Sophos – Tech | Business | Economy (https://techeconomy.ng)

Palo Alto Networks vs Sophos: Best Cybersecurity Stack for Resource-Constrained Enterprises
https://techeconomy.ng/palo-alto-networks-vs-sophos-cybersecurity-africa/
Thu, 19 Feb 2026 11:24:52 +0000

Indeed, cybersecurity threats are not taking it slow in Africa, with attackers becoming more organised and incessant.

In the first half of 2025 alone, sub-Saharan Africa saw more than 42 million web-based attacks and nearly 96 million on-device attacks, including malware, spyware and backdoors, up from the previous year.

In Nigeria, almost 1.5 million online attack attempts were blocked by security tools, with nearly one in five users (19.9%) targeted.

This level of threat activity makes choosing the right cybersecurity stack important. Two options widely adopted worldwide, and increasingly in African markets, are Palo Alto Networks and Sophos.

Both provide firewalls and Secure Access Service Edge (SASE)-related functions. But they differ in design, cost structure, manageability and suitability for smaller security teams.

This article compares Palo Alto Networks and Sophos across threat prevention, networking and SASE functions, cost, ease of deployment, management and local support.

The Threat Environment in 2025–2026

Before looking at products, it helps to understand what these tools must defend against.

Cybercrime reports from late 2025 show a surge in attacks across the continent, with ransomware, business email compromise (BEC) and digital extortion reaching new heights.

Interpol-led enforcement measures in late 2025 disrupted cybercrime operations in 19 African nations, where attackers caused more than $21 million in losses before law enforcement intervened.

Globally, ransomware incidents increased steeply in 2025, with some reports indicating that nearly 78% of organisations experienced ransomware attacks over the prior year.

These figures show the scale and sophistication of modern threats. African enterprises, which may not have large security teams, need to ensure prevention is both effective and realistic.

Threat Prevention Capabilities

Palo Alto Networks

Palo Alto firewalls are built on the PAN-OS platform and supported by a threat intelligence backbone known as WildFire. Users frequently mention strong traffic inspection, advanced threat detection and integrated intrusion prevention.

In independent comparisons, Palo Alto products usually edge out competitors on threat prevention and machine-learning-driven analysis.

Palo Alto’s platforms are typically paired with Cortex XDR for endpoint visibility, and the vendor has been expanding cloud and identity security through recent acquisitions.

Sophos

Sophos firewalls, including Sophos XGS, focus on coordinated security with endpoint protection and centralised policy management. Sophos Central allows visibility across network and endpoints, and the company emphasises simplicity and integration in a single console.

Independent comparisons show that Sophos provides strong basic threat protection and advanced malware blocking, though some users find deeper configuration and reporting less mature than in higher-end platforms.

Direct Comparison

In independent user rating reports updated in early 2026, Palo Alto’s firewall solutions generally score slightly higher in threat prevention, while Sophos scores strongly for usability and value.

In one comparison, Palo Alto firewalls had a slightly higher average rating, and both products had high user recommendations.

Palo Alto may provide richer telemetry and deeper real-time threat visibility, but Sophos gives solid protection with easier management for smaller teams.

SASE and Network Security

Palo Alto Networks

Palo Alto’s SASE services centre on Prisma Access, a cloud-delivered security service that combines secure web gateway, cloud access security broker (CASB), zero-trust network access (ZTNA) and firewall services.

Prisma is widely deployed in larger, distributed enterprises, providing consistent security policies regardless of user location.

Recent product activities, including acquisitions in cloud monitoring and identity security, show Palo Alto is doubling down on integrated security beyond traditional appliances.

For organisations with complex hybrid networks and global reach, this unified approach can reduce gaps between network and cloud security.

Sophos

Sophos delivers its security services through Sophos XGS firewalls integrated with cloud management and synchronised protection with endpoint products.

The company has also moved into SASE-like offerings combining secure connectivity and visibility, though its approach is considered less fully featured than some leading rivals.

Sophos’s strength lies in ease of deployment and ongoing management through Sophos Central, which can be valuable for teams without dedicated security engineers.

So…

Palo Alto Networks provides a more feature-rich SASE suite with strong integration across cloud and network security, while Sophos offers a simpler set of SASE-aligned management features that can be easier to manage but may not cover all enterprise use cases.

Cost and Total Cost of Ownership

Cost is a big determinant for African enterprises with tight IT budgets.

Palo Alto Networks

Palo Alto products are typically higher priced. Licensing depends on throughput, feature sets and number of users. Support and subscription services add to long-term spend.

For enterprises with complex needs, the higher cost is usually justified by deep inspection and advanced analytics.

However, smaller organisations may find the licensing tiers and hardware requirements challenging to budget for.

Sophos

Sophos licences are bundled more broadly, with firewall, endpoint and some network protection included in single packages. This bundling can make budgeting more predictable.

Sophos is generally seen as more cost-friendly for small and mid-sized businesses, though total costs still depend on the scale of deployment and feature requirements.

In user comparisons, Sophos is described as offering a good return on investment for lean teams, while Palo Alto’s suite is positioned at the higher end of the market.

