Skip to content


Sophos XDR (Extended Detection and Response) lets you investigate detected threats (threat graphs) and search for new threats or security weaknesses. It also lets you monitor devices and fix issues remotely.

You can find most XDR features in Threat Analysis Center.

Sophos XDR Sensor offers an alternative way to get the XDR features. You don't get threat protection, but you do get some of the detection, investigation, and response functions. You can run Sophos XDR Sensor alongside existing anti-malware to try out XDR.

If you use Sophos XDR Sensor, make sure you have third-party protection installed to protect your devices.

Sophos XDR Sensor doesn't support Sophos Security Heartbeat, the feature that lets devices regularly report their security status to Sophos Firewall.

Both Sophos XDR and Sophos XDR Sensor are available if you have any license that includes XDR.

Threat graphs

Threat graphs let you investigate and clean up malware attacks.

You can find out where an attack started, how it spread, and which processes or files it has affected.

For help, see Threat Graphs.

Live Discover

Live Discover lets you check activity on devices. You can run queries about the software installed, processes running, registry changes, and more. This helps you detect security weaknesses or malicious activity.

You can run queries on devices or on our Data Lake, which stores device data in the cloud. The Data Lake lets you query devices even when they’re not connected, schedule your queries, and query data from multiple Sophos products.

You can send information to the Data Lake from the following products:

  • Sophos Endpoint Protection
  • Server Protection
  • Sophos Email
  • Sophos Firewall
  • Sophos Cloud Optix

For help with creating and running queries, see Live Discover.

Live Response

Live Response lets you connect directly to an individual device to investigate and fix possible security issues.

For help, see Set up and start Live Response.


Detections identify activity that’s unusual or suspicious and might need investigation. They're based on data that devices upload to the Sophos Data Lake.

You can use these detections to examine devices, processes, users, and events for signs of potential threats that other Sophos features haven’t blocked.

You can also use them as the starting-point of searches for security weaknesses or threats already seen elsewhere.

For more information, see Detections.


Cases let you analyze potential threats in depth.

Cases group together suspicious events reported by our Detections feature and help you or the MDR team do forensic work on them. We create cases for you automatically, but you can also create your own.

For more information, see Cases.