Analyst(s): Fernando Montenegro
Publication Date: May 29, 2026
Sophos releases 12 months of agentic SOC production data from its MDR service, now serving 40,000 customers, showing 89-second automated response times and 52% of cases resolved end-to-end by AI. The results offer rare production evidence in a market full of AI claims, while raising legitimate questions about autonomy governance, integration execution, and competitive pressure from larger vendors.
What is Covered in This Article:
- Sophos releases twelve months of production data from its agentic SOC, citing 89-second automated response and 52% of MDR cases resolved by AI without human intervention.
- The human-on-the-loop (HOTL) and human-in-the-loop (HITL) operating model and what it says about AI governance in a production SOC environment.
- How the Secureworks and Arco Cyber acquisitions are materializing into a coherent security operations platform.
- The competitive dynamics between Sophos’ midmarket strength, larger vendors pushing down-market, and Sophos’ own ability to move up-market.
- Open questions on AI autonomy governance, integration timelines, and the long-term analyst talent pipeline.
The News: Sophos released a report analyzing twelve months of production data from the agentic Security Operations Center (SOC) running inside its Managed Detection and Response (MDR) service, now at 40,000 customers and growing 39% year-over-year.
Key metrics: 89 seconds from case creation to fully automated response for AI-resolved cases, and 52% of all MDR cases closed end-to-end by AI without human intervention. The agentic model runs two operating modes: human-on-the-loop for high-volume, well-bounded cases and human-in-the-loop for high-stakes decisions requiring analyst judgment.
Sophos Central serves as the unifying platform, combining endpoint, firewall, identity, SIEM, network, email, cloud, XDR, and threat intelligence into a shared context lake with 350+ third-party integrations. Sophos is extending the agentic model across the portfolio through 2026, including XDR and next-gen SIEM unification and the fall 2026 launch of CISO Advantage.
The offerings build on Sophos’ acquisition of Secureworks (~$859M) in late 2024, which added Taegis XDR/MDR, next-gen SIEM, ITDR, and the Counter Threat Unit, and its February 2026 acquisition of UK-based Arco Cyber, which forms the foundation for the CISO Advantage governance and assurance capability.
Does Sophos’ Agentic SOC Data Change the MDR Conversation?
Analyst Take: Sophos is doing something the AI SOC market has been conspicuously short on: publishing production outcome data. Twelve months of agentic operation, specific metrics, and a clear articulation of what AI handles versus what stays with analysts. That combination is more analytically useful than most of what the category has produced so far.
The 52/48 Split Is the Right Frame
The 89-second figure will get the attention. The more important number is 52%, because it forces a question most vendors avoid: what happens in the other 48%? Sophos answers it directly. Human-on-the-loop for high-volume, well-bounded cases; human-in-the-loop where stakes, novelty, or business context require analyst judgment before action. That is the correct architecture for an AI-assisted SOC, reflecting genuine platform maturity rather than a marketing framing.
It also maps to a structural reality the industry keeps obscuring. AI in security operations creates value primarily by extending analyst reach, not by replacing analysts. The organizations furthest ahead on this have understood the distinction. Sophos appears to have built around it.
The Acquisition Thesis Is Becoming a Platform
Eighteen months ago, Sophos was an endpoint-and-MDR vendor with a strong SMB franchise. The Secureworks acquisition changed the scope considerably, adding Taegis XDR, next-gen SIEM, ITDR, and the Counter Threat Unit in a single move. The September 2025 integration of Sophos Endpoint natively into Taegis MDR and XDR subscriptions was the first visible sign of meaningful post-merger execution. The roadmap announced today, with XDR and next-gen SIEM unified into the context lake and CISO Advantage arriving in fall 2026, suggests integration is progressing on a reasonable timeline.
Arco Cyber, acquired in February 2026, is the strategically interesting piece. Scaling CISO-level governance and control assurance to organizations without dedicated security leadership is a different bet than MDR alone. The MSP and MSSP channel is central to that delivery model, consistent with how Sophos has always gone to market. Whether partners can execute on a governance and assurance conversation, rather than a product or monitoring sale, is the open question.
Where the Competitive Picture Gets Complicated
Sophos’ clearest strength is also its clearest constraint. The midmarket focus has produced a large, loyal customer base and a repeatable channel motion. But the vendors with the most market visibility in security operations are not standing still at the enterprise tier. CrowdStrike, Palo Alto Networks, Cisco, and Microsoft are each moving down-market with packaging, pricing, and partner programs calibrated to reach exactly the organizations Sophos considers its core. Google Security Operations, with Chronicle and its SIEM and SOAR capabilities now deeply integrated into the broader Google Cloud security stack, adds another well-resourced competitor with hyperscaler economics behind it. Sophos can compete on MDR service depth and Microsoft environment coverage, but the pressure is real and increasing.
The reverse is also true. Sophos now has the portfolio architecture to pursue larger enterprise accounts, particularly those wanting a pure-play security operations vendor without the platform sprawl that comes with a hyperscaler or mega-suite vendor. The Taegis MDR tier, available alongside Sophos MDR as a distinct enterprise-grade option, gives the combined portfolio genuine reach into accounts that would not previously have considered Sophos.
Tensions Worth Holding
Three things deserve scrutiny. First, MDR at scale carries a persistent risk: the better the service, the less detection judgment customers develop internally. That dynamic does not disappear because the SOC is fast. Second, two material acquisitions within fifteen months is a real integration burden, and the Taegis and Sophos Central architectures are not fully unified yet. Third, the 52% autonomous resolution figure, while credible as a directional metric, raises legitimate questions about false positive governance at scale, specifically what the containment action false positive rate looks like in production and how that is communicated to customers.
None of these negate what Sophos has built. They are the right questions to ask of any vendor making autonomous SOC claims.
What to Watch:
- How does Sophos govern AI autonomy at scale? The 52% autonomous resolution figure is compelling, but containment action false positive rates in production are the real test. What that number looks like, and how transparently it is shared with customers, matters.
- Can the MSP/MSSP channel sell governance? CISO Advantage requires partners to shift from a monitoring conversation to a risk and assurance one. Not every partner will make that transition.
- How fast does platform unification actually land? Two architectures, two customer bases, fifteen months post-close. Integration roadmaps at this scale routinely slip.
- Does the midmarket focus hold as larger vendors push down? Service depth is a differentiator, but procurement dynamics increasingly favor vendors already in the enterprise agreement.
- What happens to the analyst talent pipeline? As AI absorbs more volume, the apprenticeship layer for developing junior analysts thins. Whether Sophos is deliberately designing replacement pathways is worth watching.
For more information, read the full announcement from Sophos here.
Disclosure: Futurum is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum as a whole.
Author Information
Fernando Montenegro serves as the Vice President & Practice Lead for Cybersecurity & Resilience at The Futurum Group. In this role, he leads the development and execution of the Cybersecurity research agenda, working closely with the team to drive the practice's growth. His research focuses on addressing critical topics in modern cybersecurity. These include the multifaceted role of AI in cybersecurity, strategies for managing an ever-expanding attack surface, and the evolution of cybersecurity architectures toward more platform-oriented solutions.
Before joining The Futurum Group, Fernando held senior industry analyst roles at Omdia, S&P Global, and 451 Research. His career also includes diverse roles in customer support, security, IT operations, professional services, and sales engineering. He has worked with pioneering Internet Service Providers, established security vendors, and startups across North and South America.
Fernando holds a Bachelor’s degree in Computer Science from Universidade Federal do Rio Grande do Sul in Brazil and various industry certifications. Although he is originally from Brazil, he has been based in Toronto, Canada, for many years.
