Sophos introduces identity-first defence with ITDR launch

Cybersecurity firm Sophos has unveiled its new solution, Sophos Identity Threat Detection and Response, offering organisations continuous monitoring of identity risks, dark-web credential tracking and automated response capabilities within its Sophos Central platform. The UK-headquartered company positions the product as a strategic response to the “never-ending” rise of identity-based attacks.

The new ITDR module integrates with Sophos’ existing Extended Detection and Response (XDR) and Managed Detection and Response (MDR) offerings, giving organisations an expanded security operations footprint that addresses both endpoint and identity-based threats. Sophos claims to have observed a 106 per cent increase in stolen credentials offered for sale on the dark web between June 2024 and June 2025. The product reportedly includes more than 80 cloud-identity posture checks, covers all known credential-access techniques from the MITRE ATT&CK framework and uses user-behaviour analytics to detect anomalous or insider-driven activity.

Sophos highlights that ITDR enables immediate remediation actions—such as account locking, password reset, multi-factor authentication refresh and session revocations—automatically or via analyst intervention when deployed through its MDR service. According to expert commentary contained in the company’s announcements, cloud- and hybrid-work deployments have enlarged the identity-attack surface, while “complex identity and access management systems with constantly changing settings and policies create gaps that attackers target”. The launch follows the firm’s acquisition of Secureworks earlier this year, with ITDR cited as the first Secureworks technology to be fully integrated into Sophos’ platform.

The move aligns with a broader industry trend recognising identity as the new frontline in cyber defence. Analysts at Sophos’ X-Ops threat intelligence unit and independent sources alike note that compromised credentials remain the leading root cause in incident-response cases, accounting for 56 per cent of such incidents in the company’s own data. More broadly, cybersecurity firms note that identity-based attacks, including account takeovers, privilege escalation and lateral movement, are growing faster than many traditional malware threats. Some vendors already classify identity-threat detection and response as a distinct segment emerging alongside endpoint detection and response and network-detection systems.

For customers, the advantage lies in the enhanced visibility of identity assets across systems, prioritised dashboards of risk, dark-web monitoring of leaked credentials and automated behavioural anomaly detection. The integration into Sophos’ existing security operations infrastructure means that organisations subscribing to the company’s XDR or MDR services may be able to deploy identity-centric protection without managing a separate system.

However, analysts caution that while product launches such as ITDR mark significant progress, they do not in themselves eliminate the underlying challenges that many organisations face. Identity systems often span on-premises, hybrid and cloud environments, with some legacy components and misconfigurations that are difficult to detect. Automated remediation actions can introduce business-risk trade-offs—such as locking accounts or resetting sessions—that require careful consideration and alignment with enterprise operations. Moreover, the growing identity-attack surface means that vendor tools like ITDR must be accompanied by strong governance, user training, and robust identity- and access-management frameworks.

From a market perspective, Sophos is aiming to deepen its position in managed-security services and identity security at a time when many firms are consolidating security vendors and seeking unified platforms to manage cyber risk. By incorporating Secureworks’ threat intelligence and dark-web monitoring capabilities, Sophos appears to be betting on identity security as a differentiator. For the vendor ecosystem, this may add pressure on competitors to bolster identity-specific offerings, particularly given that credentials and identity misconfigurations consistently rank high among root causes of breaches.


