Sophos-SecureWorks Deal Focuses on Building Advanced MDR, XDR Platform

Source: DigitalStorm via iStock Photo

Sophos is doubling down on managed detection and response (MDR) services. Last week’s agreement to acquire SecureWorks in an $859 million all-cash deal is set to close in early 2025 pending customary approvals, accelerating Sophos’ push into MDR and extended detection and response (XDR) with SecureWorks’ popular Taegis platform at the core, the company said.

SecureWorks has only 4,000 customers to Sophos’ 600,000, but the company offers advanced XDR capabilities built on a cloud-native data lake architecture to larger enterprises and delivered by service providers. Building on its managed XDR capabilities, SecureWorks this year added network detection and response (NDR), vulnerability detection and response (VDR), and, most recently, identity threat detection and response (ITDR) to the Taegis platform.

Dell Technologies, which owns nearly 80% of SecureWorks’ publicly traded shares, has been exploring ways over the years to divest its control of the security provider. Dell joins the small club of large companies that have quit the operations business this year: IBM abruptly announced the sale of its QRadar SaaS portfolio to Palo Alto Networks, and AT&T spun out its managed security business, now known as LevelBlue.

Meanwhile, Sophos was looking to add an advanced XDR and MDR platform that it could integrate with its own Sophos Central security operations center. The central management tool provides endpoint, server and email protection, and access to other security services, including firewall, cloud, and encryption, among other point offerings.

Sophos, which also added its vendor-agnostic MDR service to its portfolio in late 2022, quickly saw demand for it from its customers, says Enterprise Strategy Group principal analyst Dave Gruber.

“Scaling operations to serve an audience of this size is challenging, making this acquisition a smart move for Sophos, as SecureWorks has many of the best and brightest security professionals in the industry,” Gruber says.

Building an XDR Platform on Taegis

Sophos CEO Joe Levy says he can’t reveal specific integration plans while the deal, set to close in the first quarter of 2025, undergoes regulatory clearance processes. But he doesn’t dispute that bringing Taegis and Sophos Central together is what is driving this deal, which would mark the largest since the company was founded in 1985.

“We’re aiming toward this world where we bring together the best hits of the two operations,” Levy tells Dark Reading. “We will figure out that combination of the technology stack — Taegis inside Sophos Central and the security operations center itself.”

That will include delivering the MDR business and the VDR, managed risk, and ITDR, he adds.

"[It’s] the service component that customers are relying on to help to keep them secure," Levy says.

Besides determining a unified approach to provisioning services from SecureWorks and Sophos offerings, a key challenge will be enabling collaboration among the security operation teams within its MDR business, customers, and partners — notably MSPs and MSSPs that deliver the two companies’ respective offerings, Levy explains.

“We want to produce the best possible workflows while demonstrating empathy and understanding of what the security operators are doing every single day,” he says. “These are the driving principles that are going to be guiding the way that we undertake this.”

SecureWorks Shift to XDR Platform

SecureWorks began developing Taegis in 2017 and launched it in early 2021. Taegis is built with a data lake architecture designed to ingest and normalize data and an analytics engine built to identify, prioritize, and block threats.

SecureWorks CEO Wendy Thomas told investors during the company’s Q2 2025 quarterly earnings call in September that she sees continued growth potential for Taegis.

“We’ve increasingly seen customers more than ready to move away from noisy, hard, and expensive-to-maintain SIEMs [security information and event management] to an XDR approach to detection and response,” she said. “That trend is only accelerating.”

Analysts and customers have given Taegis high marks.

“The Taegis platform from SecureWorks has great detection and response capabilities,” says IDC analyst Craig Robinson.

While SecureWorks’ and Sophos’ respective MDR services offer many similar features, Robinson notes that Sophos’ offering has a more vendor-independent model than Taegis.

“While there’s overlap, Sophos has more individual products while Taegis is a platform,” he says.

Independent consultant William Klusovsky says he believes that adding SecureWorks is poised to deepen Sophos’ reach into larger enterprises and offer richer services to small and midsize organizations. But he warns that Sophos could “fumble” that potential if it doesn’t adequately invest in the integration of the products.

“If they are too short-sighted and focus only on financials and returns, they could end up with two businesses that don’t work together and lose the talent they need to create the right business,” Klusovsky says. “They need to have a vision, stick to it, and believe in it.”

Transition to Managed Security Services

Sophos is owned by private equity firm Thoma Bravo, whose portfolio is mostly product companies, while both SecureWorks and Sophos have been shifting to services, Klusovsky notes.

“The services industry is very different,” he says. “The good news is the product road maps and integrations should be something they can create efficiency with and drive in a positive direction. The unknown is going to be in managing service delivery, sales, the channel, and go-to-market as these motions are very different for a managed services provider than a product company.”

Levy says he first started driving the shift from a product-only cybersecurity business to a hybrid product and services business in 2018, before Sophos agreed to be acquired by Thoma Bravo.

“We now think of it more in terms of life cycles of engagement with our customers, rather than just selling them a product or selling them a service,” Levy says. “We’re working in collaboration with this ecosystem of cybersecurity players to maintain life cycle engagements with customers, so just pray that the next point solution they buy is actually going to provide better security.”

Similarly, SecureWorks has undergone several significant changes, having shifted from operating as a managed security services provider to a platform supplier. Instead, SecureWorks tapped its ecosystem of channel partners to offer the Taegis platform with their own managed security services.

IDC forecasts that demand for managed security services will grow to $44 billion in 2024, up from $39.5 billion in 2023. Demand is estimated to grow to $49.2 billion next year, IDC’s Robinson says. Driving the growth are shrinking budgets and a dearth of skilled security operations talent.

“Everyone’s looking at and making sure that for every dollar spent, it’s being spent in the right way,” he says. “And managed security services is not only a better way, but it’s also, more often, a better outcome.”

About the Author

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.