
CONFIDENTIAL - SOPHOS INTERNAL AND CHANNEL PARTNERS ONLY - DO NOT REDISTRIBUTE

TREND MICRO ENDPOINT BATTLECARD


Vendor Profile

Trend Micro is one of the largest endpoint security vendors. The company has headquarters in Japan, and offices around the world.

| Product | Description | Sophos Equivalent |
|---|---|---|
| Apex One (formerly OfficeScan) | Endpoint protection product. Managed either on premise or in the cloud. | Intercept X Advanced with XDR |
| Apex One Server | Management console for Apex One clients. | Sophos Central |
| Worry-Free | Endpoint protection for small to medium businesses (SMBs). Managed either on premise or in the cloud. | Intercept X Advanced |
| Apex Central (previously Control Manager) | Console for consolidating management of multiple products (e.g., Apex One, Vulnerability Protection, Endpoint Encryption). | Sophos Central |
| Deep Security | Advanced protection for servers, mainly targeted at enterprise customers with large data center or cloud environments. | Intercept X for Server |

Competitor Strengths

▪ Range of features - Broad feature set and list of products
▪ Server protection - Enterprise server protection features via Deep Security
▪ MQ Leader - A leader in the Gartner Magic Quadrant for Endpoint Protection

Competitor Weaknesses

▪ Disparate management - Multiple, complex and unintuitive management consoles
▪ Lack of policy management - In Apex One, protection settings are applied to specific groups of machines – as opposed to providing policies that can be re-used across multiple groups
▪ Separate components - Plug-in based architecture requires additional downloads, product activations and installs

Why Sophos Wins


Ease of Use
Our management consoles are intuitive and make common tasks, such as applying policies to machines, simple. Trend’s complex management consoles mean more work for administrators and a greater chance of the wrong settings being inadvertently applied.

Consolidated Management
Sophos Central provides multiple protection features across Windows, Mac and Linux. Trend requires additional plugins and management consoles to achieve similar functionality and with a much less coherent user experience.

Synchronized Security
With Sophos Synchronized Security, endpoints, servers and firewalls communicate and share information, allowing stronger and simpler security. This enables better protection, saves IT time and cost, and reduces incident response time from hours to minutes.

Endpoint License Comparison

| Feature | Sophos Intercept X Essentials | Sophos Intercept X Advanced | Sophos Intercept X Advanced with XDR | Trend Micro Worry-Free XDR | Trend Micro Smart Protection Suites (Endpoints/Complete) |
|---|---|---|---|---|---|
| Web Security | ✓ | ✓ | ✓ | ✓ | ✓ |
| Web Control / Category-Based URL Blocking | × | ✓ | ✓ | ✓ | × |
| Device Control (e.g., USB) | × | ✓ | ✓ | ✓ | ✓ |
| Application Control | × | ✓ | ✓ | ✓ | ✓ |
| Browser Exploit Prevention | ✓ | ✓ | ✓ | ✓ | ✓ |
| Data Loss Prevention (DLP) | × | ✓ | ✓ | ✓ | ✓ |
| Exploit Prevention | ✓ | ✓ | ✓ | ✓ | ✓ |
| Machine Learning | ✓ | ✓ | ✓ | ✓ | ✓ |
| Malicious Traffic Detection (MTD) | ✓ | ✓ | ✓ | × | ✓ |
| CryptoGuard Ransomware Protection | ✓ | ✓ | ✓ | ✓ | ✓ |
| Synchronized Security Heartbeat | ✓ | ✓ | ✓ | × | × |
| Endpoint Detection and Response (EDR) | × | × | ✓ | ✓ | ✓ |
| Extended Detection and Response (XDR) | × | × | ✓ | Add on | Add on |

The original groups these rows under the labels PREVENT, DETECT and RESPOND.

