
Sophos Workload Protection

Licensing Guide
Intercept X for Server, XDR, Cloud Native Security, and MTR Overview
Managed by Sophos Central

Products compared (table columns, left to right; a ✔ marks the feature as included):
1. Intercept X Essentials for Server
2. Intercept X Advanced for Server
3. Intercept X Advanced for Server with XDR
4. Cloud Native Security
5. Intercept X Advanced for Server with MTR Standard
6. Intercept X Advanced for Server with MTR Advanced

Features
Management

Multiple Policies ✔ ✔ ✔ ✔ ✔

Controlled Updates ✔ ✔ ✔ ✔ ✔

Attack Surface Reduction

Application Control ✔ ✔ ✔ ✔ ✔

Peripheral Control ✔ ✔ ✔ ✔ ✔

Web Control / Category-based URL blocking ✔ ✔ ✔ ✔ ✔

Application Whitelisting (Server Lockdown) ✔ ✔ ✔ ✔ ✔

Download Reputation ✔ ✔ ✔ ✔ ✔ ✔

Web Security ✔ ✔ ✔ ✔ ✔ ✔

Before It Runs On Device

Deep Learning Malware Detection ✔ ✔ ✔ ✔ ✔ ✔

Anti-Malware File Scanning ✔ ✔ ✔ ✔ ✔ ✔

Live Protection ✔ ✔ ✔ ✔ ✔ ✔

Pre-execution Behavior Analysis (HIPS) ✔ ✔ ✔ ✔ ✔ ✔

Potentially Unwanted Application (PUA) Blocking ✔ ✔ ✔ ✔ ✔ ✔

Intrusion Prevention System (IPS) ✔ ✔ ✔ ✔ ✔ ✔

Stop Running Threat

Data Loss Prevention ✔ ✔ ✔ ✔ ✔

Runtime Behavior Analysis (HIPS) ✔ ✔ ✔ ✔ ✔ ✔

Antimalware Scan Interface (AMSI) ✔ ✔ ✔ ✔ ✔ ✔


Malicious Traffic Detection (MTD) ✔ ✔ ✔ ✔ ✔ ✔

Exploit Prevention (details under Sophos Protection Overview) ✔ ✔ ✔ ✔ ✔ ✔

Active Adversary Mitigations (details under Sophos Protection Overview) ✔ ✔ ✔ ✔ ✔ ✔

Ransomware File Protection (CryptoGuard) ✔ ✔ ✔ ✔ ✔ ✔

Disk and Boot Record Protection (WipeGuard) ✔ ✔ ✔ ✔ ✔ ✔

Man-in-the-Browser Protection (Safe Browsing) ✔ ✔ ✔ ✔ ✔ ✔

Enhanced Application Lockdown ✔ ✔ ✔ ✔ ✔ ✔

Detect

Live Discover (Cross Estate SQL Querying for Threat Hunting & IT Security Operations Hygiene) ✔ ✔ ✔ ✔

SQL Query Library (pre-written, fully customizable queries) ✔ ✔ ✔ ✔

Fast Access, On-disk Data Storage (up to 90 days) ✔ ✔ ✔ ✔

Cross-product Data Sources e.g. Firewall, Email ✔ ✔ ✔ ✔

Prioritized List of Detections ✔ ✔ ✔ ✔

Sophos Data Lake (Cloud data storage) 30 days 30 days 30 days 30 days

Scheduled Queries ✔ ✔ ✔ ✔

Container Runtime Visibility and Detections ✔ ✔ ✔ ✔

Investigate

Threat Cases (Root Cause Analysis) ✔ ✔ ✔ ✔ ✔

Deep Learning Malware Analysis ✔ ✔ ✔ ✔

Advanced On-demand SophosLabs Threat Intelligence ✔ ✔ ✔ ✔

Forensic Data Export ✔ ✔ ✔ ✔

AI-guided Investigations ✔ ✔ ✔ ✔

Remediate

Automated Malware Removal ✔ ✔ ✔ ✔ ✔ ✔

Synchronized Security Heartbeat ✔ ✔ ✔ ✔ ✔ ✔

Sophos Clean ✔ ✔ ✔ ✔ ✔ ✔

Live Response (Remote Terminal Access for further investigation and response) ✔ ✔ ✔ ✔

