New NDR tool targets blind spots inside the network

As ransomware actors increasingly evade traditional defenses, Sophos has introduced a Network Detection and Response (NDR) module designed to illuminate the internal shadows most tools miss. Integrated with the company’s existing XDR and MDR offerings, the NDR platform monitors east-west traffic across networks and flags anomalous behavior in environments often beyond the reach of firewalls and endpoint agents.

Unlike traditional perimeter-focused tools, Sophos NDR is deployed as a virtual appliance on platforms such as VMware, Hyper-V, and AWS. It connects directly to network switches via SPAN port mirroring, enabling visibility into unmanaged devices, rogue endpoints, and encrypted traffic patterns without decrypting payloads or exposing PII.

Key use cases include identifying compromised IoT/OT assets, detecting suspicious off-hours network activity, and surfacing new or zero-day command-and-control traffic. According to Sophos, the engine inspects encrypted flows using behavioral analytics—rather than relying solely on known IOCs or signatures—to detect bespoke or emerging threats in real time.

AI-powered engines feed Sophos MDR and firewall defenses

At the heart of the platform are five AI-assisted detection engines, including components for encrypted payload analysis, deep packet inspection, domain generation algorithm tracking, session risk analytics, and device fingerprinting. These engines collaborate to detect lateral movement, brute-force attempts, and stealthy reconnaissance—activities often missed by endpoint agents alone.

Notably, Sophos NDR integrates with Sophos Central and its Managed Detection and Response service. If paired with Sophos Firewall, the system can automate threat blocking across both the endpoint and network layers.

From a deployment perspective, the NDR platform offers flexible licensing based on user and server count, rather than per-sensor pricing—a move Sophos positions as more scalable than competitors’ approaches. Performance specs range from Intel NUC units supporting 2.5Gbps throughput to enterprise-grade Dell R660 appliances reaching 40Gbps and 120,000 connections per second.

As organizations confront rising threats from inside the perimeter and unmanaged assets, Sophos’ move into network-layer telemetry adds a critical layer to the MDR landscape—one that could shift how mid-sized organizations approach east-west visibility.