
Managed Risk Settings

You must have an MDR Essentials or MDR Complete license before you can subscribe to the Managed Risk service.

The Sophos Managed Risk service reports on all internet-facing assets associated with your domains, scans the assets you specify for vulnerabilities, reports risks, and suggests remediations.

After you activate your license for Managed Risk, you must set up the service. To start setup, go to My Products > Managed Risk > Settings.

You can also change your settings anytime on the same page.

Authorized contacts

Enter contacts in your organization so we can send them notifications and updates on security vulnerabilities we're investigating.

You must enter at least one contact, and your primary contact must be a Sophos Central admin.

  1. Go to My Products > Managed Risk > Settings.
  2. Select the Authorized Contacts tab.

    If you need to create a new Sophos Central admin, click Create new Central administrator and add a user with the Super Admin, Admin, or Help Desk role. Otherwise, skip this step.

    Create Central Admin.

  3. Click the drop-down arrow beside Primary and select one of your Sophos Central admins. Enter their contact details.

    Authorized contacts settings.

  4. Enter Secondary and Tertiary contacts, if you want to. You can select a Sophos Central admin from the drop-down list, or create a new contact by completing the form.

    We recommend that you have multiple contacts.

  5. Click Save.

Scan settings

Scan settings only become available after you save your authorized contacts.

Enter the settings needed for scanning your assets.


Currently, when you've submitted these settings, you can't change them yourself. Raise a case to ask the Managed Risk team to reset them for you. See Managed Risk cases. We'll remove this limitation in a future version.

  1. Select the Scan Settings tab.

    Scan Settings tab.

  2. In Add Domains, enter your external-facing domains separated by commas and click Add. You can paste in multiple domains at once.

    You can enter up to 25 domains.

    We need these details so we can produce the attack surface management report, which identifies assets associated with the domains.

    Add domains.

  3. In Add IP addresses, enter your external IP addresses or ranges separated by commas and click Add.

    You can enter up to 100 IP addresses or CIDR ranges. You can't add a CIDR range with a suffix less than /24, that is, a range larger than a /24.

    We need these details so we can run the weekly vulnerability scan. We can scan up to 1000 devices.

    Add IP addresses or ranges.
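Because the scan settings can't be changed once submitted, it is worth checking the domain and IP lists before you paste them into the form. The following pre-flight check is an added example written for this page; it is not Sophos code and does not talk to Sophos Central. It applies the limits stated above (25 domains, 100 IP entries, no CIDR suffix shorter than /24, up to 1000 devices) and additionally flags entries that are not external addresses and ranges that overlap, since a private range or a double-counted block in an external-scan scope is almost always a paste mistake. Counting every address in the accepted ranges as a "device" is an assumption made here to give an upper bound; the sample inputs are constructed.

```python
import ipaddress
import re

# Limits stated on the Managed Risk settings page.
MAX_DOMAINS = 25
MAX_IP_ENTRIES = 100
MIN_PREFIX_LEN = 24          # "suffix less than /24" is rejected by the form
MAX_SCANNED_DEVICES = 1000   # "We can scan up to 1000 devices"

# Ranges that can never be internet-facing scan targets (RFC 1918, CGNAT,
# loopback, link-local, multicast, IPv6 ULA/link-local). Assumed check, not a form rule.
NON_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def split_list(text):
    """Split a comma-separated field the way the form accepts it, dropping blanks."""
    return [item.strip() for item in text.split(",") if item.strip()]


def validate_domains(text, max_domains=MAX_DOMAINS):
    """Return (accepted_domains, problems) for the Add Domains field."""
    domains = split_list(text)
    problems = []
    if len(domains) > max_domains:
        problems.append(f"{len(domains)} domains entered; the form accepts at most {max_domains}")
    seen, accepted = set(), []
    for raw in domains:
        name = raw.lower().rstrip(".")
        labels = name.split(".")
        if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
            problems.append(f"not a valid domain name: {raw!r}")
        elif name in seen:
            problems.append(f"duplicate domain: {raw!r}")
        else:
            seen.add(name)
            accepted.append(name)
    return accepted, problems


def validate_ip_entries(text, max_entries=MAX_IP_ENTRIES, max_devices=MAX_SCANNED_DEVICES):
    """Return a summary dict for the Add IP addresses field.

    Entries that fail a check are reported and left out of the accepted scope,
    so the address count reflects only what the form would accept.
    """
    entries = split_list(text)
    problems, networks = [], []
    if len(entries) > max_entries:
        problems.append(f"{len(entries)} entries; the form accepts at most {max_entries}")
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw, strict=False)  # a bare address becomes a /32 or /128
        except ValueError:
            problems.append(f"not an IP address or CIDR range: {raw!r}")
            continue
        if net.prefixlen < MIN_PREFIX_LEN:
            problems.append(f"range larger than /{MIN_PREFIX_LEN} is not accepted: {raw!r}")
            continue
        if any(net.overlaps(blocked) for blocked in NON_EXTERNAL if blocked.version == net.version):
            problems.append(f"not an external address: {raw!r}")
            continue
        if any(net.overlaps(other) for other in networks if other.version == net.version):
            problems.append(f"overlaps an earlier entry (would be scanned twice): {raw!r}")
            continue
        networks.append(net)
    addresses = sum(net.num_addresses for net in networks)  # assumed upper bound on devices
    if addresses > max_devices:
        problems.append(f"{addresses} addresses in scope exceeds the {max_devices}-device limit; "
                        "confirm the scope with the Managed Risk team")
    return {"entries": len(entries), "networks": networks,
            "addresses_in_scope": addresses, "problems": problems}


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    accepted, issues = validate_domains("example.com, app.example.com, bad_host, EXAMPLE.com")
    print("domains:", accepted, issues)
    report = validate_ip_entries(
        "203.0.113.0/24, 198.51.100.7, 10.0.0.0/8, 192.0.2.0/22, "
        "203.0.113.128/25, 192.168.1.0/24, not-an-ip")
    print("addresses in scope:", report["addresses_in_scope"])
    for problem in report["problems"]:
        print("  -", problem)
```

Run it on the exact text you intend to paste into each field and fix everything it reports before clicking Submit; the ranges it accepts are the ones the weekly scan will actually cover.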

Schedule weekly vulnerability scanning

You must schedule scanning for vulnerabilities.

  1. In Schedule weekly vulnerability scanning, select the day of the week when you want scanning to start.


  2. Set the time zone.

    Scans start when it's approximately 12 midnight in the time zone you selected.

  3. Click Submit.
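Knowing the scan start as a UTC instant helps when you correlate the scanner's traffic in firewall or IDS logs, or tune alerting so the weekly scan is not mistaken for unknown reconnaissance. The function below is an added example, not Sophos code: it takes the weekday and time zone you chose in the form and works out the next local midnight on that day, then converts it to UTC. It accepts any `tzinfo`; the demo uses `zoneinfo`, and the scheduled start is only approximate, as the page says, so treat the result as the start of a window rather than an exact second.

```python
from datetime import datetime, time, timedelta, timezone

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def next_scan_start(day_name, tz, now=None):
    """Return, in UTC, the next local midnight on `day_name` in time zone `tz`.

    `now` defaults to the current time; pass an aware datetime to make the
    calculation reproducible (for example in a test or a report).
    """
    target = WEEKDAYS.index(day_name.lower())
    now = now or datetime.now(timezone.utc)
    local_now = now.astimezone(tz)
    days_ahead = (target - local_now.weekday()) % 7
    candidate = local_now.date() + timedelta(days=days_ahead)
    # Build the wall-clock midnight in the chosen zone; with a zoneinfo tz this
    # follows DST correctly because the arithmetic is done on local wall time.
    start_local = datetime.combine(candidate, time(0, 0), tzinfo=tz)
    if start_local <= local_now:          # today's midnight has already passed
        start_local += timedelta(days=7)
    return start_local.astimezone(timezone.utc)


if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # Python 3.9+; needs system or tzdata zone files
    # Constructed example: scan day "Sunday", zone "Europe/London".
    start = next_scan_start("Sunday", ZoneInfo("Europe/London"))
    print("next scan window opens around", start.isoformat(), "(UTC)")
```

Feed the returned instant to whatever you use for log correlation or maintenance windows; if your SIEM works in UTC, this is the value to put on the suppression rule for the scanner's traffic.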

What happens next?

If you've just set up the Managed Risk service for the first time, here's what to expect next.

  • The service runs weekly scans and generates reports. We notify you when a new report is ready. See Managed Risk report history.
  • After 30 days, our Managed Risk team contacts you to set up a baseline meeting. This meeting reviews the domains and IPs monitored and the findings of initial vulnerability scans and attack surface management reports. This helps us understand your security needs.
  • Every three months, you have further meetings with our team to review recent findings, learn about emerging risks, and discuss our recommendations.
  • When a critical vulnerability is found, we create a case and email you with details of the vulnerability. See Managed Risk cases.