Recent events with F5 and SonicWall underline a continuing issue: network infrastructure is constantly under attack, and the cybersecurity industry continues to grapple with deep product security challenges.

Our adversaries are targeting the very tools designed to defend us. These are not opportunistic attacks: they’re a long-term strategy requiring years of research and are increasingly involving direct breaches of vendors’ own engineering and product environments.

As disclosed in our Pacific Rim research from last year, Sophos has direct experience with this. We discovered an internal breach of our firewall division in 2018, followed by attacks against customer devices that demonstrated an uncanny knowledge of our product architecture. A handful of other vendors have disclosed similar internal intrusions but this likely only scratches the surface of a wider issue.

What can we do? As Ollie Whitehouse at the National Cyber Security Centre has pointed out, this is ultimately a market incentives problem. Buyers need to demand better. Not by punishing vendors who disclose breaches, but by rewarding vendors who embrace transparency and demonstrate a real commitment to Secure by Design principles.

Over the last several releases, we have continued to invest in implementing Secure by Design principles into all our products, including Sophos Firewall. Sophos Firewall has had numerous updates in the last few years to aggressively harden the product, make it easier to patch vulnerabilities, and to identify when a customer is under attack.

As you probably know, Sophos Firewall is unique in offering zero-touch over-the-air hotfixes that can be used to patch new vulnerabilities without scheduling downtime. Sophos is also the only vendor that is actively monitoring our install base to help identify signs of an attack early.

Sophos Firewall v22 takes Secure by Design to a new level with several important enhancements:

Improved workload isolation – With our next-gen Xstream Architecture, SFOS v22 introduces an all-new control plane re-architected for increased defense-in-depth and scalability. The new control plane enables deeper modularization, isolation, and containerization of services.

Hardened kernel – The next-gen Xstream Architecture in Sophos Firewall OS is built upon a new hardened kernel (v6.6+) that provides enhanced security, performance, and scalability to maximize current and future hardware. This new kernel offers tighter process isolation and better mitigation for side-channel attacks as well as mitigations for CPU vulnerabilities. It also offers hardened usercopy, stack canaries, and Kernel Address Space Layout Randomization (KASLR).

Remote integrity monitoring – Sophos Firewall OS v22 now integrates our Sophos XDR Linux Sensor that enables real-time monitoring of system integrity, including unauthorized configuration, rule exports, malicious program execution attempts, file tampering, and more. This helps our security teams – who are proactively monitoring our entire Sophos Firewall install base – to better identify, investigate, and respond more quickly to any attack. This is an added security capability that no other firewall vendor provides.

Sophos Firewall Health Check – A strong security posture depends on ensuring your firewall and other network infrastructure is optimally configured. Sophos Firewall v22 makes it much easier to evaluate and address the configuration of your firewall with the new Health Check feature, which checks dozens of different configuration settings on your firewall and compares them with CIS benchmarks and other best practices, providing immediate insights into areas that may be at risk.

Be sure to get involved in the Sophos Firewall v22 Early Access Program to better secure your network and help make this release the best it can be.

If you’re a researcher, we welcome security research on our products so please do participate in our bug bounty program. You can receive up to $50K for findings on our firewall platform.

Source: Sophos

Ransomware remains one of today’s most disruptive cyber threats, but it is far from the only one.   

Attackers are also exploiting unpatched systems, launching AI-driven phishing campaigns, and using stolen credentials to infiltrate systems and steal sensitive data. These tactics are evolving fast, and IT and security teams are feeling the pressure. 

According to Sophos’ 2025 State of Ransomware report: 

• 32% of attacks began with unpatched vulnerabilities. 

• 28% of victims experienced both encryption and data theft. 

• 49% paid the ransom to recover their data. 

• 41% of IT teams reported increased anxiety or stress post-attack. 

These numbers make one thing clear: organizations need to shift from reacting to preventing. 

“Security isn’t just about stopping attacks — it’s about taking back control,” says Joe Levy, Sophos CEO. “That starts with prevention. The earlier you act, the more control you have over your outcomes.” 

Inside the toolkit 

The Sophos free Cybersecurity Best Practices Toolkit brings together practical, prevention-first resources for organizations of every size. Each one is designed to help you prepare, protect, and practice your response before attackers strike. 

Plan Your Response: Incident Response Planning Guide 

Build a clear incident response playbook. Learn how to document actions, communicate with stakeholders, and capture lessons from post-incident reviews – get legal documentation tips, communication templates, and guidance on forensic analysis. 

 Protect your network: Network security best practices for preventing ransomware 

Apply proven best practices to harden your network against ransomware and other threats. Learn how to reduce your attack surface, inspect encrypted traffic, and implement zero-trust network access (ZTNA) to block lateral movement. 

Practice Readiness: Tabletop Exercise Guide 

This guide walks you through how to run realistic tabletop exercises that simulate attacks like insider threats, ransomware, and supply chain compromises, helping to find gaps before attackers do and improve cross-functional communication. 

As the guide notes, “Walking through responses in a simulated incident enables participants to develop fluency with the actions needed in a real attack, accelerating execution.”  

Why prevention must come first 

Every hour saved in detection or response reduces cost, risk, and stress for your team. Prevention isn’t a philosophy — it’s a measurable advantage. 

The toolkit outlines how to: 

• Run tabletop exercises regularly to test readiness. 

• Patch vulnerabilities quickly — addressing the top cause of ransomware in 2025. 

• Segment networks to limit attacker movement. 

• Replace VPNs with ZTNA to eliminate implicit trust. 

• Inspect encrypted traffic to reveal hidden threats 

Take control of your defenses today.
Whether you’re a small business, a school district, or a global enterprise, the Sophos Cybersecurity Toolkit gives you a clear path to stronger defenses and greater control, before attackers make their move. 

Explore the Cybersecurity toolkit and start building your prevention-first strategy today.

Source: Sophos

Adversaries exploit compromised identities, infrastructure weaknesses, and misconfigurations to gain unauthorized access to sensitive data and systems, putting user-based access and controls at the frontline of modern IT and cybersecurity.

However, with identities no longer confined to the network perimeter, and the widespread shift to cloud and remote work, monitoring and securing identity systems has become increasingly complex. Indicating the scale of the issue, Sophos Incident Response analysis shows that 95% of Microsoft Entra ID environments are misconfigured, creating an open door for threat actors to escalate privileges and launch identity-based attacks.

Protect against identity-based attacks

Introducing Sophos Identity Threat Detection and Response (ITDR) — a powerful new solution that prevents identity-based attacks by continuously monitoring your environment for identity risks and misconfigurations and providing dark web intelligence on compromised credentials.

Built on the proven Secureworks Taegis IDR product, Sophos ITDR is fully integrated into Sophos’ open, AI-native platform, Sophos Central, enabling new and existing customers to deploy with speed and confidence.

Sophos ITDR automatically runs more than 80 advanced identity posture checks, going far beyond basic hygiene to uncover risks in minutes. The solution includes full coverage of MITRE ATT&CK Credential Access techniques, alerts you when credentials are exposed in data breaches, and flags anomalous user activity.

Sophos ITDR helps you:

• Reduce your identity attack surface: Sophos ITDR continuously scans your Microsoft Entra ID environment to uncover misconfigurations, identify security gaps, and provides clear, actionable recommendations.
• Monitor for leaked or stolen credentials: In the past year, the number of stolen credentials offered for sale on one of the dark web’s largest marketplaces has more than doubled*. Sophos ITDR protects user accounts from unauthorized access by monitoring the dark web and breach databases and alerting you when credentials have been exposed.
• Identify risky user behavior: Sophos ITDR detects abnormal activity associated with stolen credentials or insider threats, such as unusual login patterns.
• Protect against identity-based threats: Sophos ITDR enables analysts to respond quickly and effectively with built-in actions such as forcing password resets and locking down suspicious accounts.

A critical part of a complete security solution

Identity is a vital component of any modern security strategy. Sophos provides unmatched cyber defenses through an open, AI-native platform spanning identity, endpoints, network, firewall, cloud, email, and productivity tools. Sophos ITDR strengthens your defenses and is available as an add-on for Sophos Extended Detection and Response (XDR) and Sophos Managed Detection and Response (MDR):

• Sophos XDR + Sophos ITDR: Equip your in-house security teams with advanced tools to detect and stop active adversaries and identity-based threats.
• Sophos MDR + Sophos ITDR: Offload investigations and response activities for identity-based threats to our expert analysts, freeing your IT and security staff to focus on core business priorities.

Learn how Sophos ITDR can elevate your identity security — speak to an expert or visit Sophos.com/ITDR to start a free, no-obligation trial today.

Source: Sophos 

We’re pleased to announce that the early access program (EAP) is now underway for the latest Sophos Firewall release. This update brings several Secure by Design enhancements and many of your top requested features.

Secure By Design

Internet facing infrastructure has recently come under increasing attacks to exploit vulnerabilities and other weaknesses to gain a foothold on networks.

As you know, at Sophos, we take security very seriously and over the last several releases we have invested in implementing many Secure By Design principles to harden the product and make it a much more difficult target. This release takes Secure by Design to a whole new level.

Sophos Firewall Health Check

A strong security posture depends on keeping your firmware up to date and ensuring your firewall is optimally configured. Sophos Firewall v22 makes it much easier to evaluate and address the configuration of your firewall with the new Health Check feature.

This new feature evaluates dozens of different configuration settings on your firewall and compares them with CIS benchmarks and other best practices, providing immediate insights to areas that may be at risk. It will identify all high-risk settings and provide recommendations with quick drill-down to the areas of concern so you can easily address them.

The health check status is displayed on a new Control Center widget and a full report is available under the “Firewall health check” main menu item.

Other Secure By Design enhancements:

• Next-gen Xstream Architecture – introduces an all-new control plane re-architected for maximum security and scalability to take us into the future. The new control plane enables modularization, isolation, and containerization of services like IPS for example, to run like “apps” on the firewall platform. It also enables complete separation of privileges for added security. In addition, high-availability deployments now benefit from a self-healing capability that is continuously monitoring system state and fixes deviations between devices automatically.
• Hardened kernel – The next-gen Xstream Architecture in Sophos Firewall OS is built upon a new hardened kernel (v6.6+) that provides enhanced security, performance, and scalability to maximize current and future hardware. This new kernel offers tighter process isolation and better mitigation for side-channel attacks as well as mitigations for CPU vulnerabilities (Spectre, Meltdown, L1TF, MDS, Retbleed, ZenBleed, Downfall). It also offers hardened usercopy, stack canaries, and Kernel Address Space Layout Randomization (KASLR).
• Remote integrity monitoring – Sophos Firewall OS v22 now integrates our Sophos XDR Linux Sensor that enables real-time monitoring of system integrity, including unauthorized configuration, rule exports, malicious program execution attempts, file tampering, and more. This helps our security teams, who are proactively monitoring our entire Sophos Firewall install base to better identify, investigate, and respond more quickly to any attack. This is an added security capability that no other firewall vendor provides.
• New anti-malware engine – Sophos Firewall OS v22 integrates the latest Sophos anti-malware engine with enhanced zero-day real-time detection of emerging threats using global reputation lookups. It takes full advantage of SophosLabs’ massive cloud database of known malicious files, updated every five minutes or less. It also introduces AI and ML model detections and delivers enhanced telemetry to SophosLabs for accelerating their emerging threat detection analysis.

Other security and scalability enhancements:

• Firmware updates via SSL and certificate pinning ensures authenticity
• Active Threat Response logging improvements enhanced visibility
• NDR Essentials threat score is included in Logs for added insights
• NDR Essentials data center selection for data residency requirements
• Instant web category alerts for education institutions
• XML API access control enhancements with added granularity
• TLS 1.3 support for device access for the WebAdmin console and portals

Streamlined management and quality of life enhancements:

• Enhanced navigation performance
• Hardware monitoring for SNMP with a downloadable MIB
• sFlow Monitoring for real-time visibility
• NTP server settings defaults to “Use pre-defined NTP server”
• UI enhancements for XFRM interfaces with pagination and search/filter options

SG UTM features:

With Sophos UTM heading toward end-of-life soon (July 30, 2026), some migrating customers will appreciate these added features:

• SHA 256 and 512 support for OTP tokens
• MFA support for WAF form-based authentication
• Audit trail logs with before and after tracking to meet the latest NIST standards

Get the full details

Download the full What’s New Guide for a complete overview of all the great new features and enhancements in v22.

Get started today

You can download the upgrade package or installer for v22 from the Sophos Firewall v22 EAP Registration Page. Simply submit your details and the download links will be emailed to you straight away.

All support during the EAP will be through our forums on the Sophos Firewall Community.

Please provide feedback using the option at the top of every screen in your Sophos Firewall as highlighted below in red or via the Community Forums.

Source: Sophos

As cyber threats evolve, organizations must constantly adapt their identity security strategies to stay protected. One of the most significant elements of modern security strategies is network segmentation, which involves the division of a network into smaller, isolated segments to limit unauthorized access to sensitive resources.

As network segmentation is well-known and implemented by most organizations, the rise of identity threats presents a more modern approach to segmentation from the identity control plane.

A further extension of this concept is identity segmentation, which focuses on the identity and attributes of the users, devices, and applications. This approach enables organizations to apply granular access controls to specific identities, improving their overall security posture and protection against unauthorized access.

In this blog, we will explore the difference between network segmentation and identity segmentation. We will also explore how identity segmentation is the key to implementing a true Zero Trust strategy.

The Evolution of Network Segmentation

Network segmentation is a security approach that isolates segments in the enterprise network to reduce the attack surface. Network segmentation works best in the “castle and moat” enterprise environment, securing all exposure points in the environment. This approach has been heavily implemented since the early 2000s by security and IT teams.

While this approach has proven effective in most network security strategies, the evolving nature of cyber threats highlights gaps in network segmentation.

Network segmentation access policies are typically defined by firewall rules or VLANs, which tend to be static and dependent on network traffic. These static policies are dependent on the device and not the user’s access requirements, often granting broad access to users based on their location within the network. Attackers increasingly target user identities, exploiting compromised credentials to gain unauthorized access.

The approach does not adapt to the dynamic nature of modern work environments, where users access resources from a variety of devices and locations. Network segmentation fails to provide the granular control required to secure identities effectively.

Identity Segmentation Boosts Identity Security Posture

Identity segmentation is the approach to security that involves managing and controlling access based on user identities, roles, and attributes. Instead of relying on rigid network boundaries such as IP access lists and firewall rules, identity segmentation divides the network not just from a physical or geographical standpoint, but also from the perspective of the identity control plane.

This is done by segmenting an environment based on the identity and attributes of users, devices, and applications. By doing so, organizations can implement granular access controls, ensuring users only have access to the resources necessary for their roles.

Network Segmentation vs Identity Segmentation

Network segmentation involves dividing a network into different segments to enhance security and control. Traditional network segmentation relies on factors like IP addresses, VLANs, and physical separation to create these segments. While effective at limiting the impact of a breach within the network, network segmentation often falls short in addressing the dynamic and evolving nature of user identities.

