Shopping Cart

No products in the cart.

Active Threat Response for Sophos switches and access points

With the new Active Threat Response feature, Sophos extends the capabilities of Sophos Access Points (AP6 series only) and Sophos Switches. This feature enables an automatic response to threats in real time, especially in combination with Sophos MDR, Sophos XDR or third-party solutions. Sophos Firewall has recently been updated to version 20 with new protection features, and now Sophos Switches and Access Points will also benefit from this enhanced threat defense.

How Active Threat Response works

Sophos already offers effective protection against lateral movements by attackers on endpoints. Lateral movement refers to the spread of an attacker within a network after compromising an initial access point. The attacker attempts to move from one device to the next in order to steal sensitive data or infect other systems.

However, not every device in the network is equipped with Sophos Endpoint, and it is precisely these unprotected devices that are often the target of attacks. This is where Network Detection and Response (NDR) comes into play. NDR continuously monitors network traffic and analyzes data packets for anomalies that could indicate suspicious activity. This enables threats to be detected before they can cause serious damage.

Access Points and switches are often the first points of contact in the network communication of end devices. This makes them an ideal platform for quickly detecting and responding to threats. With Active Threat Response, compromised systems can be isolated in real time using threat feeds controlled via an API. This prevents lateral movement of the attackers in the network and enables targeted countermeasures.

Threat feeds and isolation

The threat feeds are obtained from trusted sources (Sophos or third-party providers) and contain the MAC addresses of the compromised devices. This information is forwarded to all AP6 Access Points and Sophos Switches in the network that are managed in the same Sophos Central account. As soon as a compromised device is identified, it is immediately isolated and loses access to the network. This prevents attackers from spreading further and provides valuable time for countermeasures and clean-up processes.

Active Threat Response - Network Attack
Active Threat Response – Network Attack Example

Advantages of the Sophos ecosystem

Active Threat Response extends the unique functionality of the Sophos ecosystem with several key benefits:

  1. Host isolation: Wired and wireless devices, including managed hosts (clients and servers with Sophos Endpoint) and unmanaged devices (such as printers).
  2. Prevent lateral movement: Immediate isolation of compromised systems prevents attackers from spreading further within the network, providing more time for incident cleanup.
  3. Use of threat feeds: Threat feeds from multiple trusted sources are used to ensure comprehensive and up-to-date threat detection.

Availability and licenses

Active Threat Response is now available via Sophos Central for Sophos Wireless (AP6 series only) and Sophos Switch. A valid support subscription for each AP6 Access Points or switch is required for use.

Integration with Sophos Firewall

Although a Sophos Firewall is not a prerequisite for using Active Threat Response, the combination with Sophos Wireless, Sophos Switch and Sophos Firewall provides comprehensive protection at all network levels. This combination enables different response measures and advanced automation, which allows security incidents to be resolved more quickly.

Overview and assessment


After a wait of over two years, Sophos is finally bringing Active Threat Response, a feature that really sets Sophos Switches apart. Up to now, Sophos Switches have hardly differed from those of other manufacturers, apart from the management via Sophos Central and this still with a slimmed-down range of functions.

Active Threat Response nevertheless represents a significant advance in threat defense. Integration with Sophos MDR, Sophos XDR and third-party solutions ensures a fast and effective response to threats. This not only provides better protection, but also enables security incidents to be managed more efficiently and network integrity to be maintained.

Access Points

The Sophos AP6 Access Points have only been on the market for six months, but are already technologically out of date with Wi-Fi 6. In addition, Sophos Central, the controller for the Access Points, still lacks functions that were available on the older APX models and will only be implemented towards the end of the year.

In addition, various customers report problems with the Access Points, particularly with regard to range. Only the introduction of Active Threat Response brings significant new functionality back into play.

However, it remains to be seen whether this is enough to compete with the extensive range offered by other manufacturers.

To summarize, Sophos Switches and Access Points have become more valuable with the introduction of Active Threat Response. Nevertheless, the decision whether to invest in Sophos network hardware depends heavily on the specific requirements and the existing IT infrastructure.


For which products is Active Threat Response available?

Active Threat Response is now available via Sophos Central for Sophos Wireless (AP6 series only) and Sophos Switch.

Do I need a special license or subscription to use Active Threat Response?

Yes, a valid support subscription is required for each AP6 Access Point or switch in order to use Active Threat Response.

Which devices support Active Threat Response?

Sophos AP6 Access Points and all Sophos Switches are supported.

What is Sophos Active Threat Response?

Active Threat Response is a new feature from Sophos that enables real-time, automated threat response by isolating compromised systems. It is available for Sophos Wireless Access Points (AP6 series only) and Sophos Switches.

Can Active Threat Response be used without Sophos Firewall?

Yes, Active Threat Response can also be used without Sophos Firewall. However, the combination with Sophos Firewall offers more comprehensive protection at all network levels.

Why are unprotected devices in the network a risk?

Unprotected devices that do not have Sophos Endpoint Protection installed are more vulnerable to attacks and can serve as an entry point for attackers to spread across the network.

How does host isolation work?

Hosts are isolated using Active Threat Response in combination with Sophos Central. When a compromised device is identified, its MAC address is forwarded via an API to all managed AP6 Access Points and Sophos Switches. These devices, whether wired or wireless, managed (with Sophos Endpoint Protection) or unmanaged (like a NAS), are immediately isolated and lose access to the network. This prevents attackers from spreading further.

Do I need MDR and XDR for Active Threat Response?

No, Sophos MDR and XDR are not mandatory for the use of Active Threat Response. However, threat intelligence from Sophos MDR and XDR and other solutions can be fed into the system to enable more effective threat detection and response.


Patrizio is an experienced network specialist with a focus on Sophos firewalls, switches and access points. He supports customers or their IT department in the configuration and migration of Sophos firewalls and ensures optimal network security through clean segmentation and firewall rule management.

Subscribe Newsletter

We send out a monthly newsletter with all the blog posts for that month.