Sophos is doubling down on managed detection and response (MDR) services with last week’s agreement to acquire SecureWorks. The $859 million all-cash deal, set to close in early 2025 pending customary approvals, will accelerate Sophos’ push into MDR and extended detection and response (XDR) with SecureWorks’ popular Taegis platform at the core, the company said.
SecureWorks has only 4,000 customers to Sophos’ 600,000, but the company offers advanced XDR capabilities built on a cloud-native data lake architecture to larger enterprises delivered by service providers. Building on its managed XDR capabilities, SecureWorks this year has added network detection and response (NDR), vulnerability detection and response (VDR) and most recently, identity threat detection and response (ITDR) to the Taegis platform.
Dell Technologies, which owns nearly 80% of SecureWorks’ publicly traded shares, has been exploring ways over the years to divest its control of the security provider. Dell joins the small club of large companies quitting the operations business this year: IBM abruptly announced the sale of its QRadar SaaS portfolio to Palo Alto Networks, and AT&T spun out its managed security business, now known as LevelBlue.
Meanwhile, Sophos was looking to add an advanced XDR and MDR platform that it could integrate with its own Sophos Central security operations center (SOC). The central management tool provides endpoint, server and email protection and access to other security services, including firewall, cloud and encryption, among other point offerings.
Sophos, which also added its “vendor agnostic” MDR service to its portfolio in late 2022, quickly saw demand for it from its customers, says Enterprise Strategy Group principal analyst Dave Gruber. “Scaling operations to serve an audience of this size is challenging, making this acquisition a smart move for Sophos, as SecureWorks has many of the best and brightest security professionals in the industry,” Gruber says.
Building an XDR Platform on Taegis
Sophos CEO Joe Levy says he can’t reveal specific integration plans before the deal closes in the first quarter of 2025 as it undergoes regulatory clearance processes. But he doesn’t dispute that bringing Taegis and Sophos Central together is what is driving this deal, which would mark the largest since the company was founded in 1985.
“We’re aiming toward this world where we bring together the best hits of the two operations,” Levy tells Dark Reading. “We will figure out that combination of the technology stack–Taegis inside Sophos Central and the security operations center itself.”
According to Levy, that will include delivering the MDR business and the vulnerability detection and response, managed risk, identity, threat, detection and response. “[It’s] the service component that customers are relying on to help to keep them secure,” he says.
Levy explains that besides determining a unified approach to provisioning services from SecureWorks and Sophos offerings, a key challenge will be enabling collaboration among the security operation teams within its MDR business, customers and partners, notably MSPs and MSSPs who deliver the two companies’ respective offerings.
“We want to produce the best possible workflows while demonstrating empathy and understanding of what the security operators are doing every single day,” Levy says. “These are the driving principles that are going to be guiding the way that we undertake this.”
SecureWorks Shift to XDR Platform
SecureWorks began developing Taegis in 2017 and launched it in early 2021. Taegis is built with a data lake architecture designed to ingest and normalize data and an analytics engine built to identify, prioritize, and block threats.
Wendy Thomas, SecureWorks CEO, told investors during the company’s Q2 2025 quarterly earnings call in September that she sees continued growth potential for Taegis. “We’ve increasingly seen customers more than ready to move away from noisy, hard and expensive to maintain SIEMs to an XDR approach to detection and response,” she said. “That trend is only accelerating.”
Since Taegis was released, analysts and customers have given the platform high marks. “The Taegis platform from SecureWorks has great detection and response capabilities,” says IDC analyst Craig Robinson.
While SecureWorks’ and Sophos’ respective MDR services offer many similar features, Robinson notes that Sophos’ offering has a more vendor-independent model than Taegis. “While there’s overlap, Sophos has more individual products while Taegis is a platform,” he says.
Independent consultant William Klusovsky believes that adding SecureWorks is poised to deepen Sophos’ reach into larger enterprises and offer richer services to small and mid-sized organizations. But he warns Sophos could “fumble” that potential if it doesn’t adequately invest in the integration of the products.
“If they are too short-sighted and focus only on financials and returns, they could end up with two businesses that don’t work together and lose the talent they need to create the right business,” Klusovsky says. “They need to have a vision, stick to it, and believe in it.”
Transition to Managed Security Services
Klusovsky notes that Sophos is owned by private equity firm Thoma Bravo, whose portfolio he says is mostly product companies, while both SecureWorks and Sophos have been shifting to services.
“The services industry is very different,” he says. “The good news is the product road maps, and integrations should be something they can create efficiency with and drive in a positive direction. The unknown is going to be in managing service delivery, sales, the channel, and go-to-market as these motions are very different for a managed services provider than a product company.”
Levy says he first started driving the shift from a product-only cybersecurity business to a hybrid product and services business in 2018 before Sophos agreed to be acquired by Thoma Bravo.
“We now think of it more in terms of life cycles of engagement with our customers, rather than just selling them a product or selling them a service,” Levy says. “We’re working in collaboration with this ecosystem of cyber security players to maintain life cycle engagements with customers, so just pray that the next point solution they buy is actually going to provide better security.”
Similarly, SecureWorks has undergone several significant changes, having shifted from operating as a managed security services provider (MSSP) to a platform supplier. Instead, SecureWorks tapped its ecosystem of channel partners to offer the Taegis platform with their own managed security services.
IDC forecasts that demand for managed security services will grow to $44 billion in 2024, up from $39.5 billion in 2023. Demand is estimated to grow to $49.2 billion next year, IDC’s Robinson says. Driving the growth are shrinking budgets and a dearth of skilled security operations talent.
“Everyone’s looking at and making sure that for every dollar spent, it’s being spent in the right way,” he says. “And managed security services is not only a better way, but it’s also, more often, a better outcome.”