Cybersecurity firm Sophos has launched Sophos Fusion, a platform that connects security tools and data sources to help organizations detect and respond to increasingly automated attacks.
Introduced on July 16, Fusion uses agentic artificial intelligence to coordinate controls, services, and data across an organization’s IT environment, including products from Sophos and third-party providers. The system supports integrations with more than 500 security and IT technologies.
The launch comes as enterprises struggle with fragmented security systems. Sophos cited Gartner data showing that the typical enterprise operated more than 45 separate security products in 2025, creating data silos and adding manual work for security teams.
Fusion brings signals from different security tools into a unified data layer. When one control detects a potential intrusion, the system can coordinate a response across other connected tools.
The platform combines automated investigation and response with human oversight through Sophos Managed Detection and Response (MDR). Sophos said AI handled 52% of cases involving its MDR service without human intervention.
The service covers more than 40,000 customers, while threat intelligence gathered across Sophos’ broader customer base is fed back into the system.
“As AI increases the speed, scale, and complexity of attacks, organizations need a modern connected, intelligent, and adaptive defense,” Sophos CEO Joe Levy said.
“Sophos Fusion is built as a defense system optimized for Human-AI workflows. We bring the most complete solution to a new category, a timely advancement demanded by the AI era.”
Sophos said it would expand the platform beginning Aug. 15 with continuous threat hunting for MDR, additional threat detectors and security automation for Extended Detection and Response, and a next-generation Security Information and Event Management service offering long-term data retention, analytics, and compliance reporting.
The company also plans to launch Sophos CISO Advantage and Sophos AI Defense in October. The latter is intended to give organizations greater visibility and control over their use of AI tools while detecting potential misuse and AI-related risks.
Alongside the Fusion launch, Sophos released its 2026 State of Ransomware report, based on the experiences of more than 2,000 organizations in 17 countries during the first quarter.
The report found that compromised identities had overtaken exploited vulnerabilities as the main initial entry point for ransomware attacks. Stolen or compromised accounts were involved in 79% of the incidents examined.
“As we see ransomware criminals experiment with AI, it has the potential to accelerate their ability to steal valuable assets, hold them hostage and do it at a scale that exceeds their previous capability,” Sophos chief information security officer Ross McKerchar said.
“This speed requires careful round-the-clock monitoring of the most exploited means of entry, which our data shows to be stolen and compromised valid accounts.”
Rafe Pilling, director of threat intelligence at Sophos’ Counter Threat Unit, said attackers were using AI to shorten the time needed to carry out established techniques.
“We’re seeing adversaries use AI to accelerate familiar tradecraft, compressing attacks that once took weeks into days, or even hours,” Pilling said.
The proportion of ransomware attacks that successfully encrypted data also increased to 56% in 2026 from 50% in 2025.
About half of the organizations whose firewalls detected ransomware before its payload was launched avoided encryption. In contrast, 71% of organizations whose security tools failed to detect the attack had their data encrypted.
Sophos said the results showed that firewalls remained important but were insufficient when used in isolation. Combining firewall information with signals from email, identity, and endpoint systems could give security teams more time to stop an attack before encryption begins.
“Organizations can no longer rely on complexity or obscurity to hide gaps in their environment,” McKerchar said. “The same technology also gives defenders an opportunity to find and fix those gaps faster, but only if prevention, detection, and response work together as part of a unified cybersecurity strategy.”
“The report ultimately points to the conclusion that attacks are becoming faster, more automated, and more capable across multiple parts of the environment at the same time,” Pilling said.
“Disconnected security tools see individual events. In contrast, security systems that correlate and combine events see attacks as a whole and respond accordingly. That’s true whether we’re talking about ransomware, identity attacks, state-sponsored attacks, or AI-enabled threats.”