Deployment and Ongoing Management

Palo Alto Networks

Palo Alto firewalls provide extensive configuration options but can require specialist knowledge to deploy and tune correctly. For small teams without senior security engineers, this complexity can be a barrier.

Training and certification are widely available, but they add to total implementation time and cost.

Sophos

Sophos prioritises a centralised, cloud-managed console and is generally easier to deploy. Most basic policies can be enabled quickly, and integrated endpoint support simplifies configurations.

Sophos’s management interface is friendlier for smaller teams, though advanced customisation options may be more limited.

Support Ecosystem and Regional Presence

Local support and partner networks can greatly influence operational success.

Palo Alto has a global partner ecosystem, but certified partners in Africa are often focused on larger enterprises.

Sophos also has a widespread partner network and is frequently chosen by regional managed service providers because of its easier onboarding and training.

For African organisations without in-house expertise, the availability of certified resellers and support partners able to assist with deployment and maintenance is a key factor.

Palo Alto Networks is a strong choice for organisations with adequate security staff, larger networks and complex compliance requirements. Its threat prevention capabilities, SASE maturity and integration across cloud and network environments offer broad protection for sophisticated threats.

Sophos suits smaller enterprises and lean IT teams. It provides effective threat prevention, straightforward deployment and bundled features that offer predictable cost and management simplicity.

There is no one-size-fits-all answer. For tight budgets and limited staff, Sophos provides the best balance of security depth and operational ease.

For larger enterprises or those facing persistent advanced threats, Palo Alto’s richer feature set may justify the higher cost.

Sophos Advisory to Internet Users on Safer Internet Day 2026
https://techeconomy.ng/sophos-advisory-to-internet-users-on-safer-internet-day-2026/
Tue, 10 Feb 2026 04:50:37 +0000

Today (February 10) is Safer Internet Day, a day dedicated to raising awareness about digital usage.

Sophos, a global leader of innovative security solutions for defeating cyberattacks, shares its advice to internet users to ensure continuous protection of their credentials.

According to the upcoming Sophos Active Adversary Report, compromised credentials were the leading cause of attacks (42.06%) in 2025.

This is a strong trend that continues to dominate the scene, with cyber attackers demonstrating ever-increasing ingenuity and relying on new tools to compromise the security and privacy of internet users.

John Shier, Field CISO Threat Intelligence at Sophos, said:

“The way attackers are using automation and generative AI to massively increase the speed and volume of their attacks suggests that attacks will become faster and more sophisticated. The best approach to protecting our identities and digital data is to take a proactive stance on defense.”

“Criminals are increasingly targeting people rather than devices, and this trend is expected to continue and even accelerate. Once again, AI is being used as a weapon to create highly detailed phishing lures to entice people to disclose passwords or financial information through well-designed emails, text messages, and WhatsApp messages.”

1. Keep your devices up to date: the most important and simplest measure you can take to protect yourself in the long term.

Cybercriminals are constantly on the lookout for computers that don’t have all the latest security patches, making them easy targets for compromise.

This includes computers, laptops, smartphones, tablets, and home Internet/Wi-Fi routers. In most cases, you just need to click “Check for Updates” or “Update Now” and allow the device to restart.

2. Use a password management tool, whether it is built into an operating system or a third-party tool.

Password uniqueness and complexity are then managed automatically, greatly facilitating account isolation and protection.

3. Enhance protection with phishing-resistant multi-factor authentication (MFA).

Many websites offer the option of using an “authentication app,” a smartphone app that displays a unique code for a short period of time, which must be entered after the password, making it much more secure than simply using a password.

Better still, there is a new solution called “passkeys,” which generally uses biometric authentication on your smartphone (face scan, fingerprint) to log in without any password. This is the best choice when available.

John Shier concludes:

“Criminals will never stop trying to steal from us, so we must remain vigilant. We know that they are constantly improving and becoming more skilled at deceiving us, so it’s up to us to move forward and improve our protections to stay safe.”

Sophos XDR Delivers 100% Detection Coverage in the Latest MITRE ATT&CK Evaluation
https://techeconomy.ng/sophos-xdr-delivers-100-detection-coverage-in-the-latest-mitre-attck-evaluation/
Sat, 13 Dec 2025 10:33:35 +0000

Sophos, a global leader of innovative security solutions for defeating cyberattacks, has announced its best-ever results in the MITRE ATT&CK Enterprise 2025 Evaluation.

Sophos XDR detected 100% of adversary behaviours (sub-steps) across two complex attack scenarios: Scattered Spider, which Sophos X-Ops tracks as GOLD HARVEST, a financially motivated cybercriminal collective, and Mustang Panda, which Sophos X-Ops tracks as BRONZE PRESIDENT, a People’s Republic of China (PRC) espionage group.

The Scattered Spider scenario included activity across Windows, Linux, and AWS cloud environments, and the Mustang Panda scenario focused on Windows only.

Further, Sophos achieved the highest-possible “Technique”-level rating for 86 out of 90 total sub-steps in the evaluation, by generating high-fidelity detections with details on execution, impact, and adversary behaviour, providing clear who, what, when, where, how, and why insights.

