
100+ Free Sophos Endpoint Architect (AT15) Practice Questions

Pass your Sophos Certified Architect — Central Endpoint, Intercept X & Server (AT15) exam on the first try — instant access, no signup required.

Pass rate: Sophos does not publish AT15 pass rates.

2026 Statistics

Key Facts: Sophos Endpoint Architect (AT15) Exam

  • Exam questions: 60 (Sophos AT15)
  • Time limit: 90 min (Sophos training portal)
  • Passing score: 80% (Sophos AT15)
  • Cost: Free (with AT15 course / partner enablement)
  • Prerequisite: ET15 (Engineer Central Endpoint)
  • Certification tier: Architect (Sophos certification track)

The Sophos Certified Architect — Central Endpoint, Intercept X & Server (AT15) is an architect-tier exam delivered through the Sophos training portal (NetExam / training.sophos.com) with 60 multiple-choice questions, a 90-minute time limit, and an 80% passing score. The exam is free with the AT15 course / partner enablement and follows the ET15 Engineer credential as a prerequisite. AT15 covers deployment architecture (Update Cache TCP 8190, Message Relay TCP 8191, AD Sync, Federated ID), Windows/macOS/Linux client deployment methods, endpoint and server policy design, Intercept X advanced defenses (Deep Learning, Anti-exploit, CryptoGuard, WipeGuard, Adaptive Attack Protection), Server Lockdown and File Integrity Monitoring, and operational troubleshooting using Endpoint Self Help and the Sophos Diagnostic Utility.

Sample Sophos Endpoint Architect (AT15) Practice Questions

Try these sample questions to test your Sophos Endpoint Architect (AT15) exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which TCP port does a Sophos Update Cache use to serve update content to managed endpoints on the LAN?
A. TCP 80
B. TCP 443
C. TCP 8190
D. TCP 8191
Explanation: An Update Cache downloads endpoint update bundles from Sophos servers over HTTPS and re-serves them to LAN endpoints over TCP 8190. This conserves WAN bandwidth at sites with many endpoints because each cached package is downloaded from Sophos only once.

2. Which TCP port is used by a Sophos Message Relay to forward management communications between Sophos Central and managed endpoints?
A. TCP 80
B. TCP 443
C. TCP 8190
D. TCP 8191
Explanation: A Message Relay listens on TCP 8191 and proxies management/control traffic from endpoints to Sophos Central. It is used in segmented networks where endpoints cannot reach Sophos Central directly over the internet.

3. An architect is designing a Sophos Central rollout for a 5,000-endpoint site that must minimize WAN bandwidth used for updates. Which Sophos role should they deploy?
A. Message Relay only
B. Update Cache only
C. Update Cache combined with Message Relay
D. AD Sync Utility
Explanation: For large remote sites Sophos recommends deploying both an Update Cache (8190) for content distribution and a Message Relay (8191) for control traffic, often co-located on the same Windows Server. The cache reduces WAN content downloads, and the relay reduces the number of endpoints that need direct internet access.

4. Which operating system is required to host a Sophos Update Cache and Message Relay role?
A. Any supported Windows Server with the Sophos endpoint agent installed
B. Sophos Linux Sensor on Ubuntu LTS
C. A Sophos UTM appliance
D. Windows 11 Pro workstation only
Explanation: Update Cache and Message Relay are server roles activated on a managed Windows Server endpoint that already runs the Sophos endpoint agent. Once promoted, the server downloads update bundles and proxies management traffic for nearby endpoints.

5. A Sophos Central administrator wants to import on-premises Active Directory users and groups into Sophos Central for policy assignment. Which tool should they use?
A. Sophos Diagnostic Utility (SDU)
B. Sophos AD Sync Utility
C. Sophos Endpoint Self Help (ESH)
D. Sophos Federated ID
Explanation: The Sophos AD Sync Utility runs on a Windows server with line-of-sight to a domain controller and pushes users, groups, and OU structure into Sophos Central. Once synced, admins can apply user-based policies and assign roles based on AD groups.

6. Which statement about the Sophos AD Sync Utility is true?
A. It must run on a domain controller
B. It runs as a service on a domain-joined Windows server and synchronizes selected OUs to Sophos Central
C. It pulls SAML claims directly from Microsoft Entra ID with no on-prem component
D. It deploys the Sophos endpoint installer to every imported user automatically
Explanation: AD Sync Utility runs as a Windows service on a domain-joined member server (not a DC). The administrator selects which OUs and groups to sync, and the service pushes them into Sophos Central on a recurring schedule.

