Sophos Server Protection Windows Competitive Overview

CONFIDENTIAL - SOPHOS INTERNAL AND CHANNEL PARTNERS ONLY - DO NOT REDISTRIBUTE

COMPETITIVE OVERVIEW: WINDOWS SERVER PROTECTION


Why Sophos Wins

Superior Protection
Protection that has been top-rated by industry experts combines with server specific features to create a comprehensive, defense-in-depth solution. Block malware even when it has never been seen before, stop ransomware in its tracks, prevent dangerous exploit techniques and deny hackers.

Cloud Native Application Protection Platform (CNAPP)
The combination of Intercept X for Server and Cloud Optix unifies security tools across workloads, cloud environments, and entitlements management. Resulting in comprehensive visibility, prioritized detections, and faster incident response time.

Extended Detection and Response (XDR)
Sophos XDR goes beyond servers and endpoints, integrating firewall, email, and other data sources to provide a holistic view of an organization’s security posture. Our XDR is uniquely designed for both IT admins and security analysts to solve IT operations and threat hunting use cases.

Feature Comparison

Columns: Sophos Intercept X for Server | Trend Micro Cloud One - Workload Security (Deep Security) | Symantec Cloud Workload Protection | Microsoft Defender for Servers | CrowdStrike Falcon Prevent | Trellix Cloud Workload Security

| Category | Feature | Sophos | Trend Micro | Symantec | Microsoft | CrowdStrike | Trellix |
|---|---|---|---|---|---|---|---|
| MANAGE | Single Console to protect Server, Endpoint, Mobile, Email and Wi-Fi | ✓ | × | × | × | × | × |
| MANAGE | Public Cloud Workload Discovery | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| MANAGE | Automatic Scanning Exclusions (e.g., Exchange, SQL Server) | ✓ | × | ✓ | Not supported on Server 2012 R2 | × | × |
| MANAGE | Virtualization: Thin Agent with Centralized Scanner | ✓ | ✓ | × | × | × | ✓ |
| REDUCE ATTACK SURFACE | Web Filtering (Block malicious websites) | ✓ | ✓ | ✓ | ✓ | × | ✓ |
| REDUCE ATTACK SURFACE | Web Control (Control access to potentially inappropriate sites) | ✓ | × | × | × | × | × |
| REDUCE ATTACK SURFACE | Application Whitelisting (Server Lockdown) | ✓ | ✓ | × | ✓ | × | ✓ |
| REDUCE ATTACK SURFACE | Category Based Application Control | ✓ | × | × | × | × | × |
| PREVENT BEFORE IT RUNS | Patch Assessment | × | ✓ | ✓ | ✓ | ✓ | × |
| PREVENT BEFORE IT RUNS | Machine Learning Malware Protection | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| PREVENT BEFORE IT RUNS | Exploit Prevention | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| PREVENT BEFORE IT RUNS | AMSI Support | ✓ | × | × | ✓ | ✓ | × |
| DETECT | Data Loss Prevention (DLP) | ✓ | × | × | × | × | × |
| DETECT | Anti-Hacker (e.g., Credential Theft and Code Cave protection) | ✓ | × | × | ✓ | × | × |
| DETECT | Ransomware protection (behavior detection and rollback) | ✓ | ✓ | × | Detection but no rollback | Detection but no rollback | × |
| DETECT | Disk and Boot Record Protection | ✓ | × | × | × | × | × |
| DETECT | File Integrity Monitoring (FIM) / Change Monitoring | ✓ | ✓ | ✓ | Consumption cost ($) for Log Analytics service | × | ✓ |
| DETECT | Synchronized Security (Out of the box integration with firewall) | ✓ | × | × | × | × | × |
| RESPOND | Threat Chain Visualization | ✓ | × | × | Managed in Defender for Endpoint console | ✓ | × |
| RESPOND | Threat Hunting | ✓ | × | × | Managed in Defender for Endpoint console | ✓ | × |
| RESPOND | Managed Detection and Response (MDR) Service | $ | $ | $ | $ | $ | × |

JULY 2024
The information in this document is based on Sophos’s interpretation of data publicly available as of the date it was prepared. Other companies named in the presentation had no part in its preparation. The information contained in this comparison may be incomplete or inaccurate and is subject to change. The information is intended for informational purposes only and is not intended to be relied upon in making any purchase decision. The information is provided "as is" without warranties of any kind either expressed or implied.
This document is Sophos confidential information. Page 1 of 7
Copyright 2024 Sophos Group. All Rights Reserved.