On the other hand, identity segmentation shifts the focus to user identities. This approach aligns with modern security threats where users are the primary targets and threats often exploit compromised credentials. Identity segmentation involves creating access controls based on user attributes, roles, and behavior, so users can only access the resources necessary for their roles, irrespective of their network location.

The primary difference lies in their focus: network segmentation emphasizes securing pathways and infrastructure, while identity segmentation centers on safeguarding individual user identities. Network segmentation tends to rely on static policies based on network structure, whereas identity segmentation involves dynamic and context-aware access controls based on user attributes. Identity segmentation is particularly effective in countering identity-based threats, which have become increasingly prevalent in the cybersecurity landscape.

​​Adapting to the Zero Trust Architecture

To implement a Zero Trust architecture, all organizations must protect their identities, devices, networks, applications, and workloads, as well as data. It is important to note that while many organizations have successfully implemented a few principles of the Zero Trust model, most still need to strengthen their identity security posture management.

Strong identity management and protection enables organizations to respond more rapidly and precisely when a potential threat arises. IT teams can better track and alert on any identity threats that come up, prompting proactive measures to stop potential unauthorized access attempts.

To construct a complete Zero Trust architecture across your environments, identity management and identity protection must be the core components. This will enable you to manage and protect all aspects of identity effectively, which is essential for safeguarding all types of assets, including those that are on-prem.

Source: Silverfort

You face no shortage of challenges in securing your organization from cyberattacks. The threat landscape continues to evolve, attack surfaces are expanding with the advent of new technologies, new adversary tactics and techniques keep emerging, and there’s more scrutiny than ever about what you’re doing to safeguard your environment.

Accurately assessing where you’re vulnerable to threats isn’t easy. Testing your defenses is an effective, proactive way to measure the strength of your security and set a course for lowering your risk before a threat actor strikes.

Put your defenses to the test and determine your risk

Introducing Sophos Advisory Services – proactive security testing services that provide expert, independent assessment of your cyber defenses and recommendations for improvement. These services support a more strategic approach to cybersecurity by identifying weak spots in your environment, allowing you to fortify your resiliency against potential attacks.

We’re delighted to announce general availability of four security testing services: External Penetration Testing, Internal Penetration Testing, Wireless Network Penetration Testing, and Web Application Security Assessment.

These services…

• Discover weak spots in your defenses. Uncover vulnerabilities in your environment that adversaries could exploit, based on the powerful combination of our experience from performing thousands of engagements and the latest threat intelligence from Sophos X-Ops.

• Assess your risk of being breached. Understand your real-world risk of being impacted by a cyber incident before an attack hits your business.

• Demonstrate your sound security practices to business partners. Show your organization’s commitment to cybersecurity to your customers, partners, stakeholders, regulators, and cyber insurance provider.

• Fortify your cyber resiliency. Make your security programs more resilient against threats. Testing is infused with current and relevant threat information from our research and testing teams.

Available today!

Sophos now offers the following security testing and assessment services:

• External Penetration Testing: Assesses your defenses against an adversary trying to exploit your environment from outside the perimeter.
• Internal Penetration Testing: Evaluates controls inside your perimeter to gauge interior defenses and guard against insider threats.
• Wireless Network Penetration Testing: Assesses your wireless network security networks and how attackers may attempt to gain access.
• Web Application Security Assessment: Tests your web applications for known vulnerabilities.

Sophos Advisory Services are delivered by our world-class team of cross-discipline security testers, backed by hundreds of security analysts and threat research experts.

Our services aren’t check-the-box, generic pass/fail tests. Our security experts meet with you before testing begins to understand your challenges and objectives. When testing concludes, we provide you with a detailed report for technical and non-technical audiences, featuring all steps taken during the engagement, our findings, and actionable recommendations you can use to elevate your organization’s security posture.

Learn more about how Sophos Advisory Services can uncover weak spots in your defenses and fortify your cyber resiliency. Speak to an expert today or visit Sophos.com/Advisory-Services.

Source: Sophos

What’s more: the problem is getting worse, with 69% of respondents reporting that cybersecurity fatigue and burnout increased from 2023 to 2024.

The consequences of burnout

Unsurprisingly, burnout has significant negative impacts on the individuals that experience it, with almost half (46%) reporting heightened anxiety about cyberattacks or breaches, 39% admitting to reduced productivity at work, and a third saying they have had a reduced level of engagement at work.

These figures highlight a pervasive challenge that directly undermines the effectiveness and sustainability of cybersecurity defenses.

Core causes of strain

On average, respondents cited three separate factors that contributed to them experiencing burnout, highlighting the multiple pressures that IT teams face.

We’re proud to announce that Sophos has been named a Leader in the IDC MarketScape™: Worldwide Extended Detection and Response (XDR) Software 2025.

We believe this recognition reflects our commitment to delivering intelligent, integrated, and scalable security solutions that help organizations stay ahead of threats.

The IDC MarketScape for Extended Detection and Response cites Sophos’ protection capabilities as a strength, noting, “Sophos is viewed favorably in terms of the protections it offers. Key protection technologies included as standard features on the endpoint are host-based firewall and IDS/IPS, device control, DLP, antimalware scans, and encryption.”

The report also highlights Sophos’ proactive defense capabilities, stating, “Colloquially known as ‘Shields Up,’ Sophos’ Adaptive Attack Protection was introduced in 2023. Adaptive attack protection automatically enforces certain protections if there is evidence of a ‘hands-on-keyboard’ attack.”

“While Sophos has been working on many of these technologies internally, the integration of the Taegis XDR platform adds heft to existing capabilities and jumpstarts engineering cycles to newer initiatives.”

— Chris Kissel, IDC

When highlighting when to consider Sophos, the report notes, “Sophos has an international presence, and its ecosystem is designed to empower businesses of all sizes and all types. Cybersecurity novices, intermediate users, and experts will gain value from the Sophos XDR platform.”

Sophos XDR: Innovation that drives results

Sophos Extended Detection and Response (XDR) provides powerful tools and threat intelligence that enable you to detect, investigate, and neutralize threats across your entire IT ecosystem, delivered through Sophos’ adaptive AI-native, open platform.

• Start with the strongest defense: Organizations can focus investigations by stopping more breaches before they start. Sophos XDR includes the unparalleled protection of Sophos Endpoint to stop advanced threats quickly before they escalate.
• Accelerate security operations with AI: AI tools included with Sophos XDR help streamline investigations by providing real-time insights, contextualizing threat data, and offering natural language-driven recommendations. Designed in partnership with our frontline security analysts, the Sophos AI Assistant enables your in-house team to benefit from real-world workflows and the experience of Sophos experts.
• Integrated identity protection: Sophos delivers deep visibility across identity layers and cloud environments. With ITDR, Kubernetes monitoring, and integrations with Microsoft Entra ID and O365, we secure everything from endpoints to cloud workloads.
• Automated and adaptive defenses: Sophos offers a rich set of automated responses—from isolating endpoints to enforcing MFA and rolling back ransomware damage. Our adaptive defenses functionality activates protections during active attacks, minimizing impact and enabling swift recovery.
• Ecosystem flexibility: With an extensive ecosystem of integrations, Sophos XDR fits seamlessly into diverse IT stacks. Whether customers use third-party firewalls, email platforms, or endpoints, Sophos enhances existing investments without disruption.
• An open platform designed to optimize and unify: Benefit from a single view across your entire IT ecosystem in a unified detection and response platform and focus investigation efforts on high-priority items instead of noisy, unactionable alerts. Our open, extensible architecture provides visibility across the entire attack surface by integrating threat information from your existing and future security investments.