7. What is the correct first step when a partner takes over administration of a customer's Sophos Central tenant?
A. Reinstall every endpoint agent
B. Establish access through Sophos Central Partner with a Federated ID
C. Disable Tamper Protection across all policies
D. Delete the customer's Super Admin account
Explanation: Partners manage customer tenants through Sophos Central Partner. Each admin uses a Sophos Federated ID, which is the global Sophos identity that links a person to one or more Central tenants and partner consoles.

8. Which deployment topology forces every endpoint to communicate with Sophos Central exclusively through internal network paths?
A. Endpoints with direct internet egress on TCP 443
B. Endpoints configured to use a Message Relay that has internet egress on TCP 443
C. Endpoints configured to use only an Update Cache
D. Endpoints joined to AD with the AD Sync Utility installed
Explanation: When endpoints are configured to talk to a Message Relay, all control traffic terminates on the relay; only the relay needs outbound TCP 443 to Sophos Central. This is the standard topology for tightly segmented networks where endpoints have no direct internet access.

9. An Update Cache fails to download new threat definitions but the Sophos endpoint agent on the same server is healthy. Which check should the architect perform first?
A. Verify that the cache server can reach Sophos cloud over TCP 443
B. Reinstall the AD Sync Utility
C. Switch the endpoint to Linux Sensor
D. Disable CryptoGuard on the cache server
Explanation: Update Cache pulls update bundles from Sophos cloud over outbound TCP 443. If endpoints are healthy but the cache cannot fetch updates, outbound HTTPS to Sophos infrastructure is the most likely failure point and should be tested first.

10. Which Sophos Central console product surface manages Server Protection policies for Windows and Linux servers?
A. Sophos Endpoint
B. Sophos Server
C. Sophos Email
D. Sophos Firewall Manager
Explanation: Sophos Central exposes separate product surfaces for endpoint workstations and servers. Sophos Server manages Server Protection licenses, server-only policies (lockdown, FIM, etc.), and runs alongside Sophos Endpoint and Sophos XDR.

About the Sophos Endpoint Architect (AT15) Exam

The Sophos Certified Architect — Central Endpoint, Intercept X & Server (AT15) certification validates architect-level skills designing and operating Sophos Central Endpoint and Server deployments, including Update Caches and Message Relays, AD Sync Utility, Federated ID, segmented policy design, Intercept X advanced defenses (Deep Learning, Exploit Prevention, CryptoGuard, WipeGuard, Adaptive Attack Protection), Server Lockdown and File Integrity Monitoring, the Sophos Linux Sensor, and operational practices for ESH/SDU troubleshooting, isolation, Live Response, and Account Health Check reviews. AT15 follows the ET15 Engineer prerequisite.

Assessment

60 multiple-choice questions covering Sophos Central deployment scenarios, client deployment methods across Windows/macOS/Linux, endpoint protection configuration, server protection and hardening, Intercept X advanced threat defense, and logging/reporting/troubleshooting

Time Limit

90 minutes

Passing Score

80%

Exam Fee

Free with the AT15 course / partner enablement (Sophos / NetExam Training Portal)

Sophos Endpoint Architect (AT15) Exam Content Outline

Deployment Scenarios (20%)

Sophos Central deployment design, Update Caches (TCP 8190), Message Relays (TCP 8191), AD Sync Utility, Federated ID, Sophos Central Partner/Enterprise tenants, branch and HQ topology decisions

Client Deployment Methods (15%)

Manual installer, scripted/silent install, GPO startup scripts, SCCM/MECM, Microsoft Intune Win32 packaging, Jamf and other macOS MDM, Linux Sensor scripted install, competitor removal, and supported uninstall workflows

Endpoint Protection Configuration (20%)

Threat Protection policy (Live Protection, Deep Learning, Behavioral analysis, Exploit Prevention, CryptoGuard, Active Adversary Mitigation), Application Control, Web Control with HTTPS decryption, Peripheral Control, Data Loss Prevention, Tamper Protection

Server Protection & Hardening (15%)

Sophos Server Lockdown (Server Application Control), File Integrity Monitoring, Linux Sensor for cloud workloads and containers, server-specific exclusions, hypervisor guidance, and lockdown lifecycle/maintenance

