
Sophos has unveiled its latest cybersecurity innovation, Sophos Identity Threat Detection and Response (ITDR), a major step in its strategy to combat one of the fastest-growing areas of cyber risk: identity-based attacks. The launch expands Sophos’ flagship threat detection ecosystem, including Sophos XDR (Extended Detection and Response) and Sophos MDR (Managed Detection and Response).
It adds continuous identity monitoring, behavioral analytics, and automated remediation to protect organizations from credential compromise and account-based intrusions.
The rollout also marks the first Secureworks-derived product fully integrated into the Sophos Central platform, a milestone following Sophos’ acquisition of Secureworks’ managed detection assets earlier this year. The integration reflects the company’s growing emphasis on unifying endpoint, network, and identity protection into a single operational framework for its more than 600,000 enterprise customers worldwide.
Identity-related threats have surged to the top of the cyber risk agenda, driven by the twin forces of remote work and cloud transformation. According to Sophos X-Ops, the company’s global threat intelligence unit, the number of stolen credentials advertised for sale on the dark web rose 106 percent between June 2024 and June 2025. Sophos’ Active Adversary Report further revealed that 56 percent of attacks investigated over the past year involved valid accounts being misused to access external remote services – making credential compromise the leading cause of breaches for the second consecutive year.
“Remote work and the cloud have greatly expanded the identity attack surface,” said Rob Harrison, Senior Vice President of Product Management at Sophos. “Attackers are exploiting the complexity of modern identity and access systems, where policies shift dynamically and visibility is limited. Sophos ITDR closes those gaps by giving organizations continuous visibility, detecting compromised credentials early, and integrating response directly into the XDR and MDR workflows that our customers already rely on.”
Sophos ITDR introduces a deep set of detection and remediation capabilities built to address every phase of identity compromise. Using the MITRE ATT&CK Credential Access framework as its reference model, the system identifies all known credential access methods – such as brute force, password spraying, and Kerberoasting – while leveraging AI-driven analytics to detect anomalies including lateral movement, privilege escalation, and account takeover attempts.
Active Prevention & Response, Identity Catalog
Beyond detection, the platform emphasizes active prevention and response. It performs over 80 automated cloud identity posture checks, scanning for configuration errors, dormant accounts, and missing multi-factor authentication (MFA) settings. Sophos ITDR also continuously monitors dark web sources for leaked credentials, alerting users and administrators when potential compromises are detected.
Through response playbooks, the platform can automatically initiate defensive actions such as account locking, password resets, MFA re-enrollment, and session revocation in Microsoft Entra ID (formerly Azure AD). These automated workflows aim to cut response time from hours to minutes, minimizing the window of opportunity for attackers.
The solution also introduces a centralized Identity Catalog that consolidates all user, service, and application identities across hybrid environments into a single, ranked dashboard view. This gives security teams a real-time perspective on their organization’s identity posture, helping them prioritize the most critical threats and compliance risks.
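As an added illustration, not code from Sophos or the ITDR product, the following Python shows how the posture checks described above (dormant accounts, missing MFA) could feed a ranked identity view of the kind the Identity Catalog provides. The inventory, the 90-day dormancy threshold, and the risk weights are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Identity:
    name: str
    kind: str                      # "user", "service" or "application"
    privileged: bool
    mfa_enrolled: bool
    last_sign_in: Optional[date]   # None means no sign-in on record

DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold
RISK_WEIGHT = {"missing_mfa": 3, "dormant": 2, "privileged": 4}  # assumed weights

def posture_findings(ident: Identity, today: date) -> List[str]:
    """Return the posture findings for one identity."""
    findings = []
    # MFA is expected on interactive user accounts; service/app identities cannot enroll
    if ident.kind == "user" and not ident.mfa_enrolled:
        findings.append("missing_mfa")
    if ident.last_sign_in is None or today - ident.last_sign_in > DORMANT_AFTER:
        findings.append("dormant")
    # A weakness on a privileged identity is weighted more heavily
    if ident.privileged and findings:
        findings.append("privileged")
    return findings

def ranked_catalog(identities: List[Identity], today: date) -> List[Tuple[str, int, List[str]]]:
    """Score every identity and return (name, score, findings), highest risk first."""
    rows = []
    for ident in identities:
        findings = posture_findings(ident, today)
        rows.append((ident.name, sum(RISK_WEIGHT[f] for f in findings), findings))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows

# Constructed sample inventory spanning user, service and application identities
SAMPLE = [
    Identity("alice", "user", True, True, date(2025, 6, 29)),
    Identity("bob", "user", False, False, date(2025, 6, 1)),
    Identity("svc-backup", "service", True, False, date(2025, 1, 10)),
    Identity("legacy-app", "application", False, False, None),
    Identity("carol", "user", True, False, date(2025, 2, 1)),
]

if __name__ == "__main__":
    for name, score, findings in ranked_catalog(SAMPLE, date(2025, 6, 30)):
        print(f"{score:2d}  {name:<12} {', '.join(findings) or 'ok'}")
```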
In practice, when ITDR identifies a high-risk event – such as an attempted account takeover or detected credential leak – it automatically generates a case in Sophos XDR or Sophos MDR. From there, Sophos’ 24/7 global security operations team can investigate and respond on the customer’s behalf, offering a combination of automation and human expertise that has become central to modern MDR strategies.
Early adopters report measurable gains in efficiency and visibility. An information security director at a European financial services firm described ITDR as “a game changer in understanding our identity exposure and integrating it into our broader security posture.” Another customer, a chief information security officer in the banking sector, noted that “Sophos ITDR provides the visibility and automation required to stay ahead of attackers. It closes blind spots, strengthens our security posture, and allows my team to act quickly and effectively.”
The introduction of Sophos ITDR comes amid a growing consensus among cybersecurity professionals that identity is now the new frontline of cyber defense. As enterprises grapple with hybrid workforces, multi-cloud architectures, and increasingly sophisticated adversaries, identity has become both a critical control point and a primary target.
By fusing identity analytics, dark web intelligence, and active response into its existing detection ecosystem, Sophos positions ITDR as a bridge between traditional endpoint protection and the emerging identity security layer – one designed to make identity not just a vulnerability, but a defensible asset in the enterprise cybersecurity stack.
With identity-based attacks now driving the majority of modern breaches, Sophos’ move signals a broader industry trend: the convergence of detection, response, and identity governance into a unified, intelligence-led security model for the AI and cloud era.