Sophos vs Trend Micro Cloud One - Workload Security (Deep Security)

Competitor Strengths
Broad Feature Set – Deep Security includes a wide range of features and settings
Management Options – On-premises, SaaS or AWS/Azure Marketplace management is available

Competitor Weaknesses
Administration and Cost – The product is typically targeted at enterprises and is complex to license, configure, and maintain
Integration – Deep Security management console is separate from endpoint protection and other Trend products

Management

How Trend Micro does it

Enterprise focus
Deep Security is targeted at enterprise customers with large data centers or cloud environments. The granular control over policies and settings leads to significant administration. Licensing is complex, with multiple modules available and pricing based on various factors (e.g., number of server CPUs).

Administration
Deep Security is separate from Trend’s endpoint protection products (Apex One and Worry-Free). A degree of integration is possible via Trend’s Apex Central product, but the customer would still need to set up and maintain multiple servers and consoles to protect endpoints and servers together.

Why Sophos wins

Simple setup, powerful features
We focus on giving customers all the features that matter, while keeping administration to a minimum. Server Lockdown, for example, takes just one click to lock down the current configuration.
Ask: How much time do you have available to configure your server protection?

Consolidate protection
Point out: Customers can manage multiple security technologies and protect multiple control points in their environment through Sophos Central (Endpoint, Firewall, Mobile, Server, Email, Wi-Fi)

Prevention

How Trend Micro does it

Limited control features
Deep Security can block malicious websites, but it has no category-based web control (e.g., block access to Social Media sites), application control, device control, or data loss prevention (DLP).

Lockdown
Deep Security’s Application Control is a white/blacklisting tool to block or allow any new software installed on Windows and Linux servers. It is necessary to manually approve any exemptions or updated versions of existing applications.

Virtual patching
Deep Security’s ‘virtual patching’ feature is a set of IPS rules that protect against specific vulnerabilities. New rules are made available in response to the latest threats, but customers need to balance applying sufficient rules to receive the optimum protection without impacting performance.

Machine learning and anti-exploit
Both features are available, although there is little information about the depth of protection or the range of anti-exploit techniques, and third party testing by MRG Effitas has indicated limitations in the actual protection strength.

Why Sophos wins

Prevent threats reaching machines in the first place
Category-based web control, application control and device control provide extensive (and simple) control over the attack surface. Server Lockdown delivers application whitelisting, and by automatically allowing updates from trusted sources it minimizes the administrative workload.
Ask: What tools do you have in place to prevent exposure to threats?

Best of breed exploit prevention
We focus on protecting against the exploit techniques that are at the heart of threats, rather than individual vulnerabilities. This means it is not necessary to deploy and maintain IPS rules to machines.
Point out: Sophos provides out of the box protection from 20+ exploit techniques

Deep learning
Deep learning is based on neural networks, an advanced form of machine learning, and detects both known and unknown malware as well as unwanted applications.

Detection

How Trend Micro does it

Anti-ransomware
Ransomware protection is available, but it does not detect the encryption of local files by a remote computer (e.g., ransomware on a client machine that encrypts shared files residing on a server).

Limited post-compromise protection
While Deep Security offers IPS to defend against network attacks, it provides limited protection from threats that occur after a successful compromise.

Why Sophos wins

Ransomware protection against both local and remote threats
CryptoGuard prevents inbound attacks from unprotected machines (e.g., a file server with CryptoGuard will be protected from an unprotected client attempting to encrypt files).