Intercept X & Advanced Threat Defense (15%)

Intercept X advanced defenses including Deep Learning, Anti-exploit, CryptoGuard rollback, WipeGuard MBR protection, Adaptive Attack Protection, Account Health Check, Sophos Data Lake, and Live Discover threat hunting

Logging, Reporting & Troubleshooting (15%)

Endpoint Self Help (ESH), Sophos Diagnostic Utility (SDU) log gathering, performance and exclusion troubleshooting, isolation and Live Response, support escalation through the Partner Portal, and reporting/QBR workflows

How to Pass the Sophos Endpoint Architect (AT15) Exam

What You Need to Know

  • Passing score: 80%
  • Assessment: 60 multiple-choice questions covering Sophos Central deployment scenarios, client deployment methods across Windows/macOS/Linux, endpoint protection configuration, server protection and hardening, Intercept X advanced threat defense, and logging/reporting/troubleshooting
  • Time limit: 90 minutes
  • Exam fee: Free with the AT15 course / partner enablement

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Sophos Endpoint Architect (AT15) Study Tips from Top Performers

1. Memorize Sophos infrastructure ports — Update Cache uses TCP 8190 to serve endpoints, Message Relay uses TCP 8191 for control communications, and both upstream to Sophos Central on TCP 443
2. Master AD Sync Utility vs Federated ID — AD Sync imports on-prem users/groups for policy targeting, Federated ID is the cross-tenant Sophos identity admins use to access Sophos Central Partner
3. Differentiate Intercept X advanced defenses — Deep Learning is pre-execution ML, Behavioral analysis is runtime, Exploit Prevention blocks ROP/CFG/ASLR techniques, CryptoGuard handles ransomware rollback, and WipeGuard protects the MBR
4. Know when to recommend Server Lockdown — static, single-purpose servers benefit; dynamic developer machines do not. Lockdown is a layer on top of Threat Protection, not a replacement
5. Practice exclusion design — narrow path/process/hash exclusions only, never whole drives, and always tied to documented application requirements
6. Get fluent with ESH (Endpoint Self Help) for user-facing diagnostics and SDU (Sophos Diagnostic Utility) for engineering escalations — exam scenarios often hinge on which tool to use

Frequently Asked Questions

What is the Sophos Certified Architect — Central Endpoint, Intercept X & Server (AT15) exam?

AT15 is Sophos's architect-tier credential for Sophos Central Endpoint, Intercept X, and Server Protection. It validates skills designing deployment infrastructure (Update Caches, Message Relays, AD Sync), segmented policy design, Intercept X advanced defenses, Server Lockdown and FIM, and operational troubleshooting workflows.

How many questions are on the Sophos AT15 exam?

AT15 contains 60 multiple-choice questions delivered in 90 minutes through the Sophos training portal (NetExam / training.sophos.com). The passing score is 80%, which works out to roughly 48 of 60 correct answers.

How much does the Sophos AT15 exam cost?

AT15 is typically delivered free with the official AT15 course or via Sophos partner enablement. Pricing for non-partners can change, so verify current details on training.sophos.com before scheduling.

Is there a prerequisite for AT15?

Yes — Sophos recommends and effectively requires the ET15 Engineer — Central Endpoint, Intercept X & Server credential before attempting AT15. The architect-level exam assumes the engineer-level material is already mastered.

How long is the AT15 certification valid?

Sophos certifications are typically valid for 2-3 years, with recertification aligned to major product or course revisions. Check training.sophos.com for the current AT15 validity terms before relying on a specific timeframe.

What topics does AT15 emphasize?

AT15 weights deployment scenarios at 20% (Update Cache 8190, Message Relay 8191, AD Sync, Federated ID), endpoint protection configuration at 20%, plus 15% each for client deployment methods, server protection and hardening, Intercept X advanced threat defense, and logging/reporting/troubleshooting.

How should I prepare for the Sophos AT15 exam?

Hold ET15 first, then complete the AT15 course on training.sophos.com. Build hands-on Sophos Central labs covering Update Cache and Message Relay topology, Linux Sensor, Server Lockdown and FIM, Intercept X (CryptoGuard, WipeGuard, Adaptive Attack Protection, Exploit Prevention), and ESH/SDU troubleshooting. Use this 100-question free practice bank to identify weak areas before sitting AT15.