Sophos has integrated Internal Attack Surface Management (IASM) into its Managed Risk service, giving organisations a single view of both internal and external exposures. By combining Tenable-powered unauthenticated internal scans with Sophos’ MDR expertise, the update aims to close the 40% blind-spot gap that still fuels many ransomware attacks.

Why Internal Attack Surface Management Matters

Blind Spots Drive Modern Breaches

The State of Ransomware 2025 report shows 40% of victims were breached through an exposure they did not know existed. Traditional External Attack Surface Management (EASM) flags internet-facing risks, but internal misconfigurations, open ports and forgotten services remain invisible until actively scanned.

Speed of Attacks Keeps Rising

Sophos’ Active Adversary Report 2025 found data exfiltration now happens within three days of initial access, often via legitimate but exposed services or credentials. Closing internal gaps is therefore as urgent as patching perimeter flaws.

How Sophos Managed Risk with IASM Works

Unauthenticated Internal Scanning

Tenable Nessus scanners probe internal networks without credentials, mimicking an attacker’s viewpoint. They detect:

  • Open or weakly protected ports
  • Exposed services (e.g., RDP, SMB, database listeners)
  • High-risk misconfigurations and unpatched vulnerabilities

AI-Powered Prioritisation

Sophos ranks findings by exploitability and business impact, surfacing only the most critical issues for remediation.
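The two sections above describe what an unauthenticated internal scan surfaces (open ports, exposed RDP/SMB/database listeners, unpatched findings) and how the results are then ranked by exploitability and business impact. The following added example, which is not Sophos' or Tenable's code, shows the shape of that triage on the defender's side: it parses a constructed XML report laid out like a Nessus `.nessus` v2 export (the `ReportHost`/`ReportItem` element and attribute names are assumptions drawn from that format and should be checked against a real export), flags exposed high-value listeners, and scores each finding by severity, exploit availability and an assumed per-asset business weight.

```python
"""Triage unauthenticated internal scan findings (added example, not vendor code)."""
import xml.etree.ElementTree as ET

# Constructed sample report, not real scanner output. Plugin IDs and names
# are placeholders; the layout mimics a Nessus .nessus v2 export (assumption).
SAMPLE_REPORT = """<NessusClientData_v2>
<Report name="internal-dc-segment">
 <ReportHost name="10.10.1.5">
  <HostProperties><tag name="host-ip">10.10.1.5</tag></HostProperties>
  <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2"
              pluginID="000001" pluginName="Constructed: RDP listener detected">
   <risk_factor>Medium</risk_factor>
   <exploit_available>false</exploit_available>
  </ReportItem>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
              pluginID="000002" pluginName="Constructed: unpatched SMB service">
   <risk_factor>Critical</risk_factor>
   <exploit_available>true</exploit_available>
  </ReportItem>
 </ReportHost>
 <ReportHost name="10.10.2.20">
  <HostProperties><tag name="host-ip">10.10.2.20</tag></HostProperties>
  <ReportItem port="1433" svc_name="mssql" protocol="tcp" severity="0"
              pluginID="000003" pluginName="Constructed: MSSQL listener detected">
   <risk_factor>None</risk_factor>
   <exploit_available>false</exploit_available>
  </ReportItem>
 </ReportHost>
</Report>
</NessusClientData_v2>"""

# Listeners the article singles out as high-value when reachable without
# credentials: remote desktop, SMB and database services.
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 1521: "Oracle"}

# Assumed business-impact weights, as they might come from a CMDB (constructed).
ASSET_WEIGHTS = {"10.10.1.5": 3, "10.10.2.20": 2}


def parse_findings(xml_text):
    """Flatten ReportHost/ReportItem elements into plain dicts."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        hostname = host.get("name", "")
        for item in host.iter("ReportItem"):
            exploit_text = item.findtext("exploit_available", "false")
            findings.append({
                "host": hostname,
                "port": int(item.get("port", "0")),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),   # 0 (info) to 4 (critical)
                "plugin": item.get("pluginName", ""),
                "exploit_available": exploit_text.strip().lower() == "true",
            })
    return findings


def exposed_services(findings):
    """Return (host, port, label) for every listener on a sensitive port,
    even when the scanner rated it informational."""
    return [(f["host"], f["port"], SENSITIVE_PORTS[f["port"]])
            for f in findings if f["port"] in SENSITIVE_PORTS]


def prioritise(findings, asset_weights, top_n=None):
    """Score = (severity + exposure bonus) * exploit factor * asset weight.

    The exposure bonus keeps a bare exposed listener from scoring zero, the
    exploit factor doubles findings with a known public exploit, and the
    asset weight folds in business impact. Highest score first.
    """
    ranked = []
    for f in findings:
        exposure_bonus = 1 if f["port"] in SENSITIVE_PORTS else 0
        exploit_factor = 2 if f["exploit_available"] else 1
        weight = asset_weights.get(f["host"], 1)
        score = (f["severity"] + exposure_bonus) * exploit_factor * weight
        ranked.append({**f, "priority": score})
    ranked.sort(key=lambda f: f["priority"], reverse=True)
    return ranked[:top_n] if top_n else ranked


if __name__ == "__main__":
    found = parse_findings(SAMPLE_REPORT)
    for host, port, label in exposed_services(found):
        print(f"exposed {label:<10} {host}:{port}")
    for f in prioritise(found, ASSET_WEIGHTS, top_n=3):
        print(f"{f['priority']:>3}  {f['host']}:{f['port']}  {f['plugin']}")
```

On the constructed report the unpatched SMB service on the weight-3 host scores 30 and lands at the top, the RDP listener on the same host scores 9, and the informational MSSQL detection still appears (score 2) because the exposure bonus keeps credential-less listener discoveries visible. The weights and multipliers are deliberately simple; the point is that ranking needs both the scanner's exploitability signal and an asset-criticality source the scanner does not have.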

Integrated MDR Collaboration

Because IASM lives inside Sophos Managed Risk, results feed directly into Sophos’ 24/7 MDR team. If a zero-day or active exploit surfaces, analysts can:

  • Trigger immediate threat hunting
  • Correlate findings with external telemetry
  • Escalate validated incidents to in-house responders

No Extra Licensing Hurdles

Existing Managed Risk customers simply deploy Nessus scanners from the Sophos Central console with no pricing or contract changes.

Benefits for Security & Compliance Teams

Deployment Steps

  1. Activate IASM in the Sophos Central console
  2. Install Nessus scanners on representative internal segments (start with data centres and cloud VPCs)
  3. Schedule automated scans (daily or weekly) during low-traffic windows
  4. Review prioritised findings in the Managed Risk dashboard
  5. Remediate or escalate according to Sophos’ guidance or via MDR

Potential Drawbacks to Consider

  • Initial scan noise – First-run scans may highlight hundreds of findings; expect a tuning period
  • Credential-less scope – Unauthenticated scanning sees only what is reachable over the network without logging in; deep application and configuration flaws still need authenticated reviews
  • Network load – Large environments should stagger scans to avoid performance hiccups

How This Update Fits into a Broader Defence Strategy

Sophos’ move aligns with industry momentum toward Continuous Threat Exposure Management (CTEM), where detection, exposure management and compliance converge. Organisations that already leverage MDR for response gain a natural extension into proactive risk reduction—all inside one console.

The integration also demonstrates how modern cybersecurity providers are moving beyond traditional perimeter-focused approaches. As cyber threats continue evolving, organisations need unified visibility across their entire attack surface, not just internet-facing assets.

For enterprises evaluating this update, the key advantage lies in the seamless integration between internal vulnerability discovery and active threat response. Unlike standalone scanning tools that generate reports requiring manual interpretation, Sophos’ IASM feeds directly into expert-led incident response workflows. This means critical findings get immediate attention from security analysts who understand both the technical implications and business context.