10 Cybersecurity Threats Every Organization Should Know

Most attacks do not start with malware. They mostly start with access. Attackers find new ways to steal credentials, which they then use to gain unauthorized access. They also use legitimate tools to gain access to systems without triggering alerts. To repeat their actions across environments, they make use of automation. Modern attacks, such as phishing, ransomware, zero-day exploits, and insider threats, target both systems and users.

Why AMOS matters: The macOS malware stealing data at scale

Sophos X-Ops looks at the Atomic macOS Stealer and its capabilities. Sophos Managed Detection and Response (MDR) teams recently responded to a customer incident involving an infostealer infection on a macOS host. When we investigated, we found that the infostealer appeared to be a variant of AMOS (Atomic macOS), a well-known malware family we’ve written about before. The attack began with a ClickFix-style ruse, where a user was tricked into running a terminal command.

Data quality defines a ceiling for SOC performance

Defenders have long known that richer evidence improves security outcomes by enabling faster triage, deeper analysis, and more complete investigation. Although Corelight was founded on this premise, it’s been hard for us to quantify the impact of better network data - until now. Recently, we built an agentic test harness to measure the success of frontier LLMs in responding to real-world attack scenarios, using a range of source data.

Sophos Endpoint in action: Blocking a novel supply chain attack

How the unique anti-exploitation capabilities included with Sophos Endpoint blocked a supply chain attack. Sophos Endpoint is architected from the ground up to automatically block exploits, ransomware, and attacker techniques by default with zero manual tuning.

The State of Identity Security 2026: Identity is the new perimeter

Discover the causes and consequences of identity threats based on a survey of 5,000 organizations across 17 countries. In the modern cybersecurity landscape, the traditional network perimeter has dissolved. Today, identity as a perimeter keeps getting stronger and stronger. As organizations accelerate cloud adoption and integrate AI systems, the number of digital identities, both human and non-human, has grown exponentially.

GPT-5.5-Cyber is here. What it means for defenders operating at the frontier.

OpenAI’s May 7 release of GPT-5.5 and the limited preview of GPT-5.5-Cyber put frontier AI in verified defenders’ hands. As a member of the Trusted Access for Cyber program, Sophos is using these models to sharpen what we already operate: an agentic SOC that resolves more than half of cases without a human, and an endpoint architecture purpose-built to stop AI-generated zero-days.

Ransomware: AI changes the writer. It doesn't change the math.

Why most endpoint protection still treats ransomware as just another piece of malware, and what changes when you watch the data instead of the attacker. In 2013, CryptoLocker introduced the modern ransomware playbook. It also introduced something most of the industry has still not come to terms with: remote encryption.

Inside CrowdStrike Automated Leads: A Transformative Approach to Threat Detections

Last summer we introduced Automated Leads, a transformative approach to threat detection designed to surface the subtle signs of an attack before it turns into a full-blown breach. It’s powered by CrowdStrike Signal (distinct from SGNL) and delivered via the CrowdStrike Falcon platform. Since that launch, the goal has remained the same: to move beyond the limitations of traditional alerting and give analysts a head start on detecting the most sophisticated adversaries.