Secureworks integration is a game-changer

Following our acquisition of Secureworks in February 2025, Sophos Endpoint is now natively integrated and automatically included with Taegis XDR and MDR subscriptions. This milestone delivers combined prevention, detection, and response in a single platform with lower licensing costs and simplified operations.

This integration strengthens protection, accelerates threat mitigation, and ensures customers maximize ROI while maintaining flexibility.

Industry validation that matters

Sophos XDR isn’t just leading in innovation; it’s earning trust across the board. From analysts to end users, the recognition is clear:

• Sophos is named a Leader in the Gartner® Magic Quadrant™ for Endpoint Protection Platforms for the 16^th consecutive report.
• Sophos is named a Leader in the 2025 Frost Radar™ for Managed Detection and Response.
• Sophos is named a Gartner “Customers’ Choice” for EPP for the fourth consecutive year, a “Customers’ Choice” for MDR for the second consecutive year, and a “Customers’ Choice” for XDR in the inaugural version of the report. ​
• Sophos is the ONLY vendor named a “Customers’ Choice” in both EPP and XDR​
• Sophos is named a G2 Leader in Endpoint Protection, EDR, MDR, Firewall, and XDR in its Fall 2025 Grid Reports.

This consistent validation reinforces Sophos as the go-to partner for organizations seeking proven, high-impact security outcomes.

What’s next: Building the future of XDR

We believe being named a Leader in the IDC MarketScape™ is a milestone that reflects our progress. It also marks the beginning of our next chapter: Full integration of Taegis XDR into the Sophos Central platform.

Read an excerpt of the IDC MarketScape™: Worldwide Extended Detection and Response (XDR) Software 2025 here.

Source: Sophos

G2 has published its Fall 2025 Reports, and customers once again put Sophos at the top. Sophos is ranked #1 Overall in Managed Detection and Response (MDR) and #1 Overall in Firewall Software. Speaking to the power of our platform, Sophos is named as a Leader for the 13th consecutive time across every G2 Overall Grid® that defines modern security operations: Endpoint Protection Platforms, Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Firewall Software, and Managed Detection and Response (MDR).  

These recognitions come from verified peer review and reflect what security teams value most: faster time to outcome, simpler operations, and the confidence of a platform that scales from prevention to managed response.  

Managed Detection and Response  

In addition to the #1 overall ranking among MDR solutions, Sophos MDR is also rated the top solution in five report segments for the category, including the Enterprise and Mid-Market Grids. Sophos MDR also earned the Best Results and Best Usability distinctions among Enterprise customers.  

Endpoint 

Sophos EDR/XDR was named a Leader across eight different segments in the Fall 2025 Reports, including the Overall, Enterprise, Mid-Market, and Small Business Grids. The Sophos XDR platform earned the Best Usability, Best Results, and Best Relationship distinctions, reinforcing its industry-leading security outcomes.  

Firewall 

The G2 Fall 2025 Reports marks Sophos Firewall’s 11th consecutive #1 Overall Firewall ranking. But for the first time, Sophos Firewall was also unanimously rated as the #1 firewall solution by all customer segments in the G2 Fall 2025 Reports (Enterprise, Mid-Market and Small Business users). Additionally, Sophos Firewall earned the Overall Best Results, Best Usability, and Best Relationship badges. 

What Sophos customers are saying 

“The level of comfort and security Sophos MDR has provided to us is immeasurable” said a Lead Infrastructure Engineer in the Mid-Market segment 

“[Sophos MDR] is a combination of powerful automation and real human expertise delivered through tightly integrated security ecosystems” said a user in the Enterprise segment 

“Sophos Firewall stands out because it combines strong protection with an easy-to-use interface” said a Technical Support Engineer in the Small Business segment 

“[Sophos Firewall] offers a robust set of features, including advanced threat protection, user-friendly reporting, and seamless integration with endpoint security” said a Manager in the Mid-Market segment 

“What I like best about Sophos Endpoint is its ability to provide powerful protection while remaining simple to manage and almost invisible to end users” said a Technical Engineer in the Small Business segment 

“With advanced threat detection powered by deep learning and behavioral analysis, [Sophos Endpoint] swiftly identifies and neutralizes even the most sophisticated threats” said an IT Manager in the Mid-Market segment 

For more information on our services and products, speak to your Sophos partner or representative and visit our website. 

Source: Sophos

If you’re evaluating endpoint protection, you’ve likely noticed something: Everything starts to sound the same. “AI-powered.” “Next-gen.” “Integrated.”

These claims are everywhere. And with over 90% of organizations now using some form of endpoint protection rather than antivirus, it’s easy to assume all solutions are equal.

They’re not.

That assumption breaks down quickly as organizations mature — moving from basic prevention to detection and response. In this evolution, what once looked like a checkbox exercise becomes a critical architecture decision. What you choose now impacts not just how well you’re protected, but how well you can adapt and reduce overall business risk in the face of evolving threats.

So how do you separate signal from noise?

The power behind the platform

One of the best indicators of what a protection solution can do for you — not just today, but long term — is the platform it’s built on. Not every feature may matter to you on day one, and that’s OK. What matters is whether the foundation gives you room to mature and improve your cyber defense.

This is where platform thinking becomes essential: Are you choosing a product or investing in a strategy?

Modern endpoint protection isn’t just about what’s installed on the device. It’s about the telemetry collected, the integrations supported, the workflows enabled, and the data pipelines behind it all. Especially as AI plays a larger role in threat detection and response, the sophistication of that underlying data infrastructure becomes a force multiplier.

It starts with data

Before AI can assist — let alone automate — you need high-quality, well-structured, and continuously refreshed data. This isn’t new thinking. In fact, data science has long relied on four foundational dimensions: Volume, Variety, Velocity, and Veracity.

Let’s apply those to endpoint protection:

• Volume: How much telemetry is being collected? Are you seeing real-world adversary behaviors at a global scale — not just malware, but hands-on-keyboard attacks, abuse of tools, and stealthy persistence methods?
• Variety: Does the platform only see endpoints, or does it ingest from email, network, cloud, identity, and more? Is the data coming from a diverse customer base across geographies, verticals, and maturity levels? More sources mean better visibility — and more context.
• Velocity: How fast does that telemetry arrive, and how often is it updated? Are your models learning from new threats in hours or days, or are you reliant on weekly signature pushes?
• Veracity: Can you trust the data? Is it enriched with threat intelligence and verified through real-world incident response? Are detections backed by research, not just automation?

The nuance in those answers is what separates one platform from another. And it’s what determines whether a solution can detect emerging threats before they become industry-wide problems, or whether it lags behind the curve.

Start with prevention. Scale to resilience.

The endpoint is often the first — and best — opportunity to stop an attack. But if your architecture allows it, you can extend that prevention to email, network, cloud, and identity. From there, you can build response capabilities across the entire attack surface, strengthening your ability to contain threats quickly and keep core systems operational when something breaks through.

Every step forward compounds your advantage. You reduce business risk, improve time to detect, and accelerate response. And if you don’t have the people to manage it all in-house, you can lean on partners who offer 24/7 managed detection and response services (MDR) that plug directly into your platform.

At Sophos, this isn’t just theory.

We protect over 600,000 organizations worldwide. Our platform, Sophos Central, processes over 223 Terabytes of threat telemetry daily, pulled from every region, sector, and attack surface. We see threats early and often, generating over 34 million detections daily, giving our defenders an edge. And behind that data is Sophos X-Ops, a global team of threat analysts, malware researchers, and response specialists who monitor hundreds of threat groups and thousands of campaigns in real time. Together, the intelligence and expertise built into Sophos Central stop an average of 11 million attacks daily, with 231 advanced threats resolved by our Managed Detection and Response team. Collectively, we keep customers safe and businesses running without disruption.