Sophos XDR achieved:

  • 100% detection coverage for all 90 adversary sub-steps across two complex attack scenarios across Windows, Linux, and AWS cloud environments
  • Highest possible (“Technique”) ratings for 86 of 90 sub-steps, demonstrating deep visibility and actionable detections
  • Highest possible (“Technique”) ratings for 61 out of 62 sub-steps in the Scattered Spider scenario involving identity abuse, cloud exploitation, and data exfiltration

“Scattered Spider and Mustang Panda represent distinct threat profiles that challenge defenders in very different ways,” said Simon Reed, chief research and scientific officer, Sophos. “Achieving full detection coverage against both validates the accuracy and depth of Sophos’ analytics and demonstrates how the company’s AI-native XDR platform converts complex telemetry into clear, actionable intelligence, helping security teams detect, understand, and stop advanced attacks with confidence. Sophos’ consistently strong performance in these rigorous evaluations underscores the power and precision of our threat detection and response capabilities, and our commitment to stopping the world’s most sophisticated cyberthreats. Over the five years that Sophos has participated in ATT&CK Evaluations, we have continually invested in strengthening our platform, and that investment has translated into stronger results year after year – both in the evaluations, and in the security outcomes we deliver for our customers.”

These results demonstrate the power of the Sophos XDR platform to defend against sophisticated cyber threats. Every day, Sophos processes 223+ terabytes of telemetry in Sophos Central, generating 34+ million detections and automatically blocking 11+ million threats.

This scale of customer insights ensures that Sophos’ detections are being tested and improved to provide continuous protection while delivering stronger outcomes for organizations worldwide.

Understanding The Threat Actors

Sophos X-Ops has tracked GOLD HARVEST (Scattered Spider) since 2022, observing a loosely affiliated cybercriminal collective driven by both financial motives and a desire to elevate their reputations on underground forums.

Despite several arrests, operators and associates continue to launch high-profile attacks across the U.K. and U.S., at times partnering with major Russian-speaking ransomware groups.

Their sophisticated social engineering capabilities enable them to compromise even well-defended organizations, underscoring the importance of strong behavioural detections within modern security operations.

In parallel, Sophos X-Ops has monitored BRONZE PRESIDENT (Mustang Panda) for many years.

This long-running PRC espionage group conducts intelligence-led operations that align closely with priorities of China’s Ministry of State Security. Recent targeting includes activity against Tibetan communities surrounding the Dalai Lama’s 90th birthday, as well as intrusions on Thai government and military offices during periods of heightened regional tension.

BRONZE PRESIDENT remains one of the most active and persistent state-aligned threat actors operating today.

MITRE ATT&CK Evaluations are among the world’s most rigorous independent security tests.

They emulate the tactics, techniques, and procedures (TTPs) used by real-world adversaries to assess each participating vendor’s ability to detect, analyze, and articulate threats in alignment with the MITRE ATT&CK Framework.

These evaluations continually strengthen Sophos’ capabilities for the benefit of the organizations it protects. This was the seventh round of MITRE’s “Enterprise” ATT&CK Evaluation, a product-focused assessment designed to help organizations better understand how security operations solutions like Sophos EDR and Sophos XDR can help them defend against sophisticated, multi-stage attacks.

When evaluating EDR or XDR solutions, Sophos recommends reviewing MITRE ATT&CK Evaluations alongside other independent proof points.

Sophos: Manufacturing Sector Sees Drop in Ransomware, But Spike in Data Theft
https://techeconomy.ng/sophos-manufacturing-sector-sees-drop-in-ransomware-but-spike-in-data-theft/
Fri, 05 Dec 2025 15:26:04 +0000

Quick Read:
  • Manufacturing experienced a 40% encryption rate, reflecting stronger early detection
  • Attackers escalated data theft and extortion to maintain leverage
  • Sophos X-Ops reported Akira, Qilin and PLAY among the most prominent ransomware groups targeting manufacturing

Sophos, a global leader of innovative security solutions for defeating cyberattacks, has announced new findings from the Sophos State of Ransomware in Manufacturing and Production 2025 report.

The study reveals that manufacturers are stopping more ransomware attacks before data can be encrypted; however, adversaries are increasingly stealing data and using extortion-only tactics to maintain pressure.

As a result, more than half of manufacturing organizations impacted by encryption paid the ransom despite progress in defensive measures. The report is based on an independent survey of 332 manufacturing organizations that were hit by ransomware in the last year.

The Sophos State of Ransomware in Manufacturing and Production report found:

  • Encryption rates are falling, but adversaries are shifting tactics: 40% of attacks on manufacturers resulted in data encryption, the lowest level in five years and down from 74% last year. However, extortion-only attacks surged to 10% from just 3% in 2024 as attackers increase their reliance on data theft for leverage.
  • Data theft remains a significant concern: 39% of manufacturers that experienced encryption also had data stolen, one of the highest rates across all surveyed sectors.
  • More organizations are stopping attacks before encryption: 50% of manufacturing organizations stopped the attack before data could be encrypted, more than double last year’s 24%.
  • Expertise shortfalls and inadequate protection fuel attacks: Lack of expertise was cited by 42.5% of organizations. Unknown security gaps were cited by 41.6%, and a lack of protection by 41%. Respondents identified an average of three internal factors that contributed to the attack.
  • More than half of manufacturers with encrypted data paid the ransom: 51% of affected organizations paid the ransom. The median ransom paid was $1 million, compared to a median demand of $1.2 million.
  • Recovery costs and timelines are improving: The average cost to recover from a ransomware attack, excluding ransom payment, declined by 24% to $1.3 million. 58% of manufacturers fully recovered within one week, up from 44% last year.
  • Ransomware incidents affect IT and security teams: 47% of manufacturers reported increased team stress after experiencing data encryption. 44% said pressure from senior leaders increased, and 27% reported leadership change as a result of the attack.

“Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains,” said Alexandra Rose, Director of Threat Research, Sophos Counter Threat Unit. “Attackers exploit this pressure: despite encryption rates falling to 40%, the median ransom paid still reached $1 million. While half of manufacturers stopped attacks before encryption, recovery costs average $1.3 million and leadership stress remains high. Layered defenses, continuous visibility, and well-rehearsed response plans are essential to reduce both operational impact and financial risk.”

What Sophos is Seeing in Manufacturing

Over the past twelve months, Sophos X-Ops has observed ransomware activity across leak sites and found that 99 distinct threat groups targeted manufacturing organizations. The most prominent groups targeting manufacturing organizations based on leak site observations are GOLD SAHARA (Akira), GOLD FEATHER (Qilin) and GOLD ENCORE (PLAY).

Reflecting the trends revealed in the report, in over half of the ransomware incidents that Sophos Emergency Incident Response was brought in to remediate, attackers both stole and encrypted data, highlighting the use of double extortion tactics where data is held for ransom and threatened with release on a leak site.

Strengthening Defenses for the Long Term

Based on its experience protecting manufacturing organizations worldwide, Sophos recommends the following best practices to help businesses stay ahead of ransomware and other cyberthreats:

  • Eliminate Root Causes: Take proactive steps to address common technical and operational weaknesses, such as exploited vulnerabilities, that adversaries frequently target. Solutions like Sophos Managed Risk can help organizations assess their exposure and reduce risk across their environments.
  • Defend Every Endpoint: Ensure all endpoints, including servers, are protected with dedicated anti-ransomware defenses to prevent attacks from gaining a foothold.
  • Plan and Prepare: Establish and routinely test a comprehensive incident response plan. Maintain reliable backups and practice data restoration regularly to minimize downtime in the event of an attack.
  • Monitor Around the Clock: Continuous visibility is essential. Organizations without in-house resources can strengthen their resilience by partnering with a trusted Managed Detection and Response (MDR) provider for 24/7 threat monitoring and expert response.
Sophos Brings Advanced Cyber Intelligence to Microsoft Security Copilot and Microsoft 365 Copilot
https://techeconomy.ng/sophos-brings-advanced-cyber-intelligence-to-microsoft-copilot/
Wed, 19 Nov 2025 16:30:28 +0000

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today announced the general availability of new integrations that connect Sophos Intelix, its robust repository of cyber threat intelligence, with Microsoft Security Copilot and Microsoft 365 Copilot.

Introduced at the Microsoft Ignite Conference in San Francisco, the integrations give organizations of all sizes real-time access to Sophos threat intelligence within Microsoft’s AI-powered environments, helping them strengthen defenses and respond to threats more effectively.

Every day, Sophos processes more than 223 terabytes of telemetry in its Sophos Central platform, generating over 34 million detections and automatically blocking more than 11 million threats.

This global scale of customer insight continuously informs Sophos products and services and fuels the intelligence within Sophos Intelix, now accessible for free to users of Microsoft Security Copilot and Microsoft 365 Copilot.

This milestone underscores Sophos’ mission to empower every organization with resilient, intelligent cybersecurity and to democratize cybersecurity for organizations of all sizes, meeting them wherever they are in their cybersecurity journey, within the Microsoft Copilot ecosystem.

Sophos Intelix for Microsoft Security Copilot

Sophos Intelix provides advanced threat context and enrichment capabilities directly into Microsoft Security Copilot, Microsoft’s generative AI assistant for Security Operation Center (SOC) and IT teams.

Security Copilot connects data across Microsoft Defender, Sentinel, Intune, Entra, and Purview, allowing analysts and expert users to query and investigate threats using natural language enriched with Sophos’ insights from protecting more than 600,000 organizations.

These teams are often protecting organizations 24/7/365 and require the latest intelligence at their fingertips at all times to protect their organization.

Through this integration, security analysts and IT teams can:

  • Enrich alerts and triage incidents faster using Sophos Intelix intelligence and services including sandbox detonation and dynamic analysis.
  • Investigate indicators of compromise (IOCs) with file, URL, and IP reputation lookups.
  • Access global insights and prevalence data from Sophos X-Ops directly within Security Copilot.

Sophos Intelix will also be available in Microsoft’s new Security Store for third-party agents, MCP services, and APIs.

Sophos Intelix for Microsoft 365 Copilot 

Sophos Intelix also integrates with Microsoft 365 Copilot, making comprehensive threat intelligence available and accessible for the masses within everyday Microsoft productivity tools such as Teams and Microsoft 365 Copilot Chat.

