
100+ Free Sophos Central XDR Engineer (ET12) Practice Questions

Pass your Sophos Certified Engineer — Sophos Central XDR (Detection and Response) (ET12) exam on the first try — instant access, no signup required.


Key Facts: Sophos Central XDR Engineer (ET12) Exam

  • Exam Questions: 50 (multiple-choice, ET12 v5)
  • Time Limit: 60 min (online proctored exam)
  • Passing Score: 80% (~40 correct answers)
  • Exam Fee: Free (included for Sophos partners)
  • XDR Data Lake Retention: 90 days (30 days for EDR-only)
  • Test Delivery: NetExam (Sophos Training Portal)

The Sophos Certified Engineer — Sophos Central XDR (ET12) is a 50-question, 60-minute online proctored exam with an 80% passing score, delivered through the Sophos Training Portal (NetExam) and free for Sophos partners. It validates engineer-level operations of Sophos XDR and MDR — Sophos Central architecture, the XDR Sensor, the Data Lake (90-day XDR / 30-day EDR retention), the Threat Analysis Center with Detections, Cases, and MITRE ATT&CK mapping, Live Discover OSQuery, Live Response, Sophos NDR, Microsoft 365 / Google Workspace / AWS / Azure / GCP integrations, the Sophos Central API (OAuth 2.0 with JWT bearer tokens), and MDR Essentials vs MDR Complete. ET12 is a step on the path to MDR accreditation.

Sample Sophos Central XDR Engineer (ET12) Practice Questions

Try these sample questions to test your Sophos Central XDR Engineer (ET12) exam readiness. Each question includes a detailed explanation.

1. Which Sophos deployment option provides detection, investigation, and response capabilities on a device that is already running a third-party anti-malware product?
   A. Sophos Endpoint with Intercept X Advanced
   B. Sophos XDR Sensor
   C. Sophos Server Protection Standard
   D. Sophos NDR virtual appliance
   Explanation: The Sophos XDR Sensor is a lightweight agent that provides Data Lake telemetry, Live Discover, and Live Response without delivering Sophos threat protection. It is intended for environments that already run a third-party AV/EDR product but want to add Sophos XDR data and investigation capability.

2. How long is endpoint and server telemetry retained in the Sophos Data Lake by default for a customer with Sophos XDR licensing?
   A. 7 days
   B. 30 days
   C. 90 days
   D. 365 days
   Explanation: Sophos XDR retains uploaded telemetry in the Data Lake for up to 90 days. Sophos EDR-only customers are limited to 30 days. Customers can extend retention to one year by purchasing the Central Data Storage 1-year add-on pack.

3. What is the per-device daily upload cap to the Sophos Data Lake?
   A. 200 MB
   B. 500 MB
   C. 1 GB
   D. 2 GB
   Explanation: Each managed device can upload up to 2 GB of telemetry per day to the Data Lake. Once the device hits the cap, uploads pause until the limit resets at midnight local time on Windows or 24 hours after agent start on Linux.

4. Per Sophos Data Lake storage pool sizing, how much daily upload allocation does each XDR endpoint license contribute to the endpoint pool?
   A. 5 MB per license per day
   B. 20 MB per license per day
   C. 40 MB per license per day
   D. 100 MB per license per day
   Explanation: The endpoint pool is sized at 20 MB per XDR endpoint license per day, which works out to roughly 1.8 GB per license over the 90-day retention window. The server pool is double that at 40 MB per license per day.

5. Which Sophos Central area is the unified investigator workspace where detections, cases, Live Discover, and Live Response live?
   A. Threat Analysis Center
   B. Endpoint Protection Dashboard
   C. Global Settings
   D. Logs and Reports
   Explanation: The Threat Analysis Center is the central XDR workspace in Sophos Central. It contains the Detections feed, Cases, MITRE ATT&CK mapping, Live Discover query interface, and Live Response sessions for managed devices.

6. Which products can feed events into the Sophos Data Lake for cross-source XDR investigations?
   A. Endpoint and Server only
   B. Endpoint, Server, Mobile, Email, Firewall, and Cloud Optix
   C. Endpoint and Firewall only
   D. Mobile and Email only
   Explanation: The Data Lake aggregates telemetry from Sophos Endpoint, Server, Mobile, Email, Firewall, and Cloud Optix. This is the foundation that lets Live Discover queries correlate evidence across products and across disconnected devices.

7. An admin enrolls a Linux server with the XDR Sensor agent. Which capability is NOT supported by the sensor-only deployment?
   A. Uploading telemetry to the Data Lake
   B. Running Live Discover queries against the device
   C. Blocking malware execution with Intercept X
   D. Opening a Live Response session to the device
   Explanation: The XDR Sensor delivers detection, investigation, and response telemetry only. It does not include Sophos Intercept X threat protection; that requires a full Endpoint or Server Protection license. Customers typically pair the sensor with a third-party AV product.

8. Where in Sophos Central does an administrator configure the XDR agent mode (Endpoint, XDR, or XDR Sensor) for a Windows device?
   A. Endpoint Protection > Policies > Threat Protection
   B. Devices > Computers > select device > Manage agent mode
   C. Threat Analysis Center > Detections > Agent
   D. Account Health Check > Agent Mode
   Explanation: Agent mode is set per device under Devices in Sophos Central. The Account Health Check surfaces incorrect agent mode warnings, but the actual change is made on the device record. Agent mode determines whether the device runs Endpoint protection only, full XDR, or sensor-only.

9. A customer wants Data Lake retention extended from 90 days to one year. What is the correct approach?
   A. Enable extended retention in Threat Analysis Center > Settings
   B. Purchase the Central Data Storage 1-year add-on pack
   C. Open a support case to request a tenant flag change
   D. Upgrade from XDR to MDR Complete
   Explanation: Sophos sells a Central Data Storage 1-year add-on pack that extends Data Lake retention to 365 days. This is a paid add-on per license; it is not a console toggle, support flag, or automatic MDR benefit.

10. Which statement about Cloud Optix data uploads to the Data Lake is correct?
   A. Cloud assets share the 2 GB per device daily limit
   B. Cloud assets get 1.25 MB per asset per day, with daily reset at 00:00 UTC
   C. Cloud assets do not upload to the Data Lake
   D. Cloud assets have unlimited daily uploads
   Explanation: Cloud Optix-monitored cloud assets each have a 1.25 MB per asset per day upload allowance, and the daily counter resets at 00:00 UTC. This is separate from the per-endpoint and per-server limits.

About the Sophos Central XDR Engineer (ET12) Exam

The Sophos Certified Engineer — Sophos Central XDR (Detection and Response) (ET12) certification validates engineer-level competency operating Sophos XDR and MDR through Sophos Central. The exam covers the XDR architecture and Sensor deployment, Data Lake telemetry and retention, the Threat Analysis Center workflow (Detections, Cases, Threat Graphs, MITRE ATT&CK mapping), Live Discover OSQuery hunting against endpoint and Data Lake targets, Live Response remote shell, Sophos NDR east-west detection on encrypted traffic, third-party integrations (Microsoft 365, Google Workspace, AWS, Azure, GCP) and the Sophos Central API (OAuth 2.0, JWT, /v1/ endpoints, webhooks), and MDR Essentials vs MDR Complete service workflows. ET12 is a recommended step on the path to Sophos MDR accreditation and is free for Sophos partners.

  • Assessment: 50 multiple-choice questions covering Sophos XDR fundamentals and Sensor, threat detection and investigation, Live Discover and Live Response, Sophos NDR, third-party integrations and the Sophos Central API, and MDR response workflows
  • Time Limit: 60 minutes
  • Passing Score: 80%
  • Exam Fee: Free with course / partner enablement (Sophos / NetExam Training Portal)

Sophos Central XDR Engineer (ET12) Exam Content Outline

  • Sophos XDR Fundamentals & Sensor (20%): XDR architecture, single agent for endpoint and server, XDR Sensor for third-party AV coexistence, Data Lake (90-day XDR / 30-day EDR), 2 GB/device/day upload cap, Endpoint/Server/Mobile/Email/Firewall/Cloud Optix data sources, agent mode selection
  • Threat Detection & Investigation (20%): Threat Analysis Center, Detections feed, 1-10 risk score, auto-created Cases for high-risk detections, Threat Graphs for root-cause and spread, MITRE ATT&CK tactic and technique mapping (e.g. T1003.001, T1486), IOCs as one detection input
  • Live Discover & Live Response (15%): OSQuery SQL syntax against virtual tables (processes, registry, logged_in_users), Endpoint vs Data Lake query targets, Sophos query packs, hourly/daily/weekly scheduling, Live Response 30-minute inactivity timeout, per-category enable, downloadable session audit logs
  • NDR (10%): Sophos NDR virtual sensor fed by SPAN/TAP, east-west traffic visibility, agentless coverage for OT/IoT, AI-assisted engines for encrypted payload analysis, deep packet inspection, DGA tracking, session risk analytics, device fingerprinting; integration with the Threat Analysis Center
  • Third-Party Integrations & API (15%): Microsoft 365 (Management Activity + Graph Security APIs, response actions), Google Workspace, AWS CloudTrail, Azure activity logs, GCP; Sophos Central API OAuth 2.0 client_credentials at id.sophos.com, JWT bearer tokens (~1 hour), /v1/ collections, /whoami for tenant region, webhooks/connectors for SIEM/SOAR
  • MDR & Response Workflows (20%): MDR Essentials vs MDR Complete (60-minute SLA on 90% of high-severity cases, $1M breach protection warranty), 24x7 Sophos SOC, configurable response posture, response actions (host isolation, process termination, file scan/quarantine, user disable via M365), Account Health Check, MDR Security Posture Report

How to Pass the Sophos Central XDR Engineer (ET12) Exam

What You Need to Know

  • Passing score: 80%
  • Assessment: 50 multiple-choice questions covering Sophos XDR fundamentals and Sensor, threat detection and investigation, Live Discover and Live Response, Sophos NDR, third-party integrations and the Sophos Central API, and MDR response workflows
  • Time limit: 60 minutes
  • Exam fee: Free with course / partner enablement

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Sophos Central XDR Engineer (ET12) Study Tips from Top Performers

1. Memorize the Data Lake retention numbers: 90 days for XDR, 30 days for EDR, 1 year with the Central Data Storage add-on, 2 GB/device/day upload cap. These come up repeatedly.
2. Learn the agent-mode trio (Endpoint, XDR, XDR Sensor) and exactly which capabilities each enables; the XDR Sensor specifically gives detection/investigation/response without Sophos threat protection.
3. Practice writing OSQuery SQL against common tables (processes, registry, logged_in_users) and know when to target Endpoint vs Data Lake. The Data Lake is the right target for offline devices and historical IOC sweeps.
4. Memorize MITRE ATT&CK pairs that appear in real Sophos detections: T1003.001 LSASS dump (Credential Access), T1059.001 PowerShell (Execution), T1486 Data Encrypted for Impact (Impact), T1078 Valid Accounts.
5. Know the API auth flow cold: an OAuth 2.0 client_credentials POST to https://id.sophos.com/api/v2/oauth2/token returns a JWT with expires_in of 3600 s, which is sent as Authorization: Bearer <jwt> on /v1/ calls; /whoami returns the tenant ID and the dataRegion API host.
6. For MDR, distinguish Essentials (30-minute response target, no warranty) from Complete (60-minute SLA target on 90% of high-severity cases, $1M breach protection warranty); both are 24x7 SOC-backed.
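The API auth flow from tip 5, worked through as an added example (this is not Sophos code or part of the original page): a minimal client that obtains the JWT, renews it before expires_in elapses, resolves the tenant ID and dataRegion host via /whoami, and sends the bearer token on a regional /v1/ call. The transport function is injected so the flow runs offline against constructed responses; the `scope=token` form field, the `idType`/`apiHosts.dataRegion` response fields and the `X-Tenant-ID` header follow Sophos's public API documentation and are not stated on this page.

```python
import time
from urllib.parse import urlencode

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"

class SophosCentralClient:
    def __init__(self, client_id, client_secret, transport, now=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport  # transport(method, url, headers, body) -> parsed JSON dict
        self.now = now              # injectable clock so token expiry can be exercised offline
        self.token, self.expires_at, self.tenant_id, self.data_region = None, 0.0, None, None

    def _fetch_token(self):
        body = urlencode({"grant_type": "client_credentials", "client_id": self.client_id,
                          "client_secret": self.client_secret, "scope": "token"})
        resp = self.transport("POST", TOKEN_URL,
                              {"Content-Type": "application/x-www-form-urlencoded"}, body)
        self.token = resp["access_token"]
        # Renew 60 s before expires_in (3600 s) elapses so no call goes out with a stale JWT.
        self.expires_at = self.now() + resp["expires_in"] - 60

    def bearer(self):
        if self.token is None or self.now() >= self.expires_at:
            self._fetch_token()
        return {"Authorization": f"Bearer {self.token}"}

    def whoami(self):
        resp = self.transport("GET", WHOAMI_URL, self.bearer(), None)
        if resp.get("idType") != "tenant":   # partner/organization credentials need a different flow
            raise ValueError(f"expected tenant credentials, got idType={resp.get('idType')}")
        self.tenant_id, self.data_region = resp["id"], resp["apiHosts"]["dataRegion"]
        return self.tenant_id, self.data_region

    def get(self, path):
        """Tenant-scoped /v1/ call: regional host from /whoami plus the X-Tenant-ID header."""
        if self.data_region is None:
            self.whoami()
        return self.transport("GET", self.data_region + path,
                              {**self.bearer(), "X-Tenant-ID": self.tenant_id}, None)

def fake_transport(method, url, headers, body):
    # Constructed responses standing in for id.sophos.com and Sophos Central (offline demo).
    if url == TOKEN_URL:
        assert method == "POST" and "grant_type=client_credentials" in body
        return {"access_token": "eyJ.constructed.jwt", "token_type": "bearer", "expires_in": 3600}
    assert headers["Authorization"] == "Bearer eyJ.constructed.jwt"
    if url == WHOAMI_URL:
        return {"id": "11111111-2222-3333-4444-555555555555", "idType": "tenant",
                "apiHosts": {"dataRegion": "https://api-us01.central.sophos.com"}}
    assert headers["X-Tenant-ID"] == "11111111-2222-3333-4444-555555555555"
    return {"items": [{"hostname": "constructed-host"}]}
```

Swapping `fake_transport` for a real HTTP call (e.g. with `requests`) keeps the same flow; the assertions inside the fake simply mirror what the live service would reject.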

Frequently Asked Questions

What is the Sophos ET12 (Sophos Central XDR Engineer) exam?

ET12 is the Sophos Certified Engineer — Sophos Central XDR (Detection and Response) exam. It validates engineer-level operations of Sophos XDR and MDR via Sophos Central, including the XDR Sensor, Data Lake, Threat Analysis Center, Live Discover, Live Response, Sophos NDR, third-party integrations, the Sophos Central API, and MDR Essentials vs MDR Complete response workflows.

How many questions are on the Sophos ET12 exam and what is the passing score?

ET12 is a 50-question online proctored multiple-choice exam with a 60-minute time limit. The passing score is 80%, which is approximately 40 correct answers out of 50. The exam is delivered through the Sophos Training Portal (NetExam).

Is the Sophos ET12 exam free?

Yes — Sophos provides ET12 free for Sophos partners and authorized resellers as part of partner enablement. Both the ET12 course on the Sophos Training Portal and the certification exam are included; you only need a Sophos Training Portal (NetExam) account.

What topics does the Sophos ET12 exam cover?

ET12 covers Sophos XDR Fundamentals and Sensor (20%), Threat Detection and Investigation (20%), Live Discover and Live Response (15%), Sophos NDR (10%), Third-Party Integrations and the Sophos Central API (15%), and MDR and Response Workflows (20%). Expect questions on the Data Lake, OSQuery, MITRE ATT&CK, MDR tiers, and Microsoft 365/Google Workspace/AWS/Azure/GCP integrations.

How long does Sophos retain XDR telemetry in the Data Lake?

Sophos XDR retains uploaded telemetry in the Data Lake for up to 90 days. Sophos EDR-only customers are limited to 30 days. Customers can purchase the Central Data Storage 1-year add-on to extend retention to 365 days. Each device can upload up to 2 GB per day before its quota resets.

What is the difference between Sophos MDR Essentials and MDR Complete?

Both tiers run on the XDR platform with 24x7 Sophos SOC coverage. MDR Essentials targets a 30-minute response action on critical detections. MDR Complete adds a contractual 60-minute SLA target on 90% of high-severity cases plus a $1 million breach protection warranty covering response expenses. Both support host isolation, process termination, file scan/quarantine, and user disable via Microsoft 365.

How is Sophos Live Discover different from Live Response?

Live Discover runs OSQuery SQL queries against either the device (online endpoints) or the Data Lake (90-day historical telemetry, including offline devices) — read-only investigative work. Live Response opens an authenticated remote shell to a single online device for hands-on commands, with a 30-minute inactivity timeout and per-session audit log download under Reports > Logs.