How to Apply to Sophos

9 min read Last updated April 20, 2026 115 open positions
Blake Crosley
Blake Crosley Researched using publicly available information, hiring data, and ATS analysis.

Key Takeaways

  • Sophos is a British cybersecurity company, owned by Thoma Bravo since 2020, with a 100% channel-only go-to-market model.
  • CEO Joe Levy took over in November 2024 after Kris Hagerman's 12-year tenure ended in August 2024.
  • The $859M SecureWorks acquisition closed in Q1 2025 and is the dominant integration story across 2026.
  • Sophos MDR and MDR Complete are the fastest-growing product lines and where most new headcount currently lives.
  • Applications go through Lever at jobs.lever.co/sophos; tailor keywords precisely to the posting.
  • Interviews are structured, technical, and culturally British: evidence over confidence.
  • Compensation includes a long-term incentive tied to a private-equity liquidity event, not public stock.
  • Channel and MSP fluency is the single biggest differentiator versus candidates from CrowdStrike, SentinelOne, or Palo Alto.

About Sophos

Sophos Group plc is a British cybersecurity company headquartered at The Pentagon in Abingdon, Oxfordshire, with roughly 4,500+ employees spread across 50+ countries. Jan Hruska and Peter Lammer founded the company at Oxford University in 1985, originally as one of the early antivirus pioneers, and the engineering culture still carries that deep technical heritage that distinguishes it from US-led competitors. The company spent decades building expertise in endpoint, network, and email security, and over time evolved from a traditional signature-based antivirus vendor into a cloud-managed, AI-augmented security platform. Sophos was a publicly traded LSE company until March 2020, when US private equity firm Thoma Bravo took it private in a deal valued at roughly $3.9 billion. That ownership matters to anyone considering a job here: Thoma Bravo runs cybersecurity portfolio companies (also Proofpoint, Imperva, Darktrace) with cost discipline and a typical 5-7 year exit horizon, which puts Sophos in the 2025-2027 window for a potential IPO or sale. Under PE ownership the company has also reorganized aggressively around higher-margin services, including the rapid build-out of MDR, and has been more willing to retire or consolidate underperforming product lines than it was as a public company. In November 2024, Joe Levy became permanent CEO after 12-year veteran Kris Hagerman departed in August 2024; Levy was previously CTO and is closely associated with the company's AI/ML investments through the Sophos AI Group, which publishes regularly on neural-network detection of ransomware and phishing. The product portfolio centers on Sophos Intercept X (XDR/EDR with deep-learning anti-ransomware and CryptoGuard), Sophos Firewall (XGS appliances plus virtual and cloud, the successor to the older XG and SG lines), Sophos Email (boosted by the Reflexion acquisition in 2018), Sophos Wireless, Sophos Cloud Optix for CSPM, and the rapidly growing Sophos MDR and Sophos MDR Complete managed services, all tied together by Sophos Central, the cloud management console partners and customers use to operate the stack. Threat research and content is published under the Sophos X-Ops umbrella, which combines SophosLabs, SecOps, and AI teams. The company closed its $859M acquisition of SecureWorks (formerly NASDAQ: SCWX) in Q1 2025, absorbing the Counter Threat Unit (CTU), the Taegis XDR platform, and significant 24x7 SOC capacity, and integration work continues to shape engineering, threat-research, and go-to-market roadmaps throughout 2026. Sophos serves roughly 600,000 organizations, mostly mid-market, and operates a 100% channel-only sales model through 50,000+ partners and a deep MSP base; competitors with even small direct-touch enterprise sales motions look meaningfully different inside. That channel-first commitment is the single biggest strategic difference from CrowdStrike, SentinelOne, and Palo Alto Networks, and it shapes everything from product packaging and pricing to support tiers, partner programs, and how field roles are scoped. Major engineering and operations hubs include Abingdon, Burlington and Lawrence (Massachusetts), Vancouver, Karlsruhe, Lyon, Linz, Budapest, Bratislava, Wexford, Ahmedabad, Tel Aviv, Tokyo, and Sydney, and the SecureWorks acquisition added significant US presence in Atlanta and Edinburgh in the UK.

Application Process

  1. 1
    Search openings at sophos

    Search openings at sophos.com/en-us/company/careers and apply through the Lever-hosted board at jobs.lever.co/sophos.

  2. 2
    Create a Lever candidate profile with current resume, LinkedIn URL, and country

    Create a Lever candidate profile with current resume, LinkedIn URL, and country of work authorization; Sophos hires globally so location filters matter.

  3. 3
    Tailor your resume to the specific posting using language from the JD around the

    Tailor your resume to the specific posting using language from the JD around the relevant product line (Intercept X, Firewall, MDR, Cloud Optix, Sophos Central, or SecureWorks Taegis).