With Sophos Intelligence in Microsoft 365, IT administrators, risk managers, and business users can:

  • Query Sophos threat intelligence in natural language directly within Microsoft 365 Copilot Chat and Microsoft Teams.
  • Check whether links, files, or domains are associated with known malicious activity.
  • Strengthen cyber awareness and decision-making abilities within productivity tools they’re using daily.

By embedding these capabilities into Microsoft 365 Copilot, Sophos helps organizations of all sizes make faster, better-informed security decisions without leaving their workflow.

This integration doubles down on Sophos’ vision to democratize access to advanced cybersecurity insights, giving Microsoft 365 Copilot users the same level of intelligence leveraged by sophisticated SOC teams.

Microsoft Agent 365 Capabilities for Sophos Intelix

Sophos Intelix will also integrate with Microsoft’s growing Copilot and agent ecosystem, extending Sophos intelligence across the Microsoft 365 ecosystem.

Powered by Entra-based identity management, this integration enables organizations to bring Sophos Intelix into their agent portfolio with full observability and compliance.

Microsoft Agent 365 serves as the control plane for AI agents, allowing organizations to extend their existing infrastructure, applications, and protections to agents, while using familiar capabilities that have been adapted to agent needs.

Together, these integrations further strengthen Sophos’ commitment to delivering advanced intelligence wherever organizations operate within the Microsoft agent ecosystem.

Meeting the Growing Demands of Defenders 

AI is transforming industries worldwide, and cybersecurity is no exception. Security teams are flooded with alerts yet often lack the resources to keep pace, with small and mid-sized businesses most affected.

In the Sophos Addressing the Cybersecurity Skills Shortage in SMBs report, 96 percent of respondents reported difficulties investigating suspicious alerts and 75 percent struggled to remediate incidents quickly.

At the same time, attackers are accelerating: the Sophos Active Adversary Report 2025 found that data exfiltration begins in just three days on average, with a median of only 2.7 hours between exfiltration and detection, and attackers can reach Active Directory in as little as 11 hours. These findings underscore the urgent need for defenders to adopt faster, more effective ways of analyzing and investigating alerts.

Powered by Deep Intelligence

By exposing Sophos Intelix within the Microsoft Copilot ecosystem, Sophos makes threat intelligence universally accessible, helping organizations accelerate analysis, reduce response time, and improve security outcomes.

“The Microsoft Copilot ecosystem is transforming how people interact with technology by bringing natural language interfaces into the core of its Copilot ecosystem,” said Simon Reed, Chief Scientific Research Officer, Sophos. “The future of SOC productivity is moving beyond the graphical user interfaces we’ve relied on since the 1980s, toward a new paradigm of human–AI collaboration. AI assistants powered by expansive datasets, deep threat intelligence, and advanced systems are fundamentally reshaping how analysts work. By making Sophos threat intelligence available through both Microsoft Security Copilot and Microsoft 365 Copilot, we’re giving defenders faster, more natural access to insights that help them respond to threats with speed, precision, and confidence.”

“AI is the force multiplier for defenders, and when partners like Sophos bring their agentic innovation into the Microsoft Copilot ecosystem, the impact is exponential. Together, we’re not just building tools—we’re creating a new era of intelligent, collaborative cyber defense,” said Vasu Jakkal, Corporate Vice President, Microsoft Security.

To learn more about Sophos Intelix integrations for Microsoft Security Copilot, Microsoft 365 Copilot, Microsoft Copilot Studio for creators, and Microsoft Agent 365, check here.

10 Things We Learned from the Sophos State of Ransomware in Retail 2025
https://techeconomy.ng/10-things-we-learned-from-the-sophos-state-of-ransomware-in-retail-2025/
Wed, 05 Nov 2025 05:00:38 +0000

The latest Sophos State of Ransomware in Retail report paints a mixed picture for the global retail sector, a landscape where cybercriminals continue to evolve even as defenders grow more resilient.

Here are 10 key takeaways from this year’s findings:

1. Unknown Security Gaps Still Dominate

Nearly half (46%) of retail ransomware incidents were traced back to previously unknown vulnerabilities, highlighting major visibility and risk assessment challenges within retail IT environments.

2. Known Flaws Remain an Open Door

For the third consecutive year, exploiting known vulnerabilities ranked as the top technical cause of ransomware attacks, proving that patch management remains a weak link for many retailers.

3. Ransom Payments Are Rising

A staggering 58% of retailers with encrypted data admitted to paying the ransom, marking one of the highest payment rates in five years.

4. Ransom Demands Double

The median ransom demand soared to $2 million, doubling from 2024, while the average payment climbed to $1 million, a 5% increase.

5. Encryption Rates Hit a Five-Year Low

There’s a silver lining: only 48% of attacks now result in data encryption, the lowest figure in five years. Retailers are getting better at detecting and stopping attacks midstream.

6. Extortion-Only Attacks Are Rising

Even as encryption declines, extortion-only attacks, where hackers steal and threaten to leak data, have tripled from 2% in 2023 to 6% in 2025.

7. Recovery Costs Are Falling

The average cost of recovery, excluding ransom payments, dropped 40% to $1.65 million, the lowest in three years, a positive sign that incident response and resilience strategies are improving.

8. Limited Expertise Still Hurts Defenses

45% of respondents cited limited in-house cybersecurity expertise as a major weakness, followed closely by gaps in protection coverage (44%). Skills shortage remains a top operational challenge.

