
Cybersecurity firm Sophos has announced a significant backend integration that connects its Sophos Intelix threat intelligence repository directly into the Microsoft ecosystem.
Announced during the Microsoft Ignite conference, this update means that organizations using Microsoft Security Copilot (for security and IT teams) and Microsoft 365 Copilot (for general staff) can now query Sophos’s threat intelligence in real time using natural language, without leaving the Microsoft interface.
In effect, this turns Microsoft’s AI assistants into front ends for Sophos’s dataset, which is built from the 223 terabytes of telemetry Sophos processes daily.
Understanding the “Data Feed”
To understand why this integration matters, you have to look at the volume of data involved. Sophos Central (their management platform) generates over 34 million detections and blocks 11 million threats every day across 600,000 organizations.
Previously, accessing this data meant logging into Sophos-specific dashboards or calling Sophos’s APIs separately. Now the same data feeds Sophos Intelix – a cloud-based threat intelligence service – which in turn is exposed directly to Microsoft’s AI assistants.
This integration is split into three specific areas:
1. Integration for Security Professionals (Microsoft Security Copilot)
This is the heavy-lifting integration designed for Security Operation Centers (SOCs) and IT administrators. Microsoft Security Copilot is an AI assistant specifically for security analysis.
With the Intelix integration, analysts can now:
- Perform Sandbox Detonation: If a suspicious file is found, the AI can trigger a “detonation” in a sandbox (a safe, isolated environment) using Sophos’s technology, to observe how the file behaves.
- Dynamic Analysis: The AI can analyze the behaviour recorded while the code executes to spot malicious patterns, rather than relying only on the file’s static properties.
- Investigate IOCs: Analysts can ask the Copilot about specific Indicators of Compromise (IOCs) – such as file hashes, URLs, or IP addresses – to check their reputation against Sophos’s global database.
Why this matters: It unifies data. Security Copilot already pulls data from Microsoft Defender, Sentinel, and Intune. Adding Sophos Intelix gives it a “second opinion” or broader context from a different telemetry source, potentially catching threats that one vendor might miss. The caveat is that a miss in the second source is not an all-clear: an indicator neither vendor has seen yet should be reported as unknown, not clean.
2. Integration for General Users (Microsoft 365 Copilot)
This is the end-user side of the integration, surfaced in tools like Microsoft Teams and Microsoft 365 Chat. It lets non-technical staff (risk managers, HR, finance) use threat intelligence directly.
For example, a user could ask the Copilot in Teams: “Is this link safe?” or “Is this domain associated with known malware?”
The Copilot queries the Sophos Intelix database and returns a natural-language answer. This shifts part of the burden of “cyber awareness” from human intuition to a database lookup, which should in theory reduce the click rate on phishing links. The practical limit is coverage: a lookup can only flag links the database has already classified, so a freshly registered phishing domain may return no record, and a “no record” result must not be presented to the user as “safe”.
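The two query paths above (an analyst asking about hashes, URLs and IPs, and an end user asking “Is this link safe?”) both reduce to the same pipeline: pull indicators out of free text, normalize them, and look them up. The following is an added example, not Sophos’s or Microsoft’s code and not the Intelix API, whose query interface the article does not describe. The reputation dictionary is constructed sample data standing in for a service like Intelix, and all function names are the author’s own. What it adds to the prose is the handling of defanged indicators (`hxxp`, `[.]`), the fallback from a URL to its host, and a verdict ordering in which “no record” outranks “clean”, so a lookup miss can never be turned into a “safe” answer.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for a reputation service such as Sophos Intelix.
# Keys are "kind:normalized_value"; values are (verdict, reason). Invented data.
SAMPLE_REPUTATION: Dict[str, Tuple[str, str]] = {
    "sha256:" + "a" * 64: ("malicious", "known loader sample"),
    "domain:login-microsoft365.example": ("malicious", "credential-phishing kit"),
    "ip:203.0.113.42": ("suspicious", "contacted by sandboxed sample"),
    "domain:example.com": ("clean", "vendor allowlist"),
}

# Severity order. "unknown" ranks ABOVE "clean" on purpose: an indicator with no
# record is unclassified, not safe, and must not be reported back as "safe".
SEVERITY = {"malicious": 3, "suspicious": 2, "unknown": 1, "clean": 0}

HASH_KINDS = {64: "sha256", 40: "sha1", 32: "md5"}
HEX_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Note: this also matches file names such as evil.exe; a production extractor
# would additionally check the TLD against the public suffix list.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE)


@dataclass(frozen=True)
class IOC:
    kind: str   # sha256 | sha1 | md5 | url | domain | ip
    value: str  # normalized form used as the lookup key

    @property
    def key(self) -> str:
        return f"{self.kind}:{self.value}"


def refang(text: str) -> str:
    """Undo common defanging so indicators can be pasted as they appear in reports."""
    text = re.sub(r"hxxps?://", lambda m: m.group(0).lower().replace("xx", "tt"), text, flags=re.IGNORECASE)
    for defanged, plain in (("[://]", "://"), ("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        text = text.replace(defanged, plain)
    return text


def _host_ioc(host: str) -> Optional[IOC]:
    """Classify a host string as an IP or a domain, normalized to lower case; None if neither."""
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return IOC("ip", host)
    except ValueError:
        pass
    return IOC("domain", host) if DOMAIN_RE.fullmatch(host) else None


def extract_iocs(text: str) -> List[IOC]:
    """Pull hashes, URLs, IPs and domains out of free text, normalized and de-duplicated."""
    text = refang(text)
    found: List[IOC] = []

    def add(ioc: Optional[IOC]) -> None:
        if ioc is not None and ioc not in found:
            found.append(ioc)

    for m in HEX_RE.finditer(text):
        add(IOC(HASH_KINDS[len(m.group(0))], m.group(0).lower()))

    remaining = text  # URLs are blanked out so their hosts are not re-scanned as bare domains
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip("?.,;:!)]}'\"")  # drop punctuation belonging to the sentence
        parts = urlsplit(url)
        if parts.hostname:
            norm = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"
            if parts.query:
                norm += "?" + parts.query
            add(IOC("url", norm))
            add(_host_ioc(parts.hostname))  # a URL always yields its host as a second IOC
        remaining = remaining.replace(m.group(0), " ")

    for m in IPV4_RE.finditer(remaining):
        add(_host_ioc(m.group(0)))  # ip_address() rejects octets > 255
    for m in DOMAIN_RE.finditer(remaining):
        add(_host_ioc(m.group(0)))
    return found


def lookup(ioc: IOC, reputation: Dict[str, Tuple[str, str]]) -> Tuple[str, str]:
    """Return (verdict, reason). A URL with no record inherits its host's verdict; a miss is 'unknown'."""
    if ioc.key in reputation:
        return reputation[ioc.key]
    if ioc.kind == "url":
        host = _host_ioc(urlsplit(ioc.value).hostname or "")
        if host is not None and host.key in reputation:
            verdict, reason = reputation[host.key]
            return verdict, f"{reason} (inherited from host {host.value})"
    return "unknown", "no record in reputation source"


def assess(text: str, reputation: Dict[str, Tuple[str, str]] = SAMPLE_REPUTATION) -> dict:
    """Answer an 'is this safe?' question: worst verdict across all indicators, plus per-IOC findings."""
    findings = []
    for ioc in extract_iocs(text):
        verdict, reason = lookup(ioc, reputation)
        findings.append({"ioc": ioc.key, "verdict": verdict, "reason": reason})
    if not findings:
        return {"verdict": "no-indicators", "findings": []}
    worst = max(findings, key=lambda f: SEVERITY[f["verdict"]])["verdict"]
    return {"verdict": worst, "findings": findings}


if __name__ == "__main__":
    # Constructed end-user style query with a defanged link.
    print(assess("Is this link safe? hxxps://login-microsoft365[.]example/owa"))
```

The ordering in `SEVERITY` is the design choice worth copying: if a user’s question contains one allowlisted domain and one never-seen domain, the answer is “unknown”, and the natural-language layer should say so rather than round it to “safe”.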
3. The “Agentic AI” and Microsoft Agent 365
The release highlights the use of “Agentic AI.” In simple terms, traditional AI helps you write or read; Agentic AI is designed to act.
Sophos Intelix is integrating with Microsoft Agent 365, which serves as a control plane (management layer) for AI agents. Identity for those agents comes from Microsoft Entra, so an agent acting on Intelix intelligence does so under an identity that can be scoped, permissioned and audited like any other principal in the tenant.
This moves the system beyond a “chatbot” that answers questions, toward one that can be authorized to take protective actions based on the intelligence it receives. Because those actions run with the agent’s own permissions, the least-privilege scope granted to that identity becomes the main limit on what a wrong verdict or a manipulated agent can do.
The Context: Speed of Attack vs. Speed of Response
The push for AI integration is largely driven by the disparity between attack speed and human response time.
According to the Sophos Active Adversary Report 2025:
- Data Exfiltration: Begins, on average, just 3 days after an initial breach.
- Detection Gap: The median time between an attacker stealing data and the victim realizing it is only 2.7 hours.
- Active Directory Compromise: Attackers can reach Active Directory (the keys to the kingdom) in as little as 11 hours.
Meanwhile, 96% of small and mid-sized businesses (SMBs) report difficulty investigating suspicious alerts due to skills shortages. The logic behind the integration is that letting the AI query the threat database instantly can shave hours off the investigation process.
Simon Reed, Chief Scientific Research Officer at Sophos, noted that the industry is moving away from the graphical user interfaces (GUIs) relied upon since the 1980s. The new paradigm is “Human-AI collaboration,” where analysts use natural language to sift through datasets that would otherwise take hours to analyze manually.
Availability
These integrations are generally available now. Sophos Intelix is accessible within the Microsoft Security Copilot and Microsoft 365 Copilot environments, as well as the Microsoft Security Store for third-party agents.