation; KeeperPAM meets the highest standards of compliance. These achievements provide customers with assurance that Keeper’s platform not only strengthens security but also simplifies audit and regulatory requirements.

Access the full Gartner Magic Quadrant Report for Privileged Access Management to learn more. To learn more about Keeper’s enterprise, business and government solutions, visit KeeperSecurity.com.

Source: Keeper Security and PR newswire

Sophos Firewall v22 is now in early access and the participation has been outstanding.

One of the highlights of this release is the new Health Check feature. This is just one of the many Secure by Design elements in this release, but it’s an important one.

A critical part of keeping your network secure is ensuring your firewall is optimally configured to prevent attackers from exploiting any openings or weak points in your security posture.  Sophos Firewall v22 makes your job of optimally securing your firewall much easier with the new Health Check feature.

This new feature evaluates dozens of different configuration settings on your firewall and compares them with CIS (Center for Internet Security) benchmarks and our own recommended best practices, providing immediate insights into areas that may be at risk. It will identify all high-risk settings and provide recommendations with easy drill-down to the areas of concern so you can easily address them.

Watch this short video to see how to take advantage of this new feature:

As shown in the video, there’s a new Control Center dashboard widget with click-through drill-down to the new feature:

The new Health Check feature has a dedicated main menu item on the left side to access the full detailed report on the compliance of your device:

You might be wondering about CIS. The Center for Internet Security (CIS) is a nonprofit community of IT professionals dedicated to evolving standards and best practices for securing IT systems and data.

You can get more insights into our partnership by visiting the Sophos page on the CIS Benchmarks website. You can also download the benchmark PDF from their website for deeper insights into why these configuration changes are considered a best practice.

The current version on the website was developed based on SFOS v21, but of course also applies just as well to v22.  We will be updating the document in partnership with CIS going forward.

Be sure to get involved in the Sophos Firewall v22 Early Access Program to better secure your network and help make this release the best it can be. Also be sure to review the What’s New Guide for a full list of all the new capabilities in Sophos Firewall v22.

 Source: Sophos

Recent events with F5 and SonicWall underline a continuing issue: network infrastructure is constantly under attack, and the cybersecurity industry continues to grapple with deep product security challenges.

Our adversaries are targeting the very tools designed to defend us. These are not opportunistic attacks: they’re a long-term strategy requiring years of research and are increasingly involving direct breaches of vendors’ own engineering and product environments.

As disclosed in our Pacific Rim research from last year, Sophos has direct experience with this. We discovered an internal breach of our firewall division in 2018, followed by attacks against customer devices that demonstrated an uncanny knowledge of our product architecture. A handful of other vendors have disclosed similar internal intrusions but this likely only scratches the surface of a wider issue.

What can we do? As Ollie Whitehouse at the National Cyber Security Centre has pointed out, this is ultimately a market incentives problem. Buyers need to demand better. Not by punishing vendors who disclose breaches, but by rewarding vendors who embrace transparency and demonstrate a real commitment to Secure by Design principles.

Over the last several releases, we have continued to invest in implementing Secure by Design principles into all our products, including Sophos Firewall. Sophos Firewall has had numerous updates in the last few years to aggressively harden the product, make it easier to patch vulnerabilities, and to identify when a customer is under attack.

As you probably know, Sophos Firewall is unique in offering zero-touch over-the-air hotfixes that can be used to patch new vulnerabilities without scheduling downtime. Sophos is also the only vendor that is actively monitoring our install base to help identify signs of an attack early.

Sophos Firewall v22 takes Secure by Design to a new level with several important enhancements:

Improved workload isolation – With our next-gen Xstream Architecture, SFOS v22 introduces an all-new control plane re-architected for increased defense-in-depth and scalability. The new control plane enables deeper modularization, isolation, and containerization of services.

Hardened kernel – The next-gen Xstream Architecture in Sophos Firewall OS is built upon a new hardened kernel (v6.6+) that provides enhanced security, performance, and scalability to maximize current and future hardware. This new kernel offers tighter process isolation and better mitigation for side-channel attacks as well as mitigations for CPU vulnerabilities. It also offers hardened usercopy, stack canaries, and Kernel Address Space Layout Randomization (KASLR).

Remote integrity monitoring – Sophos Firewall OS v22 now integrates our Sophos XDR Linux Sensor that enables real-time monitoring of system integrity, including unauthorized configuration, rule exports, malicious program execution attempts, file tampering, and more. This helps our security teams – who are proactively monitoring our entire Sophos Firewall install base – to better identify, investigate, and respond more quickly to any attack. This is an added security capability that no other firewall vendor provides.

Sophos Firewall Health Check – A strong security posture depends on ensuring your firewall and other network infrastructure is optimally configured. Sophos Firewall v22 makes it much easier to evaluate and address the configuration of your firewall with the new Health Check feature, which checks dozens of different configuration settings on your firewall and compares them with CIS benchmarks and other best practices, providing immediate insights into areas that may be at risk.

Be sure to get involved in the Sophos Firewall v22 Early Access Program to better secure your network and help make this release the best it can be.