9. Human and Leadership Impact is Growing

Beyond financial loss, ransomware is taking a human toll. 47% of IT teams reported increased stress post-attack, and 26% of retailers replaced leadership teams after data encryption incidents.

10. Ransomware Groups Are Expanding Their Reach

Sophos tracked nearly 90 ransomware or extortion groups targeting retailers in the past year, with Akira, Cl0p, Qilin, PLAY, and Lynx among the most active.

The Bottom Line

The Sophos report underscores a critical truth: while retailers are becoming more prepared, attackers are also adapting. Proactive visibility, skilled personnel, and 24/7 threat monitoring are no longer optional; they’re essential.

Sophos Endpoint Now Integrated with Taegis MDR and XDR Strengthening Cybersecurity ROI
https://techeconomy.ng/sophos-endpoint-now-integrated-with-taegis-mdr-and-xdr/
Wed, 03 Sep 2025 09:26:19 +0000

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today announced that Sophos Endpoint is now natively integrated and automatically included in all Taegis Extended Detection and Response (XDR) and Taegis Managed Detection and Response (MDR) subscriptions.

This milestone gives customers immediate access to combined prevention, detection, and response capabilities in a single platform, while lowering costs and simplifying operations.

The integration follows Sophos’ acquisition of Secureworks in February 2025 and represents a major milestone in combining the companies’ strengths to help customers defeat cyberattacks with a higher ROI.

Endpoint protection remains one of the most critical layers of defense against today’s cyberthreats, delivering both frontline prevention and vital telemetry for detection and response.

With Sophos Endpoint included in all new and existing Taegis XDR and MDR subscriptions, customers can benefit from unmatched ransomware defenses and adversary mitigation capabilities that automatically deploy in the event of an attack.

The integration enables organizations to strengthen protection while lowering licensing costs, reduce management overhead through native integration, and accelerate threat mitigation with expanded response actions.

Taegis remains a fully open platform, ensuring customers continue to receive full value from their existing cybersecurity investments and maintain the freedom to use the endpoint protection solution of their choice.

This ensures that customers maximize ROI while allowing room in their budget for other cybersecurity priorities.

“Integrating Sophos Endpoint with Taegis delivers a best-in-class unified protection, detection, investigation, and response platform – while also reducing customer costs,” said Raja Patel, chief product officer at Sophos. “Too many organizations still treat endpoint protection like a commodity, and that’s exactly the mistake attackers are counting on. The reality is, not all endpoint products are built to stop today’s hands-on-keyboard attacks. Sophos Endpoint’s prevention-first capabilities, like CryptoGuard anti-ransomware protection and Adaptive Attack Protection, shut down attacks before they can escalate, which is a true game changer for enterprises managing thousands of devices. And by simplifying deployment and policy management, we’re helping organizations stay ahead of threats, lower their total cost of ownership, and maximize the return on their security investments.”

Key benefits for Taegis customers include:

  • Lower costs and improved ROI: Sophos Endpoint is now automatically included with all Taegis XDR and Taegis MDR subscriptions, eliminating the need to purchase a separate endpoint security solution.
  • Vendor choice preserved: Taegis remains an open platform, allowing organizations to continue using their preferred endpoint solution.
  • Industry-leading protection: A 16-time leader in the Gartner® Magic Quadrant™ for Endpoint Protection Platforms, Sophos Endpoint provides unmatched defense against ransomware and other advanced threats, with features such as CryptoGuard and Adaptive Attack Protection, accessible directly from the Taegis console.
  • Workflow continuity: Telemetry and detections from Sophos Endpoint are ingested into the Taegis platform, allowing customers to retain existing detection and response workflows.
  • Simplified management: Customers can download, install and manage Sophos Endpoint directly from Taegis.

To support a range of environments, customers can now choose between three deployment options for endpoint protection:

  • Sophos Endpoint: Natively integrated for comprehensive prevention, detection, and response in a single agent.
  • Non-Sophos native integrations: Telemetry ingestion ensures full visibility from products such as CrowdStrike, Microsoft Defender, SentinelOne and Carbon Black by Broadcom.
  • Other non-Sophos endpoint security solutions: Supported through a detection-only sensor deployment option.

“This integration expands the value and flexibility we deliver to customers and partners,” said Chris Bell, senior vice president of Global Channel, Alliances and Corporate Development at Sophos. “By including Sophos Endpoint in Taegis, organizations gain stronger protection, reduced costs and simplified operations. For partners, it creates new opportunities to help customers consolidate tools, drive renewals and expand enterprise relationships.”

State of Ransomware 2025: Sophos Finds Median Ransom Payment Now $1 Million
https://techeconomy.ng/state-of-ransomware-2025-sophos-finds-median-ransom-payment-now-1-million/
Tue, 24 Jun 2025 16:02:45 +0000

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today released its sixth annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries that studies the impact of ransomware attacks on businesses.

This year’s survey found that nearly 50% of companies paid the ransom to get their data back – the second highest rate of ransom payment for ransom demands in six years.

Despite the high percentage of companies that paid the ransom, over half – 53% – paid less than the original demand.

