Sophos ITDR enhances identity security with dark web monitoring and automated response

Sophos has launched Sophos Identity Threat Detection and Response (ITDR), a new solution for Sophos XDR and Sophos MDR that continuously monitors customer environments for identity risks and misconfigurations while scanning the dark web for compromised credentials. It enables organizations to detect and respond to identity-based attacks and identify risky user behavior that could threaten their business.

Sophos ITDR addresses identity-based attacks, one of the fastest-growing threat vectors globally. Sophos X-Ops observed a 106% increase in stolen credentials for sale on the dark web between June 2024 and June 2025. The Sophos Active Adversary Report further found that compromised credentials were the leading root cause of attacks across MDR and incident response cases for the second consecutive year, with 56% of incidents involving attackers logging into external remote services using valid accounts.

“Cloud and remote work have expanded the identity attack surface and created new opportunities for attackers,” said Rob Harrison, SVP, Product Management, Sophos. “Complex identity and access management systems with constantly changing settings and policies create gaps that attackers target. Sophos ITDR helps close those gaps by giving customers faster visibility into identity risks, monitoring for compromised credentials, and integrating with Sophos XDR and Sophos MDR for rapid, analyst-led response.”

Sophos ITDR uncovers identity risks and is designed to protect and detect against all known MITRE ATT&CK Credential Access techniques with detection rules for all of the techniques The solution performs more than 80 cloud identity posture checks, monitors for compromised credentials on the dark web, and uses AI-driven detections to identify identity-based attacks such as kerberoasting, privilege escalation, account takeover, brute force, and lateral movement.

Response playbooks within Sophos ITDR, enable automated remediation actions, including account lock, password reset, multi-factor authentication refresh, and session revocation.

Key features and benefits in Sophos ITDR:

• Identity catalog: Gain visibility across all identities across systems to reduce blind spots.
• Identity posture dashboard: Get a view of identity risks, including compromised credentials on the dark web, to act faster.
• Continuous assessments: Strengthen security posture with ongoing detection of misconfigurations, dormant accounts, vulnerabilities, and MFA gaps.
• Compromised credential monitoring: Protect users by detecting and alerting when stolen credentials surface in breach databases.
• Dark web intelligence: Stay ahead of attackers with proactive monitoring of underground markets for leaked credentials.
• User behavior analytics (UEBA): Spot insider threats and anomalous activity early to prevent account takeover and lateral movement.
• Advanced identity detections: Detect sophisticated identity attacks such as kerberoasting, account compromise, stolen credentials, password spray, brute force, and impossible travel.
• Identity response actions: Take immediate action on identity threats with integrated response actions to disable accounts, reset user sessions, reset passwords, or mark users as compromised in Microsoft Entra ID.

The Sophos ITDR solution integrates with Sophos XDR and Sophos MDR, generating cases when identity-based threats or high-risk findings arise. With Sophos MDR, Sophos security analysts then investigate and take response actions on behalf of customers, accelerating remediation and reducing risk.

“Sophos ITDR has improved visibility into our identity risks and streamlined how we manage them,” said an Information Security Director at a financial services firm. “Having identity risk data available within Sophos XDR is a game changer for strengthening our overall security posture.”

“Identity has become the new frontline of cyber defense, and Sophos ITDR delivers the visibility and automation needed to stay ahead of attackers. By covering the full spectrum of identities from users to service accounts and applications, it closes blind spots, strengthens our overall security posture, and provides clear remediation actions that help my team address risks quickly and effectively,” said a CISO at a financial services firm.