
Active threat response

Active threat response consists of MDR threat feeds, Sophos X-Ops threat feeds, and Third-party threat feeds.

  • MDR threat feeds

    Allows a security analyst (part of the Sophos MDR team) to share threat intelligence with the firewall in real time to respond to active threats on the network.

    Configure MDR threat feeds

  • Sophos X-Ops threat feeds

    A SophosLabs-managed global threat database that's regularly updated and pushed to the firewall.

    Configure Sophos X-Ops threat feeds

  • Third-party threat feeds

    Allows the integration of third-party threat intelligence into the firewall for additional protection.

    Configure Third-party threat feeds

How the firewall implements threat feeds and logs events

The firewall evaluates MDR threat feeds first, followed by Sophos X-Ops threat feeds and then Third-party threat feeds.

If an Indicator of Compromise (IoC) exists in all three threat feeds and the MDR threat feeds action is set to Log and drop, the firewall drops the traffic, logs the event under MDR, and doesn't check the remaining feeds.

If the Action is set to Log only or Monitor, the firewall logs separate events for MDR, Sophos X-Ops, and Third-party threat feeds.
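To make the precedence concrete, here is a small Python model of the evaluation order described above. It is an added example, not Sophos code; the feed contents and the indicator are constructed, and it assumes that a Log and drop match on any feed, not only MDR, ends the evaluation (the page states this only for MDR).

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    LOG_AND_DROP = "Log and drop"
    LOG_ONLY = "Log only"
    MONITOR = "Monitor"


# Evaluation order stated on the page: MDR, then Sophos X-Ops, then Third-party.
FEED_ORDER = ("MDR", "Sophos X-Ops", "Third-party")


@dataclass
class Feed:
    action: Action
    iocs: frozenset  # indicators this feed currently carries (constructed below)


@dataclass
class Verdict:
    dropped: bool = False
    dropped_by: Optional[str] = None
    events: List[Tuple[str, str]] = field(default_factory=list)  # (feed, action) log entries


def evaluate(ioc: str, feeds: Dict[str, Feed]) -> Verdict:
    """Walk the feeds in order; stop at the first feed that matches and drops."""
    verdict = Verdict()
    for name in FEED_ORDER:
        feed = feeds.get(name)
        if feed is None or ioc not in feed.iocs:
            continue  # feed not configured, or no match: try the next feed
        verdict.events.append((name, feed.action.value))
        if feed.action is Action.LOG_AND_DROP:
            # Drop, log under this feed, and do not consult the remaining feeds
            # (assumption: this short-circuit applies to any feed, as the page states for MDR).
            verdict.dropped, verdict.dropped_by = True, name
            break
    return verdict


# Constructed sample: one indicator (documentation-range address) present in all three feeds.
SAMPLE_IOC = "198.51.100.7"


def sample_feeds(mdr: Action, xops: Action, third: Action) -> Dict[str, Feed]:
    shared = frozenset({SAMPLE_IOC})
    return {"MDR": Feed(mdr, shared), "Sophos X-Ops": Feed(xops, shared), "Third-party": Feed(third, shared)}
```

Running `evaluate(SAMPLE_IOC, sample_feeds(Action.LOG_AND_DROP, Action.LOG_ONLY, Action.LOG_ONLY))` yields a single MDR event and a drop, while setting MDR to Log only yields three separate events and no drop.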

Security Heartbeat

Active threat response implements the same Synchronized Security response for Security Heartbeat conditions, including enforcing firewall rules.

The firewall automatically identifies Sophos-managed endpoints that may be compromised (attempting to communicate with a malicious server) based on a red Security Heartbeat. It queries the device for additional information to provide insights on the host, user, and process that accessed the IoC.

The firewall also coordinates lateral movement protection, which informs all healthy managed endpoints that a compromised host is on the LAN so they will block traffic from that device.

Synchronized Security supports MDR, Sophos X-Ops, and Third-party threat feeds.

See Security Heartbeat overview.

Sophos NDR

If you have Internet of Things (IoT), unmanaged endpoints, or third-party devices, Active threat response protects your network from threats through Sophos Network Detection and Response (NDR) in Sophos Central. See Sophos NDR.