
Active Threat Response

Active Threat Response (ATR) provides API-triggered responses to automatically isolate malicious hosts across the network. This extends threat intelligence from Sophos MDR, Sophos XDR, Sophos NDR, and third-party solutions to the access layer, quickly preventing lateral movement via any wired, wireless, managed, or unmanaged host.

Sophos Switches registered with Sophos Central with a valid support and services license can access ATR. The ATR API ingests threat feed data, allowing MDR analysts and network administrators to quickly isolate malicious hosts across the network.

MDR/XDR Threat Feed

The MDR/XDR Threat Feed lists the isolated hosts across all Sophos Switches and AP6 access points managed in Sophos Central.

You can click the radio button next to AP6 to turn ATR on or off for AP6 access points.


If you turn ATR on for AP6 access points, it overrides any MAC filtering configured on the SSIDs on those access points.

You can click the radio button next to Switch to turn ATR on or off for Sophos Switches.

Isolated devices

You can see information about devices connected to your switches.

The MAC address column lists the MAC addresses of devices.

The Switch and AP6 columns show the status of devices with the following icons:

  • A green check mark indicates that a device is isolated.
  • A hyphen indicates that a device isn't isolated.

Active Threat Response API

The ATR APIs are available on Sophos Central. The APIs allow third-party integrations and workflows to swiftly isolate malicious activity at the network access layer. For information on how to access and use the ATR APIs from Sophos Central, see the following links: