Sophos Expands Managed Risk Services with Internal Attack Surface Management Powered by Tenable

Sophos has enhanced its Managed Risk offering by introducing Internal Attack Surface Management (IASM), delivering comprehensive visibility into both internal and external cyber vulnerabilities. The service, powered by Tenable technology, empowers organizations to proactively identify, prioritize, and remediate security gaps before attackers can exploit them.


MALAYSIA, 10 JULY 2025 – Sophos, a global leader in cybersecurity, today announced a major enhancement to its Sophos Managed Risk service with the launch of Internal Attack Surface Management (IASM). This latest development, built on Tenable’s industry-leading technology, empowers organizations to gain full-spectrum visibility of their internal and external attack surfaces—an essential capability in an age where cyberattacks are growing increasingly sophisticated.

According to the Sophos State of Ransomware 2025 report, 40% of ransomware victims last year were breached via previously unknown security exposures. Sophos Managed Risk now directly addresses this issue by combining external and internal attack surface management into a single, integrated service. This provides security teams with an attacker’s-eye view of their environment, enabling them to pinpoint and resolve critical risks before they are exploited.

“With Sophos Managed Risk, organizations gain an attacker’s-eye view to identify and prioritize remediation of risks before adversaries can exploit them,” said Rob Harrison, Senior Vice President of Product Management at Sophos. “The solution offers a unified view of both internal and external exposures, prioritized by risk and paired with clear remediation guidance. This enables organizations to focus their efforts where it matters most, on the most critical vulnerabilities, resolving them rapidly.”

The new unauthenticated internal scanning capability introduced in this release evaluates systems from the perspective of an external threat actor, without the need for login credentials or elevated privileges. This approach allows organizations to detect high-risk vulnerabilities such as open ports, exposed services, and misconfigurations that may otherwise go unnoticed but could be easily exploited by attackers.

Key features of the IASM integration include automated, routine vulnerability scans, AI-powered prioritization to identify the most urgent risks, and the use of Tenable Nessus scanners, a trusted standard in the industry, to evaluate and classify internal threats based on severity and exploitability.

Unlike other cybersecurity vendors that treat External and Internal Attack Surface Management as separate tools, Sophos offers a fully integrated, managed solution that combines both capabilities under a single service umbrella. This consolidated approach is supported by Sophos’ world-class Managed Detection and Response (MDR) team, further reinforcing its ability to assess, investigate, and respond to real-time threats effectively.

The IASM functionality is now available to all new and existing Sophos Managed Risk customers without any changes to licensing or pricing. Customers can take advantage of the service immediately by deploying Tenable Nessus scanners and scheduling automated scans directly from the Sophos Central console.

Sophos’ Managed Risk team is Tenable-certified, ensuring expert deployment and analysis, and works closely with the Sophos MDR unit to share actionable intelligence on zero-day vulnerabilities, exposure risks, and potential compromise indicators across customer environments.

As cyberattacks continue to evolve, Sophos’ latest offering reinforces its commitment to providing organizations with proactive and intelligent cybersecurity defenses. The expansion of Managed Risk ensures businesses are better prepared, more resilient, and fully equipped to address both known and hidden vulnerabilities—before they become entry points for threat actors.

Author: Terry KS