The information in this document is based on Sophos’s interpretation of data publicly available as of the date it was prepared. Other companies named in the document had no part in its preparation. The information contained in this comparison may be incomplete or inaccurate and is subject to change. The information is intended for informational purposes only and is not intended to be relied upon in making any purchase decision. The information is provided "as is" without warranties of any kind either expressed or implied. This document is Sophos confidential information. Partners may use only the most up-to-date version, and only if permitted by law in their Territory. Distribution to any third party other than a Sophos authorized partner is strictly prohibited.
NOVEMBER 2022
Copyright 2022 Sophos Group. All Rights Reserved.

Feature Shoot-Out
| Feature | Sophos | Trend Micro | See these Detailed Comparison sections for more info |
|---|---|---|---|
| Simple management | ✓ | × | ‘Integrated Management’, ‘Policy Management’ |
| Synchronized Security | ✓ | × | ‘Synchronized Security’ |
| Deep learning | ✓ | × | ‘Machine Learning’ |
| 25+ Exploit prevention techniques | ✓ | × | ‘Exploit Prevention’ |
| Protect Windows, Mac and Linux from a single console | ✓ | × | ‘Multi-Platform Management’ |
| Integrated device control and data loss prevention | ✓ | × | ‘Device Control’, ‘Data Loss Prevention’ |

Third Party Views


| Source | Comments | Context |
|---|---|---|
| Gartner | Trend is positioned within the Leaders quadrant of the 2021 Gartner Magic Quadrant for Endpoint Protection. | Sophos is also a Leader. The report noted broad platform coverage, but also hinted at concerns over Trend’s XDR limitations - “The XDR platform has a different workflow and user interface from the main EPP management console and, unlike some other XDR solutions, storage of data from other products has different retention periods”. |
| AV-Test | Apex One achieved high scores in recent AV-Tests. | The tests are performed on Windows 7, 8 and 10 platforms, and look at Protection, Performance and Usability. |
| SE Labs | Trend Micro has not participated in SE Labs since Dec 2020 for SMB and Dec 2019 for Enterprise products | Sophos Intercept X has consistently received the ‘AAA’ award in these tests. Sophos was awarded Enterprise Endpoint product of the year, 2021. |
| Forrester Wave | Trend Micro was placed as a ‘Leaders’ in the 2021 Forrester Wave for Endpoint Security. The report notes that Trend offers one of the most complete endpoint solutions. | Forrester note that Trend customers “complain that the admin experience can be cumbersome at times”. Sophos is rated as a strong contender in this report. |

Watch Out For


Strong Third Party Reviews
Sources such as Gartner and Forrester provide positive reviews of Trend products. Note that Sophos is also named a leader in the same reports.

‘Deep Security’ Server Protection
Primarily targeted at enterprise data center deployments, Deep Security protects physical, virtual, IaaS environments and offers significant functionality. While Deep Security comes with granular control over policies and settings, it comes at a management cost. Sophos Intercept X for Server focuses on giving customers the features that matter, while keeping administration to a minimum using a cross-product management platform.

Client Firewall
Apex One includes an endpoint firewall component. In addition to the usual block/allow of specific traffic and applications, it has an intrusion detection system feature which looks for patterns of traffic that match known attacks. However, as with other settings in Apex One, the method of applying firewall policies to client machines is convoluted.


Detailed Comparison
How Sophos does it How Trend Micro does it How we win
Integrated Management

How Sophos does it:
Integrated and Unified
Sophos Central is a unified console for managing multiple products. Advanced Endpoint Protection, Server Security, Mobile Control, Wi-Fi, Email and Encryption are all managed from the same interface. All settings for these products can be configured from Sophos Central, meaning there is no need for the customer to access additional consoles.

Hosted
As Sophos Central is cloud hosted, there is no need for the customer to perform any installation to get the console up and running. The console is regularly enhanced by Sophos, with no action required by the customer.