When people ask us, “Aren’t all endpoint solutions the same these days?” — our answer is simple:

No. They’re not.

Look past the buzzwords. Ask what the platform sees, how fast it learns, and who is validating its insights. The truth is, what powers the protection matters as much as the protection itself. And those with the best data will always be one step ahead. Ultimately, strong cybersecurity isn’t just a technical need. It is a business imperative that defends operations, reputation, and long-term value.

Source: Sophos

True Privilege™ is BeyondTrust’s industry leading capability for providing a complete view of all the privileges an identity has access to, including both intended and unintended privileges. Made visible by the True Privilege Graph feature in Identity Security Insights™, it goes beyond traditional views of privileges directly assigned to encompass hidden misconfigurations that attackers can exploit to elevate privileges further.

How True Privilege Protects Against Modern Attacks

Meet Amy: a real-world example of hidden risk.

Let’s consider Amy, a developer whose identity has multiple accounts and access to different systems.

Amy has various privileges directly assigned to her accounts, which traditional solutions might have visibility into—but often in a disconnected way. This means one tool might see her AWS privileges, while another sees her Active Directory privileges, making it difficult to get a complete picture of her assigned privilege and access.

But the real risk lies in the indirect or unintended privilege pathways. These can arise from misconfigurations, inherited rights, or hidden connections within the identity infrastructure. In Amy’s case, several apps she manages in Azure have service principals with the ability to assign the Global Administrator role. This means that even though Amy isn’t a Global Administrator herself, a path exists for her to gain that highly privileged role, either for herself or someone else.

We’re pleased to announce new features to the Sophos AI Assistant, which puts easier case triage and investigation, MDR-grade expertise, guided workflows, and real-time threat hunting directly in the hands of every Sophos XDR and MDR customer.

What is the Sophos AI Assistant?

The Sophos AI Assistant is an integrated feature in Sophos Central that uses large language models (LLMs) and natural language understanding to enable all users — from IT generalists to experienced SOC analysts — to query security telemetry, enrich investigations, and take investigative actions without needing to write SQL-like queries.

It isn’t just another AI tool — it’s expertise from the team behind the world’s leading Managed Detection and Response service, distilled into an intelligent agent. The AI Assistant is included for all Sophos XDR and MDR customers at no additional charge.

With this release, the Sophos AI Assistant has been enhanced to support two key roles:

• Security Analyst – Focused on case investigation and triage.
• Threat Hunter – Focused on proactive, exploratory investigations across the environment.

Getting started with the AI Assistant

Key capabilities in this release

1. Updated navigation in Sophos Central

The Sophos AI Assistant is now accessible from a new “AI” menu in the Sophos Central Admin console. This update reflects the increasing importance of AI-powered tools in analyst workflows and ensures easier access to AI-driven insights and actions—whether you’re responding to alerts, investigating incidents, or proactively hunting threats.

2. New Security Analyst and Threat Hunter assistants

This release introduces a new AI assistant:

• Security Analyst assistant: Designed for triage, case management, and investigation tasks.
• Threat Hunting assistant: Adds support for proactive hunting workflows, allowing analysts to explore telemetry, craft queries, and investigate suspicious behavior across the estate.

Together, these new context aware assistants unify reactive and proactive capabilities under a single, AI-powered interface.

3. Contextual workflows based on analyst role

The AI Assistant now pulls in context based on the function an analyst is performing:

• Security Analysts receive case-aware prompts, enrichment support, and streamlined investigation flows.
• Threat Hunters are provided with advanced search suggestions, guided telemetry pivots, and custom prompt templates.

Whether you’re summarizing case findings or exploring detection anomalies, the AI Assistant ensures a seamless and role-aligned experience.

4. Smart prompt starters and in-workflow assistance

To reduce onboarding friction and improve usability, Sophos has introduced intelligent prompt suggestions tailored to common SOC activities. From device analysis to trend reviews, the AI Assistant helps you frame effective queries and make informed decisions—without needing deep familiarity with query languages or telemetry schemas.

Use cases in action

• Alert triage: Quickly summarize the context and related detections
• Investigation: Trace lateral movement using command-line data or user behavior
• Threat hunting: Search for PowerShell execution anomalies over time
• Enrichment: Perform live lookups on hashes, IPs, or domains

You can even add AI Assistant outputs directly into your case notebooks, ensuring that your insights and steps are preserved for auditing or handover.

Sophos Central Documentation – AI Assistant Use Cases

How to write effective prompts

We’ve published a new best practices guide for writing effective AI prompts. This guide helps you frame questions more clearly and precisely to ensure high-quality results from the AI Assistant.

Tips include:

• Be specific: Include device names, time ranges, or detection types
• Give context: Tie the prompt to a case or alert when possible
• Define format: Ask for lists, tables, or summaries if needed

How to craft effective prompts

Ready to try it?

Log in to Sophos Central today and start working with your new AI teammate.

AI Assistant documentation and training resources

Source: Sophos

Despite spending more than $18.5 billion on identity security products in 2024—a 15% increase year over year according to Gartner—identity remains the most common entry point for attackers. It’s the most used vector for initial compromise, and the trend is only expected to continue. This year alone, there have been over 800 million new sets of stolen credentials compromised as a result of the explosion of infostealers.

So, why are we still struggling?

The short answer is that identity security has not evolved fast enough. In contrast to other areas of cybersecurity, identity continues to be stuck in legacy thinking. Traditionally, it has been considered a function of compliance and business enablement, rather than a front-line security function. As a result, most organizations rely on fragmented tools, complex implementations, and reactive controls that are unable to keep up with modern threats.

Account compromise is not an anomaly, but an inevitable consequence of an outdated model. 

We’re still operating in what can only be called Identity Security v1. This is a first-generation approach that lacks the agility, integration, and focus necessary to combat today’s threats. The strategy is to layer controls over already exposed environments, often through projects that can take many years to complete. But attackers don’t wait—and neither should we.

A clear symptom of this lack of control is the uncomfortable conversations that many security leaders face: What is our residual risk? What does that mean in business terms? When will we be done? These questions are difficult to answer when you’re not fully in control and must constantly react to the environment as it changes beneath you.

Imagine a state where you can clearly define and enforce foundational identity controls: every admin is required to authenticate with MFA, service accounts are restricted to their usual, approved behavior, and all access is denied by default unless explicitly allowed. These controls aren’t aspirational: they’re implementable, enforceable and, most importantly, measurable. Their effectiveness is reflected in the threats that are blocked or contained before they can escalate, providing a direct line between control and risk reduction.

What is needed is a shift in both mindset and technology. Identity Security v2 puts compromise prevention at the centre. It is proactive, universal, and built to manage identity risk without getting in the way of business. As a result, identity is not treated as an afterthought, but as a control point.

There is an urgent need for this change. A perfect storm is brewing around outdated assumptions about identity’s role in security, a lack of modern tools that provide real-time control, and growing complexity across cloud, SaaS, and hybrid environments. Together, these forces call for a new approach, one that allows us to control now, everywhere it matters, and fine-tune later.

We cannot afford to wait. The cost of inaction is written clearly in breach reports and stolen credentials are piling up by the day.

Why identity is different and why that matters

Identity stands apart from other areas of security. Unlike most security domains, identity is fundamentally about people. Even non-human identities, service accounts, APIs, and machine identities ultimately reflect human decisions made by either developers, admins, or platform owners.

Identities are unique in that they are woven tightly into the day-to-day activities of an organization. It affects how people access tools, collaborate, and accomplish tasks—and, crucially, how they feel while doing so.

