Sophos Updates September 2025 – Firewall, Endpoint, E-Mail

In September 2025, Sophos introduced a range of new features. Instead of summarizing everything in one long list, this post is structured by product areas. This way, every administrator can quickly find the relevant points for their environment. After all, not everyone uses Sophos switches or access points – and if you do, my sincerest condolences.

Overview of the key points

Credential theft remains the main risk, and Sophos is focusing on passkeys and ITDR. The endpoint updates significantly reduce resource consumption and enable new forensic options. Firewall, switches, and access points also received important additions. E-mail security is moving further into the spotlight with a freely available DMARC tool and TLS reporting. In addition, there are promotions for firewalls, new video content, and events such as it-sa and the Partner Business Breakfasts.

Sophos Endpoint Security

Performance improvements

It was about time: with version 2025.2.x, Sophos has noticeably improved endpoint performance. According to Sophos, RAM consumption drops by up to 40% and CPU load by up to 30%, depending on the use case (Sophos News - Sophos Endpoint: Major performance enhancements). This is particularly noticeable in VDI environments and on older systems. Many customers have been frustrated in recent years that Sophos endpoints were too resource-intensive. Some switched to Microsoft Defender because of this – and those customers won’t come back. Sophos not only has to catch up technically but also regain lost trust.

Sophos Endpoint Performance improvements

The rollout is staggered; in mixed environments, define a canary group and take before/after measurements (CPU, RAM, logon times) before the broad rollout. Sophos itself is positioning the new versions aggressively against competitors who have so far gained ground with “we are lighter/faster” claims.

Legacy support

For companies still running older platforms, there is the newly named Sophos Endpoint for Legacy Platforms. It officially supports discontinued systems such as Windows 7, and Windows 10 once its support ends in October 2025. Not pretty, but practical: in tenders where legacy systems are still a reality, Sophos won’t be ruled out immediately. An unsupported OS remains a risk in itself, though; an EDR agent on it is damage limitation, not a substitute for migration.

Forensics API

A real step forward is the new Forensics API. Full memory images (RAM dumps) can now be pulled remotely and written directly into an Amazon S3 bucket. This saves time in the incident response process, as on-site visits are no longer required. These dumps can be analyzed via the XDR/MDR platform; separate memory forensics tools remain essential, but data collection is now a script instead of a service trip. Keep in mind that a RAM dump contains the credentials, keys and session tokens of the captured host: the bucket has to be private, encrypted, and writable only by the collection identity.

Domain Controller & Identity Telemetry

Telemetry for domain controllers has also been expanded. Attacks such as PetitPotam (NTLM authentication coercion via MS-EFSRPC) can now be detected directly via Central. From endpoint version 2025.1 onwards, the option “Monitor Domain Controller Events” is included by default in the server policy and immediately usable.
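What a rule for this has to look at, as an added example (not Sophos’s detection logic and not code from the original post): PetitPotam coerces the DC into authenticating to the attacker by calling MS-EFSRPC over the efsrpc or lsarpc named pipe on the IPC$ share; with “Audit Detailed File Share” enabled on the DC, each such pipe open is logged as Security event 5145. The script scores constructed 5145 records per source IP. The weights, the alert threshold and the sample events are assumptions for illustration.

```python
"""Scoring heuristic for PetitPotam-style authentication coercion on a DC.

Added example, not Sophos code. Consumes Security event 5145 (detailed file
share audit) records and scores access to the named pipes used by MS-EFSRPC
and related coercion vectors. All events below are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass

# efsrpc is the high-fidelity indicator; lsarpc/samr/netlogon are also touched
# by legitimate admin tooling, so on their own they score lower. (Assumed weights.)
PIPE_WEIGHT = {"efsrpc": 60, "lsarpc": 30, "lsass": 30, "samr": 25, "netlogon": 25}
ALERT_THRESHOLD = 60  # assumed


@dataclass(frozen=True)
class ShareAccessEvent:
    """Subset of Security event 5145 fields the rule needs."""
    event_id: int
    subject_user: str      # e.g. "ANONYMOUS LOGON", "WS01$", "j.doe"
    share_name: str        # e.g. r"\\*\IPC$"
    relative_target: str   # pipe name, e.g. "efsrpc"
    source_ip: str


def score_event(ev: ShareAccessEvent) -> tuple[int, list[str]]:
    """Score one 5145 event; 0 means not interesting."""
    if ev.event_id != 5145 or ev.share_name.upper() != r"\\*\IPC$":
        return 0, []
    pipe = ev.relative_target.strip("\\").lower()
    if pipe not in PIPE_WEIGHT:
        return 0, []
    score = PIPE_WEIGHT[pipe]
    reasons = [f"IPC$ access to coercion pipe '{pipe}' from {ev.source_ip}"]
    if ev.subject_user.upper() == "ANONYMOUS LOGON":
        # Unauthenticated EfsRpcOpenFileRaw: the pattern addressed by KB5005413 / CVE-2021-36942.
        score += 40
        reasons.append("caller is ANONYMOUS LOGON (unauthenticated coercion)")
    elif ev.subject_user.endswith("$"):
        # A machine account opening these pipes on a DC is a relay/coercion tell.
        score += 20
        reasons.append(f"caller is machine account {ev.subject_user}")
    return score, reasons


def detect(events: list[ShareAccessEvent]) -> dict[str, dict]:
    """Aggregate scores per source IP and return the ones above ALERT_THRESHOLD."""
    per_ip: dict[str, dict] = defaultdict(lambda: {"score": 0, "pipes": set(), "reasons": []})
    for ev in events:
        score, reasons = score_event(ev)
        if not score:
            continue
        entry = per_ip[ev.source_ip]
        entry["score"] += score
        entry["pipes"].add(ev.relative_target.strip("\\").lower())
        entry["reasons"].extend(reasons)
    # Touching several coercion pipes from one host is worth more than the sum.
    for entry in per_ip.values():
        if len(entry["pipes"]) >= 2:
            entry["score"] += 20
            entry["reasons"].append("multiple coercion pipes from one source")
    return {ip: e for ip, e in per_ip.items() if e["score"] >= ALERT_THRESHOLD}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ShareAccessEvent(5145, "ANONYMOUS LOGON", r"\\*\IPC$", "efsrpc", "10.10.20.77"),
    ShareAccessEvent(5145, "ANONYMOUS LOGON", r"\\*\IPC$", "lsarpc", "10.10.20.77"),
    ShareAccessEvent(5145, "admin.jd", r"\\*\IPC$", "samr", "10.10.5.12"),    # AD admin tool, benign
    ShareAccessEvent(5145, "ws042$", r"\\*\IPC$", "srvsvc", "10.10.7.30"),    # not a coercion pipe
    ShareAccessEvent(5140, "ws042$", r"\\*\IPC$", "efsrpc", "10.10.7.30"),    # wrong event id
]

if __name__ == "__main__":
    for ip, alert in detect(SAMPLE_EVENTS).items():
        print(f"[ALERT] {ip} score={alert['score']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

The anonymous-caller branch matters for triage: after KB5005413 the unauthenticated variant no longer works, so an ANONYMOUS LOGON hit on efsrpc against a patched DC is either a misconfiguration or an attacker probing for one.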

Identity-related telemetry is also more tightly integrated: via Microsoft Graph Security (available at no extra cost in XDR/MDR), sign-in events, impossible travel patterns, and anomalous token usage can be correlated. Based on this, response actions can be defined in Central – up to and including session invalidation and user lockout.

Sophos Firewall & Network Security

There are several interesting new developments in the network space. Through the Taegis platform, the Sophos Firewall can now also be controlled via Active Threat Response (ATR). This means IOCs such as IPs or FQDNs detected in XDR or MDR operations can be passed automatically to the firewall. This tightens the integration between endpoint and perimeter and allows IOCs to be blocked directly – without an analyst frantically switching between consoles.

Also important: customers already on Taegis/XDR can switch to Sophos Endpoint at no extra cost. This reduces friction when consolidating platform telemetry.

Promo note: For new firewall deals, Sophos is offering up to 25 endpoint licenses. That’s marketing, sure – but operationally useful to integrate endpoint signals into ATR decisions and keep the perimeter from flying blind. More details on firewall features can be found in my post Sophos Firewall v21.5.

Sophos Switches

Switches also received an upgrade: starting with MR 2.1, the Spanning Tree Protocol (STP/RSTP) can now be configured directly in Sophos Central. Previously, you had to log in locally to the switches and set STP manually – a clear disadvantage compared to other vendors. Now it’s centralized, with consistent policies per site and a documented root bridge. For rollouts, this means fewer typos, fewer isolated configurations, and somewhat reproducible behavior in case of failure.

But this is not an innovation leap, rather an overdue basic function. While Sophos is catching up here, other vendors have long offered extended features such as BPDU guard, FlexLink, or automated loop prevention. For enterprise or campus environments, comparison with established vendors remains essential.

Sophos Access Points

For AP6 access points, the last usage/visibility gap compared to the old APX models has been closed: application/client visibility, top APs/SSIDs, peak times – the metrics are now available. The problem: these features should have been there from launch.

The AP6 series was released at the end of 2023 and took almost a year to run stably. It then took another six months until the devices had the same functionality as their predecessors. In that time, other vendors developed new features – better QoS automation, RF optimizations, WPA3 enterprise convenience, cloud RRM with heatmap backtesting. Sophos, on the other hand, was playing catch-up. Those deploying AP6s today finally get what APX has long had – but valuable time was lost in the meantime.

For productive environments, this is a clear warning: stay away from the access points until Sophos shows they can do more than just catch up. For Central-only environments that need few feature levers, AP6 is now stable. For everyone else, the competition remains the first choice. More on this in my post Sophos Access Points AP6 – From Hell.

Sophos Identity & ITDR

The September focus is on credential theft. Attacks via adversary-in-the-middle proxies such as “evilginx” show that even MFA is no longer a guarantee: the proxy relays the real login page, the user enters the OTP or approves the push, and the attacker walks away with the session cookie. Sophos recommends switching to passkeys, which, unlike traditional MFA methods, cannot be relayed this way: a FIDO2/WebAuthn assertion is bound to the origin the browser actually talks to, so one produced on the phishing domain is worthless at the real service. The message is clear: MFA remains mandatory, but only passkeys truly close the AitM gap.
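Why the relay fails, shown in code as an added example (not from the post, not Sophos or FIDO Alliance code): the authenticator signs authenticatorData plus the hash of clientDataJSON, and the browser, not the page, writes the origin into clientDataJSON and only accepts an rpId that is the origin’s host or a registrable suffix of it. The relying party checks origin and rpIdHash against its own values before the signature, so an assertion produced on the proxy’s domain is rejected, and a proxy that forges those fields breaks the signature instead. To keep the example stdlib-only, the authenticator’s ECDSA signature is replaced by an HMAC with a per-credential key shared with the RP (a labelled stand-in); the RP ID, origins and keys are constructed.

```python
"""Origin binding of a WebAuthn assertion versus an AitM proxy.

Added example. The HMAC "authenticator" is a stand-in for the credential's
private-key signature so the script runs with the standard library only;
the relying-party checks are the ones the WebAuthn spec prescribes.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                  # assumed relying party
RP_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser assembles it: the origin is the page's
    real origin and cannot be overridden by page script."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":"),
    ).encode()


def browser_rp_id_hash(requested_rp_id: str, origin: str) -> bytes:
    """The browser accepts an rpId only if it equals the origin host or is a
    registrable suffix of it; anything else is a SecurityError."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        raise ValueError(f"SecurityError: rpId {requested_rp_id!r} not valid for {origin}")
    return hashlib.sha256(requested_rp_id.encode()).digest()


def authenticator_sign(cred_key: bytes, rp_id_hash: bytes, client_data: bytes):
    """Stand-in authenticator: authenticatorData = rpIdHash || flags || counter,
    signed together with SHA-256(clientDataJSON). HMAC replaces ECDSA here."""
    auth_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")  # UP flag, counter 0
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return auth_data, sig


def rp_verify(cred_key: bytes, challenge: bytes, client_data: bytes, auth_data: bytes, sig: bytes):
    """Relying-party checks, in the order the spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature"
    return True, "ok"


def legit_login(cred_key: bytes, challenge: bytes):
    cd = browser_client_data(challenge, RP_ORIGIN)
    auth, sig = authenticator_sign(cred_key, browser_rp_id_hash(RP_ID, RP_ORIGIN), cd)
    return rp_verify(cred_key, challenge, cd, auth, sig)


def aitm_login(cred_key: bytes, challenge: bytes, phish_origin: str = "https://login.evil.example"):
    """Proxy relays the genuine challenge to the victim's browser on phish_origin.
    Requesting the real rpId is refused by the browser; requesting its own rpId
    yields an assertion the RP rejects. (A real authenticator would not even find
    a credential scoped to the phishing rpId; the shared key lets the flow reach
    the RP so the failing check is visible.)"""
    try:
        browser_rp_id_hash(RP_ID, phish_origin)
    except ValueError:
        pass
    else:
        raise AssertionError("browser must refuse a foreign rpId")
    phish_rp_id = phish_origin.split("://", 1)[1]
    cd = browser_client_data(challenge, phish_origin)
    auth, sig = authenticator_sign(cred_key, browser_rp_id_hash(phish_rp_id, phish_origin), cd)
    return rp_verify(cred_key, challenge, cd, auth, sig)


def aitm_rewrite_login(cred_key: bytes, challenge: bytes, phish_origin: str = "https://login.evil.example"):
    """Proxy keeps the victim's signature but forges clientDataJSON and
    authenticatorData for the real origin: the signature no longer matches."""
    phish_rp_id = phish_origin.split("://", 1)[1]
    cd_phish = browser_client_data(challenge, phish_origin)
    _, sig = authenticator_sign(cred_key, browser_rp_id_hash(phish_rp_id, phish_origin), cd_phish)
    forged_cd = browser_client_data(challenge, RP_ORIGIN)
    forged_auth = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return rp_verify(cred_key, challenge, forged_cd, forged_auth, sig)


if __name__ == "__main__":
    key, challenge = os.urandom(32), os.urandom(32)
    print("legit      :", legit_login(key, challenge))
    print("aitm relay :", aitm_login(key, challenge))
    print("aitm forge :", aitm_rewrite_login(key, challenge))
```

The same two checks (origin and rpIdHash) are what an OTP or push approval lacks: those factors carry no statement about which site the user was looking at, which is exactly what the proxy exploits.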

In addition, Sophos Central now offers new ways to automatically detect suspicious logins – impossible travel, parallel logins from multiple countries or browser tokens, suspicious inbox rules as a precursor to BEC – and respond immediately. Compromised sessions can be invalidated, users locked, and malicious mail rules removed. For October, Sophos also announced Identity Threat Detection and Response (ITDR). Originating from the Secureworks acquisition, ITDR will be embedded in Central as an identity-focused detection layer, complementing XDR/MDR with exactly this missing piece.
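A minimal version of the impossible-travel and parallel-session checks mentioned here and in the identity telemetry section above, as an added example (not the Graph Security or Central logic and not code from the post): it takes geo-resolved sign-in records, computes the great-circle distance between consecutive sign-ins per user and flags implied speeds above airliner pace, and separately flags users holding sessions from two countries inside one window. The record schema, the thresholds and the sign-in events are constructed for the example.

```python
"""Impossible-travel and parallel-session checks over sign-in records.

Added example. Assumes the IP-to-location step has already happened (the
lat/lon/country fields below); thresholds and sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0            # roughly airliner cruise speed (assumed)
MIN_DISTANCE_KM = 50.0               # ignore CGNAT / metro-area IP churn (assumed)
CONCURRENT_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class SignIn:
    """Fields of a geo-resolved sign-in record (constructed schema)."""
    user: str
    time: datetime
    ip: str
    country: str
    lat: float
    lon: float
    session_id: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _by_user(events):
    grouped = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        grouped[ev.user].append(ev)
    return grouped


def impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Consecutive sign-ins per user whose implied speed exceeds max_kmh.
    Returns (user, from_ip, to_ip, km, kmh) tuples."""
    alerts = []
    for user, evs in _by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < MIN_DISTANCE_KM:
                continue
            # Clamp to one second so two sign-ins with identical timestamps do not divide by zero.
            hours = max((cur.time - prev.time).total_seconds(), 1) / 3600
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append((user, prev.ip, cur.ip, round(km), round(kmh)))
    return alerts


def concurrent_countries(events, window: timedelta = CONCURRENT_WINDOW):
    """Users with distinct sessions from different countries inside one window.
    Returns (user, sorted country list) tuples."""
    alerts = []
    for user, evs in _by_user(events).items():
        countries = set()
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b.time - a.time > window:
                    break
                if b.country != a.country and b.session_id != a.session_id:
                    countries.update({a.country, b.country})
        if countries:
            alerts.append((user, sorted(countries)))
    return alerts


def _t(hh: int, mm: int) -> datetime:
    return datetime(2025, 9, 15, hh, mm)


# Constructed sample sign-ins, not real tenant data.
SAMPLE_SIGNINS = [
    SignIn("alice", _t(9, 0), "84.1.2.3", "DE", 48.1374, 11.5755, "s1"),     # Munich
    SignIn("alice", _t(9, 20), "197.5.6.7", "NG", 6.5244, 3.3792, "s2"),    # Lagos, 20 min later
    SignIn("bob", _t(8, 0), "91.2.3.4", "DE", 52.5200, 13.4050, "s3"),      # Berlin
    SignIn("bob", _t(13, 0), "91.8.9.10", "DE", 50.1109, 8.6821, "s4"),     # Frankfurt, 5 h later
    SignIn("carol", _t(10, 0), "77.1.1.1", "AT", 48.2082, 16.3738, "s5"),   # Vienna
    SignIn("carol", _t(10, 5), "77.1.1.2", "AT", 48.2082, 16.3738, "s6"),   # Vienna, new session
]

if __name__ == "__main__":
    for user, src, dst, km, kmh in impossible_travel(SAMPLE_SIGNINS):
        print(f"[travel] {user}: {src} -> {dst}, {km} km at {kmh} km/h")
    for user, countries in concurrent_countries(SAMPLE_SIGNINS):
        print(f"[concurrent] {user}: sessions from {', '.join(countries)}")
```

Both functions deliberately work on session IDs and geo fields rather than raw IPs, because a VPN egress change inside one session is the most common false positive; whatever response you wire to these alerts (session revocation, forced re-authentication) should fire on the session, not on the user as a whole.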

Sophos E-Mail Security

Email security remains a central theme. In 2025, the BSI declared it the “Year of Email Security” – Sophos is listed in the Hall of Fame. Fittingly, a freely available analysis tool has been released: at https://tools.sophosdmarc.com/, DMARC records of a domain can be checked. This is useful for quick health checks in pre-sales and for audits of existing customers.

In addition, the DMARC Manager is available as an add-on (MSP-capable as well). A staged hardening is recommended: from p=none to p=quarantine to p=reject – but only once SPF and DKIM are properly in place and aligned with the From: domain, and the aggregate reports (rua) show that every legitimate sender passes. TLS reporting (TLS-RPT) complements the picture by showing what proportion of communication is actually encrypted and which partners still need work.
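To make the staging rule concrete, an added example (not the Sophos DMARC tool and not code from the post): a parser for DMARC and TLS-RPT TXT records that reports the next hardening step, holding at p=none until SPF and DKIM are confirmed aligned. The DNS lookup is left out so it runs offline; the records, domains and report addresses are constructed, and the spf_aligned/dkim_aligned flags stand for what your aggregate reports tell you.

```python
"""DMARC / TLS-RPT record parser with a next-step recommendation.

Added example. Input is the TXT string as DNS would return it; all records
below are constructed for the example.
"""

VALID_POLICIES = ("none", "quarantine", "reject")
RANK = {p: i for i, p in enumerate(VALID_POLICIES)}


def parse_tags(txt: str) -> dict:
    """Split 'k=v; k=v' TXT data into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _uris(value: str) -> list:
    return [u.strip() for u in value.split(",") if u.strip()]


def parse_dmarc(txt: str) -> dict:
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"invalid or missing p= tag: {policy!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    return {
        "p": policy,
        "sp": tags.get("sp", policy).lower(),   # subdomain policy defaults to p
        "pct": pct,
        "rua": _uris(tags.get("rua", "")),
        "ruf": _uris(tags.get("ruf", "")),
        "adkim": tags.get("adkim", "r").lower(),  # relaxed alignment is the default
        "aspf": tags.get("aspf", "r").lower(),
    }


def parse_tlsrpt(txt: str) -> dict:
    """TLS-RPT record published at _smtp._tls.<domain>."""
    tags = parse_tags(txt)
    if tags.get("v") != "TLSRPTv1":
        raise ValueError("not a TLS-RPT record")
    rua = _uris(tags.get("rua", ""))
    if not rua:
        raise ValueError("TLS-RPT record without rua= has no effect")
    return {"rua": rua}


def assess(dmarc_txt: str, spf_aligned: bool, dkim_aligned: bool, tlsrpt_txt: str = None) -> dict:
    """Next step in none -> quarantine -> reject, plus warnings.
    spf_aligned/dkim_aligned: whether aggregate reports show all legitimate
    sources passing with alignment (the caller derives these from rua data)."""
    d = parse_dmarc(dmarc_txt)
    warnings = []
    if not d["rua"]:
        warnings.append("no rua= address: no aggregate reports, so no visibility before tightening")
    if RANK[d["sp"]] < RANK[d["p"]]:
        warnings.append(f"sp={d['sp']} is weaker than p={d['p']}: subdomains remain spoofable")
    if d["adkim"] == "r" and d["aspf"] == "r":
        warnings.append("relaxed alignment on SPF and DKIM; tighten to adkim=s/aspf=s once sources are known")
    if tlsrpt_txt is None:
        warnings.append("no _smtp._tls TLS-RPT record: no data on which partners fail STARTTLS")
    else:
        parse_tlsrpt(tlsrpt_txt)
    if not (spf_aligned and dkim_aligned):
        nxt = "p=none"          # hold: fix authentication before any enforcement
    elif d["p"] == "none":
        nxt = "p=quarantine"
    elif d["p"] == "quarantine":
        nxt = "pct=100" if d["pct"] < 100 else "p=reject"
    else:
        nxt = "monitor"
    return {"policy": d["p"], "pct": d["pct"], "next": nxt, "warnings": warnings}


# Constructed records (example.com / mssp.example are placeholders).
R_NONE = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com'
R_QUARANTINE = 'v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.com; adkim=s; aspf=s'
R_REJECT = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com,mailto:dmarc@mssp.example'
TLSRPT = 'v=TLSRPTv1; rua=mailto:tlsrpt@example.com'

if __name__ == "__main__":
    for txt in (R_NONE, R_QUARANTINE, R_REJECT):
        result = assess(txt, spf_aligned=True, dkim_aligned=True, tlsrpt_txt=TLSRPT)
        print(f"p={result['policy']} pct={result['pct']} -> next: {result['next']}")
        for w in result["warnings"]:
            print("   warning:", w)
```

The sp= check is the one people miss: a p=reject record with sp=none still lets anyone spoof anything.example.com, which is where most "but we have DMARC" incidents come from.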

Important for XDR/MDR teams: even if emails are running through a third-party provider, the Email Monitoring Service (EMS) can be connected. This ensures telemetry and events still land in Central – right where response playbooks are waiting for you.

Content, Events & Compliance

Summer slump is over: activity is back on the German YouTube channel and the international tech channel – with a new video on Sophos Firewall deployment in Microsoft Azure. Live formats are also restarting: particularly relevant is a compliance webinar (drivers: Ransomware, Insurance, Compliance – “R I C”). Preparations are also underway for it-sa in October; tickets are available via the Sophos website/newsletter. In November, Partner Business Breakfasts will be held in at least eleven locations across DACH, split into a business track and a technical update track. If you want to attend both, of course you can.

Final words

The September 2025 updates show that Sophos is mainly sharpening its focus on identity protection, efficiency, and email hygiene. Passkeys and ITDR directly address credential theft. Endpoint 2025.2.x significantly reduces system load, while forensic APIs open new paths in incident response. In networking, ATR strengthens the coupling between firewall and endpoint, while switches and access points mainly show overdue catch-up features. For email security, there are simple tools that deliver immediate value. At the same time, the webinar shows that Sophos is also pushing compliance, events, and marketing – partly useful, partly delayed.

Personally, I am most looking forward to SFOS v22, which will be released in early December. I expect significantly more exciting innovations there that could outshine the updates we’ve seen so far.

see you soon
Joe

© 2025 trueNetLab