Video: Unlocking MDR: a game-changing business opportunity for Sophos Partners | Duration: 2968s | Summary: Unlocking MDR: a game-changing business opportunity for Sophos Partners | Chapters: Welcome and Introduction (5.7599998s), MDR Market Evolution (90.93s), Sophos Platform Overview (174s), MDR Team and Resources (455.85s), Microsoft Integration Capabilities (788.75s), Response Actions Explained (1431.34s), MDR Partner Resources (1685.1849s), XDR Solutions Coexistence (2695.255s), Concluding Q&A Session (2770.6802s), MDR Partnership Encouragement (2850.52s)

Transcript for "Unlocking MDR: a game-changing business opportunity for Sophos Partners": Good morning, everyone. Welcome to our introduction to, NDR. I'm Jess Ness. I'm the VP for our channel business here at Sophos, and I'm delighted to be joined today by Dave Murellis, who leads our, MDR business globally. Well, welcome, Dave. How are you? Hi, Jason. Good to be here. Good. Thanks. Excited for the show. How are you? Yeah. All good. Thanks. All good. So, look, MBR has been, as you know, a tremendous success for our partners over the last three or four years since we launched it. It is one of the the fastest growth areas in the security market. We just wanna say a big thank you for taking the time today and your interest in our MDR solution. Now I'm gonna pass over to Dave in a minute who's gonna go through our MDR solution in more detail, And I will take you through some of the programs and some of the commercial options that are available to you, and then we're gonna finish off with an update from our MSP team. And Josh, who's just stepped in at the last minute, will take us through some of the great things that we're doing, in our MSP business. Please feel free to leverage the q q and a tool that we have within the platform. We'll aim to answer as many of those questions as we possibly can. So it's now my pleasure to, pass over to you, Dave. Great. Thanks, Jason, and and hi, everyone. Thanks so much for investing your time to be here today to learn about something that's very close to my heart, all things MDR and security operations. Prior to being VP of product management here in in Sophos, I was a cofounder and CEO of a small startup called SocOS, which is very much in that sim and source space. And Sophos acquired that technology about three years ago to power the the MDR story to the next level, the next evolution of our MDR. And, very proud to to be here now to talk about the next evolution, the even more exciting next chapter that we have, now thanks to the the acquisition of SecureWorks and that Tejas platform. I'm not sure if anyone if you've heard about that, but that was a big investment we made and a big acquisition we made, and no doubt some of that will come out in the talk track. But very excited to give sort of MDR, the market, how we how we consider ourselves against competition, and then, a a a few slides to talk about the value prop. So hopefully, I'm you. You know, my job here is successful if someone, at least one of you learn something new. Hell, my job is very successful if, you feel inspired to go out and and and also start selling MDR to to your customers for a better outcome. So without further ado, let's jump into soft offset a glance, a level set on where we are as a business and very high level financial metrics and business performance metrics. Thanks now to the Secureworks, acquisition, this is the combined number. It's a healthy ARR, 1,500,000,000.0 US ARR. We're a pure play cybersecurity vendor, so that puts us in a very unique playing ground when you compare us to to the to the competition. There's only a handful of pure play cyber vendors that that have that accolade. But it's not that ARR number. It's it's on the right that I'm most proud about. If you have a look at that, the main pillars of Sophos started as an endpoint company back in the eighties, founded in Oxford. Endpoint customer base is still the the bleeding edge, the bleeding heart of Sophos. 300,000 endpoint customers, the all things protection. And then they move up the stack and say, well, I need to now bring in telemetry to do detection, investigation, and response. That's where XDR platform comes in. And then the customer base, and I'm sure you've you've seen it, your customer saying it. Technology is not enough. I don't have twenty four seven. I have a small team. I'm stretched. I have a security hat on. I've got a network hat on, infrastructure hat on. I need help. I need I need the peace of mind and the twenty four seven that someone the experts have my back. And and that's that's where we see that upgrade path from endpoint to XDR up to MDR, which is very much my baby. 32,000 customers and growing. It's roughly responsible for a third of that revenue number you see on the screen. Massive product market fit, massive pull from the customer base. And I encourage you all, if you're not selling it, go and go and look into it in great detail because there is an absolute, you know, absolute demand for this. Product market fit is absolutely being established, and we're on well on our way. Our our goal internally is to get to that 100,000 customer mark in the next few years. So come on that journey with us, provide a better outcome, and make some money whilst you're at it. But that MBR customer base, 32,000, thanks to the combined customer base now in Secureworks. The the why Sophos and what makes us tick is really rooted in this slide here. 32,000 customers, a thousand investigations on a daily basis. That is a lot of data, a lot of fresh insights into threats. Every corner of the globe, I think, a 120 something cost countries we're in, every vertical, every shape, every size, seeing very fresh data. And then that data then gets fed back into the machine of the products, making our products better, our threat intelligence better. Sophos, which 40% of the vendors out there, OEM, that is all being directly benefited from from that MDR customer base. And then don't forget the firewall business. Huge part of our business and our portfolio is our network side. So network, large chunk of that revenue is responsible. We're responsible for that on the network side. So Sophos at a glance, large portfolio company, but the rocket ship very much is that MDR. On the right, you see those accolades. Very proud of those accolades. The one I'm most proud of is what the customers are saying behind our back. We're the only vendor that the customers are saying, Gartner's customer choice as a as a leader in endpoint, firewall, and MDR. The next slide really solidifies