On-demand Server Isolation ✔ ✔ ✔ ✔

Single-click “Clean and Block” ✔ ✔ ✔ ✔

Container Runtime Visibility and Detections ✔ ✔ ✔ ✔

Control

Synchronized Application Control (visibility of applications) ✔ ✔ ✔ ✔ ✔ ✔

Update Cache and Message Relay ✔ ✔ ✔ ✔ ✔ ✔

Automatic Scanning Exclusions ✔ ✔ ✔ ✔ ✔ ✔

File Integrity Monitoring ✔ ✔ ✔ ✔

Cloud Environments

Cloud Environment Monitoring: AWS, Azure, GCP, Kubernetes, IaC and Docker Hub registries  One per provider | One per provider | Unlimited | One per provider | One per provider

Security Monitoring (CSPM best practice rules)  Daily scans | Daily scans | Scheduled, daily and on-demand scans | Daily scans | Daily scans

Asset Inventory ✔ ✔ ✔ ✔ ✔

Advanced Search Capabilities ✔ ✔ ✔ ✔ ✔

AI-powered Anomaly Detection ✔ ✔ ✔ ✔ ✔

SophosLabs Intelix Malicious Traffic Alerts ✔ ✔ ✔ ✔ ✔

Email Alerts ✔ ✔ ✔ ✔ ✔

AWS Native Service Integrations (Amazon GuardDuty, AWS Security Hub, Amazon Inspector etc.) ✔ ✔ ✔ ✔ ✔

Azure Native Service Integrations (Azure Sentinel and Advisor) ✔ ✔ ✔ ✔ ✔

Cloud Workload Protection: Sophos Intercept X Server agent discovery ✔ ✔ ✔ ✔ ✔

Cloud Workload Protection: Automatic Sophos Intercept X Server agent removal ✔ ✔ ✔ ✔ ✔

Compliance Policies and Reports  CIS Benchmarks | CIS Benchmarks | CIS Benchmarks, ISO 27001, EBU R 143, FEDRAMP, FFIEC, GDPR, HIPAA, PCI DSS, SOC2, Sophos Best Practices | CIS Benchmarks | CIS Benchmarks

Custom Policies ✔

Network Visualization ✔ ✔ ✔ ✔ ✔

IAM Visualization ✔ ✔ ✔ ✔ ✔

Spend Monitor ✔ ✔ ✔ ✔ ✔

Alert Management Integrations (Jira, ServiceNow, Slack, Teams, PagerDuty, Amazon SNS) ✔ ✔ ✔ ✔ ✔

