Sophos endpoint protection is priced per user per year and is sold through resellers: the baseline Sophos Endpoint (formerly Intercept X Advanced) starts around $28/user/year, Intercept X Advanced with XDR (the EDR tier) starts around $48/user/year, and managed offerings with Sophos MDR reach roughly $70 to $80+/user/year depending on scale. Sophos does not publish a direct list price, so these are aggregated reseller and buyer-reported figures.
Sophos Intercept X pricing tiers
| Tier | Price | Real EDR? | Notes |
|---|---|---|---|
| Sophos Endpoint (baseline) | ~$28/user/yr~$2.33/mo | No | Formerly Intercept X Advanced. NGAV + anti-ransomware. No EDR. |
| Intercept X Advanced with XDR | ~$48/user/yr~$4.00/mo | Yes | The EDR/XDR tier: telemetry, threat hunting, response. |
| Sophos MDR (managed) | ~$70-80+/user/yr~$6-7/mo | Yes | 24/7 managed detection and response on top of the platform. |
| Sophos MDR Complete | Custom quote | Yes | Full-service MDR with broader response and incident handling. |
The entry tier that delivers genuine EDR (continuous telemetry, behavioural detection, threat hunting, and response actions) is Intercept X Advanced with XDR (~$48/user/year). Cheaper tiers in the table are NGAV or prevention-only and do not give you the post-incident investigation trail that defines EDR.
What it costs at your size
Worked annual figures at the entry EDR tier, before negotiation. Use these to size the budget line, then run your own numbers in the budget calculator, which layers deployment, tuning, and internal operating cost on top of the licence.
| Organisation | Endpoints | Tier | Annual licence | Per endpoint / mo |
|---|---|---|---|---|
| Micro / SMB | 50 users | Intercept X + XDR | ~$2,400 | ~$4.00 |
| Small business | 200 users | Intercept X + XDR | ~$9,600 | ~$4.00 |
| Mid-market | 1,000 users | Intercept X + XDR | ~$45,000 | ~$3.75 |
| Mid-market + MDR | 1,000 users | Sophos MDR | ~$75,000 | ~$6.25 |
| Enterprise | 10,000 users | Intercept X + XDR | ~$400,000 | ~$3.33 |
Licence only. Deployment, tuning, IR retainer, and internal operating cost sit on top: see the five TCO categories. At SMB scale the licence is roughly half of true all-in cost.
Four ways to bring the Sophos Intercept X number down
Buy through a competitive reseller
Because Sophos is channel-led, the reseller margin is negotiable. Get quotes from two or three Sophos partners; the spread on the same SKU can be 15 to 25 percent.
Match the tier to the need
The baseline Sophos Endpoint is prevention-only. If you need EDR for compliance or insurance, you must buy the XDR tier; do not let a quote for the cheaper baseline pass as EDR.
Decide on MDR before signing, not after
Sophos pushes its MDR hard. It is genuinely strong, but it roughly doubles the per-user cost versus self-managed XDR. Buy it if you lack analyst capacity, not by default.
Bundle with Sophos firewall for synchronised security
If you already run Sophos XGS firewalls, the synchronised-security integration adds real value and gives you negotiating leverage on a combined renewal.
When Sophos Intercept X is the right pick, and when it is not
- + You are an SMB or mid-market shop that wants strong anti-ransomware and a single, simple console.
- + You already run Sophos firewalls and want synchronised security across network and endpoint.
- + You want a well-regarded managed MDR option from the same vendor without integrating a third party.
- + You buy through a channel and can negotiate reseller margin.
- − You need the absolute top of the MITRE ATT&CK detection rankings: CrowdStrike and SentinelOne score higher in independent evaluations.
- − You are on Microsoft 365 E5: Defender for Endpoint P2 is already included.
- − You want one published direct list price: Sophos's channel model makes apples-to-apples comparison harder.
- − You only need the baseline tier: that is prevention, not EDR, and will fail an EDR control test.