Protection that continues after a successful compromise
Even if a server is compromised, Sophos continues to monitor behavior for signs of an attack. This includes, for example, credential theft, code cave attacks, and privilege escalation.

Response

How Trend Micro does it

Endpoint Sensor
Deep Security lacks EDR functionality. Trend offer a separate product (Endpoint Sensor) for threat hunting and investigation, but this is managed through a different admin console and requires deployment of another agent.

Why Sophos wins

Endpoint Detection and Response (EDR)
Proactive protection and EDR features are provided through a single client agent and cloud hosted management console, meaning there is no need to deploy additional agents and management consoles.
Show: Sophos Central’s Threat Analysis Center provides visibility across an organization’s estate (servers and clients). Better understand the scope of security incidents and hunt for misuse of admin tools such as PowerShell.


Sophos Server Protection vs Symantec Cloud Workload Protection

Competitor Strengths
System Hardening – Monitoring and protection for critical OS and application files and settings
Threat Correlation – Missing patches are linked to known vulnerabilities and exploits

Competitor Weaknesses
Simplicity – Complex prevention and detection rules are favored over more intuitive features such as one-click lockdown or category-based application control
Integration – Managed through a separate console from other Symantec products

Management

How Symantec does it

Multiple policies
Policies are split into ‘Prevent’ and ‘Detect’ settings, indicating the product’s background as a system hardening and file monitoring product. Over 20 types of policy are available, but this means more work from the customer to ensure the desired settings are applied.

Standalone
Cloud Workload Protection is managed through its own cloud portal, which is separate from other Symantec products such as endpoint protection.

Why Sophos wins

Intuitive management
Protection policies are enabled within a matter of clicks; it is not necessary to configure complex settings.
Ask: How many policies do you expect to have to manage?

Integrated
Server protection is managed alongside endpoint protection, firewall, encryption, mobile, email security, Wi-Fi. It also integrates with Sophos Firewall via the Security Heartbeat.

Prevention

How Symantec does it

Vulnerability assessment
Cloud Workload Protection correlates missing OS and application patches to known vulnerabilities and threats.

Hardening
The product is strong on its system hardening features, in that it provides policies to monitor and restrict changes to critical files and settings. However, this requires the appropriate policies to be applied to machines and does not have the simplicity of Sophos’ one-click server lockdown.

Machine learning and anti-exploit
Machine learning technology is included, along with just over 10 types of exploit mitigation.

Why Sophos wins

Depth of machine learning and exploit protection
Intercept X for Server delivers protection that has been top-rated by industry experts. Deep learning blocks malware even when it has never been seen before, while anti-exploit technology prevents dangerous exploit techniques and denies hackers.
Point out: Sophos includes best-of-breed exploit protection that leverages 20+ mitigation techniques.

Detection

How Symantec does it

No behavior-based ransomware or post-compromise protection
Symantec’s exploit prevention does not extend to post-compromise attack techniques, and it does not include a specific ransomware protection feature.

File Integrity Monitoring (FIM)
One of the product’s strengths is the ability to specify files and settings that should not be modified.

Why Sophos wins

Detect and block malicious encryption
CryptoGuard utilizes behavioral analysis to stop never-before-seen ransomware and boot-record attacks, making it the most advanced anti-ransomware technology available.
Show: CryptoGuard is enabled through a simple checkbox, and no further configuration is required

Protection that continues after a successful compromise
Even if a server is compromised, Sophos continues to monitor behavior for signs of an attack. This includes, for example, credential theft, code cave attacks, and privilege escalation.

Response

How Symantec does it

ATP: Endpoint
Cloud Workload Protection lacks EDR functionality. Symantec instead offer a dedicated EDR product called ATP: Endpoint. Setting this up is not a trivial matter, as the product requires its own physical or on-premise management appliance along with the Symantec Endpoint Protection (SEP) agent.