SIEM Integrations (Splunk, Azure Sentinel) ✔ ✔ ✔ ✔ ✔

REST API ✔ ✔ ✔ ✔ ✔

Infrastructure as Code Template Scanning ✔ ✔ ✔ ✔ ✔

Environment Access Control ✔ ✔ ✔ ✔ ✔

Container image scanning (ECR, ACR, Docker Hub, API) ✔ ✔ ✔ ✔ ✔

Managed Service

24/7 Lead-driven Threat Hunting ✔ ✔

Security Health Checks ✔ ✔

Data Retention ✔ ✔

Activity Reporting ✔ ✔

Adversarial Detections ✔ ✔

Threat Neutralization & Remediation ✔ ✔

24/7 Lead-less Threat Hunting ✔

Threat Response Team Lead ✔

Direct Call-in Support ✔

Proactive Security Posture Management ✔

Ransomware File Protection (CryptoGuard) ✔



Operating System Feature Comparison


Features Windows Linux*

Management

Multiple Policies ✔ ✔

Controlled Updates ✔ ✔

Attack Surface Reduction

Web Security ✔

Download Reputation ✔

Web Control / Category-based URL blocking ✔

Peripheral Control ✔

Application Control ✔

Application Whitelisting (Server Lockdown) ✔

Before It Runs On Device

Deep Learning Malware Detection ✔ ✔

Anti-Malware File Scanning ✔ ✔

Live Protection ✔ ✔

Pre-execution Behavior Analysis (HIPS) ✔

Potentially Unwanted Application (PUA) Blocking ✔

Intrusion Prevention System (IPS) ✔

Stop Running Threat

Data Loss Prevention ✔

Runtime Behavior Analysis (HIPS) ✔

Antimalware Scan Interface (AMSI) ✔

Malicious Traffic Detection (MTD) ✔ See note

Exploit Prevention (details under Sophos Protection Overview) ✔

Active Adversary Mitigations (details under Sophos Protection Overview) ✔

Ransomware File Protection (CryptoGuard) ✔

Disk and Boot Record Protection (WipeGuard) ✔

Man-in-the-Browser Protection (Safe Browsing) ✔

Enhanced Application Lockdown ✔


Detect

Live Discover (Cross Estate SQL Querying for Threat Hunting & IT Security Operations Hygiene) ✔ ✔

SQL Query Library (pre-written, fully customizable queries) ✔ ✔

Fast Access, On-disk Data Storage (up to 90 days) ✔ ✔

Cross-product Data Sources e.g. Firewall, Email ✔ ✔

Prioritized List of Detections ✔ ✔

Sophos Data Lake (Cloud data storage) ✔ ✔

Scheduled Queries ✔ ✔

Container Runtime Visibility and Detections ✔

Investigate

Threat Cases (Root Cause Analysis) ✔

Deep Learning Malware Analysis ✔

Advanced On-demand SophosLabs Threat Intelligence ✔

Forensic Data Export ✔

AI-guided Investigations ✔ ✔

Remediate

Automated Malware Removal ✔

Synchronized Security Heartbeat ✔ See note

Sophos Clean ✔

Live Response (Remote Terminal Access for further investigation and response) ✔ ✔

On-demand Server Isolation ✔

Single-click “Clean and Block” ✔

Control

Synchronized Application Control (visibility of applications) ✔

Update Cache and Message Relay ✔

Automatic Scanning Exclusions ✔


File Integrity Monitoring ✔

Managed Service

24/7 Lead-driven Threat Hunting ✔ ✔

Security Health Checks ✔ ✔

Data Retention ✔ ✔

Activity Reporting ✔ ✔

Adversarial Detections ✔ ✔

Threat Neutralization & Remediation ✔ ✔

24/7 Lead-less Threat Hunting ✔ ✔

Threat Response Team Lead ✔ ✔

Direct Call-in Support ✔ ✔

Proactive Security Posture Improvement ✔ ✔

*Linux includes two deployment options. 1) Sophos Protection for Linux deployment gives access to the features noted in the table. 2) Sophos Anti-Virus for Linux deployment that includes: Anti-malware, Live Protection, Malicious Traffic Detection and Synchronized Security. Please note that the two deployment options cannot be used together.


Sophos Protection Overview


Details of workload protection features included with Intercept X and Cloud Native Security

Features

Exploit Prevention
Enforce Data Execution Prevention ✔
Mandatory Address Space Layout Randomization ✔
Bottom-up ASLR ✔
Null Page (Null Dereference Protection) ✔
Heap Spray Allocation ✔
Dynamic Heap Spray ✔
Stack Pivot ✔
Stack Exec (MemProt) ✔
Stack-based ROP Mitigations (Caller) ✔
Branch-based ROP Mitigations (Hardware Assisted) ✔
Structured Exception Handler Overwrite (SEHOP) ✔
Import Address Table Filtering (IAF) ✔
Load Library ✔
Reflective DLL Injection ✔
Shellcode ✔
VBScript God Mode ✔
Wow64 ✔
Syscall ✔
Hollow Process ✔
DLL Hijacking ✔
Squiblydoo AppLocker Bypass ✔
APC Protection (DoublePulsar / AtomBombing) ✔
Process Privilege Escalation ✔
Dynamic Shellcode Protection ✔
EFS Guard ✔
CTF Guard ✔
ApiSetGuard ✔

