Sophos launches Identity Threat Detection and Response to combat surge in credential-based attacks
2025-10-27 
Cybersecurity firm Sophos has unveiled its latest offering, Identity Threat Detection and Response (ITDR), a new solution integrated into the Sophos Central platform that helps organizations detect, analyze, and respond to identity-based cyberattacks.
The launch marks a major step for Sophos following its acquisition of Secureworks, making ITDR the first Secureworks-developed technology fully integrated into Sophos’ portfolio. The company said the new solution enhances the capabilities of Sophos XDR (Extended Detection and Response) and Sophos MDR (Managed Detection and Response), both of which are used by more than 600,000 customers worldwide.
Sophos ITDR continuously monitors enterprise environments for identity misconfigurations, weak credentials, and potential signs of compromise. It also scans the dark web for stolen or exposed credentials linked to an organization’s users—an increasingly critical capability amid a sharp rise in credential theft incidents.
According to Sophos’ X-Ops Counter Threat Unit, the number of stolen credentials available for sale on underground forums rose by 106 percent between June 2024 and June 2025. The company’s Active Adversary Report found that compromised credentials were the leading cause of cyber incidents for the second consecutive year, accounting for 56 percent of attacks handled by Sophos’ MDR and incident-response teams.
“Cloud and remote work have expanded the identity attack surface and created new opportunities for attackers,” said Rob Harrison, Senior Vice President of Product Management at Sophos. “Complex identity and access-management systems with constantly changing settings and policies create gaps that attackers exploit. Sophos ITDR helps close those gaps by giving customers faster visibility into identity risks, monitoring for compromised credentials, and integrating with Sophos XDR and MDR for rapid, analyst-led response.”
The solution identifies identity-based threats aligned with the Credential Access tactic of the MITRE ATT&CK framework and performs more than 80 cloud-identity posture checks. It uses AI-driven detection engines to uncover tactics such as Kerberoasting, privilege escalation, account takeover, brute-force attacks, and lateral movement within networks.
When a threat is detected, Sophos ITDR can trigger automated remediation playbooks that lock accounts, reset passwords, refresh multi-factor authentication tokens, or revoke active sessions. These automated actions integrate directly into Sophos’ security operations workflows, giving defenders both speed and context when responding to identity incidents.
Sophos said ITDR was designed in response to a surge in identity-centric attacks that exploit weak authentication controls, particularly as enterprises expand cloud and hybrid work environments. By consolidating identity-security telemetry with endpoint, network, and cloud data in Sophos Central, organizations can gain unified visibility into user behavior, authentication risks, and possible insider threats.
The company emphasized that the launch underscores its commitment to helping enterprises manage cyber risk in real time. “Credential theft and account compromise remain the most common—and the most preventable—root causes of attacks,” the company said in a statement. “Sophos ITDR gives customers the visibility, context, and control they need to prevent these intrusions before they escalate.”
With identity-based attacks now among the fastest-growing threat vectors globally, Sophos’ expansion into ITDR positions the company to compete directly with leading identity-security players while extending its XDR and MDR ecosystem to cover one of the most critical layers of enterprise defense.