Sophos MDR grows 39% year-over-year to 40,000 customers, revealing twelve months of production data from the world’s largest SOC
Managed security has had an uncomfortable structural problem for years that the industry has talked around more than it has solved. The volume of telemetry modern environments generate has outgrown what analyst teams can process, the gap between cybersecurity demand and available expertise keeps widening, and adversaries are not waiting for procurement cycles or governance reviews before adopting new tools. Sophos has spent the past year running a different model inside its Managed Detection and Response service, and the production data from twelve months of agentic operation is specific enough to be worth examining closely.
The headline figures: 89 seconds from case creation to fully automated response, 52% of MDR cases closed end-to-end by AI without human intervention, across 40,000 customers. Sophos MDR grew 39% year-over-year to reach that customer base.
What 89 Seconds Actually Measures
The 89-second figure is not a lab benchmark or an average pulled from a best-case scenario dataset. It measures the time from case creation to completed automated response on cases that the system is authorized to resolve without human involvement. In practical terms, it reflects how quickly the Sophos Central Defense System acts when the decision falls within boundaries that analysts have defined and continuously calibrated.
That calibration piece matters more than the number itself. Automated response speed is only useful if the system is acting on the right cases. The 89-second figure is meaningful because it sits inside a framework where AI is operating within boundaries that experienced analysts have set, not because the system is simply moving fast without guardrails.
For context on why speed matters at all here: attacks that move at machine speed, such as credential stuffing, lateral movement after initial access, and ransomware deployment, do not pause while a Tier 1 analyst works through an alert queue. The window between initial detection and meaningful damage is often measured in minutes. A response that closes in 89 seconds is operating in a fundamentally different time frame than one that waits for human review.
The 52% Figure and the 48% That Comes With It
More than half of MDR cases last year were closed end-to-end by AI, without a human needing to intervene. That is the number that tends to get attention in coverage of this announcement, and it is genuinely significant as a production metric rather than a capability claim.
Rob Harrison, SVP of Product Management at Sophos, addressed the other half directly: “The 52% gets the attention, but the 48% is just as important. When AI takes the volume off the human queue, our analysts get the bandwidth to do the work that requires their judgment: the novel attack patterns, the high-stakes decisions, the cases where context and business implications matter. AI speed and human judgment are the two halves of the same operating system, and intelligence compounds across both with every threat we stop.”
The model Sophos is running distinguishes between human-on-the-loop and human-in-the-loop operation. High-volume, well-bounded cases where speed is the primary variable run with humans monitoring rather than approving each action. High-stakes decisions, cases involving novel adversary behavior, or situations where business context needs to inform the response keep a human actively in the decision chain before action is taken.
What this means in practice is that analyst time has shifted. The work that previously consumed Tier 1 and much of Tier 2 capacity (processing volume, triaging alerts, and closing routine cases) now runs autonomously. Human analysts are doing threat hunting, deeper investigation, customer advisory work, and governance of the autonomous systems themselves. Whether that represents a better use of scarce security expertise is not a difficult argument to make.
Intelligence Compounding Across 40,000 Customers
Raja Patel, President of Sophos, described the scale dimension of the model: “When you run the world’s largest SOC, every threat encountered makes every customer’s defense stronger. No other vendor operates with our breadth, from small businesses to global enterprises with tens of thousands of employees, and no other vendor compounds intelligence across that scale. A customer using the Sophos Central Defense System benefits from the learnings of every other customer in it.”
This is the network effect argument for managed security, and at 40,000 customers, it carries more weight than it does as a theoretical proposition. A threat pattern that appears against one customer feeds into the detection model that protects the other 39,999. An adversary technique that works once gets harder to repeat as it propagates through the shared context lake.
Sophos Central ingests tens of millions of detections daily across endpoint, firewall, identity, SIEM, network, email, cloud, threat intelligence, XDR, and MDR, all sharing a unified context layer. The practical result is that correlation happens across signal types that would sit in separate tools in most enterprise environments, which changes what the system can detect and how quickly it can act.
Third-Party Validation
The production metrics sit alongside independent assessments that arrived over roughly the same period.
G2’s Summer 2026 reports ranked Sophos number one across Endpoint Protection, EDR, XDR, MDR, and Firewall simultaneously, based entirely on verified customer reviews. Sophos describes this as the eighth consecutive quarter MDR has held the overall leader position in G2’s MDR category.
The 2026 Gartner Peer Insights Voice of the Customer for MDR named Sophos a Customer’s Choice with a 4.8 out of 5.0 rating across 290 reviews, making it the most-reviewed vendor in the report. KuppingerCole’s 2026 Leadership Compass for MDR named Sophos an Overall Leader across four categories, including Product, Innovation, and Market Leadership.
Third-party rankings based on verified customer feedback carry a different weight than analyst positioning, and the volume of reviews behind the Gartner figure makes it harder to dismiss as a small sample.
What Sophos Is Building Toward
The agentic model is expanding across Sophos Central through the rest of 2026. XDR and Next-Gen SIEM capabilities are being integrated into the unified context lake. Secure AI capabilities for customer AI tooling are in development. Sophos CISO Advantage, described as strategic security guidance for organizations with and without dedicated security leadership, is slated for launch in the autumn.
Each of those additions is built on the same agentic foundation that the MDR service has been running in production for the past year. The argument Sophos is making is that the production results from MDR demonstrate the model works at scale, and that extending it across the broader portfolio is a logical next step rather than a speculative expansion.
For organizations that cannot staff or fund full security operations in-house, which is most organizations, the question of whether managed security can actually keep pace with adversaries moving at AI speed has been genuinely open. Twelve months of production data from 40,000 customers does not answer every version of that question, but it moves it considerably further along than a product roadmap or a benchmark test.
Research and Intelligence Sources: Sophos, Gartner, G2, KuppingerCole





