Does Sophos’ Agentic SOC Data Change the MDR Conversation?

Does Sophos' Agentic SOC Data Change the MDR Conversation

Analyst(s): Fernando Montenegro
Publication Date: May 29, 2026

Sophos releases 12 months of agentic SOC production data from its MDR service, now serving 40,000 customers, showing 89-second automated response times and 52% of cases resolved end-to-end by AI. The results offer rare production evidence in a market full of AI claims, while raising legitimate questions about autonomy governance, integration execution, and competitive pressure from larger vendors.

What is Covered in This Article:

  • Sophos releases twelve months of production data from its agentic SOC, citing 89-second automated response and 52% of MDR cases resolved by AI without human intervention.
  • The HOTL/HITL operating model and what it says about AI governance in a production SOC environment.
  • How the Secureworks and Arco Cyber acquisitions are materializing into a coherent security operations platform.
  • The competitive dynamics between Sophos’ midmarket strength, larger vendors pushing down-market, and Sophos’ own ability to move up-market.
  • Open questions on AI autonomy governance, integration timelines, and the long-term analyst talent pipeline.

The News: Sophos released a report analyzing twelve months of production data from the agentic Security Operations Center (SOC) running inside its Managed Detection and Response (MDR) service, now at 40,000 customers and growing 39% year-over-year.

Key metrics: 89 seconds from case creation to fully automated response for AI-resolved cases, and 52% of all MDR cases closed end-to-end by AI without human intervention. The agentic model runs two operating modes: human-on-the-loop for high-volume, well-bounded cases and human-in-the-loop for high-stakes decisions requiring analyst judgment.

Sophos Central serves as the unifying platform, combining endpoint, firewall, identity, SIEM, network, email, cloud, XDR, and threat intelligence into a shared context lake with 350+ third-party integrations. Sophos is extending the agentic model across the portfolio through 2026, including XDR and next-gen SIEM unification and the fall 2026 launch of CISO Advantage.

The offerings build on Sophos’ acquisition of Secureworks (~$859M) in late 2024, which added Taegis XDR/MDR, next-gen SIEM, ITDR, and the Counter Threat Unit, and its February 2026 acquisition of UK-based Arco Cyber, which forms the foundation for the CISO Advantage governance and assurance capability.

Does Sophos’ Agentic SOC Data Change the MDR Conversation?

Analyst Take: Sophos is doing something the AI SOC market has been conspicuously short on: publishing production outcome data. Twelve months of agentic operation, specific metrics, and a clear articulation of what AI handles versus what stays with analysts. That combination is more analytically useful than most of what the category has produced so far.

The 52/48 Split Is the Right Frame

The 89-second figure will get the attention. The more important number is 52%, because it forces a question most vendors avoid: what happens in the other 48%? Sophos answers it directly. Human-on-the-loop for high-volume, well-bounded cases; human-in-the-loop where stakes, novelty, or business context require analyst judgment before action. That is the correct architecture for an AI-assisted SOC, reflecting genuine platform maturity rather than a marketing framing.

It also maps to a structural reality the industry keeps obscuring. AI in security operations creates value primarily by extending analyst reach, not by replacing analysts. The organizations furthest ahead on this have understood the distinction. Sophos appears to have built around it.

The Acquisition Thesis Is Becoming a Platform

Eighteen months ago, Sophos was an endpoint-and-MDR vendor with a strong SMB franchise. The Secureworks acquisition changed the scope considerably, adding Taegis XDR, next-gen SIEM, ITDR, and the Counter Threat Unit in a single move. The September 2025 integration of Sophos Endpoint natively into Taegis MDR and XDR subscriptions was the first visible sign of meaningful post-merger execution. The roadmap announced today, with XDR and next-gen SIEM unified into the context lake and CISO Advantage arriving in fall 2026, suggests integration is progressing on a reasonable timeline.

