Sophos has announced Fusion, a platform that will unify endpoint, network, email, cloud, and identity protection with SIEM, XDR, and managed detection and response. The company describes it as a native AI cybersecurity system, though in practice it also represents the evolution of Sophos Central and the technological integration of Taegis following their acquisition of Secureworks.
The key points of Sophos Fusion in 20 seconds
- Fusion will share data and context across major security controls.
- It will incorporate Taegis analytics and over 500 announced third-party integrations.
- The new SIEM and XDR are scheduled to launch on 08/15/2026.
- Sophos claims its AI already resolves 52% of MDR cases with an average response time of 89 seconds.
The proposal addresses a common issue in security operations centers: companies have accumulated products generating alerts but do not always share information or coordinate responses. An endpoint might detect suspicious activity while the firewall, email, identity, and cloud systems operate through their own consoles and rules.
Sophos aims to have all these signals reach a common layer so that a detection can trigger measures across different parts of the environment. For example, a compromised identity could lead to isolating the device, blocking communications in the firewall, and conducting an investigation into activity on cloud applications.
The manufacturer asserts that Fusion will serve the 625,000 organizations using its technology. Previous corporate pages still listed that base above 600,000 customers, so the higher figure should be seen as an update within this new announcement.
Sophos Central integrates Secureworks’ Taegis technology
Fusion is not starting from scratch. Its foundation is Sophos Central, the console from which the company manages products like Endpoint, Firewall, Email, and MDR. The main technical innovation is the addition of Taegis analytics, the platform developed by Secureworks for XDR, SIEM, and managed services.
Sophos finalized its acquisition of Secureworks in February 2025 through a cash deal valued at approximately $859 million. At that time, they announced they would combine Sophos’s prevention controls with Taegis’s telemetry, integrations, and security operations. Fusion represents the next step of that integration.
| Fusion Element | Main Source or Function |
|---|---|
| Sophos Central | Unified management of products and policies |
| Taegis Analytics | Correlation, detectors, and analysis for XDR and SIEM |
| Sophos Endpoint | Prevention, telemetry, and response on devices |
| Sophos Firewall | Traffic control and response on network |
| Sophos ITDR | Threat detection related to identities |
| Sophos MDR | 24/7 managed monitoring and response |
| Sophos X-Ops | Threat investigation and intelligence |
| External Integrations | Incorporating third-party tools data |
The company refers to the “shared context lake” as the layer where events converge. The idea is for each signal to retain information about the user, device, identity, application, and prior actions instead of appearing as an isolated alert.
This model can facilitate investigating attacks that span multiple systems. An unusual login might not be enough to confirm intrusion, but it gains significance if it coincides with the execution of unknown tools, changes in identity directory, and data transfer to a new destination.
Fusion will rely on four principles defined by Sophos:
| Principle | Intended Application |
|---|---|
| Shared Context | Consolidate signals into a single data layer |
| Synchronized Security | Coordination of measures across controls |
| Autonomy with Supervision | Allow agents to act within defined limits |
| Cumulative Intelligence | Use observed threats to improve future detection |
The term “cyber defense system” is a category Sophos is striving to establish to differentiate Fusion from a collection of products. Whether it becomes recognized as its own category depends on its adoption and whether other providers use a comparable definition.
A single console won’t eliminate all complexity. Organizations will still need to fine-tune rules, classify assets, manage permissions, and decide which actions the system can perform automatically.
AI can investigate and respond within defined limits
Sophos presents Fusion as a platform ready for joint workflows between humans and AI agents. These agents will analyze alerts, relate signals, and execute certain responses, but only when analysts have previously authorized such interventions.
This model is already used in Sophos Managed Detection and Response (MDR). According to operational data, AI fully resolves 52% of managed cases without direct human intervention. The average time from alert creation to fully automated response is 89 seconds in authorized instances.
| Indicator Reported by Sophos MDR | Result |
|---|---|
| Clients under agent-based model | 40,000 |
| Year-over-year service growth | 39% |
| Cases fully resolved by AI | 52% |
| Average time to automated response | 89 seconds |
| Coverage | 24/7 continuous operation |
These figures are provided by Sophos and reflect their own MDR service operation. They do not imply that 52% of any incident can automatically be resolved or that all threats are contained within 89 seconds. The measurement covers cases where AI has approval and operational boundaries set by analysts.