If you’re a researcher, we welcome security research on our products so please do participate in our bug bounty program. You can receive up to $50K for findings on our firewall platform.

Source: Sophos

Ransomware remains one of today’s most disruptive cyber threats, but it is far from the only one.   

Attackers are also exploiting unpatched systems, launching AI-driven phishing campaigns, and using stolen credentials to infiltrate systems and steal sensitive data. These tactics are evolving fast, and IT and security teams are feeling the pressure. 

According to Sophos’ 2025 State of Ransomware report: 

• 32% of attacks began with unpatched vulnerabilities. 

• 28% of victims experienced both encryption and data theft. 

• 49% paid the ransom to recover their data. 

• 41% of IT teams reported increased anxiety or stress post-attack. 

These numbers make one thing clear: organizations need to shift from reacting to preventing. 

“Security isn’t just about stopping attacks — it’s about taking back control,” says Joe Levy, Sophos CEO. “That starts with prevention. The earlier you act, the more control you have over your outcomes.” 

Inside the toolkit 

The Sophos free Cybersecurity Best Practices Toolkit brings together practical, prevention-first resources for organizations of every size. Each one is designed to help you prepare, protect, and practice your response before attackers strike. 

Plan Your Response: Incident Response Planning Guide 

Build a clear incident response playbook. Learn how to document actions, communicate with stakeholders, and capture lessons from post-incident reviews – get legal documentation tips, communication templates, and guidance on forensic analysis. 

 Protect your network: Network security best practices for preventing ransomware 

Apply proven best practices to harden your network against ransomware and other threats. Learn how to reduce your attack surface, inspect encrypted traffic, and implement zero-trust network access (ZTNA) to block lateral movement. 

Practice Readiness: Tabletop Exercise Guide 

This guide walks you through how to run realistic tabletop exercises that simulate attacks like insider threats, ransomware, and supply chain compromises, helping to find gaps before attackers do and improve cross-functional communication. 

As the guide notes, “Walking through responses in a simulated incident enables participants to develop fluency with the actions needed in a real attack, accelerating execution.”  

Why prevention must come first 

Every hour saved in detection or response reduces cost, risk, and stress for your team. Prevention isn’t a philosophy — it’s a measurable advantage. 

The toolkit outlines how to: 

• Run tabletop exercises regularly to test readiness. 

• Patch vulnerabilities quickly — addressing the top cause of ransomware in 2025. 

• Segment networks to limit attacker movement. 

• Replace VPNs with ZTNA to eliminate implicit trust. 

• Inspect encrypted traffic to reveal hidden threats 

Take control of your defenses today.
Whether you’re a small business, a school district, or a global enterprise, the Sophos Cybersecurity Toolkit gives you a clear path to stronger defenses and greater control, before attackers make their move. 

Explore the Cybersecurity toolkit and start building your prevention-first strategy today.

Source: Sophos

Adversaries exploit compromised identities, infrastructure weaknesses, and misconfigurations to gain unauthorized access to sensitive data and systems, putting user-based access and controls at the frontline of modern IT and cybersecurity.

However, with identities no longer confined to the network perimeter, and the widespread shift to cloud and remote work, monitoring and securing identity systems has become increasingly complex. Indicating the scale of the issue, Sophos Incident Response analysis shows that 95% of Microsoft Entra ID environments are misconfigured, creating an open door for threat actors to escalate privileges and launch identity-based attacks.

Protect against identity-based attacks

Introducing Sophos Identity Threat Detection and Response (ITDR) — a powerful new solution that prevents identity-based attacks by continuously monitoring your environment for identity risks and misconfigurations and providing dark web intelligence on compromised credentials.

Built on the proven Secureworks Taegis IDR product, Sophos ITDR is fully integrated into Sophos’ open, AI-native platform, Sophos Central, enabling new and existing customers to deploy with speed and confidence.

Sophos ITDR automatically runs more than 80 advanced identity posture checks, going far beyond basic hygiene to uncover risks in minutes. The solution includes full coverage of MITRE ATT&CK Credential Access techniques, alerts you when credentials are exposed in data breaches, and flags anomalous user activity.

Sophos ITDR helps you:

• Reduce your identity attack surface: Sophos ITDR continuously scans your Microsoft Entra ID environment to uncover misconfigurations, identify security gaps, and provides clear, actionable recommendations.
• Monitor for leaked or stolen credentials: In the past year, the number of stolen credentials offered for sale on one of the dark web’s largest marketplaces has more than doubled*. Sophos ITDR protects user accounts from unauthorized access by monitoring the dark web and breach databases and alerting you when credentials have been exposed.
• Identify risky user behavior: Sophos ITDR detects abnormal activity associated with stolen credentials or insider threats, such as unusual login patterns.
• Protect against identity-based threats: Sophos ITDR enables analysts to respond quickly and effectively with built-in actions such as forcing password resets and locking down suspicious accounts.