Why Sophos wins

Endpoint Detection and Response (EDR)
Proactive protection and EDR features are provided through a single client agent and cloud hosted management console, meaning there is no need to deploy additional agents and management consoles.
Show: Sophos Central’s Threat Analysis Center provides visibility across an organization’s estate (servers and clients). Better understand the scope of security incidents and hunt for misuse of admin tools such as PowerShell.


Sophos Server Protection vs Microsoft Defender for Servers

Competitor Strengths
Platform – Ownership of the Windows and Azure platforms enables Microsoft to create native integration between products and services
Deployment – Windows Defender Antimalware comes pre-installed on Windows Server 2016 and later

Competitor Weaknesses
Cross Platform Protection – Limited protection for other cloud platforms (e.g., AWS) and operating systems (e.g., Linux or earlier versions of Windows Server)
Management Overhead – Security features are managed using separate management consoles and tools

Management

How Microsoft does it

Azure
Defender for Servers is managed alongside other Defender for Cloud subscriptions in Azure portal.

Administration
Management of protection features is split across consoles, for example:
▪ Core protection, including AV and EDR, is managed through Microsoft Defender console. This is because core protection for servers is still provided by the Defender for Endpoint agent, which is included in the Defender for Servers subscription. Further, while an alert triggered by Defender for Endpoint for a server is shown in Defender for Cloud console, performing detailed threat investigation (e.g., viewing alert process tree or incident graph) requires pivoting to the Microsoft Defender portal.
▪ Server-specific protection, such as file integrity monitoring and server lockdown, is managed through Azure console
Overall, achieving server protection using Microsoft’s tools involves significant administration.

How Sophos wins

Single, intuitive console
All settings related to server protection are managed in Sophos Central. This means a customer can fully configure server security in the same console they use to manage other Sophos products, including endpoint, firewall, email, wireless and more.
Show: Get Sophos Central in front of the prospect, either in person, as a trial, or with the online demo.

Intuitive management
Ask: Who will be responsible for managing server protection? How familiar are they with the two Microsoft consoles: Azure and Defender?

Prevention

How Microsoft does it

Platform dependent
The latest features (e.g., Credential Guard, Exploit Guard) are only available on the newer Server OS, meaning earlier OS versions suffer from reduced protection. Microsoft is heavily Windows focused and offers little in the way of protection for Linux servers – for example, Microsoft Defender console lists only AV and EDR as supported protection policies for Linux servers.

Control features
Microsoft’s web protection feature (Smart Screen) is enabled by default, but application control is not supported on servers. Further, configuring a device control (DLP) policy is a significant undertaking.

Exploit prevention
Exploit Guard lets the administrator configure exploit prevention techniques for the operating system as well as for individual applications. Administration is a challenge. Policies are assigned by enabling the required mitigations on an individual machine, exporting the machine settings, and then distributing these to other machines. The process needs to be repeated all over whenever a change is required.

How Sophos wins

Cross platform protection
Protect Windows, Linux physical and virtual servers from the unified Sophos Central console.

Prevent threats reaching machines in the first place
Category-based web control, application control and device control provide extensive (and simple) control over the attack surface.
Ask: What tools do you have in place to reduce exposure to threats?

Detection

How Microsoft does it

Ransomware protection
Microsoft has a ‘Controlled Folder Access’ feature which allows specified folders to be locked down so that only explicitly allowed applications can write to the controlled folders. A key challenge of this approach, in addition to the extensive configuration, is that it does not protect against legitimate applications that have been exploited (e.g., a malicious macro in a Word document). Controlled Folder Access is only available on Server 2019 and later.

How Sophos wins

Detect and block malicious encryption
CryptoGuard utilizes behavioral analysis to stop never-before-seen ransomware and boot-record attacks, making it the most advanced anti-ransomware technology available. It also prevents inbound attacks from unprotected machines (e.g., a file server with CryptoGuard will be protected from an unprotected client attempting to remotely encrypt files).