In 71% of cases where the companies paid less, they did so through negotiation – either through their own negotiations or with help from a third party.

In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimizing the impact of ransomware.

Overall, the median ransom payment was one million dollars, although the initial demand varied significantly depending on organization size and revenue.

The median ransom demand for companies with over $1 billion in revenue was five million dollars, while organizations with $250 million in revenue or less saw median ransom demands of less than $350,000.

For the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks, while 40% of ransomware victims said adversaries took advantage of a security gap that they were not aware of – highlighting organizations’ ongoing struggle to see and secure their attack surface.

Overall, 63% of organizations said resourcing issues were a factor in them falling victim to the attack, with lack of expertise named as the top operational cause in organizations with more than 3,000 people and lack of people/capacity most frequently cited by those with 251-500 employees.

“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director, field CISO, Sophos.

“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”

Additional Key Findings from the State of Ransomware 2025 Report:

  • More Companies are Stopping Attacks in Progress: 44% of companies were able to stop the ransomware attack before data was encrypted – a six-year high. Data encryption was also at a six-year low with only half of companies having their data encrypted.
  • Backup Use is Down: Only 54% of companies used backups to restore their data – the lowest percentage in six years.
  • Silver Lining: Ransomware Payments and Recovery Costs are on the Decline: The average cost of recovery dropped from $2.73 million in 2024 to $1.53 million in 2025. While ransom payments are high, they declined by 50% from $2 million in 2024 to $1 million in 2025.
  • Ransom Payments Vary by Industry: State and local government reported paying the highest median amount ($2.5 million), while healthcare reported the lowest ($150,000).
  • Companies are Getting Faster at Recovery: Over half (53%) of organizations fully recovered from a ransomware attack in a week – up from 35% last year. Only 18% took more than a month to recover – down from 34% in 2024.
Identity Management Day: Sophos Lists Five Automated Measures to Protect Against Identity Theft
https://techeconomy.ng/sophos-lists-five-automated-measures-to-protect-against-identity-theft/
Wed, 09 Apr 2025 15:05:21 +0000

According to reports from the Identity Defined Security Alliance (IDSA) and the Ponemon Institute, 79% of data breaches are linked to identity theft and cost businesses an average of $4.5 million.

Additionally, the 2025 edition of the Sophos Active Adversary Report reveals that the average time between the start of an attack and data exfiltration is only 72.98 hours (3.04 days), while the average time between exfiltration and attack detection is just 2.7 hours.

Cyberattacks are becoming increasingly fast, and the longer a compromised identity remains active, the greater the potential damage.

In light of this, Sophos, one of the world’s leading providers of innovative security solutions designed to neutralize cyberattacks, is taking advantage of Identity Management Day, which takes place on Tuesday, April 8, 2025, to remind businesses of the best practices they should follow to manage and secure digital identities.

Cybercriminals can use a compromised identity to access confidential information, steal data, move laterally within the organization, and launch further attacks.

It is therefore crucial to take immediate action to contain breaches and minimize their consequences.

In this context, automation plays a key role by enabling organizations to respond quickly and effectively to identity-related threats.

Five Automated Measures to Protect Against Identity Theft

1. Disable the User

When an identity breach is detected, one of the first steps is to disable the compromised user account. By preventing the attacker from using the stolen identity to access company systems and data, this measure outpaces the hacker and helps contain the breach.

Automation significantly speeds up this process. With automated response tools, businesses can quickly identify compromised accounts and disable them in real-time. This reduces the attack window and minimizes potential damage.

2. Force Password Reset

Passwords are often the first line of defense against unauthorized access attempts. In the event of an identity breach, it is essential to immediately force a password reset for the compromised account to prevent hackers from using stolen credentials.

Automated rules can be set up to trigger an instant password reset as soon as a breach is detected. This saves time and ensures that the reset process is initiated without delay, reducing the risk of further unauthorized access attempts.

3. Force Multi-Factor Authentication (MFA) Reset

Multi-factor authentication (MFA) adds an extra layer of security by requiring users to enter a verification code in addition to their password. If an identity breach occurs, it is crucial to reset MFA for the compromised account.

This means that the user will have to re-authenticate using their MFA tool, which automatically invalidates any stolen authentication tokens the attacker may have acquired.

Automated rules can trigger the refresh of MFA tokens, ensuring that compromised accounts are quickly reauthenticated. This prevents cybercriminals from using stolen authentication tokens to access company systems.

4. Lock the Account

Locking a compromised account prevents hackers from attempting to use it until the issue is resolved.

This also gives the organization time to investigate the breach and apply the necessary corrective measures.

Automation streamlines the account locking process, allowing businesses to lock compromised accounts as soon as a breach is detected. This immediate response helps contain the breach and blocks further unauthorized access attempts.

5. Revoke Active Sessions

In addition to disabling the user account and forcing a password reset, it is essential to revoke all active sessions associated with the compromised identity.

This ensures that the attacker is immediately logged out of all systems they accessed using stolen credentials.

Automated actions can be configured to revoke active sessions in real-time, instantly disrupting any unauthorized access. This is a critical measure to neutralize the breach and prevent further malicious activity.

