
Sophos launches Identity Threat Detection for XDR platform

Sophos has launched Identity Threat Detection and Response (ITDR) for its XDR and MDR platforms. The solution monitors identity risks, scans the dark web for stolen login credentials, and is designed to help organizations respond more quickly to identity-based attacks.

Identity-based attacks are one of the fastest-growing threats in the cybersecurity landscape. Between June 2024 and June 2025, Sophos X-Ops Counter Threat Unit observed a 106 percent increase in stolen login credentials being offered for sale on the dark web.

Integration with existing platforms

The new Sophos ITDR solution is the result of the acquisition of Secureworks and is the first product from that company to be fully integrated into the Sophos Central platform. It is designed to help Sophos users with comprehensive security operations.

Sophos ITDR integrates seamlessly with existing XDR and MDR solutions and automatically generates cases when identity-based threats or high-risk findings arise. With MDR, Sophos security analysts then take over investigation and response actions from companies, accelerating remediation and reducing risk.

Cloud and remote work increase attack surface

“Cloud and remote work have expanded the identity attack surface and created new opportunities for attackers,” said Rob Harrison, SVP of Product Management at Sophos. Complex identity and access management systems with constantly changing settings and policies create gaps that attackers can exploit.

The solution performs more than 80 cloud identity posture checks and uses AI-driven detections to identify identity-based attacks. These include kerberoasting, privilege escalation, account takeover, brute force, and lateral movement. Response playbooks within ITDR enable automated remediation actions such as account locks, password resets, and multi-factor authentication refresh.

Key features

The Identity Catalog provides complete visibility into all identities in systems to reduce blind spots. The Identity Posture Dashboard displays a prioritized overview of identity risks, including compromised credentials on the dark web.

With more than 80 detection rules for all known MITRE ATT&CK Credential Access techniques, Sophos ITDR positions itself as a solution for identity-based security. Continuous assessments strengthen the security posture through ongoing detection of misconfigurations, dormant accounts, and vulnerabilities.

User and Entity Behavior Analytics (UEBA) helps detect insider threats and anomalous activity early, before they lead to account takeover and lateral movement. Advanced Identity Detections track advanced identity attacks such as credential theft, password spraying, and impossible travel.
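Two of the detections named above, impossible travel and password spraying, as an added illustration that is not Sophos or Secureworks code: a small Python detector run over constructed sign-in events. The SignIn record, the speed and window thresholds, and the sample data are assumptions made for this example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# One sign-in record; lat/lon would normally come from a GeoIP lookup of src_ip.
SignIn = namedtuple("SignIn", "user ts src_ip lat lon success")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """(user, src_ip) of successful sign-ins implying travel faster than max_kmh since the user's previous success."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.success:
            by_user[e.user].append(e)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            if km >= min_km and (hours == 0 or km / hours > max_kmh):  # min_km absorbs GeoIP jitter
                hits.append((user, cur.src_ip))
    return hits

def password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Source IPs with failed sign-ins against >= min_users distinct accounts inside one window."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            fails[e.src_ip].append(e)
    flagged = []
    for ip, evs in fails.items():
        for i, first in enumerate(evs):
            if len({x.user for x in evs[i:] if x.ts - first.ts <= window}) >= min_users:  # few tries per account, many accounts
                flagged.append(ip)
                break
    return flagged

# Constructed sample: alice Amsterdam->Sydney in 30 min, bob to Paris in 4 h, one IP sprays six accounts.
T = datetime(2025, 6, 1, 9, 0)
AMS, SYD, PAR = (52.37, 4.90), (-33.87, 151.21), (48.86, 2.35)
SAMPLE = [SignIn("alice", T, "192.0.2.10", *AMS, True),
          SignIn("alice", T + timedelta(minutes=30), "198.51.100.8", *SYD, True),
          SignIn("bob", T, "192.0.2.11", *AMS, True),
          SignIn("bob", T + timedelta(hours=4), "192.0.2.12", *PAR, True),
          *(SignIn(f"user{i}", T + timedelta(seconds=20 * i), "203.0.113.7", *PAR, False) for i in range(6))]
```

Running `impossible_travel(SAMPLE)` flags only alice's Sydney sign-in, and `password_spray(SAMPLE)` flags only 203.0.113.7; a real deployment would feed Entra ID or AD sign-in logs in place of SAMPLE.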

The solution can also take immediate action on identity threats, such as disabling accounts, resetting user sessions, or marking users as compromised in Microsoft Entra ID. This integration into the existing ecosystem helps organizations improve their security operations without increasing complexity.