how we play when you look at our, our platform and the breadth of the solutions, the categories which we play in. I mean, firewall is an enormous category in its own right. We're a leader. Endpoint, massive category in its own right. We're a leader. XDR, MDR, we're leaders. So just to play and just to solidify yourself as a market leader in one of these categories is no small feat, let alone four, five, plus. And that's what the next slide really articulates. You compare us to the competition across the plat if you look at our platform, the competition doesn't come close in terms of the breadth of the categories in which we play and how deep we play in those categories. Endpoint, XDR, MDR, firewall, email, IdentityNow with Tejas coming in. SIMNow with Tejas coming in. And Sassy on the road map. You look at those vendors, we always have a bit of a joke at the Arctic Wolf one. You know, it's we're giving them too much credit with the full tick on the endpoint. That should be a little tick. So just gone aboard a a a pretty crappy vendor out there called Cylance on the endpoint. So don't throw too much shade, but, you know, know, that's a a competitor of ours, but they realize that you need a really solid endpoint to be have a really compelling MDR offering. And and we've just done sixteen years in a row top right Gartner for for an endpoint. And that doesn't happen by accident. That's that's deliberate considered r and d and investment in technology and some really clever people doing some really innovative stuff behind the scenes. And so we're really proud of that. And this slide is a killer slide to go into a customer conversation with. Right? Look at the plat look at look at our platform It allow allow allows us to do the scale, and allows us to acquire companies and drop those technologies in at a really rapid pace. And then we play really deep in each one of those categories. So fantastic slide to go out to bat to talk about the why Sophos and the why platform story. Moving on. Let's now pivot to MDR. I'm gonna go into sort of sales mode. Now if I'm in a customer customer mode, I always start with our mission. Alright? And the mission of MDR is a simple one. It's an but yet it's an effective and it's a powerful one. It's to detect and stop threats against our customers and further their resilience. And I love this next paragraph. Two things I call out here and I I emphasize. We achieve this by putting the human forward. There is a human in the loop here. This is not Black box AI, SOC, automation, Black Box magic gen AI. There's a human in a loop, and I love it. It's about problem solving, and it's about partnership. MDR is a partnership. It's a big investment for customers. I frame this as we are gonna be the extension of your team. You have two people, now you have 500 people to lean on. Alright. This is a partnership game. This is a long term game, and I always pitch it's it's about the people element first. I'm a big basketball fan. I say it's like getting LeBron James to join the the college basketball team or the high school basketball team. Imagine the capability injection overnight. That's exactly what this does to that small infosec team when you become an MDR customer. You have now the ultimate SOC extension, the SOC multiplier here. It's partnership. It's long term. It's about furthering your resilience through time, partnership with humans. And so if I talk about humans, I then say, well, let's meet your team. Right? Let's meet your LeBron James. What does your what does your basketball team look like? Where do they live? And so here we go. We have a quick little look at we have now the combined base of all analysts. We have 500 security analysts all around the world in every corner of the globe. We always make a joke there's five lucky analysts living in Hawaii, but that's a really good spot for east to west transition. But the the this is roughly, this maps to sort of our data centers, but also this allows us to get full coverage twenty four seven. Follow the sun. Right? Your team now never sleeps. There's always there someone watching you back. It's the digital SWAT team constantly watching your your business. And this collective team here, a thousand investigations on a daily basis. There's a thousand unique things that we are seeing. And that as that customer base grows, those that a thousand numbers are gonna continue to increase, and we're just gonna get we're gonna continue to get better. We're gonna continue to hone and to tune our detection rules and our threat intel based on all the threats we see from every corner of the globe. So that for the time we I live in I'm an Aussie, but I live in London. You know, one of our New Zealand friends gets popped or there's a there's an investigation that's taking place. We respond. We find the IOCs. We feed it back into the machine. By the time we're awake in London, in The UK, in Europe, that that intel is has been disseminated through through the through the product stack, and your protected detection rules have been tuned and the gaps have been closed. So that herd immunity model for us is not just a a marketing strap line. It's something that we absolutely do and breathe every single day. And that's what makes this machine and this Sophos MDR pitch. That's why we're a market leader. That's why we're gonna continue our market leading position. Right. The team. That's that's where they are. But look look okay. Let's have a look at your SOC team now. It's it's it's Dave as the IT manager, but now look what Dave has access to. He has access to a massive amount of resources, t one, t two, t three, team leads, SOC managers all around the world. Dave now has access to threat intelligence, absolute gurus tracking the bad guys, threat hunting teams. You can you can talk to them. You can speak with them. You can ask them to do threat hunts. Detection engineering, hundreds of detection engineers. MDR is not just, an analyst looking at alerts. It's much more than that. It's all the what I call the peacetime investments that you would need to make if you want to stand up in an existing capability. And when you go, ROI, Dave, it's expensive. Customers push back. Show them this slide. Ask them. If they wanna reduce risk and they wanna hire this team here, how much is that gonna cost them? And then you look at the price we put on the table and that ROI, it it it sort of the business case sells itself. So fantastic set of resources, detection engineers, threat hunting, threat intelligence, that that makes the machine better and that works with