Response

How Microsoft does it

Defender for Endpoint integration
Defender for Servers integrates with Defender for Endpoint, the latter enabling EDR capabilities. Microsoft’s EDR is designed for security teams who have the significant time and expertise to analyze the detailed information provided and get the most from the integration. Further, as mentioned earlier, Defender for Endpoint has its own management console, meaning customers need to manage it separately from core server protection.

How Sophos wins

Integrated
Intercept X for Server delivers EDR features alongside other server protection settings, meaning it is not necessary to set up and use an additional management console. Sophos EDR is designed to be intuitive – it replicates the tasks normally performed by skilled analysts, so organizations can add expertise without having to add staff.


Sophos Server Protection vs CrowdStrike

Competitor Strengths
EDR – Detailed threat information and hunting tools are available
Single agent and management console – Server protection is managed alongside CSPM and endpoint protection in the same cloud hosted admin console

Competitor Weaknesses
Depth of protection – CrowdStrike lacks tools to prevent exposure to threats (e.g., web protection, application control) and its machine learning and exploit prevention features are weaker than Intercept X
Server specific functionality – It offers little in the way of server specific functionality, e.g., no File Integrity Monitoring (FIM) or a lightweight agent for virtual environments

Management

How CrowdStrike does it

Falcon
CrowdStrike’s products are managed through the cloud hosted Falcon admin console. It does not have a server specific section; instead servers appear alongside client machines in the list of devices. It also lacks server specific policies.

AWS integration
CrowdStrike has an AWS connector that allows it to automatically discover servers within a customer’s AWS environment. This feature is part of the Falcon Discover product, meaning the customer would need to ensure this is included in their license or factor in the cost of purchasing it.

How Sophos wins

Security ecosystem
CrowdStrike focuses on threat detection and threat hunting but doesn’t extend to areas such as gateway protection. With Sophos Central, server protection is managed alongside endpoint, firewall, encryption, mobile, email and Wi-Fi security, enabling customers to consolidate administration.
Show: Get Sophos Central in front of the prospect, either in person, as a trial, or with the online demo.

Prevention

How CrowdStrike does it

Threat exposure
CrowdStrike lacks features such as web protection, web control and application control, meaning there is less opportunity to prevent attacks at the earliest stages of the threat chain.

Falcon Prevent
CrowdStrike’s threat prevention product (Falcon Prevent) includes machine learning anti-malware protection along with a limited set of anti-exploit and anti-ransomware techniques.

How Sophos wins

Defense in depth
Intercept X employs a comprehensive defense in depth approach to protection. Web protection, web control and application control reduce the attack surface, while industry leading deep learning, anti-exploit and anti-ransomware technology tackle threats that reach a device.

Proven protection
The strength of Sophos’ protection has been repeatedly validated by multiple 3rd party testing organizations.
Share: Consistent top ratings (AAA) in SE Labs tests, 1st place in NSS Labs 2019 Advanced Endpoint Protection (AEP) report, MRG Effitas malware and exploit prevention tests

Detection

How CrowdStrike does it

Anti-exploit
Falcon Prevent includes a small number of exploit mitigation techniques, such as detecting ASLR bypass attempts and heap spray attacks. It also has an ‘Exploitation Behavior Prevention’ module which provides protection against suspicious executables being created by browsers (drive by downloads) and attempts to stop an exploited browser or plugin from creating processes. This is a subset of the anti-exploit protection techniques delivered in Intercept X.

How Sophos wins

Industry leading protection
Intercept X delivers more than 25 exploit prevention techniques to ensure protection against the widest range of attacks. In addition to common techniques, features such as credential theft, code cave attacks, and privilege escalation focus on blocking the most advanced threats.
Show: Point to the Exploits Explained whitepaper for details on these advanced protections
Ask: What would it mean to you if you could run one of the industry’s most comprehensive anti-exploit tools?

Response

How CrowdStrike does it

Complex
EDR is an area of strength for CrowdStrike. It provides significant details on threat detections and visibility into the surrounding events. Customers who purchase the Falcon Insight product get even further information about device events and actions. The downside to all this is that the product is very much tailored to customers with mature Security Operations Centers (SOC) that have the knowledge and resources to spend on manual threat hunting and investigation.

