Penetration testing engagements

While we aim to identify and prevent security bugs in our software development pipeline, no system is perfect. That’s why we also run regular security assessments on our products. These assessments are typically performed in a white box scenario with access to architecture details and source code. Our approach results in more efficient and effective testing when compared to a black box scenario where little information about the product is provided.

For our recent assessments, we have started collecting and publishing letters of attestation. For older assessments, we are happy to share details upon request. We aim to collect letters for future tests as they are completed.

Assessment letters of attestation

Solution | Product | Date of Last Test | Vendor | Letter of Attestation
Endpoint | Intercept X | December 2022 | MWR CyberSec | LoA - MWR - Endpoint
Endpoint | Server | December 2022 | MWR CyberSec | LoA - MWR - Endpoint
Endpoint | XDR | February 2024 | MDSec | LoA - MDSec - MDR - XDR - SOC.OS
Endpoint | Sophos Mobile Control | August 2024 | MWR CyberSec | LoA-MWR-SMC
Network | Firewall | October 2023 | MWR CyberSec | LoA - MWR - Firewall/ZTNA
Network | SG UTM | July 2022 | Nettitude | Contact Us
Network | SD-RED Remote Ethernet Devices | November 2021 | MDSec | Contact Us
Network | ZTNA | October 2023 | MWR CyberSec | LoA - MWR - Firewall/ZTNA
Network | Switch | January 2024 | Sophos Red Team | Contact Us
Network | DNS Protection | January 2024 | MWR CyberSec | LoA - MWR - DNS Protection
Security Operations | MDR | February 2024 | MDSec | LoA - MDSec - MDR - XDR - SOC.OS
Security Operations | XDR | February 2024 | MDSec | LoA - MDSec - MDR - XDR - SOC.OS
Security Operations | Refactr | February 2022 | Sophos Red Team | Contact Us
Security Operations | SOC.OS | February 2024 | MDSec | LoA - MDSec - MDR - XDR - SOC.OS
Security Operations | Factory | February 2024 | MDSec | LoA - MDSec - Sophos Factory
Messaging | Central Email | August 2024 | Sophos Red Team | Contact Us
Cloud | Sophos Central | January 2024 | MWR CyberSec | LoA - MWR - Central
Cloud | Cloud Optix | January 2024 | MDSec | LoA - MDSec - Optix
Cloud | ZTNA | October 2023 | MWR CyberSec | LoA - MWR - Firewall/ZTNA
Cloud | Firewall | October 2023 | MWR CyberSec | LoA - MWR - Firewall/ZTNA
Home Security | Sophos Home | August 2022 | Sophos Red Team | Contact Us
Other | SophosLabs (including Intelix) | December 2022 | Sophos Red Team | Contact Us


Tabletop exercises

At Sophos, we believe that it’s very important to test our capabilities regularly. We do this by developing tabletop scenarios with input from experts across the business and our risk management team.

The table below lists some of the recent tabletop scenarios we have run.

Recent tabletop scenarios

Team | Scenario | Date
Global Purchasing | Malicious vendor onboarding and fake purchase requisition | Q2 2024
SophosLabs | Insider threat | Q1 2024
HR | Ransomware and employee PII leakage | Q4 2023
Support | Targeted attack by someone posing as a customer | Q3 2023
Marketing | A compromised employee leading to the defacement of the company website and social media | Q2 2023
Legal | Malicious bug bounty researcher | Q1 2023
Sophos Home | Compromised engineer leading to large PII loss | Q4 2022
SophosLabs | Compromised analyst system, supply chain attack | Q3 2022
Endpoint | Compromised Sophos binaries, supply chain attack | Q2 2022
Optix | Phished engineer | Q1 2022
IT | Large-scale ransomware incident | Q4 2021
Central | Zero-day vulnerability in application leading to compromise of customer data | Q4 2020


SecurityScorecard vendor risk management

IT vendor risk management (VRM) solutions support enterprises that assess, monitor, and manage the risks of using third-party IT products, services, and vendors that can access their data. Many IT VRM solutions are available, and they vary in how accurately they identify a vendor's assets and the potential risks associated with those assets.

Sophos engages with SecurityScorecard and its VRM platform to support customers who use IT VRM tools as part of their procurement process. To see our current rating, visit https://securityscorecard.com/security-rating/sophos.com.