Identity has historically been funded for two reasons:

1. How can we quickly onboard new joiners and make authentication seamless for everyone?
2. How can we meet compliance requirements and avoid costly violations?

Now, a third and fundamentally different driver has emerged: how can we defend against identity-based threats? It requires new skills and a new mindset that may not always be aligned with traditional efficiency or compliance objectives.

In many cases, efficiency is associated with an increase in risk and over-provisioned access is a common consequence. The scope of compliance is narrow and deep, whereas security requires broad, real-time visibility and control. Due to these competing priorities, identity teams need to evolve into identity security teams with a new mandate and dedicated tools.

In most areas of security, this evolution is already well established: network, endpoint, and cloud teams all work alongside their specialized security counterparts, supported by purpose-built tools. But in identity, that model is often missing. Teams managing systems like Active Directory, Entra, or Okta are rarely partnered with dedicated security teams, who are themselves enabled by specialized technology. They often lack the tools required to take a truly security-first approach.

To meet today’s threats, that must change.

Why today’s identity security tools are not enough

As identity security has not evolved organizationally, technology has also lagged—especially when compared to other security disciplines.

Let’s take network security as an example. Modern tools don’t just offer visibility; they serve as a universal control plane that enforces guardrails across the entire environment. Security teams can proactively define and apply security policies to control risk and respond in real time to threats. These controls are consistently applied, ensuring no part of the network operates outside the organization’s security framework.

Identity has not had the same evolution.

Today’s identity security tools fall into one of three categories:

• Tools that treat identity as a set of vulnerabilities to be remediated (e.g., weak passwords, excessive privilege, orphaned accounts)
• Tools that isolate risky accounts (e.g., vaulting via PAM)
• Tools that attempt to detect identity-based threats and respond (e.g., ITDR)

The solutions are fragmented, focusing only on cloud, SaaS, or native identity platforms, and are often implemented in silos. As a result, attackers can exploit these gaps easily.

More critically, these tools do not empower identity security teams to take control of risk. They keep teams reactive, forcing them to chase down threats, remediating after the fact, and layering controls in response to what has already happened.

In today’s more complex environments, that model simply does not work. Treating identity as a list of backlog items to fix means exposure persists until everything is perfectly remediated, which is something no organization can realistically achieve.

It is possible to reduce exposure by locking down high-risk accounts; however, this is typically a difficult process, degrades the user experience, and does not scale well. This approach demands perfection: perfect visibility, perfect execution, and complete coverage across every critical system. No company can honestly claim they have achieved that.

Solving account compromises requires more than a patchwork. It requires a new kind of identity security technology—one that gives teams real control, closes gaps proactively, and puts you in the driver’s seat.

How do we take control?

Authentication today is not designed with security as the primary goal. When designing networks, security is front and center. Firewalls, segmentation, and controls are built to limit blast radius and contain threats. You would not accept a network without built-in security controls. Yet authentication is typically designed to ensure uptime and availability. The priority is operational: will users be able to log in when needed? Will the systems stay up and running to support the business? This mindset reflects identity’s legacy as a business enabler, not a security control.

But why is authentication not built security-first?

Why don’t we start from a position of denying by default and applying security controls to enforce security standards in line with our risk appetite? As a result, the blast radius will be narrowed, and the risk of account compromise will be reduced.

Imagine if these were the default policies:

• Require MFA for all access to sensitive infrastructure
• Deny any connection not originating from trusted sources
• Block authentication using legacy or insecure protocols

When we approach identity with this mindset, the game changes. Security risks become less urgent because the environment is controlled by design. It is now easier to explain risk to executives, not because the problems have disappeared, but because we have taken charge of how identity is protected.

This gives you the space and time that you need to modernize your identity landscape while staying in control of risk every step of the way—whether that’s adopting ephemeral credentials, moving toward zero standing privilege, or rethinking how access is granted.

Source: Silverfort

Sophos is delighted to announce that Sophos Endpoint is now natively integrated and automatically included in all Taegis™ Extended Detection and Response (XDR) and Taegis Managed Detection and Response (MDR) subscriptions.

Customers gain immediate access to combined prevention, detection, and response capabilities in a single platform – while lowering costs and simplifying operations. The integration follows Sophos’ acquisition of Secureworks in February 2025 and represents a major milestone in combining the companies’ strengths to help customers defeat cyberattacks with a higher ROI.

Endpoint protection remains one of the most critical layers of defense against today’s cyberthreats, delivering both frontline prevention and vital telemetry for detection and response. With Sophos Endpoint included in all new and existing Taegis XDR and MDR subscriptions, customers can benefit from unmatched ransomware defenses and adversary mitigation capabilities that automatically deploy in the event of an attack. The integration enables organizations to strengthen protection while lowering licensing costs, reduce management overhead through native integration, and accelerate threat mitigation with expanded response actions.

Taegis remains a fully open platform, ensuring customers continue to receive full value from their existing cybersecurity investments and maintain the freedom to use the endpoint protection solution of their choice. This ensures that customers maximize ROI while allowing room in their budget for other cybersecurity priorities.

Watch this 2-minute video to learn more about the integration.

Organizations need superior protection

Too many organizations still treat endpoint protection like a commodity, and that’s exactly the mistake attackers are counting on. The reality is that not all endpoint products are built to stop today’s hands-on-keyboard attacks.

Sophos Endpoint’s prevention-first capabilities, like CryptoGuard anti-ransomware protection and Adaptive Attack Protection, shut down attacks before they can escalate, which is a true game changer for enterprises managing thousands of devices. And by simplifying deployment and policy management, we’re helping organizations stay ahead of threats, lower their total cost of ownership, and maximize the return on their security investments.

Key benefits for Taegis customers

• Lower costs and improved ROI: Sophos Endpoint is now automatically included with all Taegis XDR and Taegis MDR subscriptions, eliminating the need to purchase a separate endpoint security solution.
• Vendor choice preserved: Taegis remains an open platform, allowing organizations to continue using their preferred endpoint solution.
• Industry-leading protection: A 16-time leader in the Gartner® Magic Quadrant™ for Endpoint Protection Platforms, Sophos Endpoint provides unmatched defense against ransomware and other advanced threats, with features such as CryptoGuard and Adaptive Attack Protection, accessible directly from the Taegis console.
• Workflow continuity: Telemetry and detections from Sophos Endpoint are ingested into the Taegis platform, allowing customers to retain existing detection and response workflows.
• Simplified management: Customers can download, install, and manage Sophos Endpoint directly from Taegis.

Meeting customers where they are

To support a range of environments, customers can now choose between three deployment options for endpoint protection:

• Sophos Endpoint: Natively integrated for comprehensive prevention, detection, and response in a single agent.
• Non-Sophos native integrations: Telemetry ingestion ensures full visibility from products such as CrowdStrike, Microsoft Defender, SentinelOne and Carbon Black by Broadcom.
• Other non-Sophos endpoint security solutions: Supported through a detection-only sensor deployment option.

Streamlined Sophos deployment experience for Taegis users

Upgrading to Sophos Endpoint is an easy and frictionless process for Taegis users.

• Customers can download the Sophos Endpoint installers directly from within the Taegis platform – no additional licenses required.
• Documentation and upgrade instructions can be found on the Sophos Endpoint Agent page in the Secureworks documentation.
• Customers can retain their existing detection and response workflows as endpoint telemetry and detections from Sophos Endpoint are now ingested directly into the Taegis platform.
• Additional response capabilities are now available with Live Response functionality for Sophos Endpoint, directly from the Taegis console. This enables security teams to execute commands to terminate suspicious processes, reboot endpoints and servers, delete files, and more, with full, secure shell access. (Note: an endpoint must be running Sophos Endpoint to use Live Response – either the full agent or sensor).