How Sophos wins

Intuitive
Sophos EDR replicates the tasks normally performed by skilled analysts, so organizations can add expertise without having to add staff. Guided investigations make EDR approachable yet powerful. Security teams of all skill levels can quickly determine the suggested next steps, such as investigating a highlighted process or isolating a machine.


Sophos Server Protection vs Trellix Cloud Workload Security (CWS)

Competitor Strengths
Features – License suite includes multiple products and therefore a broad range of features
Single Management Console – ePO (ePolicy Orchestrator) can manage most McAfee products

Competitor Weaknesses
Administration – Features are split across multiple products, making it necessary to install and configure various separate products and policies – the ePO management console is complex, time consuming and targeted at large enterprises
Deployment – McAfee’s server protection suite is not available through its cloud hosted management console (MVISION ePO), meaning the customer is required to set up and maintain an on-premise admin console

Management

How McAfee does it

Complex
The ePO interface is complex, and even common tasks require the user to navigate through various screens and complete multiple steps.

On-premise
Although there is a cloud hosted version of ePO (‘MVISION ePO’), McAfee’s server protection products can only be managed through an on-premise installation of ePO.

Why Sophos wins

Simple administration
Point out: Complexity is the enemy of security and can lead to misconfiguration and holes in protection.

Cloud hosted, modern interface
There is no need for the customer to install or maintain an on-premise management server. Get Sophos Central in front of the prospect, either in person, as a trial, or with the online demo.

Prevention

How McAfee does it

Application control
McAfee Application Control is a single product within the broader server license suite. While offering granular controls to lock down a system, it involves significant administration, such as specifying whether files and folders are write-protected or read-protected.

Exploit prevention
McAfee Endpoint Security includes some generic anti-exploit techniques (e.g., defense against DEP and Stack Pivot attacks), along with more specific protections to defend against recently disclosed vulnerabilities. Intercept X delivers a far wider range of exploit prevention features and is not reliant on responding to the latest known vulnerabilities.

Why Sophos wins

Prevent threats reaching machines in the first place
Category-based web control, application control and device control provide extensive (and simple) control over the attack surface. Server Lockdown delivers application whitelisting, and by automatically allowing updates from trusted sources it minimizes the administrative workload.
Ask: What tools do you have in place to prevent exposure to threats?

Prevent threats with machine learning and exploit prevention
Deep learning detects both known and unknown malware without relying on signatures. Sophos also delivers best-of-breed exploit protection that leverages 20+ mitigation techniques.
Show: Point to the Exploits Explained whitepaper for confirmation of the depth of our exploit protection

Detection

How McAfee does it

Ransomware
McAfee has a Dynamic Application Containment (DAC) feature which prevents low reputation applications from performing certain processes (e.g., modifying specific registry settings). McAfee refer to this feature as being anti-ransomware, although there is nothing within it that specifically identifies rapid file encryption or other common ransomware behavior. Granular settings are available to tweak what actions are/aren’t allowed, which suggests false positives are a likely side effect of DAC.

Change control
McAfee offers file integrity monitoring and protection for critical files, through its Change Control product.

Why Sophos wins

Detect and block malicious encryption
CryptoGuard utilizes behavioral analysis to stop never-before-seen ransomware and boot-record attacks, making it the most advanced anti-ransomware technology available. It also prevents inbound attacks from unprotected machines (e.g., a file server with CryptoGuard will be protected from an unprotected client attempting to encrypt files).

Response

How McAfee does it

EDR
McAfee’s server protection offering does not include EDR functionality. McAfee has a separate EDR product called MVISION EDR, meaning the customer would need to set up and manage an additional product to benefit from threat hunting and investigation capabilities.

Why Sophos wins

Endpoint Detection and Response (EDR)
Proactive protection and EDR features are provided through a single client agent and cloud hosted management console, meaning there is no need to deploy additional agents and management consoles.
Show: Sophos Central’s Threat Analysis Center provides visibility across an organization’s estate (servers and clients). Better understand the scope of security incidents and hunt for misuse of admin tools such as PowerShell.


