Sophos Firewall: NDR Active Threat Intelligence
With SFOS 22.0 MR1, Sophos has brought a new detection feature to Sophos Firewall: NDR Active Threat Intelligence. The name sounds like another major security component, but technically it deserves a more precise description. The firewall uses detection patterns from Taegis NDR. In the Sophos Community, iSensor is mentioned as the IPS engine from the Secureworks or Taegis world whose patterns now land in SFOS. The main goal is not to block every hit immediately and aggressively, but to make suspicious activity in the network visible and usable for XDR, MDR or SOC analysis.
That is an important distinction. When many admins think about firewall security, they first think about blocking: IPS blocks, Web Protection blocks, DNS Protection blocks, Threat Feeds block. NDR Active Threat Intelligence works differently. The feature detects potentially malicious or suspicious traffic, writes events to the logs and forwards the data to the Sophos Data Lake. There, it can be investigated further in Sophos Central, in the Threat Analysis Center, for Sophos XDR, Sophos MDR or a SOC.
In my view, this is a useful addition, but not a magic replacement for a proper detection-and-response concept. If you simply switch the feature on and then never look at logs, detections or cases, you gain little. But if you deliberately integrate it into firewall rules, TLS inspection, reporting and incident processes, you get additional signals exactly where many attacks become visible: in network traffic.
What NDR Active Threat Intelligence does
NDR Active Threat Intelligence uses high-signal detection patterns from Taegis NDR. Sophos Firewall checks suitable traffic against these patterns, generates detection events and forwards them to the Data Lake. Sophos describes the feature as detecting potentially malicious traffic and active attackers inside the network.
In practice, this is about situations that are not always clear enough for classic prevention, but become important for an investigation:
- a trusted Windows tool such as certutil being abused for suspicious downloads,
- a compromised system scanning SSH-capable hosts, for example in the context of NoaBot,
- unusual HTTP traffic over a port where DNS would actually be expected,
- outbound traffic that looks like data exfiltration or hidden communication, for example via the old finger tool.
Such signals are not always automatically a confirmed attack. That is exactly why the action in the configuration is designed as Log threats. The firewall collects indicators, makes them visible and provides them for correlation. If other signals are added, such as endpoint events, identity indicators or further firewall logs, they can become a reliable detection or case.
Why this is not the same as ATP or classic Threat Feeds
An obvious question is: is this simply Advanced Threat Protection under a new name? Not really. In the Sophos Community, the new firewall rule option was aptly described as new or improved IPS patterns, not as classic ATP. The distinction matters because it also makes expectations for the feature clearer.
Advanced Threat Protection and Sophos X-Ops Threat Feeds work more strongly on reputation and indicators. They focus on known malicious IPs, domains, URLs or command-and-control indicators. Such feeds are very valuable when a target or sender is already known to be malicious. The older article on Threat Intelligence Feeds for the firewall also fits here.
NDR Active Threat Intelligence looks more closely at suspicious traffic patterns. The traffic itself provides indicators: unusual protocol use, suspicious downloads, lateral movement behaviour or communication that does not fit the expected use. That is closer to Network Detection and Response than to a pure blocklist.
A second difference is also important: ATP is designed as a system-wide function, while NDR Active Threat Intelligence is additionally enabled in the relevant firewall rules. You therefore decide per rule or per traffic path which traffic should be analysed with these patterns.
Requirements and supported platforms
NDR Active Threat Intelligence is a feature for Sophos Firewall 22.0 MR1. In the release notes, it is listed for version 22.0 MR1 Build 490, which was released on 20 April 2026.
The following points are especially relevant for operation:
- A Sophos Firewall with Xstream Protection Bundle is required.
- XGS Series Firewalls are supported, including Gen.1 and Gen.2, as well as virtual, software and cloud deployments.
- Supported platforms include VMware, KVM, Hyper-V, Azure, AWS, XEN and software appliances.
- XGS 88, XGS 88w, XGS 87 and XGS 87w are not supported.
- A Sophos XDR licence is required for XDR analysis.
- MDR Essentials or MDR Complete is required for MDR analysis.
- For Sophos Central reporting, reports and logs must be sent to Sophos Central.
- The firewall must be registered in Sophos Central if you want to use the Central views.
- According to the Techvids note, Sophos Firewall Home Edition is currently not supported.
The point about XGS 87 and XGS 88 is important, but it is not the only operational check. The smallest desktop models are not supported for this feature, even though they can otherwise run current SFOS versions. Anyone working with XGS 87, XGS 87w, XGS 88 or XGS 88w in small branch offices or remote sites should therefore not plan NDR Active Threat Intelligence as an available protection component. At the same time, having the licence is not enough: Central reporting, Data Lake connectivity and IPS logging must be cleanly enabled, otherwise the operational value remains small.
NDR Active Threat Intelligence, NDR Essentials or Sophos Central NDR?
The names sound similar, but they do not mean the same thing. NDR Essentials is the firewall-adjacent flow feature: Sophos Firewall collects network flows, the analysis happens in the Sophos cloud, and no separate sensor VM is required. That is useful in environments where the firewall sees the relevant data flows and you want to start without an additional appliance.
NDR Active Threat Intelligence is the new firewall-side component. It uses curated Taegis/iSensor patterns and is additionally enabled in the relevant firewall rules. This is not a separate NDR appliance, but detection and logging signals for traffic that the firewall actually processes.
Sophos Central NDR is the standalone NDR product with a dedicated virtual sensor VM. This sensor is typically connected passively through a SPAN, mirror or TAP port and can therefore also see internal east-west traffic, unmanaged devices, IoT/OT systems or unauthorised assets that may never traverse the firewall, depending on the architecture. In short: NDR Essentials and NDR Active Threat Intelligence extend the firewall view. Sophos Central NDR provides the broader network view through its own sensor VM.
Where to enable the feature
The basic configuration is done on Sophos Firewall under:
Active Threat Response > NDR Essentials and Active Threat Intelligence
The menu item used to be called only NDR Essentials. With SFOS 22.0 MR1, it was expanded and renamed NDR Essentials and Active Threat Intelligence, because both areas are now brought together there.

There, NDR Active Threat Intelligence is enabled and a minimum severity is selected. Sophos names five severity levels:
- Critical (1)
- Major (2)
- Moderate (3)
- Minor (4)
- Warning (5)
The selection determines which patterns are considered. If you select Warning, all patterns from Critical to Warning are considered. If you select Critical, only critical patterns are evaluated. That sounds obvious, but it matters in operation. A threshold that is too high can hide interesting early indicators. A threshold that is too low can lead to significantly more events in larger networks.
My recommendation: do not start blindly with the most sensitive setting. A defined pilot with a few relevant rules, clean logging and subsequent evaluation is better. You can then decide whether the severity level fits or whether you want to roll it out more broadly step by step.
The following Sophos demo shows the activation and test flow compactly in the firewall GUI:
Firewall rules are decisive
After switching it on, the firewall reminds you that NDR Active Threat Intelligence must also be enabled in the appropriate firewall rules. This is one of the most important points, because otherwise the feature is not applied to the desired traffic.
In the rules, you can find the setting under Rules and policies > Firewall rules. Within the relevant rule, scroll to the Other security features section.
There, Scan with NDR Active Threat Intelligence must be enabled. This step must be completed for every rule whose traffic is to be analysed. This typically affects rules for user internet traffic, server traffic, DMZ traffic or certain internal communication paths.

The Techvids guide also points out that Scan HTTP and decrypted HTTPS should be enabled and SSL/TLS Inspection Rules must be set to Decrypt if decrypted HTTPS traffic is to be inspected. That is logical: the less the firewall sees of the traffic, the less it can meaningfully detect. At the same time, TLS inspection is always an operational project and not just an extra click.
In short: the global NDR Active Threat Intelligence feature alone is not enough. The rule option, HTTPS Scanning and SSL/TLS inspection must fit together, otherwise visibility remains limited.
Do not switch everything on at once
I would not immediately throw NDR Active Threat Intelligence onto every rule and every zone. Technically, that may work in many environments, but operationally it is rarely the best start. A staged rollout makes more sense:
- Check user-to-internet rules.
- Check server-to-internet rules.
- Check DMZ and published services.
- Check internal segmentation rules with high risk.
- Evaluate logs and detections after a few days.
This lets you see early whether certain applications generate suspicious patterns, whether TLS inspection works cleanly and whether the event volume remains operationally manageable.
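To make the "rule option, HTTP scanning and TLS inspection must fit together" point and the staged rollout concrete, here is an added example that is not Sophos code and is not based on any Sophos API: it audits a constructed rule table, assigns each rule to a rollout phase by its zone pair and lists the visibility gaps a rule would have once NDR scanning is enabled on it. The Rule attributes, the zone names and the phase mapping are assumptions made for the example.

```python
"""Staged-rollout and visibility audit for 'Scan with NDR Active Threat Intelligence'.

The rule table below is CONSTRUCTED for this example. Sophos Firewall does not
expose such a Python structure; the attribute names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    ndr_scan: bool      # "Scan with NDR Active Threat Intelligence" enabled in the rule
    scan_http: bool     # "Scan HTTP and decrypted HTTPS" enabled in the rule
    tls_decrypt: bool   # a matching SSL/TLS inspection rule is set to Decrypt


# Rollout order from the staged plan above; a lower phase is enabled earlier.
# Zone names are assumptions for the example.
PHASES = {
    ("LAN", "WAN"): 1,      # user-to-internet
    ("SERVER", "WAN"): 2,   # server-to-internet
    ("WAN", "DMZ"): 3,      # published services
    ("DMZ", "WAN"): 3,      # DMZ outbound
    ("LAN", "SERVER"): 4,   # internal segmentation with high risk
}

SAMPLE_RULES = [  # constructed sample rules
    Rule("Users to Internet", "LAN", "WAN", ndr_scan=True, scan_http=True, tls_decrypt=True),
    Rule("Servers to Internet", "SERVER", "WAN", ndr_scan=True, scan_http=True, tls_decrypt=False),
    Rule("Publish Web", "WAN", "DMZ", ndr_scan=True, scan_http=False, tls_decrypt=False),
    Rule("LAN to Servers", "LAN", "SERVER", ndr_scan=False, scan_http=False, tls_decrypt=False),
    Rule("Guest WiFi", "GUEST", "WAN", ndr_scan=False, scan_http=False, tls_decrypt=False),
]


def rollout_phase(rule):
    """Phase in which this rule is due, or None if it is outside the rollout plan."""
    return PHASES.get((rule.src_zone, rule.dst_zone))


def visibility_gaps(rule):
    """Reasons why the NDR scan on this rule would see less traffic than expected."""
    if not rule.ndr_scan:
        return ["NDR scan not enabled in rule"]
    gaps = []
    if not rule.scan_http:
        gaps.append("HTTP/decrypted HTTPS scanning off: web-based patterns not inspected")
    elif not rule.tls_decrypt:
        gaps.append("no Decrypt TLS inspection rule: HTTPS stays opaque")
    return gaps


def audit(rules, current_phase):
    """Rules due by current_phase with their gaps; later-phase rules that already
    have NDR scanning on are flagged as ahead of plan."""
    report = {}
    for r in rules:
        phase = rollout_phase(r)
        if phase is None:
            continue
        if phase <= current_phase:
            report[r.name] = visibility_gaps(r)
        elif r.ndr_scan:
            report[r.name] = ["enabled ahead of rollout plan (phase %d)" % phase]
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES, current_phase=2).items():
        print(name, "->", findings or ["ok"])
```

Running the audit with `current_phase=2` reports the two rules due so far (one clean, one whose HTTPS stays opaque because no Decrypt inspection rule matches) and flags the DMZ publishing rule as switched on before its phase.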
Where to see the detections
On the firewall itself, there are several ways to view the detections. Directly in the NDR Active Threat Intelligence area, a summary widget shows the total number of detections over the last seven days and a breakdown by severity.
For details, you can open the NDR Active Threat Intelligence Logs. Sophos refers to the IPS log type here. Alternatively, you can filter by category in the Log Viewer:
- Field: Category
- Condition: is
- Value: NDR Active threat intelligence
In addition, evaluations are visible under Reports > Network & Threat or, for intrusion attacks, in the corresponding reports.
In Sophos Central, there are two important perspectives:
- Firewall Management > Report Generator, with the report template IPS
- depending on XDR or MDR usage, Threat Analysis Center > Detections and, if required, Cases
The first path is described in the Sophos documentation. The second path mainly comes from the Techvids demo and is interesting for XDR and MDR environments. There you can see raw data such as Device Serial ID, Source IP and Destination IP and correlate the firewall detection with other signals.
What should happen when there is a hit
An NDR Active Threat Intelligence hit is an investigation signal. It should not automatically be considered done just because a log entry exists somewhere. In a good operational model, at least these questions are clarified:
- Who reviews these detections regularly?
- From which severity is a ticket or case created?
- Which logs are checked in addition?
- Is there a runbook step for Source IP, Destination IP and affected users?
- Is it checked whether the same host shows endpoint, DNS, web or identity anomalies?
- Is there a decision on when a device is isolated or a firewall rule is adjusted?
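The severity threshold semantics described earlier (selecting a level keeps every pattern from Critical down to that level), the Log Viewer category filter and the ticketing questions above can be tried out with the following added example. It is not Sophos code: the log lines are constructed in a simplified key="value" style and are not the real SFOS log schema, and the field names (category, severity, src_ip, dst_ip, msg) are assumptions.

```python
"""Severity-threshold filtering and triage summary for NDR Active Threat
Intelligence events.

The log lines are CONSTRUCTED for this example in a simplified key="value"
style; they are not the real SFOS log format, and the field names are
assumptions.
"""
import re
from collections import Counter, defaultdict

# Severity levels as named on the firewall: a lower number is more severe.
SEVERITY_NAMES = {1: "Critical", 2: "Major", 3: "Moderate", 4: "Minor", 5: "Warning"}
NDR_CATEGORY = "NDR Active threat intelligence"

SAMPLE_LOGS = [  # constructed sample lines
    'log_type="IPS" category="NDR Active threat intelligence" severity=1 src_ip="10.10.5.23" dst_ip="203.0.113.77" msg="certutil download pattern"',
    'log_type="IPS" category="NDR Active threat intelligence" severity=2 src_ip="10.10.5.23" dst_ip="10.10.20.8" msg="SSH scan from internal host"',
    'log_type="IPS" category="NDR Active threat intelligence" severity=4 src_ip="10.10.7.41" dst_ip="198.51.100.9" msg="HTTP on DNS port"',
    'log_type="IPS" category="NDR Active threat intelligence" severity=5 src_ip="10.10.9.12" dst_ip="192.0.2.55" msg="finger protocol outbound"',
    'log_type="IPS" category="Signatures" severity=1 src_ip="10.10.3.3" dst_ip="192.0.2.10" msg="classic IPS signature"',
]

# key=value or key="quoted value"
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value line into a dict; severity becomes an int."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    if "severity" in fields:
        fields["severity"] = int(fields["severity"])
    return fields


def in_scope(severity, min_severity):
    """Selecting level N on the firewall keeps every level from 1 (Critical) up to N."""
    return 1 <= severity <= min_severity


def ndr_events(lines, min_severity=5):
    """Keep only NDR Active Threat Intelligence events within the configured threshold,
    mirroring the Log Viewer filter Category is 'NDR Active threat intelligence'."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("category") != NDR_CATEGORY:
            continue
        if in_scope(ev["severity"], min_severity):
            events.append(ev)
    return events


def severity_summary(events):
    """Counts per severity name, like the firewall's summary widget."""
    return dict(Counter(SEVERITY_NAMES[e["severity"]] for e in events))


def hosts_to_prioritise(events, ticket_threshold=2):
    """Group events by source host. A host gets a ticket when its worst event is
    at or above ticket_threshold (2 = Major or worse)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["src_ip"]].append(e)
    triage = {}
    for host, evs in by_host.items():
        worst = min(e["severity"] for e in evs)
        triage[host] = {
            "events": len(evs),
            "worst": SEVERITY_NAMES[worst],
            "ticket": worst <= ticket_threshold,
        }
    return triage


if __name__ == "__main__":
    evs = ndr_events(SAMPLE_LOGS, min_severity=5)
    print(severity_summary(evs))
    for host, info in hosts_to_prioritise(evs).items():
        print(host, info)
```

Lowering `min_severity` to 3 shows the trade-off from the severity discussion: the HTTP-on-DNS-port and finger events disappear from the view while the two events from the same host remain, and that host is the one the ticket rule escalates.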
Particularly important: if Sophos MDR is in use, it should be clear which role the MDR analysts take on and which actions must be decided internally. If Sophos XDR is operated without MDR, someone internally needs to actually read and classify these detections.
Practical examples
The most interesting examples are not the loud attacks that every IPS detects anyway. The quiet signals are interesting:
Living-off-the-Land
When a legitimate tool such as certutil is used for a suspicious download, at first glance it does not necessarily look like malware. Exactly these living-off-the-land techniques are popular in real attacks because they abuse existing operating system tools and are therefore less noticeable.
NDR Active Threat Intelligence can make such patterns visible. That does not automatically mean every hit indicates a compromise. But it does mean: this host deserves attention.
Lateral Movement
If an infected system starts scanning SSH hosts, that can be an indication of lateral movement. Sophos names NoaBot, among other things, in the documentation as an example of this pattern. In segmented environments, a client should not be able to freely reach all servers or management systems anyway. If such attempts become visible, that is not only a detection topic, but also an indicator for segmentation.
This connects with the article Sophos NDR - eliminating blind spots in the network: network traffic remains a place where attackers leave traces, even when endpoint signals are incomplete.
Unusual protocol use
HTTP over a DNS port or outbound connections designed to disguise data exfiltration are typical examples of “this is technically possible, but operationally wrong”. Sophos mentions traffic via finger, among other things, as an example of data exfiltration. Such patterns are rarely easy to assess cleanly with a single allow/deny rule. As a detection signal, however, they are valuable.
What the feature does not replace
NDR Active Threat Intelligence is a good additional sensor, but not a replacement for basic security work.
The feature does not replace:
- clean firewall rules,
- segmentation against lateral movement,
- TLS inspection planning,
- IPS, Web and DNS Protection,
- Endpoint Detection and Response,
- Sophos MDR or your own SOC,
- a SIEM with clear use cases,
- patch and hotfix processes,
- regular reviews of the firewall configuration.
The feature also does not automatically replace Sophos Central NDR with a dedicated sensor VM. That distinction is described above and should be reviewed deliberately before making an architecture decision.
My assessment
I find the feature interesting because it narrows a gap between classic firewall protection and security operations. The firewall is already in a strong position in the network. If additional NDR detection patterns run there and the data becomes visible in Central, XDR or MDR, real added value is created.
But the value does not come from switching it on alone. It comes from three things:
- suitable firewall rules,
- sufficient visibility into HTTP and decrypted HTTPS,
- a process that evaluates detections.
Anyone already using Sophos Central, Sophos XDR or Sophos MDR should review NDR Active Threat Intelligence and activate it in a controlled pilot. Anyone operating the firewall in isolation and not using Central reports or security operations processes should create the basics first. Otherwise, at best, the feature produces interesting logs that nobody looks at.
My recommendation is therefore pragmatic: start with a few relevant rules, check IPS logging, test Central connectivity and then decide how broadly to roll it out. For controlled test events, I would follow the Techvids demo. In the Sophos Community, it was mentioned that dedicated NDR Active Threat Intelligence tests for sophostest.com are still to be added.
Checklist for admins
Check immediately
- Is the firewall running SFOS 22.0 MR1 or newer?
- Is the Xstream Protection Bundle active?
- Is the firewall registered in Sophos Central?
- Are reports and logs being sent to Sophos Central?
- Is IPS logging enabled?
- Are there relevant firewall rules on which the feature can be tested?
During rollout
- Enable NDR Active Threat Intelligence under Active Threat Response.
- Choose the severity level deliberately.
- Enable Scan with NDR Active Threat Intelligence for each relevant firewall rule.
- Enable HTTP scanning and decrypted HTTPS only where it is operationally planned cleanly.
- Check SSL/TLS Inspection Rules and document exceptions.
- Check detections on the firewall and in Sophos Central.
- Trigger and document test events in a controlled way.
Clarify in operation
- Who looks at detections and cases?
- Which severity creates a ticket?
- Which hosts are prioritised for investigation after hits?
- Which logs are correlated?
- When is a device isolated?
- How are false positives documented?
- How often are rules, severity and event volume reviewed?
Conclusion
Sophos Firewall NDR Active Threat Intelligence is not another marketing label for an existing blocklist. The feature brings Taegis NDR detection patterns directly into Sophos Firewall and makes suspicious network activity more visible. That is particularly interesting for XDR, MDR and SOC environments, because firewall signals can then flow more strongly into investigations.
The most important limitation remains: it is primarily detection and logging. Anyone expecting immediate blocking needs to classify the feature correctly. Anyone who takes security operations seriously, however, gets an additional signal that can be helpful particularly for Living-off-the-Land, lateral movement and unusual protocol use.
For production environments, I would therefore start with a short pilot, a clear logging and case process and then a planned rollout to the truly relevant rules. NDR Active Threat Intelligence can then do exactly what modern firewalls need to do today: not only allow or block traffic, but make attacks visible earlier.
FAQ
What is Sophos Firewall NDR Active Threat Intelligence?
Does NDR Active Threat Intelligence block attacks automatically?
Which licence is required?
Which firewalls are supported?
Where do you enable the feature?
Is NDR Active Threat Intelligence the same as Sophos NDR?
Do you still need third-party Threat Feeds with NDR Active Threat Intelligence?
Where can you see the detections?
Sources
- Sophos Techvids: Sophos Firewall: NDR Active threat intelligence
- YouTube: Sophos Firewall: NDR Active threat intelligence
- Sophos Docs: About NDR Active threat intelligence