  4. 4
    Expect a recruiter screen within 1-3 weeks for active reqs; longer if the role s

    Expect a recruiter screen within 1-3 weeks for active reqs; longer if the role sits inside a SecureWorks integration team where headcount planning is still in flux.

  5. 5
    Plan for a hiring-manager conversation focused on your domain depth (endpoint, n

    Plan for a hiring-manager conversation focused on your domain depth (endpoint, network, SOC, threat research, cloud, or channel/MSP context) and how you operate inside a channel-only business model.

  6. 6
    Technical loops typically include a take-home or live exercise for engineering,

    Technical loops typically include a take-home or live exercise for engineering, a SOC/triage simulation for MDR analyst roles, or a deal-desk and partner-scenario walkthrough for sales.

  7. 7
    Prepare for a panel including cross-functional partners; Sophos values written c

    Prepare for a panel including cross-functional partners; Sophos values written communication, so be ready for some interviewers who joined after the SecureWorks deal and may probe integration awareness.

  8. 8
    References and a background check (criminal, employment, education, sometimes cr

    References and a background check (criminal, employment, education, sometimes credit for finance roles) are standard before offer; UK and EU candidates should expect GDPR-compliant data-handling disclosures.

  9. 9
    Offers from Thoma Bravo-owned companies generally include base, bonus, and a lon

    Offers from Thoma Bravo-owned companies generally include base, bonus, and a long-term incentive plan tied to a future liquidity event rather than public stock; ask the recruiter to walk you through the LTI mechanics in writing.

  10. 10
    Total timeline runs 4-8 weeks for individual contributors and 8-12+ weeks for se

    Total timeline runs 4-8 weeks for individual contributors and 8-12+ weeks for senior leadership, with longer waits during SecureWorks integration freezes.

Resume Tips for Sophos

recommended

Lead with cybersecurity domain depth: name the products you have shipped, defend

Lead with cybersecurity domain depth: name the products you have shipped, defended, or sold against (CrowdStrike Falcon, SentinelOne Singularity, Palo Alto Cortex, Microsoft Defender, Fortinet FortiGate).

recommended

Quantify outcomes in security terms: dwell time reduced, MTTR improved, ransomwa

Quantify outcomes in security terms: dwell time reduced, MTTR improved, ransomware incidents contained, alerts triaged per analyst, channel pipeline generated.

recommended

Reference the right Sophos product line for the role: Intercept X for endpoint,

Reference the right Sophos product line for the role: Intercept X for endpoint, Sophos Firewall/XGS for network, Sophos MDR for SOC, Cloud Optix for CSPM, Sophos Central for management plane, Taegis if the role is SecureWorks-aligned.

recommended

Show channel and MSP fluency for any sales, partner, or product-marketing role;

Show channel and MSP fluency for any sales, partner, or product-marketing role; mention specific MSP platforms (ConnectWise, Datto, N-able, Kaseya) you have worked with.

recommended

For SOC and threat-research roles, highlight published research, CVE credits, MI

For SOC and threat-research roles, highlight published research, CVE credits, MITRE ATT&CK coverage, detection engineering, and any prior CTU, GReAT, Talos, Mandiant, or Unit 42 affiliations.

recommended

Engineers should call out concrete stack experience: C++ and Rust for endpoint s

Engineers should call out concrete stack experience: C++ and Rust for endpoint sensors, Python/Go for backend, AWS or Azure for cloud, Kubernetes, Kafka, ClickHouse, Snowflake, and ML frameworks for the AI Group.

recommended

Demonstrate written-first communication: a public blog, conference talk, RFC, or

Demonstrate written-first communication: a public blog, conference talk, RFC, or detailed incident write-up signals fit with Sophos's distributed, multi-time-zone teams.

recommended

Match the language of the posting; Lever's filters and Sophos recruiter searches

Match the language of the posting; Lever's filters and Sophos recruiter searches lean keyword-driven, so spell out acronyms once (e.g., 'Endpoint Detection and Response (EDR)').

recommended

Keep it to two pages with reverse-chronological structure; British and European

Keep it to two pages with reverse-chronological structure; British and European reviewers often penalize over-styled US-format resumes for senior roles.

recommended

Include a one-line summary that names your specialism and seniority (e

Include a one-line summary that names your specialism and seniority (e.g., 'Detection engineer with 7 years building SOC tooling for managed services').

ATS System: Lever

Sophos uses Lever for global recruiting at jobs.lever.co/sophos. Lever is a collaborative ATS with strong keyword search, structured interview kits, and email-based scheduling; it does not require fancy formatting but does index plain-text content from PDF and DOCX uploads.