those with that with that the team that's in the hot seat, t one, t two, t three, twenty thousand cases a month. It's a hot seat, nine hours shifts, one hour overlap between shifts to to really ensure that if there's an incident, you get a the the customer gets a consistent experience when they hand over across teams. But that's the team. So your pitch here is, wow, you have a a large a large set of resources, compelling resources, really deep expertise, but that is now your team. You pitch this to the customer and say, welcome. Like, you guys, this is your SOC team now. You have access to this team. This is who's who's watching your estate twenty four seven. Now that's the MDR team. That's what I've just shown on the right here on the slide, Sophos MDR. But on this screen here, when you're an MDR customer, you benefit from a larger backing of a larger organization, SophosLabs, SophosAI. Those are thousand threat hunts that we see every day, the investigations. Feeds labs to get better with threat intelligence, to harden our product set, to then feed models and improve our data our models. Custom custom machine learning models for detection and protection. And on the screen here, it's about a thousand over a thousand employees. So imagine that pitch, mid market customer, enterprise customer, two people in the team. So you've now a thousand of resources at your disposal backing you, protecting you against the ever evolving threat landscape. It's a pretty powerful slide. So that's the team. Alright? So I pitched the team. That's the value prop. It's really rooted in partnership and the teamwork. But then it's about what about technology, Dave? Right? Remember, cyber is about people, process, philosophy, technology. And so let's look at the technology side. And so this is yeah. We're very unique from an MDR vendor point of view because on the left, you see the Sophos stack. We could literally sell a customer the stack, the entire security almost the entire security stack. It's all blue, all Sophos. Same point. We have servers. We have cloud detection and response. We have an email product. We have a network detection and response product. We have a firewall product. We got mobile, zed t and a DNS protection. We can sell it all, and then we can provide a great outcome on top as an MDR layer. Or we can go very little blue on the right and, in fact, just deploy a sensor, monitor mode, sensor mode, and endpoints and servers and run alongside a CrowdStrike on the endpoint or a Microsoft, and then pull in all the other technologies which are non Sophos, pull in all that data, transform that data, correlate it, enrich it, pardon me, and provide a great outcome as well. And we can play in anywhere on that continuum, and that's a very unique position to to claim as a vendor there. So this is about, I I don't care what your technology stack looks like, customer. Sure. I prefer using the best endpoint products in the market. I prefer you using Sophos' endpoint product. If you're not, if you're if you're using whatever you are using, I can disconnect the services outcome conversation from the technology decisions that your customer is making. It's a really compelling pitch to the CTO. Right? Don't worry about swapping out your powers to FortiGate. It's just for us, it's a different set of logs, but we understand those logs in great detail. We know how to transform them, make them sing and dance, and provide a good outcome from a detection and response point of view. So vendor agnostic. And I'm gonna I'm gonna just put some more meat on the bones and talk about Microsoft because that's the biggest integration by far. It's permeated every fabric of every organization around the world, and we have a very compelling Microsoft proposition, What we do with that Microsoft data just to sort of make this a little bit more, appreciate just saying that at that level of we correlate. We pull in a lot of them to say that I'm gonna try to make it alive to show you sort of what detections we actually create on top of the Microsoft stack. But visibility across those technology stacks and agnostic. And now with the Tejas capability, this you're gonna see hundreds of vendors come on the screen. Right? Sometime next year when we bring all of that capability in, you're gonna see that capability, you know, explode in terms of what we can actually ingest. So what what do you actually sell when you position to a customer? What are the things you're positioning? We have two tiers, Sophos MDR essentials. It's it's the essential MDR. Right? So this is just the competitive MDR SKU. MDR essentials allows us to run alongside any third party endpoint provider, whether Microsoft, CrowdStrike, Trend, whatever it may be. You deploy us you deploy our sensor, and you get a good outcome. You get twenty four seven monitoring. You get detections. You get reporting. You get a webinar, Unlimited threat response with our sensor and really what sets us apart is we don't just isolate. Alright? We can go deep even with our sensor. I can delete a file, terminate a process, isolate a machine. It's run of the mill. Hand hand on keyboard, it's really what sets us apart, and that that's really as a nod to the heritage of our endpoint expertise. So we have Sophos MDR essentials. I typically put in essentials plus a retainer to protect you in that in case of an interactive attacker, a p one, you know, a ransom break or an interactive attacker on on, you know, that p one event, you get an incident retainer. That's what typical MDR providers do. They pitch their version of essentials. Every competitor we have, they have essentials and they have a retainer. That's standard. And then for the real upgrade, we have MDR complete, which is possibly the most compelling and most, generous MDR to market, which includes that p one incident coverage, and it also comes with a financial warranty. So think of that as the manufacturing guarantee, but it comes with a caveat. You need to use the full XDR agent. You need to be using our technology in full XDR mode, which means our protection technology must be deployed. So you're not selling MDR complete and you're not running MDR complete on top of Defender. It has to be, XDR. And roughly the customer base, we see about it's about 75% of our entire customer base is on MDR complete. That's because of our large base that gets upgraded. So customers, partners out there going, where do I start? Go target a NextGen AV customer that has Sophos AV and then do a nice upgrade path into MDR complete because that sells like hotcakes. So there