How Trend Micro does it:
Apex Central (previously Control Manager)
Trend Micro touts Apex Central as the tool for consolidating management of products. Apex One, Vulnerability Protection, Deep Discovery and many other Trend products can indeed be integrated with Apex Central. However, for most products, Apex Central Manager only enables status overview, reporting and a few high-level actions. This means customers still need to maintain and access individual product management consoles to perform more specific tasks such as modifying policies.

How we win:
Comprehensive cloud management platform
Point out: Customers can consolidate management of various security technologies through the Sophos Central console
Show: Get Sophos Central in front of the prospect, either in person, as a trial or with the online demo.

Policy Management

How Sophos does it:
Sophos Central provides simple management, allowing policies to be applied per user or per machine. Policies can be re-used, meaning there is no need to duplicate settings. Each policy lists which users and/or groups it is applied to, making it easy to identify what settings are applied where.

How Trend Micro does it:
Apex One does not have the concept of policies and instead each group has a list of ‘Settings’ where users configure the protection options they require. Some settings (e.g., Firewall and DLP) need to be configured in a separate section from where other endpoint settings are configured.
As a result, administrators are more likely to use blanket policies, make mistakes or simply avoid using features altogether. In either case, it results in reduced value and security.

How we win:
Simple policy management
Ask: How many policies do you expect to have to manage? How do you know what settings are actually applied to your client machines?
Show: Simple policy creation and enforcement in Sophos Central

Synchronized Security

How Sophos does it:
With synchronized security, products communicate with each other both across the network and on endpoints to mitigate risks and stop data loss. Security information is shared and acted on automatically, isolating infected endpoints before the threat can spread and slashing incident response time.

How Trend Micro does it:
Deep Discovery
Trend Micro Deep Discovery is a set of products designed to provide advanced threat detection and correlation across the endpoint and gateway. It includes:
▪ Deep Discovery Inspector – a physical/virtual appliance which monitors network traffic - it connects to a mirror port and works out of band rather than inline
▪ Deep Discovery Email Inspector – a physical appliance which scans email - it can be deployed inline or out of band, but either way an additional anti-spam gateway device is needed (i.e., the Email Inspector cannot act as the customer’s sole email appliance)
▪ Deep Discovery Analyzer – a physical appliance which performs file sandboxing and analysis

There is no cloud hosted option, meaning customers must install and maintain the products themselves (each product requires its own management console). While the products can be integrated with Apex Central, this does not provide management of all features (see Integrated Management section). Trend also provide IPS appliances (through their acquisition of Tipping Point) but these do not yet integrate with other Trend products.

How we win:
Simple setup, automated, powerful features
Ask: If your firewall alerted you to suspicious traffic from an IP address on your network, how long would it take you to track down the computer, isolate it from the network?
Show: Enable Synchronized Security within a matter of clicks and demonstrate the XG Firewall automatically isolating a compromised endpoint client

Machine Learning

How Sophos does it:
Intercept X’s deep learning model detects unknown malware and potentially unwanted applications. The model can take a file, extract millions of features, run it through the host-based model, and determine if it is malicious before it executes. It does all of this in about 20 milliseconds with a model that is under 20MB in size.
Our machine learning experience began as part of a 2010 DARPA project, and we have proven high speed, low impact performance.

How Trend Micro does it:
Apex One and Worry-Free include machine learning protection to analyze files pre-execution and their behavior when running. The endpoint extracts file characteristics and sends these to Trend’s cloud based Smart Protection Network, where the actual machine learning engine analysis takes place. This means it is necessary for machines to have internet connectivity, or access to the Trend Apex One server which could act as a relay.

How we win:
Proven effectiveness
Show: Our extensive publications on our website, Invincea NSS Labs report, invite the customer to look at historic VirusTotal feedback.

Exploit Prevention

How Sophos does it:
Sophos anti-exploit technology protects against the techniques that attackers may use to exploit a software vulnerability. Intercept X delivers more than 25 exploit prevention techniques to ensure protection against attacks that leverage previously unknown vulnerabilities.
Intercept X also uses an unused hardware feature in mainstream Intel processors to track code execution and augment the analysis and detection of advanced exploit attacks at run time.