Human oversight will still be needed for ambiguous investigations, incidents affecting critical assets, or actions with potential business impact. Disabling accounts, isolating servers, or blocking applications can stop a attack but may also disrupt legitimate operations if the diagnosis is incorrect.
Fusion will allow each organization to define which decisions can be made automatically by agents and which require approval. This distinction is especially important in hospitals, government agencies, industrial sectors, and financial firms where automated measures could affect essential processes.
The manufacturer mentions over 500 external integrations within the new platform. The public Sophos MDR documentation still lists more than 350 third-party technologies. The difference may be due to additional connectors or broader criteria, but Sophos will need to clarify which integrations will be available in each product and timeline.
A new SIEM without volume-based billing
Sophos Next-Gen SIEM will be one of the earliest features of Fusion to launch. Its general availability is scheduled for 08/15/2026, and it will include long-term retention, compliance reports, and analytics over the shared data layer.
Pricing will differ based on how it is calculated. Sophos states it will bill based on protected users and servers, rather than mainly on data volume ingested.
| Pricing Model | Potential Effect |
|---|---|
| Per volume of telemetry | Costs increase with more records sent |
| Per users and servers | Easy to estimate the expense based on the protected environment |
| Extended retention | Enables investigation of old incidents and audit preparations |
| Shared data with XDR and MDR | Prevents maintaining completely separate repositories |
Billing based on ingestion might lead some companies to filter logs to control costs, which reduces immediate expenses but could remove valuable information during investigations.
The alternative model from Sophos encourages clients to send all telemetry without fearing unpredictable bills. Its real attractiveness depends on pricing per user and server, retention periods included, and premiums for large environments. These details are not specified in the announcement.
The Sophos XDR will also be available on 08/15. It will utilize Taegis analytics, add thousands of detectors, and offer automation via orchestration and response playbooks, known as SOAR.
On the same day, Sophos MDR will expand its continuous threat hunting and response capabilities across endpoint, firewall, cloud, email, and identity.
Schedule of Sophos Fusion’s upcoming features
| Feature | Announced Availability |
|---|---|
| Sophos Next-Gen SIEM | 08/15/2026 |
| New Sophos XDR based on Taegis | 08/15/2026 |
| Expanded Sophos MDR | 08/15/2026 |
| Sophos AI Defense | Early access in August 2026 |
| Sophos AI Defense | General availability in October 2026 |
| Sophos CISO Advantage | Starting October 2026 |
Sophos AI Defense will focus on AI tools used within companies. It will enable discovering approved services and uncontrolled applications, applying policies, and monitoring data access.
The company previously advanced this strategy with Workspace Protection, a solution to monitor web applications, unauthorized AI tools, and hybrid work environments. Fusion will extend this context to other security controls.
CISO Advantage will launch in October, combining control validation, risk assessment, benchmarking with similar organizations, and compliance framework mapping. The service is supported by the technology and team of Arco Cyber, a company acquired by Sophos in February 2026.
The goal is to provide guidance comparable to that of a Chief Information Security Officer for organizations lacking that role. For those with a CISO, the platform can prepare data to justify investments, assess control status, and communicate risks to leadership.
Fusion also strengthens Sophos’s channel model. Managed service providers will be able to manage protection, detection, response, and consulting through a unified platform. This can streamline operations but also centralizes critical functions in one vendor’s technology.
Sophos’s main promise is not to add another tool, but to reduce the fragmentation among existing ones. Its success will depend on maintaining Taegis’s quality in the shared layer, integrating third-party products without limiting features, and allowing automation while preserving analysts’ control over sensitive decisions.
Frequently Asked Questions
What is Sophos Fusion?
It is the evolution of Sophos Central toward an architecture that shares data, analysis, and responses across endpoint, network, email, identity, cloud, SIEM, XDR, and MDR.
Will Fusion replace tools from other vendors?
Not necessarily. Sophos states that the platform will support over 500 integrations to incorporate external products into its data and response layer.
Will AI be able to block threats automatically?
Yes, provided the organization has authorized such responses and set operational boundaries. Ambiguous or sensitive cases will still require analyst approval.
When will Sophos Fusion be available?
The platform will be rolled out in phases. SIEM, XDR, and MDR enhancements arrive on 08/15/2026, with AI Defense and CISO Advantage completing in October.