are two positions. Right? Two very compelling propositions, MDR complete, a more well rounded one because of the breach protection warranty up to a million dollars plus that that critical incident coverage is is is covered on the house unlimited. Right. That's the service tiers. Now let's just let's wrapping up shortly, but let's just, talk a little bit about one of the compelling propositions, which I'm sure a lot of you guys are having conversations and probably a lot of you guys are making money selling the services, selling technology on Microsoft. We have thousands of customers with Microsoft integrations, and as you know, heavily it it heavily varies depending on, license type. Right? So customers have all sorts of a mix of licenses. The beauty of what I'm about to say is if your customer has a business basic and above, what the next slide is gonna portray is gonna be valid for your customers. So we are not a vendor that says drink the e five Kool Aid to get security value. We say, I don't care what license you have, provided it's business basic and above. I'm gonna provide security value and make your Microsoft investments, sing and dance, from a detection point of view. And so here we go. This is probably the most compelling slide I have today in a in a in a sales conversation, in a pitch with a customer. This really is powerful. And let's just there's a lot on the slides, so bear with me as I tell the story. Bottom left, MDR management activity API. Can you see how it says 12,625 on the screen? That is six that that's that's the number of API connections we have into the Sophos into our XDR platform. So 12 that roughly translates the number of customers that have plugged in their Microsoft, API. Now that API is the most valuable API we have. It is the audit logs from Microsoft. All of those audit logs get streamed in, and then we have a a team of threat hunters, threat researchers, and detection engineers purely focused on detecting threats based on that log stream. That is the audit logs of everything that's happening on Exchange Online, your SharePoint, your Teams activity, all of that is coming in. And then we have custom threat detection use cases, which are constantly evolving and detecting threats at an alarming rate. So if you see the graph on the left, the traction and coverage, look at the trajectory. In quarter two, literally this year, a few months ago, I'm gonna refresh the q three shortly, but the last quarter, that number, 5,400 represents the number of times based on that 12,000 count number, 5,400, true positive detections, true positive threats that we detected based on our proprietary custom detection rules on top of that raw audit log. 5,400 times. That is an alarming figure, and it's a true positive. So don't David's false positive. Nonsense. This is us calling your customer saying there's been a compromise in your Office three six one. Someone's in your inbox. Someone's been compromised. You've had a session hijacked. Someone's authenticated with with some creds they bought on the dark web. Look at the detection rules here. Session hijack. Adverse are in the middle. The thing that keeps the CSU up at night is this short story. Phishing link lands in your in a in an employee's inbox. Let's call him Dave. Let's pick on Dave. Dave clicks on the phishing link. You've got the MFA prompt because you're you're a good you're you're a good cyber hygiene company. MFA prompt. Dave puts his legit creds in. Dave gets redirected to the browser where he looks at that email he clicked on, and there's nothing there. You think Dave reports that to the security team? That'd be silly. He doesn't. He deletes. He closes the browser. It moves on. Meanwhile, the attacker has has reverse proxied that, stolen the session ID, and have also logged in. That's what we call an adversary in the middle attack. It's happening at an alarming rate. In fact, 9,500 times in a in a in a course of a year, we have seen that. So if you see the session hijack, our detection rules are all focused around finding and detecting that threat. We're looking at the same session ID logs in and there's two operating systems. Well, that doesn't make any sense. Why is there a Windows and a Windows or Windows or a Mac logging into Dave's inbox on the browser? That's probably a signal for a high fidelity detection. Right? And that's what you see here on the screen. Multiple OS. What what am I looking at here? There are multiple operating systems. Two machines logging into the session. And then when they're in, what do you do when you got Dave's inbox? You create inbox rules. You send more emails. You stay you stay on the DL. You create inbox rules with a full stop or a question mark or a slash. And you try to do things like if if I see emails from inbox, pros order processing, so money invoices, automatically mark them as read, put them in the archive so that the legit David Marils doesn't get to see it, but but I'm gonna but I'm gonna be watching and monitoring. And then if an inbox if one of my rules gets hit, I'm gonna go in. I'm gonna try to do something nefarious such as invoice fraud. Right? So inbox rules, huge detection focus for us. Session hijack. Authentication. Look at the authentication on the right. 5,700 times. I know it's a bit of nerdy language here, credential stuffing. What is that? That's just someone going to the dark web, buying creds, and then trying to log on to, you know, using the Azure directly in the Azure CLI command line interface or the enter ID using the actual creds. We're tracking that. We're looking at that and we're detecting it. And this is constantly evolving at an alarming rate. It is now our highest fidelity detection source across our entire stack, Sophos or non Sophos alike. That's pretty alarming. And it tells you just what an attractive honeypot this is for attackers. Wouldn't what what would you go after if You had some capabilities to go after. Of course, you're gonna target Microsoft because every single organization is using Office three sixty five in the planet. So we have this we have a a strategy internally which you preach, which is Microsoft and Sophos is better together. So fascinating, and it's all included in essentials or complete. You get real security value, deep expertise from a detection point of view, focused around really pertinent and real threat detection use cases. And I've sort of, spoiler alert, I've refreshed the dashboard for q three and it's already it's already higher than 5,400. So we are seeing just threats after threat. Every new detection rule, every