
Sophos Adaptive Attack Protection API

The threat landscape is constantly evolving and IT administrators are faced with the challenge of protecting their networks and endpoints against increasingly sophisticated attacks. One particularly innovative solution that helps with this is the Adaptive Attack Protection API from Sophos. This technology provides dynamic protection that automatically activates additional security measures when attacks are detected. This blog post explains how the Adaptive Attack Protection API works, what benefits it offers and how IT administrators can integrate it into their security strategy.

What is the Adaptive Attack Protection API?

Adaptive Attack Protection (AAP) is an automatic protection mechanism that activates additional security measures when active attacks are detected on an endpoint. This happens without manual intervention and enables administrators to effectively block attackers and gain time for further countermeasures.

Functionality

Sophos Central Policy – Adaptive Attack Protection

Adaptive Attack Protection detects suspicious activity using two main methods:

  1. Recognition of attack tools: AAP can identify the use of common attack tools and react accordingly.
  2. Detection of active malicious behavior: By analyzing behavior on the endpoint, AAP can detect early signs of an ongoing attack and activate appropriate defensive measures.

Source: Sophos KB – Adaptive Attack Protection

In such situations, temporary restrictions are activated that may get in the way of day-to-day work, but are necessary during an attack to prevent the threat from spreading.

Advantages of the Adaptive Attack Protection API

1. Automatic activation

AAP is included as standard in all Sophos Central Endpoint products and does not need to be activated manually. As soon as a potential attack is detected, the appropriate steps are taken automatically.

2. Extended protection against attacks

If AAP detects a “hands-on-keyboard” attacker, increased protection mechanisms are activated. These also block actions that are harmless in everyday use but dangerous in an attack situation. This gives the defenders more time to neutralize the attack.

3. Extended API functionality

Through the Endpoint API extensions, it is possible to manually enable or disable Adaptive Attack Protection. This is particularly useful when suspicious activity is observed, but complete isolation of the device could cause significant operational disruption.

4. Increased visibility and control

Administrators are informed of new events and alerts as soon as AAP becomes active on a device. This enables proactive monitoring and rapid response to threats.

Video: Sophos Adaptive Attack Protection (AAP) – Overview

Integration into the security strategy

The Adaptive Attack Protection API offers IT administrators the opportunity to adapt their security measures flexibly and depending on the situation. Here are some recommended deployment scenarios:

1. Automated response to threats

By automatically activating the AAP functionalities, IT teams can react to threats without having to rely on manual intervention. This reduces the time it takes to take countermeasures and minimizes the risk of a successful attack.

2. Targeted activation during investigations

When investigating suspicious activity, AAP can be manually activated to take additional defensive measures without completely isolating the device from the network. This allows potential damage to be minimized while investigations continue.

3. Long-term activation for critical endpoints

For particularly critical endpoints or during an ongoing threat situation, AAP can remain activated for a longer period of time via the API. This provides additional security and protects sensitive systems from potential attacks.
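As an added illustration (not Sophos’s code and not from the original post), here is a Python sketch of how an administrator’s automation could combine the choice described under “Extended API functionality” and the scenarios above (isolate, enable AAP only, or just monitor) with the API calls needed to act on it. The OAuth2 token request and the whoami lookup use the documented Sophos Central endpoints; the AAP toggle route and JSON body are assumptions and must be replaced with the route given in the Sophos Endpoint API reference.

```python
import json
from urllib.parse import urlencode

# Documented Sophos Central endpoints for obtaining a token and the tenant context.
TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"
# ASSUMPTION: placeholder route for the AAP toggle; take the real route from the
# Sophos Endpoint API reference before using this against a tenant.
AAP_ROUTE = "/endpoint/v1/endpoints/{endpoint_id}/adaptive-attack-protection"

# Constructed sample whoami response (shape follows the documented API).
SAMPLE_WHOAMI = {"id": "tenant-0001", "idType": "tenant",
                 "apiHosts": {"global": "https://api.central.sophos.com",
                              "dataRegion": "https://api-eu01.central.sophos.com"}}


def token_request(client_id, client_secret):
    """Client-credentials request for a Sophos Central API token (form-encoded, scope=token)."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": "token"})
    return {"method": "POST", "url": TOKEN_URL,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": body}


def tenant_context(whoami_json, token):
    """whoami yields the tenant id and the regional API host every later call must target."""
    tenant_id = whoami_json["id"]
    return {"tenant_id": tenant_id, "api_host": whoami_json["apiHosts"]["dataRegion"],
            "headers": {"Authorization": f"Bearer {token}", "X-Tenant-ID": tenant_id,
                        "Content-Type": "application/json"}}


def aap_toggle_request(ctx, endpoint_id, enabled):
    """Build the request that manually enables (or disables) AAP on a single endpoint."""
    return {"method": "PATCH", "url": ctx["api_host"] + AAP_ROUTE.format(endpoint_id=endpoint_id),
            "headers": ctx["headers"], "body": json.dumps({"enabled": enabled})}


def choose_response(alert):
    """Pick the least disruptive action that still contains the threat.

    AAP is the middle step the post describes: extra hardening without cutting the
    host off the network, which matters when isolation would halt critical operations.
    """
    if alert["severity"] == "high" and not alert["business_critical"]:
        return "isolate"
    if alert["severity"] in ("high", "medium"):
        return "enable_aap"
    return "monitor"
```

The request dictionaries are transport-agnostic on purpose so they can be handed to `urllib` or `requests` once the real route is filled in.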

Demo of the Adaptive Attack Protection

This demo video shows how Sophos’s AAP responds in real time to an active attack. The attacker attempts several common methods to compromise the system, including running malicious PowerShell scripts, downloading suspicious files, and creating new user accounts. See how Sophos Endpoint automatically activates heightened defenses to block these threats and protect your IT environment.

Video: Demo: Sophos Adaptive Attack Protection (AAP)

FAQ

Does AAP have to be activated manually?

No, it is enabled by default in all Sophos Endpoint licenses and does not need to be configured manually.

How long will AAP remain active?

AAP remains active for as long as suspicious activity is detected. The duration can also be extended manually.

Can AAP be used on servers?

Yes, Adaptive Attack Protection is available on both endpoints and servers.

Does AAP affect system performance?

The impact on system performance is minimal and only relevant during the activation of AAP.

David

David is responsible for order processing in our online store so that products and licenses are delivered quickly and efficiently. He provides our customers with comprehensive support in selecting the right Sophos product. David has in-depth knowledge of all Sophos products and provides specialized support for the Sophos Central segment.
