
100+ Free Sophos XDR Architect Practice Questions

Pass your Sophos Certified Architect — Sophos Central XDR / MDR (AT12) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
Pass rate: Sophos does not publish official pass rates for AT12
100+ questions, 100% free
Key Facts: Sophos XDR Architect Exam (2026 statistics)

  • Exam questions: 60 (Sophos AT12)
  • Time limit: 90 min, online proctored
  • Passing score: 80%
  • Exam fee: Free with course / partner enablement
  • Data Lake retention: 90 days standard (1-year extended add-on available)
  • Sophos code: AT12 (ET12 Engineer is the recommended prerequisite)

The Sophos Certified Architect — Sophos Central XDR / MDR (AT12) is an architect-tier exam with 60 multiple-choice questions in 90 minutes and an 80% passing score, delivered free with course/partner enablement through the Sophos Training Portal (NetExam). It tests multi-tenant deployment with Sophos Central Enterprise sub-estates and Partner, Data Lake design (90-day default, 1-year extended retention add-on), custom Live Discover queries on OSquery and Sophos schemas with never-reused Sophos PIDs, hypothesis-driven hunting using the PEAK framework and MITRE ATT&CK Navigator, detection engineering with a measurable lifecycle, advanced incident response and forensics including Threat Cases and Live Response, OAuth 2.0 API automation (X-Tenant-ID, 1-hour tokens, 429 backoff) for SIEM (Splunk, Microsoft Sentinel, QRadar) and SOAR (Cortex XSOAR, Splunk SOAR) integration, and MDR Essentials vs MDR Complete operations with the contractual 60-minute high-severity SLA and $1M Breach Protection Warranty. ET12 Engineer is the recommended prerequisite.

Sample Sophos XDR Architect Practice Questions

Try these sample questions to test your Sophos XDR Architect exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. An MSP partner needs to manage the security of 40 customer organizations from a single pane of glass while letting each customer keep its own admin team and policies. Which Sophos Central deployment model is the BEST fit?
A. A single Sophos Central Admin account with one global tenant
B. Sophos Central Enterprise with each customer linked as a sub-estate
C. Sophos Central Partner with each customer as a sub-estate
D. On-premise Sophos Enterprise Console (SEC) replicating to Central
Explanation: Sophos Central Partner is the multi-tenant management surface designed for MSPs. Each managed customer is a separate Sophos Central tenant (listed as a customer in the Partner Dashboard; "sub-estate" is the Enterprise term) with its own admins, policies, and licensing, while the MSP keeps a unified Partner Dashboard for cross-tenant operations.

2. An organization with 12 regional sites wants each region to have its own admins and policies but the head office to keep visibility into all regions. Which Sophos Central feature satisfies this requirement?
A. Role-based access control with custom roles
B. Sophos Central Enterprise sub-estates
C. Tag-based admin scoping inside a single tenant
D. Sophos Firewall Manager (SFM)
Explanation: Sophos Central Enterprise lets a single organization split itself into sub-estates. Each sub-estate is its own Central Admin tenant with its own admins and policies, but the Enterprise super admin sees and can opt into every sub-estate from the Enterprise Dashboard.

3. What is the default Data Lake retention period for endpoint and server data in Sophos Central XDR (without an extended-retention add-on)?
A. 30 days
B. 90 days
C. 180 days
D. 365 days
Explanation: Sophos Central XDR ships with 90-day Data Lake retention as standard for endpoint, server, and integrated product data. Customers that need longer historical hunting can purchase the 1-year extended Data Lake retention add-on.

4. A SOC architect needs hunters to be able to look back 9 months when investigating a slow-moving APT. Which design change is required on Sophos Central XDR?
A. Increase the Data Collection upload frequency to 'continuous'
B. Purchase the 1-year extended Data Lake retention add-on
C. Enable 'long-term offline storage' inside the XDR policy
D. Schedule weekly Data Lake exports to a customer S3 bucket only
Explanation: Standard XDR retention is 90 days. To routinely query 9 months of history inside the Sophos Data Lake, you must license the 1-year extended Data Lake retention SKU; once enabled it transparently extends the searchable window.

5. Which Sophos product family contributes Data Lake telemetry that hunters can correlate alongside endpoint events through Live Discover?
A. Only Intercept X Endpoint
B. Only Intercept X Endpoint and Server Protection
C. Endpoint, Server, Sophos Firewall, Email, and Cloud Optix / Cloud Native Security
D. Only Sophos Firewall and Email
Explanation: Sophos XDR ingests telemetry from the broader Adaptive Cybersecurity Ecosystem: Intercept X Endpoint, Server Protection, Sophos Firewall, Email Security, and Cloud Optix / Cloud Native Security. Architects design hunts that pivot across all of these data sources from a single query interface.

6. A customer has 8,000 endpoints distributed across three continents. Which Data Lake design fact most strongly influences the deployment architecture?
A. Customers must deploy a regional Data Lake collector appliance per site
B. The Data Lake is multi-tenant SaaS managed by Sophos; customers do not deploy collectors
C. Each endpoint must run a dedicated forwarder service to ship telemetry
D. A dedicated Sophos MDR agent must be installed on every endpoint
Explanation: The Sophos Data Lake is a Sophos-hosted SaaS service. Endpoints, servers, firewalls, and email products upload telemetry directly to Sophos Central; there are no customer-managed Data Lake appliances or forwarders to size, place, or scale.

7. Which Sophos Central policy must be enabled for endpoints and servers to upload data into the Data Lake for XDR queries?
A. Threat Protection policy
B. Peripheral Control policy
C. Data Collection and Investigation policy (Data Lake uploads ON)
D. Web Control policy
Explanation: Data Lake uploads are governed by the 'Data Collection and Investigation' policy (sometimes called the XDR / Data Lake policy). The 'Upload to Data Lake' setting must be enabled for the device's data to be queryable from Live Discover Data Lake queries.

8. Which integration is REQUIRED to enable Synchronized Security between Intercept X endpoints and a Sophos Firewall in the same XDR deployment?
A. Manually shipped syslog from endpoints to firewall
B. Both products registered to the same Sophos Central account with Heartbeat enabled
C. A dedicated Sophos Synchronized Security appliance
D. Open ports 8443/tcp and 4444/tcp from endpoints to firewall
Explanation: Synchronized Security (Security Heartbeat) is wired up automatically once Sophos Firewall and Intercept X are registered to the same Sophos Central tenant and Heartbeat is enabled. The firewall reacts to endpoint health, and the endpoint can be isolated by the firewall when compromised.

9. A bank wants Sophos XDR to analyze East-West cloud traffic patterns across 60 AWS accounts and flag exposed S3 buckets. Which Sophos product MUST be integrated into Sophos Central to ingest that telemetry?
A. Sophos Cloud Optix / Sophos Cloud Native Security
B. Sophos ZTNA
C. Sophos Mobile
D. Sophos PhishThreat
Explanation: Sophos Cloud Optix (now part of Sophos Cloud Native Security) is the CSPM/CWPP component that connects to AWS, Azure, and GCP and sends posture, configuration, and network-flow data into Sophos Central XDR for cross-product correlation.

10. An architect is planning XDR sensor coverage for a 10,000-seat estate with mixed Windows, macOS, and Linux servers. Which statement is TRUE about XDR sensor placement?
A. A separate XDR sensor agent must be installed beside the endpoint agent
B. Only Windows endpoints can act as XDR sensors
C. The standard Intercept X / Server Protection agent already collects XDR telemetry; no separate sensor is needed
D. An on-prem XDR collector VM must be placed in every subnet
Explanation: Sophos XDR is built on the existing Intercept X (Windows/macOS/Linux) and Server Protection agents. Once XDR is licensed and the Data Collection policy enables uploads, those agents become the XDR sensors; there is nothing extra to install.

About the Sophos XDR Architect Exam

The Sophos Certified Architect — Sophos Central XDR / MDR (AT12) exam validates architect-level skills in deploying, hunting, and operating Sophos's XDR and MDR platforms at scale. It covers multi-tenant Sophos Central (Enterprise sub-estates and Partner), Sophos Data Lake design with 90-day default and 1-year extended retention, custom Live Discover queries against OSquery and Sophos schemas, MITRE ATT&CK and PEAK-driven hunting, detection engineering with Sigma-style translation and a measurable lifecycle, advanced incident response and forensics with Threat Cases and Live Response, Sophos Central OAuth 2.0 API automation with SIEM/SOAR integration, and MDR Essentials vs MDR Complete operations including onboarding, baselining, MTTD/MTTR metrics, and reporting cadence.

Assessment

60 multiple-choice questions covering XDR/MDR architecture and deployment, advanced threat hunting, detection engineering, incident response and forensics, integrations and automation, and MDR operations.

Time Limit

90 minutes

Passing Score

80%

Exam Fee

Free with course / partner enablement (Sophos / NetExam Training Portal)

Sophos XDR Architect Exam Content Outline

20%

XDR/MDR Architecture & Deployment

Multi-tenant Sophos Central designs (Enterprise sub-estates and Partner), sensor placement at scale on Intercept X and Server Protection, Data Lake retention design (90-day default vs 1-year extended retention add-on), and cross-product integration with Sophos Firewall, Email, and Cloud Optix / Cloud Native Security.

20%

Advanced Threat Hunting

Custom Live Discover queries against the OSquery + Sophos endpoint extension schema and the Data Lake schema, hypothesis-driven hunts using the PEAK methodology, MITRE ATT&CK Navigator coverage layers, and pivoting across endpoint, server, firewall, email, and cloud telemetry using never-reused Sophos PIDs.

15%

Detection Engineering

Custom detection rules, Sigma-to-Sophos translation, Threat Indicators for IOCs, scoped suppression rules for false positives, query performance tuning, backtesting against historical Data Lake telemetry, and a precision/recall-driven detection lifecycle.

15%

Incident Response & Forensics

Threat Cases with root-cause analysis graphs, advanced Live Response on Windows/macOS/Linux for memory captures and artifact collection, forensic timelines built from process and file journals, isolation containment that preserves the management channel, and lessons-learned with retro hunts.

15%

Integrations & Automation

Sophos Central OAuth 2.0 client_credentials API with X-Tenant-ID and 1-hour Bearer tokens, the sophos-central-api-connector Python SDK, SIEM integration (Splunk, Microsoft Sentinel, IBM QRadar), SOAR playbooks (Cortex XSOAR, Splunk SOAR), webhook destinations with signature validation, and exponential-backoff handling of HTTP 429 throttling.
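The following is an added example written for this page, not code from Sophos or from the sophos-central-api-connector SDK. It strings together the API mechanics the outline above names: a client_credentials token request to id.sophos.com, the whoami lookup that returns the tenant ID and the regional API host, the X-Tenant-ID header on every tenant-scoped call, proactive refresh of the one-hour Bearer token, and exponential backoff on HTTP 429. The token and whoami URLs and the /common/v1/alerts path follow the public Sophos Central API documentation as the author understands it; the transport, sleep and clock functions are injectable, and demo() runs offline against a fake transport whose responses are constructed here, not captured from Sophos.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"


def urllib_transport(method, url, headers, body=None):
    """Real transport (standard library only): returns (status, decoded JSON)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class SophosCentralClient:
    """Minimal tenant-scoped client; transport, sleep and clock are injectable."""

    def __init__(self, client_id, client_secret, transport=urllib_transport,
                 sleep=time.sleep, clock=time.time, max_retries=5):
        self.client_id, self.client_secret = client_id, client_secret
        self._transport, self._sleep, self._clock = transport, sleep, clock
        self.max_retries = max_retries
        self._token, self._token_expiry = None, 0.0
        self.tenant_id = self.data_region_url = None

    def _access_token(self):
        # Tokens live one hour; refresh 60 s early so a token never expires
        # in the middle of a paginated pull.
        if self._token is None or self._clock() >= self._token_expiry - 60:
            form = urllib.parse.urlencode({
                "grant_type": "client_credentials", "scope": "token",
                "client_id": self.client_id, "client_secret": self.client_secret,
            }).encode()
            status, payload = self._transport(
                "POST", TOKEN_URL,
                {"Content-Type": "application/x-www-form-urlencoded"}, form)
            if status != 200:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = payload["access_token"]
            self._token_expiry = self._clock() + int(payload.get("expires_in", 3600))
        return self._token

    def whoami(self):
        # whoami is the one call made without X-Tenant-ID: it returns the
        # tenant ID and the regional host that every later call must use.
        status, payload = self._request("GET", WHOAMI_URL, tenant_scoped=False)
        if status != 200:
            raise RuntimeError(f"whoami failed: HTTP {status}")
        self.tenant_id = payload["id"]
        self.data_region_url = payload["apiHosts"]["dataRegion"]
        return payload

    def get(self, path):
        if self.tenant_id is None:
            self.whoami()
        status, payload = self._request("GET", self.data_region_url + path)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return payload

    def _request(self, method, url, tenant_scoped=True, body=None):
        delay = 1.0
        for _ in range(self.max_retries + 1):
            headers = {"Authorization": f"Bearer {self._access_token()}",
                       "Accept": "application/json"}
            if tenant_scoped:
                headers["X-Tenant-ID"] = self.tenant_id
            status, payload = self._transport(method, url, headers, body)
            if status != 429:
                return status, payload
            self._sleep(delay)  # exponential backoff: 1, 2, 4 ... s, capped at 32 s
            delay = min(delay * 2, 32.0)
        raise RuntimeError(f"{method} {url}: still throttled after {self.max_retries} retries")


def demo():
    """Offline run against a constructed fake transport (not real Sophos
    responses): the alerts call is throttled twice before it succeeds."""
    calls, sleeps = [], []

    def fake_transport(method, url, headers, body=None):
        calls.append((url, headers.get("X-Tenant-ID")))
        if url == TOKEN_URL:
            return 200, {"access_token": "tok-1", "expires_in": 3600}
        if url == WHOAMI_URL:
            return 200, {"id": "tenant-0001", "idType": "tenant",
                         "apiHosts": {"dataRegion": "https://api-us01.central.sophos.com"}}
        if url.endswith("/common/v1/alerts"):
            if sum(1 for u, _ in calls if u == url) <= 2:
                return 429, {"error": "Too Many Requests"}
            return 200, {"items": [{"id": "alert-1", "severity": "high"}]}
        return 404, {}

    client = SophosCentralClient("client-id", "client-secret", transport=fake_transport,
                                 sleep=sleeps.append, clock=lambda: 1_700_000_000.0)
    alerts = client.get("/common/v1/alerts")["items"]
    return {"alerts": alerts, "sleeps": sleeps,
            "token_requests": sum(1 for u, _ in calls if u == TOKEN_URL),
            "tenant_headers": [t for u, t in calls if u.endswith("/alerts")]}
```

Against a real tenant you would drop the transport/sleep/clock overrides and let urllib_transport talk to Sophos; for Partner or Enterprise credentials the whoami idType is partner or organization rather than tenant, and you then pick the customer tenant ID to put in X-Tenant-ID instead of using the whoami id directly.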

15%

MDR Operations

MDR Essentials vs MDR Complete (contractual 60-minute SLA on 90% of high-severity cases, $1M Breach Protection Warranty), customer onboarding and baselining, escalation matrix, customer success metrics (MTTD, MTTR, dwell time), and MDR reporting cadence (real-time, monthly, QBR).

How to Pass the Sophos XDR Architect Exam

What You Need to Know

  • Passing score: 80%
  • Assessment: 60 multiple-choice questions covering XDR/MDR architecture and deployment, advanced threat hunting, detection engineering, incident response and forensics, integrations and automation, and MDR operations.
  • Time limit: 90 minutes
  • Exam fee: Free with course / partner enablement

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Sophos XDR Architect Study Tips from Top Performers

1. Memorize the Data Lake numbers: 90 days default, 1 year extended add-on, 30-day per-query window, up to 4 concurrent queries.
2. Drill the difference between Sophos Central Enterprise (one organization with sub-estates) and Sophos Central Partner (MSP managing legally separate customers); every multi-tenant question hinges on it.
3. Practice writing Live Discover queries that join on Sophos PID + endpoint_id, never on OS PID alone; that distinction is heavily tested.
4. Internalize MDR tier differences: Essentials targets ~30 minutes (non-contractual), Complete is 60 minutes contractual on 90% of high-severity cases plus the $1M Breach Protection Warranty.
5. Memorize the Sophos Central API basics: OAuth 2.0 client_credentials at id.sophos.com, X-Tenant-ID header, 1-hour token life, exponential backoff on HTTP 429.
6. Map common detections (T1059 PowerShell, T1053 scheduled tasks, T1547 Run keys, T1070 indicator removal) to the Live Discover tables you would hunt them in.
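An added example, not from the page and not Sophos's own queries, that makes tips 3 and 6 (and the Advanced Threat Hunting outline's point about never-reused Sophos PIDs) concrete. It loads a constructed process journal into an in-memory SQLite table and runs the same T1059.001 hunt (PowerShell spawned by an Office application) twice: once joining parent to child on OS PID, once on endpoint_id plus sophos_pid. The table and column names are a simplified stand-in for the real Live Discover process-journal schema, which carries many more columns; the rows, hostnames and command lines are constructed for the demo. On ep-A the OS reuses PID 4212 for a benign updater after WINWORD.EXE has exited, so the OS-PID join manufactures an Office-to-PowerShell link that never happened.

```python
import sqlite3

# Constructed process-journal rows (not real telemetry).  Column names are a
# simplified stand-in for the Live Discover process journal.  On ep-A the OS
# hands PID 4212 to GoogleUpdate.exe after WINWORD.EXE (also PID 4212) has
# exited; sophos_pid values are never reused, so they stay unambiguous.
COLUMNS = ("time", "endpoint_id", "sophos_pid", "parent_sophos_pid",
           "pid", "parent_pid", "process_name", "cmdline")
ROWS = [
    (90,  "ep-A", "A-0", None,  800,  0,    "explorer.exe",     "explorer.exe"),
    (100, "ep-A", "A-1", "A-0", 4212, 800,  "WINWORD.EXE",      "WINWORD.EXE /n budget.docx"),
    (200, "ep-A", "A-2", "A-0", 4212, 800,  "GoogleUpdate.exe", "GoogleUpdate.exe /ua"),
    (201, "ep-A", "A-3", "A-2", 7780, 4212, "powershell.exe",   "powershell.exe -File update.ps1"),
    (90,  "ep-B", "B-0", None,  800,  0,    "explorer.exe",     "explorer.exe"),
    (300, "ep-B", "B-1", "B-0", 3300, 800,  "WINWORD.EXE",      "WINWORD.EXE /n invoice.docm"),
    (301, "ep-B", "B-2", "B-1", 7780, 3300, "powershell.exe",   "powershell.exe -nop -w hidden -enc SQBFAFgA"),
]

OFFICE_APPS = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE")

# Join predicates are fixed strings selected by key, never built from user input.
JOINS = {
    # Correct: endpoint + Sophos PID identifies exactly one parent process.
    "sophos": "p.endpoint_id = c.endpoint_id AND p.sophos_pid = c.parent_sophos_pid",
    # Naive: OS PID + endpoint; even with a start-time guard it matches every
    # process that ever held that PID before the child started.
    "os_pid": "p.endpoint_id = c.endpoint_id AND p.pid = c.parent_pid AND p.time <= c.time",
}


def load_journal():
    """Create the in-memory journal table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE journal ({', '.join(COLUMNS)})")
    conn.executemany(f"INSERT INTO journal VALUES ({', '.join('?' * len(COLUMNS))})", ROWS)
    return conn


def hunt_office_spawned_powershell(conn, join="sophos"):
    """T1059.001 hunt: PowerShell whose parent is an Office application.
    Returns (endpoint_id, parent_process_name, child_cmdline) tuples."""
    placeholders = ", ".join("?" * len(OFFICE_APPS))
    sql = f"""
        SELECT c.endpoint_id, p.process_name, c.cmdline
        FROM journal c
        JOIN journal p ON {JOINS[join]}
        WHERE lower(c.process_name) = 'powershell.exe'
          AND upper(p.process_name) IN ({placeholders})
        ORDER BY c.endpoint_id, c.time"""
    return conn.execute(sql, OFFICE_APPS).fetchall()


def ancestry(conn, endpoint_id, sophos_pid):
    """Walk parent_sophos_pid back to the root process; returns names root-first.
    This is the same join a Threat Case root-cause chain relies on."""
    sql = """
        WITH RECURSIVE chain(sophos_pid, parent_sophos_pid, process_name, depth) AS (
            SELECT sophos_pid, parent_sophos_pid, process_name, 0
            FROM journal WHERE endpoint_id = ? AND sophos_pid = ?
            UNION ALL
            SELECT j.sophos_pid, j.parent_sophos_pid, j.process_name, c.depth + 1
            FROM journal j JOIN chain c
              ON j.endpoint_id = ? AND j.sophos_pid = c.parent_sophos_pid
        )
        SELECT process_name FROM chain ORDER BY depth DESC"""
    return [row[0] for row in conn.execute(sql, (endpoint_id, sophos_pid, endpoint_id))]


if __name__ == "__main__":
    db = load_journal()
    for join in ("os_pid", "sophos"):
        print(join, hunt_office_spawned_powershell(db, join))
    print(" -> ".join(ancestry(db, "ep-B", "B-2")))
```

The OS-PID join returns two hits, one of them the phantom WINWORD.EXE-to-PowerShell link on ep-A; the Sophos-PID join returns only the real encoded-command launch on ep-B, and the recursive walk reconstructs explorer.exe, WINWORD.EXE, powershell.exe for it. When you port the hunt to a real Live Discover table, keep the same shape: restrict the parent lookup to the same endpoint and to the Sophos process identifier, and add the start-time guard only as a sanity check, never as the join key.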

Frequently Asked Questions

What is the Sophos AT12 (Sophos Certified Architect — Central XDR / MDR) exam?

AT12 is Sophos's architect-tier certification for designing and operating Sophos Central XDR and MDR at scale. It covers multi-tenant deployment with Enterprise sub-estates and Partner, Data Lake retention (90-day default and 1-year extended add-on), custom Live Discover queries across OSquery and Sophos schemas, hypothesis-driven hunting with PEAK and MITRE ATT&CK Navigator, detection engineering, advanced incident response with Threat Cases and Live Response, Sophos Central OAuth 2.0 API automation, SIEM/SOAR integration, and MDR Essentials vs MDR Complete operations.

How many questions are on AT12 and what is the passing score?

AT12 has 60 multiple-choice questions with a 90-minute time limit and an 80% passing score. The exam is delivered as an online proctored test through the Sophos Training Portal (NetExam) after candidates complete the AT12 Architect training course.

What is the difference between AT12 Architect and ET12 Engineer?

ET12 Engineer covers operational use of Sophos Central XDR / MDR — running Live Discover queries, working Threat Cases, applying detections, and using Live Response. AT12 Architect builds on that foundation with multi-tenant design (Enterprise sub-estates and Partner), Data Lake retention strategy, hunting methodology, detection lifecycle, integration architecture (SIEM, SOAR, API), and MDR service-tier design. Most candidates should complete ET12 before attempting AT12.

How much does AT12 cost?

Sophos typically delivers AT12 free of charge to partners and customers who complete the Architect training course on the Sophos Training Portal. Pricing and partner-tier eligibility can vary, so always check training.sophos.com for current AT12 enablement.

How long is the Sophos AT12 certification valid?

Sophos Architect certifications are typically valid for 2-3 years and require recertification when major Sophos Central or XDR releases reshape the product. Always confirm the current validity window on training.sophos.com.

What MDR service tiers does Sophos offer in 2026?

Sophos offers two MDR tiers: MDR Essentials and MDR Complete. Both include 24/7 monitoring and the standard 90-day Data Lake retention. MDR Complete adds a contractual 60-minute SLA on 90% of high-severity cases, full analyst-led incident response with no extra fees, and a $1M single-claim Breach Protection Warranty. A 1-year extended Data Lake retention add-on is available with either tier.

What is the difference between Live Discover endpoint queries and Data Lake queries?

Endpoint queries hit currently connected devices for live state (running processes, registry, real-time files) using OSquery plus the Sophos endpoint extension schema. Data Lake queries hit telemetry that endpoints have already uploaded to the Sophos-hosted Data Lake; they cover up to 90 days of history (or 1 year with the extended add-on) and can join across endpoint, server, firewall, email, and cloud sources. Architects use endpoint queries for live state and Data Lake queries for historical hunts.