tuning of a detection rule, we're uncovering more and more threats for our customers. And it's super valuable because, again, business basic and above. So sell MDR, plug in the management activity API and you've got a really well rounded capability even if you don't even consider any other integrations. Just those two alone Sophos from the endpoint to protect the crown jewels which is the endpoint and service, plug in the order logs and then and then watch Sophos NDR in action. So we detect something, but what happens if we detect something? Well, you you if it's 2AM in the morning and we detect a compromised user, you sure as hell wanna know that we're gonna be taking a response action, right, on the intro. Kick them out of of of wouldn't it be beautiful to say that hacker who's logged in using some, you know, some automatic it could be even automated. Right? Those those phishing kits are automated. They just log in to Dave's inbox. What then? You don't wanna wait till Monday morning to for your customer to come back in the office because it's been at the weekend where they've been in Dave's inbox and playing around with with the environment in Office three six five. So we have high fidelity response actions that our analysts take. We can block the user sign in. We can re enable it. We can then we can disconnect current session to revoke the session to absolutely stop them in their track and kick them out of that session. And we can even disable inbox rules if the attacker has created them. And this has launched earlier this year. High fidelity, intra ID, Office three sixty five response actions, is now live in Sophos and is providing immense amount of value. We've already seen, I think, over 1,500 automated response actions. Customers can even set this up to say, I want you to automate this, and you're gonna see this automation in action in a short while. So if you look at the case of the month, this is pretty compelling. It's probably the most compelling slide I have for you before then. Hand over to Jason and the team to take you through the rest of the content, but check this out. Adversary in the middle attack with response actions on the right. This is a perfect example of all the capabilities I just spoke about. The case summary, August 13. This is just this is fresh. Right? Not even a month old. 04:54PM, proprietary to Sophos detection identifies an adversary in the middle attack. Axios user agent, one of the the no bads that we track. This customer is a business standard customer, and they get that detection. And then we detect it, so someone known, compromised, there's been someone who's hijacked the session and they're in. What happens? Well, a minute later, 04:55PM, Microsoft Office three six five response actions are automatically executed. We disable the sign in. We terminate the session. The attacker is kicked out of that environment straight away. And that compromised user account, we then automatically and and straight away activate, you know, escalate that to the customer. Right? But we say, hey. We've detected something that takes the Sophos' proprietary detections, and you don't have any five. Even if you had any five, you're not gonna get this. So we we detected something, and you're a business standard customer, and then we also took action. And we did that in a minute. It's pretty impressive. And then the customer wakes up the next day, 06:48 gets in the office. He goes, thank you, Sophos. Customer's confirmed the user password has been resected. We're not gonna we're not gonna do that. Customer does that. Or you as a partner does that. I would be seriously thinking if I was you guys, how do I make money doing this? Look at selling Microsoft tech and then layering a service like this on it and then making money by doing, remediation actions such as the password reset. And here we go. The Sophos analyst then reenables the sign in. And Dave, naughty Dave, who clicked on that link, gets restores access to that Office three six five account. This is compelling. This is real. This is live now, and it's providing value to thousands of customers. So that's me. I hope that provides a a nice overview of MDR. We've covered Sophos at a glance, massive portfolio company, but we play deep in a lot of categories. And we're the leader in a lot of categories, and we're head and shoulders above the competition from a platform scalable point of view and, you know, across that when you look at all the categories we play in. MDR is the rocket ship, 32,000 customers and growing. We're the market leader by far. And we have a very compelling it's not just a Sophos closed ecosystem. We're vendor agnostic, and we have a focus on Microsoft, which every one of your customers, I'm sure, leverages in some way. We're providing real security value, and that hopefully demonstrates how we pitch it, the the the the value prop to the customer about the team and the partnership and resiliency through time, and hopefully also shows you a little bit under the hood and put some meat on the bones around the really interesting and compelling threat detection use cases that are very real and providing value in a global and a very meaningful way and and scale that we've never seen before. So I'm pretty excited where we are, even more excited about SQX acquisition and what all that stuff brings to us. So, yeah, I'm gonna I'm gonna pause there. Looking forward to any q and a you guys have. Jason, over to you for the next section. Thanks, mate. Thanks very much, Dave. We really appreciate that. So, look, I just wanted to take everyone just through a a couple of practical steps. Obviously, as we mentioned before, we have huge amount of partners, selling MDR on a on a daily basis. And myself and Josh will just take you through some of the immense amount of resources that are available to you to start your MDR journey. I'd just like to just kick off today by, you know, just talking a little bit about the portal. We've added a tremendous amount of functionality to our portal over the last year and a half. And one of the things I wanna call out is it's absolutely easy to identify all of the customers that currently have our six solution that could be great potential customers, for, for NDR. So, of course, there's a huge amount of information and then products and, battle card information on the portal as as well as well as sales plays and training, and I'll take you through, some of that, in a second. So but to isolate the potential customers, to get you going, I would encourage you to, to start, at the portal. And then, I