The XDR Sensor is a new deployment option specifically designed for prospects/customers who are unwilling or unable to replace their existing, non-Sophos endpoint protection platform with the full Sophos Intercept X Advanced with XDR agent but are interested in benefiting from our endpoint detection, investigation, and response capabilities.  Primary use cases include: 

  • For customers interested in our upcoming MDR service who want want/need to continue running third party endpoint protection.  Those customers will run the XDR Sensor in combination with their existing endpoint protection technology while getting access to Sophos MDR, our fully managed 24/7 service.
  • Prospects who are currently using a non-Sophos endpoint protection tool but are interested in trialing Sophos as part of a proof-of-concept (POC) without it interfering with their existing endpoint protection platform. 
  • Existing customers who are using Sophos endpoint protection (Intercept X Essentials or Intercept X Advanced) in one segment of their environment while using one or more non-Sophos endpoint protection tools in other segments. These customers may be looking to move their entire organization to Sophos over time but need to use the Sophos XDR Sensor to bridge the gap during the consolidation process. 
  • Prospects who want to complement a non-Sophos endpoint protection tool with the detection, investigation, and response capabilities enabled through Sophos XDR. In many cases, these will be prospects who only have endpoint protection today but are looking for an immediate path to EDR and XDR capabilities. 

 What Capabilities Does the Sophos XDR Sensor Enable?

The Sophos XDR Sensor operates in a detection and response-only mode, which means it does not provide automated protection/prevention actions. The customer or prospect will continue relying on their existing third-party endpoint protection tool and will benefit from the following capabilities enabled by the Sophos XDR Sensor.

 Threat Detection Capabilities: 

  • On-device behavior and cloud-based detections

 Threat Investigation Capabilities:

  • Live Discover (direct device and data lake queries)
  • Scheduled / rule-based data lake queries

 Threat Response Capabilities: 

  • Live Response (manual response)
  • Isolation (on Windows platforms only)

Supported Platforms:

  • Windows 10 x64 and later
  • Windows Server 2016 and later
  • MacOS Big Sur and later
  • All current supported Linux platforms

 How to deploy:

The easiest method to deploy the Sensor is from the Protect Devices page in Central.  Customers with an Intercept X Advanced with XDR Endpoint and/or Server entitlement will now have access to the XDR Sensor installers (these installers are pre-configured to only install the XDR sensor):


When downloading the installer or managing endpoint software to deploy the XDR Sensor or to downgrade to the XDR Sensor a warning will appear to caution that you must ensure you are running third party protection if deploying in this mode:

To ensure you can run Live Discover Data Lake queries you should also ensure that you have enabled Data Lake uploads for your endpoints/servers:

XDR customers expecting full protection and detection capabilities should ensure they are running the full Intercept X Advanced with XDR agent and not the XDR Sensor.