Active Adversary Mitigations
Credential Theft Protection ✔
Code Cave Mitigation ✔
Man-in-the-Browser Protection (Safe Browsing) ✔
Malicious Traffic Detection ✔
Meterpreter Shell Detection ✔

Anti-Ransomware
Ransomware File Protection (CryptoGuard) ✔
Automatic file recovery (CryptoGuard) ✔
Disk and Boot Record Protection (WipeGuard) ✔

Application Lockdown
Web Browsers (including HTA) ✔
Web Browser Plugins ✔
Java ✔
Media Applications ✔
Office Applications ✔

Deep Learning Protection
Deep Learning Malware Detection ✔
Deep Learning Potentially Unwanted Applications (PUA) Blocking ✔
False Positive Suppression ✔

Respond, Investigate, Remove
Threat Cases (Root Cause Analysis) ✔
Sophos Clean ✔
Synchronized Security Heartbeat ✔


Managed Threat Response (MTR)


Sophos Managed Threat Response (MTR) provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully-managed service. MTR
customers also receive Intercept X Advanced for Server with XDR.

Sophos MTR: Standard

24/7 Lead-Driven Threat Hunting
Confirmed malicious artifacts or activity (strong signals) are automatically blocked or terminated, freeing up threat hunters to conduct lead-driven threat hunts. This type of threat hunt involves the aggregation and investigation of causal and adjacent events (weak signals) to discover new Indicators of Attack (IoA) and Indicators of Compromise (IoC) that previously could not be detected.

Security Health Check
Keep your Sophos Central products, beginning with Intercept X Advanced for Server with XDR, operating at peak performance with proactive examinations of your operating conditions and recommended configuration improvements.

Activity Reporting
Summaries of case activities enable prioritization and communication so your team knows what threats were detected and what response actions were taken within each reporting period.

Adversarial Detections
Most successful attacks rely on the execution of a process that can appear legitimate to monitoring tools. Using proprietary investigation techniques, our team determines the difference between legitimate behavior and the tactics, techniques, and procedures (TTPs) used by attackers.

Asset Discovery
From asset information covering OS versions, applications, and vulnerabilities to identifying managed and unmanaged assets, we provide valuable insights during impact assessments, threat hunts, and as part of proactive posture improvement recommendations.

Sophos MTR: Advanced
Includes all Standard features, plus the following:

24/7 Leadless Threat Hunting
Applying data science, threat intelligence, and the intuition of veteran threat hunters, we combine your company profile, high-value assets, and high-risk users to anticipate attacker behavior and identify new Indicators of Attack (IoA).

Enhanced Telemetry
Threat investigations are supplemented with telemetry from other Sophos Central products extending beyond the endpoint to provide a full picture of adversary activities.

Proactive Posture Improvement
Proactively improve your security posture and harden your defenses with prescriptive guidance for addressing configuration and architecture weaknesses that diminish your overall security capabilities.

Dedicated Threat Response Lead
When an incident is confirmed, a dedicated threat response lead is provided to directly collaborate with your on-premises resources (internal team or external partner) until the active threat is neutralized.

Direct Call-In Support
Your team has direct call-in access to our security operations center (SOC). Our MTR Operations Team is available around-the-clock and backed by support teams spanning 26 locations worldwide.

United Kingdom and Worldwide Sales North America Sales Australia and New Zealand Sales Asia Sales
Tel: +44 (0)8447 671131 Toll Free: 1-866-866-2802 Tel: +61 2 9409 9100 Tel: +65 62244168
Email: sales@sophos.com Email: nasales@sophos.com Email: sales@sophos.com.au Email: salesasia@sophos.com

© Copyright 2022. Sophos Ltd. All rights reserved.


Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are
trademarks or registered trademarks of their respective owners.

22-07-25 EN (DD)