would encourage you to also connect with our Sophos teams and your distribution partners. You know, upgrading, six of customers to NDR is a strategic focus for us as a company. It's one of our big sales plays during the year, had been for the last couple of years. So whether you are selling into the enterprise as we've opened day, mid market, commercial, or indeed you are creating an MSP practice, we have people available that can help you, with those customer conversations, right away across the board. And, of course, our distributors are also available to help you from a training, quoting, and a review perspective as well. So, and then finally, I'd just like to to talk about our academy. Right? We've got some fantastic training available, all online. It's available to our sales, engineers, and and your architects, and, all of the training counts towards your partner status, and level. And there's also some services that we've added some training around services such as guided onboarding. So, you know, partners that want to take the extra step and build onboarding services, and we can and we promote those widely across our business, for those partners that wanna take the extra step on on services. So I'd encourage you to check out, our academy. We'll all be often sees a lot of our partners, you know, take their sales folks, through the, you know, through the sales training. So it's not uncommon for us to have 20 or 30 sales folks to go through that NDR training, in one go. We see that as something that really kickstarts our NDR journey. What I'd also like to just clarify, you know, our great deal reg program is available from one user. Right? So, you know, you typically with our deal reg program, that starts at a 100 users and above. For NDR NDR, that's not the case. We protect every single opportunity that you register from one user and above. And we're also making available some, some very special sort of deal reg boosters, as we call them. So every single, successful NDR deal that we closed through, through the deal reg program, you can earn an extra 5% margin. And if it's a net new customer, and that could be one of the Microsoft customers that that David was referring to just a second ago. You can add an extra 10% discount to your, deal reg quote. So you can earn a maximum of 15% on top of the existing deal reg discounts. And for some partners, that could mean a 40 to 45 to 50% discount on on on on their NVR opportunities. You know, of course, creating a huge profit opportunity. There are some terms and conditions associated with the boosters, but they are quite straightforward. Right? You know, it's deal reg. It's either an existing customer, 5%, or it's a new customer, 15%. But please check out the terms and conditions, on our portal. And another big area of success we've seen with NDR is around our MSP business, and I'm delighted to, pass the call over to, to Josh, who's gonna take us through the, MSP opportunity. Perfect. Thank you, Jason, and thank you for having me. So if I just go on to the next slide. The MSP. There we go. So for those who don't know, we've built a award winning MSP program about eight or nine years ago, to align with the way you send a support to your customers and the way you buy from Sophos. Now I'm just gonna quickly dive in to how you can take your MSP business to the next level with Sophos. Now as you can see by the first step, Sophos MSPs are growing fast. That's 30% year on year. And I believe that's down to the the way we've built, the platform and the program specifically for MSPs. Now it's not a repurposed reseller model. It's a true MSP platform. So it's built for flexibility, scalability, and simplicity. Now as you can see across the mail, we've got over three and a half thousand active partners, and they are able to manage and deploy all of their cybersecurity solutions for their customers in a centralized MSP dashboard. So there's no separate dashboard. It's a single pane of glass. You can deploy your licenses, manage your customers, and upgrade and downgrade licenses often this single pane of glass dashboard. Now you can build service, your services your way with a simple pay as you go billing method, and you're never alone. There's a dedicated MSP team across EMEA able to assist you with onboarding and enabling yourselves as a partner so you can roll out those services to your customers. As pretty simply and straightforward. Now you've got if we look at MDR for MSPs, you've got three, flexible options that you can use that'll suit your business. You've got you provide your own services. So if you've got an in house operations team, you can fully own and deliver NDR services to your customers. You've then got partner with Sophos. So if you wanna stay involved, but lighten the load, you can co manage NDR with Sophos. We'll work alongside your team to deliver top tier protection. And then finally, outsource it to Sophos. If you prefer to focus on other areas in the business, you can fully outsource MDR to Sophos, and RxBest will handle everything end to end for you. Now if we just go on to the next slide, the MDR bundle for MSPs. That's not updated on my screen. Here we go now. So as some of you may see, with our elevate program, we've launched an MDR bundle for MSPs. So if you looked at the service tiers Dave mentioned earlier, you've got the essentials tier and you've got the complete tier. However, with MSP, you've got the MDR bundles for MSPs. And with that, you get all of the integration packs included, NDR, and the one year data retention all in one cost. You've also got the set the endpoint and the server pricing at the same cost as well. Now there's a 20% uplift on MDR complete for endpoints, but it's the same price across the endpoint and server. And here the service tiers that Dave mentioned earlier in the in the session. So you've got MDR essentials, MDR complete. You've got the additional, integrations and solutions here that are an added bolt on. But with the MDR bundle for MSP, as you'll see at the bottom, you've got the integrations included, the data retention included, and then also NDR is included in that same cost as well. Now you're probably thinking that sounds great. How do I sign up to elevate program? Well, here's here's the link to do so. You have the link at the top, lp.softops.com/mspelevate. Review the terms and conditions. You'll then receive a welcome email once you've done that, and then you'll be approved on the elevate program, and you'll be able to take advantage of that MDR bundle for MSPs. Now final slide, quick start