How Trend Micro does it:
Exploits
Exploit Prevention is available in Apex One and Worry-Free. While it defends against some attacks, it delivers less protection than Intercept X. For example, there is nothing to indicate it has any of the active adversary mitigations (e.g., credential theft protection).

Virtual Patching
Trend also offer a ‘virtual patching’ feature, which is a set of IPS rules that protect against application or operating system vulnerabilities. Trend releases new rules in response to the latest publicly disclosed vulnerabilities, and the customer applies these to machines. Virtual patching is available in Deep Security and Apex One. Virtual patching requires management of IPS rules, to ensure machines receive the latest protection without applying too many IPS rules and impacting network traffic.

How we win:
Robust exploit protection
Requires no configuration or management of IPS rules
Ask: How much time do you have available to configure your protection settings?
Show: Create a Threat Protection policy and enable exploit prevention within a matter of clicks

Ransomware Protection

How Sophos does it:
CryptoGuard technology detects ransomware through its behavior, stopping it from encrypting files, and automatically rolling back any files that were encrypted before detection. CryptoGuard keeps a proprietary rolling cache of the last few files accessed, allowing it to automatically restore files in the event of a crypto-ransomware attack.
CryptoGuard stops ransomware from encrypting shared folders (e.g., prevents a local machine from encrypting files on a server). Also, it prevents inbound attacks from unprotected machines (e.g., a file server with CryptoGuard will be protected from an un-protected client attempting to encrypt files).

How Trend Micro does it:
Ransomware protection is included in both Apex One and Worry-Free, and works in a broadly similar way to CryptoGuard. It looks for unrecognized processes attempting to modify multiple files over a short space of time, and has a roll back capability.
However, there are some important differences:
▪ An internet connection is required to determine the reputation of the monitored process before a conviction is made (i.e., without an internet connection a machine will not block the suspicious behaviour)
▪ It will only restore files up to 10 MB in size (CryptoGuard allows much larger files to be restored)
▪ It monitors behaviour of local processes but does not detect the encryption of shared local files by a remote computer.
▪ The Apex One admin guide warns that the Program Inspection component of anti-ransomware (which is enabled by default) “may result in decreased system performance”

How we win:
Ransomware protection against both local and remote threats

Endpoint Detection and Response (EDR and XDR)

How Sophos does it:
Intercept X Advanced with XDR suits both IT administrators and security analysts. While it is accessible to IT generalists by replicating tasks normally performed by skilled analysts, it also provides the core manual tools that trained analysts would expect.

Threat Visibility:
Deep Learning Threat Indicators and Analysis
For the grey area between known-good and known-bad, deep (machine) learning prioritizes a list of suspicious files for further investigation. The comprehensive file analysis report enables customers to quickly determine if a suspicious file should be blocked or allowed.

Threat Hunting:
Live Discover search: Allows customers to quickly discover IT operations issues or to hunt down suspicious activity on both Windows and Mac.
- On-disk data: Windows and Mac endpoint data store with super detailed, live data covering up to the last 90 days
- Cloud data lake: Cross product data with 30 days’ worth of data
- XDR Platforms: Endpoint, Server, Firewall, Email, Mobile, Cloud Optix, Microsoft 365 connector (Azure AD, Exchange, Teams, SharePoint)
- Air to ground reconnaissance: Quickly scan an entire estate and then drill down to file content on a single device
- Flexible: Includes out-of-the-box, fully customizable SQL queries. Customers can create completely new, custom queries
- Schedule: Retrieve critical data from the data lake overnight
- Comprehensive: Provides up to 90 days fast access to current and historical on-disk data. Data includes insight into artifacts’ reputation and machine learning scores from SophosLabs and Sophos AI

Response:
Automatic response – The intelligent Sophos endpoint agent can automatically clean up or block threats. It is also capable of isolating the endpoint.

