Ransomware attacks surged 40% in the second quarter of 2026. Attackers are now using AI to compress attacks that once took weeks into hours. And the typical enterprise runs more than 45 separate security products that don't talk to each other. That disconnect is exactly what Sophos set out to solve with Sophos Fusion, an AI-native defense platform launched July 16 that treats security as a coordinated nervous system rather than a collection of independent alarms.
Sophos Fusion is not another endpoint detection tool or firewall update. It is a platform built on agentic AI that connects security tools, data sources, and response mechanisms across an organization's entire IT environment, including products from Sophos and more than 500 third-party technologies. The system ingests signals from firewalls, identity systems, email gateways, and endpoint agents, correlates them in a unified data layer, and orchestrates automated responses across every connected tool simultaneously.
The timing matters. Sophos's concurrent 2026 State of Ransomware report, based on data from over 2,000 organizations across 17 countries, found that compromised identities have overtaken exploited vulnerabilities as the primary entry point for ransomware attacks. Stolen or compromised accounts were involved in 79% of incidents examined. The proportion of attacks that successfully encrypted data rose to 56% in 2026 from 50% the year before. And attackers are closing the detection gap: organizations whose firewalls caught the attack before encryption only avoided it about half the time, while those whose tools missed the early signs saw encryption occur in 71% of cases.
The Problem: Fragmented Security at AI Speed
The security industry has spent two decades adding layers: firewalls, antivirus, EDR, SIEM, SOAR, email security, identity management, cloud access brokers. Each layer solves a specific problem, but each also operates in relative isolation. When an attacker compromises a valid account and moves laterally across the environment, individual tools see fragments of the attack. The firewall sees unusual traffic. The identity system sees a login from an unexpected location. The endpoint agent sees a process spawning a child process. But no single tool sees the full picture until it is too late.
Sophos CEO Joe Levy framed the challenge directly: "As AI increases the speed, scale, and complexity of attacks, organizations need a modern connected, intelligent, and adaptive defense." The key word is connected. Fusion's architecture ingests signals from disparate security controls into a shared data layer, then uses AI to correlate events and orchestrate responses. When one component detects an intrusion signal, the system automatically coordinates a response across every connected tool, blocking the attacker at multiple chokepoints simultaneously rather than relying on a single control to catch everything.
The results from Sophos's Managed Detection and Response (MDR) service, which feeds into and is augmented by Fusion, are striking. AI handled 52% of MDR cases without any human intervention at all. The service now covers more than 40,000 customers, and the threat intelligence gathered across that broad customer base continuously feeds back into the system, creating a flywheel where each detection improves the model for every other customer.
The Technology: Agentic AI Meets Unified Defense
Fusion's architecture rests on three pillars. First, a unified data layer that ingests and normalizes signals from across the security stack, including more than 500 third-party integrations. Second, AI models trained on real-time threat data that correlate events, identify attack patterns, and determine the appropriate response. Third, an orchestration engine that executes responses across connected tools automatically, from blocking an IP at the firewall to quarantining a compromised account to rolling back unauthorized encryption.
The platform is designed for what Sophos calls "Human-AI workflows," where the AI handles the detection, correlation, and initial response, while human analysts focus on complex investigations, strategic decisions, and edge cases that the model flags for review. This is a fundamentally different approach from the traditional SIEM model, where humans sit in a SOC staring at dashboards and manually triaging alerts. Fusion's AI does the triage. Humans do the thinking.
Sophos CISO Ross McKerchar emphasized that firewalls remain important but are no longer sufficient in isolation: "Organizations can no longer rely on complexity or obscurity to hide gaps in their environment. The same technology also gives defenders an opportunity to find and fix those gaps faster, but only if prevention, detection, and response work together as part of a unified cybersecurity strategy." The data backs him up. Organizations with disconnected tools saw encryption rates 20 percentage points higher than those with correlated defenses.
The Results: What 52% Autonomous Resolution Means
The headline number in Fusion's launch is that Sophos's AI now handles 52% of MDR cases autonomously. For context, that means more than half of the security incidents detected across 40,000+ organizations are resolved without a human analyst ever touching the keyboard. The AI investigates the alert, determines whether it represents a genuine threat, executes the containment response, and documents the outcome. Only cases that exceed a confidence threshold or involve novel attack patterns get escalated to human analysts.
This autonomy rate matters because the security talent shortage is not getting better. There are roughly 4 million unfilled cybersecurity positions globally. AI that can handle half of all incidents autonomously effectively doubles the coverage of every human analyst on the team, letting them focus on the cases that actually require judgment rather than spending 80% of their time triaging false positives.
Rafe Pilling, director of threat intelligence at Sophos's Counter Threat Unit, described the attacker side of the equation in stark terms: "We are seeing adversaries use AI to accelerate familiar tradecraft, compressing attacks that once took weeks into days, or even hours." When attackers can move from initial access to encryption in hours, the traditional security model of detect-analyze-respond over days or weeks becomes irrelevant. The only viable response is automated detection and response operating on the same timescale as the attack.
Sophos plans to expand Fusion significantly in the coming months. Starting August 15, the platform will add continuous threat hunting for MDR, additional threat detectors, security automation for Extended Detection and Response (XDR), and a next-generation SIEM service with long-term data retention and advanced analytics. In October, Sophos will launch CISO Advantage (a strategic advisory service) and AI Defense, a tool designed to give organizations visibility and control over employee AI tool usage while detecting AI-related risks and misuse.
Key Lessons for Founders
Sophos Fusion offers several takeaways for founders building AI products, regardless of industry. First, the integration strategy matters as much as the core model. Sophos's decision to support 500+ third-party integrations is not an afterthought; it is the entire point. A security AI that only works within a single vendor's ecosystem is dramatically less valuable than one that coordinates across the entire stack. If you are building an AI product that needs to fit into existing workflows, invest in integrations early.
Second, the Human-AI workflow model is the right design pattern for most enterprise AI applications. Sophos doesn't claim Fusion replaces humans. It claims Fusion handles the cases that don't need human judgment, so humans can focus on the ones that do. That is a pitch enterprises trust because it acknowledges reality: AI is not magic, and security decisions still need human accountability. The autonomous resolution rate of 52% is impressive precisely because it is not 100%. It signals competence, not overclaim.
Third, the attacker-side story is a reminder that AI is a double-edged sword. The same technology that powers Fusion's autonomous defense is being used by adversaries to compress attack timelines and evade traditional detection. Founders building in security-adjacent spaces need to design for an environment where both defenders and attackers have AI, and the difference between winning and losing is measured in minutes, not days. The era of the slow, manual security response is ending. The organizations that adapt fastest to AI-speed defense will be the ones that survive the next wave of attacks.