tools for success. So as I mentioned, you've got a dedicated global MSP team. We've got a specific team here in MA that cover all regions. We've also got distribution as we're a we're a 100% channel focused. So you've got your distribution team there. We've also got partner care. So if you've got any operational or nontechnical questions, you can offload those to the partner care team. If If you've got a new customer that's already taken stock off services, but you but then even to use an MSP, route out to the partner care team. They will migrate that customer for you from from their existing MSP to to yourselves. You also got 24 by seven technical support. We've got full enablement in the partner portal. There's full training. We've got the MSP o one certification, MSP o two certification, which I recommend everyone takes. And then we've got the we we run things like the MSP community days across EMEA. We've got one in The UK. We've got some coming in Germany, with dates to follow for other regions. And I think that's Mick. Yeah. Nice job, Josh. Thank thank you very much for that. So, so everyone, thanks very much for the, the questions that we've been you've been sharing so far. So we'll just jump into those, David, in the interest of time. The, so there's a couple of days. Here we go. So we got, can can you have so Sophos NDR on one single server? You can. Not recommended that setup, I must admit, but, you can. There's nothing stopping you from putting just Sophos as MDR essentials. Now this is what I call a mixed estate. We allow that for essentials only. So you can't put MDR complete purely on a a server, a single server. I mean, you you can do it. There's nothing gonna stop you, but you're not gonna benefit from the value prop of MDR complete, which is the full scaleless response and the and the bridge protection warranty. So if something does go pop, just because you got NDR complete on one server, you you're not gonna get covered. So you can do this. It only is valid for NDR essentials. But, again, it's it's not a it's not a recommended, approach I would take. So get as much as you can full state for for for full protection. Yeah. Dave, thank you. And then, another question. Are there more insights into Sophos firewall logs compared to, say, FortiGate log if you're using Sophos MDR? Yeah. Good question. So the so, basically, the meta question around third party data versus our own stack. Right? So what's what's the sort of the value prop and the difference? So let's do let's zone zone in on the 48 question. So 40, we, yeah, we we pull in the logs from it. They will be a filterable set of logs, and that's the first difference. So we won't be pulling in flow logs, so level zero, real real low level logs. We'll be filtering it so it's a it's a high level. So more security relevant data comes in, sync, think, IPS events, etcetera. So there's a there's a the scope of the data that we ingest will be different. Of course, Sophos firewall, we will absolutely ingest absolutely everything. So all the flow logs will be in there in the firewall portal. So we'll have richer set of data, than the FortiGate. But then that's not so much the the biggest delta in terms of value prop. The delta in terms of value prop is the response actions. So today, if you're a Sophos firewall customer, RMDR analyst can push an IP list, an IP block list URL or domain block on the firewall directly through their console. We don't have any capability to do that on third party firewall vendors today. Spoiler alert, come, when we relaunch this offering, come when we bring the Tangis XDR capability into Sophos Central, you'll see probably you're talking half one. During half one calendar year, you'll see us widen the aperture of what response actions we can take on third party vendors, third party firewalls being one of them because the Tejas playbooks, and the Tejas response action capability does include that. So we're gonna really widen. Today in Sophos, it's restricted to our endpoint or sensor and our Microsoft response actions. The future is gonna include a hell of a lot more technology coverage. So it's a response action today, delta, and a depth of what log types we pull in. That's the difference. So, yeah, I always put pitch yeah. Bring in the FortiGate logs, but then come renewal cycle, you'll be fooled not to be positioning or at least having a conversation about, hey. Well, why wouldn't you consider the firewalls, especially the new XJS is that we've launched. This phenomenal firewall competes with the best out there, and you do have a better to get a story from a from a service delivery response and ingestion and detection point of view as well. Hope that answers your question. Yeah. Thanks very much, Dave. I'm gonna come back to you on a WatchGuard question in a second. But before that, Josh, does it come up about, you know, say if you're an existing Sophos partner, do do they need to register to be an MSP partner? You do. Yes. So to become an MSP partner, it's pretty straightforward. Www.softos.com/msp. Similar to the elevate process as I mentioned a second ago, you simply go on there, sign the t's and c's. First, before you do that, actually, you can log in to your existing partner account, and then you can sign the t's in there t's and c's in there. And it'll go through the approval process like normal. Usually, it takes about forty eight hours. But then once you're on the once you've done that, you'll be on the MSP program. Yeah. Great stuff. Yeah. So it's quite simple. So so, David, just coming back to you, question here. I recently attended a WatchGuard webinar about their MDR solution and claims to cover everything in the product stack that Sophos and other competitors do. What sets Sophos apart and is the ultimate unique selling point? Yeah. Well, yeah, funny. I I don't get questions on WatchGuard very often. That probably hints to the to my answer a little bit. I I don't consider them a a a fierce competitor in this space whatsoever. I see them a little bit in education in really budget sensitive, industries. I don't I I it's really unhelpful to abstract at the wrong level in any cybersecurity conversation. It's like saying, I have, my son plays on the on the, you know, primary basketball team, but LeBron James plays the Lakers. And and if you just say, well, both play basketball, it's pretty unhelpful comparison, isn't it? You have to go down to a level lower. I mean, what what an absurd comparison to say my basketball my son plays basketball and so does LeBron. So therefore, they both play basketball. How