Live Response command line: Customers can remotely access Windows, Mac and Linux devices via a native command line to perform further investigation, install and uninstall software, or remediate any issues that Intercept X cannot address automatically. It can also be used for IT operational actions such as rebooting or installing and uninstalling software.

How Trend Micro does it:
Threat Visibility and Response
Endpoint Sensor is Trend’s EDR offering. The product provides threat chain visualizations and sandbox submissions, but machine isolation is only available via integration with Apex Central (the cloud console). Administrators can search across machines for specific files or network connections, and upload YARA rules as search criteria.

XDR
Trend’s XDR offering is named Vision One. It can ingest data from various sources including endpoints, email, servers, cloud workloads, and networks. It helps run a root-cause analysis, look at the execution profile of an attack, and identify the scope of impact across assets. XDR data lake includes sensor activity data such as telemetry, metadata, logs and netflow.

Hunting:
Customers can search event data using OpenIOC or Yara rules and custom queries. However, you can only query data in the cloud data lake. There is no way to directly query endpoints to get live information.

Response:
Trend offers a remote shell connection from the Vision One console (not Apex One) with a limited set of commands compared to Sophos.
The product does not offer guided actions to help customers decide the suggested next steps nor does it have an equivalent of Sophos’ Deep Learning Malware Analysis feature.

How we win:
Ease – quickly isolate an endpoint
Guided incident response
Point out: Sophos EDR’s guided investigations provide suggested next steps

Multi-Platform Management

How Sophos does it:
Windows, Mac and Linux machines can all be protected from Sophos Central.

How Trend Micro does it:
Windows and Mac
Apex One can only protect Windows machines. To manage Mac endpoints, it is necessary to install an additional plug-in (Trend Micro Security for Mac). If the plug-in is licensed and installed, Mac endpoints are still managed through a separate console.
Worry-Free can protect both Windows and Mac, but not Linux.

Linux
Linux protection is provided through separate products, either Deep Security or ServerProtect. Deep Security does not protect Mac devices, and ServerProtect only supports servers (i.e., no Windows clients or Mac).

All this means extra time and effort for administrators to set up and maintain separate components.

How we win:
Protects Windows, Mac and Linux from the same cloud hosted console
Ask: Which operating systems do you have in your environment? What would it mean to be able to manage all your endpoint platforms, including mobile from one console?

Device Control

How Sophos does it:
Sophos device control is simple yet powerful. It can control access to a wide range of devices, and exclusions can be made per make or model, giving administrators flexibility and control. Device control is available for both Windows (endpoints and servers) and Mac.

How Trend Micro does it:
Apex One and Worry-Free
Basic device control is available in Apex One. This has several limitations, such as not being able to configure device exclusions (i.e., you would have to block/allow all CD or USB devices). Also, only a small number of media types can be controlled (e.g., wireless, Bluetooth and MTP/PTP are missing).

More advanced device control features are available in the Data Protection module but, unless the customer has a Smart Protection license, this is a separate purchase. They are also configured from within another section of the Apex One console, which adds to the administrative overhead.

Worry-Free has limited device control, in that it can only restrict access to USBs, and it is not possible to add exclusions based on device ID.

Trend’s Mac product (Security for Mac) does not provide device control.

Deep Security
Deep Security does not include device control for servers. This is important for physical servers that may not have robust physical security, or customers that haven’t moved to IaaS.

How we win:
Control peripheral access for Windows and Mac devices with ease
Show: Demonstrate blocking USB drives, and then creating an exception for a drive that was previously plugged in

Data Loss Prevention (DLP)

How Sophos does it:
DLP is integrated into Sophos Endpoint meaning no additional plugins are required. It is simply enabled and configured in the policy section.
There is a large set of predefined detection rules for common data types, and, if required, customers can build their own custom rules using regular expressions.