Arco Cyber, acquired in February 2026, is the strategically interesting piece. Scaling CISO-level governance and control assurance to organizations without dedicated security leadership is a different bet than MDR alone. The MSP and MSSP channel is central to that delivery model, consistent with how Sophos has always gone to market. Whether partners can execute on a governance and assurance conversation, rather than a product or monitoring sale, is the open question.

Where the Competitive Picture Gets Complicated

Sophos’ clearest strength is also its clearest constraint. The midmarket focus has produced a large, loyal customer base and a repeatable channel motion. But the vendors with the most market visibility in security operations are not standing still at the enterprise tier. CrowdStrike, Palo Alto Networks, Cisco, and Microsoft are each moving down-market with packaging, pricing, and partner programs calibrated to reach exactly the organizations Sophos considers its core. Google Security Operations, with Chronicle and its SIEM and SOAR capabilities now deeply integrated into the broader Google Cloud security stack, adds another well-resourced competitor with hyperscaler economics behind it. Sophos can compete on MDR service depth and Microsoft environment coverage, but the pressure is real and increasing.

The reverse is also true. Sophos now has the portfolio architecture to pursue larger enterprise accounts, particularly those wanting a pure-play security operations vendor without the platform sprawl that comes with a hyperscaler or mega-suite vendor. The Taegis MDR tier, available alongside Sophos MDR as a distinct enterprise-grade option, gives the combined portfolio genuine reach into accounts that would not previously have considered Sophos.

Tensions Worth Holding

Three things deserve scrutiny. First, MDR at scale carries a persistent risk: the better the service, the less detection judgment customers develop internally. That dynamic does not disappear because the SOC is fast. Second, two material acquisitions within fifteen months is a real integration burden, and the Taegis and Sophos Central architectures are not fully unified yet. Third, the 52% autonomous resolution figure, while credible as a directional metric, raises legitimate questions about false positive governance at scale, specifically what the containment action false positive rate looks like in production and how that is communicated to customers.

None of these negate what Sophos has built. They are the right questions to ask of any vendor making autonomous SOC claims.

What to Watch:

  • How does Sophos govern AI autonomy at scale? The 52% autonomous resolution figure is compelling, but containment action false positive rates in production are the real test. What that number looks like, and how transparently it is shared with customers, matters.
  • Can the MSP/MSSP channel sell governance? CISO Advantage requires partners to shift from a monitoring conversation to a risk and assurance one. Not every partner will make that transition.
  • How fast does platform unification actually land? Two architectures, two customer bases, fifteen months post-close. Integration roadmaps at this scale routinely slip.
  • Does the midmarket focus hold as larger vendors push down? Service depth is a differentiator, but procurement dynamics increasingly favor vendors already in the enterprise agreement.
  • What happens to the analyst talent pipeline? As AI absorbs more volume, the apprenticeship layer for developing junior analysts thins. Whether Sophos is deliberately designing replacement pathways is worth watching.

For more information, read the full announcement from Sophos here.

Disclosure: Futurum is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum as a whole.

Other Insights From Futurum:

Security Operations Platforms – Futurum Signal

RSAC 2026: The AI ‘Tragedy of the Commons’ and the Future of Agentic Security

CrowdStrike Deepens Agentic SOC Strategy Across Partners, Services, and Devices

Author Information

Fernando Montenegro

Fernando Montenegro serves as the Vice President & Practice Lead for Cybersecurity & Resilience at The Futurum Group. In this role, he leads the development and execution of the Cybersecurity research agenda, working closely with the team to drive the practice's growth. His research focuses on addressing critical topics in modern cybersecurity. These include the multifaceted role of AI in cybersecurity, strategies for managing an ever-expanding attack surface, and the evolution of cybersecurity architectures toward more platform-oriented solutions.

Before joining The Futurum Group, Fernando held senior industry analyst roles at Omdia, S&P Global, and 451 Research. His career also includes diverse roles in customer support, security, IT operations, professional services, and sales engineering. He has worked with pioneering Internet Service Providers, established security vendors, and startups across North and South America.

