Penetration Testing Engagements
Whilst we aim to identify and prevent security bugs in our software development pipeline, no system is perfect. Thus we also run regular security assessments on our products. These are typically performed in a white box scenario with access to architecture details and source code. This results in more efficient and effective testing when compared to a black box scenario where little information about the product is provided.
For our recent assessments we have started collecting and publishing letters of attestation. For the older assessments we are happy to share details on request. We aim to collect letters for subsequent/future tests as they are completed.
| Solution | Product | Date of Last Test | Vendor | Letter of Attestation |
|---|---|---|---|---|
|
Endpoint |
Intercept X |
December 2022 |
MWR CyberSec |
|
|
|
Server |
December 2022 |
MWR CyberSec |
|
|
|
XDR |
February 2024 |
MDSec |
|
|
Network |
Firewall |
October 2023 |
MWR CyberSec |
|
|
|
SG UTM |
July 2022 |
Nettitude |
|
|
|
Red Devices |
November 2021 |
MDSec |
|
|
|
ZTNA |
October 2023 |
MWR CyberSec |
|
|
|
Switch |
January 2024 |
Sophos Red Team |
|
|
|
Sophos DNS Protection |
January 2024 |
MWR CyberSec |
|
|
Security Operations |
MDR |
February 2024 |
MDSec |
|
|
|
XDR |
February 2024 |
MDSec |
|
|
|
Refactr |
February 2022 |
Sophos Red Team |
|
|
|
SOC.OS |
February 2024 |
MDSec |
|
|
|
Sophos Factory |
February 2024 |
MDSec |
|
|
Messaging |
Email Protection |
Feb 2021 |
NCC |
|
|
|
Central Email |
June 2023 |
Sophos Red Team |
|
|
Cloud |
Sophos Central |
January 2024 |
MWR CyberSec |
|
|
|
Cloud Optix |
January 2024 |
MDSec |
|
|
|
ZTNA |
October 2023 |
MWR CyberSec |
|
|
|
Firewall |
October 2023 |
MWR CyberSec |
|
|
Sophos Home |
Sophos Home |
August 2022 |
Sophos Red Team |
|
|
Other |
Labs services (Including Intelix) |
December 2022 |
Sophos Red Team |
Tabletop Exercises
At Sophos we believe that it is very important to regularly test our capabilities. We do this by developing tabletop scenarios with input from experts from across the business and input from our risk management team.
The below details some of the recent tabletop scenarios we have run:
| Team | Scenario | Date |
|---|---|---|
| SophosLabs | Insider Threat | Q1 2024 |
| HR Team | Ransomware and employee PII leakage | Q4 2023 |
| Support Team | Targeted attack against support from attacker posing as customer | Q3 2023 |
|
Marketing Team |
Compromised employee leading to web defacement and company social media |
Q2 2023 |
|
Legal Team |
Malicious bugbounty researcher |
Q1 2023 |
|
Sophos Home |
Compromised Engineer leading to large PII loss |
Q4 2022 |
| SophosLabs | Compromised analyst system, supply chain attack | Q3 2022 |
|
Endpoint Team |
Compromised Sophos binaries, supply chain attack |
Q2 2022 |
|
Optix Team |
Phished engineer |
Q1 2022 |
|
IT |
Large scale ransomware incident |
Q4 2021 |
|
Central Team |
Zero-day vuln in application leading to compromise of customer data |
Q4 2020 |
Security Scorecard
IT Vendor Risk Management (VRM) solutions support enterprises that have to assess, monitor and manage their exposure to risks arising from their use of third parties that provide IT products and services or that have access to their information. There are many IT VRM solutions available, all of which vary in their ability to accurately identify a vendor’s assets and the risks possibly associated with those assets.
Sophos engages with SecurityScoreCard and their VRM platform to support customers who leverage IT VRM tools as part of their procurement process: https://securityscorecard.com/security-rating/sophos.com