Learn more

Sophos Endpoint is available immediately for all existing and new Taegis XDR and MDR customers. Watch this 2-minute video, explore the Taegis platform, and learn more about Sophos Endpoint. To discuss how Sophos and Taegis can support your cybersecurity goals, speak to your Sophos representative today.

Source: Sophos

The cybersecurity world was jolted by the recent announcement that Palo Alto Networks will acquire CyberArk in a landmark deal valued at approximately $25 billion. Beyond the financial scale of the transaction, this acquisition marks a shift in how the industry views identity security. The recent acquisition validates what we’ve been emphasizing already: identity is both the first and last line of defense, and it demands its own dedicated security layer. Just as we’ve seen in other domains like endpoint and cloud security, protecting identities requires an end-to-end platform—one that offers unified visibility, intelligent insights, and inline protection.

CyberArk, rooted in Privileged Access Management (PAM), has expanded its identity capabilities in response to market needs. But this acquisition surfaces a more critical and timely question:

What is the future of PAM?

We believe we’re witnessing the beginning of a transformation. A future where securing privileged access will no longer revolve around a vault. In fact, vault-based approaches will no longer be the primary method of enforcing privileged access security.

This shift parallels transformations we’ve already seen in other areas of cybersecurity:

• Cloud security has gone agentless, replacing intrusive deployments with lightweight, API-based visibility.

• Multi-Factor Authentication (MFA) does not require code changes or proxies as in the past. Today it is enforced by the identity provider or an extension to the identity provider.

• Identity protection platforms now enforce policies in real time without injecting keys or passwords, reducing the attack surface.

• Network security moved away from physical firewalls and VPNs to Zero Trust Network Access (ZTNA), which grants access dynamically based on identity, context, and posture.

In each of these cases, the core idea was the same: move away from securing secrets or infrastructure, and instead focus on securing the access itself. PAM is now undergoing a similar evolution.

The problem with vault-based PAM

Vaults were introduced as a way to protect the credentials used by privileged accounts—admin usernames and passwords for servers, databases, switches, and more. The premise was sound: don’t let users know or reuse powerful passwords. Instead, let them retrieve credentials from a secure vault when needed, and rotate those passwords after use.

But in practice, vault-based PAM creates several problems:

1. It secures the credential, not the access. Once a user retrieves the credential, the vault’s protections end. That password can be stolen from memory, logged by malware, misused by insiders, or intercepted in a man-in-the-middle attack. The access itself isn’t protected—just the storage of the password.

2. It’s operationally complex. Vault-based PAM introduces major friction into workflows. Changing how users log into systems—redirecting them through a proxy, forcing them to check out passwords, re-authenticate constantly—often requires training, workarounds, or exceptions. On the NHI front, to rotate service account credentials multiple approvals are typically required and careful work to avoid breaking changes. This change in behavior complicates adoption and makes PAM deployments time-consuming and expensive. Many organizations take years to roll out PAM at scale, especially in hybrid environments where legacy systems, service accounts, and third-party access all require separate configurations.

3. It’s not breach-proof. Vaults themselves are high-value targets. Attackers know that compromising a vault can yield credentials for the most sensitive systems in the organization. We’ve seen real-world breaches that prove this. In a high profile 2022 breach, the attacker reportedly gained access to the company’s privileged access vault by harvesting credentials and tricking an employee into approving MFA requests. Once inside, the attacker had access to admin tools, infrastructure, and sensitive data. In other incidents, attackers have exploited vault misconfigurations, API tokens, or integration weaknesses to escalate their access. The idea that vaults are unbreachable is no longer tenable.

4. It creates a false sense of security. Security teams often assume that rotating credentials and limiting access to the vault is enough. But if the password is still being handed to the user—even for a short time—it can still be exfiltrated or abused. The security controls (like MFA, session recording, or approval workflows) are tied to the vault, not to the privileged access itself. Once the login is done, there is no additional enforcement point to apply security controls.

Vault-centric PAM worked well in the era of static infrastructure and long-lived accounts. But today’s IT environments are dynamic, distributed, and identity-driven. Simply protecting credentials in a vault is no longer enough.

From privileged account management to privileged access security

The real opportunity—and what defines the vault-free future—is to shift from managing privileged accounts to securing privileged access.

In this model, organizations no longer rely on permanent accounts with vaulted passwords. Instead, privileges are granted dynamically, just-in-time, and removed as soon as they’re no longer needed. Access is brokered and monitored in real time based on user identity, context (device, location, time), and policy.

This eliminates many of the risks associated with vault-based PAM:

• There is no standing credential to steal or reuse.

• The change to user behavior is minimal; no login disruption, and no password checkout process.

• All access is tightly monitored and tied to a verified identity.

• Even if the attacker gains hold of the password, the access is still secured and the attack can be stopped there.

This model also extends seamlessly to non-human identities (NHIs)—like service accounts, scripts, AI agents, and automation tools—which now make up the majority of privileged access in most organizations. Rather than managing thousands of long-lived credentials for these entities, organizations can enforce policies that allow specific systems to initiate privileged access under strict controls, without static secrets. As NHIs become more manageable through identity providers, cloud-native tools, and runtime enforcement, the vault-free approach becomes both more feasible and more secure.

Identity-centric access: A more secure approach

This shift toward privileged access security is made possible by technological advances in identity security. Organizations can now apply strong security controls at the identity layer—enforcing MFA, risk-based policies, session monitoring, and just-in-time elevation—without injecting credentials or modifying infrastructure.

In fact, modern platforms can secure privileged access in a way that’s:

• Proxyless – doesn’t require routing all of the network traffic through a gateway or rewriting apps.

• Credential-free – avoids injecting or exposing privileged credentials.

• Inline & real-time – dynamically responds to access attempts with adaptive policy decisions.

This architectural shift allows organizations to apply Zero Trust principles to privileged access—validating every request continuously, applying least privilege policies, and responding to anomalies instantly.

And it aligns with how security teams want to work: reducing the attack surface, minimizing user disruption, and simplifying operations.

Will vaults disappear?

Vaults will remain part of the privileged access landscape for the foreseeable future. Some systems will continue to require passwords. Some compliance requirements will mandate secure storage of credentials. And in certain break-glass or legacy scenarios, having a vault as a fallback mechanism still makes sense.

But vaults will no longer be the primary way organizations secure privileged access. Instead, the center of gravity will shift to real-time, identity-aware controls—a model that doesn’t rely on handing users credentials, and doesn’t require those credentials to exist in the first place.

We’re already seeing this transition unfold. Modern identity security platforms are being used to enforce granular access controls for privileged sessions across cloud and on-prem environments. These controls—based on who the user is, what resource they’re accessing, and under what context—are more precise, more scalable, and more secure than vault-based approaches.

And importantly, they’re faster to deploy and easier to manage, because they don’t require users to change how they log in or IT teams to redesign their environments.

Looking ahead

The future of privileged access is vault-free. Vaults served a critical function in an earlier era. But as identity becomes the new perimeter, and access becomes the control point, it’s time to move on.

Security leaders who want to reduce risk, accelerate zero trust adoption, and simplify their operational burden should begin by asking: Do I need to protect this password, or can I eliminate it altogether?

By shifting the focus from accounts to access, we can finally secure identities in a way that’s invisible to users, resistant to breaches, and built for the dynamic environments of today—and tomorrow.

Learn more about Privileged Access Security and how it benefits identity and security teams.

