Sophos Endpoint Detection and Response - Private Early Access Program

Sophos are pleased to announce the Endpoint Detection and Response early access program for Central Windows Endpoints. The new Sophos Endpoint Detection and Response capabilities give admins deeper insight into the activity on their endpoints so they can identify and respond to advanced threats. Initially this will be a private early access program, opening up to a public early access program in a few months. If you are using Central Endpoint Advanced and Intercept X, please contact us to join the Early Access Program.


The key new capabilities being delivered in this first phase of the program are:


Enhanced and Enriched Threat Cases (Formerly Root Cause Analysis)


We’ve been hard at work overhauling Root Cause Analysis (RCA) and implementing a number of additional features to make it easier for admins to investigate detections. With this new functionality comes a new name – Threat Cases. In addition to automatically identifying the root cause, or the sequence of events that led to a malicious or suspicious file being on the endpoint, we will display more useful information to aid in investigating a Threat Case and will look to provide suggested next steps for dealing with those threats.


Submit to SophosLabs for latest Threat Intelligence


Dynamically request the latest Sophos threat intelligence on a highlighted process from within a Threat Case (formerly RCA). When you choose to request the latest intelligence, the file is submitted from the endpoint in question to SophosLabs for detailed analysis, and feedback is supplied within minutes.


Sophos Data Recorder Exporter


For admins looking to do more detailed investigations than Threat Cases (formerly RCA) currently allow, a new utility will be provided which converts the Sophos Data Recorder on an endpoint into a format against which advanced queries can be run. It is ideal for forensic deep dives and unlocks the data that underpins RCA.


When the project enters Public Early Access in the autumn, we will also introduce additional capabilities such as:

  • Endpoint isolation to stop compromised or suspicious endpoints communicating with other devices on the network
  • Administrator-defined block list capability to restrict the access to and execution of files
  • Cross-estate search capability to identify all endpoints that have seen portable executable files with an uncertain Sophos file reputation
  • Further enhancement of the Threat Intelligence feedback returned on submission to SophosLabs, leveraging multiple new machine learning technologies



If you are interested in joining the Private Early Access program, please send a request to