How Trend Micro does it:
DLP features are not included in the standard Apex One Server application and are only available through the additional Data Protection component. Data Protection is included in the Smart Protection license suite, but for all other suites it is a costly add-on.
If the separate module is purchased, installed and configured, it does offer powerful data control features. These include many pre-configured templates to control common data (such as credit card numbers) and the ability to configure your own detailed rules.

How we win:
Simple configuration
Ask: What measures do you have in place to prevent important data leaving the organization? Do you have the resources to purchase an additional data control module?

Web Control

How Sophos does it:
Web Control policies block potentially unwanted site categories such as adult, gambling, hate, crime directly at the endpoint inside or outside the corporate network. The feature is available for both Windows (endpoint and server) and Mac.

How Trend Micro does it:
Apex One and Worry-Free
Apex One provides no simple way to control the types of websites that users can access. Administrators must manually create a list of allowed/blocked websites for each group of machines. There are no pre-defined URLs, categories or updates. This means it is impractical to control what websites users can access.

To achieve category-based filtering, customers would need to use another product such as Trend Worry-Free (which does offer category based web control) or use Trend’s InterScan Web Security product.

Trend’s Mac product (Security for Mac) has no web control functionality at all.

Deep Security
Deep Security has a Web Reputation module which blocks access to malicious websites. Although it is possible to manually exempt specific URLs or domains, it does not provide category-based blocking of websites (e.g., block access to social media).

How we win:
Prevent users accessing inappropriate websites
Simple configuration
Ask: How do you plan to restrict which types of websites users can access? What about controlling web browsing on Mac?
Show: Create a policy to block access to social media sites

Protection for Virtual Machines

How Sophos does it:
Hypervisor Agnostic
Sophos for Virtual Environments (SVE) is specifically designed for virtualized environments providing centralized off-board scanning, malware protection, customer defined file exclusions, advanced caching and automated clean up. SVE supports Microsoft Hyper-V and VMware ESXi hypervisors.

Thin Agent or Full Agent Options
SVE uses a thin agent installed on guest virtual machines to provide optimized performance. Alternatively, if customers prefer our complete next gen feature set, the full Sophos Endpoint or Server agent can be installed and managed from Sophos Central in the normal way.

Simple Licensing
Sophos provides simplified licensing by including SVE in the Server on premise and Central licenses. Customers can mix and match between SVE and full agent deployments on supported hypervisors as long as they have license entitlement.

How Trend Micro does it:
Agentless scanning
Apex One provides the option of agentless protection of virtual machines, which includes file whitelisting and technology to prevent CPU conflicts. However, this is achieved through the separate Virtual Desktop Infrastructure (VDI) plug in, which means further administration for customers.
Worry-Free does not have any specific tools for managing virtual machines.

Deep Security
Trend also offers their Deep Security product, which can integrate with VMware NSX to provide agentless scanning of virtual machines. As well as performing malware scanning, Deep Security enables other features such as intrusion prevention, web filtering or integrity monitoring. However Deep Security does not provide agentless or off-board scanning for Hyper-V or other virtual environments.
See ‘Server’ section below for more information on Deep Security.

How we win:
Lightweight agent for VMware and Hyper-V
Ask: Which virtual machines do you have in your environment?

Server

How Sophos does it:
Intercept X for Server protects physical and virtual Windows and Linux servers. Advanced protection features such as deep learning, exploit prevention and anti-ransomware are coupled with server specific capabilities such as server lockdown and automatic scan exclusions. Intercept X for Server also provides a native integration with public clouds such as AWS and Azure to enhance and simplify management of Sophos Server Protection in these environments.