are you different? Well, the differences then come into the obstruction level lower. So I would go and encourage you to look at, industry reports, go and look at the Gartner performance. I don't think WatchGuard is there in from an endpoint protection point of view. Sure. They might have one, but but but what sort of capabilities do they have? You have to get and unpeel the onion on what the the quality of their capability, the quality of their endpoint protection evidenced by customer reviews and and industry third party, agnostic sort of independent reviews. So look at your MITRE ATT and CK results. I don't even think their watch card was in the MDR service evaluation. So go a level deeper. I don't see them as a competitor. I don't come across them. I think we're far superior from a quality outcome perspective. I think the ultimate USP for us is sort of I touched on, the size of our customer base. Go and ask them, whoever said that to you, how many MDR customers they have. I don't think it's gonna come anywhere near. I wouldn't I wouldn't be surprised if it's it's an order of magnitude less than us. Right? I'm not be surprised if they even have thousands. So 32,000 for us. It's not the number that really matters. It's the endpoint under management. We have 10,000,000 ish endpoints under management, MDR, and it's the machine behind us. WatchGuard has not been around and does not have the repertoire we have from an endpoint point of view. You couple our MDR now and the insights we see every single corner of the globe and how we can then operationalize those insights, into better protection and detection across our our market leading products. I can't see WatchGuard come close in in anything I just said then. Yeah. Great. Hope that answers the question. Yeah. Thank you. You're just jumping around. Can two XDR solutions coexist on the same endpoint device? So say Microsoft and so forth. Yeah. So can they exist? I theoretically, probably. Again, I wouldn't recommend you deploying two XDRs. Like, two depending, like, on on the like, an XDR, again, is a pretty, hung up full obstruction line. You have an XDR product like us. We can go in sensor mode. Defender has, like, monitor mode. So, technically, they're both XDR products, but they have to be deployed in a very certain way for this thing to work. So if you're using our protection product, right, so if you're using our full XDR agent, which some customers have this set up, full XDR where we do protection, detection, and response, and then having a defender on top that's like in sensor mode or monitor mode for like maybe an added layer of detection capability, maybe that works. Having both in full blown protect mode is a sure way in hell to, you know, really annoy your user base because you're probably gonna grind your laptops and your service to a halt. So don't recommend both in protect mode. Can they coexist? Yes. But they have to be deployed in the correct configuration, I e, one of them in sensor mode. Yeah. Great stuff, Dave. And just coming to the last question here. And just to confirm to everybody, we will be sharing the slides after the presentation, so, we'll get those out to everyone. But is there one unique feature or specialty that differs NDR from, say, SD WAN offered by Fortinet? One unique feature of specialty that differs MDR from SD WAN. I have never had a question that compares an MDR with an SD WAN solution. So so I almost wanna pass on that. I think that's completely two different apples. You're not comparing apples with apples here. MDR is a service, twenty four seven monitoring, detection, and response. SD WAN, is a software defined networking approach, two very different things. SD WAN might be a subset of MDR, but we can't we we can't separate them. So there's no such thing as a unique feature that differs them. They're completely different ones as managed service, and and and one is a a sort of a product slash approach you you take on the network. So, yeah, I would flip that question around and say, how do they sort of complement each other, which is a this is a different ballgame. But, yeah, there's there's no comparisons there from a feature point of view. Right. If I missed the question, whoever it is, say, Ed, please feel free to reach out to me offline. Yeah. Yeah. That's perfect. Dave, any final thoughts from you just before I close? I think I'll just re reiterate what I've said. Like, we're on a rocket ship journey. The the pull from the market is massive. The market compound annual growth rate for MDR just globally is about 20 something percent, 27%. So partners in the room, no doubt and I speak to hundreds of you globally. You're looking to find the next lever of growth for your business. You have to be thinking MDR. I'd be strongly suggesting, think about security services. Think about NDR. Don't think about just reselling us. You can start there. That's absolutely fine. But think strategically about how you would wrap your own services to make sure that the combination of Sophos NDR with your managed service wrapper is compelling and differentiated market. And I and I can assure you, we have hundreds of examples of partners that have started this journey with us and are now making you know, are causing a a a hell of a very competitive sort of push into the market, offering their own competitive competitive offerings with the backbone of MDR. So I'd recommend you. You're you're on the fence. When's the next lever of growth? I wanna get I wanna get the double s in my name. I'm an MSP. I do IT services, super nuts, but now I want security. Please please go and dig deeper into MDR. We're here to support you on that journey. Let's go and really, you know, combat this. There's no shortage of threats to go after, and there's a lot of value you can provide customers doing doing that model, and and you're gonna extract a lot of budget in return. So it's a win win from a business point of view and a security outcome and a security efficacy point of view. So just an encouragement from me. Go and, you know, explore a partnership with us in a deeper fashion to really accelerate the next the next part of your your business's chapter of growth. Yeah. Great stuff. Thanks, Dave. Thanks, Josh. Appreciate your time and, obviously, our partner's time. Very grateful, for that. So, look, we're here. As David, as Dave said, you know, we've got a new mental amount of resources, teams available. Please please reach out, and we look forward to driving more MD success with you soon. Thank you very much. Thank you. Thank you, everyone. Bye bye.