Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/mdr/help/en-us/index.html?contextId=mode

More About Threat Response Mode

We know that teams responsible for managing IT security vary greatly in terms of their size, capabilities, and needs. We want you to be able to decide how potential threats are escalated, what response actions (if any) you want us to take, and who should be included in those communications.

There are 2 Threat Response Mode options, regardless of whether you subscribed to MDR Essentials or MDR Complete:

  • Collaborate

    The Collaborate Threat Response Mode sends you notifications of observed activities, and corresponding recommendations. The MDR Ops team will investigate but no response actions will be taken without your consent or active involvement. Selecting Collaborate gives you the option to have some response actions performed by the MDR Ops team and others to be performed by your team or another partner (e.g. an IT managed service provider).

    In this mode, the MDR Ops team must receive written authorization before performing response actions. We’re your co-pilot and you’re the captain.

    An option exists under Collaborate that authorizes the MDR Ops Team to operate in Authorize mode in the event Sophos does not receive acknowledgment after attempting to reach all customer defined contacts by phone. If you prefer for us to work this way, please be sure to check the box under Collaborate in Sophos Central.

  • Authorize

    The Authorize Threat Response Mode also sends you notifications of observed activities, but the MDR Ops team will proactively manage all containment actions (with full neutralization for MDR Complete customers) on your behalf and inform you of the action(s) taken. Selecting Authorize means you want us to handle as much workload as possible, notify you of the response actions taken, and only escalate things that require specific actions from you or your team that we are unable to take. In this case, we act as the captain.

Response Modes in Action

Let’s look at how Response Modes work using a practical example:

The MDR Ops team identifies an active ransomware attack in your environment.

  • Collaborate

    The MDR Ops team follows the same phone and email notification process as noted above. But perhaps you’re unable to perform the required response actions because you’re on holiday with no laptop, or you’re at home caring for a sick child and need us to take those actions for you. In situations like these, all we need is your permission to perform those actions and we manage things from there.

  • Authorize

    The MDR Ops team rapidly executes response actions to neutralize the ransomware attack. Once the threat is neutralized, the MDR Ops team contacts you via phone and/or email and provides detailed information on the threat and the action(s) taken to neutralize it.