How Trend Micro does it:
Windows servers can be protected using Apex One or Worry-Free Business Security. However, Trend also has two separate products specifically for servers:
▪ Deep Security – multi-layered protection for physical, virtual and cloud servers
▪ ServerProtect – anti-malware protection for physical Windows, Linux and Novell machines

Deep Security
Deep Security is an extensive product covering servers, virtualization, and infrastructure-as-a-service (IaaS). However, it is typically targeted at enterprises as it is expensive and complex to configure/maintain. For example:
▪ Policies rely on ‘Common Objects’ which include scan settings, IP addresses and file extension lists – changing one of these Common Objects affects all policies (and therefore clients) which rely on them
▪ No automatic exclusions – the customer must manually exempt common server files (e.g. .mdf database files) from scans. Sophos provides a simple one-click automatic exclusions feature
▪ Application whitelisting/lockdown requires more administration from the customer than our Server Lockdown (e.g., it has no concept of trusted updaters). Sophos Server Lockdown requires a single click to lock a server, and very little additional administration. Sophos also provides an Application Control feature, in addition to Lockdown, which allows customers to block or monitor the use of specific applications or categories of applications, which may be suitable for servers that cannot be completely locked down
▪ Deep Security can block malicious websites, but has no category-based control (e.g., block access to Social Media sites) - Windows servers are commonly used for remote desktop services, so features such as web control are valuable
▪ There is no peripheral control (USB etc) which can be an important tool for physical on-premise servers
▪ There is no DLP which, like web control, can be valuable for customers who allow end users to access the server directly
▪ A different installer is used for each operating system and version, which makes deployment cumbersome for customers with environments comprising several different platforms. Sophos provides one installer for all Linux distributions.
▪ Little integration with other Trend products – contrast this with Sophos Central where Server Protection is managed alongside Endpoint Protection, Encryption, Mobile, Email security, Web Security and more, and integrates with Sophos XG Firewall via Sophos Security Heartbeat

How we win:
Simple configuration – be confident that your servers have the correct settings applied
Ask: How much time do you have to configure and manage complex policies and application control rulesets?
Show this: Trigger lockdown on a server

Managed Detection and Response (MDR)

How Sophos does it:
Sophos MDR is a fully managed threat hunting, detection and response service that provides organizations with a dedicated 24/7 security team to not only detect but neutralize the most sophisticated and complex threats. Regardless of the service tier selected (Threat Advisor, MDR, or MDR Complete), customers can opt to have the MDR team operate in any of three Response Modes to accommodate their unique needs.
- Fully managed – allows customer to effectively outsource its SOC if needed
- Three operational modes – Collaborate, Collaborate and Authorize if not reachable, or Authorize
- Compatible with third-party products – Sophos MDR is compatible with security telemetry from several third-party vendors including Microsoft, CrowdStrike, Fortinet etc. Telemetry is automatically consolidated, correlated, and prioritized with insights from the Sophos Adaptive Cybersecurity Ecosystem (ACE) and Sophos X-Ops threat intelligence unit.
- Any size customer – from SMB to enterprise
- Best protection – based on Intercept X to ensure maximum protection

How Trend Micro does it:
Trend Micro XDR – Managed Detection and Response Service provides the usual services like 24/7 hunting, monitoring and alerts. Managed XDR is included in Service One Essentials and Complete. While Essentials only includes alerting, Complete adds response guidance, access to response team, and a service manager (account manager). The ‘Worry-Free with Co-Managed XDR’ is a recently introduced service specifically for MSPs.
- Not fully managed – the service is not authorized to take any remediation actions. It will only alert you and give you a root cause analysis.
- Not flexible – there are no different operational modes
- Not suitable for any customer – customer is assumed to have its own SOC team
- Not compatible with third-party products – unlike Sophos MDR, no possibility to leverage a customer’s existing cybersecurity technologies to detect and respond to threats
- XDR – Beyond endpoint, the service also includes monitoring of network, cloud workloads, email, and servers.

How we win:
MDR is a fully managed service – response times are minimized
Ask: What would it mean if you could truly outsource your SOC in part or entirely?
Sophos MDR can be delivered via our proprietary technology or using your existing cybersecurity technology investments