A critical part of a complete security solution

Identity is a vital component of any modern security strategy. Sophos provides unmatched cyber defenses through an open, AI-native platform spanning identity, endpoints, network, firewall, cloud, email, and productivity tools. Sophos ITDR strengthens your defenses and is available as an add-on for Sophos Extended Detection and Response (XDR) and Sophos Managed Detection and Response (MDR):

• Sophos XDR + Sophos ITDR: Equip your in-house security teams with advanced tools to detect and stop active adversaries and identity-based threats.
• Sophos MDR + Sophos ITDR: Offload investigations and response activities for identity-based threats to our expert analysts, freeing your IT and security staff to focus on core business priorities.

Learn how Sophos ITDR can elevate your identity security — speak to an expert or visit Sophos.com/ITDR to start a free, no-obligation trial today.

Source: Sophos 

We’re pleased to announce that the early access program (EAP) is now underway for the latest Sophos Firewall release. This update brings several Secure by Design enhancements and many of your top requested features.

Secure By Design

Internet facing infrastructure has recently come under increasing attacks to exploit vulnerabilities and other weaknesses to gain a foothold on networks.

As you know, at Sophos, we take security very seriously and over the last several releases we have invested in implementing many Secure By Design principles to harden the product and make it a much more difficult target. This release takes Secure by Design to a whole new level.

Sophos Firewall Health Check

A strong security posture depends on keeping your firmware up to date and ensuring your firewall is optimally configured. Sophos Firewall v22 makes it much easier to evaluate and address the configuration of your firewall with the new Health Check feature.

This new feature evaluates dozens of different configuration settings on your firewall and compares them with CIS benchmarks and other best practices, providing immediate insights to areas that may be at risk. It will identify all high-risk settings and provide recommendations with quick drill-down to the areas of concern so you can easily address them.

The health check status is displayed on a new Control Center widget and a full report is available under the “Firewall health check” main menu item.

Other Secure By Design enhancements:

• Next-gen Xstream Architecture – introduces an all-new control plane re-architected for maximum security and scalability to take us into the future. The new control plane enables modularization, isolation, and containerization of services like IPS for example, to run like “apps” on the firewall platform. It also enables complete separation of privileges for added security. In addition, high-availability deployments now benefit from a self-healing capability that is continuously monitoring system state and fixes deviations between devices automatically.
• Hardened kernel – The next-gen Xstream Architecture in Sophos Firewall OS is built upon a new hardened kernel (v6.6+) that provides enhanced security, performance, and scalability to maximize current and future hardware. This new kernel offers tighter process isolation and better mitigation for side-channel attacks as well as mitigations for CPU vulnerabilities (Spectre, Meltdown, L1TF, MDS, Retbleed, ZenBleed, Downfall). It also offers hardened usercopy, stack canaries, and Kernel Address Space Layout Randomization (KASLR).
• Remote integrity monitoring – Sophos Firewall OS v22 now integrates our Sophos XDR Linux Sensor that enables real-time monitoring of system integrity, including unauthorized configuration, rule exports, malicious program execution attempts, file tampering, and more. This helps our security teams, who are proactively monitoring our entire Sophos Firewall install base to better identify, investigate, and respond more quickly to any attack. This is an added security capability that no other firewall vendor provides.
• New anti-malware engine – Sophos Firewall OS v22 integrates the latest Sophos anti-malware engine with enhanced zero-day real-time detection of emerging threats using global reputation lookups. It takes full advantage of SophosLabs’ massive cloud database of known malicious files, updated every five minutes or less. It also introduces AI and ML model detections and delivers enhanced telemetry to SophosLabs for accelerating their emerging threat detection analysis.

Other security and scalability enhancements:

• Firmware updates via SSL and certificate pinning ensures authenticity
• Active Threat Response logging improvements enhanced visibility
• NDR Essentials threat score is included in Logs for added insights
• NDR Essentials data center selection for data residency requirements
• Instant web category alerts for education institutions
• XML API access control enhancements with added granularity
• TLS 1.3 support for device access for the WebAdmin console and portals

Streamlined management and quality of life enhancements:

• Enhanced navigation performance
• Hardware monitoring for SNMP with a downloadable MIB
• sFlow Monitoring for real-time visibility
• NTP server settings defaults to “Use pre-defined NTP server”
• UI enhancements for XFRM interfaces with pagination and search/filter options

SG UTM features:

With Sophos UTM heading toward end-of-life soon (July 30, 2026), some migrating customers will appreciate these added features:

• SHA 256 and 512 support for OTP tokens
• MFA support for WAF form-based authentication
• Audit trail logs with before and after tracking to meet the latest NIST standards

Get the full details

Download the full What’s New Guide for a complete overview of all the great new features and enhancements in v22.

Get started today

You can download the upgrade package or installer for v22 from the Sophos Firewall v22 EAP Registration Page. Simply submit your details and the download links will be emailed to you straight away.

All support during the EAP will be through our forums on the Sophos Firewall Community.

Please provide feedback using the option at the top of every screen in your Sophos Firewall as highlighted below in red or via the Community Forums.

Source: Sophos