Introducing Active Threat Response for Sophos Switch/Sophos Wireless (AP6) – Sophos News

With Active Threat Response, we’re introducing new functionality for our network access layer products, Sophos Switch and Sophos Wireless (AP6 Series only).

Corporate networks have become harder to control, with a broad array of managed and unmanaged, wired and wireless devices connecting. It’s no longer enough to monitor the status of managed devices only; when the need arises, you have to be able to block connectivity for potentially suspicious, unmanaged hosts, such as IoT devices, that could be the target of botnets.

According to the inaugural MSP Perspectives 2024 report conducted on behalf of Sophos, Managed Service Providers (MSPs) consider insecure wireless networking and a shortage of cybersecurity skills/expertise, as the biggest perceived cybersecurity risks that they face today.

Active Threat Response and our single-platform approach help to address both of those concerns by making security management more efficient, and extending wired and wireless network security beyond the realms of what network infrastructure products can see.

Rogue device detection

The concept of rogue device detection is well-known in the wireless world, however, in most solutions, that tends to go hand-in-hand with rogue AP detection, with a rogue device often defined as a device connected to a rogue AP. Rogue device detection can be prone to false positives and caution is required when using automation to avoid disruption. Active Threat Response is different; access points and switches ingest targeted, verified threat information from separate, trusted sources.

How it works

An API-triggered threat feed containing the MAC addresses of potentially compromised hosts can be sent to any Sophos Central account. Once triggered, the threat feed is automatically propagated across the network to update all Sophos switches and AP6 access points.

They respond by isolating the compromised devices, effectively cutting communication for them. While MAC-based filtering cannot prevent MAC spoofing, it does buy precious time for remediation and prevents lateral movement, which is often the primary goal when unmanaged devices are targeted.

The source of the threat feed could be any of a number of Sophos solutions; Sophos MDR, Sophos XDR, or Sophos NDR. In addition, our public API opens up this feature to customers with third-party security solutions.


  • Isolates wired and wireless, managed, and unmanaged hosts
  • Prevents lateral movement and buys you time for remediation
  • Detections can originate from multiple sources (Sophos or third-party solutions)

Active Threat Response for Sophos Switch and Sophos Wireless differs from the functionality offered with Sophos Firewall. The firewall provides different response actions and automation, partially based on synchronized security functionality in combination with Sophos-managed endpoints.

The combined use of Active Threat Response on Sophos Switch, Sophos Wireless, and Sophos Firewall ensures the best protection at every network layer.

Strengthening the Sophos ecosystem story

Active Threat Response adds a new, unique dimension to the Sophos ecosystem story. It further demonstrates the benefits of consolidating security with a single vendor and using a single management platform, improving our customers’ security posture, and strengthening our channel partners’ position to sell and support a broader range of solutions and services.

Prerequisites and activation

To use Active Threat Response, the Sophos Central account where it is activated must have a valid support subscription for each AP6 access point and/or Sophos switch. Customers can activate this feature for Sophos Wireless and Sophos Switch individually.

To receive threat feeds, the customer must also own a supported Sophos solution/service or a third-party solution capable of providing threat information using the public API.

The API framework

In this initial release, some knowledge of APIs would be required for customers who manage their own Sophos solutions. The API is used to ingest threat feed data and also provides the means to manage and update the isolated host list. In future releases, we plan to add further management and configuration options in Sophos Central, making this feature accessible to network admins of all skill levels.


Active Threat Response is available now for all Sophos AP6 Series and Switch customers who manage their devices in Sophos Central (and have a valid support subscription).

For further information about Active Threat Response, please check our website at or

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button