Other competitors

Feature Comparison

Columns: Sophos Intercept X for Server | Carbon Black Endpoint | Palo Alto Cortex XDR | Kaspersky Hybrid Cloud Security | BlackBerry (Cylance) Protect

| Category | Feature | Sophos | Carbon Black | Palo Alto | Kaspersky | BlackBerry |
|---|---|---|---|---|---|---|
| MANAGE | Single Console to protect Server, Endpoint, Mobile, Firewall, Email and Wi-Fi | ✓ | × | × | × | × |
| MANAGE | AWS/Azure Workload Discovery | ✓ | × | × | ✓ | × |
| MANAGE | Automatic Scanning Exclusions (e.g., Exchange, SQL Server) | ✓ | N/A | × | × | × |
| MANAGE | Virtualization: Thin Agent with Centralized Scanner | ✓ | × | × | ✓ | × |
| REDUCE ATTACK SURFACE | Web Filtering (Block malicious websites) | ✓ | × | × | ✓ | × |
| REDUCE ATTACK SURFACE | Web Control (Control access to potentially inappropriate sites) | ✓ | × | × | ✓ | × |
| REDUCE ATTACK SURFACE | Application Whitelisting (Server Lockdown) | ✓ | ✓ | × | ✓ | ✓ |
| REDUCE ATTACK SURFACE | Category Based Application Control | ✓ | ✓ | × | × | × |
| PREVENT BEFORE IT RUNS | Patch Assessment | × | × | × | ✓ | × |
| PREVENT BEFORE IT RUNS | Machine Learning Malware Protection | ✓ | × | ✓ | ✓ | ✓ |
| PREVENT BEFORE IT RUNS | Exploit Prevention | ✓ | ✓ | ✓ | ✓ | ✓ |
| PREVENT BEFORE IT RUNS | AMSI Support | ✓ | ✓ | × | ✓ | ✓ |
| DETECT | Data Loss Prevention | ✓ | × | × | × | × |
| DETECT | Anti-Hacker (e.g., Credential Theft and Code Cave protection) | ✓ | × | × | ✓ | × |
| DETECT | Ransomware protection (Behavior detection and rollback) | ✓ | × | Detection but no rollback | ✓ | Detection but no rollback |
| DETECT | Disk and Boot Record Protection | ✓ | × | × | × | × |
| DETECT | File Integrity Monitoring (FIM) / Change Monitoring | ✓ | ✓ | × | ✓ | × |
| DETECT | Synchronized Security (Out of the box integration with firewall) | ✓ | × | Partial | × | × |
| RESPOND | Threat Chain Visualization | ✓ | × | × | × | × |
| RESPOND | Threat Hunting | ✓ | × | × | × | × |
| RESPOND | Managed Detection and Response (MDR) service | $ | $ | $ | $ | $ |
| Cloud Security Posture Management (CSPM) | Asset Inventory across multi-cloud providers | ✓ | × | $ (Prisma Cloud) | ✓ | × |
| Cloud Security Posture Management (CSPM) | Cloud Security Configuration Assessment – Daily/On-demand scans | ✓ | × | $ (Prisma Cloud) | × | × |
| Cloud Security Posture Management (CSPM) | Anomaly Detection – Outbound network traffic and user login behavior | ✓ | × | $ (Prisma Cloud) | × | × |
| Cloud Security Posture Management (CSPM) | Compliance Policies – CIS | ✓ | × | $ (Prisma Cloud) | × | × |

Server or Endpoint protection?

Some competitors allow their endpoint products to be installed on servers. However, this comes at the expense of server-specific protections and features. Tools such as Server Lockdown and integration with AWS/Azure are not found in endpoint solutions, meaning the customer receives reduced functionality and protection. Make sure the customer is aware of the advantages of using a solution that is specifically designed to protect servers, and the reason for choosing this over standard endpoint protection.