  • Upload a clean PDF or DOCX; avoid headers, footers, text boxes, and graphics that Lever's parser can mishandle.
  • Use a single-column layout with standard section headings (Experience, Education, Skills) so Lever maps fields cleanly.
  • Mirror exact phrases from the job description, including product names and certifications, since recruiters search Lever by literal keywords.
  • Fill in the structured profile fields (current title, location, work authorization) rather than relying solely on the resume upload.
  • Add your LinkedIn URL; Sophos recruiters often cross-reference Lever profiles with LinkedIn for tenure and endorsements.
  • Attach a short cover note in the message field for senior or specialist roles; Lever surfaces it directly in the candidate card.
  • Apply only to roles you genuinely fit; Lever tracks application history and spray-and-pray patterns are visible to recruiters.
  • If you previously interviewed at Sophos, your record persists in Lever; reference the prior conversation honestly in your note.

Interview Culture

Sophos interviews are structured, technically rigorous, and distinctly British in tone: polite, evidence-based, and skeptical of bravado.

Recruiter screens are conversational and check basics like role fit, comp expectations, location, and notice period (UK norms include statutory notice periods that can stretch offers by weeks or months relative to US expectations). Hiring-manager rounds dig into your domain story, with particular attention to how you would operate inside a channel-only, partner-led business; if you have only ever worked in direct-enterprise sales motions or pure inside-sales SaaS, expect to be probed on whether you can adapt to a model where the partner is the customer-facing relationship and Sophos enables them. Engineering loops typically include a take-home exercise scoped to a few hours plus a live system-design or code-review session, and SOC and MDR roles often include a triage simulation against a synthetic incident timeline where you will be asked to walk through your reasoning, not just the right answer. Threat-research candidates should expect deep technical discussion of recent ransomware families (LockBit, ALPHV/BlackCat, Akira, Cl0p), malware analysis tools, MITRE ATT&CK mapping, and the kind of long-form write-ups Sophos X-Ops and the SecureWorks CTU are known for. Panels are cross-functional and frequently span multiple time zones (Abingdon, Burlington, Vancouver, Karlsruhe, Ahmedabad, Atlanta), so video etiquette, written follow-ups, and asynchronous clarity matter more than they would at a single-site competitor. The post-acquisition culture in 2026 still has visible seams between legacy Sophos teams and incoming SecureWorks teams; smart candidates ask directly which org the role reports into, who the founding manager was, how the team has changed since Joe Levy became CEO in November 2024, and what success looks like in the next two quarters under continued PE ownership. Decisions usually take 1-3 weeks after the final round, with offers coordinated through a central recruiting operations team that handles paperwork, background checks, and start-date logistics across jurisdictions.

What Sophos Looks For

  • Cybersecurity domain credibility, not generic IT or software experience.
  • Comfort working inside a channel-only, MSP-heavy go-to-market model rather than direct enterprise sales.
  • Engineering rigor and willingness to ship into a mature, multi-product platform with real customers and real consequences.
  • Awareness of competitive positioning against CrowdStrike, SentinelOne, Palo Alto Networks, Fortinet, and Microsoft Defender.
  • Ability to operate in distributed, multi-time-zone teams with strong written communication.
  • Pragmatism about private-equity ownership: cost discipline, capital efficiency, and clear ROI on initiatives.
  • Curiosity and capacity to learn the SecureWorks Taegis platform and CTU workflows where roles overlap.
  • Customer empathy for mid-market organizations and the partners who serve them, not just Fortune 500 SOCs.
  • Integrity and discretion around threat intelligence, customer data, and unreleased detections.
  • Long-term thinking aligned with a likely 2025-2027 liquidity event under Thoma Bravo.

