Avanet

Sophos Advisory Services: Expert Security Testing

With Sophos Advisory Services, Sophos is expanding its security services portfolio with proactive security assessments. The basic idea is simple: an organisation should not wait until an attack to find out whether its environment is truly resilient. A controlled test is better, with experienced security testers looking at the environment from an attacker’s perspective, proving weaknesses and providing concrete recommendations for improvement.

At first this sounds like classic penetration testing, and that is exactly where Sophos starts. Advisory Services are broader than a single “scan”, though. They cover technical tests, clear objective definition, reliable findings, prioritisation, reporting for technical and non-technical audiences and, for critical or high findings, validation of remediation within 90 days.

The distinction matters: Sophos Advisory Services are not a replacement for Sophos MDR, not a replacement for Sophos Managed Risk and not emergency help during an active attack. They are the proactive advisory and testing layer in between: assess, understand, prioritise, improve.

What are Sophos Advisory Services?

Sophos Advisory Services are expert-led security assessments. Sophos describes them as independent, proactive Security Testing services that assess networks, systems, applications and, depending on the engagement, organisational security aspects against real-world attack methods.

The service is delivered by the Sophos Red Team and other security experts. The methodology draws on insights from Sophos X-Ops, Incident Response engagements, Threat Hunting and many testing projects. The aim is for the test not just to work through known checklists, but to include current attacker tactics.

In practice, the value lies in four questions:

  • Where are the weaknesses that attackers could actually exploit?
  • How far could an attacker get from outside, internally, via Wi-Fi or through a web application?
  • Which technical and organisational measures reduce risk the most?
  • Which results can be shown clearly to management, partners, auditors or cyber insurers?

The result is not just “passed” or “failed”. A good test shows what was assessed, what was found, how critical a finding is, what the realistic impact is and what specifically needs to change.

The four currently available services

Sophos announced four Security Testing offerings at launch. More Advisory Services may follow later, but these four currently form the core.

External Penetration Testing

External Penetration Testing looks at the environment from the perspective of an external attacker. The focus is on publicly reachable systems such as websites, VPN portals, remote access services, email infrastructure, APIs, web servers, cloud services or other internet-exposed services.

The test primarily answers these questions:

  • Which systems are visible from the outside?
  • Are services misconfigured or outdated?
  • Are there known vulnerabilities that can be exploited?
  • Can initial access to the environment be achieved?
  • Which measures reduce the external attack surface?

External pentesting is especially useful when new services are published, after major infrastructure changes, before audits, or when the true size of the external attack surface is unclear. It also complements continuous exposure approaches such as Sophos Managed Risk, but does not replace them. Managed Risk monitors and prioritises continuously. A pentest goes deeper at a point in time and tries to prove in a controlled way what an attacker could achieve.

Internal Penetration Testing

Internal Penetration Testing assumes that an attacker is already inside the network or that a user account has been compromised. In practice, this is a realistic scenario: phishing, stolen credentials, insecure VPN access or an infected client are often enough to gain an initial foothold.

The internal test checks, for example:

  • whether segmentation really works,
  • whether privileged access is granted too broadly,
  • whether servers, clients and management systems are separated,
  • whether local administrator rights can be abused,
  • whether lateral movement is possible,
  • whether sensitive data can be reached from internal systems.

This is often where the difference between architecture diagrams and reality becomes visible. A network may look cleanly segmented on paper, but in daily operations it can be far more permeable because of exceptions, legacy systems, open management ports or weak permissions. Internal tests are therefore a good reality check for Zero Trust, segmentation and hardening projects.

Wireless Network Penetration Testing

Wireless Network Penetration Testing assesses Wi-Fi security. Sophos distinguishes between passive and active checks.

A passive assessment observes radio traffic and looks for issues such as rogue access points, unexpected SSIDs, weak encryption, faulty configurations or devices that do not fit the security model. An active assessment goes further and simulates attack attempts, for example against authentication, encryption or access controls.

Typical questions include:

  • Are corporate Wi-Fi, guest Wi-Fi and internal networks cleanly separated?
  • Are strong authentication methods being used?
  • Are there unwanted access points or misconfigured devices?
  • Can an attacker bypass protective controls?
  • Does the Wi-Fi configuration match internal security policies?

Wi-Fi is underestimated in many environments because it is seen as “just” an access layer. In reality, it is often a direct bridge into internal networks. A wireless test is particularly worthwhile for offices with sensitive areas, production sites, educational institutions, healthcare, retail spaces or environments with many guests and mobile devices.
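The passive checks described above can be illustrated with a small defender-side script. This is an added example, not code from Sophos, Avanet or the Advisory Services; the policy table (corporate SSIDs, the radios allowed to broadcast them, the permitted security modes) and the scan records are constructed for the example. It compares each observed network against the policy and flags rogue radios, unknown SSIDs, policy mismatches and weak encryption, which are the same questions the section lists.

```python
"""Added example (not Sophos's or Avanet's code): rate networks seen in a
passive Wi-Fi survey against an internal policy. POLICY, WEAK_MODES and SCAN
are constructed assumptions for the example."""
from dataclasses import dataclass

# Constructed policy: for each corporate SSID, the radios (BSSIDs) allowed to
# broadcast it and the security modes the internal policy permits.
POLICY = {
    "corp-wifi": {
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
        "modes": {"WPA2-Enterprise", "WPA3-Enterprise"},
    },
    "corp-guest": {
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
        "modes": {"WPA2-Personal", "WPA3-Personal", "OWE"},
    },
}

# Modes that count as weak encryption regardless of which SSID uses them.
WEAK_MODES = {"OPEN", "WEP", "WPA-TKIP"}


@dataclass(frozen=True)
class Observed:
    """One network as a passive survey would record it."""
    ssid: str
    bssid: str
    mode: str


# Constructed survey output: two clean corporate radios, a corporate SSID on an
# unapproved radio (evil twin), an open guest network and an unknown open AP.
SCAN = [
    Observed("corp-wifi", "aa:bb:cc:00:00:01", "WPA2-Enterprise"),
    Observed("corp-wifi", "de:ad:be:ef:00:01", "WPA2-Personal"),
    Observed("corp-guest", "aa:bb:cc:00:00:02", "OPEN"),
    Observed("Free_WiFi_Setup", "00:11:22:33:44:55", "OPEN"),
    Observed("corp-wifi", "aa:bb:cc:00:00:02", "WPA3-Enterprise"),
]


def classify(obs: Observed) -> list[str]:
    """Return the finding labels for one observed network (empty list = clean)."""
    findings = []
    rule = POLICY.get(obs.ssid)
    if rule is None:
        # Not one of ours: could be a neighbour or a rogue AP, either way it
        # needs a human look before it is dismissed.
        findings.append("unknown-ssid")
    else:
        if obs.bssid not in rule["bssids"]:
            findings.append("rogue-bssid")      # corporate SSID on an unapproved radio
        if obs.mode not in rule["modes"]:
            findings.append("policy-mismatch")  # configuration deviates from policy
    if obs.mode in WEAK_MODES:
        findings.append("weak-encryption")
    return findings


def assess(scan: list[Observed]) -> dict[tuple[str, str], list[str]]:
    """Map (ssid, bssid) -> findings for every network that raised at least one.

    Keyed on the pair because one radio legitimately broadcasts several SSIDs.
    """
    report = {}
    for obs in scan:
        findings = classify(obs)
        if findings:
            report[(obs.ssid, obs.bssid)] = findings
    return report


if __name__ == "__main__":
    for (ssid, bssid), findings in assess(SCAN).items():
        print(f"{ssid:18} {bssid}  {', '.join(findings)}")
```

In a real survey the `SCAN` list would be filled from the survey tool's export and the policy table from the WLAN controller's configuration; the classification logic stays the same.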

Web Application Security Assessment

The Web Application Security Assessment checks web applications for security issues. These include classic vulnerabilities such as SQL Injection, Cross-Site Scripting, faulty authentication, Broken Access Control, Security Misconfiguration, insecure session management or design issues in the application.

Sophos describes two possible perspectives:

  • Black-box Testing: The tester has no internal information and assesses the application like an external attacker.
  • White-box Testing: The tester receives access to source code, architecture information or technical documentation and can therefore test more deeply.

Which option makes sense depends on the objective. If the goal is to understand what an external attacker can achieve without prior knowledge, Black-box Testing fits. If a new application needs to be tested in depth before go-live, White-box Testing is often more valuable because structural issues in code or design also become visible.

Web Application Assessments are especially relevant for customer portals, shops, internal web tools, APIs, partner portals, login areas and applications with personal or business-critical data.

How an Advisory engagement typically works

A good security test does not start with tools, but with scope and objective. Sophos emphasises exactly this for Advisory Services: tests should be goal-based and assess systems in the context of the environment.

1. Define objective and scope

Before the test, it must be clear what will and will not be assessed. This includes:

  • target systems, domains, IP ranges, applications or locations,
  • permitted test types and excluded actions,
  • time windows and maintenance windows,
  • contacts for technical and business questions,
  • escalation paths for critical findings or operational disruption,
  • test accounts and required access,
  • handling of production data.

This phase matters because Security Testing can always have an effect. An active test against Wi-Fi, a web application or an internal network must not run uncontrolled into operations. The better the scope and rules are defined, the more useful and safer the result will be.

2. Perform the test

During the test phase, security experts work with a mix of manual analysis, tooling, experience and current Threat Intelligence insights. The difference from a pure vulnerability scan is that findings are not merely reported, but assessed and validated where possible.

A scanner can say: “A vulnerability may exist here.” A good pentest also answers: “Is it exploitable? Under what conditions? How far can one get with it? What is the real impact? Which measure actually helps?”

3. Document the results

After completion, Sophos provides a report. According to Sophos, it is aimed at technical and non-technical audiences. That is important because a purely technical report often does not help management, while a pure management report is too vague for admins.

A useful report should therefore include at least:

  • executive summary for management and risk owners,
  • technical findings with evidence,
  • severity and realistic impact,
  • affected systems and tested scope,
  • prioritised recommendations,
  • concrete remediation steps,
  • guidance on quick fixes and structural improvements.

Prioritisation is crucial. Many organisations have more findings than time. A good report helps fix first the vulnerabilities that are truly exploitable, exposed or business-critical.

4. Validate critical and high findings

One valuable point on the Sophos page is Remediation Validation: for remediated findings with critical or high severity, validation within 90 days is included. This is practical because it creates a real control loop, not just a PDF.

For operations, this means critical and high findings should quickly be converted into tickets, assigned to an owner and rechecked after remediation. Otherwise, the test remains a snapshot without lasting effect.

Differentiation from MDR, Managed Risk and Incident Response

Sophos now has several security services whose names are easy to mix up. The differences matter.

Advisory Services vs. Sophos MDR

Sophos MDR is an ongoing Managed Detection and Response service. Analysts monitor signals, detect threats and respond to active attacks or suspicious behaviour depending on the agreed model.

Advisory Services, by contrast, are project-based tests and assessments. They check whether controls, applications, networks or Wi-Fi are attackable. MDR continuously watches for active threats. Advisory Services assess how well the defence is prepared.

Advisory Services vs. Sophos Managed Risk

Sophos Managed Risk is a continuous vulnerability and attack surface management service. It identifies external assets, assesses risks, prioritises vulnerabilities and helps reduce open attack surfaces over time.

Advisory Services work differently: they are time-limited, manual or strongly expert-led assessments. An external pentest, for example, can validate how far an attacker could really get. Managed Risk provides the continuous view of the attack surface. The two complement each other well.

Advisory Services vs. Compromise Assessment

A Sophos Compromise Assessment answers a different question: is the environment already compromised, or are there signs of an ongoing or past attack?

Advisory Services ask instead: where could an attack succeed if someone tried? The focus is prevention and resilience, not primarily forensic hunting for already active attackers.

Advisory Services vs. Emergency Incident Response

If an organisation is currently under attack, a penetration test is not the right starting point. Incident Response, containment, analysis and recovery are needed. Advisory Services are intended for the phase before or after that: before an attack to reduce risk, or after stabilisation to improve the structure.

When Sophos Advisory Services are worthwhile

Advisory Services are particularly useful when an organisation wants to answer concrete questions, not just have “more security”.

Before go-live or after major changes

New web applications, a new VPN architecture, new cloud services, a new Wi-Fi concept or larger network segmentation should not reveal their weaknesses only during production operation. A targeted assessment before go-live can prevent a lot of expensive rework.

Before audits, certifications or cyber insurance

Many requirements from NIS2, ISO 27001, PCI DSS, SOC 2 or cyber insurance are not only about tools being present, but about demonstrable processes, testing and risk reduction. An Advisory engagement does not replace certification, but it can provide important evidence and concrete improvements. For the link between regulation and security measures, the article on the NIS 2 Directive is also relevant.

When internal security is assumed but not proven

Many environments look stable until they are deliberately tested. Internal tests often reveal old admin rights, flat networks, open management ports, unprotected service accounts or missing segmentation. Especially after years of organic growth, this external view of the internal world is worthwhile.

As a complement to MDR, XDR, NDR and firewall protection

Detection and response technologies are strong, but they do not answer every prevention question. An organisation can use Sophos Firewall NDR Active Threat Intelligence, XDR or MDR and still have weaknesses in Wi-Fi, web applications or internal segmentation. Advisory Services help find those gaps in a targeted way.

What to prepare before a test

Security Testing is not something to “just do”. Good preparation determines whether the test delivers usable results or only creates stress.

Clarify immediately

  • Which systems and applications are in scope?
  • Which systems must explicitly not be tested?
  • Are there production systems with special risk?
  • Which maintenance windows are possible?
  • Who is the technical contact?
  • Who may make risk decisions?
  • Which log sources are monitored during the test?

Prepare before the test

  • Document test approval and legal permission.
  • Create a contact list with emergency numbers.
  • Check backups and recoverability.
  • Inform monitoring, SIEM, MDR or SOC about the test.
  • Provide test accounts with defined permissions.
  • Document target systems and versions.
  • Involve business owners of the tested applications.
  • Check whether a change freeze is needed for critical systems.

Operationalise after the test

  • Convert findings into tickets.
  • Prioritise critical and high findings.
  • Define owner and due date for each finding.
  • Separate quick wins from architecture topics.
  • Document remediation.
  • Plan validation within the 90-day period.
  • Add recurring assessments to the security roadmap.

Limits and realistic expectations

Sophos Advisory Services can be very valuable, but they are not a magical proof of security.

A test is always dependent on scope and time. What is not in scope is not assessed. Anything newly published or changed after the test can create new risks. A clean report therefore does not prove that an environment is “secure”. It shows what was tested within the agreed framework and which risks were found.

Also important: the service does not automatically fix vulnerabilities. It provides findings, prioritisation and recommendations. Implementation remains the responsibility of IT, development, network teams, security teams, service providers or application owners. That is exactly why an owner model after the test is so important.

It is also worth distinguishing between passive and active tests. An active test can put load on systems, trigger alerts or cause unexpected side effects if scope and time windows are poorly defined. That is not an argument against testing, but it is an argument for clean preparation.

My assessment

I find Sophos Advisory Services interesting mainly because Sophos is expanding its portfolio in a sensible direction. Many organisations now have good security products, but too little tested reality. There may be endpoint protection, firewall, MDR, backups, policies and perhaps a few compliance documents. The hard question remains: does it hold when someone really tests it?

That is exactly where Advisory Services fit. The service is not daily monitoring like MDR and not continuous vulnerability management like Managed Risk. It is the planned reality check. It becomes especially valuable when the results do not disappear into a drawer, but are translated into tickets, architecture decisions, segmentation projects and recurring reviews.

My recommendation: do not treat Advisory Services as a one-off audit stamp. A small programme is better: first assess the external attack surface, then critical web applications, then internal movement and Wi-Fi. In parallel, Managed Risk, MDR, logging and firewall reviews should provide ongoing visibility. That creates a continuous improvement process instead of a single report.

FAQ

What are Sophos Advisory Services?

Sophos Advisory Services are proactive Security Testing and assessment services. Sophos experts assess networks, systems, Wi-Fi or web applications from an attacker’s perspective and provide concrete recommendations for risk reduction.

Which services are currently available?

At launch, Sophos names four offerings: External Penetration Testing, Internal Penetration Testing, Wireless Network Penetration Testing and Web Application Security Assessment.

Are Sophos Advisory Services the same as Sophos MDR?

No. MDR is an ongoing Detection and Response service for active threats. Advisory Services are project-based security assessments that make vulnerabilities and attack paths visible.

What is the difference from Sophos Managed Risk?

Managed Risk continuously monitors and prioritises vulnerabilities and external attack surfaces. Advisory Services assess more deeply and in a targeted way, for example through manual penetration tests or Web Application Assessments.

Does a penetration test replace a security strategy?

No. A test shows risks within the defined scope and at the time of testing. Afterwards, findings must be remediated, controls improved, logs monitored and security processes continued.

What happens after the test?

Sophos provides a report with findings, evidence, assessment and recommendations. According to Sophos, Remediation Validation within 90 days is included for remediated critical and high findings.

Who benefits most from Sophos Advisory Services?

The service is useful for organisations that want to know how attackable their environment really is before go-live, an audit, certification, cyber insurance, an architecture change or after a longer period of operation.

Can Sophos Advisory Services help with NIS2 or ISO 27001?

Yes, as supporting evidence and to improve the security posture. The service does not replace certification or legal review of regulatory requirements.


David