Sophos Update: Partner Online Event News (SFOS 22 and more)


Introduction

Yesterday (24 June 2025) Sophos hosted an online event for partners to present the latest developments and the company’s future direction. This blog post highlights the key announcements and insights shared during the event. While many of the innovations showcased – such as the Sophos Firewall v21.5 – have already been available or partially known for several weeks, Sophos took the opportunity to promote them comprehensively once again. Nevertheless, there were also exciting glimpses into upcoming developments, which we examine in more detail here. Continuous development and a focus on prevention, protection, detection and response remain central pillars of the Sophos strategy.

Sophos + Secureworks: A strategic integration for comprehensive security

A central topic of the event was the update on Sophos’s acquisition of Secureworks, which was completed in February. The merger is intended to combine the strengths of both companies and create an even more comprehensive security portfolio:

  • Prevention-first approach: Sophos, renowned for its expertise in endpoint protection, emphasises the importance of prevention. The earlier a threat is stopped, the lower the cost and effort needed for remediation. Sophos is proud of its 15-year leadership position in the Gartner Magic Quadrant for endpoint security and automatically blocks 99 percent of threats. Integrating Secureworks’ XDR capabilities with the Sophos endpoint agent (as an option) creates even greater value.
  • The largest AI-native open platform: Sophos has been investing in AI since 2015, and the Sophos Central platform features more than 50 deep-learning and AI models. Over 900 terabytes of data are processed every day, enabling enormous visibility and telemetry. The Secureworks Taegis platform complements this with advanced security-operations workflows, custom reports, playbooks and integrations.
  • Adaptability to your needs: Sophos pursues a strategy of openness and integration. XDR and MDR operations aim to provide full transparency across customers’ existing investments in third-party endpoints, firewalls, email, cloud and other security solutions.
  • Synchronized Security: The goal is rapid remediation and response to threats. Products should work better together to shorten response times and effectively stop malicious behaviour. Unfortunately, Synchronized Security between endpoint and firewall with regard to web policies is still not fully mature even after years. This would be a major benefit for administrators.
  • Highest customer satisfaction: Sophos is the only vendor to rank in the top four of all four Gartner Customers’ Choice categories (Endpoint, MDR, XDR and Firewall). Sophos also leads five categories on G2. The MITRE ATT&CK Evaluation 2024 (Round 6) confirms the strength of its endpoint protection and detection capabilities.

Portfolio consolidation and timeline

Sophos has made clear decisions to consolidate its portfolio:

Sophos Security Operations Roadmap Highlights
  • Endpoint protection: The Sophos endpoint agent will be the primary agent for all offerings.
  • XDR: The Taegis XDR solution will become the primary XDR solution and will be integrated into Sophos Central. Existing Sophos XDR customers will be migrated to this enhanced Taegis experience.
  • MDR: The two MDR offerings will be merged, with the best aspects of both solutions flowing into new combined MDR service tiers.
  • SIEM capabilities: Taegis supports SIEM functions that will be made available to Sophos customers in the future (primarily log management and compliance as an add-on).

The acquisition was completed on 3 February. Integration is progressing rapidly:

  • August 2025: Full integration of the Sophos endpoint agent with the Taegis XDR platform. Existing Secureworks Taegis customers will gain access to the Sophos endpoint agent.
  • Autumn 2025: Expansion of the solution portfolio for both customer groups. Secureworks customers will gain access to all Sophos technologies, and Sophos customers will receive new features such as ITDR.
  • End 2025 / early 2026: Full platform integration; Taegis will be integrated into Sophos Central.

Sophos Managed Risk: Proactively managing vulnerabilities

Sophos Security Operations Roadmap

Another important area that was highlighted is the Managed Risk service, launched more than a year ago in partnership with Tenable. This is a vulnerability-management offering delivered as a managed service by Sophos experts in threat exposure and remediation.

  • Core functions:
    • Visibility: Comprehensive detection of internal and external assets for a clear picture of the digital attack surface.
    • Continuous risk monitoring: The Sophos team identifies the most critical exposures and helps prioritise remediation measures.
    • Prioritisation: Use of Tenable’s AI-powered vulnerability prioritisation technology, augmented by Sophos expertise.
    • Notifications: Proactive alerting when critical vulnerabilities are discovered.
  • Service expansion: The Managed Risk service has been expanded with Internal Attack Surface Management (IASM). This complements the existing External Attack Surface Management (EASM) and provides a holistic view of vulnerabilities in both external and internal assets.
  • Licensing: Managed Risk is an add-on to the MDR service (MDR Essentials or MDR Complete) and is licensed not by IP address but by the number of users and servers, ensuring consistency with other Sophos licences.

Sophos ITDR (Identity Threat Detection and Response)

Sophos ITDR will be available as a powerful new add-on for Sophos MDR and Sophos XDR in October 2025. Gained through the Secureworks acquisition, it focuses on reducing identity risks:

What is ITDR?

Identity Threat Detection and Response (ITDR) is a security solution specifically aimed at detecting and effectively countering attacks on digital identities at an early stage. Unlike classic Identity and Access Management (IAM), ITDR continuously analyses identity data, user behaviour and threat intelligence to reveal suspicious activities immediately.

Main goals and functions

  • Protection against identity threats
    Constant scanning of identity services (e.g. Microsoft Entra ID / Azure AD) for vulnerabilities and misconfigurations.

  • Reducing the attack surface
    Monitoring for compromised credentials and alerting when access data appears on the dark web or other insecure sources.

  • Minimising the risk of stolen credentials
    Detecting and blocking unusual sign-in or access attempts that indicate stolen credentials.

  • Detecting risky user activities
    Uncovering advanced identity-based attacks, lateral movement in the network and unauthorised privilege escalations, followed by automated counter-measures.

In short, ITDR provides a proactive shield for identities by continuously monitoring the security posture and reacting in real time to any suspicious or malicious activity around user accounts. ITDR will be available as a paid add-on for all Sophos XDR and MDR customers and will greatly enhance Sophos’s Security Operations portfolio.

Sophos Incident Response and Advisory Services

Sophos has consolidated and expanded its incident-response offerings:

  • Emergency Incident Response: Sophos’s Rapid Response service and Secureworks’ incident-response capabilities have been combined into a new consolidated emergency service. This is billed hourly and aligned with cyber-insurer expectations. It offers rapid identification and neutralisation of active threats, remote and on-site support, and extended IR services such as digital forensics and ransom-negotiation support. For customers with MDR Complete, unlimited incident response is already covered.
  • Advisory Services: The proactive approach to risk reduction has been expanded with additional advisory services based on Secureworks’ capabilities. These include external penetration testing, internal WLAN network penetration testing and web application security assessments. These services aim to proactively reduce risk and improve overall security strategy.

Sophos Firewall: A trinity strategy

The Sophos Firewall differs from many other firewall solutions through its holistic approach, based on three central pillars:

  1. Mitigation: This is about reducing the attack surface and minimising the risk of an attack. Sophos integrates features such as Zero Trust Network Access (ZTNA) and the “Secure by Design” initiative to harden infrastructure and avoid unnecessary exposure to the internet.
  2. Protection: This is the classic threat-prevention arena, where the Sophos Firewall blocks attacks before they can even reach the network. This includes state-of-the-art threat engines that proactively detect and stop malicious activity.
  3. Detection and Response: The decisive difference lies here. The Sophos Firewall is not only designed to fend off attacks but also to automatically detect and isolate active attackers within the network. This is enabled by Synchronized Security and Active Threat Response, which ensure fast and coordinated responses to threats.

Most firewalls focus primarily on protection, but neglect mitigation as well as detection and response capabilities. Sophos has recognised this and invested heavily in all three areas to provide comprehensive protection that makes your infrastructure more resilient.

What’s new in Sophos Firewall v21.5? (A taste of v22)

The recently released Sophos Firewall v21.5, available free of charge to all Sophos Firewall customers, already offers an impressive insight into the direction in which the Sophos Firewall is evolving. The highlights are:

  • Integration of Network Detection and Response (NDR): This is an industry-first feature and a real novelty. NDR Essentials is integrated directly into your Sophos Firewall – at no additional cost and with no impact on firewall performance, as the analysis takes place in the Sophos Cloud. It offers two key components:
    • Encrypted Payload Analysis (EPA): This technology can identify malware payloads in encrypted network traffic without requiring TLS man-in-the-middle decryption. It converts the first packets of a session into a graphical spiral image, which is then analysed by an AI engine for malicious patterns. This is a huge advantage, especially for small and medium-sized businesses that cannot or do not want to carry out TLS inspection.
    • Domain Generation Algorithm (DGA) Detection: This function detects domains generated by malware algorithms, often before they are registered or used. This allows malicious communication with hacker servers to be prevented even when the domains are still unknown.
  • Single Sign-On (SSO) support for Entra ID (Microsoft Azure AD): A long-awaited feature that significantly simplifies login for remote-access VPN users with the Sophos Connect Client or VPN portal.
  • Enhanced DNS services: New status, troubleshooting and tutorial tools for the DNS service simplify configuration and use.
  • Additional “Secure by Design” principles: Further hardening and monitoring features improve firewall security.
  • Management-friendliness improvements: Numerous usability enhancements based on customer requests have been implemented.

The NDR integration is a game changer. Sophos Firewall is the only provider that integrates NDR directly into the firewall and offers this function at no extra charge as part of the Extreme Protection Bundle. This underscores Sophos’s focus on comprehensive and advanced threat detection even at the network edge.

A look into the future: Sophos Firewall v22

Sophos Firewall v22 - Key Themes

Version 22 of the Sophos Firewall, expected later this year, will build on these innovations and deepen three key themes:

Sophos Firewall v22 - Health Check
  1. Secure By Design:

    • Health Check feature: A highlight of v22 is the new Health Check feature. It will examine dozens of configuration areas of your firewall and immediately identify high-risk areas that are not optimally configured. This helps administrators ensure best security practices and proactively fix potential vulnerabilities, even if they were overlooked during initial setup.

      Sample excerpt of the controls currently checked

      No.    Control statement                                                           Severity      Status
      1.1    Password complexity is set (enabled by default)                             High          Pass
      1.2    MFA for admin account is set                                                Medium risk   Pass
      1.3    Admin session “lock”, “logout” and “block” is configured for failed attempts High          Failed
      1.4    NTP servers are configured appropriately                                    Low risk      Pass
      1.5a   HTTPS on WAN is disabled                                                    High          Pass
      1.5b   User portal on WAN is disabled                                              High          Pass
      1.6    A valid certificate is used to access the Webadmin interface                High          Pass
      2.1    SNMPv3 is selected for queries and traps                                    High          Pass
      2.2    Notification is configured to send system and admin alerts                  High          Pass
      2.3    Hotfix is enabled                                                           High          Error
      3.1    Active Threat Response > X-Ops is enabled and action set                    High          Pass
      3.2    Active Threat Response > NDR-E is enabled and action set                    High          Pass
      3.3    Active Threat Response > MDR is enabled and action set                      High          Pass
      3.4    Zero-day protection is enabled                                              High          Pass
      3.5    IPS is enabled and one or more firewall rules are configured                High          Pass
      3.6    No firewall rule with “Any” as criteria for Network and Services            High          Pass
      3.7    Firewall rule configured with Security Heartbeat                            High          Pass
      3.8    SSL / TLS inspection is enabled on all relevant policies                    High          Pass
      3.9    DoS & Spoof Protection is enabled with threshold                            High          Pass
      3.10   Firewall rule configured with user-based policy                             High          Pass
      • Unfortunately, hardware is completely left out here. Common problems like a defective SSD or a corrupted database still have to be laboriously traced in the logs via SSH. Email notifications or an automatic hardware health check are still missing. The general hardware quality also needs to be improved, as we are still seeing very many RMAs with certain models.

    • Enhanced architecture, automated detection, secure design: v22 will further improve the architecture to enable even more effective automated detection and an even more secure design.

  2. Networking and scalability:

    • Performance enhancements: The Sophos team is continuously working to improve firewall performance. v22 will bring significant performance improvements, especially for larger education and distributed network environments. However, all customers will benefit, regardless of the size of their environment.
    • Distributed hardware: There will be further developments in the area of distributed hardware to increase the scalability and flexibility of the solutions.
  3. Day-to-day management:

    • Improved user experience: Sophos will continue to respond to customer feedback and optimise daily firewall administration through enhancements to the user interface and usability.
    • Hardware monitoring, MSA enhancements: Improvements in hardware monitoring and management services will further increase firewall-management efficiency.
      • Notification management on the firewalls could be improved. When maintenance is indicated, you cannot hide it yourself, which can lead to unnecessary disruptions.
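To show how controls like those in the Health Check excerpt above can be codified, here is an added example (not Sophos code) that evaluates a subset of them against a constructed, hypothetical firewall configuration export. The configuration layout, field names and sample rules are assumptions; only the control logic matters.

```python
# Added example (not Sophos code): a small posture checker that encodes a
# subset of the v22 Health Check controls listed above. The configuration
# layout is a hypothetical, constructed export, not a real SFOS format.
from collections.abc import Callable

Check = Callable[[dict], bool]

def _no_any_any_rule(cfg: dict) -> bool:
    # 3.6: fail if an enabled rule matches Any network and Any service
    for rule in cfg["firewall_rules"]:
        if rule.get("enabled", True) and rule["networks"] == ["Any"] and rule["services"] == ["Any"]:
            return False
    return True

def _ips_in_use(cfg: dict) -> bool:
    # 3.5: IPS must be on and at least one rule must apply an IPS policy
    return cfg["ips"]["enabled"] and any(r.get("ips_policy") for r in cfg["firewall_rules"])

CONTROLS: list[tuple[str, str, str, Check]] = [
    ("1.2", "MFA for admin account is set", "Medium risk", lambda c: c["admin"]["mfa"]),
    ("1.5a", "HTTPS on WAN is disabled", "High", lambda c: "WAN" not in c["device_access"]["https"]),
    ("1.5b", "User portal on WAN is disabled", "High", lambda c: "WAN" not in c["device_access"]["user_portal"]),
    ("2.1", "SNMPv3 is selected for queries and traps", "High", lambda c: c["snmp"]["version"] == "v3"),
    ("3.5", "IPS is enabled and one or more firewall rules are configured", "High", _ips_in_use),
    ("3.6", 'No firewall rule with "Any" as criteria for Network and Services', "High", _no_any_any_rule),
    ("3.7", "Firewall rule configured with Security Heartbeat", "High",
     lambda c: any(r.get("heartbeat") for r in c["firewall_rules"])),
]

def run_health_check(cfg: dict) -> list[tuple[str, str, str, str]]:
    """Return (number, statement, severity, status) per control. A missing
    config section yields 'Error' rather than a silent pass, like row 2.3 above."""
    results = []
    for number, statement, severity, check in CONTROLS:
        try:
            status = "Pass" if check(cfg) else "Failed"
        except (KeyError, TypeError):
            status = "Error"
        results.append((number, statement, severity, status))
    return results

# Constructed sample export: user portal exposed on WAN, one permissive
# Any/Any rule, and no SNMP section at all (so 2.1 cannot be evaluated).
SAMPLE_CONFIG = {
    "admin": {"mfa": True},
    "device_access": {"https": ["LAN"], "user_portal": ["LAN", "WAN"]},
    "ips": {"enabled": True},
    "firewall_rules": [
        {"name": "LAN to WAN", "networks": ["LAN"], "services": ["Any"], "ips_policy": "generalpolicy", "heartbeat": True},
        {"name": "Temp allow all", "networks": ["Any"], "services": ["Any"]},
    ],
}

if __name__ == "__main__":
    for number, statement, severity, status in run_health_check(SAMPLE_CONFIG):
        print(f"{number:<6}{statement:<70}{severity:<13}{status}")
```

Running it on the sample prints 1.5b and 3.6 as Failed and 2.1 as Error, which is the kind of output an administrator would want to review before the firewall goes into production.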

Sophos Firewall 2025 Roadmap

Sophos Firewall Roadmap on schedule

Sophos positions Firewall v22 as the ideal solution for the new era of detection and response services, especially for customers using Sophos XDR and MDR. The unique proactive-monitoring features and the ability to apply patches without downtime underscore Sophos’s innovative strength.

Final words

Yesterday’s Sophos online event once again underscored the company’s strategic orientation: comprehensive, prevention-oriented security complemented by advanced detection and response mechanisms. The integration of Secureworks brings significant expansions in XDR, MDR and Identity Threat Detection. The Sophos Firewall, particularly with the innovations in v21.5 and the outlook for v22, positions itself as a leading network-security solution that goes far beyond traditional firewall functions. Through the deep integration of NDR and the focus on proactive detection and response, Sophos offers a forward-looking defence against the constantly evolving cyber-threat landscape. We are convinced that these developments will significantly improve security posture and protect networks even better. Stay tuned for further updates and deeper insights into the new features as soon as v22 becomes available!

As is often the case, the event was unfortunately drenched in self-praise 🤮. Nevertheless, at the company I work for we have many dissatisfied customers, and in the past year in particular many customers have switched from Sophos XG/XGS to other vendors.
Sophos’s pricing policy is extremely questionable. For more than eight years there have been repeated new-customer promotions, while existing customers are often left empty-handed. This causes discontent and the feeling of not being valued.
The promotions for switches and access points are also sad and show that apparently nobody wants these products. A customer recently forwarded us a promotion where you get two free when you buy three products. That speaks volumes.
Another amusing anecdote from life with Sophos: A customer recently complained that he received a switch with a manufacturing date of 2021 – a good four years old. It seems as if Sophos ordered too many and nobody wants these products, which, given the promotions, does not surprise us.
Even if these points may not be addressed in such an event, I hope that the well-known weaknesses are recognised internally and are being actively addressed.

See you soon
Joe

© 2025 trueNetLab