Frequently Asked Questions

Is Sophos still a public company?
No. Sophos was delisted from the London Stock Exchange in March 2020 when Thoma Bravo took it private in a deal valued at roughly $3.9 billion. It has been a private company ever since, owned by Thoma Bravo's cybersecurity portfolio.
Who is the CEO of Sophos in 2026?
Joe Levy, who became CEO in November 2024. He was previously CTO and is closely associated with the company's investments in AI/ML through the Sophos AI Group. He replaced Kris Hagerman, who departed in August 2024 after a 12-year tenure.
What does the SecureWorks acquisition mean for job seekers?
Sophos closed its $859M acquisition of SecureWorks (formerly NASDAQ: SCWX) in Q1 2025. Throughout 2026, integration work continues across SOC operations, the Counter Threat Unit (CTU), and the Taegis XDR platform, alongside the existing Sophos MDR offering and the Sophos X-Ops research org. Some teams are net hiring (especially detection engineering, SOC analysts, and integration engineering), some are consolidating (overlapping marketing, sales-ops, and back-office functions), and a few have been restructured outright. Ask in the recruiter screen which org a role reports into, whether the team is legacy Sophos, legacy SecureWorks, or a newly merged group, how its charter has changed since the deal closed, and how it fits into the unified product roadmap Joe Levy has been outlining publicly.
What ATS does Sophos use?
Sophos uses Lever, hosted at jobs.lever.co/sophos. Lever indexes plain-text content from your resume and supports structured profile fields, so a clean single-column PDF or DOCX with explicit keywords from the job description performs best.
Where are Sophos's main offices?
The headquarters is The Pentagon in Abingdon, Oxfordshire, UK. Major hubs include Burlington and Lawrence (Massachusetts), Vancouver, Karlsruhe, Lyon, Linz, Budapest, Bratislava, Wexford, Ahmedabad, Tel Aviv, Tokyo, and Sydney. Many roles are hybrid or remote-friendly within a country.
How is compensation structured under Thoma Bravo ownership?
Offers typically include base salary, an annual bonus tied to company and individual performance, and a long-term incentive plan (LTIP) that pays out on a future liquidity event rather than vesting in publicly traded stock. Because there is no public ticker, you cannot value the LTI grant the way you would CrowdStrike RSUs; the upside depends on Thoma Bravo's exit, whether through an IPO, a strategic sale, or a secondary buyout, and on the implied equity value at that moment. Thoma Bravo took Sophos private in 2020, so the typical 5-7 year horizon points to a 2025-2027 window, but PE timelines slip. Ask the recruiter for the LTI grant size, vesting schedule, treatment on exit, treatment on termination without cause, and any acceleration triggers, all in writing before accepting.
What is Sophos's channel-only model and why does it matter?
Sophos sells exclusively through 50,000+ partners, including a deep base of managed service providers (MSPs); it does not have a direct enterprise sales force the way CrowdStrike or Palo Alto Networks do. For sales, marketing, and product roles, this means deal motions, packaging, and customer conversations always go through partners. Candidates without channel experience can still get hired but should expect direct probing on the topic.
Who are Sophos's main competitors?
On endpoint: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Trellix, and Cybereason. On network/firewall: Palo Alto Networks, Fortinet, Cisco, Check Point, WatchGuard, and SonicWall. On MDR: Arctic Wolf, eSentire, Expel, Red Canary, Huntress, and (until the acquisition) SecureWorks itself.
What products and platforms should I learn before interviewing?
At minimum: Sophos Intercept X (XDR/EDR), Sophos Firewall (XGS), Sophos MDR and MDR Complete, Sophos Central (management plane), Sophos Email, Cloud Optix, and the SecureWorks Taegis XDR platform if the role overlaps. Also be familiar with MITRE ATT&CK and recent ransomware threat trends covered by Sophos X-Ops and the SecureWorks Counter Threat Unit.
Does Sophos hire for remote roles?
Yes, many engineering, SOC, threat-research, marketing, and sales roles are remote or hybrid within a specific country, especially in the US, UK, Canada, India, and Central Europe. Some roles require proximity to a hub office (Abingdon, Burlington, Karlsruhe) or specific time-zone coverage; the posting will state the constraint explicitly.
How long does the interview process take?
Plan for 4-8 weeks for individual contributor roles and 8-12+ weeks for senior leadership. SecureWorks-integration roles can take longer because of headcount approval workflows still being harmonized in 2026.
What languages does Sophos hire in?
English is the working language across all teams worldwide. Hub-specific hiring also values German (Karlsruhe and Linz), French (Lyon), Hungarian (Budapest), Slovak (Bratislava), Czech, Hindi and Gujarati (Ahmedabad), Hebrew (Tel Aviv), and Japanese (Tokyo). Most postings are written in English regardless of country, but local-language fluency is often a differentiator for partner-facing channel and support roles.

Open Positions

Sophos currently has 115 open positions.

Check Your Resume Before Applying → View 115 open positions at Sophos

Related Resources

Similar Companies

Sources

  1. Sophos Careers
  2. Sophos Jobs on Lever
  3. Sophos Completes Acquisition of Secureworks
  4. Thoma Bravo Completes Acquisition of Sophos
  5. Sophos Names Joe Levy as Permanent CEO
  6. Sophos Group plc - Wikipedia
  7. Sophos MDR Product Page
  8. Sophos Intercept X Endpoint
  9. Sophos Firewall (XGS)
  10. Sophos X-Ops Threat Research
  11. Secureworks Counter Threat Unit
  12. Lever Applicant Tracking System