Sophos Seals Strategic Partnership with Pax8
https://techeconomy.ng/sophos-seals-strategic-partnership-with-pax8/
Thu, 20 Feb 2025 13:33:25 +0000

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today announced a strategic partnership with Pax8, the leading cloud commerce marketplace.

The collaboration introduces the most comprehensive portfolio of cybersecurity solutions available to Pax8’s network of more than 40,000 managed service providers (MSPs).

MSPs in the Pax8 network now have a complete one-stop shop of best-in-class cybersecurity solutions available from a single vendor – including Sophos Managed Detection and Response (MDR), Sophos Endpoint powered by Intercept X and Sophos Firewall.

This revolutionizes opportunities for channel partners to streamline operations, simplify billing and significantly reduce the complexity of cybersecurity management across customers.

According to the Sophos MSP Perspectives 2024 report, MSPs that consolidate their security stack with a single vendor can cut daily security management time by nearly 50% – a savings that jumps to 69% for those juggling six or more security vendors.

By partnering with Pax8, Sophos is removing a key operational barrier for MSPs, enabling them to seamlessly manage cybersecurity through a single vendor platform trusted by 600,000 organizations to streamline solution integration and enhance efficiency while strengthening their security posture and simplifying cloud procurement cycles.

“Sophos and Pax8 are strongly aligned in our mission to empower MSPs with best-in-class end-to-end security services and products while simplifying lifecycle management of these solutions and reducing operational overhead. MSPs want to align with vendors who are easy to work with and this agreement will make it even easier for MSPs to work with Sophos, something we’ve long been committed to,” said Joe Levy, CEO of Sophos. “With cybersecurity, speed and innovation are essential for defending against attackers. This partnership with Pax8 accelerates MSP access to critical cybersecurity tools, enabling them to better protect their customers in an increasingly complex and volatile threat landscape.”

Key advantages of the Sophos and Pax8 partnership for MSPs include:

  • Driving new revenue opportunities for partners by providing the most comprehensive portfolio of security offerings by a single vendor on the Pax8 Marketplace.
  • Reducing overhead costs and freeing up partners’ billable hours by simplifying procurement and billing via a fully integrated Pax8 Marketplace experience.
  • Empowering partners with seamless experiences through coordinated MSP enablement, support and sales training initiatives.
  • Compatible and comprehensive 24/7 security for MSPs’ Microsoft Defender customers with Sophos’ MDR service for Microsoft environments.

“MSPs today need solutions that align with the way they operate—cloud-first, flexible and easy to manage at scale. Pax8 is revolutionizing the way MSPs access and deploy cloud-based solutions, and cybersecurity is an important piece of the overall stack,” said Scott Chasin, chief executive officer of Pax8. “By bringing Sophos’ innovative security offerings to our marketplace, Pax8 is providing our partners with access to enterprise-grade security solutions for their SMB customers in a way that simplifies management, reduces risk and drives profitability.”

Comprehensive Security, Unparalleled Efficiency

“MSPs say they could cut day to day management time almost in half by consolidating on a single cybersecurity platform – and Sophos enables them to achieve that goal. By managing all their customers’ cybersecurity in the cloud-based Sophos Central platform, MSPs can reduce workload and free up valuable billing hours,” said Raja Patel, Chief Product Officer, Sophos. “What’s more, with a complete portfolio of Sophos cybersecurity solutions at their fingertips, Pax8 MSPs enjoy extensive opportunities to sell additional revenue-generating products and services that meet their clients’ evolving cybersecurity needs.”

Backed by real-time threat intelligence from Sophos X-Ops, a global team of elite threat hunters and security analysts, Sophos’ solutions provide proactive, AI-driven protection against cyberattacks.

As the leading pure-play cybersecurity provider of MDR services, Sophos protects over 28,000 organizations globally. Insights from Sophos MDR further strengthen security by providing MSPs and their customers with unparalleled protection.

Automated threat detection, managed response, and deep security insights across Sophos’s portfolios equip MSPs to enhance defenses, minimize risk exposure, deliver enterprise-grade protection and cut through the noise to reduce management complexity.

Better security for Microsoft environments

More than 60% of Sophos MDR’s customers are managed via MSPs, giving Sophos unparalleled insights into attacks on MSP-managed environments.

Sophos leverages these learnings to update customers’ defenses in real-time, optimizing their protection from ever-evolving attacks and providing peace of mind to both clients and partners.

Furthermore, with Sophos’s robust MDR service for Microsoft environments, Pax8 MSPs can elevate the security of clients using Microsoft Defender while enabling their customers to see greater return on their Microsoft investments.

The Sophos MDR service through Pax8 supports MSPs in several ways. They can either leverage Sophos’ managed service completely or use it to augment their customers’ in-house department, including coverage on nights and weekends, which are critical times to defend networks because that is when attackers often strike. For MSPs that provide in-house MDR services, the new AI Assistant in Sophos XDR enables operators of all skill levels to neutralize adversaries faster with existing threat investigation and response intelligence from frontline Sophos MDR analysts.

Availability

The Sophos offering will be available on the Pax8 Marketplace starting February 28, 2025. Pax8 partners interested in learning more about Sophos offerings coming to the Pax8 Marketplace can learn more and sign up at www.sophos.com/msp.
