Sophos extends its cyber threat intelligence to the Microsoft Copilot ecosystem to accelerate attack response

Sophos has taken a strategic step in its partnership with Microsoft by announcing the general availability of Sophos Intelix integrations with Microsoft Security Copilot and Microsoft 365 Copilot, unveiled during the Microsoft Ignite conference in San Francisco. This move places Sophos’s cyber intelligence directly at the heart of Microsoft’s security and productivity workflows, with a clear goal: to help organizations of all sizes investigate and respond to incidents much faster.

Headquartered in Oxford, UK, the company processes over 223 terabytes of telemetry daily on its Sophos Central platform, generates over 34 million detections, and automatically blocks more than 11 million threats. This vast, real-world database of attacks and suspicious behaviors powers Sophos Intelix, its threat intelligence repository, which is now available free of charge to users of Microsoft Security Copilot and Microsoft 365 Copilot.

The integration aligns with a clear trend: security operations centers (SOCs) and IT teams are overwhelmed by alert volumes, while attackers move faster and increasingly leverage AI to automate campaigns.


From dashboards to natural language: how Sophos Intelix integrates with Microsoft Security Copilot

Microsoft Security Copilot is Microsoft’s generative AI assistant designed for SOC teams and enterprise security professionals. It connects data from solutions like Microsoft Defender, Sentinel, Intune, Entra, and Purview, enabling analysts to investigate incidents and threats using natural language commands.

The key enhancement provided by Sophos is the advanced context from Intelix:

  • Faster alert enrichment and triage: analysts can ask Security Copilot to expand on a specific alert using insights from Sophos Intelix, including dynamic sandbox analysis and observed behavior.
  • IOC investigation in seconds: files, URLs, or IP addresses can be queried directly from the copilot, which returns reputation scores, global prevalence, and signals from Sophos X-Ops.
  • Global context without leaving the workflow: all this information appears within the conversation with the copilot, eliminating the need to switch consoles or copy and paste indicators.

Additionally, Sophos Intelix will be available in the new Microsoft Security Store, a marketplace offering third-party agents, MCP services, and specialized APIs for the Microsoft security ecosystem.

Practically, the objective is to drastically reduce the time from alert reception at the SOC to understanding whether it is noise, a false positive, or the start of a serious attack.


From SOC console to any employee’s desktop: threat intelligence in Microsoft 365 Copilot

The second part of the announcement is the integration of Sophos Intelix with Microsoft 365 Copilot and everyday tools like Microsoft Teams and the Copilot chat in Microsoft 365.

Until now, access to high-level threat intelligence was typically restricted to highly technical profiles. With this integration, Sophos and Microsoft aim to democratize this knowledge and extend it to:

  • IT administrators, who can check the reputation of links or suspicious attachments without leaving Teams or email.
  • Risk and compliance managers, gaining additional context for security-related business decisions.
  • Business users, who can ask in natural language whether a domain, file, or link is associated with known malicious activity before opening or sharing it.

The reasoning is that if most daily work already happens in Teams, Outlook, and other Microsoft 365 apps, it makes sense for parts of the security defenses to be integrated there as well. Users don’t need to learn new tools; the intelligence arrives where they are working.


Microsoft Agent 365: the control layer for the new wave of AI agents

Sophos’s announcement extends beyond Security Copilot and 365 Copilot. Intelix will also connect with Microsoft Agent 365, the new control framework Microsoft is building to manage AI agents within its ecosystem.

Agent 365 acts as a sort of “control tower” for AI agents interacting with corporate systems, sensitive data, and business applications. The integration with Sophos Intelix aims to:

  • Extend threat intelligence to agents, enabling them to make informed decisions about what to execute, block, or escalate.
  • Leverage Entra identity (formerly Azure AD) to ensure agents’ access complies with organizational policies, with full traceability and observability.
  • Maintain regulatory compliance as AI agents begin automating critical tasks and handling regulated data.

Although these agent capabilities are still in progressive rollout, the message is clear: protection is no longer limited to human users but must also encompass future AI agents operating within corporate networks.


A high-pressure context: endless alerts and increasingly fast attackers

The decision to integrate Sophos Intelix into the Copilot ecosystem comes at a time when defense teams are under mounting pressure.

