Skip to content

Active threat response

Active threat response consists of MDR threat feeds and Sophos X-Ops threat feeds.

MDR threat feeds enables a security analyst (part of the Sophos MDR team) to share threat intelligence with the firewall in real-time to respond to active threats on the network.

Sophos X-Ops threat feeds is a SophosLabs-managed global threat database that's regularly updated and pushed to the firewall.


Sophos X-Ops threat feeds was previously called Advanced threat protection (ATP).


The firewall first implements MDR threat feeds. If an entry exists in both Sophos X-Ops and MDR threat feeds, and MDR threat feeds is set to Log and drop, the firewall drops the traffic, logs the event under MDR, and doesn't check further.

Security Heartbeat

If you have Synchronized Security, the firewall automatically identifies any Sophos-managed endpoints that may be compromised (attempting to communicate with a malicious server) based on a red Security Heartbeat. It queries the device for additional information, such as the host, user, and process, which helps you determine any Indicators of Compromise (IoC). Synchronized Security supports both MDR threat feeds and Sophos X-Ops threat feeds.

Sophos NDR

If you have Internet of Things (IoT), unmanaged endpoints, or third-party devices, Active threat response protects your network from threats through Sophos Network Detection and Response (NDR) in Sophos Central. See Sophos NDR.