From point-in-time audits to continuous confidence: How Sophos IT transformed identity defense

Attackers don’t break in — they log in. That shift has made identity the new perimeter of modern cybersecurity.

Every enterprise wrestles with the same challenge: a constantly changing identity environment that’s hard to monitor and even harder to secure. Sophos is no exception. With thousands of users and hundreds of applications connected through Microsoft Entra ID (formerly Azure AD), our corporate identity landscape evolves daily. 

“It’s a living, breathing animal,” said Rajeev Kapur, Vice President of IT Infrastructure at Sophos. “Every change, every new integration, every update introduces potential risk — even when your security posture is already strong.” 

Traditional architecture reviews gave the team periodic snapshots, but they couldn’t keep pace with a cloud-first environment in constant motion. Sophos needed continuous visibility — not just confidence once a quarter. 

When Kapur’s team switched on Sophos Identity Threat Detection and Response (ITDR), they expected gradual insights. Instead, they found results almost immediately. 

“From logging in and connecting to Entra ID to seeing our first actionable findings — it took less than 45 minutes,” Kapur said. “That short time-to-value was incredible.” 

Within the first hour, ITDR revealed two subtle but important risks that years of audits hadn’t caught: 

  • Over-permissive third-party app access: several integrations had broader permissions than necessary, expanding potential supply-chain risk. 
  • Untrusted device access loopholes: under certain conditions, an unmanaged device could reach a management portal. 

“These weren’t glaring vulnerabilities,” Kapur said. “They were nuanced configuration issues you’d never see without continuous monitoring.” 

The hidden complexity of cloud identity 

Today’s attackers rarely break in the hard way. They log in, using stolen or leaked credentials.

As organizations move to the cloud, identity systems have become the new perimeter — and they’re constantly in motion. Every new app, new user, or policy change introduces potential risk.  

Sophos’ own corporate environment, like many enterprises, runs on a global scale: thousands of users, hundreds of connected applications, and a steady stream of updates and permissions requests. 

Even with regular audits and expert oversight, it’s difficult — often impossible — to maintain complete visibility. For years, the team relied on periodic assessments. Experts would conduct configuration reviews, deliver findings, and confirm remediation steps. But these reviews provided only a snapshot in time. As soon as a new integration went live or an admin made a small change, those results became outdated. 

What Sophos ITDR brought to the table was something fundamentally different: continuous assurance. Rather than waiting for a new assessment, the system scans, analyzes, and flags identity anomalies around the clock. 

Continuous confidence, not periodic certainty 

Sophos’ internal experience reflects what many organizations face today. Cloud identity systems offer unmatched flexibility — but that flexibility comes with fragility. Unlike traditional defenses, identity risks often stem from weaknesses in security posture, not malware. And those risks are harder to spot without continuous visibility. A missed MFA policy here, an over-permissive app there — these small cracks can add up to major exposure. 

What makes Sophos ITDR different is how quickly it provides clarity.  

In less than an hour, Kapur says his team went from activating the solution to discovering potential issues that had previously gone unnoticed. 

And that speed matters. In a world where attackers move faster than ever, the ability to see and fix problems before they’re exploited can mean the difference between routine remediation and a full-blown breach. 

The new frontier of cyber defense 

For Sophos, testing new technologies internally is a core part of our secure-by-design philosophy. Using our own products in live enterprise conditions validates effectiveness, accelerates improvement, and ensures every customer benefit is grounded in real-world performance. 

Sophos ITDR is now an integral layer of that ecosystem — connecting identity insights with endpoint, network, and cloud telemetry through the Sophos Central platform and data lake. 

“Even if you’re just looking for a way to validate your Entra ID configuration,” Kapur said, “Sophos ITDR is a fantastic tool. It’s fast to deploy, delivers instant value, and just works.”

Ready to better protect your digital identities? Start a free trial of Sophos ITDR today.
