Sophos adds internal risk scanning to help IT teams spot hidden threats

Sophos has added unauthenticated internal scanning to its Managed Risk service, giving IT teams a way to spot exposed services and misconfigurations inside their networks—before attackers do.

Sophos has expanded its Managed Risk service to include internal attack surface scanning, aiming to help organizations spot weaknesses inside their networks before attackers do.

The new feature requires no credentials or special access. It scans systems from the vantage point of an unauthenticated user on the internal network, the way an attacker without credentials would see them, checking for exposed services, open ports, and misconfigured devices that could leave the door open. The idea is to surface blind spots that might otherwise go unnoticed.

This builds on the external attack surface scanning already available in the service, giving a more complete picture of what attackers might see and target from both outside and inside the network.

“With Sophos Managed Risk, organizations gain an attacker’s-eye view to identify and prioritize remediation of risks before adversaries can exploit them. The solution offers a unified view of both internal and external exposures, prioritized by risk and paired with clear remediation guidance. This enables organizations to focus their efforts where it matters most, on the most critical vulnerabilities, resolving them rapidly,” commented Rob Harrison, Senior Vice President, Product Management at Sophos.

According to Sophos' 2025 ransomware report, 40% of victims said the attack started through a vulnerability they didn't know existed. That's where visibility matters. The updated service now provides both internal and external views of possible entry points, helping IT teams spot gaps they might otherwise miss.

The risks are real. Nearly every attack in the past year led to data being encrypted, and only 31% of victims managed to recover everything. Even when companies paid the ransom — which 43% did — they only got back about 63% of their data on average. Meanwhile, the average payment hit $2 million, up from $1.5 million last year. More than 30% of organizations needed over a week to fully recover, showing how costly these attacks can be in both money and downtime.

Sophos' internal scanning uses Tenable's Nessus technology to detect weak points. It looks at systems without credentials, so security teams can understand what an attacker would find on the network with no special access. This includes things like unpatched software, outdated services, and improperly configured devices.

The goal is to reduce guesswork. Instead of juggling long vulnerability lists, IT teams get a ranked summary of the most urgent risks. Each one comes with clear instructions for what to do next.

The tool also uses AI to weigh the severity of each finding and sort it based on real-world risk, not just technical details. That's meant to help teams prioritize limited resources and respond faster.

Unlike some providers that separate internal and external tools into different products, Sophos has folded both into its Managed Risk service. That means existing customers can start using the new feature without needing new licenses or subscriptions. They just need to deploy the Nessus scanners in their console and schedule scans.

Sophos says its Managed Risk team, certified by Tenable, works alongside the MDR team to flag urgent issues like zero-days and high-risk misconfigurations. The goal is to catch warning signs early and reduce time between detection and response.

While no tool stops every attack, having a full view of what attackers could exploit makes a difference, especially when ransomware crews are getting faster and louder.