Security testing
Penetration testing engagements
While we aim to identify and prevent security bugs in our software development pipeline, no system is perfect. That’s why we also run regular security assessments on our products. These assessments are typically performed in a white box scenario with access to architecture details and source code. Our approach results in more efficient and effective testing when compared to a black box scenario where little information about the product is provided.
For our recent assessments, we have started collecting and publishing letters of attestation. For the older assessments, we are happy to share details upon request. We aim to collect letters for subsequent/future tests as they are completed.
Assessment letters of attestation
| Solution | Product | Date of Last Test | Vendor | Letter of Attestation |
|---|---|---|---|---|
| Endpoint | Intercept X | October 2024 | MWR CyberSec | LoA - MWR - Endpoint |
| XDR | February 2024 | MDSec | LoA - MDSec - MDR - XDR - SOC.OS | |
| Sophos Mobile Control | August 2024 | MWR CyberSec | LoA-MWR-SMC | |
| Network | Firewall | November 2024 | MWR CyberSec | LoA – MWR – Firewall LoA – MWR – Sophos Connect Client |
| SG UTM | July 2022 | Nettitude | Contact Us | |
| SD-RED Remote Ethernet Devices | November 2021 | MDSec | Contact Us | |
| ZTNA | October 2023 | MWR CyberSec | LoA - MWR - Firewall/ZTNA | |
| Switch | January 2024 | Sophos Red Team | Contact Us | |
| DNS Protection | January 2024 | MWR CyberSec | LoA - MWR - DNS Protection | |
| Security Operations | MDR | February 2025 | MDSec | LoA - MDSec - MDR |
| XDR | February 2024 | MDSec | LoA - MDSec - MDR - XDR - SOC.OS | |
| Refactr | February 2022 | Sophos Red Team | Contact Us | |
| SOC.OS | February 2024 | MDSec | LoA - MDSec - MDR - XDR - SOC.OS | |
| Factory | February 2024 | MDSec | LoA - MDSec - Sophos Factory | |
| Messaging | Central Email | August 2024 | Sophos Red Team | Contact Us |
| Cloud | Sophos Central | January 2025 | MDSec | LoA - MDSec - Central |
| Cloud Optix | January 2024 | MDSec | LoA - MDSec - Optix | |
| ZTNA | February 2025 | Pen Test Partners | LoA – PTP - ZTNA | |
| Firewall | October 2023 | MWR CyberSec | LoA - MWR - Firewall/ZTNA | |
| Home Security | Sophos Home | August 2022 | Sophos Red Team | Contact Us |
| Other | SophosLabs (including Intelix) | November 2024 | Sophos Red Team | Contact Us |
Tabletop exercises
At Sophos, we believe that it’s very important to test our capabilities regularly. We do this by developing tabletop scenarios with input from experts across the business and our risk management team.
The chart below details some of the recent tabletop scenarios we have run.
Recent tabletop scenarios
| Team | Scenario | Date |
|---|---|---|
| Finance Team | Targeted attack against finance from attacker posing as vendor | Q4 2024 |
| MDR Team | Developer and Analyst compromise leading to Customer Ransomware Attack | Q3 2024 |
| Global Purchasing | Malicious Vendor onboarding and fake purchase requisition | Q2 2024 |
| SophosLabs | Insider threat | Q1 2024 |
| HR | Ransomware and employee PII leakage | Q4 2023 |
| Support | Targeted attack by someone posing as a customer | Q3 2023 |
| Marketing | A compromised employee leading to the defacement of the company website and social media | Q2 2023 |
| Legal | Malicious bug bounty researcher | Q1 2023 |
| Sophos Home | Compromised engineer leading to large PII loss | Q4 2022 |
| SophosLabs | Compromised analyst system, supply chain attack | Q3 2022 |
| Endpoint | Compromised Sophos binaries, supply chain attack | Q2 2022 |
| Optix | Phished engineer | Q1 2022 |
| IT | Large-scale ransomware incident | Q4 2021 |
| Central | Zero-day vulnerability in application leading to compromise of customer data | Q4 2020 |
SecurityScorecard vendor risk management
IT vendor risk management (VRM) solutions support enterprises that assess, monitor, and manage risks associated with using third-party IT products, services, and vendors that can access their data. There are many IT VRM solutions available, all of which vary in their ability to accurately identify a vendor’s assets, and the potential risks associated with those assets.
Sophos engages with SecurityScorecard and its VRM platform to support customers who use IT VRM tools as part of their procurement process. To see our current rating, visit https://securityscorecard.com/security-rating/sophos.com.