Source: Silverfort

Legacy operating systems that have reached end-of-support often lack security features and updates that are present in newer systems, making them targets for exploitation by adversaries. However, organizations within industries such as manufacturing and healthcare often need to run endpoints with these operating systems for specialized systems, including machinery and medical devices.

Endpoints in operational technology (OT) environments can be difficult and prohibitively expensive to upgrade or replace, resulting in devices being left unsecured or requiring additional security solutions and mitigations.

Comprehensive protection for legacy Windows and Linux endpoints

Introducing Sophos Endpoint for Legacy Platforms — a solution that provides comprehensive next-gen security for a range of Windows and Linux operating systems beyond the standard end-of-support dates provided by platform vendors.

Simplify deployment and management of endpoint security across all devices. Security solutions that limit support to modern operating systems drive organizations to deploy separate solutions for legacy systems, introducing a management burden on IT and security teams. Sophos provides industry-leading endpoint security for both legacy and modern platforms in Sophos Central — a powerful, cloud-based management platform that unifies all Sophos next-gen security solutions.

Protect critical devices beyond operating system vendor support timeframes. Defer difficult and costly upgrades for specialized systems. Sophos Endpoint for Legacy Platforms enables organizations to protect a range of legacy Windows and Linux operating systems beyond standard end-of-support dates offered by platform vendors.

Legacy systems protected by next-gen technologies. Web, application, and peripheral controls reduce the threat surface and block common attack vectors on legacy and out-of-support devices, while deep learning AI models protect against both known and never-before-seen attacks. CryptoGuard anti-ransomware and anti-exploitation technologies stop threats fast, so resource-stretched IT teams have fewer incidents to investigate and resolve.

Neutralize sophisticated attacks that can’t be stopped by technology alone. Legacy devices are attractive targets for exploitation by adversaries. Sophos’ AI-powered EDR and XDR tools enable organizations to detect, investigate, and respond to suspicious activity across all devices, including legacy platforms. Organizations with limited in-house resources can engage industry-leading Sophos MDR services to monitor and respond to threats across the entire IT environment.

Legacy systems deserve industry-leading security

Don’t risk the security of your legacy devices with inferior solutions. Devices running out of support operating systems are often critical to an organization. That’s why at Sophos, we believe these systems deserve the strongest protection, from a proven, market-leading endpoint security vendor.

• Sophos has recently been named a Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms, marking our 16th consecutive report as a Leader in this category.
• Sophos is named a “Customers’ Choice” vendor in the 2025 Gartner® Peer Insights™ Voice of the Customer Report for Endpoint Protection Platforms for the fourth consecutive year and in the inaugural Voice of the Customer Report for Extended Detection and Response. This makes Sophos the only vendor named a “Customers’ Choice” in both reports.
• Sophos is the only vendor named a Leader across the G2 Spring 2025 Overall Grid® Reports for Endpoint Protection Suites, Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Firewall Software, and Managed Detection and Response (MDR).

Available today!

Sophos Endpoint for Legacy Platforms is available as an optional add-on for customers with a Sophos Endpoint, Sophos XDR, or Sophos MDR subscription.

It’s ideal for:

• Organizations with critical systems and devices running on legacy or out-of-support operating systems, such as manufacturing, healthcare, and energy.
• Organizations with large endpoint estates that struggle to fully upgrade to newer OS versions before a platform vendor’s end-of-support timeframes.
• Organizations who currently use different endpoint security solutions for legacy vs. modern platforms.

To explore how Sophos Endpoint can help secure your legacy systems, speak to an expert today and download the solution brief.

Source: Sophos

Email remains one of the primary malware delivery methods. With over 90% of successful cyberattacks starting with phishing¹ and business email compromise (BEC) attacks accounting for nearly $3 billion in losses per year², email security has never been more important.

Furthermore, with the advent of generative AI (GenAI), these phishing and BEC attacks are expected to pose an even greater threat. According to a survey by 451 Research S&P Global Market Intelligence, 83% of security leaders express concern about GenAI enabling more advanced phishing and BEC attacks, up from 21% a year ago.³

The need for a comprehensive email security solution is clear, but the threat posed by email-based attacks goes deeper. Given email’s prominent role as the starting point of an attack and/or as part of a multi-stage attack, siloed email security proves to be less effective in combating the dynamic threat landscape. An​ email security solution’s level of integration with a broader MDR service or XDR platform to provide deep visibility and – optimally – control to SecOps teams provides the best outcomes.​

Following multiple enhancements to Sophos Email, the only MDR-optimized email security solution, Sophos is introducing two new offerings to boost email security posture. Sophos EMS provides deployment flexibility and integration into Sophos MDR and XDR, while Sophos DMARC Manager ensures DMARC compliance for improved security and brand trust.

Sophos Email

Sophos Email is the only MDR-optimized email security solution, providing comprehensive email security via a single offering.

• Sophos Email delivers protection against phishing and BEC attacks through multi-layered defenses powered by natural language processing (NLP). With NLP-powered message scanning, phishing and BEC attacks are blocked from inboxes before users can interact with them.
• Sophos Email’s native integration with Sophos MDR and Sophos XDR provides truly unmatched threat visibility, response capabilities, and centralized control for security teams. These capabilities enable security teams to have a holistic view of email telemetry and take actions during critical events.
• Sophos Email also seamlessly integrates with M365 and Google Workspace, enhancing the security posture of organizations’ existing investments.

NEW Sophos Email Monitoring System

Sophos Email Monitoring System (EMS) is an easy-to-deploy, powerful sensor that detects threats other email security products miss and provides unrivaled visibility and control to Sophos MDR and XDR. EMS is not an alternative to Sophos Email – it is designed for customers of third-party email security solutions. By providing a second layer of scanning, EMS also helps evaluate the efficacy of an existing third-party solution.

• Sophos EMS easily deploys on top of any existing email security solution to add a layer of threat identification with zero disruption to existing email flow or security policies. Leveraging 20+ AI/ML models, including NLP, Sophos EMS identifies malicious emails otherwise missed.
• Sophos EMS natively integrates email telemetry into Sophos MDR and Sophos XDR. This native integration provides visibility and control to Sophos MDR and XDR that third-party email security solutions can’t.
• Manual clawback functionality in Sophos EMS allows email administrators and security analysts to remove malicious emails from user inboxes that were missed by the existing third-party solution but identified by EMS.

NEW Sophos DMARC Manager – Powered by Sendmarc

Sophos DMARC Manager is the result of a partnership between Sophos and Sendmarc, one of the leading DMARC solution providers. As a protection add-on for Sophos Email and Sophos EMS customers, Sophos DMARC Manager quickly and easily helps organizations ensure and maintain DMARC policy compliance​, an increasingly prominent requirement backed by major email providers, governments, and regulators.

• Sophos DMARC Manager protects an organization’s users by verifying a sender’s identity. This protection prevents two increasingly sophisticated types of phishing and BEC attacks: domain spoofing and impersonation attacks.
• By ensuring an organization’s DMARC compliance, Sophos DMARC Manager helps protect an organization’s brand reputation while improving delivery rates for outbound emails.
• DMARC compliance is an ongoing endeavor. Sophos DMARC Manager’s intuitive dashboards, automated monitoring, and comprehensive reporting simplify the otherwise onerous task of maintaining DMARC compliance.

As email continues to be a primary vector for cyberattacks, organizations must evolve their defenses to meet increasingly sophisticated threats, especially those amplified by generative AI. Sophos’ MDR-optimized email security portfolio, now enhanced with EMS and DMARC Manager, reflects the market’s shift toward integrated, visibility-rich solutions. These additions not only enhance email threat detection and response but also support broader security operations through MDR and XDR integration.

– Monika Soltysik, senior research analyst for Security and Trust at IDC

Source: Sophos