Introducing Active Threat Response for Sophos Switch/Sophos Wireless (AP6)

ProductsAP6Sophos SwitchSophos Wireless

With Active Threat Response, we’re introducing exciting new functionality for our network access layer products, Sophos Switch and Sophos Wireless (AP6 Series only).

Corporate networks have become harder to control, with a broad array of managed and unmanaged, wired and wireless devices connecting. It’s no longer enough to monitor the status of managed devices only; when the need arises, you have to be able to block connectivity for potentially suspicious, unmanaged hosts, such as IoT devices, that could be the target of botnets.

According to the inaugural MSP Perspectives 2024 report conducted on behalf of Sophos, Managed Service Providers (MSPs) consider insecure wireless networking and a shortage of cybersecurity skills/expertise, as the biggest perceived cybersecurity risks that they face today. Active Threat Response and our single-platform approach help to address both of those concerns by making security management more efficient, and extending wired and wireless network security beyond the realms of what network infrastructure products can see.

How it works
An API-triggered threat feed containing the MAC addresses of potentially compromised hosts can be sent to any Sophos Central account. Once triggered, the threat feed is automatically propagated across the network to update all Sophos switches and AP6 access points. They respond by isolating the compromised devices, by effectively cutting communication for them. While MAC-based filtering cannot prevent MAC spoofing, it does buy precious time for remediation and prevents lateral movement which is often the primary goal when unmanaged devices are targeted.

The source of the threat feed could be any of a number of Sophos solutions; Sophos MDR, Sophos XDR, or Sophos NDR. In addition, our public API opens up this feature to customers with third-party security solutions.


  • Isolates wired and wireless, managed, and unmanaged hosts
  • Prevents lateral movement and buys you time for remediation
  • Detections can originate from multiple sources (Sophos or third-party solutions)

Active Threat Response for Sophos Switch and Sophos Wireless differs somewhat from the functionality offered with Sophos Firewall. The firewall provides different response actions and automation which is partially based on synchronized security functionality in combination with Sophos-managed endpoints. The combined use of Active Threat Response on Sophos Switch, Sophos Wireless, and Sophos Firewall, ensures the best protection at every network layer.

Strengthening the Sophos ecosystem story
Active Threat Response adds a new, unique dimension to your Sophos ecosystem story. It provides yet more proof of the benefits of consolidating security with a single vendor and using a single management platform, improving your customers’ security posture and strengthening your position to sell and support a broader range of solutions and services.

Rogue device detection
The concept of rogue device detection is well-known in the wireless world, however, in most solutions, that tends to go hand-in-hand with rogue AP detection, with a rogue device often defined as a device connected to a rogue AP. Rogue device detection can be prone to false positives and caution is required when using automation to avoid disruption. Active Threat Response is different; access points and switches ingest targeted, verified threat information from separate, trusted sources.

Prerequisites and activation
To use Active Threat Response, the Sophos Central account where it is activated must have a valid support subscription for each AP6 access point and/or Sophos switch. Customers can activate this feature for Sophos Wireless and Sophos Switch individually.

To receive threat feeds, the customer must also own a supported Sophos solution/service or a third-party solution capable of providing threat information using the public API.

The API framework
In this initial release, some knowledge of APIs would be required for customers who manage their own Sophos solutions. The API is used to ingest threat feed data and also provides the means to manage and update the isolated host list. In future releases, we plan to add further management and configuration options in Sophos Central, making this feature accessible to network admins of all skill levels.

Active Threat Response is available now for all Sophos AP6 Series and Switch customers who manage their devices in Sophos Central (and have a valid support subscription). The release notes are available on the Sophos Switch and Sophos Wireless Community sites.

For further information about Active Threat Response, please check the updated datasheets on the Partner Portal Asset Library or reach out to your local Sophos representative or distributor.