In the report “Sophos Addressing the Cybersecurity Skills Shortage in SMBs”, 96% of respondents acknowledged difficulties investigating suspicious alerts, and 75% reported challenges in rapidly remediating incidents.

On the attacker side, the Sophos Active Adversary Report 2025 paints an equally alarming picture:

  • Data exfiltration begins, on average, just 3 days after initial intrusion.
  • The median time from exfiltration to detection is only 2.7 hours.
  • Attackers can reach Active Directory in about 11 hours from first access.

In this environment, relying solely on traditional dashboards and manual workflows becomes increasingly unrealistic. Both Sophos and Microsoft agree: AI is the “force multiplier” for defenders—so long as it’s fueled with high-quality data and integrated into existing processes, rather than adding complexity.


AI for agents and cybersecurity “for everyone”: impacts on SMBs and large enterprises

A subtle but significant aspect of the announcement is that access to Sophos Intelix within Security Copilot and Microsoft 365 Copilot is free for users of these copilots.

This aligns with Sophos’s broader mission to “democratize cybersecurity”:

  • SMBs, often lacking their own SOC or advanced specialists, can benefit from the same threat intelligence used by MDR teams and large corporations.
  • Large organizations, already overwhelmed with tools and dashboards, can consolidate some of their analysis work within Microsoft copilots, enriched with Sophos data.
  • Managed Service Providers (MSPs and MSSPs) find these integrations a way to standardize workflows across widely deployed platforms like Microsoft 365.

At the same time, Sophos reinforces its position as a key strategic partner for Microsoft in security, at a time when Redmond is heavily betting on copilots and AI agents as the main interface with its services.


Beyond the headline: what changes in the daily operations of a security team

For a SOC analyst, the difference between juggling five consoles and asking a copilot a question is huge. With Intelix integrations, a typical workflow might be:

  1. Security Copilot receives a correlated alert from Defender or Sentinel.
  2. The analyst asks the copilot to enrich the alert with data from Sophos Intelix: hash reputation, global prevalence, associated campaigns.
  3. If the verdict indicates high risk, the copilot can suggest actions or automations based on predefined policies.
  4. Meanwhile, an IT manager can ask in Teams or Microsoft 365 Copilot chat to verify if a link received by email is part of an active campaign.

The result is a more efficient use of human time: less manual indicator copying, more focus on strategic decisions, coordinated responses, and communication with the business.


Frequently Asked Questions about Sophos Intelix and its integration with Microsoft Copilot

What is Sophos Intelix and what does it bring to Microsoft Security Copilot?
Sophos Intelix is Sophos’s threat intelligence platform, powered by the global telemetry collected daily via Sophos Central. When integrated into Microsoft Security Copilot, it enhances alert enrichment, investigates indicators of compromise (files, URLs, IPs), and provides data on campaign context and prevalence, all through natural language queries within the copilot.

How does the use of Sophos Intelix differ between Microsoft Security Copilot and Microsoft 365 Copilot?
In Security Copilot, Intelix mainly serves SOC/security teams by providing deep technical context for triage, investigation, and response. In Microsoft 365 Copilot, the same intelligence is exposed via tools like Teams or Outlook, allowing less technical profiles—IT admins, risk managers, business users—to quickly check if a link, file, or domain is associated with malicious activity before engaging with it.

How does this integration help small and resource-constrained organizations improve cybersecurity?
Since it’s available free for Microsoft Security Copilot and Microsoft 365 Copilot users, the integration enables small and medium-sized businesses to access global threat intelligence without investing in additional platforms or expanding their expert teams. The copilots act as an AI layer guiding security personnel through alert investigations, reducing repetitive tasks, and supporting informed decision-making during incidents.

What role does Microsoft Agent 365 play in protecting AI agents with Sophos Intelix?
Microsoft Agent 365 functions as a control framework for AI agents operating within Microsoft 365. By integrating Sophos Intelix, organizations can extend threat intelligence to these agents, ensuring they make decisions aligned with security policies, respect identity and permissions managed via Entra, and have their activities logged and auditable. This is increasingly critical as advanced automation and AI-driven workflows expand.

via: sophos