Fernando holds a Bachelor’s degree in Computer Science from Universidade Federal do Rio Grande do Sul in Brazil and various industry certifications. Although he is originally from Brazil, he has been based in Toronto, Canada, for many years.

Related Insights
Can Anthropic's GRAM 'Off Switch' Make Dual-Use AI Safer Without Killing Utility?
July 10, 2026

Can Anthropic’s GRAM ‘Off Switch’ Make Dual-Use AI Safer Without Killing Utility?

Anthropic and AE Studio introduced GRAM, enabling selective removal of sensitive AI capabilities without retraining, potentially addressing privacy and security concerns for organizations adopting generative AI....
Exprivia Bets Big on Banking Security: Can Partnership Drive Real Innovation?
July 10, 2026

Exprivia Bets Big on Banking Security: Can Partnership Drive Real Innovation?

Exprivia announced partnership with ABI's WeSec summit as Main Partner, aligning with surging demand for cybersecurity and AI solutions across Italian banking. The move positions the company to capitalize on...
Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?
July 8, 2026

Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?

Kore.ai and Atos announce a strategic partnership to deliver Sovereign AI solutions to UK organizations, addressing data residency and compliance requirements in the rapidly expanding $181B AI platforms market....
ServiceNow and Accenture Bet on Migration to Win Enterprise Risk
July 7, 2026

ServiceNow and Accenture Bet on Migration to Win Enterprise Risk

Fernando Montenegro, VP at The Futurum Group, examines the ServiceNow and Accenture cybersecurity offering, and why its AI-powered migration and the Armis acquisition point to a bid to become the...
Compliance as Code Is No Longer Optional: Why Manual Reviews Can’t Keep Up
July 4, 2026

Compliance as Code Is No Longer Optional: Why Manual Reviews Can’t Keep Up

Qodo's 'Compliance as Code' framework automates enterprise AI compliance through PR checks, solving the data privacy and security gaps that plague manual reviews at scale....
Brave's Browser Containers Raise the Bar for Privacy and Workflow Flexibility
July 3, 2026

Brave’s Browser Containers Raise the Bar for Privacy and Workflow Flexibility

As AI platform adoption accelerates to $181.3B projected market size, Brave's v1.92 release introduces native browser containers addressing data privacy concerns for 52.6% of enterprise decision makers managing multi-cloud AI...

Book a Demo

Welcome

The vision behind everything in Futurum’s Custom Research practice is this: research should show you what is happening, what comes next, and what to do about it. It should be personal to each audience, easy for people to grasp, and structured so LLMs can reason over it accurately. And it should be fast and turnkey; you want answers now, not another project to carry for quarters.

Whether you are defining business, channel, or go-to-market strategy; evaluating vendors or justifying ROI; or commissioning research to fill an emerging market need, we have your back, with a program that answers your questions with the objectivity and credibility to drive real decisions.

To do it, we bring unmatched data to bear: Futurum research, surveys, and market projections; validated market feeds; ETR’s 15 years of insight from 10,000 technology decision-makers; G2’s buyer and user data; and what our analysts hear every day. Add leading primary collection, from AI-moderated voice interviews to surveys and analyst-led interviews, all turnkey, and every project comes out credible, nuanced, and actionable.

And we don’t just drop the results in your lap. For internal work, we provide analyst-led sessions, interactive dashboards, and a range of formats. For market-facing work, Futurum delivers turnkey activation and amplification that actually gets seen, by people and by LLMs, through our media and share of voice. This is research that moves decisions and markets.

We will meet you wherever you are, from a fast-turn brief to a multi-year program, and shape the work to your goals, timeline, and budget. The right program for your moment.

If any of this is useful, I would love to talk.

Benjamin Brown, VP Custom Research, Futurum Research

Benjamin Brown

VP, Custom Research · The Futurum Group

Newsletter Sign-up Form

Get important insights straight to your inbox, receive first looks at eBooks, exclusive event invitations, custom content, and more. We promise not to spam you or sell your name to anyone. You can always unsubscribe at any time.

All fields are required






Thank you, we received your request, a member of our team will be in contact with you.